THALES BLOG

PSD2 Regulation and Compliance

August 5, 2024

Ammar Faheem | Product Marketing Manager

Understanding the Impact of the PSD2 Directive

The PSD2 directive is a cornerstone of payment legislation in Europe, designed to enhance consumer protection, foster innovation, and create a more integrated and secure European payment landscape.

The Regulatory Technical Standards on strong customer authentication were set to apply from September 14, 2019. To give the industry more time to prepare, the European Banking Authority (EBA) allowed national competent authorities to exercise supervisory flexibility, with a final migration deadline of 31 December 2020 for SCA on e-commerce card transactions.

In the UK, the Financial Conduct Authority (FCA) set a later deadline of March 14, 2022, allowing UK issuers additional time to comply. Until this date, UK issuers were not required to decline non-compliant transactions, providing more time for a smooth transition.

PSD2 has had a profound impact on the financial ecosystem, reshaping the infrastructure for banks, fintechs, and businesses that rely on payment data to serve consumers better. The directive builds upon the foundations laid by the original Payment Services Directive (PSD1, Directive 2007/64/EC), adopted in 2007, which first opened up the European banking and financial services market.

Let's explore the details further.


PSD2 Directive Timeline and Status

After extensive consultation, the European Banking Authority (EBA) submitted its final draft Regulatory Technical Standards (RTS) on strong customer authentication and secure communication in February 2017, outlining the specific responsibilities and obligations of all payment service providers under PSD2.

The European Commission adopted the RTS in November 2017 and, after scrutiny by the European Parliament and the Council, they were published on 13 March 2018 as Commission Delegated Regulation (EU) 2018/389. This started an 18-month application period that ended on September 14, 2019, the date by which all payment service providers in the EU were expected to comply with the RTS mandated by the PSD2 directive (EU) 2015/2366.

To prepare for this, banks had to make testing facilities for their dedicated interfaces (open APIs) available to third-party providers by March 14, 2019, six months before the application date. The RTS define what those interfaces must offer (identification of the third party, secure communication, and the same availability and performance as the bank's own customer-facing channels) but are technology-neutral on the API format itself, which is why industry standards such as the Berlin Group's emerged to fill that gap.

However, many banks and merchants struggled to meet the initial deadlines. As a result, the EBA extended the deadline to the end of 2020, giving the industry additional time to achieve full compliance.

While the delays presented challenges, they also solidified the foundation of open banking across Europe, ensuring that the shift towards more accessible and secure digital banking services is firmly established.

PSD2 Compliance: Who's Ready?

Historically, the transition to PSD2 compliance has been challenging for many financial institutions. As reported by Finextra, 41% of the 442 European banks surveyed failed to meet the March 2019 deadline for providing a testing environment to third-party service providers. This six-month testing period was crucial for these providers to test the APIs that connect them to banks and pilot new services.

At MONEY 2020 in June 2019, several speakers highlighted that some banks and financial providers were dragging their feet in complying with PSD2 requirements, particularly concerning data handover to customers and managing compliance and risk scenarios.

Ultimately, these delays led to the European Banking Authority (EBA) extending the deadline to implement Strong Customer Authentication (SCA) by fifteen months, setting a new deadline for December 2020.

Despite this extension, many financial institutions continued to struggle, compounded by the added complexities introduced by the coronavirus pandemic.

Ongoing Challenges

Since these early challenges, the financial industry has made significant progress toward PSD2 compliance. A 2023 impact assessment by the European Commission revealed that PSD2 has successfully advanced open banking across Europe, driving innovation and competition within the payments market. However, despite these advances, challenges remain, particularly in achieving full standardization and consistent implementation across all EU member states (sources: Deloitte United States, INNOPAY).

While the majority of European financial institutions have now implemented the required technologies and frameworks, compliance is not a one-time effort. The financial landscape continues to evolve, with ongoing developments related to PSD3 and other regulatory changes indicating that banks and fintech companies must continue adapting to maintain compliance and leverage new opportunities within the market (source: BNY | Global Financial Services).

PSD2 regulation: Impacts on banks and TPPs

Security is top-of-mind

The core principles of the PSD2 RTS, i.e., Strong Customer Authentication (SCA), secure communication, risk management, and Transaction Risk Analysis (TRA), survived unchanged from the draft to the final text, confirming the directive's security objectives. Under Article 97 of PSD2, payment service providers must apply SCA whenever a payer accesses a payment account online, initiates an electronic payment transaction (proximity or remote, on any channel), or carries out any action through a remote channel that may imply a risk of payment fraud.

This obligation means using elements from at least two of these three categories:

  • Knowledge: something only the user knows, e.g., a password, code, or personal identification number
  • Possession: something only the user possesses, e.g., a token, smart card, or mobile handset
  • Inherence: something the user is, e.g., a biometric characteristic such as a fingerprint

In addition, the elements selected must be mutually independent: the breach of one must not compromise the reliability of the others. For example, a PIN and a one-time code that are both obtained by compromising the same unlocked handset do not give two independent factors, even though they come from two categories. For remote payments the RTS also require dynamic linking (Article 5): the authentication code must be specific to the amount and the payee, so that changing either invalidates it.

Smooth user experience

To keep the user experience smooth, PSD2 requires banks to apply security measures "compatible with the level of risk involved in the payment service", striking a balance between security and convenience.

To simplify life for digital banking consumers, the RTS list several situations in which Payment Service Providers (PSPs) may choose not to apply strong customer authentication.

Most of these exemptions concern low-value payments (contactless at a terminal and low-value remote transactions, each subject to a cumulative amount or count since the last SCA), recurring transactions with the same amount and payee, payments to beneficiaries the payer has previously whitelisted under SCA, and remote transactions that a PSP's transaction risk analysis scores as low risk, provided its fraud rate stays below the reference thresholds. An exemption is an option, not an obligation: the PSP remains free to request SCA, and the issuer may still decline an exemption the acquirer has claimed.
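The two-of-three rule, the independence requirement, and the exemption logic above are easy to state and easy to get subtly wrong in a PSP's authorisation flow. The following is an added example, not code from the page or from Thales, of how a PSP-side decision could be encoded: exemptions are evaluated first, and only then are the presented elements checked for two distinct categories that do not share a single point of compromise. The `binding` model, all element and device names, and the low-value thresholds (written from memory of RTS Articles 11 and 16 and to be confirmed against the current text) are this example's assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


@dataclass(frozen=True)
class AuthElement:
    name: str
    factor: Factor
    # Assumed model: what an attacker would have to compromise to obtain this
    # element (a memorised secret, a SIM, a handset ...). Two elements that
    # share a binding fall together, so they are not independent in the RTS sense.
    binding: str


@dataclass
class Payment:
    amount_eur: float
    remote: bool                          # app / e-commerce vs. contactless at a terminal
    beneficiary_trusted: bool = False     # payee on a list the payer created under SCA
    cumulative_since_sca_eur: float = 0.0 # running total of exempted payments since last SCA
    count_since_sca: int = 0              # number of exempted payments since last SCA


# Assumed low-value limits: (per-transaction, cumulative amount, consecutive count),
# keyed by remote=True / proximity=False. Treat as illustrative, not authoritative.
LOW_VALUE_LIMITS = {
    True: (30.0, 100.0, 5),   # remote low-value
    False: (50.0, 150.0, 5),  # contactless proximity
}


def exemption(p: Payment) -> Optional[str]:
    """Return the name of an applicable exemption, or None if SCA is required."""
    if p.beneficiary_trusted:
        return "trusted_beneficiary"
    per_txn, cumulative, max_count = LOW_VALUE_LIMITS[p.remote]
    # Both the cumulative amount and the consecutive count must still have headroom;
    # the counters are reset by the PSP whenever SCA is actually performed.
    if (p.amount_eur <= per_txn
            and p.cumulative_since_sca_eur + p.amount_eur <= cumulative
            and p.count_since_sca < max_count):
        return "low_value"
    return None


def satisfies_sca(elements):
    """Check the two-of-three rule and the mutual independence of the elements."""
    bindings_by_factor = {}
    for e in elements:
        bindings_by_factor.setdefault(e.factor, set()).add(e.binding)
    if len(bindings_by_factor) < 2:
        return False, "fewer than two distinct factor categories presented"
    # Strict reading: if any cross-category pair shares a binding, compromising that
    # binding yields both elements at once, so the pair is not independent.
    for f1, f2 in combinations(bindings_by_factor, 2):
        shared = bindings_by_factor[f1] & bindings_by_factor[f2]
        if shared:
            return False, f"{f1.value} and {f2.value} elements share binding {sorted(shared)}"
    return True, "two independent factors present"


def decide(p: Payment, elements):
    """PSP decision: ('exempt', reason), ('authenticated', detail) or ('declined', detail)."""
    reason = exemption(p)
    if reason is not None:
        return ("exempt", reason)
    ok, detail = satisfies_sca(elements)
    return ("authenticated", detail) if ok else ("declined", detail)


# Constructed sample elements (assumptions, not real products).
PASSWORD = AuthElement("password", Factor.KNOWLEDGE, "memory")
SMS_OTP = AuthElement("sms-otp", Factor.POSSESSION, "sim:primary")
DEVICE_PIN = AuthElement("device-pin", Factor.KNOWLEDGE, "handset:A")
PUSH_APPROVAL = AuthElement("push-approval", Factor.POSSESSION, "handset:A")

if __name__ == "__main__":
    small = Payment(amount_eur=25, remote=True, cumulative_since_sca_eur=60, count_since_sca=2)
    large = Payment(amount_eur=250, remote=True)
    print(decide(small, []))                           # low-value exemption, no SCA needed
    print(decide(large, [PASSWORD, SMS_OTP]))          # two independent categories
    print(decide(large, [PASSWORD, DEVICE_PIN]))       # knowledge twice: declined
    print(decide(large, [DEVICE_PIN, PUSH_APPROVAL]))  # same handset for both: declined
```

The example deliberately leaves out the TRA exemption and dynamic linking: TRA depends on the PSP's audited fraud rate per exemption threshold, and dynamic linking is a property of how the authentication code is generated rather than of which factors are present. In a real flow the counters on `Payment` must be reset whenever SCA is performed, and the `binding` labels must come from the PSP's own device and channel inventory, not from the client.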

PSD2 and open banking

The move to open banking lowers the barriers between competitors: banks must let customers share their account data and initiate payments through authorised third parties, with the customer's explicit consent, over APIs.

PSD2 therefore hinges on a critical connection between retailers, fintechs, and banks.

This relationship is powered by APIs that banks must open to any authorised Third-Party Provider, whether an account information service provider (AISP) aggregating account data or a payment initiation service provider (PISP) initiating payments on the customer's behalf.

This change builds a common ground of more robust collaboration and better interoperability between traditional financial institutions and new banking and payment space players.

And to provide a consistent and seamless user experience, banks will also have to collaborate to define a common approach at a country or regional level.

A new world of opportunities

PSD2 is a customer-centric regulation that should improve the customer environment, benefiting end-users and all banking and payment parties.

Partnerships and open-banking APIs with the right security level brought by SCA and risk monitoring can generate value by:

  • Adding third-party capabilities to core offerings.
  • Capitalizing on consumer behavior and storing consumer preference data.
  • Making the multi-factor authentication process as easy as possible for the customer.

New customer onboarding becomes easier, offering end-users better tools to manage their finances and enticing them to buy new products and services provided by banks and TPPs.

Banks can use financial data better to provide competing services at competitive rates.

Leading banks have started building strong partnerships and open-banking API hubs, showing how PSD2 regulation can be the perfect tool for more innovation in payment and banking.

PSD2 compliance: Where do we fit in?

As a leading provider of digital security solutions, we enable banks and financial institutions to meet the challenges raised by PSD2.

Thales helps financial organizations understand and address PSD2 requirements for strong customer authentication, risk management, and Open Banking API. With Thales solutions, you can combine PSD2 SCA and the latest innovation in passwordless authentication, such as FIDO passkeys.

Download our PSD2 Compliance Requirements & Solutions series of white papers to learn more, or contact our team of digital banking IAM experts for help with PSD2.