What is the Payment Services Directive (PSD2)?

The Payment Services Directive (PSD2) is the EU’s comprehensive legislation that regulates payment services and has significant consequences for accounting and financial reporting. The directive affects how companies handle means of payment, bank transactions and open banking.

Overview of the PSD2 Payment Services Directive

What is PSD2?

Payment Services Directive 2 (PSD2) is the EU’s second payment services directive that entered into force in 2018. The directive aims to:

  • Increase competition in the payment market
  • Improve consumer protection in payment services
  • Promote innovation through open banking
  • Harmonize the regulations across the EU/EEA area
  • Strengthen security for electronic payments

Main components of PSD2

PSD2 consists of several key elements that affect both payment services and accounting:

[Figure: PSD2 main components and their relationship]

1. Open Banking

Open banking requires banks to give third-party providers access to customers’ account information and payment services:

  • Account Information Services (AIS): Access to account information
  • Payment Initiation Services (PIS): Ability to initiate payments
  • Confirmation of Availability of Funds (CAF): Confirmation of available funds

2. Strong Customer Authentication (SCA)

Strong Customer Authentication requires two-factor authentication for electronic payments, combining elements from at least two of these categories:

  • Something you know: PIN code, password
  • Something you have: Mobile phone, token
  • Something you are: Fingerprint, facial recognition

PSD2’s Impact on Accounting

Accounting for New Payment Services

PSD2 introduces new types of payment services that require specific accounting treatment:

Service Type | Accounting treatment | Account Class | Documentation
AIS Services | Expensing of service fees | 6xxx | Service Agreements
PIS Services | Treatment as bank transactions | 19xx | Payment order
E-Money Services | Special treatment as means of payment | 19xx | E-money contracts
Card Issuance | Treatment as financial instruments | 18xx | Card Agreements

Internal control and Compliance

PSD2 sets stricter requirements for internal control and documentation:

[Figure: PSD2 internal control and compliance requirements]

Documentation requirements

  • Payment orders: All electronic payments must be documented
  • Authorization Logs: Tracking of all authentication actions
  • API Transactions: Logging of all third-party access
  • Security reports: Monthly reporting of security incidents

Accounting Consequences

Increased compliance costs:

Debit: 6840 Other operating expenses
Credit: 2400 Accounts payable

Investments in IT systems:

Debit: 1230 Movable operating assets, fixtures, etc.
Credit: 1900 Bank deposits

Implementation in the UK

UK regulatory oversight

In the UK, PSD2 requirements are implemented through the Payment Services Regulations and supervised mainly by the Financial Conduct Authority (FCA), with the Payment Systems Regulator (PSR) covering parts of the payments ecosystem:

  • Authorisation and supervision of payment and e-money institutions
  • Ongoing compliance monitoring for safeguarding, security and conduct
  • Regulatory reporting under UK rules
  • Enforcement actions for breaches

Practical UK compliance points

UK firms usually focus on practical controls around these areas:

Focus area | Typical UK expectation | Accounting impact
Safeguarding | Segregation and reconciliation of client funds | Additional control procedures and reconciliations
SCA / fraud controls | Strong customer authentication and monitoring | Investment in security tools and monitoring costs
Third-party access (AIS/PIS) | Robust API access governance and consent controls | More detailed logging and audit trails
Regulatory reporting | Ongoing incident and compliance reporting | Increased admin and compliance overhead
Operational resilience | Clear contingency plans for payment disruptions | Documented controls and periodic testing

Accounting of PSD2 Transactions

Basic Principles

Accounting for PSD2-related transactions follows normal accounting principles, but with special considerations:

[Figure: PSD2 accounting process]

1. Identification and Classification

All PSD2 transactions must be correctly identified and classified:

  • Type of payment: Direct, indirect or third-party-initiated
  • Fee structure: Fixed fees, percentage-based or combined
  • Currency: Domestic or foreign currency
  • Counterparty: Bank, payment service provider or customer

2. Timing and Periodization

The periodization (accrual) principle applies to all PSD2-related entries:

On payment initiation:
Debit: 1500 Accounts receivable
Credit: 3000 Sales revenue

When the fee is charged:
Debit: 6700 Other operating expense
Credit: 1900 Bank deposits

Special Accounting Areas

API Costs and License Fees

Third-party access to bank data entails new cost types:

Cost type | Accounting | Periodization | Example
API Fees | Expensed as incurred | Monthly | NOK 5,000/month
License Fees | Prepaid costs | Annual distribution | NOK 50,000/year
Certification costs | Intangible assets | Depreciation over 3 years | NOK 100,000
Compliance Costs | Operating costs | Ongoing | NOK 20,000/month

Security investments

SCA implementation requires significant investment:

Investment in authentication system:
Debit: 1230 Movable operating assets, fixtures, etc.       500,000
Credit: 2400 Accounts payable                                      500,000

Monthly depreciation (5 years):
Debit: 6040 Depreciation of movable operating assets       8,333
Credit: 1239 Acc. depreciation, movable operating assets           8,333

Risk management and Internal control

PSD2-Specific Risks

New areas of risk as a result of PSD2:

[Figure: PSD2 risk areas and control measures]

Operational Risks

  • API Availability: Risk of system downtime
  • Data integration: Errors in automated processes
  • Dependence on third parties: Risk related to external suppliers
  • Cybersecurity: Increased exposure to digital threats

Financial Risks

  • Fee Volatility: Unpredictable transaction costs
  • Currency risk: Exposure from cross-border payments
  • Liquidity risk: Delays in payment settlements
  • Credit risk: Counterparty risk with new payment services

Control measures and Documentation

Monthly Control Activities

Systematic follow-up of PSD2 compliance:

  • Transaction control: Reconciliation of all PSD2 transactions
  • Fee analysis: Control of payment service fees
  • API Logging: Review of third-party access
  • Security reports: Evaluation of authentication failures

Quarterly Reporting

Regular reporting to management and authorities:

Report Type | Contents | Recipient | Deadline
Compliance Report | PSD2 Compliance | FCA / relevant regulator | 30 days after quarter
Risk Report | Operational risks | Board | 15 days after quarter
Cost Analysis | PSD2 related costs | Management | 10 days after quarter
Security Report | Cyber Security and SCA | IT Committee | 5 days after quarter

Future Developments

PSD3 and Upcoming Changes

The EU Commission is working on PSD3, which will introduce further changes:

[Figure: Timeline of PSD3 implementation]

Expected Changes

  • Extended scope: More payment services are included
  • Stricter security requirements: Improved SCA and fraud detection
  • Increased transparency: Better price comparison and fee structure
  • Digital identity: Integration with eID solutions
  • Sustainability: Requirements for environmental reporting for payment services

Accounting Consequences

Preparations for PSD3 should start now:

Provision for future compliance costs:
Debit: 6840 Other operating expenses          200,000
Credit: 2180 Other short-term liabilities             200,000

New technologies will affect PSD2 implementation:

  • Artificial intelligence: Automated fraud detection
  • Blockchain: Decentralized payment solutions
  • Biometrics: Advanced authentication methods
  • IoT Payments: Payments from connected devices
  • Cryptocurrency: Regulation of digital currencies

Practical advice for companies

Implementation strategy

Systematic approach to PSD2 compliance:

Phase 1: Mapping and Analysis (1-2 months)

  • Review of existing payment processes
  • Identification of PSD2 affected areas
  • Risk assessment of new requirements
  • Cost estimation for implementation

Phase 2: System adaptations (3-6 months)

  • IT system updates for SCA support
  • API integrations with third-party services
  • Accounting system adjustments for new transaction types
  • Reporting tool for compliance monitoring

Phase 3: Testing and Validation (1-2 months)

  • Functional testing of all payment channels
  • Security testing of authentication solutions
  • Accounting testing of new transaction types
  • User training and procedural documentation

Phase 4: Production Setup and Monitoring (Ongoing)

  • Gradual rollout of new services
  • Continuous monitoring of performance and security
  • Regular reporting to authorities
  • Continuous improvement based on experience

Cost-Benefit Analysis

Evaluation of PSD2 investments:

Cost Category | Lump sum | Annual costs | Potential savings
IT Systems | NOK 2,000,000 | NOK 300,000 | Reduced manual processes
Compliance | NOK 500,000 | NOK 600,000 | Avoided sanctions
Training | NOK 200,000 | NOK 100,000 | Increased efficiency
Consultants | NOK 800,000 | NOK 200,000 | Faster Implementation
Total | NOK 3,500,000 | NOK 1,200,000 | Varies per company

Selection of Suppliers

Criteria for choosing PSD2 suppliers:

Technical Requirements

  • API Compatibility: Support for PSD2 API standards
  • Security Certification: QWAC and QSEAL certificates
  • Scalability: Handling increasing transaction volume
  • Integration possibilities: Compatibility with existing systems

Commercial Relations

  • Pricing model: Transparent and predictable costs
  • SLA agreements: Guaranteed uptime and performance
  • Support: 24/7 technical support in Norwegian
  • Future-proofing: Roadmap for PSD3 preparation

Conclusion

The Payment Services Directive (PSD2) represents a fundamental change in the European payment landscape with significant consequences for accounting and financial reporting. Companies must adapt their processes, systems and controls to ensure compliance and utilize the opportunities that open banking provides.

Most important takeaways

  • PSD2 affects all aspects of payment handling and accounting
  • Open banking creates new opportunities and risks
  • Strong customer authentication requires significant technology investment
  • Compliance costs must be budgeted and followed up systematically
  • Future changes (PSD3) require continuous attention

Recommendations

  1. Start early with PSD2 implementation to avoid stress and extraordinary costs
  2. Invest in technology that supports both current and future requirements
  3. Establish robust controls to ensure compliance and reduce risk
  4. Train staff in PSD2 requirements and new working methods
  5. Follow the development of PSD3 and other regulatory changes

By taking a proactive approach to PSD2, companies can not only ensure compliance, but also position themselves to take advantage of the new opportunities that the digital payment landscape offers.