PSD2

PSD2 is the new European Directive on consumer and business payments. PSD2 will affect us all. What is going to change, and what will we notice?

PSD2 infographic
PSD2 in short: download the infographic.

PSD2 and consumers

PSD2 enables you to use new online payment and account information services. The third parties (financial institutions) who provide these services need to be able to access your bank account. They need to obtain your consent to do so. Nothing will change if you don't give your consent, and you are not obliged to do so.

PSD2 and retailers

PSD2 will also affect you if you are a retailer. New providers of innovative electronic and online payment methods will step up to offer their services. As a retailer, you will be able to choose from more payment methods and providers. Your customers may expect you to provide these new payment methods. It is up to you to decide which payment methods you want to offer.

PSD2 and third parties

With the introduction of PSD2, new providers of new payment and account information services will enter the market. They will act as an online third party between you and your bank. These third parties may be other banks, for example, or FinTech companies. All providers must have a licence issued by DNB or by another supervisory authority in the European Union. PSD2 regulates the supervision of these third parties.


Information about PSD2
De Nederlandsche Bank (DNB) informs consumers and retailers about PSD2 on behalf of theNational Forum on the Payment System(NFPS). The NFPS is a platform representing fifteen civil society organisations for consumers, retailers and banks. You can also check out the websites of these organisations and your bank for more information about PSD2. No rights may be derived from the information on this website. We reserve the right to change this information and to make situation-specific decisions.

Frequently asked questions:

What is PSD2?

PSD2 is the revised version of the Payment Services Directive (2007). This is the European Directive regulating the payments of consumers and businesses.

PSD2 lays down the legal basis for payments between bank accounts in Europe. Each EU country transposes the Directive into its own national legislation – in the Netherlands, it will be incorporated in the Dutch Civil Code and the Financial Supervision Act (Wet op het financieel toezicht – Wft), for example. PSD2 is elaborated in technical standards and guidelines for banks and other organisations offering payment services, and the relevant supervisory authorities.

PSD2 has a number of exclusions. PSD2, for example, does not cover payments in banknotes and coins and covers non-cash payments only. DNB and other national and international supervisory authorities see to it that PSD2 is applied where appropriate.

What is regulated under PSD2?

Rights and obligations
PSD2 regulates

  • the rights and obligations of the parties involved in non-cash payments, such as consumers, businesses, banks and payment institutions;
  • the conditions governing payment transactions and the information provided about these transactions to users;
  • which parties are permitted to act as a payment institution, the conditions they must meet in order to enter the market, and their supervision.

Access to payment accounts – the account holder decides
The key innovation of PSD2 is that it enables account holders to use new payment services and payment account information services. Account
holders now have the right to allow third parties access to their account held with the bank. If account holders give their consent, banks are obliged to cooperate. For example, at the customer's request, these third parties can initiate payments (payment initiation services). They can also provide a comprehensive overview of a customer's accounts at one or more banks (account information services)

Security
PSD2 ensures that this access to your account is safe and secure. Under PSD2, all new payment institutions must be licensed to operate by a supervisory authority established in the Netherlands or another EU country. The Directive describes the supervisory requirements that institutions must meet, for example with respect to data protection, and defines the technical standards that apply. These standards further elaborate the requirements for transaction security and communications between the bank and the new parties.

Who will be affected by PSD2?

PSD2 affects almost everyone making or receiving non-cash payments – consumers, businesses, banks and payment institutions alike. For example, PSD2 regulates debit card payments at points of sale, and payment for online purchases. PSD2 does not regulate all types of payments, however. Payments in banknotes and coins, and most securities transactions are not regulated by PSD2.

Why would I need PSD2?

New services for consumers
The aim of PSD2 is to promote competition, innovation, consumer protection and security in the European payment system. PSD2 enables new payment services.

For example, payment initiation services can be an alternative for payments by iDEAL, PayPal or credit card. This comes in handy if an online retailer does not offer iDEAL because it is established abroad, or if customers do not have a credit card or a PayPal account. Licensed webshops can also initiate payments themselves, directly from the customer's account. This can make payments both easier and cheaper for retailers.

Account information services for example facilitate digital budget planners. These can provide a comprehensive overview of a customer's payments by category (such as food, clothing, transport, subscriptions and insurance) if a customer has multiple accounts at one or more banks. Subject to the customer's consent, account information services providers can also create an overview of receipts, payments and savings. This can be useful if the customer for example needs financial productssuch as consumer credit or a mortgage.

New payment methods at points of sale
PSD2 introduces new methods for electronic payments at points of sale. It also allows new payment method providers to enter
the market. Customers will have more options for making payments. Retailers will be able to choose from more payment methods and providers. It is up to retailers to decide which payment methods they wish to offer.

New opportunities for companies
Enterprises can apply for a licence to operate as a payment initiation service provider or an account information service provider.Such a licence allows them to offer the new payment services. They can ask the customer's consent to access their payment account. This allows them to integrate the payment process into apps for online service provision. Enterprises can also develop alternatives for debit card and credit card payments at points of sale. PSD2 enables service providers to check a customer's balance online. Customers first have to give their consent to do so.

New digital services
PSD2 creates new opportunities for existing and new businesses. It also encourages banks to actively cooperate with third parties.

For example, PSD2 enables new parties to integrate payment applications into their mobile services relatively easily. Banks can also use the expertiseand apps of these innovative parties to offer new services or integrate them into their own, existing services. PSD2 will lead to new forms of digital service provision by banks and third parties.

What is the difference between payment initiation services and account information services?

PSD2 regulates payment initiation services and account information services. Both types of services are based on a customer's consent to access their bank account. However these services are actually different. Payment initiation services involve a new method of making payments, in which money is transferred from your account. Account information services involve creating an overview of your account balances. No money is transferred from your account. Payment initiation services and account information services can also be combined.

Wat What does providing access to my bank account mean?

If you provide access to your bank account, this will allow new types of payment institutions to offer you new services. For example, they can check your balance, request your bank to initiate a payment (transfer) on your behalf, or create a comprehensive overview of your balances for you. It is important to note that these third parties can only do this with your consent. Providing access to your bank account does not mean that your account, your money and the information about your balance and payments become freely accessible to all.

Do I have to provide access to my account?

No, you do not have to provide access to your account to third parties – PSD2 only gives you the right to do so. To be precise: PSD2 gives you the right to use the services of a new type of provider, who needs access to your online account in order to provide these services.

If you give your consent, this means you are giving a third party access to your bank account. You should be aware of this.

If you don't give your consent, nothing will change. The third party will not gain access to your bank account.

What does it mean if I give consent to access my bank account?

If you give consent to access to your bank account, this will allow new types of payment institutions to offer new services. For example, they can check your balance, request your bank to initiate a payment or transfer on your behalf, or create a comprehensive overview of your accounts for you. You should note that your consent for a payment initiation service is always for a single instance, unless you have given consent for repeat payments to the same beneficiary. Your consent for account information services is valid for a period of 90 days. During this period, the account information service provider can access your bank account or accounts in order to update the overview of payments and receipts. After 90 days you must again give your explicit consent to access your bank account.

How do I give consent to access my bank account?

General
You can give consent to access your bank account to a payment initiation service provider or an account information service provider. Under PSD2, these providers are allowed to use your
bank's verification procedure. PSD2 prescribes that this must always be a two-step procedure, but the exact details may vary by bank or payment institution.

Giving consent to a payment initiation service provider to make a payment is very similar to initiating a payment order with your bank. The procedure for account information service providers is slightly different.

Payment initiation service
The procedure for giving consent to access your bank account is as follows:

1. Your bank or payment initiation service provider first verifies that you are the account holder. It does so byasking for a combination of at least two of the following elements:

  • something you have (e.g. a debit card, security calculator or a mobile phone),
  • something only you know (access code), and
  • biometric identification (e.g. fingerprint, iris scan).

2. Once your identity has been verified, a unique code is generated that is linked to the proposed transaction (amount and beneficiary). This code can only be used for this specific combination of amount and beneficiary: if the amount or beneficiary changes, the code will change too. By using the code, you give your consent to initiate the payment.

Combined with other security measures, this ensures that the payment service provider can only carry out transactions with your consent.

Account information service
The procedure for giving consent to access your bank account is as follows:

1. Your bank or account information service provider first verifies that you are the account holder by asking for a combination of at least two of the following elements:

  • something you have (e.g. a debit card or a mobile phone),
  • something only you know (access code), and
  • biometric identification (e.g. fingerprint, iris scan).

Please note that if you continue to use the account information service, this identity verification procedure will happen again 90 days after the first time you gave your consent.

2. Subsequently, the account information service provider will ask your explicit consent to use your account information. This request for consent must meet the requirements laid down in the European General Data Protection Regulation. The supervisory authorities are still working out the details for the Dutch situation.

What will happen if I don't give consent?

Without your consent, the new providers will not be able to access your bank account. As a consequence, they will not be able to provide services to you. This means you will have to use other ways to pay. Or you will have to find other methods of creating an overview of your accounts. In the Netherlands you can for example also pay in cash, or by debit card, iDEAL or credit card.

What is the reason for introducing PSD2?

PSD2 has the following five objectives:

  • Promoting competition in the European payments market
  • Facilitating innovations in the payments system
  • Improving consumer protection
  • Strengthening the security of payments
  • Contributing to a single European payments market

PSD2 allows new types of payment institutions to enter the market. This means more competition. PSD2 allows banks and new types of payment institutions to provide new types of services. This means greater innovation. PSD2 tightens the requirements for banks and payment institutions, which means better consumer protection and stronger payments security. These requirements and the agreements ensuing from them apply throughout the European Union. This means that the introduction of PSD2 is another step towards a single European payments market.

Who benefits from PSD2?

PSD2 offers new opportunities for old and new service providers, consumers and businesses. On the other hand, banks and payment institutions will have to face more competition.

PSD2 offers consumers new methods of payment, while retailers are no longer permitted to charge fees for most types of card transactions (i.e. debit card transactions and most credit card transactions). PSD2 offers alternatives for existing payment methods such as iDEAL and credit card payments. This offers more options to retailers. PSD2 allows payment institutions and banks to provide new types of services. Banks and payment institutions that fail to go along with this trend may lose part of their market share.

When will PSD2 enter into effect?

While PSD2 was supposed to be incorporated into the Dutch Civil Code and the Financial Supervision Act (Wet op het financieel toezicht – Wft) by 13 January 2018. However, this process has been delayed. The Minister of Finance expects PSD2 to enter into effect later this year. PSD2 will become effective in the Netherlands as soon as its incorporation into Dutch law is complete.


Who or what is a third party?

The payment initiation service providers and account information service providers are referred to as third parties. When they ask your consent to access your bank account in order to provide their services to you, they place themselves between you and your bank – as a third party. A third party can be a FinTech, telecom or wholesale company. It can also be another bank: under their banking licence, banks are also allowed to provide payment initiation and account information services. Other companies such as FinTech firms must first establish themselves as a payment initiation service provider or account information service provider and obtain the appropriate licence from the supervisory authorities.

Where can I find a list of registered third parties?

DNB maintains a register of banks and new types ofpayment institutions. You can consult this register onlinehere.Banks and payment institutions established in other countries are registered by the supervisory authorities of these countries. These registers too can be found online . The European Banking Authority (EBA) is working on linking all national registers and expects to complete this taskby the end of 2018.

What are the consequences of the delayed introduction of PSD2 in the Netherlands?

Until PSD2 is incorporated into Dutch law, consumers and businesses can only use the new payment services to a limited degree. Banks can already provide these services based on their banking licence. They can arrange this mutually on the basis of agreements. Foreign parties wishing to provide such services are currently dependent on the banks. Until PSD2 is incorporated into Dutch law, banks are not obliged to grant the new service providers access to their customers' bank accounts. New service providers wishing to establish themselves in the Netherlands can apply for a licence – which they are obliged to obtain under PSD2. Once the law has entered into force, DNB can grant the licence.

What measures have been taken to ensure a secure and reliable payment system?

The Dutch payment system is secure and reliable. Under PSD2, this will continue to be the case. PSD2 contains a number of safeguards to ensure this. The most important of these is the requirement for new types of payment service providers to obtain a licence from the relevant supervisory authority. In the Netherlands, this is DNB. The supervisory authorities must monitor the payment service providers' compliance with all applicable requirements, such as sound operational management. As a consumer, you do not have to check for yourself whether the party offering services is under supervision – it's your bank's job to check this. Of course you are free to check for yourself if you are in doubt.

A second safeguard is that PSD2, as well as the European regulations derived from it, contain several security requirements. These requirements for example describe how banks must verify your identity as the account holder

They also stipulate how banks and third parties must ensure secure communications. There are also requirements relating to the risk management systems of banks and payment institutions. They must immediately report any incidents to the supervisory authority, which may then require the banks and payment institutions to take appropriate measures.

A third safeguard is your own responsibility, as the account holder. PSD2 requires you to handle your bank's security codes with due care. Last but not least, the new providers need your explicit consent to access your bank account. Without consent, a payment initiation service provider cannot transfer money from your account.

In addition to these safeguards, the banks and payment institutions have their own security measures. For example, they continuously monitor all payment orders. If they detect anything unusual, they can block the order and contact the account holder. Banks in the Netherlands exchange information about unusual transactions and suspect counterparties. One of the reasons for this is to prevent fraud. They work together with the police and the judicial authorities to ensure a secure and reliable payment system.