What you need to know about PSD2 regulation and compliance

When it comes to the electronic payment market, financial institutions and payment providers have a lot in common. Most notably, both parties are enabling a new wave of online transactions — and in turn, are subject to strict regulations. This is especially true in Europe, where the region’s Payment Service Directive is raising the bar for strong authentication, open banking, and compliance.

Read on to understand the basics of PSD2 compliance, why it’s important, and what you can do to future-proof your organization today.

PSD2 stands for the second iteration of the Payment Service Directive. Although it applies specifically to the European Union (EU), it’s widely considered a landmark payment services regulation with the potential to change how banks, payment processors, and similar firms operate worldwide.

In 2007, the European Commission enacted the original Payment Services Directive for two primary reasons:

1. To create a more integrated, competitive, and efficient European payment market
2. To make payments more secure and safe in the digital era

In other words, PSD1 aimed to level the playing field for all financial players by encouraging non-traditional institutions to participate. It allowed new firms, such as fintech companies and third-party payment providers, to enter the market more easily. It also unified financial institutions under a single regulatory framework, establishing common rules for all.

PSD1 also afforded the public more transparency and information surrounding fees, liabilities, and their consumer rights. And, because it was easier for new payment providers to enter the market, the regulation gave more freedom of choice to consumers.

However, as time rolled on, the European Union recognized a need to update and revise PSD1. In 2013, citing technological changes and growing security concerns, the EU formally decided to do so. Three years later, EU member states voted to pass PSD2, which was scheduled to take effect in 2018. However, certain elements of the updated PSD2 regulation were phased in gradually, allowing financial institutions time to adapt.

PSD2’s primary purpose, once again, was to further promote innovation, competition, and security throughout the European payment industry.

Who is subject to PSD2 compliance?

PSD2 is meant to protect consumers in all EU member states. As such, its primary focus is on EU financial institutions, including payment processors, banks, brokerages, fintech companies, and more.

However, organizations headquartered outside Europe may still be subject to PSD2 compliance requirements if they have customers or users in the region. In this case, companies have no choice but to comply with the PSD2 regulation if they currently or plan to operate in the EU.

Institutions that fail to meet the requirements of PSD2 can be charged with financial penalties of up to 4% of their annual returns.

Before you can meet PSD2’s requirements, you first have to understand how it fundamentally altered banking throughout the European Union — most notably, through the introduction of “open banking.”

What is open banking?

Open banking is the process by which a third-party financial service provider gains open access to consumer banking, transactions, and other data from banks and other financial institutions through application programming interfaces (APIs). In short, it’s the secure sharing of financial information between two parties. Although this concept has been around for a long time, PSD2 pioneered its adoption across Europe.

The introduction of open banking helped PSD2 accomplish its goal of increasing competition, transparency, and security in the market. In turn, it brought in two new types of regulated payment providers:

1. Payment Initiation Service Providers (PISPs) enable the use of digital banking to make an online payment. In short, they allow you to pay for things directly from your bank account rather than using a credit or debit card through a third party. The term “payment initiation” refers to the process PISPs use to bridge two accounts through an interface that facilitates the transaction.
2. Account Information Service Providers (AISPs) facilitate the collection and storage of account information from a customer’s bank accounts in a single place. This allows the consumer to have a global view of their finances and easily analyze expenses. For example, budgeting apps and price comparison websites may fall under the category of Account Information Service Providers because they house this data in one pane of glass.

Under PSD2 regulation, these two parties must request consumer consent and are regulated by the central bank.

How does PSD2 impact traditional financial institutions?

Banks are now required to open access to customer accounts to third-party providers (TPPs) — AISPs and PISPs — so long as the customer has granted permission. In turn, the chief technological requirement for PSD2 compliance is to create open APIs, which the TPP needs to access account information.

Additionally, consumers have more choices when it comes to payment services. They can now choose the best option for their needs, meaning banks will have to compete harder for their business.

What is Strong Consumer Authentication?

The Revised Payment Services Directive also introduces the concept of Strong Customer Authentication (SCA). According to the SCA requirement, consumers must use at least two types of multi-factor authentication (MFA) on all payments. These methods are organized into three categories:

1. Knowledge: Something the customer already knows, such as a password.
2. Inherence: Something that is part of the user, such as their fingerprint or facial recognition.
3. Possession: Something they have or can send, such as a one-time code.

The SCA requirement is designed to increase consumer protection. With additional safeguards standing between a user and sensitive financial information, strong authentication makes it more difficult for bad actors to get away with fraud.

Aiming to once again update the Payment Services Directive for continuous improvement, the European Commission decided to reevaluate the regulation in 2022. The evaluation concluded that PSD2 has had limited success in meeting its objectives. Although the introduction of Strong Consumer Authentication has had a significant impact on reducing fraud, new challenges have emerged.

For specificity, here is the exact language reported by the European Commission:

“New types of fraud have emerged for which PSD2 is not equipped. For example, PSD3 will go beyond the PSD2 tackling new types of fraud like ‘spoofing’ (impersonation fraud), which blurs the distinction between unauthorized and authorized transactions, since the consent given by the customer to authorize a transaction is subjected to manipulative techniques by the fraudster, who for example uses the telephone number or email address of the bank. Prevention mechanisms such as SCA have been insufficient to prevent such frauds until now.”

Aside from security-related concerns, the Commission also found that there is still an unlevel playing field between payment service providers. So, with advice from the European Banking Authority, the Commission decided to propose amendments that will:

• Strengthen fraud prevention strategies
• Allow non-bank payment service providers access to all EU payment systems
• Improve the functionality of open banking
• Further improve consumer information and rights
• Increase the availability of cash
• Merge the legal frameworks applicable to electronic money and payment services

There is yet to be a clear timeline for when PSD3 compliance requirements will be finalized. However, assuming the revised regulation will be completed by late 2024, EU member states will have an 18-month transition period. This suggests PSD3 could take effect by the end of 2026.

Regardless of how it may change, PSD compliance is still non-negotiable for financial institutions and payment providers. As such, it’s important to take the necessary steps to future-proof your organization and get ahead of the PSD3 curve — particularly when it comes to security.

The good news? There are plenty of solutions available to help exceed your SCA requirement and offer consumers the highest level of assurance possible. For example, with a partner like Entrust, you can leverage the following capabilities:

1. Phishing-resistant MFA: Deploy a robust array of authentication strategies, including risk-based, certificate-based, and adaptive step-up authentication. Combined with Single Sign-On (SSO), users gain seamless but secure access to payment services without skipping a beat. Plus, SSO prevents password fatigue and reuse so you (and your consumers) stay protected.
2. Digital certificates: Qualified Website Authentication Certificates (QWACs) encrypt sensitive data and identify payment service providers and financial institutions in compliance with PSD2. Entrust’s QWACs feature unlimited reissues and server licenses, allowing you to reissue and install certificates at no extra cost.
3. Transaction risk analysis: Transaction monitoring and risk analysis take device reputation, adaptive authentication, and 3DS compliance into account for card-not-present transactions.
4. Identity proofing: Verify identities in an instant to improve the customer experience and lower abandonment rates. Entrust’s ID proofing solution supports thousands of government-issued documents and multiple layers of step-up security.
5. Hardware security modules (HSMs): Entrust nShield® HSMs generate and store signing and encryption keys and facilitate your cryptographic operations from a certified, secured device so that you can issue certificates and encrypt data knowing you are protected with a strong root of trust.

The PSD2 regulation is just as important as it is difficult to implement. However, with Entrust’s range of PSD2 and open banking solutions, you can ease compliance and satisfy your requirements at scale.

From MFA and identity proofing to digital certificates and HSMs, we’re here to help you offer customers the ultimate assurance.