

The European Union wants to make banking transactions on the internet more convenient, cheaper and more consistent. Regulators also wish to create an environment that fosters innovation and competition. The Second Payment Services Directive (PSD2) is the directive that will be administered in the European Union to achieve these goals.

Impact on Banks

From a business perspective, banks are required to allow third-party providers (TPPs) to offer services that were traditionally offered only by the bank. This change permits the bank’s customers to use third-party services to access certain payment and account services instead of interacting directly with the bank.

From a technology perspective, banks need to expose APIs that will allow TPPs to consume account information and trigger payment transactions after the bank obtains the customer’s consent.

Worldwide initiative

Across the world, different countries are implementing similar directives. Banks doing business in a region where such a directive applies need to adhere to that regional directive’s standards. Open Banking in the United Kingdom, STET in France, Open API in Hong Kong and Payments NZ in New Zealand are some examples of directives similar to PSD2.

Security Implications

Exposing these services via APIs has security implications for the bank. Banks need to ensure that customer data is protected, third-party providers are trusted, customers give consent to third-party providers after completing strong authentication, customers are protected from fraud and malware, transactions are safe, etc.

Meeting the PSD2 requirements

To meet the PSD2 requirements, the bank needs to expose and manage APIs, implement strong customer authentication and protect the customer from fraud. IBM has been working with many financial customers to design and deliver solutions to meet these challenges, using both IBM and non-IBM technologies. For more information, you can read the Beyond PSD2 Paper by clicking on the link below.


The paper captures the technology and architecture requirements. It focuses on Identity and Access Management technologies in a vendor-agnostic manner and will help you build a solution that will meet future requirements in this space.


This space is evolving fast. Please feel free to send any feedback to the author by sending email to



IT Security Specialist
