Authorized Payment Institution (PSD2) Guide
An authorized payment institution is a finance business registered within the terms of the European Banking Authority directive PSD2.
Within the European Single Market, made up of the European Union (EU) and the European Economic Area (EEA) countries, the European Banking Authority (EBA) established a central register that contains information about payment and electronic money institutions authorised or registered to conduct business as financial service providers. The register is established based on the requirement of Article 15(1) of Directive (EU) 2015/2366 on payment services in the internal market – also known as PSD2.
The EU Payment Services Directive 2 (PSD2) aims, inter alia, to enhance the transparency of the operation of payment institutions that are authorised by, or registered with, competent authorities (CAs) of the member states, and ensure a high level of consumer protection in the EU, by providing for easy public access to the list of all natural and legal persons providing payment services.
Article 15(1) of the PSD2 payment services regulations requires the central payment services regulator (the European Banking Authority – EBA) to develop, operate and maintain an electronic central register that contains information as notified by competent authorities in accordance with paragraph 2 of Article 15. The paragraph further specifies that the EBA must make the register publicly available on its website, and allow for easy access to and easy search for the information listed, free of charge.
The European Union (EU) established the Second Payment Services Directive (PSD2) as a rule to promote competition and innovation in the banking industry by mandating banks to grant third-party providers access to account information and payment initiation services via APIs.
Regulation: The PSD2 is a regulation that all EU member states must abide by as of January 13, 2018. It aspires to create a level playing field for all payment service providers, including fintech companies, to make payments in the EU safer, more effective, and more innovative by:
- mandating banks to grant API access to third parties so they can access client account information and payment initiation services
- requiring two-factor authentication from all payment service providers for all transactions
- establishing a legal framework for the registration and control of third-party service providers, sometimes referred to as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
Countries: The PSD2 must be implemented by all EU member states. The regulation hasn’t, however, been applied uniformly across the EU. While other nations have fallen behind, some have been more proactive in their adoption. Ensuring that open banking service providers abide by the rules established by the European Banking Authority (EBA) and the PSD2 is the responsibility of the national competent authorities (NCAs).
Update on 12.1.2023
Although the PSD2 has been put into effect, the rule has received certain updates and clarifications. To safeguard the security of open banking transactions, the EBA has published standards on strong customer authentication and common, secure communication. For the implementation of the PSD2, the EBA has also released a number of technical standards and guidelines, including those on the usage of APIs and the access to account information.
Timeline for open banking: The European Commission first suggested the PSD2 in 2013, and the EU formally implemented it in 2015. It became effective on January 13, 2018, and EU member states had two years to implement it. Banks had until September 14, 2019, to adhere to the rule.
To sum up, the PSD2 is a rule that the European Union (EU) established to promote competition and innovation in the banking industry by requiring banks to grant third-party providers access to consumer account information and payment initiation services via APIs. It is applicable to all EU member states and went into effect in January 2018. The EBA has issued updates to protect the security of open banking transactions, but the regulation’s implementation has not been uniform across the EU. The development of a more advanced and effective payment system in the EU will be aided by this rule.
Which countries does PSD2 apply to?
The Second Payment Services Directive (PSD2) is a regulation implemented by the European Union (EU) that applies to all EU member states. This means that the regulation applies to the following countries:
- Czech Republic
- United Kingdom
Please note that the United Kingdom left the EU on January 31st, 2020. The PSD2 is still in effect for the EU member states; however, the Brexit agreement establishes that the PSD2 will still apply to the UK until the end of the transition period on December 31, 2020. The regulatory environment for the UK may change after that.
What would be a positive impact of PSD2?
The European Union (EU) established the Second Payment Services Directive (PSD2) as a rule to promote competition and innovation in the banking industry by mandating banks to grant third-party providers access to account information and payment initiation services via APIs. The banking industry and customers should expect this rule to have a number of advantageous effects.
Increased competition: PSD2 gives non-bank businesses, including fintech firms, access to client data so they can create new goods and services based on the information and capabilities of banks. It is anticipated that this heightened competition will give consumers more options and better prices.
Enhanced security: Under PSD2, banks must provide a secure communication route for third-party providers to access client data, and all payment service providers must employ two-factor authentication for all transactions. This guarantees the security of transactions and the protection of consumer data.
Increased transparency: PSD2 gives clients access to all of their financial data in one location, making it easier for them to understand their spending and saving patterns and to decide how best to manage their money.
Improved regulatory oversight: PSD2 establishes a legal framework for third-party provider registration and supervision, ensuring that these providers are appropriately financed and have suitable governance, risk management, and security mechanisms in place. This enhances the financial system’s general safety and stability.
What are payment services?
Payment services were defined by the EU payment services directive, which established the same set of rules on payments across the whole European Economic Area, covering all types of electronic and non-cash payments, such as:
- Credit transfers
- Direct debits
- Card payments
- Mobile and online payments
The directive laid down rules about the information that payment services providers have to give to consumers and about the rights and obligations linked to the use of payment services.
What is European Payment Services Directive PSD2?
The PSD2 contains two main sections:
- The “market rules” describe which types of organizations can provide payment services. Next to credit institutions (i.e. banks) and certain authorities (e.g. central banks, government bodies), PSD2 talks about electronic money institutions (EMI), created by the E-Money Directive, and created the new category of “payment institutions” (PI) with its own prudential regime rules. Organizations that are neither credit institutions nor EMIs can apply for authorization as a payment institution if they meet certain capital and risk management requirements. The application can be made in any EU country where they are established, and they could then “passport” their payment services into all other EU member states without additional PI requirements.
- The “business conduct rules” specify what transparency of information payment service institutions need to provide, including any charges, exchange rates, transaction references and maximum execution time. It stipulates the rights and obligations for both payment service providers and users, how to authorize and execute transactions, liability in case of unauthorized use of payment instruments, refunds on payments, revoking payment orders, and value dating of payments.
Each country has to designate a “competent authority” for prudential supervision of the PIs and to monitor compliance with business conduct rules, as transposed into national legislation. A payment service provider license is issued by the competent authority, and is valid in all other EU and EEA countries.
How will PSD2 affect banks?
The rise of Electronic Money Institutions (EMIs) and Payment Institutions (PIs) has been the greatest threat to the conventional banking markets, and most “bricks and mortar” banks are struggling to catch up with the growth of this sector, in many cases by buying out new EMIs in order to get a head start. All banks are starting to offer the wide range of services for electronic transactions covered by PSD2, but the smaller and less restricted financial institutions are able to keep costs down by not having to support street branches, and so can generally provide the same services for lower charges, and offer better interest rates for deposits.
Does PSD2 apply to credit cards?
Due to PSD2, customers are seeing the lifting of additional fees for online payment via credit card or bank transfer. It also changes some of the rules by which transactions can be paid for with credit cards, mainly because of the need now for two-level authentication. PSD2 rules state that it is no longer sufficient to simply ask for a customer’s credit card and CVV for online transactions; a double authentication method is now required to authorize the transaction. This double authentication is known as SCA, or Strong Customer Authentication, and it means having to use something additional to the PIN or CVV when paying with a card, for example a temporary security code or token sent by SMS or a mobile app.