Explained: The Revised Payment Services Directive (PSD2)
Everything you need to know about the payment services directive, why it was updated, and how you can take advantage of the rules.
What are the “Payment Services Directive” (PSD) and PSD2?
EU Directive 2007/64/CE, or “Payment Services Directive” (PSD) was a legal act taken by the European Commission, the executive branch of the European Union, in 2007.
The PSD formed the legal basis for the Single Euro Payments Area (SEPA), an integrated payment services market for transactions in euros across the EEA and Switzerland. Being created at the initiative of the European banking industry, represented by the European Payments Council (EPC), the PSD aimed to increase competition in the European markets by strengthening the rights of consumers and by expanding and clarifying the obligations of payment providers.
In 2015, the EU Parliament adopted EU Directive 2015/2366, also known as the Revised Payment Services Directive or PSD2. This updated regulation demanded new safeguards for consumers shopping online, encouraged the development and usage of innovative online and mobile payments and created safer European-wide payments.
In short, PSD2 is regulatory legislation that democratizes access to payment services such as account information and payment initiation. This means that now, thanks to PSD2, consumers and businesses can choose with whom they want to share and where they want to view their account data and have more secure payments due to Strong Customer Authentication (SCA).
This legislation introduced two new major agents in the financial services industry:
Account Information Service Provider (AISP)
Payment initiation Service Provider (PISP)
These two agents are also called Third Party Providers (TPPs), supervised by local financial supervisory authorities (FSAs). They need to passport their registration or license to other EEA countries if they want to provide services in other markets. These companies can be found on the European Banking Authority’s database.
PSD2 has been in place since January 2018, but given the magnitude of the changes it presents, it has not been fully implemented by all the banks across Europe even until now, in 2023, but it has definitely progressed significantly over these years. Currently, it is used in multiple business cases such as accounting, lending, invoicing, PFM solutions, etc.
What are the main changes that PSD2 introduced?
The updated directive requires banks and other payment service providers to take measures to protect customers' data and ensure that their transactions are safe and secure. Drivers of change are:
Increased Security (SCA and FSA control)
Competition in the payment industry (PIS)
Consumers’ & Businesses’ data ownership (AIS)
SCA and supervision of Financial Supervisory Authorities
One of the most significant changes that PSD2 introduced is the requirement for Strong Customer Authentication (SCA). This requires all electronic payments to be authenticated using two or more independent factors, such as:
Knowledge: something you know (PIN, one-time password)
Possession: something you own (a card or smartphone)
Inherence: something you are (usually biometric data such as fingerprints or a facial scan)
This is designed to reduce fraud and increase the security of sharing your financial information and online payments. For instance, for end-users, a visible change has been that due to the PSD2 SCA is also now required when initiating credit card payments. All PSD2 service providers (TPPs) are supervised by local financial supervisory authorities which is a huge improvement from an environment where any company could screen scrape or reverse engineer banks’ APIs and provide services, without any control.
Payment Initiation Service (PIS)
Payment Initiation Services (PIS) are provided by Payment Initiation Service Providers (PISPs). These are companies regulated under a Financial Supervisory Authority (FSA) that are licensed to enable direct account-to-account payments for their customers. PISPs can provide fast and easy payments without requiring you to enter card or account details. When payments are initiated directly between account-to-account it is more sustainable and cost-efficient than most traditional payment methods.
As PIS payments require SCA, it is most suitable for payments where the user is initiating single or batch payments, for instance, for buying on e-commerce sites or paying for invoices via a link. However, when there is a need to automate high volumes of outgoing payments, it is also worth exploring the options of premium payment APIs your bank provides.
Account Information Service (AIS)
Account Information Services (AIS) are provided by supervised Account Information Service Providers (AISPs). AISP provides you with a service which connects your or your company’s payment account information to the services you are using. A practical example, your accounting software can provide you with your real-time business payment accounts information and automated bank reconciliation, with your consent. Consent is achieved through SCA and it can be valid for 90 days (soon 180 days) meaning the real-time payment account data can be accessed during that period without extra authentication required. It also allows receiving historical data from accounts. Normally banks are providing at least one year of historical data.
PSD2 has made it so that any business beyond traditional financial institutions (that meets the strict requirements, of course) can be an AISP. It is also common that end-user solutions, for example, companies providing accounting software become AISPs when the service of connecting the payment accounts of their customers is a crucial part of their businesses. Before this regulation, this information was available through methods like screen scraping, reverse engineering, or file transfers. Now, PSD2 is providing opportunities for consumers and businesses to make the most of their financial data through other services of their choice.
This is one of the largest changes in the Revised Payment Services Directive – the democratization of financial/banking information. The financial sector becomes one of the first real-world examples of an API economy as thousands of European financial institutions are opening up the data and companies can implement new and more efficient services to their customers.
Open Banking
In Europe, the regulation became a driver of introducing Open Banking. PSD2 brought in a set of APIs (Application Programming Interfaces) that allow authorized TPPs in Europe to access account information and initiate payments on behalf of their customers, with customers staying in charge thanks to the SCA. Given the level of improvement in a short time, it is already seen that there can be even more data sources and opportunities to bring new innovations to other aspects of financial services.
At the moment, Europe is undergoing a project to introduce new regulation which is also known as Open Finance. It is a natural extension of Open Banking: it envisions a world in which financial institutions disclose all of their client's financial data upon request, enabling a much wider ecosystem of TPPs and organizations eager to act on this data. This could be your investment, loan and saving accounts data from your banks, as well as your insurance data from the insurance companies.
In conclusion, the Revised Payment Services Directive (PSD2) is already bringing significant benefits to consumers and the financial services industry in Europe. However, we see a shift towards Open Banking happening all over the world. It prevails in Australia, the United States, the Middle East, Asia and many other markets, where it is also driven by either the regulation or the needs of the market.
This global open data ecosystem has the potential to revolutionize the way financial services are provided. Allowing users to share their data with solutions and services, that they are using, opens up a huge range of possibilities for wildly innovative new services.