PSD2, or the Second Payment Services Directive, is a regulatory framework implemented by the European Union to govern payment services and providers within the EU and EEA. It aims to enhance the security of electronic payments, foster competition, and improve consumer protection.
Key elements include Access to Account (XS2A), which permits third-party providers to access a customer’s financial data with consent, and Strong Customer Authentication (SCA), which requires robust authentication for electronic payments. PSD2 has led to the emergence of innovative services and increased security measures in the European payment industry.
Here are the key things businesses need to know about PSD2 compliance:
- Scope of PSD2:
PSD2 applies to businesses that provide or facilitate payment services within the European Economic Area (EEA). This includes banks, payment service providers, e-commerce platforms, and other financial institutions.
- Strong Customer Authentication (SCA):
One of the key provisions of PSD2 is the requirement for Strong Customer Authentication. This means that for most electronic payments, customers need to provide at least two forms of authentication. This could be something they know (e.g., a password), something they have (e.g., a mobile device), or something they are (e.g., biometric data like a fingerprint).
- Exemptions from SCA:
Some transactions are exempt from SCA, such as low-value payments (under £30) or recurring transactions of the same amount and payee. However, even in these cases, businesses need to employ risk analysis to ensure security.
- Access to account (XS2A):
PSD2 mandates that banks must allow third-party providers access to their customers’ accounts through Application Programming Interfaces (APIs). This enables new financial services and products to be developed and offered by fintech companies.
- Consent and data privacy:
Businesses must obtain explicit consent from customers before accessing their payment account data. Additionally, businesses must comply with GDPR regulations to ensure the protection of customer data.
- Liability and security:
PSD2 places greater liability on payment service providers in the event of unauthorised or fraudulent transactions. It also requires businesses to implement robust security measures to protect customer data and transactions.
- Notification of security incidents:
Businesses must notify the relevant regulatory authorities of any significant security incidents or data breaches.
- Regulatory reporting and compliance:
Organisations must provide accurate and timely reports to regulatory authorities to demonstrate compliance with PSD2 requirements.
- Customer education:
Businesses are encouraged to educate their customers about the changes brought about by PSD2, especially regarding SCA and how it may affect their online transactions.
- Penalties for non-compliance:
Non-compliance with PSD2 can lead to fines and other penalties imposed by regulatory authorities. It’s crucial for companies to ensure they are fully compliant with the regulation.
- Continued monitoring and adaptation:
The payments landscape is continually evolving, and businesses must stay updated on any changes in PSD2 requirements or related regulations. This may involve making updates to their systems and processes where necessary.
- International impact:
While PSD2 is a European regulation, it can have implications for businesses outside the EU that conduct transactions with EU-based customers or operate within the EU.
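The SCA factor rule and the exemption rules above, as an added worked example (not code from the original page or from any regulator). It checks that presented factors span two distinct categories, then decides per transaction whether SCA is required, using the page's £30 low-value threshold; the consecutive-count and cumulative-amount limits on that exemption, the risk-score scale and the factor names are assumptions of this example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
# The three factor categories named in the text: knowledge, possession, inherence.
FACTOR_CATEGORIES = {
    "password": "knowledge", "pin": "knowledge",
    "device_otp": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def is_strong_authentication(factors):
    """SCA needs factors from two distinct categories (password + PIN is not enough)."""
    categories = {FACTOR_CATEGORIES[f] for f in factors if f in FACTOR_CATEGORIES}
    return len(categories) >= 2

LOW_VALUE_LIMIT = Decimal("30")      # "under £30" as stated on the page
MAX_LOW_VALUE_RUN = 5                # assumed: consecutive exempted payments
MAX_LOW_VALUE_SUM = Decimal("100")   # assumed: cumulative exempted amount
RISK_THRESHOLD = 50                  # constructed risk-score cut-off (0..100)

@dataclass
class Transaction:
    amount: Decimal
    payee: str
    recurring: bool = False          # payment belongs to a standing series
    risk_score: int = 0              # output of the business's own risk analysis

@dataclass
class PayerState:
    low_value_run: int = 0
    low_value_sum: Decimal = Decimal("0")
    mandates: dict = field(default_factory=dict)   # payee -> amount fixed under SCA

def sca_required(tx, state):
    """Decide whether SCA must be applied; returns (required, reason).
    Exemption counters reset whenever SCA is actually performed."""
    if tx.risk_score >= RISK_THRESHOLD:
        reason = "risk analysis overrides every exemption"
    elif tx.recurring:
        if state.mandates.get(tx.payee) == tx.amount:
            return False, "recurring: same amount and payee, series set up under SCA"
        reason = "first payment of a series, or amount/payee changed"
    elif (tx.amount < LOW_VALUE_LIMIT and state.low_value_run < MAX_LOW_VALUE_RUN
          and state.low_value_sum + tx.amount <= MAX_LOW_VALUE_SUM):
        state.low_value_run += 1
        state.low_value_sum += tx.amount
        return False, "low-value exemption"
    else:
        reason = "no exemption applies"
    state.low_value_run, state.low_value_sum = 0, Decimal("0")
    if tx.recurring:                 # the authenticated payment fixes the mandate
        state.mandates[tx.payee] = tx.amount
    return True, reason
```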
It’s important for businesses affected by PSD2 to work closely with legal and compliance teams, as well as technology providers, to ensure full compliance with the regulation.
Financial institutions and service providers should also stay updated with any amendments or additional guidelines related to PSD2, as the regulatory landscape is subject to change. As security and protection requirements grow, compliance teams will have to adapt business models and ensure those requirements are met. Seeking legal and regulatory advice from experts is crucial for ensuring compliance with PSD2.