Directive 2015/2366 of 25 November 2015 on payment services in the internal market […] (Second Payment Services Directive, Second Payment Services, PSD II or PSD2; to be implemented by the member states by January 13, 2018; in Germany by the Payment Services Supervision Act) is intended, among other things, to improve the offering in the EU retail payments market for consumers and to establish higher security standards for online payments. However, it also affects new providers (so-called third party payment service providers, TPPs), e.g., payment initiation service providers (“PISPs”) and account information service providers (“AISPs”). Banks will be required to set up interfaces through which third-party service providers can access bank customers’ payment accounts (“open banking”).
In Switzerland, PSD II does not apply (not even to cross-border payments from the EEA to Switzerland and vice versa; however, this is probably different for consumer contracts with customers in the EEA) and the Swiss Bankers Association has opposed the introduction of a corresponding regulation.
PSD II contains several provisions on data security and data protection that raise questions about their interaction with the GDPR, such as the provision that payment initiation and account information service providers may not misuse data, or the requirement that payment service providers retrieve, process, and store personal data necessary for payment services only with the “explicit consent” of the payment service user.
On these issues, the European Data Protection Board (EDPB) has now published the second version of its guidelines (Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR, version 2.0, December 15, 2020), following the draft version of July 22, 2020.