[ FRAMEWORK · EUROPEAN UNION / UNITED KINGDOM ]
PSD2, tracked end to end.
The Second Payment Services Directive (PSD2) is the foundational EU/UK framework for electronic payments. It introduced payment initiation and account information services, mandated strong customer authentication (SCA), opened bank data via APIs, and prescribed incident reporting and security obligations.
[ LEGISLATION ]
PSD2 at a glance.
- Full name
- Second Payment Services Directive
- Jurisdiction
- European Union / United Kingdom
- Legal basis
- Directive (EU) 2015/2366
- In force
- 13 January 2018
[ WHO IT COVERS ]
Who has to comply with PSD2.
- •Banks and other account-servicing payment service providers
- •Payment institutions (PIs) and small payment institutions (SPIs)
- •Electronic-money institutions (EMIs) providing payment services
- •Account information service providers (AISPs) and payment initiation service providers (PISPs)
- •Merchants that process card-not-present transactions subject to SCA
[ KEY REQUIREMENTS ]
What PSD2 requires.
- 01Authorisation or registration as a payment institution proportionate to service scope
- 02Strong Customer Authentication for remote electronic payments, unless an exemption applies
- 03Secure open-banking APIs for AISP and PISP access under Commission Delegated Regulation 2018/389
- 04Incident reporting to the competent authority within stringent timeframes
- 05Safeguarding of customer funds under segregation or insurance arrangements
- 06Complaint handling, disclosure and consumer-protection rules under Titles III and IV
[ TRY IT ]
See every PSD2 obligation in your workspace.
14-day trial across up to 8 jurisdictions. PSD2 Level 2 standards, guidance, and enforcement — all tracked.
[ WHAT XHS™ MONITORS ]
PSD2 surface area, in one workspace.
- •EBA Guidelines on SCA, on incident reporting, on outsourcing, on fraud reporting
- •Commission Delegated Regulations under PSD2
- •National competent authority guidance and enforcement decisions
- •PSD3/PSR legislative process and its practical impact on PSD2 obligations
- •Cross-references with the e-IDAS framework and DORA ICT standards
- •Open Banking UK Standards maintained by OBIE / OBL
[ TIMELINE ]
PSD2 milestones.
- ›25 November 2015 — PSD2 published in the Official Journal
- ›13 January 2018 — PSD2 applicable in member states
- ›14 September 2019 — SCA and the Regulatory Technical Standards on SCA + CSC applied
- ›31 December 2020 — UK onshored PSD2 ahead of Brexit transition
- ›PSD3 / PSR expected — proposals published 28 June 2023
[ QUESTIONS ]
PSD2, answered.
How does XHS™ Copilot help with PSD2 compliance?
XHS™ Copilot tracks every EBA Guideline, Commission Delegated Regulation, and NCA decision under PSD2 — SCA, incident reporting, outsourcing, fraud reporting, API access — and delivers plain-English impact notes keyed to your payment-institution type.
What is Strong Customer Authentication (SCA)?
SCA is an authentication based on two or more of: knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). Under PSD2 and the SCA RTS, it is mandatory for most remote electronic payments initiated by the payer, with narrow exemptions for low-value, low-risk and recurring transactions.
Is PSD2 still in force?
Yes. PSD2 remains the applicable regime in both the EU and the UK. The European Commission has proposed PSD3 + the Payment Services Regulation (PSR) to replace PSD2, published on 28 June 2023 and currently progressing through the EU legislative process.
What is the difference between AISPs and PISPs?
Account Information Service Providers (AISPs) are authorised to access account information via APIs, typically to aggregate accounts, provide budgeting or credit-assessment services. Payment Initiation Service Providers (PISPs) initiate payments on behalf of the payer directly from the payer's bank account.
Does PSD2 apply in the UK post-Brexit?
Yes. PSD2 was onshored into UK law via the Payment Services Regulations 2017 (as amended). The FCA supervises compliance. Many EBA PSD2 Guidelines have also been adopted — with modifications — by the UK's conduct and prudential authorities.
See every PSD2 change in your workspace.
14-day free trial. Up to 8 jurisdictions. Cancel any time. No credit card.