PSD2

The Second Payment Services Directive (PSD2)

Objectives and national implementation of regulation

Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC was published on 23 December 2015. The deadline for the transposition into national law of this Second Payment Services Directive was 13 January 2018.

The objective of the Directive is to extend the scope of regulation to the various types of payment services and to update payment services regulation in line with market developments.

In Finland, the Directive was transposed in two parts. The Payment Services Act was amended by Act 898/2017 and the Payment Institutions Act was amended by Act 890/2017. The amendments entered into force for the most part on 13 January 2018.

Key changes to payment services legislation

The scope of application of the Payment Services Act was extended by bringing Third Party Providers (TPPs) within the scope of regulation and supervision.

The new providers of payment services are:

  • Payment Initiation Service Providers (PISP)
  • Account Information Service Providers (AISP)

Account servicing banks must provide these Third Party Providers access to customer accounts with the explicit consent of the customer. The payment initiation service provider and the account information service provider have the right to utilise strong customer authentication procedures provided to the customer by the account servicing bank.

The scope of regulation also includes the issuing of card-based payment instruments connected to an account provided by another payment service provider (Card-based Payment Instrument Issuer, CBPII).

The Directive also requires the payment service provider to apply strong customer authentication when the customer initiates an electronic payment transaction or accesses its payment account online. The requirement to apply strong customer authentication enters into force on 14 September 2019, i.e. 18 months following the publication of the Commission Delegated Regulation with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication. Derogations from the requirement to apply strong customer authentication are provided in the aforementioned Commission Delegated Regulation.

Monitoring Group

In autumn 2017, the Financial Supervisory Authority established a PSD2 Monitoring Group. The objective of the Group is to disseminate topical information to the industry, discuss interpretation issues and give guidance and advice to supervised entities. The PSD2 Monitoring Group convenes approximately once a month and is planned to operate at least until autumn 2019.

PSD2 Monitoring Group’s material is published in Finnish.

Level 2 regulations

The Directive is supplemented by Commission Delegated Regulations and guidelines issued by the European Banking Authority (EBA).

Commission delegated regulations (regulatory technical standards)

European Banking Authority's draft regulatory technical standards

European Banking Authority's guidelines

European Banking Authority's opinions
