A plain guide to PSD2 and the UK Payment Services Regulations 2017: strong customer authentication, open banking, AISPs, PISPs and what firms must do.

If you take card payments, run a payment app, or connect to your customers' bank accounts, PSD2 sets the rules you work within. In the UK, PSD2 is not a single standalone law you can point to. It was implemented through the Payment Services Regulations 2017, a statutory instrument (SI 2017/752) that came into force on 13 January 2018 and is enforced by the Financial Conduct Authority as competent authority.
PSD2 stands for the second Payment Services Directive. It did three big things: it tightened the security around electronic payments through strong customer authentication, it opened up bank account data and payment initiation to regulated third parties (what most people call open banking), and it brought two new activities into regulation for the first time. Those changes affect everyone from a small online shop to a fully authorised payment institution.
This guide explains what PSD2 and the Payment Services Regulations 2017 actually require, in plain terms. We cover strong customer authentication and its main exemptions, the open banking roles of account information service provider and payment initiation service provider, safeguarding of customer money, and the practical steps a UK business should take. Every rule below is drawn from the FCA, the Payment Services Regulations 2017 on legislation.gov.uk, and PSD2 itself.
PSD2 is the European Union's revised Payment Services Directive. Because a directive is not directly binding in the way a regulation is, each member state had to bring it into its own law. The UK did this through the Payment Services Regulations 2017. The FCA confirms that PSD2 was implemented in the UK on 13 January 2018, and that the Regulations set out who must be authorised or registered, the conduct of business rules, and the security requirements that payment firms must meet.
The UK retained this framework after leaving the EU. Rather than falling away, the Payment Services Regulations 2017 continue to apply as domestic law, with the FCA remaining the competent authority. So the practical answer to "is PSD2 still relevant in the UK?" is yes: its substance lives on in the PSRs 2017 and in FCA rules and guidance, notably the FCA's consolidated guidance "Payment Services and Electronic Money: Our Approach".
The Regulations reach a wide range of firms. They cover authorised payment institutions, small payment institutions, registered account information service providers, e-money issuers and banks offering payment services. If your business moves money for other people, holds it, gives access to it, or authenticates payments, PSD2 through the PSRs 2017 almost certainly touches what you do.
Strong customer authentication is the security backbone of PSD2. It requires that when a customer logs into their payment account online, initiates an electronic payment, or does anything remotely that could carry a fraud risk, they are checked using two or more independent factors. The Payment Services Regulations 2017 define these factors as knowledge (something only the user knows, such as a password or PIN), possession (something only the user has, such as a phone or card reader) and inherence (something the user is, such as a fingerprint or face scan).
The two factors must be independent, meaning the breach of one does not compromise the other. A password plus a one-time code sent to a registered device is the familiar pattern. The FCA states that the SCA rules came into effect on 14 September 2019, and that firms should offer several different authentication methods, including options that do not rely on a mobile phone, so that customers are not locked out.
For online card payments specifically, the FCA ran a phased introduction and extended the final deadline. The FCA confirmed that 14 March 2022 was the latest it expected full SCA compliance for e-commerce transactions. From that date, banks can decline online card payments that should have been authenticated but were not, which is why merchants had to adopt tools such as 3D Secure. If you sell online and see payments being declined, weak or missing SCA is a common cause.
| Concept | Plain meaning |
|---|---|
| Strong customer authentication (SCA) | Checking a customer using two or more independent factors from knowledge, possession and inherence before online access or an electronic payment. |
| Account information service provider (AISP) | A regulated firm that provides consolidated information on a customer's payment accounts held elsewhere, with the customer's consent. |
| Payment initiation service provider (PISP) | A regulated firm that initiates a payment from a customer's bank account at another provider, on the customer's instruction. |
| Safeguarding | Protecting customer funds a payment institution holds so they are returned to customers if the firm fails. |
| SCA exemptions | Defined situations, such as certain contactless payments, where SCA does not have to be applied if the conditions are met. |
SCA is the default, but it is not required for every single transaction. PSD2 and the FCA recognise a set of exemptions designed to keep low-risk payments smooth while still protecting customers. Exemptions are applied by the payment service provider, not the customer, and each comes with conditions that must be met before it can be used.
Two exemptions matter most for everyday UK businesses. The contactless exemption allows card issuers not to apply SCA to contactless point-of-sale transactions where the conditions are met, which is why you can tap your card for small amounts without entering a PIN every time. The reauthentication exemption under Article 10A means customers do not have to reauthenticate with their bank every 90 days when accessing account information through a third-party provider, provided the third party reconfirms the customer's explicit consent at least every 90 days.
There are further exemptions in the underlying rules, for example around trusted beneficiaries and low-value payments, each with monetary and cumulative limits set out in the technical standards. The key point for firms is that exemptions reduce friction but do not remove accountability: the provider applying an exemption must have transaction monitoring in place to detect fraudulent or unauthorised transactions.
SCA requires two or more independent factors drawn from these three categories, as defined in the Payment Services Regulations 2017.
The most visible innovation from PSD2 is open banking. The Payment Services Regulations 2017 brought two new activities under regulation for the first time: account information services and payment initiation services. Both rely on a customer's payment account being accessible online, and both require the customer's explicit consent before a third party can act.
An account information service is defined as an online service that provides consolidated information on one or more payment accounts held by the customer with other payment service providers. An account aggregation app that shows all your bank balances in one place is an AISP. A payment initiation service is defined as an online service that initiates a payment order at the request of the customer from a payment account held at another provider. A checkout that pushes a payment straight from your bank account, without a card, is using a PISP.
Banks and other providers that hold online-accessible payment accounts, known as account servicing payment service providers, must give AISPs and PISPs access to those accounts once the customer has consented and authenticated. This access requirement is what makes open banking work in practice. If you are building a product that reads balances or moves money on a customer's behalf, you will need the correct permission before you go live. You can see how this fits together on our payments product page.
Whether you need to be authorised or can register depends on what you do. A payment initiation service provider must be authorised and, per the FCA, must hold a minimum of 50,000 euros in initial capital, or a higher amount if it provides certain other payment services. A firm that only provides account information services has a lighter route: it can become a registered account information service provider (RAISP), which carries no capital requirement and fewer conditions than full authorisation.
Both AISPs and PISPs must hold professional indemnity insurance covering the liabilities that can arise from their activities, with the minimum amount determined using European Banking Authority guidelines. Firms also have to meet security requirements, including governance and incident-reporting obligations, before the FCA will grant permission.
Choosing the right permission is a design decision as much as a compliance one. If your roadmap will eventually move money, applying as an authorised PISP from the start can save a costly re-application later. Our authorisation product is built to help firms scope the right permission and prepare a credible application.
If your firm holds funds belonging to customers while it processes their payments, safeguarding is one of the most important obligations in the Payment Services Regulations 2017. Safeguarding means protecting relevant customer funds so that, if the firm fails, those funds can be returned to customers rather than being lost to the firm's own creditors.
In practice this usually means keeping customer money separate from the firm's own money, either in a designated safeguarding account with an authorised credit institution or covered by an appropriate insurance or guarantee arrangement. The funds must be identifiable and segregated from the moment they are received, and firms are expected to have clear records and reconciliations that evidence how much is being safeguarded at any time.
The FCA treats safeguarding failures seriously because they go to the heart of customer protection. Weak reconciliation, commingling of funds, or unclear records are common problems. Firms should document their safeguarding method, test it regularly, and make sure their finance and operations teams understand exactly which monies must be protected and when.
For merchants, PSD2 mostly shows up as strong customer authentication at the checkout. Online card payments that need SCA and do not have it can be declined by the customer's bank, so merchants must work with payment providers that support tools like 3D Secure and apply exemptions correctly for low-risk transactions. Handled well, SCA reduces fraud and chargebacks; handled badly, it costs sales through unnecessary declines and abandoned baskets.
PSD2 also gives merchants a card-free option through open banking. Accepting payments initiated directly from a customer's bank account, via a PISP, can cut card fees and settle quickly. For many businesses this is the most tangible upside of the framework rather than just a compliance cost.
For payment firms, PSD2 through the PSRs 2017 sets the perimeter you operate within: the permission you hold, the SCA you must apply, the consent you must capture, and the customer money you must safeguard. Getting these right at the design stage is far cheaper than retrofitting them after an FCA review. If you are unsure which obligations apply to your model, the practical next step is a scoping conversation before you build.
PSD2 is best understood through the lens of the Payment Services Regulations 2017, the UK law that gives it effect. It requires strong customer authentication for online access and electronic payments, it created the open banking roles of AISP and PISP, and it obliges firms to be authorised or registered, to hold professional indemnity insurance, and to safeguard customer money. These rules are enforced by the FCA and remain in force in the UK today.
The businesses that get the most from PSD2 are the ones that treat it as a design input rather than a box to tick. Build authentication that works without locking customers out, capture consent cleanly, choose the right permission early, and safeguard funds from day one. If you want help mapping these requirements to your product, explore our pricing at /pricing or book a demo.
Yes. PSD2 was implemented in the UK through the Payment Services Regulations 2017, which came into force on 13 January 2018 and continue to apply as domestic law. The FCA remains the competent authority overseeing payment services.
SCA is a security requirement to verify a customer using two or more independent factors from three categories: knowledge (something they know), possession (something they have) and inherence (something they are). The FCA says the SCA rules took effect on 14 September 2019.
The FCA extended the deadline for e-commerce card transactions and confirmed that 14 March 2022 was the latest it expected full SCA compliance for those payments. After that, banks can decline online card payments that should have been authenticated but were not.
An AISP (account information service provider) gives a customer consolidated information on payment accounts held with other providers. A PISP (payment initiation service provider) initiates a payment from the customer's account held at another provider, on the customer's instruction. Both need the customer's explicit consent.
A PISP must be authorised and, per the FCA, hold a minimum of 50,000 euros in initial capital, with higher amounts for certain other services. A firm offering only account information services can register as a RAISP with no capital requirement. Both must hold professional indemnity insurance.
Exemptions include the contactless exemption for eligible point-of-sale transactions, and the Article 10A reauthentication exemption, which lets customers avoid reauthenticating every 90 days when using a third-party provider that reconfirms explicit consent at least every 90 days. Exemptions are applied by the provider and require transaction monitoring.
Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.