Explained: Payment Service Directive 2 (PSD2)

Explained: Payment Service Directive 2 (PSD2)

Payment Service Directive 2 (PSD2) is the implementation of a European guideline designed to further harmonize money transfers inside the EU. The ultimate goal of this directive is to simplify payments across borders so that it’s as easy as transferring money within the same country. Since the EU was set up to diminish the borders between its member states, this make sense. The implementation offers a legal framework for all payments made within the EU.

After the introduction of PSD in 2009, and with the Single Euro Payments Area (SEPA) migration completed, the EU introduced PSD2 on January 13, 2018. However, this new harmonizing plan came with a catch— the use of new online payment and account information services provided by third parties, such as financial institutions, who needed to be able to access the bank accounts of EU users. While they first need to obtain users’ consent to do so, we all know consent is not always freely given or with a full understanding of the implications. Still, it must be noted: Nothing will change if you don’t give your consent, and you are not obliged to do so.

Which providers

Before these institutions are allowed to ask for consent, they have to be authorized and registered under PSD2. The PSD2 already sets out information requirements for the application as payment institution and for the registration as account information services provider (AISP). The European Banking Authority (EBA) published guidelines on the information to be provided by applicants intending to obtain authorization as payment and electronic money institutions, as well as to register as an AISP.

From the pages of the Dutch National Bank (De Nederlandsche Bank):

“In this register are also (foreign) Account information service providers based upon the European Passport. These Account information service providers are supervised by the home supervisor. Account information service providers from other countries of the European Economic Area (EEA) could issue Account information services based upon the European Passport through an Agent in the Netherlands. DNB registers these agents of foreign Account information service providers without obligation to register. The registration of these agents are an extra service to the public. However the possibility may exist that the registration of incoming agents differs from the registration of the home supervisor.”

So, an AISP can obtain a European Passport to conduct its services across the entire EU, while only being obligated to register in its country of origin. And even though the European Union is supposed to be equal across the board, the reality is, in some countries, it’s easier to worm yourself into a comfortable position than in others.

Access to bank account = more services

Wait a minute. What exactly does all of this mean? Third parties often live under a separate set of rules and are not always subject to the same scrutiny. (Case in point: AISPs can move to register in “easier” countries and get away with much more.) So while that offers an AISP better flexibility to provide smooth transfer services, it would also allow those payment institutions to offer new services based on their view into your bank account. That includes a wealth of information, such as:

  • How much money is coming into and out of the account each month
  • Spending habits: what you spend money on and where you spend it
  • Payment habits: Are you paying bills way ahead of deadline or tardy?

AISPs can check your balance, request your bank to initiate a payment (transfer) on your behalf, or create a comprehensive overview of your balances for you.

Simple example: There is an AISP service that keeps tabs on your payments and income and shows you how much you can spend freely until your next payment is expected to come in. This is useful information to have when you are wondering if you can make your money last until the end of the month if you buy that dress.

However, imagine this information in the hands of a commercial party that wants to sell you something. They would be able to figure out how much you are spending with their competitors and make you a better offer. Or pepper you with ads tailored to your spending habits. Is that a problem? Yes, because why did you choose your current provider in the first place? Better service or product? Customer friendliness? Exactly what you needed? In short, the competitor might use your information to help themselves, and not necessarily you.

What is worrying about PSD2?

Consumer consent is a good thing. But if we can learn from history, as we should, it will not be too long before consumers are being tricked into clicking a big green button that gives a less trustworthy provider access to their banking information. Maybe they don’t even have to click it themselves. We can imagine Man-in-the-Middle attacks that sign you up for such a service.

Any offer of a service that requires your consent to access banking information should be carefully examined. How will AISPs that work for free make money? Likely by advertising to you or selling your data.

And then there is the possibility for “soft extortion,” like a mortgage provider that doesn’t want to do business with you unless you provide them with the access to your banking information. Or will offer you a better deal if you do.

In all of these scenarios, consent was given in one way or another, but is the deal really all that beneficial for the customer?

What we’d like to see

Some of the points below may already be under consideration in some or all of the EU member states, but we think they offer a good framework for the implementation of these new services.

  • We only want AISPs that work for the consumer and not for commercial third parties. In fairness, the consumer will pay the AISP for their services so that abuse or misuse of free product business models does not take place.
  • AISPs that want to do business in a country should be registered in that country, as well as in other countries where they want to do business.
  • AISPs should be constantly monitored, with the option to revoke their license if they misbehave. Note that GDPR already requires companies to delete data after services have stopped or when consent is withdrawn.
  • Access to banking information should not be used as a requirement for unrelated business models, or be traded for a discount on certain products.
  • GDPR regulations should be applied with extra care in this sensitive area. Some data- and privacy-related bodies have already expressed concerns about the discrepancies between GDPR and PSD2, even though they come from the same source.
  • Obligatory double-check through another medium by the AISP whether the customer has signed up out of their own free will, with a cooling-off period during which they can withdraw the permission.

Would anyone consent to PSD2 access?

For the moment, it’s hard to imagine a reason for allowing another financial institution or other business access to personal banking information. But despite the obvious red flags, it’s possible that people might be convinced with discounts, denials of service, or appealing benefits to give their consent.

And some of our wishes could very well be implemented as some kinks are still being ironed out. The Dutch Data Protection Authority (DPA) has pointed out that there are discrepancies between GDPR and PSD2 and expressed their concern about them. The DPA acknowledges this in their recommendation on the Implementation Act, and most recently in the Implementation Decree.

In both recommendations, the DPA concludes, in essence, that the GDPR has not been taken in consideration adequately in the course of the Dutch implementation of PSD2. The same may happen in other EU member states. Of course, the financial world tells us that licenses will not be issued to just anybody, but the public has not entirely forgotten the global 2008 banking crisis.

On top of that, there are major lawsuits in progress against insurance companies and other companies that sold products constructed in a way the general public could not possibly understand. These products are now considered misleading, and some even fraudulent. To put it mildly, the trust of the European public in financials is not high at the moment.

And we are not just looking at traditional financials.

Did you know that Google has obtained an eMoney license in Lithuania and that Facebook did the same in Ireland?

Are you worried now? Let me explain that all of these concerns have been brought up before, and the general consensus is that the regulations are strict enough to warrant an introduction of PSD2 that will only allow trustworthy partners which have been vetted and will be monitored by the authorities.

Nevertheless, you can rest assured that we will keep an eye on this development. When the times comes that PSD2 is introduced to the public, it might also turn out to be a subject that phishers are interested in. We can already imagine the “Thank you for allowing us to access your bank account; click here to revoke permission” email buried in junk mail.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.