With the PSD2, the European government hopes to streamline online payment methods across the EU and in doing so, support a strategic sector for the economy. To do so, it must push on three levers that will lead to a single result: the creation of an even more united, cohesive, and competitive European payments market. However, there is no shortage of grey areas.

Things are heating up for digital payments within the European Union.

On September 14, 2019 European Directive No. 2366 / 2015, the Payment Services Directive 2, or PSD2, officially comes into force in Italy. It will enrich the regulatory framework outlined by the previous legislation, Directive No. 64 / 2007.

This date is of fundamental importance since it marks the intervention of the European legislator in the strategic online payments sector.

A previous article stressed the importance of this area for the European economy, especially in terms of growth prospects for the key role that the development and spread of the online payments sector has played compared to other areas. But that’s not all.

The application of Directive no. 2366/2015 marks a significant change of pace for Italy and for the whole of Europe in general. The European legislator has preserved the inspiring principles of the previous directive and has strengthened it by introducing several important innovations.

Let’s start with a brief introduction.


What is PSD2 regulation?

PSD2 is the European Directive 2366/2015, a nationally binding law approved by the European Parliament that applies to digital payment services, and one that involves financial sector and the banking sector since the main operators are credit institutions.

Within this area, PSD2 identifies a series of rules and requirements for security, transparency, and conditions of service to ensure that the payments market is homogeneous and the treatment of customers is harmonized across all Member States. This, among other things, allows for better control by the central authorities and ensures that there are no grey areas in order to protect against reckless or illegal behaviour.

Although this uniform aim is the basis of PSD2, as was also the case for PSD1, it also has other goals.

According to some observers, the main objective of Directive 2366/2015 is to further promote the dissemination and development of increasingly advanced and refined digital payment services.

To pursue this result, the legislator substantially exploits three levers:
1. regulatory harmonization in the sector
2. competition between the various payment instruments available
3. a stronger and more centralized system of protection and security that benefits customers

Now we’ll look at the measures in place to implement these three points.

Regulatory harmonization: more defined limits for a single market

Among its main effects, Directive 2366/2015 reshapes the areas of application of PSD1.

PSD2 extends the obligations of transparency and correctness of the information, already present in PSD1, to all so-called “one leg” transactions, i.e. in which even only one of the two Payment Service Providers is located in the European Union, regardless of the currency in which the transaction takes place.

In addition, PSD2 has also revised the perimeter of the exceptions (the so-called “negative scope”), defining exclusions in a more stringent way.

This is the case, for example, of commercial agents, for whom Directive 2366/2015 amends what was provided for in Article 3, letter b, of PSD1, according to which the obligations did not apply to transactions from the payer to the payee carried out through a commercial agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee.

If, on the other hand, the agent acts for both, then the agent can only benefit if it does not take possession of the clients’ funds at any time.

Another particularly interesting case of reshaping the waiver concerns instruments with limited expendability such as fuel cards, loyalty cards (where a payment function is associated), payment cards for public transport, meal vouchers, social vouchers, and gift vouchers, for example. For all of these instruments, the European legislator has intervened to ensure that citizens are protected.

To accomplish this, PSD2 lays down a series of obligations and requirements to be met in order to avoid fraudulent conduct.

These include, for example, the obligation for the provider to inform and consult with the competent authority before commencing business if the expected turnover exceeds a certain threshold, an average of €1 million per month, over a 12-month period.

Directive 2366/2015 also widens the audience of parties who must comply with the provisions of PSD2 to include non-banking players, thus widening the digital payments market.

More players for a more competitive market

The increased extension of the Directive reveals that the PSD2 will ensure greater competition within the sector.

The reference to the introduction of the “Third Party Payment Services Provider” (or simply TPP) entities who are entitled to provide access services to accounts other than banks or other credit institutions.

There may be two types of account access:

1. Payment Initiator Service Providers (PISPs), who may offer a payment service where the order is placed at the request of the customer in respect of a payment account held with another payment service provider

2. Account Information Services Providers (AISPs) who may offer an information service regarding the status of one or more payment accounts held by the customer with one or more payment service providers

This is perhaps one of the most disruptive changes in the legislation.

The legislator has decided to open the market to new parties who will be able to operate on current user accounts, managing money transfers and access to various types of information previously available only to institutional players.

This will undeniably give a boost to the entire market, hopefully for the benefit of both end-users and the average quality of service offered.

The first positive effects are already emerging. The non-profit organization, the Future of European Fintech (FoEF) has been formed by a group of European Fintech companies (the ETPPA) with the aim of assisting Third Parties in all the challenges related to the application of PSD2 and to ensure a healthy and fair competition in the provision of digital payment services between these and traditional players.

Obviously, PSD2 aims to create these market mechanisms, but it creates issues in terms of security and traceability in data management. To overcome this problem, Directive 2366/2015 provided that TTPs must obtain authorization to provide services, following a suitability check carried out by the competent national authority; for Italy, it is the Bank of Italy. In addition, each Member State is required to establish a public register indicating the services for which the payment institution is authorized or for which certain exemptions have been granted.

All of this information will then be incorporated into the EBA’s Central Electronic Registry, so that information on authorized parties is readily available.

In addition, any authorization is granted on the condition that the applicant holds a minimum amount of professional indemnity insurance established by EBA, valid in all territories where the services are offered.


Enhanced security: SCA and the new secure 3D system

To stimulate the spread of digital payment systems throughout Europe, the third lever that the legislator uses, together with the harmonization of legislation and the introduction of new players in the competitive environment, is security.

Remember, we are talking about very sensitive personal financial data, which can be handled by several parties within the same transaction. For this reason, security is an element that underlies all components of the PSD2, which introduces a series of key concepts to remember.

Importantly, Directive 2366/2015 introduces the concept of “Strong Customer Authentication,” SCA, which will become mandatory for all companies providing the financial services mentioned above.

The SCA is an additional security system that can uniquely recognize and authenticate the customer in order to minimize the threat of fraudulent operations committed by third parties.

It requires that anyone wishing to access an online account or have a digital payment must authenticate themselves using at least two of three tools: “knowledge” (using, for example, a personal password or PIN), “possession” (via a physical or mobile token that automatically generates a key) and, finally, “inherent” (such as facial recognition or fingerprint recognition).

In essence, PSD2 requires all providers to implement this protection system in the context of certain operations that can be performed by the user, such as access to the online payment account, the provision of an electronic payment (in this case providing elements that dynamically connect the transaction to the beneficiary or the specific amount) and, in general, any action taken at a distance that may involve a risk of payment fraud.

An interesting item to note: Strong Authentication prepared by the authorized subject must exceed certain technical security standards developed by the EBA itself. Also, in this case, there are exceptions to the obligation described above and these mainly concern recurring transactions or those less than €30 Euro or where the beneficiary of the payment is a person considered reliable.

Still with a view to increasing the security of operations, Directive 2366/2015 has pushed for the update and improvement of 3D Secure, the service aimed at increasing the security of transactions that transfers responsibility from traders to banks.

From September 14, 2019, PSD2 provides for the mandatory introduction of 3D Secure 2.0 to improve navigation for users, who before the reform, could be misled by false redirection pages that are used for phishing sites and, on the other hand, who had to remember numerous passwords.


In the event of fraud

The Directive 2366/2015 has also intervened to regulate cases where the end-user is the victim of computer fraud and cloning. While his area has unfortunately not been sufficiently simplified by the European legislator, there are two points to be emphasized.

First, the Directive reduces the deductible charged to the user as a result of unauthorized payment transactions, limited to €150. Second, although it is provided that, in the case of an incorrectly executed payment transaction, the burden of proof lies with the payment service provider, there are also scenarios where the liability of such persons is not easily attributable or distinguishable.

Since the provision of payment services is not subject to the existence of a contractual relationship, it may be necessary to conduct an investigation, which could result in significant costs for all involved.

It is clear that PSD2 contains novel elements, and we can expect the legislator to continue to update this issue as it evolves.


The digitalization of processes, products, and services in banks’ digital strategies must go hand in hand with an increasing focus on customers and their needs and expectations, even in the banking sector. Find out all trends to know in 2019, download the infographic:

New call-to-action