PSD2 Access to Bank Accounts

Last updated: 21 December 2018

The revised Payment Services Directive (EU 2015/2366, also known as PSD2) came into force on 12 January 2016 and for most of the provisions, Member States had until 13 January 2018 to implement them into national laws.

The most debated and impactful parts of the PSD2 are related to the provisions on strong customer authentication for online payments and on the introduction of new 'payment initiation and account information services', operated by third party providers. The PSD2 security measures related to third party account access and to strong customer authentication enter into force on 14 September 2019 (18 months after the adoption by the European Commission, European Parliament and the Council of Ministers and the subsequent official publication of the necessary technical standards in the EU Official Journal on 13 March 2018).

 

Related to the PSD2 requirements on third party account access and strong customer authentication, many different organisations in Europe have already worked on high-level business and functional requirements. In a Joint Initiative together with additional banks (ASPSPs) and payment associations, the Berlin Group has worked on a detailed 'Access to Account Framework' with data model (at conceptual, logical and physical data levels) and associated messaging, based on the EBA Regulatory Technical Standards (RTS). The EBA had to balance between a high degree of prescription in the standards on the one side and customer convenience and future innovation on the other side.

Considering the stringent timelines needed for implementation, the Joint Initative published a full detailed Version 1.0 of the NextGenPSD2 'Access to Accounts Framework' with Operational Rules and Implementation Guideline documents on 8 February 2018. The NextGenPSD2 Framework Version 1.0 offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services (‘Banking as a Service’) by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.

 

The Framework integrates market requirements as expressed in the extensive market feedback from the public market consultation of October/November 2017 for which a total of approximately 1,000 market comments from 59 organisations have been processed. The Framework also integrates applicable legislations and regulations as it is based on the EBA RTS. The Version 1.0 NextGenPSD2 Framework comprises Operational Rules and Implementation Guidelines, supports the PSD2 required account information (AIS), payment issuer instrument (PIIS) and payment initiation (PIS) services and is among others built on RESTful and JSON standards, relying on ISO20022 standards for the data elements to be exchanged. A Version 1.1 release update of the Implementation Guidelines has been published on 11 May 2018 and integrates the results of convergence discussions with other API initiatives, as well as some additional functionality and errata. A Version 1.2 release update of the Implementation Guidelines has been published on 25 July 2018 and integrates amongst others Multiple SCA (Strong Customer Authentication) for corporates, payment cancellations, signing baskets and a redesigned resource structure, separating payment and consent resources from authorisation and cancellation authorisation sub-resources. A Compliancy Version 1.3 of the Implementation Guidelines was published on 19 October 2018, complemented with an updated Version 1.3 of the Operational Rules on 21 December 2018. The Version 1.3 Framework documents have also been complemented with a Version 1.3 OpenAPI file as a reference documentation. Please note that the normative reference still is the Implementation Guidelines document.

The documents are ready to be used by banks and TPPs for implementing PSD2-required bank account access. Although the market consultation has closed, market feedback with suggestions for improvement is certainly still welcomed at info@berlin-group.org.

Future work

A Version 2.0 is being prepared for publication in 2019 which introduces extended value-added services that describe functionalities beyond the core compliancy services.

 

Further market involvement

Participants of the NextGenPSD2 Taskforce represent the market supply-side, that is mandated by PSD2 and EBA RTS to provide an XS2A interface and is liable for any damages. However, NextGenPSD2 is interested in further engagement to involve broader market interests as well. To this end, a NextGenPSD2 Advisory Board with a balanced multi-stakeholder representation from the market demand- and supply-side is being explored for which market participants could register their interest until 30 April 2018. An Advisory Board would offer participants the opportunity to liaise, interact and engage in a 2-way dialogue on strategic, business and technical topics related to the use and evolution of the NextGenPSD2 standards and beyond, ensuring up-to-date information on all NextGenPSD2 activities and future specification development from inception. The NextGenPSD2 Advisory Board will offer every opportunity to discuss and feed input into the NextGenPSD2 standards development process. As such, the Advisory Board would offer a Forum for debate and should help to foster adoption of NextGenPSD2, remove barriers, find optimisation potentials, ensure usability of NextGenPSD2 for implementers, and contribute to pan-European harmonisation with improved interoperability across the PSD2 XS2A value chain. Above all, the Advisory Board should take a solution-oriented approach.

Schedule of Events

  • On 19 October 2018, a Version 1.3 release update of the NextGenPSD2 Implementation Guidelines has been published, complemented on 21 December 2018 with an updated Operational Rules document, an errata document and a Version 1.3 OpenAPI file.

  • On 5 October 2018, a dedicated website for the NextGenPSD2 Conference 2018 was launched at www.xs2a-inpractice.eu

  • On 14 September 2018, a Bulletin (Bulletin 01) has been published on the NextGenPSD2 downloads page, announcing important changes within the Berlin Group NextGenPSD2 Framework which will be covered in Version 1.3, relative to Version 1.2.

  • On 25 July 2018, a Version 1.2 release update of the NextGenPSD2 Implementation Guidelines has been published.

  • On 6 July 2018, a first webinar conference call of the future NextGenPSD2 Advisory Board took place. As a matter of transparency, please find the presentation slides here and a consolidated Q&A document listing the questions and answers that resulted from the audience in this first meeting can be found here.

  • On 8 June 2018, a market consultation resolved issues document has been published.

  • On 18 May 2018, a detailed change log from Version 1.0 to 1.1 has been published.

  • On 11 May 2018, a Version 1.1 release update of the NextGenPSD2 Implementation Guidelines has been published.

  • Registration for a NextGenPSD2 Advisory Board was possible until 30 April 2018.

  • On 8 February 2018 the NextGenPSD2 Framework Version 1.0 was published and announced in a press release.

  • A NextGenPSD2 Public Market Consultation was organised from 02 October 2017 until 17 November 2017.

  • On 25 October 2017 a NextGenPSD2 Conference has been organised in Berlin.

  • On 27 September 2017 the launch of the NextGenPSD2 Public Market Consultation was announced in a press release.

  • On 13 June 2017 the creation of the 'Access to Account Framework' was announced in a press release.

Public Articles

All public articles are made available in PDF or PPSX format. Upon request files can be made available in MS Office formats as well.

Technical Specifications

  • NextGenPSD2 Framework Version 1.3 can be downloaded here.

Archive

© The Berlin Group - Disclaimer and Dataprivacy Policy