Background: PSD2 and the Berlin Group
The following timeline gives a broad overview of the main steps of the work of the Berlin Group since the Revised Payment Services Directive became national law in January 2018. For more detailed information on the Berlin Group, go here.
PSD2 security measures related to Third Party Account Access and to Strong Customer Authentication enter into force
At the latest on September 14th 2019 banks and processors start operating their PSD2 ‘Access to Accounts’ (XS2A) infrastructures in production, enabling Account Access to the new ‘payment initiation’ and ‘account information’ services, operated by Third Party Providers (TPPs).
The NextGenPSD2 Implementation Support Program (NISP) is a pan-European initiative, initiated by a coalition of banks, banking associations, payment associations, payment schemes and interbank processors in SEPA operating across all EU Member States. NISP aims to support banks and interbank processors in implementing the Berlin Group NextGenPSD2 Framework, primarily in achieving swift compliance to all relevant European Union (EU) and European Banking Authority (EBA) regulatory and organisational requirements. NISP will also support NextGenPSD2 implementers to benefit from the exemption to implement a ‘fall-back’ interface solution. NISP also helps implementers with an efficient testing process, to optimise their implementations, to achieve maximum implementation quality levels, while solving interoperability issues and developer questions.
NISP is open to further participation from similar organisations.
Official publication of the necessary technical standards in the EU Official Journal
The European Banking Authority (EBA) has drafted the PSD2 security measures related to Third Party Account Access and to Strong Customer Authentication in an additional Regulatory Technical Standard (RTS). The EBA RTS enters into force on September 14th 2019 (18 months after the adoption by the European Commission, European Parliament and the Council of Ministers and the subsequent official publication in the EU Official Journal on March 13th 2018). EBA had to balance between a high degree of prescription in the standards on the one side and customer convenience and future innovation on the other side.
When the EBA RTS enters into force, banks are mandated to offer for online accessible accounts at least one communication interface to allow Third Parties (upon bank customer approval) to access the data they need in compliance with PSD2. In addition, banks need to make the documentation of their communication interface and a testing facility available, at least 6 months before the EBA RTS enter into force.
Berlin Group NextGenPSD2 Framework Version 1.0 publication
Berlin Group NextGenPSD2 offers a detailed ‘Access to Account’ (XS2A) Framework with data model (at conceptual, logical and physical data levels) and associated messaging, based on the Regulatory Technical Standards (RTS) of the European Banking Authority (EBA). The Berlin Group NextGenPSD2 Framework offers Operational Rules and Implementation Guideline documents with a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and enables European banking customers to benefit from innovative products and services (‘Banking as a Service’) by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.
The Framework integrates market requirements as expressed in the extensive market feedback from the public market consultation of October/November 2017, and also integrates applicable legislations and regulations as it is based on the EBA RTS. The Version 1.0 NextGenPSD2 Framework supports the PSD2 required account information (AIS), payment issuer instrument (PIIS) and payment initiation (PIS) services and is among others built on RESTful and JSON standards, relying on ISO20022 standards for the data elements to be exchanged.
The most recent version of the Berlin Group NextGenPSD2 Framework can be downloaded here
PSD2 transposition into national laws
The revised Payment Services Directive (EU 2015/2366, also known as PSD2) came into force on 12 January 2016 and for most of the provisions, Member States had until 13 January 2018 to implement them into national laws. The most debated and impactful parts of PSD2 are related to the provisions on Strong Customer Authentication (SCA) for online payments and on the introduction of new ‘payment initiation and account information services’, operated by third party providers (TPPs).