Payment services directive

• LINK_POOL:
  • INTERNAL LINKS:
    • payment processing
    • financial regulation
    • consumer protection
    • data security
    • electronic payments
    • open banking
    • API
    • fintech
    • third-party providers
    • payment initiation services
    • account information services
    • fraud prevention
    • identity verification
    • transaction monitoring
    • digital payments
  • EXTERNAL LINKS:
    • European Commission - Payment Services Directive (PSD2)
    • Central Bank of Ireland - PSD2
    • Citizens Information - Payment Services Directive
    • Legislation.gov.uk - Directive (EU) 2015/2366

What Is Payment Services Directive?

The Payment Services Directive (PSD) is a comprehensive legislative framework within the European Union (EU) and European Economic Area (EEA) that regulates payment processing and payment service providers. Falling under the broader category of financial regulation, the Payment Services Directive aims to enhance consumer protection, foster competition, and promote innovation in the European payments market. It sets out rules for various electronic payments, including credit transfers, direct debits, and card payments, and addresses the evolving landscape of digital payments⁴⁷, ⁴⁸.

History and Origin

The journey of the Payment Services Directive began in 2007 with the adoption of the first Payment Services Directive (PSD1). This initial directive laid the groundwork for a single EU market for payments, striving to make cross-border transactions within the EU as straightforward, efficient, and secure as national payments⁴⁵, ⁴⁶. PSD1 fostered the Single Euro Payments Area (SEPA), which harmonized payment products, infrastructures, and technical standards for euro transactions across the EEA and Switzerland⁴⁴.

Recognizing the rapid advancements in payment technology and the emergence of new service providers, the European Commission proposed a review of PSD1 in 2013⁴², ⁴³. This led to the adoption of the revised Payment Services Directive, known as PSD2 (Directive (EU) 2015/2366), in 2015⁴¹. PSD2, which repealed and replaced PSD1 in January 2018, broadened the scope of its predecessor to include new services like payment initiation services and account information services, bringing them under a regulated framework³⁸, ³⁹, ⁴⁰. The primary objectives of PSD2 were to further integrate the European payments market, improve security measures, and strengthen consumer protection³⁶, ³⁷. For more detailed information on the official text, refer to the European Commission's website.

Key Takeaways

• The Payment Services Directive (PSD) is an EU legislative framework designed to regulate payment services and payment service providers.
• Its primary goals are to enhance consumer protection, increase competition, and drive innovation within the European payments market.
• PSD2 (the second iteration of the directive) introduced key measures like Strong Customer Authentication (SCA) and facilitated open banking.
• The directive governs various electronic payments and covers both traditional banks and new fintech entrants.
• Consumers benefit from improved security, clearer rights, and a cap on liability for unauthorized transactions.

Interpreting the Payment Services Directive

The Payment Services Directive, particularly PSD2, is interpreted as a foundational element for a more secure and innovative digital economy in Europe. It mandates banks to open up their systems to approved third-party providers (TPPs) through secure interfaces, often utilizing API technology, provided the customer grants consent³⁴, ³⁵. This provision underpins the concept of open banking, allowing new financial services to emerge that leverage customer financial data, with appropriate safeguards³³.

A key aspect of interpreting the Payment Services Directive is understanding the concept of Strong Customer Authentication (SCA). SCA requires multi-factor authentication for most electronic payments and access to payment accounts, enhancing data security and fraud prevention³¹, ³². This means that customers must authenticate their identity using at least two independent elements from categories such as knowledge (something only the user knows, like a password), possession (something only the user has, like a mobile phone or card), or inherence (something the user is, like a fingerprint)²⁹, ³⁰.

Hypothetical Example

Consider Sarah, a consumer in Germany, who uses an online budgeting app that offers consolidated views of her bank accounts from different financial institutions. Before PSD2, this might have involved Sarah manually providing her banking credentials to the app, which then "scraped" the data.

Under PSD2, this process is formalized and secured. When Sarah links her bank accounts to the budgeting app, the app (acting as an account information service provider, or AISP) must be authorized and regulated. When Sarah initiates the linking process, her bank, compliant with PSD2, will prompt her for Strong Customer Authentication (SCA). This might involve her entering her banking password and then approving the connection via a fingerprint scan on her mobile banking app. The app then accesses her account information securely through an API provided by her bank, rather than direct credential sharing. This example illustrates how the Payment Services Directive facilitates secure data sharing and new financial services through regulated third-party access and robust identity verification.

Practical Applications

The Payment Services Directive has numerous practical applications across the European financial landscape:

• Enhanced Payment Security: The directive mandates Strong Customer Authentication (SCA) for most online transactions, significantly reducing fraud risk in electronic payments²⁷, ²⁸. This is a critical component of fraud prevention in the digital age.
• Facilitating Open Banking: PSD2 has been instrumental in the development of open banking in Europe, compelling banks to securely share customer data with authorized third-party providers (TPPs) with explicit customer consent²⁵, ²⁶. This has spurred innovation in financial services.
• New Payment Services: It has enabled the rise of Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), which offer innovative ways for consumers to manage their finances and make payments²³, ²⁴.
• Consumer Rights: The directive has strengthened consumer protection by limiting liability for unauthorized transactions (generally to €50) and banning surcharging for debit and credit card payments in most cases. ²¹, ²²Consumers also have enhanced refund rights for direct debits. ²⁰For more details on consumer rights, the Central Bank of Ireland provides a useful overview.
• Increased Competition: By leveling the playing field for new market entrants, PSD2 has stimulated competition among payment service providers, leading to more choice and potentially better pricing for consumers. ¹⁸, ¹⁹The Citizens Information website further outlines the practical protections for consumers.

Limitations and Criticisms

Despite its significant contributions, the Payment Services Directive has faced certain limitations and criticisms since its implementation. One prominent challenge has been the inconsistent adoption and enforcement of PSD2 across different EU member states, leading to variations in the practical application of the directive. ¹⁷This can create complexities for fintech companies and third-party providers seeking to operate across borders.

Banks have also encountered significant hurdles in fully implementing Strong Customer Authentication (SCA), requiring substantial investment in new technologies and processes to integrate SCA with existing payment processing systems. ¹⁶Some critics argue that the frequent re-authentication requirements for account information services (AIS) can negatively impact user experience, creating friction for consumers.
¹⁵
Furthermore, some concerns have been raised regarding the handling of transaction monitoring and chargeback processes under the new regulations, with arguments that the directive's focus on fraud prevention may not fully address all types of payment disputes. ¹⁴There have also been criticisms from privacy organizations suggesting that while the directive promotes competition and innovation, it may not adequately prioritize the privacy interests of account holders in the context of open banking.

Payment Services Directive vs. E-money Directive

While both the Payment Services Directive (PSD) and the E-money Directive (EMD) relate to financial services in the EU, they govern distinct aspects of the market. The Payment Services Directive focuses broadly on regulating payment services and payment service providers (PSPs), encompassing activities like credit transfers, direct debits, and card payments, and introducing concepts like open banking and Strong Customer Authentication. ¹², ¹³Its aim is to create a harmonized and secure market for electronic payments, facilitating competition and strengthening consumer protection.
¹¹
In contrast, the E-money Directive specifically regulates the issuance and redemption of electronic money (e-money). E-money is defined as electronically stored monetary value as represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions, and which is accepted by a person other than the electronic money issuer. While electronic money institutions (EMIs) are a type of payment service provider under the broader umbrella of the PSD framework, the EMD sets out the specific prudential and operational requirements for these entities. ¹⁰The PSD primarily regulates the services, while the EMD focuses on the nature of the financial instrument itself and the institutions that issue it.

FAQs

What is the primary goal of the Payment Services Directive?

The primary goal of the Payment Services Directive is to create a more integrated, efficient, and secure European payments market. This involves enhancing consumer protection, promoting competition among payment service providers, and fostering innovation in electronic payments.
⁸, ⁹

What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication (SCA) is a security requirement introduced by PSD2 that mandates multi-factor authentication for most online payment transactions and when accessing payment accounts. It requires users to verify their identity using at least two independent elements from distinct categories: knowledge (e.g., a password), possession (e.g., a mobile device), and inherence (e.g., a fingerprint). ⁶, ⁷This measure aims to bolster data security and reduce fraud.

How does the Payment Services Directive affect consumers?

The Payment Services Directive significantly impacts consumers by providing enhanced rights and protections. Key benefits include increased fraud prevention through SCA, limited liability for unauthorized transactions (typically capped at €50), the prohibition of surcharging on most card payments, and extended refund rights for direct debits. It also promotes greater transparency regarding fees and execution times for payment services.

#⁴, ⁵## Does the Payment Services Directive apply outside the EU?

The Payment Services Directive is an EU directive and primarily applies within the European Union and European Economic Area. However, its influence can extend beyond these borders as global companies engaging in payment services with EU/EEA customers may need to comply with its requirements, particularly concerning cross-border transactions where one leg of the transaction occurs within the EU.

#³## What is the future of the Payment Services Directive?

The European Commission periodically reviews the Payment Services Directive to ensure its continued relevance and effectiveness in a rapidly evolving digital landscape. Discussions are ongoing regarding potential further revisions or new legislative proposals to address emerging challenges and opportunities, aiming to build on the successes of PSD2 and potentially move towards broader open finance initiatives.¹, ²