PSD2
Definition
PSD2 is the EU directive that mandates Strong Customer Authentication for online payments and requires banks to grant API access to licensed third-party providers.
PSD2 (Payment Services Directive 2) is the EU regulatory framework governing payment services across the European Economic Area, replacing PSD1 in 2018. It introduced Strong Customer Authentication (SCA) for electronic payments, mandated open banking access through standardized APIs, and expanded the licensing framework for third-party providers (TPPs) including account information service providers (AISPs) and payment initiation service providers (PISPs). PSD2 fundamentally restructured the competitive dynamics between banks, PSPs, and fintech companies in Europe.
PSD2 is the foundational regulatory text for European payments. Its two major commercial impacts — SCA requirements and open banking mandates — have reshaped how payments are built and priced in the EU and EEA.
Key Provisions
Strong Customer Authentication: PSD2 mandated SCA for electronic transactions, requiring multi-factor authentication for most card-not-present payments. The SCA requirements took effect progressively between 2019 and 2021 after enforcement delays, with full enforcement varying by market.
Open Banking / Account Access: Banks above a certain payment-account threshold must provide API access to licensed TPPs. This created two new categories of regulated entity:
- AISPs (Account Information Service Providers): Can read account data with customer consent
- PISPs (Payment Initiation Service Providers): Can initiate payments from a customer’s bank account directly
Liability shift: PSD2 formalized liability rules for unauthorized transactions and introduced the concept of strict liability for PSPs, with narrower fraud claim windows for consumers.
Surcharging prohibition: PSD2 prohibits merchants from surcharging consumers for using regulated payment instruments (consumer credit and debit cards within the EU), though the rules for commercial cards and three-party schemes are more complex.
Open Banking in Practice
The open banking provisions of PSD2 have had mixed uptake. While the technical standards (defined in the RTS and implemented via common API frameworks like Berlin Group / NextGenPSD2 and Open Banking UK) are in place, merchant and consumer adoption of PISP-initiated payments has grown slowly in most markets.
The notable exception is account-to-account (A2A) payments in markets with strong instant payment infrastructure — the Netherlands (iDEAL), Poland (BLIK), and increasingly across the SEPA Instant Credit Transfer network. In these markets, PSD2-enabled payment initiation sits alongside card payments as a genuine alternative, typically at lower cost to merchants.
PSD2 vs. PSD3 / PSR
The European Commission published proposals for PSD3 and a new Payment Services Regulation (PSR) in 2023. The PSR would convert key PSD2 provisions into directly applicable EU regulation (removing national transposition variations), while PSD3 would update the directive for the remaining areas. As of 2025, these remain in the legislative process.
Southeast Asia Comparison
PSD2 has no direct equivalent in Southeast Asia. The region’s regulatory landscape is fragmented across national central banks:
- Singapore (MAS) has its own Payment Services Act (PSA), which licenses payment institutions across multiple activity classes but does not mandate open API access in the same way
- Malaysia (BNM) and Indonesia (OJK) are developing open banking frameworks that draw partial inspiration from PSD2 but are earlier in implementation
- Thailand (BOT) and the Philippines (BSP) have issued open finance roadmaps
For operators building global payment products, PSD2 compliance is non-negotiable for EU exposure. The SCA technical stack — 3DS2 integration, exemption engine, soft-decline handling — must be maintained as distinct infrastructure from the APAC stack, which operates under different authentication norms.
Operational Impact for PSPs
PSPs operating under PSD2 must hold appropriate licenses (PI or EMI) for payment initiation and account access activities. Operating outside licensed scope in an EEA market is a regulatory breach, not merely a commercial risk. License passporting allows a license obtained in one EEA state to cover activity across the EEA, though Brexit eliminated UK passporting.