Russell

PSD2 Obligations Regarding Third-Party Service Providers and Outsourcing

Updated: Dec 5, 2024



Introduction

The Payment Services Directive 2 (PSD2) is a key piece of legislation designed to modernize the European Union's payments landscape. Beyond promoting innovation and competition, it introduces several regulatory requirements aimed at enhancing security and consumer protection in payment services. One of the most significant changes in PSD2 is the regulation of third-party service providers (TPPs) and the outsourcing of services by entities within the payments sector.


This article delves into the obligations under PSD2 concerning TPPs and outsourcing service providers, providing clarity on what entities need to do to ensure compliance and mitigate risks.


Overview


PSD2 significantly alters the regulatory landscape for third-party service providers and outsourcing within the payments sector. Entities under PSD2 have clear obligations when working with TPPs, including granting access to payment accounts under secure conditions, ensuring compliance with security standards, and being transparent with consumers about their rights. Additionally, outsourcing arrangements must meet stringent due diligence and oversight requirements to ensure that outsourced functions do not compromise service delivery or regulatory compliance.


For financial institutions, it’s essential to understand these obligations in order to foster secure, innovative, and compliant payment services. Ensuring robust third-party and outsourcing practices will help mitigate risks and enhance operational efficiency in line with PSD2’s goals of greater security and consumer protection in the European payments market.


Understanding Third-Party Service Providers (TPPs) in PSD2


Under PSD2, TPPs are defined as entities that provide payment services to consumers or businesses, but are not themselves the account-holding institutions (banks or credit institutions). These include:

  • Payment Initiation Service Providers (PISPs): These providers initiate payments on behalf of users, allowing them to make online payments from their bank accounts.

  • Account Information Service Providers (AISPs): These providers aggregate and provide access to users' payment account information, allowing consumers to see balances and transaction history across multiple accounts.


PSD2 mandates that banks (referred to as Account Servicing Payment Service Providers or ASPSPs) must allow TPPs to access payment account information and to initiate payments, provided that consumers have given their consent.


Obligations Regarding Third-Party Service Providers


  • Banks and financial institutions are required to grant TPPs access to account holders' payment account information, if the customer consents. This is the foundation of open banking under PSD2. Banks must ensure that the interfaces they provide for TPP access are secure, standardized, and easy to use. They must also ensure the integrity of the access by using appropriate security measures, such as Strong Customer Authentication (SCA).

  • Banks are required to verify that TPPs are registered or authorized by competent authorities before granting them access to customer accounts. TPPs must comply with PSD2’s security standards, particularly in relation to customer consent, data protection, and fraud prevention. Banks must establish clear procedures for responding to and blocking unauthorized access attempts or misuse by TPPs.

  • PSD2 stipulates clear rules regarding consumer protection in the context of TPP transactions. Banks and TPPs are liable for unauthorized payments or failures in services. TPPs must clearly inform users about their rights and liabilities, and ensure full transparency regarding any fees or charges.


Outsourcing Obligations Under PSD2

PSD2 also introduces important regulations for outsourcing arrangements within entities regulated by the directive. Payment service providers (PSPs), including banks, must adhere to specific rules if they outsource any critical or important operational functions.


Key Outsourcing Obligations:


  • Risk Assessment and Due Diligence: When outsourcing critical services or functions, entities must conduct a thorough risk assessment and perform due diligence to ensure the service provider can meet regulatory requirements. This includes evaluating the provider's financial stability, operational capacity, and compliance with PSD2.

  • Operational Resilience and Oversight: Entities must ensure that outsourcing arrangements do not compromise their ability to meet regulatory obligations. This includes maintaining control over outsourced services and ensuring that the service provider’s performance is regularly monitored. Payment service providers (PSPs) are still responsible for complying with PSD2, even if the function is outsourced.

  • Transparency and Accountability: PSD2 requires that entities disclose any outsourcing arrangements to relevant supervisory authorities, particularly when outsourcing critical activities such as payment processing, fraud detection, or customer data management. The outsourcing contracts should also specify the terms for service delivery, reporting, and audits to ensure compliance.

  • Regulatory Access to Data: Under PSD2, even if a function is outsourced, the financial institution must ensure that competent authorities (such as the national regulators or the European Central Bank) have access to any information they need for supervision. This means that outsourcing service providers must allow regulators access to the necessary data, records, and operations for oversight purposes.

  • Exit Strategy and Continuity Planning: Entities must have a clear exit strategy in place in case they need to end the outsourcing relationship. This strategy should include a plan for transferring services back in-house or to another provider without disrupting payment services. Additionally, they must ensure that critical functions are able to continue during and after the transition.


How can Trudexia help?


Trudexia supports PSD2 compliance by offering comprehensive risk assessments and ongoing due diligence for third-party service providers and outsourcing arrangements. These features help organizations ensure that their suppliers meet PSD2's stringent security and compliance standards. By identifying vulnerabilities, continuously monitoring vendor ecosystems, and tailoring risk treatment plans, Trudexia aids in reducing risks associated with third-party relationships. Trudexia’s automated reporting simplifies regulatory oversight and ensures transparency and accountability, while helping entities maintain operational resilience and compliance with PSD2 requirements.
