The new PSD2 directive is a fundamental piece of payment legislation in Europe.
It was to go into effect on 14 September 2019.
However, the European Banking Authority (EBA) granted further potential exemptions and set the new PSD2 deadline to 31 December 2020.
The Financial Conduct Authority set the new deadline in the UK to 14 March 2022. This means UK issuers are not required to decline non-compliant transactions before this date.
The PSD 2.0 regulation drastically impacts the financial ecosystem and infrastructure for banks, fintechs, and businesses using payment data to benefit consumers.
The Payment Services Directive 1 (aka PSD1 or Directive 2007/64/EC) opened up the European banking and financial services market and went into effect almost ten years ago.
Let's dig in.
What is PSD2?
The revised Payment Services Directive 2 (PSD2) aims to better align payment regulation with the current state of the market and technology.
It introduces security requirements for initiating and processing electronic payments and protecting consumers' financial data.
It also recognizes and regulates Third-Party Providers (TPPs) that access or aggregate accounts and initiate payment services.
This move will shake up the payments market, particularly in eCommerce, by encouraging greater competition, transparency, and innovation in payment services.
In short, PSD2 aims to facilitate consumer access to their banking data and drive innovation by encouraging banks to exchange customer data with third parties securely.
PSD2 directive: What is the new timeline?
After a long debate, at the end of November 2017, the European Banking Authority (EBA) published the final version of the Regulatory Technical Standards (RTS), which detail the responsibilities and obligations of all payment actors.
On 13 March 2018, the European Parliament and the European Council approved them, opening an 18-month implementation period that was to end on 14 September 2019.
This date was the "final deadline" for all companies within the EU to comply with the Regulatory Technical Standards (RTS) under Directive (EU) 2015/2366, i.e., PSD2.
New dedicated Open API interfaces were available (as of 14 March 2019) for a six-month testing period. European regulators have completed new technical standards and defined precisely how banks must link their technology platforms to outsiders.
The bad news?
Many banks and merchants were not ready for the March or September deadline. The EBA had to move the deadline to the end of 2020.
The good news?
This move genuinely cements open banking into place, according to Bloomberg.
PSD2 compliance: Who's ready?
As stated by Finextra, 41% of the 442 European banks surveyed failed to meet the March 2019 deadline. They could not provide a testing environment to third-party service providers.
Before the September deadline, this six-month testing period was seen as critical for third-party providers to test the APIs that would connect them to banks, and as key to piloting new services.
At MONEY 2020 in June 2019, several speakers pointed out that some banks and financial providers were clearly dragging their feet in handing over data to customers, arguing about their compliance and risk scenarios.
And it happened.
The European Banking Authority's announcement (its so-called Opinion) acknowledged that large numbers of online merchants were not ready for this change.
The new deadline to implement Strong Customer Authentication (SCA) has been pushed back by fifteen months. According to the EBA, this gives enough time for the expected developments.
And yes, the coronavirus is adding another layer of complexity.
Read more about SCA under PSD2.
PSD2 regulation: Impacts on banks and TPPs
Security is top-of-mind
The core principles of the PSD2 RTS – i.e., Strong Customer Authentication (SCA), Secured Communication, Risk Management, and Transaction Risk Analysis (TRA) – have been maintained, confirming the directive's security objectives.
PSD2 requires banks to implement multi-factor authentication for all proximity and remote transactions performed on any channel to protect the consumer.
This obligation means using two of these three categories of elements:
- Knowledge: Something only the user knows, e.g., a password, code, or personal identification number
- Possession: Something only the user possesses, e.g., a token, smart card, or mobile handset
- Inherence: Something the user is, e.g., a biometric characteristic such as a fingerprint
Besides, the elements selected must be mutually independent, which means that the breach of one should not compromise any of the others.
Is it working? Yes, it is.
Since the enforcement of Strong Customer Authentication (SCA), approximately 73% of retailers have experienced a reduction in online payment fraud, as reported by Barclaycard in 2022.
Smooth user experience
To ensure a smooth user experience, PSD2 requires banks to put in place security measures "compatible with the level of risk involved in the payment service" to find the right balance between security and user convenience.
To simplify life for digital banking consumers, the RTS list several situations for which Payment Service Providers (PSPs) are not required to perform strong customer authentication.
Most of these exemptions are related to low-value payments, repetitive transactions, and transactions to trusted beneficiaries.
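The two SCA rules described above (two independent elements from different categories, and the low-value, recurring and trusted-beneficiary exemptions) as a small policy check. This is an added example, not code from the page or from Thales; the EUR threshold, the `domain` field used to model independence, and the sample payments are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed example: models the PSD2 SCA rules the text describes.
# LOW_VALUE_LIMIT_EUR is an assumed placeholder, not a figure from the page.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
VALID_CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}
LOW_VALUE_LIMIT_EUR = 30.0


@dataclass(frozen=True)
class Element:
    category: str  # KNOWLEDGE, POSSESSION or INHERENCE
    domain: str    # assumed: the component whose compromise exposes this element


@dataclass(frozen=True)
class Payment:
    amount_eur: float
    trusted_beneficiary: bool = False
    recurring_same_amount: bool = False
    elements: tuple = ()  # authentication elements presented for this payment


def exemption(p: Payment):
    """Return the name of an applicable SCA exemption, or None if SCA is needed."""
    if p.trusted_beneficiary:
        return "trusted-beneficiary"
    if p.recurring_same_amount:
        return "recurring"
    if p.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "low-value"
    return None


def independent_pair(elements):
    """Find two valid elements of different categories that do not share a
    compromise domain, so breaching one component yields at most one factor."""
    for a, b in combinations(elements, 2):
        if (a.category in VALID_CATEGORIES and b.category in VALID_CATEGORIES
                and a.category != b.category and a.domain != b.domain):
            return (a, b)
    return None


def decide(p: Payment) -> str:
    """'approve' when SCA is exempt or satisfied, otherwise 'challenge'
    (the issuer must step the customer up to strong authentication)."""
    if exemption(p):
        return "approve"
    return "approve" if independent_pair(p.elements) else "challenge"
```

Two knowledge elements, or two elements that would both fall to the same compromised component, are rejected even though two elements were presented.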
PSD2 and open banking
The move to open banking means removing barriers between competitors as it requires banks to allow their account details and transactions to be shared with third parties through APIs.
PSD2 hinges on a critical connection between retailers, fintechs, and banks.
This relationship will be powered by APIs that banks must open to any Third-Party Provider wanting to aggregate account data and/or initiate payment services.
This change builds a common ground of more robust collaboration and better interoperability between traditional financial institutions and new players in the banking and payment space.
And to provide a consistent and seamless user experience, banks will also have to collaborate to define a common approach at a country or regional level.
Read more about this in our blog post:
Why we need strong authentication standards to deliver the promises of Open Banking (August 2022 update)
A new world of opportunities
PSD2 is a customer-centric regulation that should improve the customer environment, benefiting end-users and all banking and payment parties.
New partnerships and open-banking APIs with the right security level brought by SCA and risk monitoring can generate value by:
- Adding third-party capabilities to core offerings
- Capitalizing on consumer behavior and storing consumer preference data
- Making the multi-factor authentication process as easy as possible for the customer.
New customer onboarding will be made easier, offering end-users better tools to manage their finances and enticing them to buy new products and services provided by banks and TPPs.
Banks can make better use of financial data to offer competing services at competitive rates.
Already, leading banks have started building strong partnerships and open-banking API hubs, showing how PSD2 regulation can be the perfect tool for more innovation in payment and banking.
PSD2 compliance: Where do we fit in?
As a leading provider of digital security solutions, we enable banks and financial institutions to meet the challenges raised by PSD2.
Thales helps financial organizations understand and address PSD2 requirements for strong customer authentication, risk management, and Open Banking API. With Thales solutions, you can combine PSD2 SCA and the latest innovation in passwordless authentication, such as FIDO passkeys.
We have released a first white paper introducing PSD2 and the opening of the payments market, plus additional white papers analyzing the PSD2 compliance of various solutions.
Another white paper describes how Thales' solutions may help our customers comply with PSD2 security requirements. You will find them in the download section below.
More Resources on payments compliance
Strong Customer Authentication
Strong Customer Authentication, as defined in PSD2, means that transactions are authenticated using 2‑factor authentication or more.
How to improve user experience?
By evaluating risk and adapting accordingly, banks can offer a targeted approach that balances security and user convenience.
Innovate with Open Banking API
Financial institutions can better prepare themselves for market changes by working more closely with third-party actors and proactively identifying research and development areas.
Cloud platform to secure onboarding and access to digital banking services
We help financial institutions take advantage of the ongoing digital transformation by ensuring customer trust and regulatory compliance.