Embracing PSD2 for open banking innovation

In 2012, the European Market Infrastructure Regulation (EMIR) fundamentally changed derivatives reporting for financial and non-financial counterparties. EMIR regulation shifted again in 2024 with EMIR Refit updates introducing new mandatory requirements. So how can derivatives market participants navigate EMIR reporting and build the correct EU market infrastructure to ensure ongoing compliance?

Article
10 December 2025 5 mins read
By Jennie Clarke

Across the EU, over 94% of licensed banks are now PSD2-compliant. Alongside strengthening consumer protection and reducing fraud, the directive standardized the fragmented digital banking systems across member states, producing a more level playing field for all market participants.

Read on to learn more about PSD2 mandates, common barriers in this EU payment services regulation and how to overcome them as we approach the rollout of PSD3.

Essential PSD2 mandates for payment providers

Essential PSD2 directive mandates include:

  • SCA
  • API standards
  • Consent management

The legislation is governed by Regulatory Technical Standards (RTS), which define the precise rules.

| Mandate | Details | Compliance |
| --- | --- | --- |
| Strong Customer Authentication | Require multi-factor authentication for electronic payment transactions, and when a customer accesses their account online | Require the customer to log in with two of the following three factors: Knowledge (i.e. password or PIN); Possession (i.e. a code to mobile device); Biometrics (i.e. a face or fingerprint scan) |
| API standards | Firms are required to provide an online communication interface to enable third parties to access customer data or initiate payments. | Replace screen scraping with dedicated, secure and resilient API |
| Consent management | Firms must gain explicit and granular consent from customers before they access accounts or initiate a payment | Authorized third parties are registered with the national authority and use electronic identification, authentication and trust certificates to verify consent |

Exemptions

It’s important to note that there are some exemptions to these rules. For example, PSD2 SCA requirements are not in place for subsequent, fixed-amount payments to the same beneficiary after the initial transaction is approved.

Similarly, payments under €30 are generally exempt from these rules, provided wider spending limits haven’t been reached.

Challenges in PSD2 adoption and how to mitigate them

While PSD2 laid the groundwork for Open Banking compliance, its real-world adoption hasn’t been smooth sailing, with issues involving:

  1. API integration
  2. Fraud risks

API integration

One of the most significant challenges has been account servicing payment service providers struggling to integrate modern technology with legacy systems. Without solid open API standards, the industry suffered from:

  • Fragmentation: without a single, unified governance standard, third-party payment providers were forced to build their own costly and complex integration for every bank’s unique API
  • Data conflicts: incompatible systems contribute to poor data availability, limiting performance and services
  • Operational efficiency issues: slow processing times and costly tech created a strain on resources

Solving these issues requires extensive API testing, from both functional and security perspectives. PSD2 required member states to transpose the rules into their national laws, but this exacerbated the challenge. Inconsistent application of API standards and widespread inconsistencies in exemptions are two of the most common issues.

Testing the entire customer flow, from TPP initiation to bank authentication and transaction execution, is the best bet in solving this problem.

Fraud risks

SCA successfully reduced traditional card-not-present fraud by 12% between 2018 and 2023, but criminals have also adapted. This has led to other types of fraud increasing, such as:

  • Authorised push payment (APP) fraud: social engineering tactics have been used to coerce the customer into approving an outgoing payment
  • Account takeover: a customer inadvertently gives their credentials, or grants account access, to a fraudster

Open Banking has brought the benefits of real-time transactions, but that also makes it harder to reverse transfers after they have been made. Advanced transaction risk analysis tools can help to identify anomalous activity in real time, and automated account locking tools can work against the clock to protect accounts, even if fraudsters get through.

Tech enablement for PSD2 success

PSD2 requires technology to be an enabler beyond just a compliance tool. And while the central hurdles focus on legacy incompatibility, firms can use tech to their advantage.

For example, replacing a batch-processed interface with a secure API will unlock the ability to exchange high volumes of data in real time. For PIS and AIS, this is an essential cloud security requirement.

Similarly, replacing tightly coupled core banking systems with API gateways will enable rapid iteration and maintenance without touching the core technology. While banks used to take 2-3 cycles for this type of update work, it can now happen on the fly.

Finally, traditional data access techniques require complex and time-consuming queries and data extraction processes. But using dedicated modules for user consent allows for simpler data transfer in standardized formats, meaning that it’s immediately ready for use.

The PSD2 directive is the driving force behind inclusive finance

Ultimately, PSD2 mandates the sharing of financial data and lowers the barrier to entry to new market participants. Democratizing the financial industry has been positive for competition and user trust, but firms must continue to consider how they keep their confidential and personally identifiable data secure.

Global Relay’s secure messaging and archiving solution is built to integrate with PSD2 data flows, capturing information across over 100 data types. For complete control over your data lifecycle, and both recordkeeping and audit capabilities, it’s a single-source solution for compliance. For tailored Open Banking compliance support, learn more.
