The Second Payment Services Directive (PSD2)
Objectives and national implementation of regulation
Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC was published on 23 December 2015. The deadline for the transposition into national law of this Second Payment Services Directive was 13 January 2018.
The objective of the Directive is to extend the scope of regulation to the various types of payment services and to update payment services regulation in line with market developments.
In Finland, the Directive was transposed in two parts. The Payment Services Act was amended by Act 898/2017 and the Payment Institutions Act was amended by Act 890/2017. The amendments entered into force for the most part on 13 January 2018.
Key changes to payment services legislation
The scope of application of the Payment Services Act was extended by bringing Third Party Providers (TPPs) within the scope of regulation and supervision.
The new providers of payment services are:
- Payment Initiation Service Providers (PISP)
- Account Information Service Providers (AISP)
Account servicing banks must provide these Third Party Providers access to customer accounts with the explicit consent of the customer. The payment initiation service provider and the account information service provider have the right to utilise strong customer authentication procedures provided to the customer by the account servicing bank.
The scope of regulation also includes the issuing of card-based payment instruments connected to an account provided by another payment service provider (Card-based Payment Instrument Issuer, CBPII).
The Directive also requires the payment service provider to apply strong customer authentication when the customer initiates an electronic payment transactions and accesses its payment account online. The requirement to apply strong customer authentication enters into force on 14 September 2019, i.e. 18 months following the publication of the Commission Delegated Regulation with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication. Derogations from the requirement to apply strong customer authentication are provided in the aforementioned Commission Delegated Regulation.
In autumn 2017, the Financial Supervisory Authority established a PSD2 Monitoring Group. The objective of the Group is to disseminate topical information to the industry, discuss interpretation issues and give guidance and advice to supervised entities. The PSD2 Monitoring Group convenes approximately once a month and is planned to operate at least until autumn 2019.
PSD2 Monitoring Group’s material is published in Finnish.
Level 2 regulations
The Directive is supplemented by Commission Delegated Regulations and guidelines issued by the European Banking Authority (EBA).
Commission delegated regulations (regulatory technical standards)
- COMMISSION DELEGATED REGULATION (EU) 2019/411 of 29 November 2018 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register within the field of payment services and on access to the information contained therein (pdf)
- COMMISSION DELEGATED REGULATION (EU) 2018/1108 of 7 May 2018 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regulatory technical standards on the criteria for the appointment of central contact points for electronic money issuers and payment service providers and with rules on their functions (pdf)
- COMMISSION DELEGATED REGULATION (EU) 2017/2055 of 23 June 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for the cooperation and exchange of information between competent authorities relating to the exercise of the right of establishment and the freedom to provide services of payment institutions (pdf)
- COMMISSION DELEGATED REGULATION (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (pdf)
European Banking Authority's draft regulatory technical standards
- EBA RTS on the supervision of PIs on a cross-border basis under Art 29(6)
- EBA RTS on Central Contact Points under Art. 29(5) PSD2
- EBA RTS on Technical Requirements for Central Register under Art. 15(4)
European Banking Authority's guidelines
- Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee under Article 5(4) of Directive (EU) 2015/2366 (pdf)
- Guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers under Article 5(5) of Directive (EU) 2015/2366 (pdf)
- Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2)
- Guidelines on procedures for complaints of alleged infringements of Payment Services Directive 2 (pdf)
- Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) (pdf)
- Guidelines on reporting requirements for fraud data under Article 96(6) PSD2 (pdf)
- EBA guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC) (pdf)
European Banking Authority's opinions
- EBA opinion on the deadline for the migration to SCA for e-commerce card-based payment transactions 16 October 2019
- EBA opinion on the implementation of the RTS on SCA and CSC 13 June 2018 (pdf)
- Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC 10 December 2018 (pdf)
- Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2 21 June 2019 (pdf)
- EBA's key tips to protect yourself when choosing online or mobile banking services (pdf)
- Supervision release 21 October 2019 – 54/2019: Financial Supervisory Authority complies with EBA-proposed additional time for strong customer authentication in e-commerce card-based payments – requirements must be implemented by 31 December 2020
- Supervision release 1 July 2019 – 33/2019: Reporting of fraud data related to payment services
- Supervision release 24 June 2019 – 29/2019: New security requirements for strong customer authentication in payment services
- Statement on online banking code lists as part of strong customer authentication 24 June 2019
- COMMISSION DELEGATED REGULATION (EU) 2018/389 on regulatory technical standards for strong customer authentication and common and secure open standards of communication (pdf)
- Statement on PSD2 transitional issues 10 January 2018
- PSD2 – the supervisor's perspective, Slush side event, Bank of Finland Museum, 29 November 2017 (in Finnish)
- Ministry of Finance press release 19 October 2017 (in Finnish)
- Ministry of Justice press release 5 October 2017 (in Finnish)
- PSD2 (pdf)
- Payment services and electronic money (EBA website)
- FinTech and regulation: How will the Payment Services Directive change the world?, Slush side event, Bank of Finland Museum 30 November 2016 (in Finnish)
- Register of delegated acts