Key Takeaways
- Open Banking: PSD2 requires EU banks to grant third-party providers access to customer account data.
- Enhanced Security: It mandates Strong Customer Authentication (SCA) for most online payments within Europe.
- Market Competition: The directive fosters innovation by opening the market to new fintech service providers.
What is PSD2?
PSD2, or the second Payment Services Directive, is a European Union regulation that became fully active in 2019. Its main purpose is to make payments more secure, increase consumer protections, and stimulate competition within the financial services industry. The directive requires banks to grant authorized third-party financial service providers access to customer account information, with the customer's consent.
This directive also introduced a security measure called Strong Customer Authentication (SCA) for most online payments exceeding €30. This requires at least two forms of verification for a transaction. For those familiar with the open nature of the Bitcoin network, PSD2 can be seen as an attempt by regulators to bring a new degree of openness and competition to the established banking system.
Regulatory Scope and Jurisdiction under PSD2
PSD2's authority extends across the European Economic Area (EEA), applying to any payment service provider operating within its borders. The directive's influence also reaches transactions where only one party is in the EEA, known as "one-leg-out" transactions. This gives the regulation a global footprint, affecting companies worldwide that do business with European customers.
The rules are not limited to Euro-denominated payments; they apply to transactions in any currency. This wide-ranging scope impacts global e-commerce and financial platforms that process payments for users inside the EEA. It's a clear signal of Europe's intent to set a worldwide standard for payment security and openness.
Strong Customer Authentication (SCA) and Security Standards in PSD2
A central pillar of PSD2 is Strong Customer Authentication (SCA), a measure designed to fortify online payment security. For most electronic transactions, it requires verification using at least two independent elements. These factors fall into three categories: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is). This multi-factor approach significantly reduces the risk of fraud for consumers and businesses across the European Economic Area.
Open Banking APIs and Third‑Party Access Enabled by PSD2
PSD2 compels banks to create secure channels for sharing customer data through Application Programming Interfaces (APIs). This framework, known as Open Banking, allows authorized third-party providers (TPPs) to build new financial products on top of existing bank infrastructure. This shift introduces a new competitive dynamic to the financial sector, and access always requires user permission.
- AISP: Providers that aggregate account data from multiple banks into one place.
- PISP: Providers that initiate payments directly from a user's bank account.
- Consent: Customer approval is mandatory for any data access or payment initiation.
Operational Impacts of PSD2 on Banks, Fintechs, and Bitcoin/Crypto Platforms
PSD2 reshapes how financial institutions operate, forcing banks to modernize legacy systems while creating openings for fintechs and crypto platforms. This regulation introduces a new degree of required cooperation and market competition. The effects vary significantly across these sectors.
- Compliance: Banks face significant costs to update their infrastructure for API access and SCA requirements.
- Innovation: Fintechs gain direct access to bank data, allowing them to build new services and compete with established institutions.
- Integration: Crypto platforms can use PSD2's framework to offer more direct fiat on-ramps, connecting traditional banking with digital assets.
Compliance Timelines, Enforcement, and the Road from PSD2 to PSD3
The transition to PSD2 was a multi-year process, with enforcement now handled by national authorities across the EEA. As the financial world adapts, regulators are already looking ahead to the next evolution of payment services regulation. This signals a continuous push for a more integrated and secure European payments market.
- Implementation: The directive became fully effective in September 2019, with a final SCA deadline in late 2020.
- Oversight: National regulators in each member state monitor and enforce the rules within their jurisdictions.
- Penalties: Non-compliance can result in significant fines and operational restrictions for payment service providers.
- Future: A review is underway for PSD3 and a new Payment Services Regulation to refine the current framework.
Lightspark Grid: Achieving PSD2’s Vision on a Global Scale with Bitcoin
While PSD2 opened up Europe's banking system, Lightspark Grid extends that vision globally using Bitcoin as a universal settlement layer. Grid offers a single API for payments across fiat and crypto, mirroring the open access goals of the directive. Its built-in compliance controls and interoperability with banks and wallets provide a framework for financial innovation. By abstracting the complexity of cross-border transactions, Grid offers a practical path to the open, real-time payment network that PSD2 originally imagined for Europe.
