Consumer protection and PSD2

Find out how PSD2 continues to protect consumers from unauthorised transactions.

PSD2 continues to protect consumers from unauthorised transactions. It aims to further improve security measures and give payers certainty about security when they make payments. For example, all payment service providers (PSPs) e.g. banks and payment instructions will need to prove that they have put specific security measures in place to ensure safe and secure payments.

The following outlines some of the PSD2 changes to improve consumer protection:

Limiting payers’ liability when unauthorised transactions take place

Under the current regime payers’ liability for unauthorised transactions is currently capped at £50 in the UK - unless the payer has acted fraudulently or has, with intent or gross negligence, failed to comply with the conditions governing their use of a payment instrument or failed to notify the PSP without undue delay on becoming aware of its loss, theft, misappropriation or unauthorised use. Under PSD2, the liability cap is reduced to £35. Payers will only be liable in cases of user fraud, gross negligence or failing to notify their payment service provider without undue delay on becoming aware the loss. The European Commission will publish a leaflet by Q4 2017 which will explain the changes to the liability regime and consumers’ rights and obligations under PSD2.

Transactions which have been made incorrectly

PSD2 requires PSPs to be responsible for undertaking payments in an accurate and timely way. It also specifies that payers should always be entitled to make any relevant claims for refunds to their PSPs, whether or not other PSPs are involved in the transaction. These other PSPs will be liable to the payer’s PSP. However, each PSP’s liability is limited to correct execution within their area of competence. As with PSD, payers will need to notify the PSP of incorrect transactions as soon as possible and within a maximum of 13 months of the date the payment was made. If the payer has given the wrong unique customer identifier, the payee's PSP is now required to 'cooperate' in efforts to recover the funds.

Complaints handling

Under PSD2, payment service providers must give a full response to complaints that involve rights and obligations under PSD2 within 15 days. If there are exceptional circumstances, this is extended to a maximum of 35 days and the firm must send the payer a holding letter in the interim. 

Strong customer authentication

PSD2 requires Strong Customer Authentication (SCA), which is also known as two-factor authentication. Payment service users will need to use SCA whenever they access their payment accounts online, make an electronic payment or carry out any action through a remote channel which may carry a risk of fraud or abuse. SCA is made up of two or more elements, including knowledge (something you know, such as a password), possession (something you have, such as a card or mobile device) or 'inherence' (something you are, such as a fingerprint or voice recognition). Each element must be independent from the others so that if one is breached this does not compromise the integrity of another. The EBA is developing regulatory technical standards for SCA.