PSD2 & Payment Services
Payment Services Directive compliance, strong customer authentication implementation, API security audits, and open banking regulatory frameworks.
Regulations Covered
PSD2, PSD3 & PSR (upcoming), CJEU case law
Status
PSD2 Applicable Since 2018
Why This Matters
Extraterritorial Reach
PSD2 applies to any payment service provider offering services to EU residents or processing payments in EU currencies, regardless of where the provider is established. Non-EU payment service providers serving European customers must comply with PSD2 requirements including strong customer authentication, consumer protection obligations, and operational standards.
US payment processors serving European merchants must implement SCA
Asian fintech companies offering services to EU customers need PSD2 compliance
Global payment platforms must meet open banking API requirements
Significant Penalties
National competent authorities can impose administrative penalties for PSD2 violations including fines up to €5M or 3-5% of annual turnover for serious breaches. Penalties apply for failures in strong customer authentication, unauthorized access to payment accounts, inadequate consumer protection, and operational requirement violations.
Maximum Administrative Fine
€5M or 3-5% of turnover
SCA Non-Compliance
Penalties for inadequate authentication systems
Regulatory Evolution
PSD3 and PSR are expected to become applicable in 2026, introducing enhanced consumer protection, improved open banking requirements, and harmonized implementation across Member States. Financial institutions must prepare for stricter fraud prevention measures, enhanced API performance standards, and more uniform enforcement while maintaining current PSD2 compliance.
Mandatory payee name and IBAN verification
Enhanced open banking API performance requirements
User dashboards for open banking permission management
PSD2 Core Pillars
Four foundational elements establishing the European payments framework
Third-Party Payment Service Providers
PSD2 opens the EU payments market to third-party payment service providers offering services based on access to payment account information. We help financial institutions implement secure access frameworks for payment initiation services (PIS) and account information services (AIS), ensuring compliance with regulatory technical standards while maintaining operational security.
Strong Customer Authentication
PSD2 requires strong customer authentication for electronic payments, based on two or more independent elements (knowledge, possession, inherence). We implement SCA frameworks with dynamic linking to transaction amounts and payees, manage exemptions for low-risk transactions, and ensure frictionless payment experiences while maintaining security standards.
Enhanced Consumer Protection
PSD2 strengthens consumer rights including immediate refunds for unauthorized transactions, liability limits of €50 for lost payment instruments, and unconditional refund rights for direct debits. We help payment service providers implement compliant consumer protection frameworks, complaint handling systems, and transparent fee disclosure mechanisms.
Open Banking Infrastructure
PSD2 mandates that account servicing payment service providers provide access to payment accounts for authorized third-party providers. We design and implement PSD2-compliant APIs, ensure adherence to regulatory technical standards on secure communication, and establish robust authentication and authorization frameworks for open banking services.
PSD3 & PSR Evolution
Building on PSD2 to address market developments and implementation challenges
Increased Consumer Protection
PSD3 strengthens fraud prevention with mandatory payee name and IBAN checks, enhanced refund guidelines addressing spoofing fraud, and improved transaction statement requirements. We help financial institutions implement these enhanced consumer protection measures while maintaining operational efficiency and customer experience.
Open Banking Enhancement
PSD3 improves open banking competitiveness by setting stricter requirements for API functionality and performance, requiring open banking providers to offer user dashboards for monitoring permissions, and increasing transparency around open banking services. We build compliant open banking infrastructure that meets these enhanced technical and operational standards.
Harmonized Implementation
PSD3 addresses inconsistent implementation across Member States by replacing the directive with a directly applicable regulation (PSR) for most provisions. We help payment service providers prepare for this regulatory shift, ensuring compliance frameworks are adaptable to the more uniform enforcement landscape expected under PSD3/PSR.
Forward-Looking Approach
PSD3 takes a forward-looking approach to accommodate rapid digitization and evolving payment methods. We help financial institutions build flexible compliance frameworks that can adapt to future regulatory developments while maintaining current PSD2 compliance during the transition period.
Key Difference: Directive vs Regulation
PSD3 (Directive)
Focuses on licensing and supervision of payment service providers. Requires transposition into national law by Member States, allowing for some national variation in implementation.
PSR (Regulation)
Covers security, strong customer authentication, and PSP obligations. Directly applicable across all EU Member States without national transposition, ensuring uniform implementation and enforcement.
Payment Services Regulation (PSR)
Key provisions in the upcoming PSR that will transform European payment services
IBAN Verification Service
PSR introduces mandatory IBAN and payee name verification for all credit transfers. Payment service providers must offer verification services allowing payers to check if the IBAN matches the intended payee name before executing transactions. This requirement aims to prevent misdirected payments and reduce fraud through impersonation and spoofing attacks.
Real-time IBAN and payee name matching verification
Mandatory for all credit transfers within the EU
Application 24 months after PSR entry into force
Enhanced Fraud Prevention
PSR strengthens fraud prevention requirements including liability provisions for impersonation fraud (spoofing), mandatory transaction monitoring mechanisms, and fraud data sharing between payment service providers. These measures address the growing threat of authorized push payment fraud where users are tricked into authorizing fraudulent transactions.
Conditional reversal of liability for authorized push payment fraud
Mandatory transaction monitoring and fraud detection systems
Fraud data sharing mechanisms between PSPs
SCA Accessibility Requirements
PSR introduces accessibility requirements for strong customer authentication, ensuring that authentication methods are accessible to users with disabilities. Payment service providers must offer alternative authentication methods that accommodate different user needs while maintaining security standards required under the regulation.
Accessible authentication methods for users with disabilities
Multiple authentication options meeting accessibility standards
Compliance with EU accessibility directive requirements
Open Banking Improvements
PSR enhances open banking requirements by mandating dedicated interfaces with specific performance standards, requiring user dashboards for managing open banking permissions, and establishing more detailed technical specifications. These improvements aim to increase open banking adoption and ensure consistent service quality across the European Union.
Mandatory dedicated interfaces with performance standards
User dashboards for open banking permission management
Enhanced technical specifications for API interoperability
Strengthened Enforcement
PSR replaces most PSD2 provisions with a directly applicable regulation, eliminating inconsistencies in national implementation. The regulation strengthens penalties for non-compliance and grants the European Banking Authority product intervention powers to address emerging risks in payment services markets across the European Union.
Directly applicable across all EU Member States
Enhanced penalties for regulatory violations
EBA product intervention powers for emerging risks
Payment System Access
PSR strengthens rights of payment institutions and e-money institutions to access payment systems and bank accounts. The regulation establishes clearer rules for direct participation in payment systems and prohibits unjustified refusals of account access, promoting competition and innovation in European payment services markets.
Enhanced rights for non-bank PSPs to access payment systems
Prohibition of unjustified account access refusals
Level playing field for payment institutions and banks
Strong Customer Authentication
Multi-factor authentication requirements for electronic payments
Multi-Factor Authentication
SCA requires authentication based on two or more independent elements: knowledge (password, PIN), possession (card, mobile device), or inherence (fingerprint, facial recognition). We implement multi-factor authentication systems that meet PSD2 requirements while ensuring user-friendly experiences across digital channels.
Knowledge-based authentication (passwords, PINs, security questions)
Possession-based authentication (payment cards, mobile devices, hardware tokens)
Inherence-based authentication (biometrics including fingerprint, facial recognition, voice)
Independence verification ensuring breach of one element doesn't compromise others
Dynamic Linking
For remote transactions, PSD2 requires dynamic linking to the transaction amount and payee account. We implement authentication systems that generate unique codes linked to specific transaction details, protecting users against man-in-the-middle attacks and unauthorized transaction modifications.
Transaction-specific authentication codes linked to amount and payee
Real-time generation of dynamic authentication elements
Tamper-proof display of transaction details during authentication
Cryptographic binding between authentication and transaction parameters
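As an added illustration of the dynamic linking requirement described above (this is example code, not the firm's or any ASPSP's implementation), the block below binds an authentication code to the exact amount and payee via HMAC-SHA256 over a per-transaction challenge, so a transaction altered in transit fails verification. The shared device key, the field encoding and the sample IBAN are constructed assumptions; a real deployment would keep the key in the device's secure element or keystore.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample key: stands in for a secret provisioned to the payer's
# registered device (the possession element). Hard-coded only so this runs offline.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Transaction:
    amount_cents: int   # minor units avoid floating-point ambiguity in the binding
    currency: str
    payee_iban: str


def canonical(tx: Transaction, challenge: bytes) -> bytes:
    """Length-prefixed encoding of the linked fields.

    Length prefixes guarantee that two different (amount, payee) pairs can never
    serialise to the same bytes, which naive string concatenation would allow.
    """
    parts = [
        challenge,
        str(tx.amount_cents).encode(),
        tx.currency.upper().encode(),
        tx.payee_iban.replace(" ", "").upper().encode(),
    ]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def new_challenge() -> bytes:
    """Fresh per-transaction challenge: a captured code cannot be replayed later."""
    return os.urandom(16)


def authentication_code(key: bytes, tx: Transaction, challenge: bytes) -> str:
    """Computed on the device after the payer confirms the displayed amount and payee."""
    return hmac.new(key, canonical(tx, challenge), hashlib.sha256).hexdigest()


def verify(key: bytes, tx: Transaction, challenge: bytes, code: str) -> bool:
    """ASPSP side: recompute over the transaction about to be executed.

    If a man-in-the-middle changed the amount or payee after the payer approved
    them, the recomputed MAC differs and the payment is rejected.
    """
    return hmac.compare_digest(authentication_code(key, tx, challenge), code)


if __name__ == "__main__":
    tx = Transaction(12950, "EUR", "DE89 3704 0044 0532 0130 00")  # constructed
    ch = new_challenge()
    code = authentication_code(DEVICE_KEY, tx, ch)
    print("approved transaction verifies:", verify(DEVICE_KEY, tx, ch, code))
    tampered = Transaction(1295000, "EUR", tx.payee_iban)
    print("amount changed in transit verifies:", verify(DEVICE_KEY, tampered, ch, code))
```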
SCA Exemptions
PSD2 allows exemptions from SCA for low-risk transactions including low-value payments, recurring transactions, and trusted beneficiaries. We help payment service providers implement risk-based authentication systems that apply appropriate exemptions while maintaining security and monitoring fraud rates to ensure exemption eligibility.
Low-value transactions (under €30 at point of sale, under €500 for remote transactions)
Recurring transactions with same amount and payee
Trusted beneficiary lists managed by payment service users
Transaction risk analysis for exemption eligibility assessment
Open Banking Framework
Secure access to payment accounts for authorized third-party providers
Payment Initiation Services
PIS providers initiate payment orders at the request of the payer with respect to a payment account held at another payment service provider. We help financial institutions implement secure PIS frameworks including API endpoints for payment initiation, strong customer authentication integration, and real-time payment status notifications.
Key Requirements
Secure API endpoints for payment initiation requests
Integration with account servicing PSP authentication systems
Real-time payment status updates and confirmation mechanisms
Liability framework implementation for unauthorized transactions
Account Information Services
AIS providers consolidate information from multiple payment accounts held with different account servicing PSPs. We build compliant AIS infrastructure including secure data access APIs, consent management systems, and data aggregation frameworks that respect user privacy while enabling comprehensive financial overview services.
Key Requirements
Secure API endpoints for account information retrieval
Explicit consent management and permission tracking systems
Data minimization ensuring only necessary information is accessed
Secure data transmission and storage meeting PSD2 security standards
API Technical Standards
PSD2 regulatory technical standards specify requirements for secure communication between account servicing PSPs and third-party providers. We implement compliant API infrastructure including qualified certificates for authentication, secure communication protocols, and standardized data formats ensuring interoperability across the European payments ecosystem.
Key Requirements
Qualified certificates issued by qualified trust service providers
TLS encryption for all API communications
Standardized API specifications ensuring cross-border interoperability
API performance monitoring meeting regulatory availability requirements
Implementation Timeline
From PSD2 application to PSD3/PSR expected implementation
January 13, 2018
PSD2 Transposition Deadline
EU Member States were required to transpose PSD2 into national law. Most provisions became applicable, establishing the legal framework for payment services, third-party providers, and enhanced consumer protection across the European Union.
September 14, 2019
SCA Implementation
Strong customer authentication requirements became mandatory for electronic payments. Payment service providers were required to implement multi-factor authentication with dynamic linking for remote transactions, with limited exemptions for low-risk payments.
June 2023
PSD3 Proposal Published
The European Commission published the draft PSD3 directive and PSR regulation, introducing enhanced consumer protection, improved open banking requirements, and harmonized implementation across Member States to address inconsistencies in PSD2 application.
2026 (Expected)
PSD3/PSR Application
The PSD3 directive and PSR regulation are expected to become applicable after completion of the legislative process and an 18-month transposition period. Enhanced requirements for fraud prevention, open banking, and cross-border payments will take effect across the European Union.
Financial Services Use Cases
PSD2 compliance across different payment service provider categories
Traditional Banks
Challenge
Implementing PSD2-compliant APIs while maintaining legacy system security and ensuring seamless integration with third-party providers.
Our Solution
We build secure API gateways that connect legacy core banking systems with PSD2-compliant interfaces, implement strong customer authentication frameworks, and establish monitoring systems for third-party access. Our solutions ensure regulatory compliance while protecting existing infrastructure and customer data.
Digital Banks & Neobanks
Challenge
Balancing open banking innovation with PSD2 security requirements and consumer protection obligations while scaling digital-first operations.
Our Solution
We design cloud-native PSD2 compliance frameworks with built-in SCA, implement real-time fraud monitoring systems, and build flexible API infrastructure supporting both account servicing and third-party provider roles. Our solutions enable rapid scaling while maintaining regulatory compliance and operational security.
Payment Institutions
Challenge
Obtaining and maintaining payment institution licenses while implementing operational requirements including safeguarding, incident reporting, and business continuity planning.
Our Solution
We guide payment institutions through the licensing process, implement safeguarding frameworks for customer funds, establish incident reporting systems meeting regulatory requirements, and build operational resilience frameworks. Our solutions ensure ongoing compliance with PSD2 operational and prudential requirements.
Fintech Payment Providers
Challenge
Navigating PSD2 licensing requirements for payment initiation and account information services while building scalable technical infrastructure.
Our Solution
We support fintech providers through registration and authorization processes, implement secure API integration with multiple account servicing PSPs, build consent management systems, and establish professional indemnity insurance frameworks. Our solutions enable compliant market entry and sustainable growth in the European payments market.
Our PSD2 Compliance Framework
Comprehensive solutions for payment service providers across the European Union
PSD2 Licensing & Authorization
We guide financial institutions through PSD2 licensing processes including payment institution authorization, e-money institution licensing, and registration for account information service providers. Our team prepares comprehensive applications, coordinates with national competent authorities, and ensures all documentation meets regulatory requirements for successful authorization.
Strong Customer Authentication Implementation
We design and implement SCA frameworks meeting PSD2 requirements including multi-factor authentication systems, dynamic linking for remote transactions, and risk-based exemption management. Our solutions balance security requirements with user experience, ensuring frictionless payments while maintaining regulatory compliance and fraud prevention capabilities.
Open Banking API Development
We build PSD2-compliant API infrastructure for account servicing PSPs including secure endpoints for payment initiation and account information services. Our systems implement regulatory technical standards for secure communication, qualified certificate authentication, and standardized data formats ensuring interoperability across the European payments ecosystem.
API Security & Penetration Testing
We conduct comprehensive security assessments of payment APIs including penetration testing, vulnerability assessments, and ongoing security monitoring. Our security audits verify compliance with PSD2 security requirements, identify potential vulnerabilities, and provide remediation guidance ensuring robust protection of payment account data and transaction integrity.
Operational Requirements Implementation
We establish PSD2-compliant operational frameworks including safeguarding requirements for customer funds, complaint handling procedures, incident reporting systems, and business continuity planning. Our solutions ensure payment service providers meet ongoing operational obligations while maintaining service quality and customer protection.
PSD3 Transition Planning
We help financial institutions prepare for PSD3/PSR implementation by monitoring regulatory developments, assessing impact on current operations, and building forward-compatible compliance frameworks. Our transition planning ensures seamless adaptation to enhanced requirements while maintaining current PSD2 compliance during the regulatory evolution.
Ready to Achieve PSD2 Compliance?
Start with a comprehensive payment services assessment
Apply for Partnership