Revised Payment Services Directive
PSD2 is an EU directive regulating payment services that mandates Strong Customer Authentication and requires banks to open account access to licensed third parties via secure APIs. National regulators enforce it with fines and authorization restrictions.
What PSD2 Is and Why It Exists
The Revised Payment Services Directive (PSD2) is an EU directive that regulates payment services and payment service providers across the European Economic Area. Applying from January 2018, it modernizes the original Payment Services Directive to reflect new payment technologies and players. PSD2 has two headline aims: to make electronic payments safer through Strong Customer Authentication, and to open the banking market by giving regulated third parties access to account data and payment initiation, with the customer's consent.
It exists to increase competition and innovation in payments while improving security and consumer protection.
Who It Applies To
PSD2 applies to banks and other account-servicing payment service providers, and to newer regulated entities: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), collectively third-party providers. It covers payment services within the EEA and, for some provisions, transactions where only one leg is in the EEA. As a directive, it is implemented through national laws in each member state.
Key Requirements
- Strong Customer Authentication (SCA): electronic payments and account access generally require two of three independent factors (knowledge, possession, inherence), with defined exemptions for low-risk transactions.
- Access to accounts: banks must provide secure interfaces, typically APIs, so licensed third parties can access account information and initiate payments with consent.
- Consent and transparency: customers must explicitly authorize data sharing and can revoke it.
- Security and incident reporting: providers must manage operational and security risks and report major incidents to regulators.
- Liability rules limit consumer losses from unauthorized transactions.
Penalties for Non-Compliance
Because PSD2 is implemented nationally, penalties vary by member state but are set to be effective, proportionate, and dissuasive. National regulators can impose administrative fines, require corrective action, and restrict or withdraw authorization to provide payment services. Banks that fail to offer compliant access interfaces, or providers that mishandle SCA, also face enforcement and reputational damage.
How to Comply
- Determine your role under PSD2: account servicer, AISP, PISP, or other provider, and obtain the required authorization.
- Implement Strong Customer Authentication with appropriate exemptions and dynamic linking for payments.
- For banks, expose secure, well-documented access interfaces and maintain their availability.
- Build robust consent management so customers control third-party access.
- Establish security risk management and major-incident reporting to your national authority.
Many institutions use OAuth 2.0 and OpenID Connect patterns to deliver compliant, interoperable account access.
API Standards and the Move to Open Finance
While PSD2 mandates access to accounts, it does not prescribe a single technical standard, which led to regional API standards such as the Berlin Group's NextGenPSD2 and the UK Open Banking Standard. This fragmentation has been a practical challenge for third-party providers operating across markets. Looking ahead, the EU's proposed payment-services and financial-data-access reforms aim to refine SCA, improve API quality, and extend data sharing beyond payments into broader "open finance." Institutions building today should favor well-documented, highly available, standards-based APIs and robust consent management, since regulatory direction continues to reward reliable, interoperable access rather than minimal compliance.