The second Payment Services Directive (PSD2) is a European directive which aims to promote competition, innovation, and security in the payments industry. It replaces the Payment Services Directive (PSD) of 2007, which created a single market for payments in the European Union.
PSD2 came into force in January 2016, after an amendment proposed by the European Commission in 2013. Member states had two years to transpose the directive into national law. There was a further deadline in September 2019 to comply with the Regulatory Technical Standard (RTS), at which point PSD2 open banking became operational in Europe.
PSD2 developed the original PSD with further regulation around authentication processes and third parties, focusing on increasing customer rights and security. Specifically, PSD2 established the regulatory framework for open banking in Europe. It introduced new regulated players called third party providers (TPPs), which have the legal right to access bank account information on behalf of their customers.
TPPs – or open banking fintechs – had been around for years before PSD2. However, without regulation, the companies struggled to compete against established financial institutions and offer large-scale, disruptive solutions with compatibility across all banks. With PSD2, banks are legally required to open their systems to third parties via Application Programming Interfaces (APIs).
As a result, there has been an explosion in newly regulated TPPs and innovative products and services. In addition, TPPs are now authorised and supervised by National Competent Authorities (NCAs), increasing the transparency and security of the ecosystem. There are now over 338 TPPs in the EEA alone, with a further 221 TPPs based in the UK.
PSD2 focused on two types of TPPs: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
PSD2 requires financial institutions to give TPPs instant and reliable access to customer data. This introduced a great deal of risk: financial institutions were now in need of a process to vet these third parties to ensure that their customers’ data and funds were not falling into the wrong hands. PSD2 makes it clear that banks are fully liable for any unauthorised or fraudulent open banking transactions.
In 2019, when transaction volumes were still small, banks could get away with makeshift solutions or minimal security measures. But as the ecosystem has grown, the risk has also increased. Monthly open banking transactions in the UK alone have more than doubled from 410 million in May 2020 to over 1 billion in May 2022. In addition to TPPs, there are hundreds of entities, known as ‘agents’, that rent TPP licences to provide services, thousands of financial institutions using their own open banking permissions, and TPPs passporting their services across Europe. The complexity of the ecosystem has created new problems for financial institutions.
To remain compliant with financial regulation and protect customers’ data and funds, financial institutions require a solution which can validate the identity and authorisation status of a third party in real time.
Konsentus already provides this capability to over 500 financial institutions in Europe. With a proven, cutting-edge suite of products, Konsentus helps financial institutions secure their open banking transactions, enabling the full benefits of the open ecosystem to be enjoyed. By consolidating the latest available source data on a TPP and providing it back to a financial institution through a single API in real time, Konsentus removes complexity and shields customers from any unnecessary risk.