PSD2 & Open Banking


Reading Time: 3 minutes

PSD (Payment Services Directive) was adopted in 2007 to create rules and guidelines for simplified, efficient modern payment services in the European Union. However, as technology progressed PSD was not adequate enough to promote innovation, create competition, secure payments and protect consumers. As a result, PSD2 (The revised Payment Services Directive) came into play to increase security and create more innovative digital payments for today’s digital consumers.

Don’t miss out the latestCommencis Thoughts and News.

    Key aspects of the PSD2:

    • Banks to have stricter customer authentication

    • Banks to open their customer data with certified TPPs (Third Party Provider)

    The second point is the crux of the PDS2. It creates a new ecosystem in the market and breaks customers’ data monopoly held by the banks. It requires banks to open their customers’ data by exposing their APIs. Who consumes these APIs? There are now new players to innovate and bring products to the market faster by using the rich data passed by the banks. 

    There are three new main players that are third parties to provide services.

    PISP (Payment Initiation Service Provider): A TPP that provides payment services. PISPs can initiate a payment on behalf of their customers.

    AISP (Account Information Service Provider): A TPP that provides account information services. AISPs can aggregate account information data from multiple banks and give an overview of accounts, balances, beneficiaries, direct-debits etc. to their customers.

    CBPII (Card Based Payment Instrument Issuer): A TPP that issues card-based payment instruments.

    The name Open Banking might scare customers about their data protection. However, the new system is at least as secure as existing services. The account holder is the one doing the data sharing and customer’s explicit consent to any exchange is mandatory. Without the customer’s explicit consent, third parties cannot access the data and create orders on behalf of the customer. In addition, customers do not need to share their banking credentials with anyone other than the bank. Below is a simplified consent flow.


    Following PSD2 data sharing, there are standards emerging. For example, Open Banking in the UK aims to help support and speed up the process by setting the standards. The Berlin Group defines a common API specification called NextGenPSD2. PolishAPI and STET are also PSD2 API initiatives. PSD2 requires banks to open data to third parties, these API standards define they do so in a standard format. So, banks expose their APIs based on a standardized contract and TPPs know which APIs they will consume and how they will consume these APIs. It provides TPPs the opportunity to integrate with multiple banks based on the same API contract.

    PSD2 became applicable as of 13 January 2018, except for the security measures outlined in the RTS (Regulatory Technical Standard). RTS provides detailed specifications to achieve the strict security requirements for payment service providers in the European Union. By 14 March 2019, banks need to make their technical specifications available and provide their APIs to TPPs for testing and integration activities before the complete implementation deadline. From 14 September 2019, banks will need to comply with obligations set out in RTS security and functional requirements.

    Once PSD2 and its APIs are adopted by banks and TPPs, it is considered as revolutionary by changing the ecosystem in the market. It will enable customers to access products that adopt more digital operating models and it will give customers more control over their data.