The Second Payment Services Directive - PSD2

PSD2 and the regulation of Europe’s Payments Markets

Fiorano PSD2 - A Revolution in Retail Banking

The PSD2 Directive, aimed at Retail Banking, encourages the role of third party providers in the retail Banking chain, in an attempt to transform the Banking industry via innovation.

For Third Party Providers (TPPs) to operate in the payments market, Banks are required to expose customer data, with customer consent. This enables options such as bypassing credit card companies and avoiding transaction fees that may or may not be transparent, leading to greater efficiency and transparency for the customer.

PSD2 mandates are implemented via the European Banking Authority's Regulatory Technical Standards (RTS). The RTS forms the basis for defining the technology related steps mandated by PSD2, which Banks need to implement in order to meet compliance.

Components of the PSD2 RTS, such as enhanced security, are designed not only as an impetus to change Banking practices, but are aimed at making the Banking experience more ‘customer-centric’. For example, an additional function of these standards is to secure additional Rights for Banking consumers, offering a Right to Recourse as well as lower customer liability in case of breaches.

PSD2 Technology Mandates

XS2A via APIs

SCA and 2FA

Anomaly Detection, Fraud & Penetration monitoring

Customer On-boarding

XS2A via APIs

Banks are mandated to allow TPPs access to customer account data (XS2A, "access to account") where the customer has provided Consent for the information to be accessed. This access to customer consented information allows TPPs to deliver Account Information Services [AIS] as well as Payment Initiation Services [PIS]. Banks, under PSD2 and Open Banking, are required to use APIs to expose this information to third parties.

SCA and 2FA

Strong Customer Authentication (SCA) via 2-factor authentication (2FA) is mandated by the RTS to access customer account information using secure APIs. The authentication must meet two out of three personal criteria: Possession (something one possesses such as a token), Knowledge (something one knows such as a password) or Inherence (something unique to one such as an individual’s biometric reading).

Consent Management

Under the PSD2 regulation, customer Consent is mandated to grant or remove access to customer specific account information held by Banks and shared with TPPs. The directive is prescriptive about consented information being used only by the third party (TPP/AISP/PISP) that has been given consent, and only for the specific action that has been consented.
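The two rules above (SCA needs factors from two distinct categories; consented data may be exercised only by the TPP that holds the consent and only for the consented action) are easiest to see as an authorization check at the XS2A API boundary. The following is an added illustration written for this page, not Fiorano's code and not part of its Accelerator; the consent record layout, the AIS/PIS scope strings and every TPP, customer and account identifier are constructed assumptions.

```python
"""Consent-scoped access check for a PSD2-style XS2A API (added example).

Models two RTS requirements: SCA requires two factors from distinct
categories (knowledge, possession, inherence), and a consent is bound to
one TPP and one action (AIS read vs PIS initiation). All identifiers are
constructed sample values, not real customer or TPP data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"     # e.g. password or PIN
    POSSESSION = "possession"   # e.g. registered device or hardware token
    INHERENCE = "inherence"     # e.g. fingerprint or face match


def sca_satisfied(presented: list[Factor]) -> bool:
    """SCA holds only with two factors from *different* categories;
    password + PIN are both knowledge and therefore do not qualify."""
    return len(set(presented)) >= 2


@dataclass
class Consent:
    consent_id: str
    psu_id: str                 # payment service user (the customer)
    tpp_id: str                 # the only TPP allowed to exercise this consent
    scope: str                  # "AIS" (account information) or "PIS" (payment initiation)
    accounts: frozenset[str]    # accounts the customer agreed to expose
    expires_at: datetime
    revoked: bool = False       # set when the customer withdraws consent


@dataclass
class AccessRequest:
    tpp_id: str
    consent_id: str
    action: str                 # "AIS" or "PIS"
    account: str
    factors: list[Factor] = field(default_factory=list)


def authorize(req: AccessRequest, store: dict[str, Consent],
              now: datetime | None = None) -> tuple[bool, str]:
    """Return (allowed, reason). Each denial has its own reason so the
    decision can be logged and audited per request."""
    now = now or datetime.now(timezone.utc)
    consent = store.get(req.consent_id)
    if consent is None:
        return False, "unknown consent"
    if consent.revoked:
        return False, "consent revoked by customer"
    if now >= consent.expires_at:
        return False, "consent expired"
    if consent.tpp_id != req.tpp_id:
        # Consent is not transferable between third parties.
        return False, "consent was granted to a different TPP"
    if consent.scope != req.action:
        # An AIS consent never authorizes a payment initiation, and vice versa.
        return False, f"action {req.action} outside consented scope {consent.scope}"
    if req.account not in consent.accounts:
        return False, "account not covered by consent"
    if not sca_satisfied(req.factors):
        return False, "strong customer authentication not satisfied"
    return True, "ok"


# Constructed sample consent store and fixed clock for repeatable results.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
CONSENTS = {
    "c-1001": Consent("c-1001", "psu-42", "tpp-alpha", "AIS",
                      frozenset({"acct-001"}), NOW + timedelta(days=90)),
}


def demo() -> list[tuple[bool, str]]:
    """Four requests against the same consent: one valid, three denied."""
    two_factor = [Factor.KNOWLEDGE, Factor.POSSESSION]
    ok_req = AccessRequest("tpp-alpha", "c-1001", "AIS", "acct-001", two_factor)
    wrong_tpp = AccessRequest("tpp-beta", "c-1001", "AIS", "acct-001", two_factor)
    scope_creep = AccessRequest("tpp-alpha", "c-1001", "PIS", "acct-001",
                                [Factor.KNOWLEDGE, Factor.INHERENCE])
    weak_sca = AccessRequest("tpp-alpha", "c-1001", "AIS", "acct-001",
                             [Factor.KNOWLEDGE, Factor.KNOWLEDGE])
    return [authorize(r, CONSENTS, NOW)
            for r in (ok_req, wrong_tpp, scope_creep, weak_sca)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The order of checks matters for what gets logged: consent identity, revocation and expiry are evaluated before the TPP and scope comparison, so a revoked consent is reported as revoked rather than leaking whether some other TPP holds it.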

Fiorano PSD2 – Consent Management

Anomaly Detection, Fraud and Penetration monitoring

Layered security and Fraud Detection are enabled via OEM integration. The Fiorano PSD2 platform incorporates industry leading Threat and Anomaly detection technology to support transactional risk ranking and decision making.

Class-leading Behavior analytics, Threat and Anomaly engines combine with optional end-user specific Biometrics and Device Finger-print tokens to provide full coverage as per the RTS specifications.

Customer On-boarding

Fiorano Consent Management, built on an Identity Engine, supports customer on-boarding out of the box with optional pre-configured OEM integration with Public eID schemes, Registry lookups, Consumer identities, Hosted identity methods and Digital Identity paper verification.

Fiorano PSD2 Accelerator

Fiorano’s PSD2 Accelerator is built to technology specifications mandated by the RTS and offers end-to-end PSD2 functionality:

Fiorano PSD2 Accelerator

Built on Fiorano’s enterprise grade and secure API Management platform and high-performance Enterprise Service Bus (ESB) architecture, the PSD2 Accelerator comes pre-configured with PSD2 APIs for integration with TPP systems and with in-built Consent Management for SCA functionality that supports Consent requirements under both the PSD2 and GDPR regulations. It offers two stages, or levels, of implementation:

  • Level 1 implementation: Provides the core API, Consent and integration infrastructure a bank requires to become compliant, without offering TPP functionality. The Level 1 implementation covers over 60% of the RTS; the remainder is specific to TPPs and is covered under a Level 2 implementation.
  • Level 2 implementation: Enables the additional functionality and business benefits associated with being a full TPP, over and above the Level 1 compliance components.

Fiorano Universal Consent Platform – Aligning the GDPR and PSD2

Fiorano’s Universal Consent platform is open standards based and supports Consent requirements under both GDPR (consent must be freely given, specific, informed, unambiguous and based on affirmative action) and PSD2 (based on Account Information Consent Requests and Payment Initiation Consent Requests). At a basic level this gives end-user organizations the option to meet the obligations of both regulations using a common Consent methodology and Identity Store, and to think beyond basic compliance towards good data governance:

Fiorano Universal Consent Platform – Aligning the GDPR and PSD2
