The Payment Services Directive 2 (PSD2) is an EU directive, Directive (EU) 2015/2366, that regulates payment services and payment service providers throughout the European Economic Area. PSD2 introduced groundbreaking requirements for open banking — mandating that banks give third-party payment service providers access to customer account data (with the customer's consent) — and established Strong Customer Authentication (SCA) requirements to enhance payment security.
Why PSD2 Matters
PSD2 fundamentally transformed the European payments landscape by breaking banks' monopoly on customer payment data. By mandating open banking APIs, PSD2 enabled a new generation of fintech services — from account aggregation and payment initiation to personal finance management and credit scoring based on transaction data. PSD2 also introduced two new categories of regulated entities: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), creating new market opportunities and competitive dynamics.
Regulatory Implications
PSD2 introduced several transformative regulatory requirements:
Open banking/API access: Banks must provide licensed third-party providers access to customer account information and payment initiation capabilities through secure APIs, with the customer's explicit consent.
Strong Customer Authentication (SCA): Most electronic payments require two-factor authentication combining two independent elements from three categories: knowledge (PIN/password), possession (phone/card), and inherence (biometrics).
New provider categories: PSD2 created AISPs (accessing account data) and PISPs (initiating payments from customer accounts), each with specific licensing requirements.
Enhanced consumer protection: Reduced liability for unauthorized transactions, faster refund obligations, and prohibition on surcharging for most payment methods.
Passporting: Payment institutions authorized in one EU member state can passport services across the EEA.
How PSD2 Relates to Compliance Monitoring
PSD2 compliance continues to evolve through regulatory technical standards, European Banking Authority (EBA) opinions, and national supervisory practices. With PSD3 now in development, the payments regulatory landscape is entering a new phase. RegPulse monitors all PSD2-related developments, including EBA guidance, national implementation variations, and the transition toward PSD3.
Open banking under PSD2 requires banks to provide licensed third-party payment service providers (TPPs) access to customer account data and payment initiation functionality through dedicated, secure interfaces (APIs). This access is only provided with the customer's explicit consent. It enables services like account aggregation (viewing multiple bank accounts in one app), payment initiation (making payments directly from a bank account without a card), and financial data analysis. Open banking has spawned a multi-billion-dollar ecosystem of fintech services.
Strong Customer Authentication is a PSD2 requirement mandating that electronic payments use at least two independent authentication factors from three categories: something the customer knows (PIN, password), something they possess (phone, card), and something they are (fingerprint, face recognition). SCA applies to most online payments, with exemptions for low-value transactions, recurring payments, and transactions assessed as low-risk through transaction risk analysis. SCA significantly reduced payment fraud across Europe.
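The SCA rule above comes down to a policy decision a payment service provider makes per transaction: does an exemption apply, and if not, were two factors from two different categories presented? The following is an added illustration, not code from the page or from any PSD2 implementation; the factor names, the low-value limit and the rule that the first payment in a recurring series still needs SCA are assumptions made for the example, not values stated on the page.

```python
from dataclasses import dataclass
from decimal import Decimal

# Map of authentication factor names (assumed for this example) to the
# three SCA categories: knowledge, possession, inherence.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "card": "possession", "registered_device": "possession", "otp_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

@dataclass
class Transaction:
    amount_eur: Decimal
    remote: bool                       # remote electronic payment (e.g. online)
    recurring_same_payee: bool = False # part of a series to the same payee
    first_in_series: bool = True       # assumption: first recurring payment needs SCA
    tra_low_risk: bool = False         # outcome of the provider's transaction risk analysis
    factors: tuple = ()                # factor names presented by the customer

def sca_satisfied(factors) -> bool:
    """True only when factors from at least two DIFFERENT categories were presented.
    Two knowledge factors (password + PIN) do not count: the categories must differ."""
    categories = {CATEGORY[f] for f in factors if f in CATEGORY}
    return len(categories) >= 2

def exemption(tx: Transaction, low_value_limit=Decimal("30")):
    """Return the name of the applicable exemption, or None.
    The low-value limit is a configurable assumption, not a value from the page."""
    if tx.remote and tx.amount_eur <= low_value_limit:
        return "low_value"
    if tx.recurring_same_payee and not tx.first_in_series:
        return "recurring"
    if tx.tra_low_risk:
        return "transaction_risk_analysis"
    return None

def decide(tx: Transaction):
    """Return ('exempt', reason), ('allow', None) or ('challenge', None)."""
    reason = exemption(tx)
    if reason:
        return ("exempt", reason)
    return ("allow", None) if sca_satisfied(tx.factors) else ("challenge", None)
```

A "challenge" outcome means the provider must step up authentication before completing the payment; the exemption checks run first because an exempt transaction needs no factors at all.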
PSD3 will build on PSD2 rather than replace it entirely. Key expected changes include enhanced open banking rules (addressing API quality and access issues), improved fraud prevention measures, stronger consumer protection, and consolidation of payment and e-money regulation. PSD3 is expected to become applicable around 2026-2027, with transitional provisions for existing license holders. Companies should begin preparing for the transition by monitoring legislative progress and planning compliance updates.