Payment Services Directive 2 (PSD2)
AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.
Summary
Directive (EU) 2015/2366 (PSD2) establishes harmonised rules for payment services across the EU, including the authorisation and supervision of payment service providers, security requirements such as strong customer authentication, regulated third-party access to payment accounts, and consumer protections. In 2023 the European Commission proposed a Payment Services Regulation (PSR) and a third Payment Services Directive (PSD3) to replace PSD2, splitting its content between a directly applicable regulation (conduct-of-business and security rules) and a directive (authorisation and supervision); as of 2023 these proposals are still under negotiation.
Who is affected?
Payment service providers (banks, payment institutions, e-money institutions), third-party providers (payment initiation and account information services), merchants, and consumers using electronic payments in the EU. National competent authorities and central banks are also affected through supervision and enforcement responsibilities.
Scope
Applies to payment services provided in the EU, covering rights and obligations for payment transactions and the authorisation, supervision, and operational/security requirements of payment service providers.
Key Points
- Sets authorisation, prudential, and operational requirements for payment institutions operating in the EU.
- Introduces regulated third-party access to payment accounts (open banking) with customer consent.
- Mandates strong customer authentication (SCA) for online account access, electronic payment initiation, and other remote actions that may imply a risk of fraud, with the technical detail set out in regulatory technical standards (Commission Delegated Regulation (EU) 2018/389), and requires payment service providers to report major operational and security incidents.
- Establishes transparency, information, and consumer protection requirements, including liability for unauthorised transactions.
- Provides rules on access to payment systems and accounts, and cooperation between national authorities.
- Currently under review, with proposed updates (PSR/PSD3) under negotiation as of 2023.
Frequently Asked Questions
Who must comply with PSD2?
PSD2 applies to all payment service providers operating within the EU, including banks, payment institutions, e-money institutions, and authorised third-party providers such as those offering payment initiation or account information services. Merchants and consumers are also affected, especially regarding rights and obligations in electronic payments.
What is the scope of PSD2?
PSD2 covers payment services provided within the EU, including the authorisation, supervision, and operational requirements for payment service providers. It also sets out rules for payment transactions, consumer rights, and regulated access to payment accounts by third parties.
What are the key obligations for payment service providers under PSD2?
Key obligations include obtaining authorisation from the national competent authority, applying strong customer authentication (SCA) when a payer accesses a payment account online, initiates an electronic payment, or carries out any action through a remote channel that may imply a risk of fraud, disclosing fees and terms transparently, reporting major operational and security incidents to the competent authority, and applying the liability rules for unauthorised transactions (including the EUR 50 cap on the payer's liability for losses arising from a lost, stolen, or misappropriated payment instrument, which does not apply where the payer acted fraudulently or with gross negligence).
What is 'open banking' under PSD2?
Open banking refers to the regulated access for authorised third-party providers to payment account information and payment initiation services, with the account holder's consent. This enables new services and greater competition in the payments market.
What are the penalties for non-compliance with PSD2?
PSD2 leaves penalties to national law: each Member State must lay down effective, proportionate, and dissuasive penalties for infringements, and its national competent authority applies them. Sanctions can include fines and the suspension or withdrawal of the authorisation to provide payment services, scaled to the nature and extent of the breach.
How does PSD2 interact with other EU regulations?
PSD2 interacts with other EU financial and data protection rules. The General Data Protection Regulation (GDPR) governs the personal data obtained through account access, and PSD2 itself requires the user's explicit consent before a provider processes personal data needed to deliver the payment service. The Anti-Money Laundering Directive (AMLD) sets the customer due diligence obligations that payment service providers must meet. Euro credit transfers and direct debits follow the SEPA Regulation ((EU) No 260/2012), and the regulatory technical standards on SCA rely on qualified certificates under the eIDAS Regulation to identify third-party providers to account-servicing providers.
What are the timelines for compliance with PSD2?
PSD2 entered into force on 12 January 2016, and Member States had to transpose and apply it from 13 January 2018. The regulatory technical standards on strong customer authentication and secure communication applied from 14 September 2019; for card-based e-commerce payments the European Banking Authority allowed supervisors to tolerate a migration period that ended on 31 December 2020. All core obligations are now in effect.
What practical steps should payment service providers take to comply with PSD2?
Providers should confirm they hold the correct authorisation for the services they offer, implement strong customer authentication (including dynamic linking of each remote payment to its amount and payee), update customer terms and fee disclosures, establish procedures for classifying and reporting major incidents, and, for account-servicing providers, offer third-party providers a secure access interface (a dedicated interface or an adapted customer interface) together with a contingency mechanism for use if that interface fails. Regular staff training and compliance reviews are also recommended.
How is PSD2 being updated or replaced?
In 2023, the European Commission proposed a new Payment Services Regulation (PSR) and a new Payment Services Directive (PSD3) to modernise and strengthen the existing framework. These proposals are currently under negotiation and have not yet replaced PSD2.
Key Terms
- Payment Service Provider (PSP): An entity authorised to provide payment services, such as a bank, payment institution, or e-money institution, under the PSD2 framework.
- Third-Party Provider (TPP): A regulated entity authorised to access payment accounts held at another provider in order to deliver payment initiation or account information services with the account holder's consent.
- Payment Initiation Service (PIS): A service that initiates a payment transaction from a user's payment account held at another payment service provider, at the user's request and with the user's consent.
- Account Information Service (AIS): An online service that provides consolidated information on one or more payment accounts held by a user with one or more payment service providers.
- Strong Customer Authentication (SCA): Authentication based on two or more independent elements categorised as knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is), designed so that the breach of one element does not compromise the reliability of the others; required for online account access and electronic payments to reduce fraud.
- Open Banking: A regulatory framework enabling secure, standardised access to payment accounts by authorised third parties, fostering innovation and competition.
- Consumer Protection: A set of rules under PSD2 that safeguard users of payment services, including liability limits for unauthorised transactions and clear information requirements.
- Incident Reporting: The obligation for payment service providers to notify the competent authority in their home Member State, without undue delay, of major operational or security incidents.
- National Competent Authority (NCA): The designated regulatory body in each EU Member State responsible for supervising and enforcing PSD2 compliance.
- Authorisation: The formal process by which payment service providers obtain permission from national authorities to operate under PSD2.