The PSD2 (Payment Services Directive 2) is an EU Directive that regulates payment services and payment service providers, whose goal is
- to increase the security of payment transactions;
- to strengthen consumer protection;
- to promote innovation; and
- to increase the competition in the market.
The PSD2 applies to payments in EU/EEA currencies between payment service providers domiciled in the EU/EEA. Additionally, it also applies to some payments in non-EU/EEA currencies (e.g. US dollars or pounds sterling) or when a payment service provider is domiciled outside the EU/EEA (e.g. Switzerland or USA). However, a number of provisions of the PSD are excepted for such payments.
As of 13 January 2018, the new Payment Services Directive (PSD2) was implemented in national law. Some of the regulations, e.g. concerning the connection of third-party services (account information services, payment initiation services) and the new rules for strong customer authentication will only enter into force as of 14 September 2019.
Banks are required to amend their terms and conditions that are impacted by the PSD2 and inform their customers of this. Due to the statutory amendments that will apply from 15 September 2019, we have amended our "Special terms and conditions for the use of fund banking and the InfoManager". The amendments concern the online banking.
The PSD2 has introduced new regulations for third-party services. This applies to payment initiation and account information services (e.g. Amazon, PayPal). If the customer uses such third-party services in the context of the online banking, the bank must grant these third-party services access to the customer's payment account. The third-party services are now subject to the supervision of the Federal Financial Supervisory Authority (BaFin).
Additionally, the rights of bank customers are strengthened in certain areas such as the following:
- Unauthorised payments are refunded in less time.
- The rights in the event of late execution of a payment are regulated.
- Payment transactions within the European Economic area in a third-country currency (e.g. US dollars) are impacted more intensively by the payment service laws.
No. Currently, the amendments to the "Special terms and conditions for the use of fund banking and the InfoManager" do not affect the prices.
Through the online access of third-party service providers (e.g. PayPal), customers can request these to make payments or retrieve account information (e.g. for their financial planning). As these service providers are now legally recognised and subject to banking supervision, customers may disclose their banking PIN and TAN to these customers for specific transactions.
When you shop online, e.g. from Amazon or Ebay, the respective seller may use a service provider referred to as payment initiation service, e.g. PayPal. If the customer authorised the third-party service to do so, the third-party service will submit the transfer order to the bank on behalf of the customer. Thus, your approval is required.
The customer decides whether and which account data the third-party service may view in order to perform his service for the customer. To make sure they understand the implications of their approval, the customers should carefully read the third-party's information regarding its data access.
Account information services can retrieve account information such as transactions, balances and interim transactions of payment accounts, provided that the customer participates in his bank's online banking. This is especially attractive for customers who hold accounts with several banks and would like to have a better overview over their accounts.
Henceforth, these third-party services will be subject to supervision. Thus, payment initiation services need a licence from the national supervisory authority. In Germany, this is the Federal Financial Supervisory Authority (BaFin). Account information services are required to register with BaFin.
For the licence and registration, payment initiation and account information services are required to take out professional indemnity insurance or provide an equivalent guarantee. For the time being, services that have been active since before 2016 are permitted to keep their status.
The European Banking Authority and BaFin keep lists that can also be viewed on the Internet: A European list of all third-party services is made available by the European Banking Authority. By means of various search criteria, customers can search this list to check whether a particular third-party service has the needed licence or registration. BaFin publishes lists of registered and licensed third-party services. In the case of doubt, the customer can also ask BaFin directly.
If a payment not initiated or approved by the account holder has been booked to the payment account, the account holder can request a refund. The refund period has been reduced to one working day. Exception: The bank determines that the payment has been authorised by the account holder or the customer is suspected of fraud.
In the event of late execution of a payment, the payment service providers are under the obligation to compensate this delay vis-à-vis the payee.
In the event of abuse of the online banking PIN/TAN, the customer is currently liable for losses up to an amount of €150 unless he blocked his card or online account. This liability limit will drop to €50. Only in the case of intent or gross negligence, the customer will continue to be liable without any limitation.
For payments on the Internet, two-factor authentication is already mandatory. This means that the customer's authentication needs to take place via two factors that are conveyed through knowledge (e.g. PIN), possession (e.g. smartphone) or inherence (e.g. fingerprint, face ID).
What is new is that the authentication elements must dynamically link the payment transaction to a specific amount and a specific payee. For this reason, the iTAN procedure can no longer be used from 14 September 2019.
Henceforth, the PSD2 also requires this procedure for the login to the online banking and other actions that involve a risk of abuse.
This concerns, inter alia, payment orders by e-mail. These can no longer be accepted in future. Orders must be submitted either by fax or via the online portal of the fund custodian bank.
Due to statutory requirements for all banks, we are required to discontinue the iTAN procedure (paper iTAN list) for cash account transactions as of 14 September 2019.
For other online transactions, the iTAN procedure will be deactivated by the end of the first quarter of 2020.
From 9 August 2019, we will offer you our new pushTAN procedure.
Starting in July 2019, all customers who are affected by the change will receive additional information about the change by letter or via the InfoManager. Additionally, you can find a FAQ section about pTAN on this website.
On 27 November 2017, the European Commission published the Regulatory Technical Standards (RTS) for the secure communication and strong customer authentication for the PSD2. The European Commission has thus clearly expressed its support for access to payment accounts via secure interfaces (APIs). However, banks must also offer the third-party service providers an additional emergency solution. For this we will continue to make the option of “screen scraping” available for the payment service providers. Due to the regulations of PSD2 this emergency solution is only available to those providers who have previously identified themselves to us. As a result, “screen scraping” should only be used as an emergency solution and the service provider must first be authenticated for the use of the PSD2 interface in order to be able to use it. This serves the interests of customers and strengthens both the security of online banking and the transparency about the forwarding of data.
The PSD2 interface will be available from 14 September 2019.
Unable to find answers to your questions? Simply send an e-mail to firstname.lastname@example.org.