EU starts to implement PSD2
29 November 2017 15:44 GMT

The European Commission has adopted rules that it says will make electronic payments in shops and online safer.

These rules implement the EU's recently-revised Payment Services Directive (PSD2) which aims to modernise Europe's payment services so as to keep pace with this rapidly evolving market .

The EU has said the rules allow consumers to use innovative services offered by third party providers, also known as FinTech companies, while maintaining rigorous data protection and security for EU consumers and businesses. These include payment solutions and tools for managing one's personal finances by aggregating information from various accounts.

Valdis Dombrovskis, Vice-President in charge of Financial Stability, Financial Services and Capital Markets Union said: "These new rules will guide all market players, old and new, to offer better payment services to consumers while ensuring their security."

A key objective of PSD2 is to increase the level of security and confidence of electronic payment. In particular, PSD2 requires payment service providers to develop strong customer authentication (SCA). Today's rules therefore have stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users' financial data, especially relevant for online payments. They require a combination of at least two independent elements, which could be a physical item - a card or mobile phone - combined with a password or a biometric feature, such as fingerprints before making a payment.

PSD2 also establishes a framework for new services linked to consumer payment accounts, such as the so-called payment initiation services and account information services. These innovative services are already on offer in many EU countries but thanks to PSD2 they will be available to consumers across the EU, subject to strict security requirements. The rules specify the requirements for common and secure standards of communication between banks and FinTech companies.

Following the adoption of the Regulatory Technical Standards by the Commission, the European Parliament and the Council have three months to scrutinise them. Subject to the scrutiny period, the new rules will be published in the Official Journal of the EU. Banks and other payment services providers will then have 18 months to put the security measures and communication tools in place.