The Ultimate Guide to PSD2 (Payment Services Directive)

PSD2 (Revised Payment Services Directive) is a European Commission’s regulation for electronic payment services. It is a second version of the Payment Services Directive that was introduced in 2007 and then updated in 2015. It’s a legislative response to the changing financial market that has been disrupted by the latest technology. The main goal of PSD2 is to give consumers protection when they perform online transactions and other banking operations. 

The invention of technology often precedes the creation of the laws that define its use. That is why the EU had to face the challenge and regulate the digital finance landscape before it got out of hand. PSD2 aims to make payments and other financial services more secure in Europe. Coincidentally, it also boosts innovation and helps traditional financial institutions adapt to new technologies. The directive levels the playing field between new financial instruments and banks that have been present for years on the market. Thanks to PSD2, old and new can work together on equal terms, regulated by the same entity.

PSD2 regulates two types of banking services that have become popular in recent years:

1. Payment Initiation Services (PIS): collecting and storing information from a consumer’s different bank accounts in a single place
2. Account Information Services (AIS): initiating a payment from the consumer’s account to the merchant’s account; those services create an interface to bridge both accounts, fill in the information needed (amount of the transaction, account number, message, etc.), and inform both parties of the transaction.

PSD2 regulations apply to the following countries within the European Economic Area (EEA): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK. (The status of the UK may change in the future due to Brexit.)

The initial deadline for applying the PSD2 regulations was scheduled for September 14th, 2019. However, institutions across the EU asked for an extension of the deadline. The request was accepted and the date of the new deadline was set on December 31st, 2020. Since then there, some countries have asked for further extensions due to the crisis caused by COVID-19. 

The ask for the deadline extension was motivated by the necessity of implementing Multiple Level Authentication for better protection of consumers. The task has been proven to be a challenge from a technological standpoint.

At the moment of writing this guide, the COVID-19 pandemic that occurred in 2020 does not affect the deadline for PSD2 compliance (December 31st, 2020).

However, the European Commission has received requests for additional deadline extensions. The UK was the first country to extend the delay by 6 months due to the Covid crisis. The new deadline for the UK is September 14th, 2021. Denmark has announced an 18-month delay and set the new deadline for March 14th, 2021. Delays have also been announced by France, Belgium, Ireland, and Poland. Other countries have not declared any need for an extension. They are expected to meet the initial deadline. 

The main reason behind the delay is the challenge of adapting IT structures in times of health crisis. The implementation of Strong Customer Authentication has been particularly challenging. PSD2 and the coronavirus outbreak have exposed the necessity of establishing solid IT architectures in financial institutions. 

The first wave of COVID-19 has been an unfortunate catalyst for major technology advancements in many sectors of the economy. Banks and finance companies are one of them. To keep the cash flow, institutions all around the world have to run towards modern banking solutions. The pandemic caused lockdowns that included financial facilities. Therefore, they have been pushed towards the introduction of online banking services. Banks have to come up with new offers to keep their customers satisfied and, more importantly, safe. 

The pandemic has also greatly affected consumers’ behaviors. Online and cashless payments are in favor. It’s safe to say that the pandemic has sped up the process that has been accelerated by PSD2. 

In the light of regulations provided by PSD2, the banks that conduct non-compliant financial transactions might be violating the law of their home country. 

Although PSD2 applies to banks, merchants should make sure that their transactions with banks are conducted in a law-abiding way. Merchants outside of the EEA may notice an increase in declined transactions from EEA. However, there might be exemptions available for consideration. 

Banks have two major challenges ahead of them: 

• update the authentication elements they provide their customers, 
• open their API in accordance with technical protocols, 
• develop systems and processes that will allow smooth cooperation between the bank’s API and Third-Party Providers.

Third-Party Providers or TPPs are licensed external parties that can offer certain financial services to consumers. Banks and other financial institutions will be required to give TPPs access to relevant customer information in order to take over the direct relationship with the customer. A variety of fintech companies can be considered as TPPs.

Open Banking is an idea based on Open API (Application Program Interfaces). It’s a banking practice that provides Third-Party Providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions. PSD2 directive is a regulatory push that made this idea the standard for financial services providers. 

The standard for information released through the Open API is that it’s the information necessary to process transactions. The members of EEA work on their own protocols to ensure that the transformation to Open Banking triggered by PSD2 is unproblematic for the local institutions.

BinarApps has been a proud contributor to the Polish API Standard.

The entire impact of PSD2 on the banking sector will be fully known in the upcoming years. Since laws regarding finance are different in each European country, we can expect that PSD2 will be challenged in the future. For now, the regulations included in PSD2 have triggered 3 major changes.

Open API and Open Banking

PSD2 highlights the importance of Application Program Interfaces (APIs). An API is a software intermediary that allows application programs to interact with each other and share data. It’s a very important part of every bank’s and TPP’s infrastructure because it’s pretty much their framework for communicating. PSD2 requires banks to open their API, making way for the era of Open Banking. 

Third-Party Providers: New Players on the Financial Market 

PSD2 names and specifies the role of new financial services backed up by technology advancements: now they’re called Third-Party Providers or simply TPP. Because of PSD2, TPP now can act on equal footing with traditional banking. That is beneficial to the banks as well since they can provide new services to their customers. There are two types of TPP in general: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). 

Consumer Protection – Strong Customer Authentication

PSD2 includes an obligation for payment service providers to implement Strong Customer Authentication (SCA). This makes the transactions more secure. In order to go through with the transactions, the consumer will have to confirm their identity by using at least two of the safety precautions based on the following principles:

• knowledge – something the consumer knows (password, PIN, key combination),
• possession – something the consumer has (device, credit or debit card),
• inherence – something the consumer is physically (a fingerprint or other biometric).

How does it look in practice? For example, if the consumer makes an online payment, they will have to confirm their identity by entering the password to their banking account and providing a number they received via text message. Without one or the other, the transaction will fail. 

The SCA has to be applied to every transaction over 30 euro or 5 low-value transactions in a row. SCA is currently only required when both the acquirer and the issuer of the transactions are located within the EEA.

Each of the 3 changes mentioned above is basically a new business venture. 

In the area of Open API and Open Banking, there’s already a spike of interest in services that help financial institutions with the process. Services that help banks open their APIs, from engines to technical support, are in demand. 

The definition of a Third-Party Provider is an open door for innovation. That is the area where fintech can truly flourish. 

The necessity to protect consumers creates a need for reliable, solid ways of securing data. TPPs have to build a sophisticated and adaptable infrastructure to provide the best services while respecting the consumer’s right to privacy. 

All of these should be considered as part of the broader picture. There is space for new products, software, and platforms. Every new service requires a working environment to grow, so the area of business consulting for finance is expected to peak in the upcoming years. 

The decisive factor for a successful launch is always the same: provide a product that solves a real problem of your users.

PSD2 changes how the electronic payments of the consumers are processed. Third-Party Providers work as a bridge between the consumer, their bank, and the payment process. It’s faster and much more secure. Consumers won’t see a lot of change apart from the ones started by SCA – to complete the payment, they will have to go through a multiple-level authentication process. 

To become a legitimate TPP, companies must obtain a relevant license: AISP (Account Information Service Provider) or PISP (Payment Initiation Service Provider). Both new and existing companies can apply for one or both. However, they do need to meet the national PSD2 requirements of their member state. Please contact your local authority for more information.

TPPs are seen as the innovators. PSD2 encourages creating brand new propositions that have a positive impact on the financial sector and consumers’ satisfaction. As long as the security requirements are complied with, the possibilities are near endless. By establishing your business idea now, on the brink of PSD2 becoming the standard in every EEA country, you gain the opportunity to be a true trailblazer. It is still uncharted territory.

The biggest strength of Third Party-Providers, no matter if it’s an AISP or a PISP, is their novelty. They are limited only by the security requirements and technology currently available. Some examples to consider:

• Merchants, eStores, or eCommerce becoming a TPP and taking the payments process in-house for a quicker, more satisfying customer experience.
• More attractive loyalty programs for customers based on their preferred paying option (e.g. pay with our eWallet and gain more points). 
• More attractive, secure, and faster ways of obtaining loans. 
• Mobile applications that work as a management interface for accounts across different banks. 
• Saving apps that track your monthly expenses and spending patterns. 

The key is to identify the needs of users and create a solution that adds real value to their lives. Those solutions can be created for everyday customers, merchants, B2B or B2C systems, and many more. These are all new challenges for business development in finance.

The beauty of this concept is that most TPPs are not subject to the same stringent regulatory burden as traditional banks and are typically not weighed down by the legacy IT infrastructure that constrains most banks. As a result, they can be much more innovative and adaptable, allowing them to meet market demand quickly and efficiently.

At first, it may seem like the new regulations don’t work in favor of banks. The new requirement to give third parties access to data through open API might sound like a disadvantage on the market. However, this is a great opportunity for banks to become more innovative. TPPs can help them improve customer relationships and become more competitive. A customer-focused approach is what is going to win in the long run. It’s also worth noting that banks do not have to rely entirely on outside TPPs: they can create their own in-house TTP as a means to expand their offerings and keep their independence. Investment in new technology will be an important factor in the race for customers’ approval.

For startups that offer innovation in the financial sector – absolutely. The creation of PSD2 gave an indirect boost to the financial technology industry (fintech) because the regulations allow innovation to grow in an environment regulated by law. New companies can emerge without worrying about their legislative status. That is a crucial point in the world of finance. Thanks to clear rules and regulations, it will be easier for startups to find investors as the risk of a failed launch due to an inexact law is now reduced. It’s especially important for startups that want to be present in the EEA. Operating under PSD2 regulations makes the product preparation and release a lot faster. Startups can become a TTP or provide solutions linked to PSD2, e.g. API connection engine for eCommerce.

Without a doubt, the coronavirus pandemic in 2020 has left a mark on the financial market. It has accelerated the digital transformation by making open banking a more obvious solution for players in financial markets. Full digitalization is now the only viable option. Banks need to be aware that almost all of their activities must, and will increasingly, rely on technology, services, and platforms from external providers. In order to successfully digitize, banks must digitally open up to cooperation with new suppliers. Open banking is truly the only way to go.

Every eCommerce business that receives electronic payments is directly affected by PSD2. The directive established standard rules about how to conduct credit transfers, direct debits, card payments, and mobile and online payments. 

To be able to keep your business receiving those sorts of payments, you will need to ensure that:

1. your eCommerce is compliant with the technical standards for SCA (Strong Customer Authentication),
2. your eCommerce has a 3-D secure protocol in place (the name of the 3-D protocol refers to the action performed between three domains: the issuer, the acquirer, and the interoperability domain). 

Online stores generally do not fall under the Third Party-Provider category. However, it could be an exciting opportunity to explore.

Here are a few tips on how to prepare your eCommerce business for changes caused by PSD2:

• Analyze the payment options offered by your eCommerce and learn more about how they work. Check which ones are favored by your customers. 
• Contact your Payment Service Provider and discuss the matter of compliance with the SCA standards for online payments. 
• Inform your customers about the changes. Implementation of SCA means that there’ll be an extra step in the User Experience Path which may cause uneasiness, especially if customers do not follow the news about financial regulations. Be transparent and reach out to them with the information.
• Stay informed about new payment options. With the growing fintech market, there’ll be plenty of new possibilities available very soon that could take your eCommerce business ahead of the curve.

Above all, try to follow these steps as soon as possible.

Account Servicing Payment Service Provider, or just ASPSP, maintains a payment account of the user. ASPSP has an API that has to be open, as stated by PSD2. Therefore they enable, with the user’s consent, payments initiated by TPPs and/or make their customers’ account transaction data available to TPPS.

Third-Party Providers can offer different kinds of services. Those services have been categorized into 3 types:

1. AIS (Account Information Service) – access to information about the customer’s payment accounts in various banks.
2. PIS (Payment Initiation Service) – payment initiation by the service provider, directly from the consumer’s account.
3. CAF (Confirmation of the Availability of Funds) – with this service, the service provider will check if the consumer has enough funds in the bank account to complete the transaction.

TPPs can provide one, two, or all of the services above. They are obligated to obtain a separate license for each of the services. 

Account Information Service: The Access to Data

The AIS services can, at the user’s request and with their consent, transfer consolidated data about the online payment accounts maintained by one or more other payment service providers. 

As part of the AIS service, a user who has online payment accounts in several banks or other ASPSPs may commission a TPP, i.e. the provider Account Information Service Provider – AISP), preparation of collective information concerning e.g. balances and turnover on individual accounts. For this purpose, AISP, at the user’s request and with his consent, obtains access to the user’s accounts via electronic banking43, then aggregates and presents to the user all the necessary information. The user, therefore, has immediate access to information about his current situation financial, receipts, and turnover on individual accounts.

Payment Initiation Service: Necessary for Online Transactions 

The PIS service is mainly used in e-commerce. The TPP as the provider of the payment initiation service supports the user in the process of making payments on the Internet. 

After placing an order in the online store by the customer, they are redirected to the PISP website, where they are asked to indicate the ASPSP maintaining their account from which the payment will be initiated. Then the PISP, with the customer’s consent, gains access to the user’s electronic banking account and collects all the data necessary to order the payment. Then the user can approve the transfer order to the recipient’s account payments (merchant). After approval of the transaction by the customer’s bank, PISP immediately informs the merchant that the payment has been initiated. The merchant begins the order fulfillment process and delivers the order to the user.

Confirmation of the Availability of Funds: Checking the Balance 

CAF service allows TPPs to check whether a specific amount of funds requested is available on a payment account. A TPP can request that kind of information ahead of processing a transaction. In answer, the ASPSP sends a short message (simple YES or NO) or required

the amount is available, without indicating the amount of the balance on the account in question. Confirmation of the availability of funds on the account does not enable the ASPSP to block these funds on the account payer. CAF service does not process any sensitive data.

Errors happen and there is a risk of unauthorized transactions is real, especially as a result of a security breach or an identity theft. PSD2 regulates the responsibility between the parties involved in an unauthorized transaction. 

In the case of an unauthorized transaction made as part of the PIS service, the party responsible for the return of the payment is the ASPSP. The ASPSP should do so immediately, not later than by the end of the next business day, and restore the customer’s debited payment account to the state from before the unauthorized payment transaction.

If the PIS provider is responsible for the unauthorized payment transaction, it should immediately compensate the losses to the ASPSP (at the request of the ASPSP). The PIS is obligated to prove that, as far as it is concerned, the payment transaction made has been authorized, correctly recorded in the PIS system, and that the payment transaction was not affected by a technical failure or another type of bug related to the payment service on the provider’s side.

The entity authorized to give out licenses for AIS, PIS, and CAF services is specified by country. In Poland, it’s the Financial Supervision Committee (KNF).

Fintech (Financial Technology) is an umbrella term for all kinds of financial technologies that disrupt, digitize, or expand financial services. It includes software, platforms, mobile and web applications, and even devices. It encompasses inventions such as cryptocurrency and peer-to-peer lending. Fintech is strongly connected with other industries such as insurance and healthcare.

Most of the consumers who shop online have already interacted with fintech. Some of the most popular fintech solutions include companies such as:

• Klarna – “buy now, pay later” microloans provider 
• Chime – fully mobile bank
• PayPal – payment provider
• Xero – online accounting software
• Avant – online lending platform
• Lemonade – an insurance company
• Robinhood – a platform for stock market investments
• Venmo – P2P payment service
• TransferWise – borderless debit cards

This is just a small sample of fintech companies. The shortlist above already showcases the variety of possibilities that can become reality with the right approach. PSD2 encourages such initiatives to develop and turn into business ventures.

Based on the list of examples provided in the previous section, we can differentiate many kinds of fintech. The distinction is made by the type of service or solutions they provide. 

Payment

This type of fintech deals with money-related services. This includes consumer payments (e.g. e-wallets), back-end infrastructure (e.g. payment processing providers), and cryptocurrency transactions. What makes them especially attractive is the lack of fees.  

Lending and credit

Peer-to-peer lending is a fintech solution that grows more and more popular every day. Consumers don’t need to turn to banks to borrow money. Loans are granted faster, with little to no bureaucracy involved. 

Online banking

All kinds of banking services can be performed online or via a dedicated app. It includes a variety of innovative solutions, such as chatbots, spending tracker, push notifications, etc. The main characteristic of online banking is that it’s open 24/7.  

Personal finance

Whether it’s saving or monthly budgeting, fintech apps take on the role of a financial advisor.

Insurance

More flexible and available than traditional providers, insuretech companies cooperate with fintech solutions in making the insurance market more customer-friendly. 

Alternative financing methods

Crowdfunding platforms are a type of fintech, too. It can be based on donation-based financing, debt-based, or reward-based. 

Regtech

Rapidly growing type of fintech that helps businesses comply with the latest regulations. Regtech monitors reports and informs when and what compliance is needed.

In a special report, Deloitte predicts that an economic recovery after the COVID-19 pandemic will go hand in hand with new opportunities for fintech. Even though fintech suffered from some setbacks, it is clear that the demand for fintech services is at an all-time high. The majority of people around the world look forward to the digitalization of their finances due to the constraints caused by lockdowns and various safety precautions. That reason alone is responsible for a surge in fintech investment. 

According to CB Insights, there are currently 66 VC-backed fintech unicorns worth a combined $248B. After the initial decline at the beginning of 2020, North America, Europe, South America, Africa, and Australia increased their fintech funding.

We can safely assume that the year 2020 is the starting point for fintech to reach peak maturity. It’s the perfect time to get involved in changing the global financial landscape.

In the second quarter of 2020, the European Commission has announced that they are working on a document that will further regulate the growth of fintech. The project “Consultation on a new digital finance strategy for Europe or FinTech Action Plan” is an open consultation process that is the first stage of creating new regulations. As of now, the consultations are ongoing.

The main objectives of the strategy are as follows:

• provide consumers with even better digital finance solutions with the best security possible,
• technological neutrality – none of the emerging technologies shall be favored by regulations,
• creation of a digital ID,
• the use of AI in financial technology,
• implementation of the green strategy for the EU – sustainable development in the banking sector.

The Fintech Action Plan has been partially inspired by the White Paper on Artificial Intelligence. This shows how important it is to start the digital transformation as soon as possible even in small and micro-companies. Fintech will have a major role in shaping the future.

Fintech Action Plan does not have a release date yet.