Updated: Jan 1, 2021
What Open Banking is to the UK, PSD2 is to the EU
PSD2, the Revised Payment Service Directive, is a new piece of European legislation which came into force on 13th January 2018 and is now implemented in the national laws and regulations of EU member states.
Focused primarily on online transactions, PSD2 is a new regulation designed in the hope of creating a more uniform, transparent and open EU payment market.
Among other things, this directive is an attempt by the European Union to foster competition and innovation in banking while improving security. PSD2 promises — or, depending on who you ask, threatens — to transform the way we move and use money.
PSD2 complements the first Payment Services Directive (PSD), a law that was adopted in 2007. While PSD primarily tried to establish safer payment services across the EU, PSD2 widens the directive's scope to include new services and players, and raises the bar in terms of security.
Unlike its predecessor, PSD2 focuses entirely on electronic payments, a manner of transacting that is more cost-efficient than cash and will inevitably be the backbone of economic growth in the future.
The second Payment Service Directive (PSD2) requires banks to provide access to customer data through open APIs. Security is a crucial factor when exposing confidential customer data in this manner. Before allowing third-party providers (TPPs) access to consumer financial data, the bank must make sure that the data does not fall into the wrong hands. To make sure the applications accessing the data are secure, each application must first be registered with the bank.
PSD2 regulates and harmonizes two types of services that were already in existence but were not regulated before. Bringing them within the scope of the PSD2 has boosted transparency, innovation and security in the single market and created a level playing field between different payment service providers. These services are:
1. Payment Initiation Services (PIS): This enables a Payment Service User (PSU) to pay companies directly from their bank account rather than using a debit or credit card through a third party such as Visa or MasterCard. The provider of this service is called a Payment Initiation Service Provider (PISP). The PISP can execute a payment transaction on behalf of a customer once it has the user's explicit consent to provide this kind of service.
2. Account Information Services (AIS): Aggregation of account information from different bank accounts in one place, online or in a mobile app, with the Payment Service User's consent. The provider of this service is called the Account Information Service Provider (AISP).
These service providers have brought innovation and competition, providing more, and often cheaper, alternatives for internet payments, but were previously unregulated under PSD.
Before PSD2 came along, Third Party Providers (TPPs) faced multiple hurdles that prevented them from offering large-scale solutions in the different countries of the European Union.
With these barriers eliminated, there is now greater competition due to the arrival of new players and the provision of these services by existing actors.
In return, the Third-Party Providers need to comply with the same rules as traditional payment service providers: registration, authorization and supervision by competent authorities.
The other major development in PSD2 is the introduction of new security requirements, known as Strong Customer Authentication (SCA). This involves the use of two authentication factors for bank operations that did not previously require them, including payments and access to accounts online or via apps, as well as a stricter definition of what counts as an authentication factor.
Open Banking Vs PSD2:
The adoption of Open Banking is only mandatory for the nine largest bank providers of the U.K. (although challenger banks have also happily jumped on the bandwagon). PSD2, however, applies to all payment account providers in the Union, regardless of their size.
PSD2 is technology neutral and does not specify the details of how Account Servicing Payment Service Providers (ASPSPs) should secure their APIs; the EU leaves the technical details open for the market to decide. The Competition and Markets Authority, responsible for the UK Open Banking Standards, by contrast has already specified the use of OAuth 2.0.