The revised Payment Services Directive (PSD2) is a European regulation that makes online payments more secure while supporting competition in financial services. PSD2 went into effect in 2016 as an update to the original PSD, which was established in 2007. PSD2 mandates stronger customer authentication to protect against fraud in online transactions and requires banks to open their payment services and customer data to third-party providers (TPPs), which can drive the creation of new financial products and services.

PSD2 is a major piece of legislation that’s reshaping the way digital payments work in Europe. Below, we’ll explain what’s included in this legislation, how it impacts the financial industry, and what businesses need to know about staying compliant with PSD2.

What’s in this article?

• Key objectives of PSD2
  
• What are the main components of PSD2?
  
• How PSD2 impacts the financial industry
  
• Benefits of PSD2 for customers and businesses
  
• Challenges and concerns related to PSD2
  
• How to stay compliant with PSD2
  

Key objectives of PSD2

PSD2 focuses on improving the retail payments market with stronger security and more competitive offerings. Here are the key objectives of this updated European Union standard:

• Market competition: By opening up access to customer data, PSD2 encourages new players (such as fintech companies) to enter the market and offer innovative financial services. This promotes competition and leads to better products and services.

• Security: PSD2 introduces stricter security requirements for online payments, such as Strong Customer Authentication (SCA). This helps minimize fraud and protect customers’ financial data.

• Consumer protection: PSD2 gives customers more control over their financial data and strengthens procedures for handling complaints, leading to faster, more effective resolutions.

• Integrated payments market: PSD2 creates a more integrated and efficient European payments market by standardizing payment regulations across the EU. This makes it easier for businesses and customers to make and receive payments across borders.

What are the main components of PSD2?

PSD2 affects several key areas to reshape how payment services operate in Europe. Here are the main components of PSD2:

• SCA: SCA requires multifactor authentication for most online transactions to minimize fraud in digital payments. This could involve verification with something the customer knows (such as a password), something they have (such as a phone), and something they are (such as a fingerprint).

• Open banking: PSD2 requires banks to give TPPs access to customers’ bank accounts with customer consent. Access to account (XS2A) services enable open banking, through which customers can use services from fintech companies to manage their finances, pay bills, or even make investments, all directly from their bank accounts.

• TPPs: Customers receive the right to use payment initiation service providers (PISPs) and account information service providers (AISPs). PISPs can initiate payments on a user’s behalf, while AISPs can provide users with consolidated information from different bank accounts.

• Transparency: PSD2 creates greater transparency in fees. It sets strict requirements on how charges should be communicated to users and ensures that users are not hit with unexpected fees, especially in cross-border payments.

• Liability and refunds: PSD2 clarifies the responsibilities and liabilities of all parties involved in a payment transaction. This includes clearer rules for how and when customers can get refunds if something goes wrong, such as in cases of unauthorized transactions.

• Surcharge ban: PSD2 prohibits surcharges for card payments. This means businesses in the EU can’t charge extra fees for using credit or debit cards.

How PSD2 impacts the financial industry

PSD2 has introduced additional regulatory requirements, increased competition, and empowered customers by giving them greater control over their data. Here’s how PSD2 has impacted the European financial industry:

• Increased competition: PSD2 lowered the barriers to entry for fintech companies and allowed them to offer services that were once the exclusive domain of traditional banks. PSD2 has created a more level playing field by requiring banks to share customer data and enabled smaller, more agile companies to compete with established financial institutions. This has led to an increase in innovative financial products and services that cater to specific customer needs.

• Shift to open banking: PSD2 has accelerated the adoption of open banking by requiring banks to provide application programming interfaces (APIs) that allow TPPs to access customer accounts. This allows customers to use a single interface to manage their money across multiple banks and platforms.

• Enhanced security measures: PSD2’s SCA requirements have forced the financial industry to adopt stronger security measures for online transactions. This has increased adoption of multifactor authentication in Europe.

• Regulatory burden: PSD2 has imposed a substantial regulatory burden on financial institutions. Banks and payment service providers must take steps such as upgrading their IT infrastructure and implementing new security protocols to ensure compliance.

• Customer empowerment: PSD2 has empowered customers by giving them more control over their financial data and choices. Under PSD2, customers can use third-party services to manage their finances and are no longer tied to a single bank for all their financial needs.

• Strategic reorientation: PSD2 has forced traditional banks to rethink their strategies. They must collaborate with fintech companies to stay relevant in a quickly changing financial sector, either by integrating third-party services into their offerings or by developing their own solutions.

Benefits of PSD2 for customers and businesses

PSD2 creates more financial options and improves transaction costs for customers and businesses. Here are the benefits PSD2 creates for both groups.

For customers

• Security: PSD2’s SCA requirements create stronger protection for customer information in online transactions.

• Financial services: PSD2 encourages the creation of more financial tools and services that can help customers better manage their money with comprehensive overviews and data-driven insight.

• Transparency: PSD2 protects customers from hidden fees, particularly with international payments.

• Control over data: Customers receive the right to control who can use and access their financial data, as well as the option to revoke access anytime.

For businesses

• Innovation: PSD2 allows businesses to tap into new features and services that can refine internal processes, improve the customer experience, and create new revenue streams.

• Payment options: PSD2 increases the number of available payment methods, which allows businesses to offer their customers greater flexibility and can make transactions quicker, cheaper, and more secure.

• Competition: Businesses can develop modern payment solutions and use new technologies to build stronger customer relationships and loyalty.

• Strategic decisions: Businesses gain access to more detailed financial data through AISPs. Businesses can use this data to craft more personalized services for customers.

• Costs: PSD2 can help businesses save money by eliminating card surcharges and transaction fees from traditional payment networks.

Challenges and concerns related to PSD2

While PSD2 offers many benefits, it also presents challenges. Here are some common hurdles that customers and businesses encounter under PSD2.

For customers

• Overwhelming number of choices: Users might struggle to find reliable TPPs in a market saturated with new services and apps.

• Data privacy concerns: More providers have access to user data under PSD2. This can raise concerns about data security.

• User experience hiccups: SCA requirements can frustrate users, because it can introduce extra steps such as entering a code and using a fingerprint.

For businesses

• Regulatory compliance costs: Businesses can face major costs in upgrading their systems and securing their data to meet PSD2 standards. This can be a heavy burden, particularly for businesses with limited resources.

• Competition: Traditional banks and established financial institutions must adapt quickly or risk losing customers to newer, more agile fintech companies. This creates a difficult environment in which only the most adaptive businesses can thrive.

• Integration challenges: Businesses must have the technical expertise to integrate third-party services into existing systems without disrupting their operations.

• Security risks: Businesses must remain vigilant about protecting customer data and ensuring that the TPPs with which they share financial data are equally committed to security.

• Customer education: Businesses must help their customers understand changes tied to PSD2, such as why they’re being asked to go through extra steps during payment and why new apps are now part of the financial ecosystem. This requires clear communication and effective customer support.

How to stay compliant with PSD2

Staying compliant with PSD2 is an ongoing, multifaceted challenge that demands a thoughtful strategy. Here’s how businesses can manage and maintain compliance.

SCA requirements

• Contextual authentication: Consider implementing risk-based authentication that adjusts to each transaction and adds extra security checks if anything is flagged as abnormal.

• Behavioral biometrics: Consider adding behavioral biometrics to your SCA tool kit. This tracks how users naturally interact with a website or app (e.g., how they type, how they navigate your site) to verify identity without the user noticing. This creates stronger security with less hassle for your customers.

APIs and security

• Adaptive API gateways: Use API gateways that can adjust security measures in real time. These gateways should be smart enough to tweak the level of protection based on what kind of data is being accessed.

• Zero-trust model: Use a zero-trust model in which no one is trusted automatically, even if they’re inside your network. Require that every request is authenticated and authorized, with strict segmentation so that users gain access only to what they need.

Data governance

• Automated monitoring: Invest in software that automatically monitors your compliance with PSD2. This system watches data handling practices and flags any potential issues before they become serious. It also simplifies audit processes.

• Data anonymization and tokenization: Anonymize and tokenize sensitive customer information. This adds an extra layer of protection even when data is shared by converting real data into something that becomes useless to anyone who might intercept it.

Using technology

• Regulatory technology (RegTech): Look into RegTech solutions designed to handle PSD2 requirements. These platforms help manage several tasks, including reporting and risk management.

• Compliance-as-a-service (CaaS): If expanding compliance efforts is a challenge, consider partnering with CaaS providers. These services offer ready-made solutions that keep up with regulatory changes, so you can stay compliant without having to build in-house.

Adaptation and agility

• Agile compliance: Build an agile compliance framework that can quickly respond to changes in PSD2 or new security threats. This might involve regular sprints where your team assesses recent updates and makes necessary adjustments to your policies and tech stack.

• Industry collaboration: Participate in industry groups and forums to keep up with best practices and changes in PSD2. Collaborate with peers to stay ahead of trends and share tactics for staying compliant as the regulatory environment develops.

Customer communication

• Proactive customer education: Engage your customers with customized communication. Use data insight to segment your audience and deliver specific education efforts through personalized in-app messages, targeted webinars, or detailed FAQs.

• Enhancing user experience: Fine-tune the customer experience by integrating PSD2 requirements into your user experience (UX) design. Test different authentication methods to find the right balance between security and convenience and use analytics to keep improving the user journey.

Risk management

• Dynamic risk scoring: Develop risk scoring models that can adapt in real time and use the latest data to predict and prevent compliance risks. Integrate machine learning to shift from a reactive approach to a predictive one and catch issues before they escalate.

• Continuous third-party assessment: Continually monitor TPPs’ compliance and security practices over time. Automated tools can help you stay on top of any changes in their risk profiles.