Browse Regulation

PSD2

PSD2 is a European directive aimed at increasing innovation, competition, and security in the payment services industry by mandating Open Banking.

Definition

The Revised Payment Services Directive (PSD2) is a legislative framework established by the European Union to regulate payment services and payment service providers throughout the European Union and European Economic Area (EEA). Implemented on January 13, 2018, PSD2’s primary goal is to foster innovation, enhance competition, and ensure the security of electronic payments and consumer protection by mandating the adoption of Open Banking.

Key Objectives of PSD2

  • Innovation: Encourage the development of new payment services and financial technologies (FinTech).
  • Competition: Level the playing field by allowing Third-Party Providers (TPPs) to offer services that traditionally were the domain of banks.
  • Security: Enhance the security of payments and reduce the risk of fraud through strict security requirements.
  • Consumer Protection: Increase transparency and protection for consumers using payment services.

Open Banking

PSD2 requires banks to open their payment services and data to third-party providers through Application Programming Interfaces (APIs). This creates a collaborative ecosystem where account information and payment initiation services can be provided by non-banking entities.

Strong Customer Authentication (SCA)

To ensure the security of electronic payments, PSD2 mandates the implementation of Strong Customer Authentication (SCA) mechanisms. SCA requires at least two independent factors from the following categories:

  • Knowledge (e.g., password or PIN)
  • Possession (e.g., mobile phone or hardware token)
  • Inherence (e.g., fingerprint or facial recognition)

Third-Party Providers (TPPs)

PSD2 identifies three types of TPPs:

  • Account Information Service Providers (AISPs): Offer aggregated account information from different banks.
  • Payment Initiation Service Providers (PISPs): Initiate payments on behalf of users.
  • Card-Based Payment Instrument Issuers (CBPIIs): Issue card-based payment instruments accessing a customer’s payment account.

Historical Context

The original Payment Services Directive (PSD) was implemented in 2007. However, advancements in technology and the increasing number of new market entrants necessitated an update to the regulatory framework, leading to the introduction of PSD2 in 2015. By addressing inefficiencies and inconsistencies, PSD2 enhances the existing framework to accommodate evolving technological and market developments.

Examples of PSD2 in Action

  • Open Banking API Usage: FinTech companies like Yolt and Revolut leverage PSD2 to offer innovative financial services directly to consumers.
  • SCA Implementation: European banks have integrated multi-factor authentication processes into their login and payment confirmation workflows to comply with SCA requirements.

What is the significance of PSD2 for consumers?

Consumers benefit from increased security, more payment choices, and enhanced financial services due to the competitive landscape fostered by PSD2.

How does PSD2 impact banks?

Banks must adapt by providing secure APIs and fostering collaborations with FinTech companies, potentially transforming their product offerings and business models to remain competitive.

What are the penalties for non-compliance with PSD2?

Non-compliance with PSD2 regulations can result in significant fines and legal repercussions, varying by member state within the EU.

Practical Use

Regulated firms use PSD2 to understand permissions, obligations, disclosures, controls, capital effects, and enforcement risk.

Practical Example

In a compliance review, map PSD2 to the rule source, covered entity, required action, evidence, and consequence of non-compliance.

Decision Check

Ask whether PSD2 changes who may act, what must be disclosed, how capital or conduct is monitored, or what penalty risk exists.

Watch For

Regulatory terms vary by jurisdiction, entity type, activity, effective date, and supervisory interpretation.

Interpretation Note

Interpret PSD2 by identifying the regulated activity, responsible party, required control, and financial consequence.

Finance Context

In finance, PSD2 matters when it affects market access, product design, capital requirements, disclosure, enforcement exposure, or investor protection.

Decision Lens

The practical regulatory question is whether PSD2 changes permission, disclosure, capital, conduct controls, or the cost of being wrong.

What Changes The Analysis

The analysis changes if PSD2 affects permitted activity, required disclosure, capital treatment, customer protection, supervision, evidence retention, or enforcement exposure. Those variables determine whether compliance risk changes economics.

Common Confusion

Do not confuse PSD2 with a general legal idea. Scope, covered entity, and required control drive the practical result.

Where It Shows Up

PSD2 appears in rulebooks, compliance manuals, filings, supervisory letters, enforcement actions, risk assessments, and product approvals.

Analyst Takeaway

Treat PSD2 as material when it changes allowed behavior, required evidence, capital impact, or enforcement risk.

Analysis Boundary

The analysis boundary for PSD2 is crossed when covered-party status, required conduct, disclosure, filing, supervision, evidence retention, and enforcement exposure are unchanged. Then it is regulatory background rather than a control action.

Control Point

The control point for PSD2 is the required action: filing, disclosure, supervision, suitability, capital, remediation, monitoring, or recordkeeping. PSD2 matters when a regulated party must change behavior, evidence, approval, or customer communication. Before relying on PSD2, identify the rule source, responsible party, deadline, and proof needed. If no obligation changes, keep it as regulatory context rather than a compliance conclusion.

Practical Signal

The practical signal for PSD2 is a changed obligation: filing, disclosure, supervision, approval, suitability review, capital treatment, remediation, monitoring, or recordkeeping. When that signal appears, identify the covered party, deadline, evidence, and enforcement consequence.

Use Boundary

The use boundary for PSD2 is reached when filing, disclosure, supervision, approval, suitability, capital treatment, remediation, monitoring, and recordkeeping are unchanged. In that case, keep the term as regulatory context rather than a compliance action.

Decision Marker

The decision marker for PSD2 is the moment a required action changes: filing, disclosure, approval, suitability, supervision, capital treatment, remediation, monitoring, or record retention. If no duty changes, keep the term as regulatory context.

Risk Check

The risk check for PSD2 is whether a compliance conclusion has a covered party, rule source, deadline, evidence, and owner. Test filing, disclosure, suitability, supervision, recordkeeping, remediation, and enforcement exposure before assuming no action is required.

Decision Evidence

Decision evidence for PSD2 should show the rule citation, covered party, required action, deadline, approval trail, filing, disclosure, and retention evidence. PSD2 can change compliance analysis only when those facts alter duty, supervision, or enforcement exposure.

Review Evidence

Review evidence for PSD2 should make the regulatory evidence traceable, not just definitional. For PSD2, tie the evidence to the rule text, regulator guidance, filing, policy memo, and compliance record and explain why that evidence is reliable enough for the finance decision.

Before relying on PSD2, document the decision context: the effective date, reporting period, transition window, and jurisdiction involved. Keep the PSD2 evidence trail visible: responsible owner, approval evidence, testing record, remediation status, and disclosure trail. In Regulation work, PSD2 matters when it changes permissible activity, capital treatment, reporting duty, customer protection, or enforcement risk.

  • Source: cite the record, filing, contract, model input, system log, or policy that supports PSD2.
  • Timing: record when PSD2 is measured: date, period, jurisdiction, market condition, or processing window that could change the financial conclusion.
  • Boundary: distinguish PSD2 from nearby concepts that require different evidence or support a different finance decision.
  • Decision use: identify the approval, valuation input, allocation step, control, disclosure, or risk decision affected if the evidence for PSD2 were different.

The practical risk for PSD2 is that regulatory terms are unsafe when jurisdiction, effective date, rule source, and compliance evidence are left implicit. If those facts are unavailable, keep PSD2 in the explanatory layer instead of treating it as decision-grade evidence.

Decision Workflow

Use PSD2 as a decision workflow, not a static glossary label: define the finance meaning, verify the evidence, and identify which conclusion changes. Start by linking PSD2 to rule source, jurisdiction, effective date, covered activity, compliance owner, and enforcement exposure. Only after those checks should PSD2 influence a regulatory decision.

For PSD2, confirm the source record, the date or jurisdiction that could change the answer, and the finance decision affected if the evidence were wrong. If those checks are incomplete, keep PSD2 as explanatory context rather than a decisive input.

  • Security: Related finance concept that helps compare PSD2 with nearby terms.
  • Antitrust Law: Related finance concept that helps compare PSD2 with nearby terms.
  • Deregulation: Related finance concept that helps compare PSD2 with nearby terms.
  • Financial Services Act 1986: Related finance concept that helps compare PSD2 with nearby terms.
Revised on Sunday, June 21, 2026