PSD2: What It Is And Why It Matters


PSD2 has already had a significant impact on the payments industry, but how does it affect the way firms implement AML compliance?

The Payment Services Directive 2 (PSD2) was adopted by the European Commission in 2015, replacing the original Payment Services Directive of 2007. Like its predecessor, PSD2 affects the regulation of payment services in the EU and EEA; it is intended to increase competition in the industry by allowing non-banks to participate, and to harmonize compliance standards for payment providers.

While it has been hailed as a revolution for the industry, PSD2 has also brought new compliance challenges, including AML/CFT concerns. With that in mind, it’s important that financial institutions understand how the directive works and how to comply with PSD2 regulations.

What is PSD2?

PSD2 came into legal effect on 13 January 2018, expanding the scope of the original directive in a number of ways. Most notably, PSD2’s legislative reach was extended to online payments; it enhanced protections for online consumers and opened up the possibility of greater participation by online merchants in the payment services industry.

In more detail, PSD2 builds on previous legislation and impacts three areas of the payment services industry:

  • Consumer rights: PSD2 expands customer rights, introducing a greater degree of transparency in payments, and new rules for surcharges, currency conversion, and the way complaints are handled.
  • Security: PSD2 introduced the Strong Customer Authentication (SCA) requirements, which include a two-factor authentication requirement amongst other security measures.
  • Third-party access: In one of its most significant legislative effects, PSD2 enables third-party access to account information held by banks.

Online Impact: The enabling of third-party access to account information effectively breaks a monopoly previously held by banks and opens the payment industry up to online merchants, like Amazon and Google, who may expand their own payment services. 

With customer authorization, these third-party companies may now retrieve account data from banks directly when they need to process a payment, without having to go through an intermediary service provider. That new access to customer bank accounts is managed by open APIs (developed and released by the banks themselves), which effectively enable third parties to build a new market of financial services products on top of the existing infrastructure that banks have in place.

How To Comply With PSD2

The enabling of third-party access is also known as Open Banking and is obviously closely connected to the security and compliance regulations that PSD2 introduced. The need to deal with money laundering and the financing of terrorism should be a priority concern for any legislation which expands participation in the payment services industry, and this is reflected in the enhanced regulatory requirements necessary for PSD2 compliance. 

Strong Customer Authentication: SCA is the primary PSD2 AML and CFT mechanism, and essentially introduces a much stronger process of customer identification, known as ‘two-factor identification’, for almost all electronic payments. Under the two-factor verification process, electronic payments must be verified by at least two of the following three factors:

  • Knowledge: Customers can provide some token of knowledge, which could be a PIN or a password.
  • Possession: Customers may identify themselves with a physical payment object, which could be a payment card or a mobile phone (in the context of mobile wallet payments).
  • Biometric: Customers can verify their payment with biometric data which might manifest as a fingerprint or voice ID. 

Risk-Based: Merchants can apply a risk-based approach to PSD2 compliance. While certain lower risk transactions may be exempted from the two-factor verification process, higher risk transactions must be verified. Exemptions from the two-factor verification process are:

  • Single contactless face-to-face payments under €50, up to a cumulative value of €150, or up to five separate transactions.
  • Single online transactions less than €30, up to a cumulative value of €100, or five separate transactions.
  • Corporate payments made as ‘secure virtual payments’ via virtual cards or B2B cards and initiated by the business rather than an individual consumer.
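To make the exemption thresholds above concrete, here is an added example (not code from the article or from any payment provider) of a decision routine that applies them. It assumes that running totals are kept per card and per channel, that an exempted payment adds to those totals, and that a payment which triggers SCA resets them once the challenge succeeds.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    CONTACTLESS = "contactless"  # single contactless face-to-face payment
    REMOTE = "remote"            # single online (remote electronic) payment


# (single-payment limit, cumulative limit, number of exempt payments) per channel,
# using the figures quoted in the article. Amounts are in euros.
LIMITS = {
    Channel.CONTACTLESS: (50.00, 150.00, 5),
    Channel.REMOTE: (30.00, 100.00, 5),
}


@dataclass
class Counters:
    """Running totals for one card on one channel since SCA was last applied."""
    cumulative: float = 0.0
    count: int = 0


@dataclass
class ScaDecisionEngine:
    # Assumption: state is keyed by (card_id, channel); a real PSP would persist this.
    counters: dict = field(default_factory=dict)

    def requires_sca(self, card_id: str, channel: Channel, amount: float,
                     corporate_virtual: bool = False) -> bool:
        """True if the payment must be challenged with two-factor SCA, False if
        one of the article's exemptions applies. Exempted payments add to the
        running counters; a challenged payment resets them (assumption: the
        challenge succeeds, so SCA has actually been performed)."""
        if corporate_virtual:
            # Business-initiated secure virtual payment: exempt, counters untouched.
            return False
        single_limit, cumulative_limit, count_limit = LIMITS[channel]
        c = self.counters.setdefault((card_id, channel), Counters())
        exempt = (
            amount < single_limit                        # "under €50" / "less than €30"
            and c.cumulative + amount <= cumulative_limit  # "up to a cumulative value of"
            and c.count < count_limit                    # "up to five separate transactions"
        )
        if exempt:
            c.cumulative += amount
            c.count += 1
            return False
        # Any breached limit forces SCA; a successful SCA opens a fresh window.
        c.cumulative, c.count = 0.0, 0
        return True
```

Note that breaching any one of the three limits (single amount, cumulative amount, or count) is enough to force SCA, so the counters must be checked together rather than individually.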

PISPs and AISPs: Third-party service providers enabled by PSD2 to interact with banks (via APIs) are known as Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). PISPs ‘push’ payments from customer bank accounts to merchants, while AISPs aggregate personal financial data (which may come from multiple accounts). It is important to remember that these new categories of service provider will also be subject to risk-based AML compliance requirements, ranging from two-factor SCA customer identification to sanctions checks.

Ongoing Implementation

PSD2 compliance should be a priority for all payment industry players, but aspects of the directive are still being legislated by the EU and will not be implemented until late 2019. Staying ahead of PSD2 regulation and ensuring ongoing compliance requires institutional flexibility and a proactive approach to integrating technology within a compliance solution.
