
PSD2 Compliance: Revised Payment Services Directive

Directive (EU) 2015/2366 has applied since 13 January 2018, expanding open-banking access and strong customer authentication across the EEA. It obliges banks to grant licensed third-party providers (TPPs) secure API access and to apply two-factor SCA for most electronic payments, slashing fraud and boosting competition. A 2023 package proposes PSD3 and an accompanying Payment Services Regulation to reinforce these protections.


What is PSD2?

PSD2 modernises EU payments by mandating secure, standardised account-access APIs so that payment-initiation and account-information service providers can innovate on top of bank data. It introduces Strong Customer Authentication (SCA), two independent factors for most card and online payments, and sets clear liability rules to protect consumers from unauthorised or push-payment fraud. All payment service providers must report major incidents to regulators and follow new transparency rules on disputes and charges. A 2022 EBA RTS amendment added an SCA exemption for account access, while the 2023 PSD3/PSR draft aims to tighten fraud refunds and widen direct access to EU settlement systems.

Key Features of PSD

PSD2 Regulation explores various facets of financial services compliance: 

Open Banking

Open Banking to allow TPP access to bank data

This feature mandates banks to provide Third-Party Providers (TPPs) access to their customers' financial data, given the customers' consent. It paves the way for a more integrated financial ecosystem, where consumers can benefit from personalized financial services, including budgeting, financial management tools, and more competitive payment solutions.

SCA

Enhanced Customer Protection with strong customer authentication (SCA)

To increase the security of electronic payments and reduce the risk of fraud, PSD introduces strict customer authentication requirements. These requirements ensure that electronic payments are performed with multi-factor authentication, providing an additional layer of security that protects consumers' financial data.

Competition

Increased Competition by enabling third-party payment services

By requiring banks to open their payment services to third parties, PSD fosters a competitive environment where non-bank financial service providers can offer payment and account services. This competition is intended to lead to better services, lower costs, and innovation in the payments industry.

Security Requirements

Stricter Security Requirements for electronic payments

PSD sets out higher security standards for electronic payments and the protection of financial data. These include rigorous technical and operational requirements for all parties involved in electronic payments, aiming to ensure the integrity and security of payment services and protect users against fraud and other security risks.

Implications of PSD

PSPs must deploy secure REST APIs, embed SCA flows, update customer consent terms, monitor fraud in real time and store incident logs. Banks should prepare for PSD3 by validating confirmation-of-payee checks and reviewing APP-fraud refund processes well ahead of the expected 2026 application date.


How Grand Helps

Each component of Grand.io's GRC software suite is designed to seamlessly align with the PSD2 regulation, targeting critical areas such as transaction security, third-party provider (TPP) access management, customer authentication protocols, and ongoing adjustments to legislative updates.


Frequently Asked Questions

What is PSD2?

EU Directive 2015/2366 that opened banking data and enforced two-factor authentication across EU payments.

How does PSD affect consumer protection and security?

PSD strengthens consumer protection and security by requiring strong customer authentication for electronic payments and setting clear rules for the liability of unauthorized transactions. It mandates that payment service providers apply measures to safeguard the confidentiality and integrity of users' security credentials and personal data.

What is Strong Customer Authentication?

Two independent factors (knowledge, possession, inherence) required for most online or card payments and account access. (European Banking Authority)

What’s happening with PSD3?

A 2023 proposal would merge PSD2 e-money rules into a new Payment-Services Regulation, enhance fraud refunds and extend settlement access, with application targeted for 2026.

Grand Compliance Global AB