Harmonizing open banking in the European Union: an analysis of PSD2 compliance and interrelation with cybersecurity frameworks and standards

Authors:

Gounari Marianna, Stergiopoulos George, Pipyros Kosmas, Gritzalis Dimitris

Abstract

This paper focuses on the security protocols enacted in banking transactions across the European Economic Area (EEA), as stipulated by the Second or Revised Payment Service Directive (commonly referred to as ‘PSD2’ or simply ‘the Directive’). The study aims to comprehensively analyse the implementation and efficacy of these security measures within the specified jurisdiction. The Directive incorporates fundamental rights and obligations that all stakeholders are compelled to adhere to and delineates specific security measures and standards that both traditional banking institutions and third-party providers (TPP) are mandated to implement. In particular, one of the cardinal mandates for banking and financial institutions under PSD2 is the obligation to facilitate third-party access to customer data via open application programming interfaces (API). While this open banking paradigm and the consequent proliferation of data sharing unquestionably bring about various advantages, such as enhanced consumer choice and market competition, they concurrently expose the financial ecosystem to a slew of potential security vulnerabilities and privacy risks. Upon conducting a comprehensive review of the security requirements and measures stipulated under PSD2 and a comparative analysis with essential cybersecurity frameworks and standards (NIS2, Cybersecurity Act, GDPR, ISO 27001:22 and PCI DSS), we have ascertained a discernible lack of harmonisation and clarity concerning the technical security specifications for its effective implementation. This lacuna substantiates the challenges banks face in fully grasping the extensive spectrum of compliance obligations mandated by PSD2. The aim of this research is to offer a valuable contribution to both the comprehension and the pragmatic deployment of security standards in the context of banking transactions, as regulated by the PSD2.
The paper serves as a valuable resource for traditional banking institutions and relevant stakeholders by guiding them through the complexities of PSD2 implementation while also evaluating the effects of the security measures on transactional safeguards, data security, and the provision of payment services.

Funder

Athens University of Economics & Business

Publisher

Springer Fachmedien Wiesbaden GmbH


Cited by 1 article.