PSD2: what has changed?


What has changed?

Scope extended to all currencies and one-leg transactions

PSD2 extends the conduct of business and transparency requirements to consumer transactions[2] with ‘one leg’ in the EU (i.e. payments to/from third countries where one of the payment services providers (PSPs) are located in the EU). PSD2 applies to intra-EEA and one-leg transactions in any currency (not just EEA currencies).

Changes to the scope of the exclusions

PSD2 amends the scope of exclusions that existed under PSD1:

  • Electronic communications exclusion. Under PSD1, payments made through a telecom operator were not covered where the telecom operator acted as an intermediary between the consumer and the PSP. PSD2 narrows this exclusion, and it now covers only payments made through telecom operators for the purchase of digital services such as music and digital newspapers that are downloaded on a digital device or of electronic tickets or donations to charities (subject to per-transaction and cumulative monetary thresholds).
  • Limited Network exclusion. Under PSD1, there was an exclusion for payment services that are based on instruments[3] used to acquire goods or services in or on the issuer’s premises or within a limited network of service providers, or for a limited range of goods or services. The scope of this exclusion under PSD1, was believed to offer no legal protection for payment service users (“PSUs”) and had disadvantages for regulated market actors. Under PSD2, the relevant national regulator must be notified if the total value of transactions exceeds €1m in any 12-month period. The PSD2 exclusion now applies to instruments that either: <br/> <br/>Allow the holder to acquire good or services only in the premises of the issuer, or within a limited network of service providers under a direct commercial agreement with a professional issuer; or<br/> <br/> <br/>Can be used to acquire a very limited range of goods and services.<br/>
  • Commercial agent exclusion. This PSD1 exemption was found to be applied very differently across Member States. Under PSD2, the exemption only applies where the commercial agent is authorised to negotiate or conclude the sale or purchase of goods or services on behalf of only the payor or payee. Where agents act for both parties, the exclusion applies only where the agent does not enter into possession or control of client funds.

Enhanced consumer rights

This includes:

  • Reduced liability for unauthorised payments from €150 to €50;
  • Unconditional right to refund for direct debits in EUR;
  • Removal of surcharges for the use of a consumer debit or credit card.

New providers and new payment services

PSD2 introduces new third-party access rules, which enables third-party service providers (“TPPs") to access consumers’ payment account data[4] traditionally held by banks or any other PSPs providing payment accounts that are accessible online. PSPs cannot make this information sharing conditional on having a contract in place with the TPP. This poses challenges and opportunities for incumbent PSPs.

New services provided by TTPs include:

  • account information services, which allow a payment service user to have an overview of their financial situation at any time, allowing users to better manage their personal finances;
  • payment initiation services, which allow consumers to pay via simple credit transfer for their online purchases, while providing merchants with the assurance that the payment has been initiated so that goods can be released or services provided without delay.

Operational and security risk management

In order to be PSD2 compliant, PSPs will likely need to make changes to processes and procedures.

PSD2 introduces a number of new requirements, such as:

  • All PSPs are required to report major operations or security incidents to their national regulator and notify customers without undue delay if a security incident could affect the financial interests of those customers;
  • PSPs must provide, on an annual basis, information on their assessment of operational and security risks associated with their payment services as well as their risk mitigation and control measures;
  • PSPs are required to apply strong customer authentication[5] (“SCA”) when a payer initiates an electronic payment. There are limited exemptions to this SCA requirement; including, low-value payments at the point of sale (to facilitate mobile/contactless payments) and online transactions.

Forthcoming technical standards under PSD2

The European Banking Authority drafted regulatory technical standards (“RTS”) and guidelines in relation to SCA and secure communication requirements. The Commission adopted the RTS on 27 November 2017. The adopted version differs significantly from the draft RTS submitted in February 2017, and to a lesser extent the Commission amended RTS of May 2017.

In addition to the SCA exemptions mentioned above, the adopted RTS also includes:

  • the ‘fall-back option’. The Commission adopted a compromise position where service providers are permitted to access information using the customer interface in cases where the dedicated interface of e.g. a bank is unavailable or performing inadequately. National regulators may exempt banks from providing a fall-back mechanism on the condition that the dedicated interface meets certain criteria. The Commission is in the process of setting up a market group for vetting the different national and pan-EU standardised dedicated interfaces; this will ensure that banks and other PSPs do not face different SCA requirements depending on the Member State in which they operate.


The majority of legal requirements under PSD2 applied from 13 January 2018. The European Parliament and Council’s scrutiny period for the RTS on SCA and secure communication requirements will end on 28 February 2018. If not opposed by the Parliament or Council, the RTS will be published in the Official Journal between February and June 2018. The RTS will become directly applicable 18 months after their publication in the Official Journal.

[1] Certain regulatory technical standards under PSD2 are not yet in force or effect. PSD2 repeals and replaces the original Payment Services Directive 2007/64/EC (“PSD1”).

[2] PSD2 still allows for PSPs to opt-out of certain information and conduct requirements where they are dealing with business customers.

[3] For example, gift cards, fuel cards or shopping centre cards.

[4] This is conditional on consent being given by the customer.

[5] Customer authentication is based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. the use of a fingerprint or voice recognition) to validate the user or the transaction. For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.