PSD2 is the upgraded Payment Services Directive, designed and used by countries within the European Union and the European Economic Area to regulate their electronic payment services and payment service providers. PSD2 replaced the first Payment Services Directive in 2015 to contribute to the development of a single payment market in Europe by improving consumer protection, reinforcing security, fostering competition, and encouraging innovation in the sector. Overall, the updated PSD seeks to further modernize and integrate payment services by changing the distribution of power in the banking industry and enabling the emergence of independent service providers. As PSD2 is the most prominent legislation in the area of banking and financial services, here is a brief history of the development of this directive across Europe.
The transformation of the banking industry began when the European Union adopted the first Payment Services Directive. This legislation, applied in 2007, set out the legal foundation for uniform payment services in Europe to encourage safer and more innovative financial services. The goal of the first PSD for the payments industry was to provide access for new market entrants and financial institutions other than banks, and to create more competition and more options for consumers. The first PSD also aimed to benefit consumers by ensuring more transparency of information on payments, execution time, and fees, speeding up transactions, strengthening customer rights by describing refund rights, and clarifying the accountability of both consumers and payment institutions.
Even though the first PSD laid the groundwork for today's financial services, it needed updates to keep pace with emerging developments, such as rapid digitization in the banking industry, the shift to e-commerce, the development of authentication methods, and the overall new approach to the payment market. At the same time, a revision was necessary because the directive had been implemented inconsistently in different European countries. For instance, the PSD left financial institutions the option either to charge their consumers a fee or to give them a rebate, and left countries the choice to limit these charges, leading to extreme differences in application fees across European countries. Several generic exemptions of payment-related activities from the scope of the directive were also implemented differently by different countries, resulting in regulatory arbitrage and legal uncertainty. In addition, the inadequate standardization and interoperability of security systems and of exemptions regarding payment activities left consumers unprotected. Even though the directive aimed to create a single payment market, the lack of standardization and discrepancies in application processes led to competitive distortions among European countries. To solve these problems and keep up with innovation in the payments industry, the European Commission in July 2013 suggested additions and alterations to the original directive in the form of PSD2.
The revised PSD was published in December 2015, started gradually entering into force in January 2016, and has applied to European countries since January 2018. However, due to delays in technical measures, several EU countries did not fully comply with PSD2 requirements until January 2021, and the Brexit-bound UK is still on its way. Nevertheless, PSD2 is today a major piece of legislation regulating financial services in Europe. To cover all milestones in the development and implementation of this directive, a thorough PSD2 timeline is provided below.
July 2013: The European Commission publishes its proposal to create the second PSD.
October 2015: The European Parliament approves the European Commission's proposal to create a new directive regarding safer and more innovative payment services.
November 2015: The European Parliament agrees to adopt PSD2 and obligates all member states to incorporate the new directive into national regulations by January 2018.
December 2015: The final version of PSD2 is published in the Official Journal of the European Union.
January 2016: PSD2 comes into force, and member states begin the implementation of the new directive into their national laws.
August to October 2016: The European Banking Authority consults on the preliminary version of Regulatory Technical Standards, also known as RTS, regarding strong customer authentication and secure and common communications, or so-called SCA & CSA.
February 2017: The European Banking Authority finalizes and publishes the preliminary version of RTS - SCA & CSA.
November 2017: The European Commission approves and adopts the final version of RTS on strong customer authentication and secure and common communications.
Throughout 2017: The European Banking Authority finalizes other guidelines required to fully implement PSD2.
January 2018: PSD2 applies to all member states of the EU.
March 2018: The final version of RTS on SCA & CSA is published in the Official Journal of the European Union.
September 2019: PSD2 goes into full effect as the definitive version of the RTS on strong customer authentication and secure and common communications finally comes into force. However, due to delays in technical requirements, the European Banking Authority extends the deadline for PSD2 compliance to December 31, 2020.
December 31, 2020: PSD2 officially becomes the law governing e-commerce in Europe. All member states fully comply with PSD2, except the Brexit-bound UK, which delays PSD2 compliance until March 2021 for online banking and September 2021 for online shopping.
September 2021: The UK's Financial Conduct Authority extends the deadline for full SCA compliance regarding e-commerce transactions until March 2022.
First and foremost, the new PSD widens the scope of the previous legislation by facilitating the development of innovative solutions as providers of new payment and account information services enter the market. Specifically, PSD2 requires banks and other financial institutions to open access to payment systems and accounts to new players, so-called Third-Party Payment Services Providers, more commonly known as TPPs. PSD2 also increases the range of financial institutions covered as TPPs, including payment institutions, credit institutions, e-money institutions, and central banks. Third parties authorized as Account Information Services Providers, or AISPs, can access and consolidate consumers' financial data on behalf of users, even if it is held in multiple bank accounts. AISPs allow customers to get an overview of their financial situation and comfortably analyze their spending and financial needs. Concurrently, third parties licensed as Payment Initiation Services Providers, or PISPs, can initiate payments or transfers on the customer's behalf from their online banking account. These service providers can initiate a payment by filling in the information needed for the bank transfer (account number, amount of the transaction, message) and informing the consumer and merchant of the transaction. PSD2 allows consumers to make payments to a third party from a bank's mobile app using any of the user's accounts. All of these service providers were brought within the scope of PSD2 to boost innovation and competition by providing more, and often cheaper, alternatives for financial services.
Secondly, PSD2 builds on the previous directive by upgrading the protection of consumers' personal and financial data through advanced security measures. The biggest regulatory milestone regarding secure authentication and third-party access requirements, known as Strong Customer Authentication, or SCA, came into force in September 2019. SCA requires payment service providers to use at least two out of three authentication factors for various bank operations, including transactions and access to the account via apps or online. Put more simply, to protect customers' data in online payments, PSD2 requires verifying the customer's identity with at least two independent elements, such as a smartphone or token combined with a password or a biometric feature, like fingerprints or facial recognition. In addition to multi-factor authentication for electronic transactions and access to data, PSD2 mandates that all payment service providers include an additional feature known as dynamic linking. This requirement means providing a unique authentication code that links each transaction to its value and its recipient. Because of dynamic linking, the transaction becomes immediately invalid if the specific payment amount or payee changes. By demanding more secure identity checks, PSD2 makes payments safer by reducing the risk of many kinds of fraud, such as social engineering, malware, advanced persistent threats, mobile device-related attacks, denial of service attacks, and other threats related to big data or virtual currency.
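To make the two requirements above concrete, the Python example below is an added illustration, not part of the original article and not an algorithm prescribed by PSD2 or the RTS. It assumes an HMAC-SHA256 code computed with a key shared between the customer's device and the bank, a hypothetical mapping of the elements named in the text to the three factor categories, and constructed sample data; all function names are hypothetical.

```python
import hashlib
import hmac
from decimal import Decimal

# Assumed mapping of the elements named in the text to the three SCA categories.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "smartphone": "possession",
    "token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def satisfies_sca(presented):
    """True when the presented elements cover at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def _canonical(amount, currency, payee, nonce):
    # Fixed-precision amount and length-prefixed fields keep the encoding unambiguous.
    fields = [f"{Decimal(amount):.2f}", currency.upper(),
              payee.replace(" ", "").upper(), nonce]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def auth_code(key, amount, currency, payee, nonce):
    """Authentication code bound to this amount and this payee (dynamic linking)."""
    mac = hmac.new(key, _canonical(amount, currency, payee, nonce), hashlib.sha256)
    return mac.hexdigest()[:16]  # truncation length is an assumption of this example


def verify(key, code, amount, currency, payee, nonce):
    """Recompute over the details about to be executed; any change invalidates the code."""
    return hmac.compare_digest(code, auth_code(key, amount, currency, payee, nonce))


# Constructed sample data, not real account details or a real key.
KEY = b"constructed-demo-key-not-for-production"
APPROVED = ("49.90", "EUR", "DE00 1234 5678 9012 3456 78", "nonce-0001")

if __name__ == "__main__":
    code = auth_code(KEY, *APPROVED)
    print("unchanged payment verifies:", verify(KEY, code, *APPROVED))
    print("altered amount verifies:",
          verify(KEY, code, "4990.00", "EUR", APPROVED[2], APPROVED[3]))
    print("smartphone + token counts as SCA:", satisfies_sca(["smartphone", "token"]))
```

A smartphone and a hardware token are both possession elements, so together they cover only one category and do not meet the two-out-of-three requirement.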
To sum up, PSD2 changes the banking industry by opening up the payment market to new participants to create more competition, and by upgrading security requirements, leading to a better banking experience for consumers. Undoubtedly, PSD2 has made splendid progress in revolutionizing the banking industry. However, much remains to be done to achieve widespread adoption.