Glossary

PSD2/PSD3 (Payment Services Directive)

PSD2 and PSD3 are EU regulations requiring banks to share payment data via APIs, enabling third-party fintech services.

Key Takeaways

  • PSD2 (Directive 2015/2366) required European banks to open secure APIs for licensed third-party providers, creating the legal foundation for open banking across the EU when it took effect in January 2018.
  • The directive introduced Strong Customer Authentication (SCA): multi-factor authentication for electronic payments using at least two of three factors (knowledge, possession, inherence).
  • PSD3, proposed in June 2023 alongside the Payment Services Regulation (PSR), closes PSD2 loopholes, adds APP fraud liability rules, merges the E-Money Directive into the payment framework, and clarifies how crypto-asset service providers interact with MiCA.

What Is the Payment Services Directive?

The Payment Services Directive (PSD) is the European Union's legislative framework governing payment services and payment service providers across the single market. PSD2, the second revision adopted in 2015 and enforced from January 2018, transformed European payments by mandating that banks expose standardized APIs so that authorized third-party providers can access customer account data and initiate payments with explicit customer consent.

Before PSD2, banks controlled every aspect of their customers' financial data. Screen-scraping was the only way fintech companies could aggregate account information, and banks could block access at will. PSD2 replaced this fragile arrangement with a legal right: account-to-account payments and data access became regulated activities that banks were obligated to support.

PSD3, proposed by the European Commission on 28 June 2023, addresses gaps that emerged during PSD2's first years. A provisional political agreement was reached in November 2025, with final compromise texts published in April 2026. The new regime is expected to take effect by late 2027, after an 18-month transposition period.

How PSD2 Works

PSD2 created two new categories of licensed payment service providers that can operate alongside banks:

  • AISPs (Account Information Service Providers): read-only access to customer account data for services like budgeting apps, financial aggregators, and credit scoring. AISPs can view balances and transaction history across multiple banks in a single interface.
  • PISPs (Payment Initiation Service Providers): the ability to initiate payments directly from a customer's bank account, bypassing card networks entirely. This enabled payment initiation services that move money without cards, reducing interchange fees for merchants.
  • ASPSPs (Account Servicing Payment Service Providers): the banks themselves, which hold customer accounts and are required to provide the API infrastructure that AISPs and PISPs connect to.

Strong Customer Authentication

PSD2's second major pillar is Strong Customer Authentication (SCA). Originally scheduled for September 2019, full enforcement was extended to 31 December 2020 due to merchant readiness concerns. SCA requires that electronic payments verify at least two of three independent factors:

  1. Knowledge: something only the user knows (PIN, password)
  2. Possession: something only the user has (phone, hardware token)
  3. Inherence: something the user is (fingerprint, facial recognition)

SCA applies to most electronic payments but includes exemptions for low-friction scenarios: transactions under EUR 30 (capped at EUR 100 cumulative or five transactions), recurring payments to the same payee (SCA on first transaction only), and trusted beneficiaries whitelisted by the customer. Merchants can also request Transaction Risk Analysis (TRA) exemptions based on fraud-rate thresholds: 0.13% for transactions up to EUR 100, 0.06% up to EUR 250, and 0.01% up to EUR 500.

API Standards

PSD2 mandated APIs but did not specify a single technical standard. Two dominant frameworks emerged:

  • Berlin Group NextGenPSD2: the XS2A (Access to Accounts) framework adopted by over 3,600 banks across 24 countries, covering more than 75% of European banks. It defines RESTful APIs for account information, payment initiation, and fund confirmation.
  • Open Banking UK: a UK-specific standard developed by the Open Banking Implementation Entity (OBIE), mandated for the nine largest UK banks. Post-Brexit, the UK continues to evolve this standard independently of PSD2.
// Simplified PSD2 API flow (Berlin Group XS2A)

// Step 1: Third-party requests consent from customer
POST /v1/consents
{
  "access": {
    "accounts": [{ "iban": "DE89370400440532013000" }],
    "balances": [{ "iban": "DE89370400440532013000" }],
    "transactions": [{ "iban": "DE89370400440532013000" }]
  },
  "recurringIndicator": true,
  "validUntil": "2026-12-31",
  "frequencyPerDay": 4
}

// Step 2: Customer authenticates with their bank (SCA)
// Step 3: Third-party accesses account data
GET /v1/accounts/{account-id}/transactions
Authorization: Bearer {access_token}

What PSD3 Changes

PSD3 arrives as part of a two-instrument package: PSD3 itself (a Directive requiring national transposition) and the Payment Services Regulation (PSR), which applies directly across all member states without transposition. The split ensures that core rules are uniform across Europe while allowing member states flexibility on licensing and supervision.

APP Fraud Liability

Authorized Push Payment (APP) fraud, where criminals trick victims into voluntarily sending money, was not adequately addressed by PSD2. PSD3 introduces specific protections: when a fraudster impersonates a payment service provider, the resulting transactions are treated as unauthorized, triggering full reimbursement. PSPs must implement risk-based transaction monitoring to detect and prevent these scams.

IBAN/Name Verification

The PSR mandates that payment service providers verify that a payee's name matches their IBAN before executing a transfer. This check, similar to the UK's Confirmation of Payee, must return results within seconds. If a PSP fails to perform the check and the customer suffers fraud as a result, liability shifts to the payer's PSP.

Open Banking Improvements

PSD3 addresses complaints about inconsistent API quality under PSD2. Banks must provide APIs with performance parity: third-party providers should receive the same quality of service as the bank's own digital channels. Mandatory permissions dashboards let customers see and revoke third-party access in one place. Structured contingency mechanisms replace the controversial fallback interface requirements.

PI/EMI Merger

PSD3 merges the E-Money Directive into the payment services framework. Electronic Money Institutions (EMIs) become a sub-category of Payment Institutions (PIs), simplifying the regulatory landscape. Existing EMI authorizations remain valid for 24 months (with a possible 6-month extension) while firms transition to the new regime.

Crypto and MiCA Interaction

The European Banking Authority clarified in February 2026 that crypto-asset activities involving e-money tokens (EMTs) may require dual authorization under both MiCA and PSD3/PSR. Crypto-asset service providers already authorized under PSD2 can continue EMT payment services, but unauthorized providers must cease operations or obtain proper licensing.

Impact on Payments

PSD2 fundamentally reshaped how money moves in Europe and created ripple effects worldwide. For a deeper analysis of how open banking has evolved globally, see the state of open banking research article.

Neobank Growth

By giving third parties legal access to bank data, PSD2 fueled the rise of neobanks like Revolut, N26, Wise, Monzo, and Starling. These companies built entire banking experiences on top of PSD2 APIs, offering multi-bank aggregation, cheaper foreign exchange, and faster cross-border payments. Europe now holds approximately 37% of the global neobanking market.

Reduced Card Dependency

Payment initiation services enabled merchants to accept bank-to-bank payments without card network intermediaries. This removed the interchange fees, scheme fees, and acquirer margins that typically add 1-3% to card transactions. The account-to-account payments revolution explores how this shift is accelerating.

Parallels to Crypto Payment Rails

PSD2's core insight: separating account holding from payment services creates competition and innovation. Cryptocurrency and stablecoin payment rails take this further by removing the bank entirely from the equation. Where PSD2 requires banks to open APIs, protocols like Bitcoin's Lightning Network and Spark provide instant settlement without needing bank infrastructure at all.

Risks and Considerations

API Fragmentation

Despite PSD2's mandate, the lack of a single API standard created fragmentation. Third-party providers must integrate with multiple API formats across different banks and countries. While the Berlin Group framework covers most of Europe, implementation varies significantly in data fields, authentication flows, and error handling. PSD3 attempts to address this with stricter performance parity requirements, but full standardization remains elusive.

Compliance Complexity

The PSD3/PSR package introduces new compliance obligations for payment service providers: APP fraud monitoring, IBAN verification systems, permissions dashboards, and updated SCA accessibility requirements. For firms operating across multiple EU jurisdictions, the 18-month transposition window means navigating different national implementation timelines. Companies handling e-money tokens face the additional complexity of dual MiCA/PSD3 licensing.

Security Tradeoffs

Opening bank APIs to third parties inherently expands the attack surface. PSD2 mitigated this with SCA requirements, qualified certificates, and regulatory supervision. But as the number of licensed providers grows, so does the risk of credential theft, API abuse, and social engineering attacks that exploit the trust customers place in authorized third parties.

Scope Limitations

PSD2 and PSD3 apply only within the EU and EEA. The UK, post-Brexit, operates its own open banking framework. Other jurisdictions like Australia, Brazil, and India have adopted their own versions of open banking with different rules and timelines. For businesses operating globally, PSD compliance is just one piece of a fragmented regulatory landscape.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.