PSD2 / Open Banking
European legislation that requires banks to share customer account data with authorised third parties and mandates strong customer authentication for online payments.
Also known as: PSD2, Open Banking, SCA, Strong Customer Authentication
Last reviewed: 10 June 2026
The Second Payment Services Directive (PSD2) has applied across the EU since January 2018 (the UK transposed it into national law before leaving the EU), with its Strong Customer Authentication requirements phased in from September 2019. It has two main pillars. First, Open Banking: banks must give authorised third-party providers (TPPs), in practice account information service providers (AISPs) and payment initiation service providers (PISPs), API access to customer account data and the ability to initiate payments, subject to the customer's explicit consent. Second, Strong Customer Authentication (SCA): electronic payments and remote access to account data must be authenticated with at least two factors from different, independent categories (knowledge: something the customer knows; possession: something they hold; inherence: something they are), replacing password-only verification. For remote payments the authentication must also be dynamically linked to the transaction: the customer is shown the amount and payee, and the resulting authentication code is specific to both, so any change to either invalidates it. The regulatory technical standards allow exemptions, for example low-value transactions and transactions a bank's risk analysis rates as low risk, which is why not every card payment triggers an SCA prompt.
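The factor and dynamic-linking rules above, as an added example written for this page and not taken from any bank, card scheme or the directive's own text: sca_factors_ok rejects two factors from the same category (a password plus a PIN is still one category), and the HMAC-based authentication code produced by generate_auth_code over the amount and payee the customer was shown means a payee swapped after approval fails verify_payment. The factor-to-category mapping, the Payment fields, the shared device_key and the transaction values are assumptions made for the illustration, not anything the standards specify.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# SCA factor categories. Which concrete authenticators fall into which category
# is an assumption for this example; a bank's own enrolment data defines it.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "registered_device": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


@dataclass(frozen=True)
class Payment:
    amount_minor_units: int  # pence/cents, so there is no float rounding ambiguity
    currency: str
    payee: str               # the payee identifier the customer is shown
    nonce: str               # fresh per transaction, so an old code cannot be replayed


def sca_factors_ok(presented):
    """SCA needs at least two factors from *different* categories.
    Unknown authenticator names are ignored rather than counted."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def linking_message(p):
    """Canonical byte string covering exactly the fields the customer was shown."""
    return f"{p.amount_minor_units}|{p.currency}|{p.payee}|{p.nonce}".encode()


def generate_auth_code(device_key, displayed):
    """Authenticator (registered device) side: the code is an HMAC over the
    amount and payee displayed to the customer, i.e. it is dynamically linked."""
    return hmac.new(device_key, linking_message(displayed), hashlib.sha256).hexdigest()


def verify_payment(device_key, presented_factors, submitted, code):
    """Bank side: accept only if two factor categories were used and the code
    matches the transaction the bank is about to execute. If the payee or
    amount was altered after the customer approved it, the HMAC no longer
    matches and the payment is rejected."""
    if not sca_factors_ok(presented_factors):
        return False
    expected = generate_auth_code(device_key, submitted)
    return hmac.compare_digest(expected, code)


def demo():
    """Constructed scenario: a customer approves a 125.00 GBP payment on their
    registered device; an attacker then swaps the payee before submission."""
    device_key = b"example-key-enrolled-on-registered-device"  # constructed secret
    shown = Payment(12500, "GBP", "ACME Ltd", "nonce-0001")
    code = generate_auth_code(device_key, shown)
    honest = verify_payment(device_key, ["password", "registered_device"], shown, code)
    swapped = verify_payment(device_key, ["password", "registered_device"],
                             replace(shown, payee="Mule Account"), code)
    same_category = verify_payment(device_key, ["password", "pin"], shown, code)
    return honest, swapped, same_category


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of binding the code to the displayed amount and payee is that the approval screen becomes the customer's only trustworthy view of the transaction: if what the bank executes differs from what the device signed over, verification fails regardless of how many factors were presented.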
Open Banking also creates new fraud vectors: fraudsters build apps or phishing pages that imitate a legitimate TPP, or the bank's own consent screen, to trick consumers into granting account access or authorising a payment to an account the fraudster controls. SCA significantly reduces card-not-present fraud, but it is circumvented through social engineering rather than by breaking the authentication itself: the fraudster initiates a payment and then, typically by phone while posing as the bank or a merchant, persuades the victim to approve the authentication prompt for it.
Consumers should grant Open Banking consent only when redirected to their bank's official app or website, review the list of authorised TPPs in their bank's settings regularly and revoke any they no longer use, and never approve an authentication prompt for a payment they did not personally initiate. Because an SCA prompt for a payment must show the amount and payee, a prompt whose details do not match what the consumer is actually doing should be declined and reported to the bank.