
Payment Services Directive 2 (PSD2): Definition and Use in Compliance


The Payment Services Directive 2 (PSD2) is a European Union regulation that governs electronic payment services, requiring banks to open account access to licensed third parties through APIs and to apply strong customer authentication on most electronic transactions.

What is Payment Services Directive 2 (PSD2)?

The Payment Services Directive 2 (PSD2) is the EU regulation, Directive (EU) 2015/2366, that governs electronic payments and payment providers across the European Economic Area. It replaced the 2007 directive and applied from January 2018. Two changes define it: open access to bank accounts for licensed third parties, and mandatory strong customer authentication on most electronic payments.

Before PSD2, a customer's account data sat behind the bank's own walls. PSD2 changed that. If a customer consents, the bank must let a regulated Account Information Service Provider read account data, or let a Payment Initiation Service Provider start a payment straight from the account. Banks build dedicated APIs for this. The directive made open banking a legal requirement rather than a voluntary experiment.

The second pillar is Strong Customer Authentication (SCA). For most electronic transactions, the payer must authenticate with two of three factors: knowledge, possession, and inherence. A password plus a one-time code on a registered phone qualifies. A password alone does not.

Take a concrete case. A shopper buys a €120 jacket online from a French retailer. Under PSD2, unless an exemption applies, the issuing bank challenges the shopper through 3-D Secure before approving the payment. The European Commission frames PSD2 as a tool for competition, innovation, and security in retail payments. See the European Commission's payment services overview for the official scope.

How is Payment Services Directive 2 (PSD2) used in practice?

Most teams interact with PSD2 through exemption strategy. The Regulatory Technical Standards (RTS) on SCA let banks skip SCA in defined cases: contactless payments under €50, recurring fixed-amount subscriptions, payments to trusted beneficiaries the customer whitelisted, and transactions a risk engine clears under Transaction Risk Analysis (TRA). Each exemption is conditional on staying under a fraud-rate ceiling measured in basis points. A payment provider running TRA exemptions up to €250, for example, must hold its fraud rate below the band the RTS sets for that value tier.

That ceiling turns compliance into a live metric. A fraud lead watches the rolling fraud rate and pulls back exemptions if it climbs, because losing the exemption means more authentication friction, abandoned baskets, and a lower Authorization Rate. The tradeoff is real: more SCA challenges cut fraud but cost conversions.

On the open banking side, the work is third-party governance. When an AISP requests access, the bank verifies its authorization through the relevant national regulator and the EBA register, then monitors the consent and API traffic. Unusual access patterns can signal Account Takeover (ATO) or data harvesting, so this feeds into Behavioral Analytics.

PSD2 also sets a major-incident reporting clock. When a payment provider hits a major operational or security incident, it notifies its national authority within set deadlines and updates as facts develop. Compliance teams keep templates and escalation paths ready so they don't miss the window during a live event.

Payment Services Directive 2 (PSD2) in regulatory context

PSD2 sits inside a layered European rulebook and overlaps with several other regimes. It does not replace anti-money-laundering law. A PISP or AISP still carries Anti-Money Laundering (AML) duties, must run Customer Due Diligence (CDD), and reports suspicion through its national Financial Intelligence Unit (FIU). PSD2 governs access and authentication; the AML directives govern who you can serve and what you report.

Data protection is the other heavyweight in the room. PSD2's account-access model only works with explicit customer consent, and that consent has to satisfy the General Data Protection Regulation (GDPR). The European Data Protection Board has published guidance on where the two interact, especially around the data a third party may process beyond the specific service a customer asked for.

The standards body work matters too. The European Banking Authority drafted the RTS, issues opinions, and runs the central register of authorized providers. Its opinion on the implementation of the RTS on SCA shaped how national regulators phased in card-payment enforcement.

Geography adds wrinkles. The UK kept PSD2 after Brexit and the Financial Conduct Authority enforces its domestic version. Inside the eurozone, PSD2 runs over Single Euro Payments Area (SEPA) rails. And the Commission has proposed PSD3 plus a Payment Services Regulation to fix gaps PSD2 left open, so the framework is still moving.

Common challenges and how to address them

The first headache is exemption management. Teams want to apply TRA exemptions aggressively to reduce friction, but the fraud-rate ceiling punishes that if losses creep up. The fix is disciplined measurement: track fraud basis points per value band in near real time, and build automatic fallback to full SCA when a band approaches its limit. Treat the exemption as a privilege the data has to keep earning.
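The two-of-three factor rule, the exemption list and the fraud-rate fallback described above, as one added example in Python (not code from the page or any vendor). The evidence-type names, the risk-engine score scale, the safety margin and the minimum measured volume are assumptions; the TRA band figures are taken as the RTS Annex reference rates for remote card payments and should be checked against the RTS text in force.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the payer knows
    POSSESSION = "possession"  # something only the payer has
    INHERENCE = "inherence"    # something the payer is


# Evidence-type names are assumptions for this example; PSD2 defines only the three categories.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_registered_device": Factor.POSSESSION,
    "device_bound_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def sca_satisfied(evidence: list) -> bool:
    """Two of the three categories are required; two items from the same category count once."""
    categories = {EVIDENCE_CATEGORY[e] for e in evidence}
    return len(categories) >= 2


# TRA bands as (exemption threshold value in EUR, reference fraud rate in basis points).
# Assumed here to be the RTS Annex figures for remote card payments; verify against the RTS text in force.
TRA_BANDS = [(100, 13), (250, 6), (500, 1)]


@dataclass
class RollingFraud:
    """Rolling totals over the measurement window: value of remote payments and value lost to fraud."""
    total_value: float = 0.0
    fraud_value: float = 0.0

    def rate_bps(self) -> float:
        if self.total_value == 0:
            return 0.0
        return self.fraud_value / self.total_value * 10_000


def permitted_tra_ceiling(fraud: RollingFraud, safety_margin: float = 0.8,
                          min_volume: float = 100_000) -> float:
    """Highest band the provider may use under TRA given its current rolling fraud rate.

    safety_margin < 1 pulls exemptions back before the rate actually crosses a ceiling;
    min_volume (assumed) refuses TRA until the window holds enough volume to measure a rate.
    """
    if fraud.total_value < min_volume:
        return 0.0
    rate = fraud.rate_bps()
    ceiling = 0.0
    for limit, ref_bps in TRA_BANDS:          # ascending bands, descending reference rates
        if rate < ref_bps * safety_margin:
            ceiling = limit
    return ceiling


@dataclass
class Transaction:
    amount: float
    contactless: bool = False
    recurring_fixed: bool = False
    trusted_beneficiary: bool = False
    risk_score: float = 1.0  # assumed risk-engine output: 0.0 lowest risk, 1.0 highest


def exemption_for(tx: Transaction, fraud: RollingFraud, max_risk: float = 0.2) -> Optional[str]:
    """Name of the exemption that applies, or None when full SCA is required."""
    if tx.contactless and tx.amount < 50:
        return "contactless_low_value"
    if tx.recurring_fixed:
        return "recurring_fixed_amount"
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"
    if tx.risk_score <= max_risk and tx.amount <= permitted_tra_ceiling(fraud):
        return "transaction_risk_analysis"
    return None


def decide(tx: Transaction, fraud: RollingFraud, evidence: list) -> str:
    """Exempt the payment, or challenge it and report whether the evidence satisfies SCA."""
    exemption = exemption_for(tx, fraud)
    if exemption:
        return "exempt:" + exemption
    return "sca_passed" if sca_satisfied(evidence) else "sca_failed"


if __name__ == "__main__":
    # Constructed window: EUR 2,000,000 of remote payments, EUR 600 lost to fraud, i.e. 3 bps.
    window = RollingFraud(total_value=2_000_000, fraud_value=600)
    print(permitted_tra_ceiling(window))                                    # 250.0
    print(decide(Transaction(amount=120, risk_score=0.1), window, []))      # exempt:transaction_risk_analysis
    print(decide(Transaction(amount=300, risk_score=0.1), window,
                 ["password", "security_question"]))                         # sca_failed
```

The fallback is the point of the design: the ceiling is recomputed from the rolling window on every decision, so a rising fraud rate narrows the TRA band automatically instead of waiting for someone to notice the metric. An empty or thin window grants nothing, which is the safe default when there is no data to earn the exemption with.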

The second is authentication friction itself. Poorly implemented SCA drives cart abandonment. After the 2019 to 2021 rollout, several markets saw conversion dips where 3-D Secure flows were clumsy. The answer is better risk scoring up front so genuinely low-risk transactions qualify for exemptions, paired with smooth challenge UX for the ones that don't. This is where strong Transaction Monitoring earns its keep.

Third, open banking opens a new fraud surface. Consent flows can be abused for Authorized Push Payment Fraud (APP Fraud), where a victim is socially engineered into authorizing a payment to a fraudster, often into a Money Mule Account. SCA does not stop a payment the customer was tricked into approving. Address this with behavioral signals, beneficiary risk checks, and payee-name confirmation.
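The payee-name confirmation and beneficiary risk checks mentioned above, as an added Python example that is not code from the page or any scheme's own implementation. The name-normalisation rules, the similarity threshold, the "new beneficiary" window and the "large first payment" amount are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Legal-form suffixes ignored when comparing names; the list is an assumption for this example.
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "sa", "bv", "gmbh", "inc", "llc"}


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def confirm_payee(entered_name: str, account_holder_name: str) -> str:
    """Payee-name confirmation result: 'match', 'close_match' or 'no_match'."""
    a, b = normalise_name(entered_name), normalise_name(account_holder_name)
    if a == b:
        return "match"
    # Assumed threshold: a near-miss such as a one-letter typo is surfaced, not silently accepted.
    return "close_match" if SequenceMatcher(None, a, b).ratio() >= 0.8 else "no_match"


@dataclass
class Beneficiary:
    account_holder_name: str
    added_on: date            # when the payer first saved this payee
    prior_payments: int       # how many earlier payments this payer has sent here


def beneficiary_risk_flags(entered_name: str, beneficiary: Beneficiary, amount: float,
                           today: date, new_days: int = 7, large_amount: float = 1_000) -> list:
    """Signals that an authorised push payment may have been coerced; thresholds are assumptions."""
    flags = []
    match = confirm_payee(entered_name, beneficiary.account_holder_name)
    if match != "match":
        flags.append("payee_name_" + match)
    is_new = (today - beneficiary.added_on).days <= new_days and beneficiary.prior_payments == 0
    if is_new:
        flags.append("new_beneficiary")
    if is_new and amount >= large_amount:
        flags.append("large_first_payment")
    return flags


if __name__ == "__main__":
    # Constructed case: a payee saved two days ago, name typed with a typo, first payment of EUR 2,500.
    payee = Beneficiary("John Smith", added_on=date(2024, 5, 1), prior_payments=0)
    print(beneficiary_risk_flags("Jon Smith", payee, 2_500, today=date(2024, 5, 3)))
    # ['payee_name_close_match', 'new_beneficiary', 'large_first_payment']
```

None of these flags blocks a payment on its own; the value is in combining them with behavioural signals so a reviewer sees the pattern the page describes (a fresh payee, a name that does not quite match, a large first transfer) while the customer is still in the flow and can be warned.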

Fourth, third-party oversight gets thin. Banks must verify every AISP and PISP and monitor their access, but registers change. Automate revalidation against the EBA register and national lists so a lapsed authorization triggers an alert instead of slipping through.
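The register revalidation described here, together with the consent and API-traffic monitoring mentioned under third-party governance earlier on the page, as an added Python example (not code from the page, the EBA, or any bank). The register snapshot, the onboarding records, the consent map and the access-log lines are all constructed, and their field names and ID formats are assumptions rather than the EBA register's real schema.

```python
from dataclasses import dataclass

# Constructed register snapshot; keys and field names are assumptions, not the EBA register's schema.
REGISTER_SNAPSHOT = {
    "PSD-EXAMPLE-001": {"status": "authorised", "services": {"AIS"}},
    "PSD-EXAMPLE-002": {"status": "authorised", "services": {"PIS"}},
    "PSD-EXAMPLE-003": {"status": "withdrawn", "services": {"AIS", "PIS"}},
}


@dataclass
class OnboardedTpp:
    register_id: str
    name: str
    granted_services: set    # what the bank's API gateway currently lets this TPP do


# Constructed onboarding records, including one that never appears in the register at all.
ONBOARDED = [
    OnboardedTpp("PSD-EXAMPLE-001", "Example AISP Ltd", {"AIS"}),
    OnboardedTpp("PSD-EXAMPLE-002", "Example PISP SA", {"PIS", "AIS"}),
    OnboardedTpp("PSD-EXAMPLE-003", "Lapsed Fintech BV", {"AIS"}),
    OnboardedTpp("PSD-EXAMPLE-004", "Unknown Co", {"AIS"}),
]


def revalidate(onboarded, register) -> list:
    """Compare each onboarded TPP with the register; return (id, finding, action) tuples."""
    findings = []
    for tpp in onboarded:
        entry = register.get(tpp.register_id)
        if entry is None:
            findings.append((tpp.register_id, "not_in_register", "suspend_access"))
        elif entry["status"] != "authorised":
            findings.append((tpp.register_id, "authorisation_" + entry["status"], "suspend_access"))
        else:
            # Still authorised, but granted more service types than the authorisation covers.
            excess = tpp.granted_services - entry["services"]
            if excess:
                findings.append((tpp.register_id, "scope_exceeds_authorisation",
                                 "revoke:" + ",".join(sorted(excess))))
    return findings


# Constructed consents (TPP -> accounts the customer consented to) and API access-log lines.
CONSENTS = {"PSD-EXAMPLE-001": {"ACC-1001", "ACC-1002"}}
ACCESS_LOG = [
    "PSD-EXAMPLE-001 GET /accounts/ACC-1001/balances",
    "PSD-EXAMPLE-001 GET /accounts/ACC-1002/transactions",
    "PSD-EXAMPLE-001 GET /accounts/ACC-1003/transactions",   # no consent covers this account
]


def out_of_consent_reads(log, consents) -> list:
    """Account reads that fall outside the customer consent the TPP holds."""
    alerts = []
    for line in log:
        tpp_id, _method, path = line.split(" ", 2)
        account = path.split("/")[2]
        if account not in consents.get(tpp_id, set()):
            alerts.append((tpp_id, account))
    return alerts


if __name__ == "__main__":
    for finding in revalidate(ONBOARDED, REGISTER_SNAPSHOT):
        print(finding)
    print(out_of_consent_reads(ACCESS_LOG, CONSENTS))   # [('PSD-EXAMPLE-001', 'ACC-1003')]
```

Run on a schedule against a fresh register download, `revalidate` turns a lapsed or narrowed authorisation into an alert with a concrete action, which is what keeps a withdrawn provider from keeping its API credentials by inertia. The consent check is the traffic-side counterpart: a read outside the consented account set is the kind of access pattern the page says should feed behavioural analytics.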

Related terms and concepts

PSD2 connects to a cluster of payments and compliance terms worth knowing together. Strong Customer Authentication (SCA) is the authentication backbone, and 3-D Secure is the protocol that delivers it for card payments. Both aim to cut Card-Not-Present Fraud (CNP), which spiked as commerce moved online.

On the rails side, PSD2 in the eurozone operates over Single Euro Payments Area (SEPA), and faster-payment schemes like the UK's Faster Payments Service (FPS) raise the same instant-settlement fraud questions PSD2 teams wrestle with.

Because open banking access carries financial-crime risk, PSD2 work touches core AML concepts: Know Your Customer (KYC) at onboarding, the Risk-Based Approach (RBA) to allocate scrutiny, and a Suspicious Activity Report (SAR) when something doesn't add up. Card disputes bring in Chargeback handling and the split between Issuer Bank and Acquirer Bank.

For teams building controls across these areas, Identity Verification and KYC/AML Automation and Payment Gateway Security show how authentication, screening, and monitoring fit into one workflow. The throughline: PSD2 made payments more open and better authenticated at once, and the operational job is keeping both true without strangling conversion.

Where does the term come from?

PSD2 comes directly from the European Union's legislative process. The European Commission proposed it in 2013 to update the 2007 Payment Services Directive, which predated smartphones, app-based banking, and most fintech. The European Parliament and Council adopted it as Directive (EU) 2015/2366 in November 2015, and member states transposed it into national law by 13 January 2018.

The technical detail arrived later. The European Banking Authority published the Regulatory Technical Standards on strong customer authentication and secure communication, which the Commission adopted in 2018 and which applied from 14 September 2019. The name is plain: it's the second directive on payment services. The United Kingdom retained PSD2 in domestic law after leaving the EU, and a successor, PSD3, is moving through the EU legislative pipeline.

How FluxForce handles Payment Services Directive 2 (PSD2)

FluxForce AI agents monitor PSD2-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.
