Applications under PSD2

PSD2 makes some important changes to the scope of regulation in the UK. Read more about the new information firms will have to provide, both when we authorise or register them and if they are currently authorised or registered.

Authorisation and registration requirements under PSD2

PSD2 has been implemented in the UK through the Payment Services Regulations 2017 (PSRs 2017). We issued a consultation to reflect the Treasury’s new regulations in April 2017. This included some proposals relating to authorisation, and changes to our perimeter guidance to throw further light on the specific types of business and activity that will need to be authorised or registered under PSD2. We issued a smaller, follow-up consultation on certain authorisation and registration forms under PSD2 in July 2017. We published our Policy Statement in September 2017 confirming the revised Approach Document and Handbook changes following consultation feedback.

New information required at authorisation

Prospective payment and e-money institutions, applying under the PSRs 2017 and amended EMRs respectively, will have to provide more information than they do currently, including:

  • Procedures for incident reporting.
  • Processes in place to file, monitor, track and restrict access to sensitive payment data.
  • Principles and definitions they apply for collecting statistical data on performance, transactions and fraud.
  • Arrangements for business continuity and the procedure for testing and reviewing these plans.
  • Security policy, including risk assessment and mitigation measures to adequately protect payment service users against identified risks, including fraud and illegal use of sensitive and personal data.
  • Description of checks on agents and branches.
  • Professional indemnity insurance held (for firms that propose providing account information or payment initiation services).

Security requirements for providers of account information or payment initiation services seeking authorisation or registration under Payment Services Directive 2 (PSD2)

European Banking Authority (EBA) guidelines

The EBA has developed guidelines for competent authorities on the exact information required for applicants to become authorised payment institutions and authorised e-money institutions. This also applies to firms which only provide account information services who will be able to seek registration, and will have to provide us with less information than firms which seek full authorisation.

Guidelines on the information to be provided for the authorisation as payment institutions and e-money institutions and for the registration as account information service providers 

Information requirements and transitional provisions for existing firms

Existing small payment institutions may carry on their activities until 12 January 2019. If they want to continue providing payment services after this date then they will have to apply to us before 23:59 on the 12 October 2018 and give us any relevant information we request if they have not already done so.

Key dates for existing firms registered under PSD1

Firm type

Can provide new information from:

Must apply for re-registration before:

... in order to continue providing payment services on or after:

Small payment institutions
(Small PIs)

13 October 2017

23:59 on the 12 October 2018

13 January 2019