Payment Services Directive 2 (PSD2)
The Payment Services Directive 2 (PSD2) is the European regulatory framework governing payment services and access to bank accounts. Effective since January 2018, it introduced Strong Customer Authentication (SCA), open banking, and new obligations for third-party payment service providers.
PSD2 fundamentally transformed the European payments landscape by opening access to banking data to new players (aggregators, payment initiators) while strengthening transaction security. Strong Customer Authentication (SCA) mandates two-factor verification for electronic payments, combining at least two elements from knowledge (password), possession (phone), and inherence (biometrics).
Open banking, a central pillar of PSD2, requires banks to provide access to account data through secure APIs to licensed third-party providers (AISPs for account information and PISPs for payment initiation). This framework has spurred innovation in identity verification: confirming the identity of a bank account holder now serves as a complementary tool to traditional KYC.
For compliance professionals, PSD2 is closely linked with AML obligations. Payment service providers must not only meet the directive's technical requirements (SCA, secure communication, incident management) but also apply due diligence measures mandated by anti-money laundering regulations. PSD3, currently being developed, is expected to further strengthen these requirements.
Real-world examples
1. A fintech account aggregator (AISP) obtains its licence from the regulator and must verify the identity of its users before granting access to their bank account data via PSD2 APIs.
2. An e-commerce merchant sees increased cart abandonment following the introduction of SCA: it implements regulatory exemptions for recurring payments and low-value transactions.
3. A payment initiation service provider (PISP) processes a EUR 15,000 transfer and automatically triggers enhanced identity verification of the payer, in compliance with AML thresholds and PSD2 SCA requirements.