Revised Payment Services Directive (PSD2)

Yes. In the UK, PSD2 is enforced by the Financial Conduct Authority (FCA), which:

• Authorizes and registers third-party providers (TPPs)
• Oversees their compliance and reporting obligations under PSD2

In general, non-EU companies are also affected if they offer payment services to customers located in the EU or EEA.

There are a few differences between PSD1 and PSD2. For example:

• Open banking. PSD2 legally required banks to open their infrastructure to licensed TPPs via APIs.
• Third-party access. PSD2 introduced a framework for third-party providers (TPPs), including Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
• Expanded scope. PSD2 extended coverage to transactions where only one party is located in the EU.
• Strong Customer Authentication (SCA). PSD2 made multi-factor authentication mandatory for most online payments. 

PSD2 applies to any business that provides payment services within the European Economic Area (EEA). Ultimately, various financial service providers are required to comply. 

For example:

• Payment institutions
• Electronic money institutions (EMIs)
• Credit institutions (banks and building societies)
• Account Information Service Providers (AISPs)
• Payment Initiation Service Providers (PISPs)
• Merchants and e-commerce businesses that process card payments
• Fintech companies operating in the payments space

Under PSD2, Third-Party Providers (TPPs) are licensed companies that can access a customer’s bank account data or initiate payments on their behalf (with the customer’s explicit consent).

PSD2 defines two main categories:

• Account Information Service Providers (AISPs). These providers can read and aggregate a customer’s account data from one or more banks (financial dashboards, credit scoring tools, budgeting apps, etc.).
• Payment Initiation Service Providers (PISPs). These providers can initiate a payment from a customer’s bank account directly, without going through a card network (common in e-commerce and lending).

Under PSD1, marketplaces operated in a gray area (due to being often exempt) because they were seen more as facilitators and than payment providers. However, PSD2 solves this issue. 

If a platform handles payments on behalf of buyers and sellers, it needs to:

• Obtain the appropriate payments licence
• Comply with the same regulations as other payment service providers

PSD2 does not have a mandatory KYC process, but it works alongside the EU’s Anti-Money Laundering Directives (AMLDs) to ensure that payment service providers verify the identity of their customers. 

As a result, PSPs and TPPs must apply a risk-based approach and are expected to:

• Verify the identity of customers during onboarding (typically using government-issued ID and proof of address)
• Re-verify customers when there is reason to suspect unusual activity
• Apply Enhanced Due Diligence (EDD) for higher-risk customers or transactions
• Maintain records of verifications for a minimum of five years