Payment Services Directive

The Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366, which replaced the Payment Services Directive (PSD), Directive 2007/64/EC ) is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). The PSD's purpose was to increase pan-European competition and participation in the payments industry also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations of payment providers and users. The key objectives of the PSD2 directive are creating a more integrated European payments market, making payments more secure and protecting consumers.

Overview
The SEPA (Single Euro Payments Area) is a self-regulatory initiative by the European banking sector represented in the European Payments Council, which defines the harmonization of payment products, infrastructures and technical standards (Rulebooks for credit transfer/direct debit, BIC, IBAN, ISO 20022 XML message format, EMV chip cards/terminals). The PSD provides the legal framework within which all payment service providers must operate.

The PSD's purpose in regard to the payments industry was to increase pan-European competition with participation also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users. The PSD's purpose in regard to consumers was to increase customer rights, guarantee faster payments (no later than next day since 1 January 2012), describe refund rights, and give clearer information on payments. Although the PSD was a maximum harmonisation directive, certain elements allowed for different options by individual countries.

The final adopted text of PSD went into force 25 December 2007 and was transposed into national legislation by all EU and EEA member states by 1 November 2009.

Technical overview
The PSD contained two main sections:


 * 1) The "market rules" described which type of organisations could provide payment services. Next to credit institutions (i.e. banks) and certain authorities (e.g. central banks, government bodies), the PSD mentioned electronic money institutions (EMI), created by the E-Money Directive in 2000, and created the new category of "payment institutions" (PI) with its own prudential regime rules. Organisations that are neither credit institutions nor EMIs could apply for an authorisation as a payment institution if they met certain capital and risk management requirements. The application could be made in any EU country where they are established and they could then "passport" their payment services into all other EU member states without additional PI requirements.
 * 2) The "business conduct rules" specified what transparency of information payment service institutions needed to provide, including any charges, exchange rates, transaction references and maximum execution time. It stipulated the rights and obligations for both payment service providers and users, how to authorise and execute transactions, liability in case of unauthorised use of payment instruments, refunds on payments, payment orders, and value dating of payments.

Each country had to designate a "competent authority" for prudential supervision of the PIs and to monitor compliance with business conduct rules, as transposed into national legislation.

Updates
The PSD was updated in 2009 (EC Regulation 924/2009) and 2012 (EU Regulation 260/2012). An implementation report from 2013 found the PSD facilitated "provision of uniform payment services across the EU" and reduced legal and production costs for many payment service providers and that "the expected benefits have not yet been fully realised". The same report found the 2009 update "to be functioning well. For example, charges for €100 transfers followed a further downward trend to €0.50 euro-area average for transfers initiated online and remained low, at €3.10 for transfers initiated at the bank counter".

In October 2021 the EBA launched a public consultation on the amendment of its Regulatory Technical Standards (RTS) on strong customer authentication and secure communication (SCA&CSC) under the Payment Services Directive (PSD2) with regard to 90-day exemption from SCA for account access. In the UK, the FCA published PS 21/19 (“policy statement”) for “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual”. This document proposed a number of modifications including to Article 10 of the UK- RTS, by replacing the requirement for the PSU to re-authenticate with their ASPSP every 90 days to allow AISP access with the requirement for the PSU to reconfirm their consent with their AISP directly.

Remaining issues

 * 1) The PSD only applied to payments within the European Economic Area, but not to transactions to or from third countries.
 * 2) PSD exemptions related to payment activities left users unprotected.
 * 3) The PSD option for merchants to charge a fee or give a rebate, combined with the option for countries to limit this, led to "extreme heterogeneity in the market".
 * 4) So-called "third party payment service providers" emerged, which facilitated online shopping by offering low cost payments on the Internet by using the customers' home online banking application with their agreement, and informing merchants that the money is on its way. Other "account information services" offer consolidated information on different accounts of a payments service user. Harmonisation of refund rules regarding direct debits, a reduction of the scope of the "simplified regime" for so-called "small payment institutions" and addressing security, access to information on payment accounts or data privacy with possible licensing and supervision were proposed.

Revised Directive on Payment Services (PSD2)
On 8 October 2015, the European Parliament adopted the European Commission proposal to create safer and more innovative European payments (PSD2, Directive (EU) 2015/2366). The current rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.

Then-Commissioner Jonathan Hill, responsible for Financial Stability, Financial Services and Capital Markets Union, said, "This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow."

On 16 November 2015, the Council of the European Union passed PSD2. Member states then had two years to incorporate the directive into their national laws and regulations. On 27 November 2017, Commission delegated Regulation (EU) 2018/389 supplemented PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.

The EU and many banks pushed this development with the new Payments Service Directive 2 (PSD2), which came into force on 13 January 2018. Banks then adapted to these changes which opened many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.

An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.

Another important element of the directive is the demand for common and secure communication (CSC). eIDAS-defined qualified certificates for are demanded for website authentication and electronic seals used for communication between financial services players. The technical specification ETSI TS 119 495 defines a standard for implementing these requirements.

PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the strong customer authentication (SCA) until 31 December 2020.

Key dates

 * March 2000: Lisbon Agenda to make Europe "the world's most competitive and dynamic knowledge-driven economy" by 2010
 * December 2001: regulation EC 2560/2001 on cross-border payments in Euro
 * 2002: European Payments Council created by the banking industry, driving the Single Euro Payments Area initiative to harmonise the main non-cash payment instruments across the Euro area (by end 2010)
 * 2001–2004: consultation period and preparation of PSD
 * December 2005: proposal for PSD by DG Internal Market Commissioner McCreevy
 * 25 December 2007: PSD entered into force
 * 1 November 2009: deadline for transposition in national legislation
 * 2009 update: eliminated differences in charges for cross-border and national payments in euro (EC Regulation 924/2009)
 * 2012 update: Regulation on cross-border payments, "multilateral interchange fees" (EU Regulation 260/2012)
 * July 2013: report on implementation of PSD and its two updates
 * 16 November 2015: The Council of the European Union passes PSD2, giving member states two years to incorporate the directive into their national laws and regulations.
 * 13 January 2018: Directive 2007/64/EC is repealed and replaced by Directive (EU) 2015/2366
 * 14 March 2019: All Financial Institutions offering an API solution must have it available for external testing by PISPs and AISPs.
 * 14 September 2019: The final deadline for all companies within the EU to comply with PSD2's Regulatory Technical Standard (RTS) pertaining to directive (EU) 2015/2366 (PSD2)
 * 31 December 2020: Extended deadline for all companies within the EU to implement PSD2's Strong Customer Authentication (SCA)
 * 29 November 2021: FCA publishes changes to 90-day reauthentication rules in the UK

Privacy concerns
Privacy First, a privacy organisation, criticised the open banking elements of the new legislation, claiming it focuses too much on improving competition and innovation while the privacy interests of account holders are overlooked.