PSD2 Compliance


The European Union’s revised Payment Services Directive, commonly known as PSD2, has fundamentally transformed how financial institutions, payment service providers, and third-party vendors handle digital payments and customer data. Since its implementation in January 2018, PSD2 has reshaped the competitive landscape of financial services while strengthening consumer protection and security standards across the EU and EEA member states.

Understanding PSD2 compliance is essential for any organization operating in the European payments ecosystem. This directive affects traditional banks, fintech companies, payment processors, e-commerce platforms, and any business that facilitates electronic payments. Non-compliance can result in substantial penalties and operational disruptions, making it critical for organizations to maintain adherence to these regulatory requirements.

What is PSD2 Regulation

PSD2, or the Second Payment Services Directive, is European legislation that governs payment services and payment service providers throughout the European Union and European Economic Area. The directive came into force in January 2018, replacing the original Payment Services Directive from 2007. PSD2 was designed to increase competition in the payments industry, enhance consumer protection, and improve the security of electronic payments.

The regulation introduces several groundbreaking concepts to the financial services sector. Most notably, PSD2 mandates that banks must open their payment services and customer account information to third-party providers through secure application programming interfaces. This requirement has enabled new market entrants to offer innovative services such as account aggregation, payment initiation, and personal finance management tools.

PSD2 establishes a framework for two new types of regulated payment service providers: Account Information Service Providers, which can access customer account data with consent, and Payment Initiation Service Providers, which can initiate payments directly from customer accounts. These providers must be authorized and supervised by national competent authorities within their respective jurisdictions.

The directive also introduces Strong Customer Authentication requirements, which mandate multi-factor authentication for most electronic payment transactions. This security measure aims to reduce fraud and protect consumers from unauthorized transactions. Additionally, PSD2 enhances consumer protection through improved transparency requirements, clearer information disclosure, and strengthened liability rules for unauthorized payments.

PSD2 Requirements

Organizations subject to PSD2 must meet several core requirements to maintain compliance. Understanding these obligations is fundamental to developing an effective compliance strategy.

Strong Customer Authentication represents one of the most impactful requirements under PSD2. Payment service providers must implement authentication mechanisms that use at least two independent elements from three categories: knowledge (something only the user knows, like a password), possession (something only the user possesses, like a mobile device), and inherence (something the user is, like a fingerprint). This authentication must be applied when customers access their payment accounts online, initiate electronic payment transactions, or carry out actions that could involve fraud or other abuse.

PSD2 requires banks and other account servicing payment service providers to maintain dedicated interfaces that allow authorized third-party providers to access customer account information and initiate payments. These interfaces must meet specific technical standards outlined in the regulatory technical standards, ensuring secure communication and data exchange. The interfaces must be tested and made available with the same level of availability and performance as the interfaces used by the account servicing payment service provider for its own services.

Organizations must obtain explicit consent from customers before third-party providers can access their account information or initiate payments on their behalf. This consent must be specific, informed, and unambiguous, and customers must be able to withdraw consent at any time. Payment service providers are responsible for maintaining clear records of customer consent and ensuring that access is limited to the scope agreed upon.

The directive imposes strict data protection and security requirements on all payment service providers. Organizations must implement robust security measures to protect customer data, prevent fraud, and detect operational and security risks. These measures must be proportionate to the risks involved and must be regularly tested and updated. Payment service providers must also report major security incidents to their national competent authority without undue delay.

PSD2 establishes comprehensive liability rules for unauthorized payment transactions. In general, payment service providers bear liability for unauthorized transactions unless they can prove the customer acted fraudulently or with gross negligence. Customers have limited liability for unauthorized transactions occurring before they notify their payment service provider, capped at fifty euros in most circumstances. These provisions strengthen consumer protection while incentivizing payment service providers to maintain high security standards.

PSD2 Compliance Checklist

Developing a systematic approach to PSD2 compliance requires attention to multiple operational and technical areas. Organizations should evaluate their current practices against regulatory requirements and implement necessary changes to achieve full compliance.

Start by conducting a comprehensive assessment of your organization’s status under PSD2. Determine whether your services fall within the scope of the directive and identify which specific requirements apply to your operations. Organizations offering payment services may need to register or obtain authorization from their national competent authority. Review your existing authorization status and ensure all required licenses remain current and valid.

Implement Strong Customer Authentication across all applicable transactions and account access scenarios. Design authentication flows that incorporate at least two independent authentication factors from different categories. Consider user experience carefully when implementing these measures, ensuring security enhancements do not create unnecessary friction for legitimate customers. Document your authentication approach and maintain evidence demonstrating compliance with technical standards.

For banks and account servicing payment service providers, develop and deploy compliant application programming interfaces that allow authorized third-party providers to access customer account information and initiate payments. These interfaces must meet the technical standards specified in the regulatory technical standards, including requirements for secure communication protocols, data formats, and performance standards. Establish testing environments and procedures to allow third-party providers to validate their integrations before moving to production.

Review and update your customer consent management processes to ensure compliance with PSD2 requirements. Implement systems that capture explicit consent before allowing third-party access to customer accounts. Provide customers with clear information about what data will be accessed, how it will be used, and their rights to withdraw consent. Maintain audit trails documenting all consent activities and third-party access to customer accounts.

Strengthen your security and fraud prevention capabilities to meet PSD2 standards. Conduct regular risk assessments to identify vulnerabilities in your payment systems and implement appropriate safeguards. Establish monitoring systems to detect suspicious activities and potential security incidents. Develop incident response procedures and ensure your organization can report major incidents to the competent authority within required timeframes.

Update your contractual agreements, terms and conditions, and customer communications to reflect PSD2 requirements. Ensure customers receive clear, comprehensive information about payment services, fees, charges, and their rights and obligations. Review liability provisions in your agreements to align with PSD2 standards for unauthorized transactions.

Establish internal governance structures to oversee ongoing compliance efforts. Assign clear responsibilities for PSD2 compliance to specific individuals or teams within your organization. Implement regular compliance monitoring and reporting procedures. Develop training programs to ensure staff understand their compliance obligations and can identify potential issues.

PSD2 Compliance Check

Organizations should implement systematic procedures to verify their ongoing compliance with PSD2 requirements. Regular compliance checks help identify potential issues before they result in regulatory action or operational problems.

Begin your compliance check by reviewing your organization’s authorization or registration status. Confirm that all required licenses remain valid and that you have notified your competent authority of any material changes to your business operations, ownership structure, or service offerings. Verify that your organization maintains the required level of professional indemnity insurance or comparable guarantee.

Evaluate your Strong Customer Authentication implementation across all payment channels and customer touchpoints. Test authentication flows to confirm they incorporate the required factors and meet independence requirements. Review any exemptions you apply to ensure they align with the conditions specified in regulatory technical standards. Monitor authentication success rates and investigate any anomalies that might indicate compliance issues or security concerns.

For organizations providing interfaces to third-party providers, assess the performance, availability, and functionality of these interfaces. Compare interface capabilities with those available for your own services to ensure third parties are not disadvantaged. Review testing procedures and support arrangements for third-party providers. Examine interface documentation to confirm it provides clear, comprehensive technical specifications.

Examine your consent management processes by reviewing a sample of customer consent records. Verify that consent was obtained before granting third-party access, that customers received adequate information, and that consent scope matches actual data access. Check that your systems properly enforce consent withdrawal and that customers can easily manage their authorizations.
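The consent and authentication checks described here, and the two-of-three factor-category rule stated in the Strong Customer Authentication requirement above, can be expressed as a single access gate that a bank's third-party interface would consult on every request. The following is an added example written for this page, not code from the article's author or from any real PSD2 implementation; the consent fields, scope names, provider identifiers and timestamps are constructed, and the reason codes are invented for illustration. It enforces consent-before-access, scope matching, withdrawal, and the requirement that the customer's SCA session used two independent categories (two knowledge elements do not count), and it writes every decision to an append-only audit trail of the kind the text asks you to sample during a compliance check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Factor(Enum):
    """The three SCA element categories named by PSD2."""
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user has (registered phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


def sca_satisfied(factors: Iterable[Factor]) -> bool:
    """SCA needs at least two elements from *different* categories.
    Two elements of one category (password + PIN) are not independent."""
    return len(set(factors)) >= 2


@dataclass
class Consent:
    """A customer's consent record for one third-party provider (TPP). Constructed schema."""
    consent_id: str
    customer_id: str
    tpp_id: str
    scopes: frozenset            # data the customer agreed to share, e.g. {"accounts", "balances"}
    granted_at: datetime
    valid_until: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        return self.granted_at <= now < self.valid_until


class ConsentGate:
    """Decides every TPP data request against the consent store and keeps an audit trail."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}
        self.audit_log: List[dict] = []  # append-only: every grant, withdrawal and access decision

    def grant(self, consent: Consent) -> None:
        self._consents[consent.consent_id] = consent
        self._record("grant", consent.consent_id, consent.tpp_id, None, True, "granted", consent.granted_at)

    def withdraw(self, consent_id: str, now: datetime) -> None:
        consent = self._consents[consent_id]
        consent.withdrawn_at = now
        self._record("withdraw", consent_id, consent.tpp_id, None, True, "withdrawn", now)

    def authorise_access(self, consent_id: str, tpp_id: str, scope: str,
                         sca_factors: Iterable[Factor], now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Checks run in order; the first failure is reported."""
        consent = self._consents.get(consent_id)
        if consent is None:
            allowed, reason = False, "unknown-consent"
        elif consent.tpp_id != tpp_id:
            allowed, reason = False, "tpp-mismatch"         # consent belongs to a different TPP
        elif not consent.is_active(now):
            allowed, reason = False, "consent-inactive"     # withdrawn, expired or not yet valid
        elif scope not in consent.scopes:
            allowed, reason = False, "scope-not-consented"  # request exceeds the agreed scope
        elif not sca_satisfied(sca_factors):
            allowed, reason = False, "sca-insufficient"     # customer session lacked two categories
        else:
            allowed, reason = True, "ok"
        self._record("access", consent_id, tpp_id, scope, allowed, reason, now)
        return allowed, reason

    def _record(self, event, consent_id, tpp_id, scope, allowed, reason, when) -> None:
        self.audit_log.append({"event": event, "consent_id": consent_id, "tpp_id": tpp_id,
                               "scope": scope, "allowed": allowed, "reason": reason,
                               "at": when.isoformat()})


def run_scenario() -> Tuple[List[Tuple[bool, str]], List[dict]]:
    """Constructed walk-through: one AISP consent, several access attempts, then a withdrawal."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    gate = ConsentGate()
    gate.grant(Consent("c-001", "cust-42", "tpp-aisp-1", frozenset({"accounts", "balances"}),
                       granted_at=t0, valid_until=t0 + timedelta(days=90)))
    strong = [Factor.KNOWLEDGE, Factor.POSSESSION]
    weak = [Factor.KNOWLEDGE, Factor.KNOWLEDGE]  # two passwords: same category, not SCA
    t1 = t0 + timedelta(hours=1)
    decisions = [
        gate.authorise_access("c-001", "tpp-aisp-1", "balances", strong, t1),      # allowed
        gate.authorise_access("c-001", "tpp-aisp-1", "transactions", strong, t1),  # outside scope
        gate.authorise_access("c-001", "tpp-aisp-1", "balances", weak, t1),        # SCA not met
        gate.authorise_access("c-001", "tpp-other", "balances", strong, t1),       # wrong TPP
    ]
    gate.withdraw("c-001", t0 + timedelta(hours=2))
    decisions.append(gate.authorise_access("c-001", "tpp-aisp-1", "balances", strong,
                                           t0 + timedelta(hours=3)))              # withdrawn
    return decisions, gate.audit_log


if __name__ == "__main__":
    for decision in run_scenario()[0]:
        print(decision)
```

The ordering of the checks is deliberate: scope and SCA are only evaluated once the consent is known to exist, belong to the requesting provider and still be active, so a withdrawn consent is refused before any data-level reasoning happens. Sampling `audit_log` entries with `"allowed": False` and grouping by `reason` is one concrete way to carry out the record review this section describes.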

Assess your security posture through regular security testing, vulnerability assessments, and penetration testing. Review security incident logs and your organization’s responses to any incidents that occurred. Confirm that major incidents were reported to the competent authority within required timeframes and that appropriate remedial actions were taken.

Review customer communications, website content, and contractual documentation to ensure they provide accurate, clear information about your services and comply with PSD2 transparency requirements. Check that fee structures are clearly disclosed and that customers understand their rights regarding unauthorized transactions.

Conduct interviews with relevant staff to verify that personnel understand PSD2 requirements and their compliance responsibilities. Review training records to ensure employees receive regular updates on regulatory obligations. Examine internal compliance reports and management oversight activities to confirm that compliance monitoring occurs systematically.

PSD2 Compliance Penalties

Failure to comply with PSD2 requirements can result in significant penalties imposed by national competent authorities. Understanding the potential consequences of non-compliance underscores the importance of maintaining robust compliance programs.

National competent authorities across EU member states have extensive powers to enforce PSD2 compliance. These authorities can impose administrative sanctions and measures on payment service providers that breach directive requirements. The specific penalties available vary by jurisdiction, as each member state implements PSD2 through national legislation, but all competent authorities maintain substantial enforcement capabilities.

Financial penalties represent one of the most common sanctions for PSD2 violations. Competent authorities can impose administrative fines on organizations that fail to meet compliance obligations. While penalty amounts vary across jurisdictions, many national frameworks allow for fines reaching into the millions of euros for serious or persistent violations. Some jurisdictions calculate penalties as a percentage of the organization’s annual turnover, potentially resulting in substantial financial impact for larger institutions.

Beyond monetary fines, competent authorities can issue public warnings or notices identifying organizations and describing the nature of their violations. These public statements can damage an organization’s reputation and erode customer trust, potentially resulting in business losses that exceed direct financial penalties. Public censure can be particularly damaging for organizations operating in competitive markets where customer confidence is essential.

Competent authorities maintain the power to suspend or revoke authorizations for payment service providers that fail to comply with PSD2 requirements. This ultimate sanction effectively prevents an organization from continuing to offer payment services within its jurisdiction. Authorization revocation can be devastating for businesses that depend on payment services for their core operations or revenue streams.

In cases involving serious violations, competent authorities may impose restrictions on an organization’s business activities. These restrictions might include temporary prohibitions on accepting new customers, limitations on specific service offerings, or requirements to cease certain business practices. Such measures can significantly constrain an organization’s growth and operational flexibility.

Individual penalties may also apply to senior management and directors of payment service providers in cases where their actions or omissions contributed to compliance failures. Some jurisdictions allow competent authorities to impose fines on individuals or to prohibit them from holding management positions in regulated financial institutions.

Beyond formal regulatory sanctions, non-compliance can result in operational and commercial consequences. Organizations may face increased scrutiny from competent authorities, requiring more frequent reporting, additional audits, or enhanced supervision. Non-compliant organizations may also encounter difficulties in business relationships, as other financial institutions and partners may be reluctant to work with entities that have demonstrated compliance failures.

The reputational damage from compliance violations can extend beyond immediate penalties. Media coverage of enforcement actions can attract unwanted attention from customers, investors, and business partners. In competitive markets, compliance failures may drive customers toward competitors with stronger compliance records, resulting in customer attrition and reduced market share.

Organizations should recognize that compliance violations can trigger investigations into other aspects of their operations. A PSD2 violation might prompt authorities to examine whether the organization complies with other regulatory frameworks such as GDPR, anti-money laundering regulations, or consumer protection laws. This expanded scrutiny can uncover additional compliance issues and compound regulatory risks.

PSD2 Summary

PSD2 represents a fundamental shift in how payment services are regulated and delivered across Europe. The directive aims to foster innovation, enhance competition, and strengthen consumer protection in the payments ecosystem while ensuring high security standards.

At its core, PSD2 requires banks to open their payment infrastructure to authorized third-party providers through secure interfaces. This open banking approach enables new market entrants to offer innovative services built on access to customer account data and payment initiation capabilities. The directive creates a regulatory framework for these third-party providers, establishing clear authorization requirements and operational standards.

Strong Customer Authentication stands as one of the most visible and impactful elements of PSD2. By requiring multi-factor authentication for electronic payments and account access, the directive significantly strengthens security protections for consumers. While implementing these authentication requirements has presented challenges for some organizations, the measures have helped reduce fraud and protect customers from unauthorized transactions.

PSD2 substantially enhances consumer protections through multiple mechanisms. The directive establishes clear liability rules that generally place responsibility for unauthorized transactions on payment service providers rather than customers. Transparency requirements ensure customers receive comprehensive information about payment services, fees, and their rights. These provisions give consumers greater confidence in using electronic payment services and clearer recourse when problems occur.

The directive has catalyzed significant innovation in financial services. Open banking has enabled new business models, from account aggregation services that help consumers manage finances across multiple institutions to payment initiation services that offer alternatives to traditional card payments. This increased competition benefits consumers through greater choice, improved services, and often lower costs.

For organizations operating in the payments sector, PSD2 compliance is not optional. The directive establishes mandatory requirements backed by significant enforcement powers held by national competent authorities. Organizations must invest in the technical infrastructure, processes, and governance needed to meet these obligations. While compliance requires resources and ongoing attention, it also creates opportunities for organizations to enhance their security posture, improve customer experiences, and participate in the evolving payments ecosystem.

PSD2 Regulation PDF (Please Contact Us For Access)

Organizations seeking comprehensive documentation of PSD2 can access official texts through several authoritative sources. The definitive version of the Payment Services Directive is available through the European Union’s official legal database, EUR-Lex, which provides free access to EU legislation.

The core directive document, formally titled Directive (EU) 2015/2366 of the European Parliament and of the Council, can be downloaded as a PDF from EUR-Lex. This document contains the complete legal text of PSD2, including all articles, recitals, and annexes. The official publication includes authentic versions in all EU official languages, ensuring organizations can access the directive in their preferred language.

Beyond the core directive, organizations should also access the regulatory technical standards that provide detailed technical requirements for implementing PSD2. The European Banking Authority has published several regulatory technical standards covering topics such as Strong Customer Authentication, secure communication, and home-member state cooperation. These technical standards are essential for organizations implementing PSD2 requirements, as they specify the concrete technical and procedural measures that constitute compliance.

The European Banking Authority’s official website provides comprehensive PSD2 documentation, including the regulatory technical standards, implementation guidelines, opinions, and other supervisory materials. These resources offer valuable guidance for organizations seeking to understand their compliance obligations and implement appropriate measures.

National competent authorities in each EU member state also publish guidance documents specific to their jurisdictions. Since PSD2 is implemented through national legislation in each member state, organizations should review guidance from their relevant national authority. These documents often address jurisdiction-specific implementation details, supervisory expectations, and authorization procedures.

Organizations should ensure they reference the most current versions of all PSD2 documentation, as regulations and technical standards may be amended over time. Regularly checking official sources helps organizations stay informed about regulatory developments and maintain compliance with evolving requirements. Most regulatory bodies provide notification services or newsletters that alert subscribers to new publications and regulatory updates.

When working with PSD2 documentation, organizations should recognize that regulatory texts are often complex and may require legal expertise to interpret correctly. Many organizations benefit from consulting with legal advisors, compliance specialists, or industry associations that can help translate regulatory requirements into practical compliance strategies tailored to their specific business models and operational contexts.

Maintaining PSD2 compliance is an ongoing commitment that requires sustained attention, resources, and adaptation as the regulatory environment evolves. Organizations that approach compliance systematically, invest in appropriate infrastructure and processes, and maintain vigilance in monitoring their adherence to requirements position themselves for success in Europe’s dynamic payments landscape. By treating compliance not merely as a regulatory burden but as an opportunity to strengthen security, enhance customer trust, and participate in innovation, organizations can thrive under the PSD2 framework while contributing to a more secure, competitive, and consumer-friendly payments ecosystem.


Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.