Why PSD2 Still Applies to the UK Even After Brexit

Understanding PSD2's Role in UK Financial Services Post-Brexit

Britain might have left the EU at the end of 2020, but it’s still subject to a variety of European regulations in areas like financial services, data protection and technology.

Payment Services Directive 2 (PSD2) is one of those. Brought into effect in September 2019, among other things PSD2 creates a framework for banks to share personal account information directly with other regulated providers in order to foster the development of new services and products for bank customers. PSD2 was also introduced with the aim of rationalising financial transactions across European borders and protecting online payments.

It demands Strong Customer Authentication (SCA) for transactions which basically means Multi-Factor Authentication (MFA) for customers. PSD2 also requires Common and Secure Communication (CSC) which involves the use of two distinct certificates to protect transactions. The Qualified Certificate for Website Authentication (QWAC) is used to protect data in peer-to- peer communications as well as to identify who controls the endpoints involved. The Qualified Certificate for Electronic Seals (QSealC) is meant to protect data and documents and confirm their legal origin.

Although the UK left the European Union on December 31st 2020, PSD2 still applies to a great extent. In fact, sovereignty isn’t even the main issue – the UK government has adopted PSD2 into national law to bring the country in-line with its neighbouring supra-national bloc.

The UK government has done the same with several landmark pieces of EU regulation. In the run up to Brexit, the UK’s Information Commissioner’s Office (ICO) stated clearly that the UK would be complying with the General Data Protection Regulation (GDPR), whether it was in or out of the European Union. Though the UK is not formally under EU jurisdiction any longer, it is still subject to an act of law called the “UK GDPR” which mirrors the principles, rights and obligations of the GDPR. This is largely because GDPR compliance is the price of doing business for anyone who wants to use the data of European citizens.

Similarly, a “UK eIDAS” has been created tailoring the contents of the European eIDAS Regulation which governs the use of Qualified Trust Service Providers for legally-valid electronic signatures, among other things.

Whether the UK is in or out of the European Union, it is likely to be subject to European regulations especially when it comes to privacy and data protection. That’s not just true for the UK, but many other non-EU countries. The EU standards for implementing technical aspects of PSD2 were even widened as “Open Banking” standards precisely so the UK and other countries or regions might adopt them more readily.

This is less a question of state sovereignty than it is a confirmation of certain facts of modern life. This is about inexorable digital transformations all over the globe and the security of data in a world that gets more deeply connected by the day.

On the 31st of December 2020, the UK officially left the European Union, but it did so amid the tumult of a global pandemic.

The pandemic has deepened our reliance on online transactions as well as the security of those transactions. Furthermore, it has accelerated the world’s digital migration at breakneck speed. Governments and companies are now doubling down on digital transformations with the introduction of mass remote work and the new centrality of electronic identities in the form of vaccine passports. Business and connected technology pays less and less heed to national borders by the day and the pandemic spurred that process on.

Regulations like PSD2 are becoming ever more crucial to underpin these digital transformations and it may mean that not just the UK – but many other countries – will have to comply with EU regulations in some way.

The GDPR is useful as a representative example. When it was introduced in 2018 it brought in hefty fines for companies who failed to protect personal data and issued injunctions about how organisations should collect, protect and store that data. Critically, the regulation applies not just within European borders, but wherever the data of a European citizen is being processed. The EU is the largest trading bloc in the world and there are few organisations which would want to refuse the opportunity to do business there. Now, countries around the world are drafting data protection legislation which largely mirrors the statues of the GDPR.

PSD2, like the GDPR, may soon be adopted – at least in spirit – by other non-EU countries if not for the thoroughness of its regulations, then for the undeniable attraction of the European market.

These kinds of developments are irresistible to nation states – who want to protect citizens and companies from threats that don’t pay heed to borders. They can only do that by working in parallel with other countries. To that end, regulations like PSD2, GDPR or eIDAS may have been built for the EU, but are profoundly informing if not directly inspiring technological regulation all over the world.