The revised payment services directive, or PSD2, was developed to level the playing field and increase cooperation and collaboration between fintechs and traditional banks. This revised directive was based on the original PSD1 adopted in 2007, which provided the legal framework for a single market for payments in the EU.
The main benefits of the revised directive are increased consumer rights, improved security and permission for third parties to access payment account information.
Regulatory technical standards (RTS) are a set of technical compliance standards that, once endorsed by the European Commission (EC), need to be met by all parties. They were drafted and implemented by the European Banking Authority with the goal of establishing the minimum conditions businesses must meet to be compliant with the revised payment services directive (PSD2).
For PSD2 specifically, the RTS focus on defining concrete security measures and on ensuring effective and secure communication. The PSD2 RTS cover strong customer authentication (SCA) and common and secure open standards of communication (CSC).
In the PSD2 legislation itself, these security measures were only mentioned superficially, creating the need to draft a more specific and clear set of standards to guarantee compliance.
Strong Customer Authentication (SCA) is an authentication based on the use of two or more elements categorized as:
The basic principle of SCA is to ensure customer protection via an increased level of security of electronic payments.
SCA needs to be applied when a customer accesses their bank account online, including situations where an aggregated view of several accounts is presented, when making an online payment, and when using any remote channel that may present a risk of payment fraud.
On top of customer authentication, an extra layer of security is added by generating a unique authentication code that links the transaction to a specific amount and a specific payee.
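The following is an added illustration of that transaction-linking step, not code from the original post or from any PSP: it binds an authentication code to the amount and payee with an HMAC under a constructed shared secret, and shows that changing either field after the code was issued makes verification fail. The field names, the shared secret, the 12-character truncation and the sample IBAN strings are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo secret standing in for whatever key material the PSP's
# authentication server shares with the customer's enrolled device (assumption).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


@dataclass(frozen=True)
class Transaction:
    amount: str        # kept as a string to avoid floating-point rounding
    currency: str
    payee_iban: str
    nonce: str         # per-transaction challenge so a code cannot be replayed


def canonical_message(tx: Transaction) -> bytes:
    # Separator-delimited canonical form, so "12.5|EUR" cannot be confused with "1|25EUR".
    return "|".join([tx.amount, tx.currency, tx.payee_iban, tx.nonce]).encode()


def generate_auth_code(tx: Transaction, secret: bytes = SHARED_SECRET) -> str:
    # The HMAC ties the code to exactly the amount and payee shown to the payer.
    # Truncation to 12 hex characters is a display choice for this demo only.
    return hmac.new(secret, canonical_message(tx), hashlib.sha256).hexdigest()[:12]


def verify_auth_code(tx: Transaction, code: str, secret: bytes = SHARED_SECRET) -> bool:
    # The PSP recomputes the code over the transaction it is about to execute;
    # any change to amount or payee after issuance produces a mismatch.
    expected = generate_auth_code(tx, secret)
    return hmac.compare_digest(expected, code)


def new_transaction(amount: str, currency: str, payee_iban: str) -> Transaction:
    return Transaction(amount, currency, payee_iban, secrets.token_hex(8))


def demo() -> dict:
    # Constructed sample transaction; the IBAN values are placeholders, not real accounts.
    tx = new_transaction("125.00", "EUR", "DE00-CONSTRUCTED-IBAN")
    code = generate_auth_code(tx)
    amount_tampered = Transaction("1250.00", tx.currency, tx.payee_iban, tx.nonce)
    payee_tampered = Transaction(tx.amount, tx.currency, "FR00-CONSTRUCTED-IBAN", tx.nonce)
    return {
        "original_valid": verify_auth_code(tx, code),
        "amount_tampered_valid": verify_auth_code(amount_tampered, code),
        "payee_tampered_valid": verify_auth_code(payee_tampered, code),
    }
```

Run `demo()` to see the original transaction verify while both tampered versions are rejected.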
Although payment service providers and account information providers need to implement SCA to be PSD2 compliant, there are a few cases where SCA is exempted:
It is important to highlight that payment service providers (PSPs) carry the responsibility for applying SCA when it is required. According to PSD2, a payer can claim full reimbursement from their PSP for an unauthorised payment if no SCA measure was in place.
Common and secure communication (CSC) standards were specified in the RTS draft to ensure that communication between banks and regulated third party providers (TPPs) happens through secure messaging.
According to these standards, banks have to develop a communication channel that allows TPPs to access the data they need securely. These communication channels also enable banks and TPPs to identify each other when customer data is accessed.
With the implementation of the RTS and its CSC standards, TPPs are no longer allowed to access customer data through “screen scraping”. However, to facilitate the transition, some exceptions were put in place during a transitional period.
In the final version of RTS, the transaction risk analysis was one of the more interesting aspects covered. Even though banks and service providers do it on a daily basis, the RTS specified very detailed requirements that need to be met.
With its implementation, risk analysis has become an essential requirement with a basic minimum threshold across the EU, resulting in a more level playing field and a broader choice for customers.
The European Banking Authority (EBA) also has access to the results of these risk analyses and fraud rates, meaning that the focus will not be exclusively on financial health, but also on cybersecurity.
The Sustainable Finance Disclosure Regulation (SFDR) was meant to come into effect from March 10th, 2021, but the European Commission (EC) has decided that the new regulation could not be adopted within the timeframe previously anticipated.
SFDR was created to ensure that any business providing financial services and products comprehensively discloses just how committed it is to sustainability.
One of the key parts of this directive is to prevent “greenwashing”, the practice by financial firms of exaggerating their environmental commitments on paper without applying them in practice.
The revised version of the original Markets In Financial Instruments Directive (MiFID 2) rolled out on January 3, 2018, to regulate financial markets and improve protections for investors.
MiFID II is a legislative framework instituted by the European Union (EU), with the aim to standardize practices across the EU and restore confidence in the industry.
This is the legislative framework used as the legal basis for the RTS.