The Revised Payment Services Directive (PSD2), formally Directive (EU) 2015/2366, is the European Union's framework for regulating payment services across the internal market. Adopted on 25 November 2015, it replaced the original 2007 Payment Services Directive. Member States had to transpose and apply it from 13 January 2018. Its two headline reforms are open banking — giving licensed third parties access to bank accounts with the customer's consent — and strong customer authentication (SCA) to reduce fraud in electronic payments.

PSD2 is a directive, so its rules took effect through national implementing laws rather than directly. Detailed technical requirements for SCA and secure communication were set out in a separate, directly applicable EU regulation (the RTS, Commission Delegated Regulation (EU) 2018/389), which applied from 14 September 2019. The European Banking Authority (EBA) develops the technical standards and guidelines that operationalise the directive. PSD2 is now under review: in June 2023 the Commission proposed a successor package (PSD3 and the Payment Services Regulation).

Who and what does PSD2 cover?

PSD2 governs payment services provided in the EU and the firms that offer them. Regulated providers include:

  • Banks (credit institutions) offering payment accounts and services.
  • Payment institutions and electronic money institutions, licensed and supervised under the directive.
  • Third-party providers (TPPs) — a new regulated category, comprising:
    • Payment initiation service providers (PISPs), which initiate a payment from a user's online bank account at the user's request.
    • Account information service providers (AISPs), which aggregate online account information across one or more accounts.

The firm that holds the customer's account (typically a bank) is the account servicing payment service provider (ASPSP). PSD2 generally applies to electronic payment services; certain instruments and transactions are excluded or partly exempt under the directive's scope provisions.

What is strong customer authentication (SCA)?

SCA requires that electronic payments and account access be authenticated using at least two of three independent elements:

  • Knowledge — something only the user knows (e.g. a password or PIN).
  • Possession — something only the user has (e.g. a phone or hardware token).
  • Inherence — something the user is (e.g. a fingerprint or face).

The elements must be independent, so that breaching one does not compromise the others. For remote electronic transactions, SCA must also include dynamic linking — an authentication code tied to the specific amount and payee. SCA requirements applied from 14 September 2019. Specific exemptions exist (for example, certain low-value or low-risk transactions), defined in the RTS.

What did PSD2 change for open banking?

PSD2 created a legal right of access to accounts for licensed third-party providers, with the account holder's explicit consent:

  • A customer can authorise a PISP to initiate a payment directly from their bank account, or an AISP to retrieve account information.
  • Banks (ASPSPs) must enable this access on a non-discriminatory basis and cannot require a contract with the TPP.
  • TPPs must be authorised or registered and supervised, and must hold appropriate professional indemnity insurance.

This framework underpins much of European "open banking," enabling competition from regulated non-bank providers in payment initiation and account-information services.

What is the RTS on SCA and secure communication?

The detailed technical rules sit in the Regulatory Technical Standards (RTS), adopted as Commission Delegated Regulation (EU) 2018/389, developed by the EBA under a PSD2 mandate.

  • Adopted 27 November 2017; published in the Official Journal on 13 March 2018; applied from 14 September 2019.
  • Specifies the requirements for strong customer authentication, including dynamic linking and the independence of authentication elements.
  • Sets out the exemptions from SCA.
  • Defines common and secure standards of communication (CSC) between banks and third-party providers, including the use of secure interfaces (such as dedicated APIs).

Because it is a regulation, the RTS is directly applicable across all Member States without national transposition.

Who is liable for unauthorised transactions?

PSD2 sets harmonised liability rules for unauthorised payment transactions:

  • The payer's payment service provider must refund the amount of an unauthorised transaction, in principle by the end of the following business day after being notified (Article 73).
  • The payer may bear losses up to a maximum of €50 for transactions resulting from a lost, stolen or misappropriated payment instrument, subject to conditions (Article 74).
  • That €50 cap does not apply where the loss was not detectable by the payer or was caused by the provider; and there is no cap where the payer acted fraudulently or with gross negligence.
  • Where the provider does not require SCA, the payer generally bears no loss unless they acted fraudulently.

What are PSD3 and the Payment Services Regulation (PSR)?

On 28 June 2023, the European Commission proposed a package to revise and replace PSD2:

  • A third Payment Services Directive (PSD3), focused on the authorisation, licensing and supervision of payment and e-money institutions (and merging the e-money regime into the payments framework).
  • A directly applicable Payment Services Regulation (PSR), covering conduct-of-business rules such as SCA, transparency of fees, and open banking.

Stated objectives include strengthening fraud prevention (including measures on impersonation fraud and reimbursement), improving open-banking data access, and enhancing consumer protection. The proposals are part of the EU legislative process; firms should follow the official legislative timeline for adoption and application dates.

Frequently asked questions

When did PSD2 take effect?

PSD2 applied from 13 January 2018, the transposition deadline for Member States. The separate strong customer authentication and secure communication requirements (the RTS, Regulation (EU) 2018/389) applied later, from 14 September 2019.

Is PSD2 a directive or a regulation?

PSD2 is a directive (Directive (EU) 2015/2366), meaning it took effect through national implementing laws in each Member State. The accompanying technical standards on SCA and secure communication are a regulation (2018/389), which is directly applicable across the EU.

What is the difference between an AISP and a PISP?

An AISP (account information service provider) aggregates and presents online account information from one or more accounts. A PISP (payment initiation service provider) initiates a payment directly from the user's bank account at the user's request. Both are regulated third-party providers requiring the customer's consent.

When is strong customer authentication required?

SCA is generally required when a payer accesses a payment account online, initiates an electronic payment, or carries out an action through a remote channel that may imply fraud risk. It uses at least two of three independent factors, and remote payments require dynamic linking. Defined exemptions apply under the RTS.

How much can a customer lose from an unauthorised payment?

Under Article 74, a payer may bear up to €50 of losses from a lost, stolen or misappropriated instrument, subject to conditions. There is no cap if the payer acted fraudulently or with gross negligence. If the provider did not apply SCA, the payer generally bears no loss unless they acted fraudulently.

Will PSD2 be replaced by PSD3?

The European Commission proposed a successor package on 28 June 2023, comprising a third Payment Services Directive (PSD3) and a directly applicable Payment Services Regulation (PSR). These are proposals under the EU legislative process; consult the official EU legislative timeline for current status and application dates.

Official sources