What do you need to be PSD2-compliant?
The European Union's Revised Payment Services Directive (PSD2) has been in effect since January 2018, and its Regulatory Technical Standards on Strong Customer Authentication have applied since September 2019. As a business, you might be wondering exactly what it takes to be PSD2-compliant. Although the national legislation may differ slightly across EU member states (PSD2 is a directive, transposed into national law), the ground rules are the same everywhere. We set out the main requirements for you here.
If you want to find out some more background information about PSD2 in general, please be sure to read our dedicated blog post.
What are the new rules under PSD2?
PSD2 opens the European financial services market, making it more integrated and more efficient. One major change introduced by PSD2 is that banks and other account-holding institutions (Account Servicing Payment Service Providers, or ASPSPs) must give licensed third parties secure access to payment accounts through APIs. Another purpose of the directive is to enable external service providers (so-called Third-Party Providers, or TPPs) to offer account information and payment initiation services directly to consumers, with the account holder's explicit consent.
Who must comply with PSD2?
PSD2 affects almost anyone dealing with (digital) financial services. Its impact differs, though, depending on the focus of your business. For financial services providers, PSD2 has created new opportunities, as they can qualify as Third-Party Providers (read more about the opportunities for TPPs in our dedicated article). Businesses that were using (bank-owned) payment or information services can obtain a TPP licence under PSD2 to take those services in-house and reap the benefits of a range of insights based on payment behaviour.
For banks, PSD2 has meant increased competition from non-banking institutions for payment and information services, as well as the need to create APIs to give external service providers secure access to accounts. But banks can also choose to get in on the action by becoming TPPs themselves, allowing them to retain and improve their customer relationships by competing with external providers. Consumers have benefited from more innovative payment and financial services, and thanks to the more competitive market, prices for these services have dropped.
For banks and account-holding institutions:
- Set up a Consumer Identity and Access Management (IAM or CIAM) solution
- Apply Strong Customer Authentication (multi-factor and continuous authentication)
- Create APIs to access transactional payment data that support:
  - Fine-grained access control
  - Real-time access
- Provide Access to Account (XS2A)
For Third-Party Providers (TPPs):
- Obtain a Payment Initiation Service Provider (PISP) or Account Information Service Provider (AISP) licence
- Implement a Consumer Identity and Access Management solution to facilitate:
  - Strong Customer Authentication (multi-factor or continuous authentication)
  - Know Your Customer (KYC) and identity proofing capabilities
- Build secure applications featuring:
  - User consent
  - Fine-grained access control
Strong Customer Authentication
One of the key PSD2 requirements for TPPs is to ensure strong authentication for their customers, as noted above. PSD2 defines strong authentication in the traditional way: authentication based on two or more independent elements from the categories knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is), where the compromise of one element must not compromise the reliability of the others.
So, Strong Customer Authentication (SCA) means two- or multi-factor authentication (MFA) from the very start: when the customer accesses the payment account online and when an electronic payment is initiated, unless one of the exemptions in the Regulatory Technical Standards applies. For remote electronic payments, PSD2 (Article 97) additionally requires the authentication code to be dynamically linked to the amount and the payee, so that a code captured for one transaction cannot be replayed for another. Although smart cards, USB tokens and software tokens had been used for strong authentication in enterprise contexts in the past, banks and TPPs have been reluctant to use these IAM technologies under PSD2 because they are not user-friendly for consumers. Instead, banks and TPPs have greatly expanded their use of mobile apps, especially biometrics on smartphones. One caveat applies here: when the possession element (the phone) and the inherence element (the fingerprint or face scan) live on the same device, the Regulatory Technical Standards require measures that keep the two elements independent, so that a compromised device does not defeat both factors at once.
How can OneWelcome help?
OneWelcome offers a CIAM platform you can use to start a TPP or become PSD2-compliant. Aside from offering a range of features to facilitate PSD2 compliance, the OneWelcome Cloud Identity Platform also allows you to create a tailor-made, frictionless login and authentication experience for your customers.
The OneWelcome Cloud Identity Platform provides a range of authenticators including advanced MFA mechanisms for both web and mobile authentication to meet and exceed the Strong Customer Authentication criteria. OneWelcome offers multiple levels of authentication including mobile push notifications, QR code logins, mobile biometrics and Single Sign-On (SSO).
Via our identity proofing module, you can easily set your required Identity Assurance Level (IAL) and choose from commercial and governmental bring-your-own-identity (BYOI) providers or document-centric identity proofing services.
In addition, via our consent management module, we embed consent in the user journey and allow consumers to view, edit, download and delete their personal and consent data. Deputy Privacy Officers can govern data and privacy protection processes in real time.
| Checklist | Banks | TPPs | Supported by OneWelcome |
|---|---|---|---|
| Multi-factor authentication | ✓ | ✓ | ✓ |
| ISO 27001 certification | ✓ | ✓ | |
| KYC and identity proofing | ✓ | ✓ | ✓ |
| A flexible platform with many integrations | ✓ | ✓ | ✓ |
Verify your PSD2 compliance today
Not sure whether your organisation is fully PSD2-compliant? We’re always happy to advise you on the best way forward—even if that doesn’t include our platform (although we are sure we can offer you great added value!). So, please feel free to contact us for a no-strings consultation.