Ultimate Guide to Payment Services Directive 2 – 2021 Update

What is the Payment Services Directive 2 (PSD2)?

PSD2 is a regulation that entered into force in January 2016. All Member States of the European Union were required to make these rules national law by the end of 2019, but active enforcement of SCA, which is a part of the directive, started in January 2021 in most of Europe. The directive applies to electronic payment services. PSD2 extends the reach of and enhances the previously introduced PSD, the Payment Services Directive, which entered into force in 2007 and regulated electronic payments made within the European Union.

PSD2 applies to both retail customers and corporate companies, business accounts and personal accounts. The products that the regulation concerns include credit cards, debit cards, as well as pre-paid cards.

What is the purpose of PSD2?

There have been several reasons for implementing the new directive. The main ones include:

  • making payments with credit and debit cards more secure
  • encouraging competition in the payments industry
  • increasing the participation of non-bank actors in payments
  • protecting customers more efficiently
  • boosting innovation and facilitating the creation of a Digital Single Market in Europe.

What is Strong Customer Authentication?

The new requirements that PSD2 introduced are known as Strong Customer Authentication (SCA). SCA aims to reduce fraud and make online payments safer. For a transaction to meet SCA requirements, at least two authentication elements are necessary. An overview of them can be found in the table below.

| authentication element | examples |
|---|---|
| something only the customer knows | password, PIN, memorable information |
| something the customer possesses | phone, smart card, token |
| something the customer is | face recognition, fingerprint, voice patterns |

Strong Customer Authentication applies to all online payments initiated by customers. That means that when someone, for example, uses a credit card to purchase something or makes a bank transfer, they will be required to confirm their identity.

For online payments where customers use their cards, both the business’s and the cardholder’s banks need to be located in the European Economic Area (EEA) for the rules to apply. 

SCA makes payments more secure in a few ways:

  1. Reduces the risk of online fraud occurring
  2. Reduces the financial consequences of processing fraudulent transactions
  3. Ensures merchants comply with PSD2
  4. Increases customers’ trust and makes them feel safe

Some low-risk payments may not be subject to Strong Customer Authentication. When a customer initiates a transaction, the cardholder’s bank will see it, assess the risk, and decide whether strong authentication is needed.

What changes does PSD2 introduce?

PSD2 makes mobile and online payments easier and helps customers manage their accounts and keep track of their transactions. Moreover, thanks to the changes introduced by PSD2, comparing deals will be easier. The main changes include:

  1. Better market efficiency
  2. New providers of services
  3. New ways of making payments
  4. Better customer protection
  5. More effective security risk management
  6. Stronger customer authentication
  7. Safer online communication
  8. Closer supervision of payment institutions

Does PSD2 apply in the UK?

When first introduced, PSD2 applied to all Member States of the European Union, as well as Norway, Iceland and Liechtenstein. Now that the UK has left the EU, many people wonder if the directive is still binding. Brexit has undoubtedly made digital payments between the European Union and the UK more complicated. As PSD2 already became law, it still applies. Nevertheless, the UK’s Financial Conduct Authority postponed the enforcement of PSD2. British online merchants have until March 2021 to update their payment systems to comply with PSD2.

What is open banking and how does it relate to PSD2?

Open banking requires banks in the UK to release their data in a secure form so that it can be shared by authorised bodies. Banks store information about all transactions carried out by their customers. Thanks to open banking, this information can be used by third parties to provide more personalised services. Moreover, customers can choose to share information about how they operate their bank account with parties that, based on that, will tailor their banking experience. Thanks to that, finding the best financial products for their needs will be easier than ever.

Many people say that PSD2 is a form of open banking. In principle, the concepts are very similar. The difference between them, however, lies in the fact that PSD2 requires banks to share their data with third parties in some way, while Open Banking requires them to do it in a certain, specific way. PSD2 makes it possible for Open Banking to take place.

Institutions that PSD2 applies to

PSD2 regulates the two types of services that became popular after the first PSD was adopted: Payment Initiation Services (PIS) and Account Information Services (AIS).

An overview of the institutions that PSD2 mentions can be found in the table below.

| institution | abbreviation | how PSD2 affects them |
|---|---|---|
| Payment Initiation Service Provider | PISP | allows PISPs to initiate payments directly from customer payment accounts |
| Account Information Service Provider | AISP | AISPs can access customer data and provide an overall overview of their financial activity |
| Account Servicing Payments Service Provider | ASPSP | ASPSPs are the institutions holding customers’ payment accounts |

PISPs and AISPs represent Third Party Providers (TPPs). For the time being, thanks to PSD2, TPPs and individual customers can access data such as pricing and product information that will be publicly available. Moreover, certain regulated TPPs can get insight into customers’ transaction data. They need to get the customer’s consent for that, however.

TPPs also have to comply with the rules that apply to traditional payment service providers:

  • registration
  • authorization
  • supervision by external authorities

Conclusion

PSD2 represents a major innovation in how banks operate and how online transactions are processed. As open banking means that personal information will be shared between multiple organisations, including non-bank third parties, it is imperative that customers are aware of that. Before any data is shared, customers have to express their consent, and banks have to do everything they can to ensure their clients are protected. Thanks to Strong Customer Authentication that PSD2 introduces, this greater level of security and fraud prevention can be achieved.
