What is PSD2?


PSD2 is a European directive that uniformly regulates payment services and payment service providers across the European Union (EU). The directive aims to increase competition across Europe and also allows non-banks, such as FinTechs, to participate in the payment industry.

PSD2 – A Definition

PSD2 stands for “Payment Services Directive 2” and is a European directive regulating payment services and electronic money. It was developed to promote competition in the payment services sector, improve the security of online payments, and give consumers more control over their financial data.

PSD2 and open banking

PSD2 is considered the regulatory starting point for open banking in Europe. The directive requires banks to provide standardized and secure interfaces (APIs) through which licensed third-party providers can access account data or initiate payments with the express consent of the customer.

In the open banking ecosystem, PSD2 distinguishes between three key roles: 

  • ASPSP (Account Servicing Payment Service Provider): 
    The account-holding institution, usually a bank, which provides payment accounts and makes the API infrastructure available. 
  • AISP (Account Information Service Provider): 
    Third-party providers that bundle and process account information (e.g., for financial overviews, creditworthiness analyses, or personal finance management). 
  • PISP (Payment Initiation Service Provider): 
    Third-party providers that initiate payments directly from the customer’s bank account on their behalf. 

By assigning these roles, PSD2 creates the legal basis for new data-based business models, innovative payment processes, and stronger networking between banks and FinTechs.

Scope of application of PSD2

PSD2 applies to payment service providers in the European Union (EU) and the European Economic Area (EEA), including Iceland, Liechtenstein, and Norway. It covers both banks and licensed payment and e-money institutions. 

Geographical scope

The directive applies to: 

  • Payments within the EU/EEA 
  • Transactions in which at least one participating payment service provider is based in the EU/EEA (“one-leg-out”) 
  • Payments in all currencies, provided they are executed by an EU/EEA payment service provider 

Compared to PSD1, the scope of application has been significantly expanded, in particular through the inclusion of third-country currencies and cross-border scenarios.

Material scope

PSD2 regulates core payment services such as credit transfers, direct debits, card payments, and the new services of payment initiation (PIS) and account information (AIS). Purely technical service providers without access to customer funds are not covered. 

Legal nature of PSD2

PSD2 is an EU directive. It is therefore not directly applicable, but must be transposed into national law by each member state. 

In Germany, this was achieved in particular through amendments to the Payment Services Supervision Act (ZAG) and other financial regulations. Despite uniform objectives across Europe, this can result in differences in practical implementation. 

Technical detail requirements—in particular for strong customer authentication (SCA) and interfaces for third-party providers—were additionally specified in Regulatory Technical Standards (RTS), which apply directly as EU regulations and ensure greater harmonization.

PSD2 as a regulatory framework

PSD2 is not just a collection of individual security requirements, but a comprehensive regulatory framework for European payment transactions. 

Among other things, it regulates: 

  • Authorization and supervision of payment service providers
  • Security requirements (e.g., SCA)
  • Liability and transparency obligations
  • Rights and obligations in the open banking environment

PSD2 thus creates the legal basis for more competition, innovation, and consumer protection in the European payments market. 

Who is affected by PSD2?

PSD2 affects various players in the European payment system – with different implications for each: 

Consumers:

  • Greater security through strong customer authentication (SCA)
  • Greater transparency regarding fees and liability 
  • Greater control over own account data through consent requirement

Merchants:

  • Elimination of additional fees for common cards (“surcharging ban”)
  • Adaptation to SCA requirements in the checkout process 
  • New payment options through Payment Initiation Services (PIS)

Banks:

  • Obligation to provide secure interfaces (APIs) for third-party providers 
  • Higher regulatory requirements and security standards 
  • Stronger competition through open banking

FinTechs / Third Party Providers (TPPs):

  • Regulated access to account information (AIS)
  • Legally compliant initiation of payments on behalf of the customer (PIS)
  • Clear licensing and supervisory requirements within the EU

PSD2 thus creates a uniform framework that is intended to promote both security and innovation—with tangible effects for all market participants. 

Advantages and challenges of PSD2

PSD2 strengthens competition in the European payments market by requiring banks to open their account interfaces, thereby enabling open banking. This gives rise to new data-based business models and innovative payment processes. At the same time, the directive increases security and improves consumer protection through strong customer authentication (SCA) and clearer liability rules. 

On the other hand, it requires considerable implementation effort on the part of banks, payment service providers, and FinTechs. The technical requirements for APIs and authentication procedures are complex, and differing national interpretations can lead to regulatory uncertainty. Moreover, the additional authentication step in the payment process can affect the user experience.

PSD2 is thus both a driver of innovation and a regulatory challenge for European payments. 

Since When Has PSD2 Been in Effect?

The implementation of PSD2 took place in two stages. The first stage came into effect on January 13, 2018, replacing the original PSD (Payment Services Directive) from 2007. This second version of the directive included, among other things, a reduction in the liability limit for unauthorized card transactions, the so-called surcharging ban, and an extension of the scope to include non-EU/EEA currencies. The obligation for strong customer authentication and the opening of payment accounts to “third parties” were initially specified in the European Commission’s Regulatory Technical Standards (RTS). These came into effect with the second stage on September 14, 2019.

Key Features of PSD2

Two-Factor Authentication (2FA):

PSD2 requires that online payments be secured by at least two independent authentication factors. A factor can be something the user knows (such as a password), something the user has (such as a mobile device), or something the user is (such as a fingerprint or facial recognition).

Access to Account Information:

PSD2 allows third-party providers to access consumer account data, provided the consumers give explicit consent. This was the starting point for Open Banking, where third-party providers like FinTech companies can develop innovative financial services based on this data.

Access to Payment Services (Payment Initiation Service):

PSD2 also enables third-party providers to initiate payments on behalf of consumers. This can help increase the efficiency of payments and offer alternative payment methods.

Stronger Security Standards:

The directive introduces stricter security standards for payment service providers to prevent fraud and increase the security of online payments.

Transparency and Consumer Protection:

PSD2 requires banks and payment service providers to provide consumers with clear information about fees and transactions and strengthen consumer protection.

What comes after PSD2? PSD3 explained in brief 

The European Commission has conducted a comprehensive evaluation of PSD2 and, based on this, has presented proposals for further development: PSD3 and an accompanying Payment Services Regulation (PSR). The aim is to eliminate existing ambiguities, further strengthen harmonization within the EU, and implement security requirements in an even more uniform manner. 

PSD3 is intended in particular to reduce regulatory differences between member states, improve fraud prevention, and further develop the open banking framework. At the same time, some of the regulations will no longer be designed as a directive but as a directly applicable regulation (PSR) in order to ensure more consistent application in the internal market. 

PSD3 therefore does not mark a break with the system, but rather the consistent further development of the European payment framework – with the aim of further balancing innovation, security, and competition. 


FAQ

What is PSD2?

PSD2 is an EU directive designed to make payments more secure, innovative, and competitive.

What changes does PSD2 bring for consumers?

Consumers benefit from stronger protection, improved access to account data, and new payment services.

What is Strong Customer Authentication (SCA) under PSD2?

SCA is a security process that requires at least two independent authentication factors for payments.

Who must comply with PSD2?

PSD2 applies to banks, payment service providers, and any party accessing payment or account data.