The Second Payments Services Directive (PSD2) is a European Union directive introduced in January 2018 that expands on the original 2007 Payment Services Directive. It aims to increase competition and innovation among payment providers by opening the payments industry to new players such as technology companies and FinTech startups.
To comply with PSD2, banks must open their customer data platform APIs (Application Programming Interfaces) to allow approved third-party providers access to account information and initiate payments on behalf of customers. This will enable these third-party providers - such as online banking aggregators, price comparison websites and mobile wallets - to offer innovative services such as instant account notifications or one-click checkout for e-commerce transactions.
The PSD2 Regulation also requires financial institutions to provide Strong Customer Authentication (SCA) when carrying out certain transactions, such as money transfers or bill payments. This will help protect consumers from fraud and identity theft and ensure they always retain control over their finances.
Among its many provisions, PSD2 requires banks to provide third-party providers with access to customer account data – a move that will potentially enable these companies to offer innovative new services such as instant account notifications or one-click checkout for e-commerce transactions.
While this may seem like bad news for traditional card schemes (which could see their market share eroded as consumers switch to alternative payment methods), some important card companies have responded positively to PSD2, recognizing that there are many opportunities for them to capitalize on the changes brought about by the directive.
In particular, they have been busy developing APIs (Application Programming Interfaces) that will allow third-party providers direct access to their systems; this will not only make it easier for those providers to implement support for their cards but also give them greater visibility into customers’ spending habits.
To comply with PSD2, businesses need to ensure that they are compliant with its core requirements, which include:
- Licensing & Registration: All entities providing payment services must hold authorization from their financial regulator.
- Customer Identification: Customers must be identified before providing any payment service. This includes verifying customers’ identities against lists of known terrorist financiers maintained by government agencies.
- Data Protection & Security: Personal data relating to customers must be protected using appropriate security measures. This includes ensuring customer data is appropriately encrypted when transmitted or stored electronically.
Failure to meet these requirements could result in fines or penalties from financial regulators.
There is no one-size-fits-all answer to this question, as the requirements for becoming PSD2 compliant will vary depending on the specific business. However, there are some general steps that businesses can take to become compliant with the new regulations:
- Familiarize yourself with PSD2 and its requirements. This includes understanding what activities fall within the scope of PSD2 and ensuring that your business is effectively preparing for compliance by implementing relevant processes and procedures.
- Review your data protection safeguards to ensure they meet current standards. This includes using appropriate security measures (such as encryption) to protect customer data from unauthorized access or theft.
- Ensure all employees interacting with customers know their obligations under PSD2, including verifying customers’ identity before providing payment services.