PSD2 (Payment Services Directive)
What is PSD2?
PSD2, or the Second Payment Services Directive, is the European Union legal framework governing payment services in the internal market. It is based primarily on Directive (EU) 2015/2366 on payment services in the internal market and is supplemented by delegated and regulatory technical standards, including Commission Delegated Regulation (EU) 2018/389 on strong customer authentication and common and secure communication. In practice, PSD2 sets rules for payment institutions, banks, electronic money institutions, third-party payment providers and, in some cases, merchants using payment interfaces.
The directive was introduced to increase competition in the payments sector, improve consumer protection, support innovation and strengthen the security of electronic payments. One of its key effects was opening access to payment account data – subject to the customer’s consent – to licensed third-party providers. This created the legal basis for services such as account information services and payment initiation services, often referred to as open banking.
PSD2 is relevant not only to regulated financial institutions. It also affects fintech companies, online platforms, e-commerce businesses, software providers and merchants integrating payment services into their operations. In legal and compliance terms, PSD2 determines who may provide specific payment services, on what licensing basis, under what security requirements and with what contractual and information duties toward users.
What does PSD2 regulate in practice?
PSD2 regulates several core areas of the payment services market. First, it defines categories of payment services and the entities authorised to provide them. Depending on the business model, an entity may require authorisation as a payment institution, registration as an account information service provider, reliance on an exemption, or cooperation with a licensed partner. Determining the correct regulatory status is often one of the first legal issues in a payment project.
Second, PSD2 sets out rules for access to payment accounts. A payment service user may allow a third-party provider to access account information or initiate a payment from the user’s account held with another provider. This access must take place through secure communication mechanisms and under a regulatory framework designed to prevent misuse, data leakage and unauthorised transactions.
Third, PSD2 introduced strong customer authentication, commonly referred to as SCA. Under Article 97 of Directive (EU) 2015/2366, payment service providers must apply strong customer authentication in specified situations, including when a payer accesses a payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Detailed requirements were later specified in Delegated Regulation (EU) 2018/389. In simplified terms, SCA requires authentication based on at least two independent elements from the categories of knowledge, possession and inherence, subject to limited exemptions.
Fourth, PSD2 regulates liability for unauthorised transactions, transparency of fees and exchange rates, complaint handling, refund rights for certain transactions and information obligations before and after payment services are provided. These rules are particularly important in disputes between users and providers concerning fraud, execution errors, delayed transfers or allegedly unauthorised payments.
When is PSD2 important?
PSD2 becomes important whenever a business model involves handling payments, accessing bank account data, embedding payment functionality in digital products or outsourcing regulated payment activities. For example, a fintech startup offering a dashboard that aggregates bank account information from multiple banks may fall within the account information services regime. A platform enabling users to make direct bank transfers through its interface may need to assess whether it is providing payment initiation services or another regulated activity.
For banks and other account servicing payment service providers, PSD2 is important because it imposes technical, operational and contractual obligations relating to access interfaces, authentication, fraud controls and communication with third-party providers. For merchants and online service providers, PSD2 is relevant because the application of SCA can directly affect checkout design, conversion rates, recurring payment flows and dispute handling.
For consumers and businesses using payment services, PSD2 matters because it shapes their rights and protections. It can determine whether a payment provider acted lawfully, whether customer authentication was properly applied, whether a refund should be available and whether a third party had a valid legal basis to access account data.
Early legal review of a payment model may help avoid licensing mistakes, compliance failures, contractual disputes, supervisory intervention or financial loss. This is particularly important where a business assumes that technology, outsourcing or partnership structures automatically remove regulatory risk. In many cases, the legal classification of a service depends on its actual function rather than its commercial label.
Support from a law firm in matters related to PSD2 may include in particular:
- assessment of whether a planned service falls within the scope of PSD2,
- analysis of licensing, registration and exemption requirements,
- legal support for open banking, account information and payment initiation models,
- review of SCA implementation and compliance with Delegated Regulation (EU) 2018/389,
- drafting and reviewing contracts, terms and internal policies for payment services,
- advice on liability for unauthorised transactions and user claims,
- support in dealings with regulators and in cross-border payment projects,
- compliance analysis for fintech, e-commerce and embedded finance solutions.