Interactive timeline

Our timeline shows the publication and implementation dates for the various legislative
initiatives around the Payment Services Directive 2 (PSD2) and the Open Banking Initiative.

Please explore the timeline below by clicking an event, scrolling or selecting a filter on the right

View all

Key events - PSD2 and Open Banking Standards

Download current selection
  • 2015
    01.08
    01August
    2015

    01 August 2015

    EBA Guidelines on security of internet payments apply

    Find out more
  • 09.2015
    September
    2015

    September 2015

    Open Banking Working Group set up

    Find out more
  • 2016
    12.01
    12January
    2016

    12 January 2016

    PSD2 enters into force

    Find out more
  • 08.02
    08February
    2016

    08 February 2016

    Open Banking Working Group publishes Open Banking Standard

    Find out more
  • 10.02
    10February
    2016

    10 February 2016

    FCA publishes Call for Input on approach to current UK payment services regime

    Find out more
  • 23.03
    23March
    2016

    23 March 2016

    FCA Call for Input on approach to current UK payment services regime closes

  • 01.07
    01July
    2016

    01 July 2016

    eIDAS Regulation enters into force

    Find out more
  • 18.07
    18July
    2016

    18 July 2016

    FCA publishes update to Cash Savings Market Study

    Find out more
  • 03.08
    03August
    2016

    03 August 2016

    Open Data Institute launches Open Banking Development Group

    Find out more
  • 08.08
    08August
    2016

    08 August 2016

    NIS Directive enters into force

    Find out more
  • 09.08
    09August
    2016

    09 August 2016

    CMA publishes Retail Banking Market Investigation Final Report

    Find out more
  • 12.08
    12August
    2016

    12 August 2016

    EBA consults on draft RTS on strong customer authentication and common and secure communication under PSD2

    Find out more
  • 22.09
    22September
    2016

    22 September 2016

    EBA consults on draft guidelines on criteria for professional indemnity insurance or other comparable guarantee under PSD2

    Find out more
  • 23.09
    23September
    2016

    23 September 2016

    EBA Public Hearing on draft RTS on strong customer authentication and common and secure communication under PSD2

  • 12.10
    12October
    2016

    12 October 2016

    Closing date for responses to EBA consultation on draft RTS for strong customer authentication and common and secure communication under PSD2

  • 03.11
    03November
    2016

    03 November 2016

    EBA consults on draft guidelines on authorisation and registration under PSD2

    Find out more
  • 30.11
    30November
    2016

    30 November 2016

    Closing date for responses to EBA consultation on draft guidelines on criteria for professional indemnity insurance or other comparable guarantee under PSD2

    Find out more
  • 07.12
    07December
    2016

    07 December 2016

    EBA consults on guidelines on major incidents reporting under PSD2

    Find out more
  • End
    2016
    END2016

    End 2016

    Target for launch of a viable product for an Open Banking API

    Find out more
  • 2017
    13.01
    13January
    2017

    13 January 2017

    Deadline for EBA to submit draft RTS on strong customer authentication and common and secure communication under PSD2 to European Commission

    Find out more
  • 13.01
    13January
    2017

    13 January 2017

    Deadline for EBA to issue guidelines on professional indemnity insurance or other comparable guarantee under PSD2

    Find out more
  • 02.02
    02February
    2017

    02 February 2017

    CMA publishes final form Retail Banking Market Investigation Order 2017

    Find out more
  • 02.02
    02February
    2017

    02 February 2017

    HMT publishes consultation paper on UK PSD2 implementation and draft Payment Services Regulations 2017

    Find out more
  • 03.02
    03February
    2017

    03 February 2017

    Closing date for EBA consultation on draft guidelines on authorisation and registration under PSD2

  • 16.02
    16February
    2017

    16 February 2017

    EBA consults on draft guidelines for complaints procedures for infringements of PSD2

    Find out more
  • 23.02
    23February
    2017

    23 February 2017

    EBA publishes final draft RTS on strong customer authentication and common and secure communication under PSD2

    Find out more
  • 07.03
    07March
    2017

    07 March 2017

    Closing date for EBA consultation on draft guidelines on major incidents reporting under PSD2

  • 16.03
    16March
    2017

    16 March 2017

    Closing date for HM Treasury consultation on PSD2 implementation

  • 31.03
    31March
    2017

    31 March 2017

    Deadline for largest UK banks to release and make open data available through an open API

    Find out more
  • 13.04
    13April
    2017

    13 April 2017

    FCA publishes consultation on PSD2 revisions to guidance in its Payment Services Approach Document and its Handbook rules

    Find out more
  • 08.06
    08June
    2017

    08 June 2017

    Closing date for FCA consultation on PSD2 revisions to guidance in Payment Services Approach Document and Handbook rules

    Find out more
  • 01.07
    01July
    2017

    01 July 2017

    Q3 2017 is FCA target for publication of Policy Statement containing final rules and revised Payment Services Approach Document for PSD2

    Find out more
  • 16.05
    16May
    2017

    16 May 2017

    Closing date for responses to EBA consultation on draft guidelines for complaints procedures for infringements of PSD2

  • 13.07
    13July
    2017

    13 July 2017

    Deadline for EBA to issue guidelines on security measures under PSD2

    Find out more
  • 2018
    13.01
    13January
    2018

    13 January 2018

    Deadline for transposition of PSD2 into national law

    Find out more
  • 13.01
    13January
    2018

    13 January 2018

    Deadline for EBA to issue guidelines in relation to incident reporting

    Find out more
  • 13.01
    13January
    2018

    13 January 2018

    Deadline for largest UK banks to make PCA and BCA data available through an open API

    Find out more
  • 11.2018
    November
    2018

    November 2018

    Earliest date that EBA's RTS on strong customer authentication and common and secure communication under PSD2 are expected to apply

    Find out more
  • 2019
    By
    2019
    BY2019

    BY 2019

    OBWG's target for full scope of the Open Banking Standard to be reached

    Find out more
2015
2016
2017
2018
2019
01 August 2015

These guidelines (EBA GL/2014/12) set out the minimum requirements for security of internet payment services. They define strong customer authentication as two-factor authentication (as a minimum), but allow payment service providers (PSPs) offering acquiring services for card-based internet payments to use alternative authentication measures for pre-identified categories of low-risk transactions.

The guidelines were intended to provide a uniform approach to the security of internet payments across the EU until the implementation of PSD2 – they will be in force until the application of the EBA's Regulatory Technical Standards on strong customer authentication and common and secure communication under PSD2 (expected to be October 2018 at the earliest).

September 2015

The Open Banking Working Group (OBWG) was set up at the request of HM Treasury primarily to deliver a framework for the design and development of an open Application Programming Interface (API) standard in UK banking, focussing on personal and business current accounts.

Its initial scope of work included defining:

  • the scope of the open API standard;
  • the scope of data to be covered by the open API standard and open data;
  • the rules on data access and permissions (to accord with data protection and other regulatory and legislative obligations); and
  • the security parameters and framework around data release, permissions and use, especially the vetting process and procedure for 3rd party access

The OBWG was directed to consider the implications of concurrent regulatory initiatives in the UK (including PSD2), and align where practicable.

12 January 2016

Directive (EU) 2015/2366 on payment services in the internal market (PSD2) updates the EU framework for payment services under the current Payment Services Directive (2007/64/EC). Key changes include:

  • introducing two new payment services to cover the activity of third-party payment service providers: payment initiation services and account information services;
  • improving the security of payment services by bringing about major changes to the way that payment service providers (PSPs) authenticate payments; and
  • enhancing the transparency of payment services through greater information provision and pricing restrictions for international payments.
08 February 2016

The OBWG report sets out a detailed framework for delivering open banking in the UK.

The Open Banking Standard is promoted as a guide to "how open banking data should be created, shared and used by its owners and those who access it". It recommends the use of open APIs to provide open access to open data (eg market information, banking product information) and shared access to private data, like customer data. Access to private data should be facilitated only where bank account holders have given "informed consent". Open APIs will be available under a free licence and will encourage existing standards and structures to be re-used.

The recommendations will be carried out by a purpose-built Open Banking Implementation Entity.

10 February 2016

Before the FCA starts to update its guidance for PSD2, it has sought views on whether the guidance has kept pace with market developments and the growth in payment services. The guidance consists of its payment services approach document and chapter 15 of its Perimeter Guidance manual (PERG), published in 2009 as part of PSD1 implementation.

There will be further proactive engagement with relevant stakeholders over the coming months (eg via the FCA PSD2 Stakeholder Liaison Group). An FCA consultation on revised PSD2 guidance is due in Q1/Q2 2017. HM Treasury is also due to consult on PSD2 implementing regulations in 2016.

23 March 2016
01 July 2016

The eIDAS Regulation ((EU) No 910/2014) on electronic identification and trust services for electronic transactions in the internal market establishes a new legal structure for electronic identification, signatures, seals and documents throughout the EU. It replaces the Electronic Signature Directive (Directive 1999/93/EC) and creates specific electronic signature types that are recognised across the EU.

The EBA's draft RTS on strong customer authentication and common and secure communication under PSD2 mandate that payment system participants will authenticate each other using certificates issued by a qualified trust service provider (QTSP). A QTSP is a certification authority that meets the stringent requirements of the eIDAS Regulation (eg rules on security and liability) and has been granted qualified status by the relevant supervisory body in the Member State.

For the EBA's requirement to work there will need to be QTSPs by the time the RTS come into force – no provider has been designated so far. The EBA has flagged this as an issue in its consultation paper on the draft RTS and asked for specific feedback on its approach.

18 July 2016

In its update (MS14/2.4) to its Cash Savings Market Study following its Policy Statement published in December 2015 (PS15/27) on measures to improve competition, the FCA sets out its latest thinking on remedies including a "convenience remedy" involving adoption of account aggregation services so that customers can view and manage their savings and other accounts in a single place. The FCA has indicated they will deal with this through PSD2 implementation (as PSD2 covers a new payment service of account information services).

However, as many cash savings accounts will not be payment accounts, it is currently unclear whether this will apply to them or be brought in through the FCA's Retail Banking Conduct of Business Handbook (BCOBS).

03 August 2016

The Open Banking Development Group (OBDG) has been set up by the Open Data Initiative (ODI) to "drive innovation around an open banking standard on a UK and international basis". The ODI highlights that any open banking standard needs to be supported by a broad community that embraces an open environment.

Building on the work already carried out by the Open Banking Working Group, the OBDG aims to create a global community of open banking leaders that will play an important role in shaping any open banking initiatives. This will include the EBA's regulatory technical standards for PSD2 and the CMA's remedies following its retail banking market investigation.

08 August 2016

Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive) represents the first EU-wide rules on cybersecurity.

It includes risk management and incident reporting obligations for "operators of essential services" and digital service providers. Each Member State has until 9 November 2018 to identify the operators of essential services with an establishment in its territory – this will include credit institutions that meet a defined set of criteria. A credit institution that is subject to PSD2 and the NIS Directive will need to take account of the risk management and incident reporting obligations under both.

09 August 2016

According to the UK Competition Markets Authority (CMA) in its final report, competition for personal customers and SMEs in the retail banking sector is not working as well as it should be, with so-called 'challenger' banks struggling to win market share off the UK's more established players. It does not believe the banks' size and number are the problem. Rather, the low level of switching between banks is caused by customers' inability to easily access, assess and act on information regarding the cost of their banking. In response, the CMA has proposed a "wide-ranging" package of remedies which aim to better inform and engage customers, prompting and giving them more confidence to switch.

The CMA's "central reform" is to mandate that the UK's nine largest banks develop 'open application program interfaces' (APIs), enabling banks to share customer data with each other and FinTech businesses. It is hoped that this "Open Banking revolution" will remove information asymmetries, encourage innovation and boost competition. The CMA believes that Open Banking will also allow banks to fulfil their information-sharing obligations required under PSD2.

12 August 2016

The draft regulatory technical standards (RTS) (EBA-CP-2016-11) have been developed under Article 98 of PSD2, which requires the EBA to issue regulatory technical standards ensuring an appropriate level of security for customers and payment service providers.

The requirements cover strong customer authentication, enhanced protection of customers' security credentials, and common and secure open standards for communications between the various types of providers in the payments sector.

22 September 2016

Article 5(4) of PSD2 mandates the EBA to issue guidelines addressed to the competent authorities in member states on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance (PII) or other comparable guarantee to be held by undertakings that will apply for authorisation to provide payment initiation services (PIS) and/or registration to provide account information services (AIS).

As PIS and AIS were not subject to PSD1, they were not necessarily supervised by competent authorities and were not required to comply with PSD1. This raised a series of legal issues, such as consumer protection, security and liability as well as competition and data protection issues. Therefore PSD2 aims to respond to these issues by setting out specific conditions for providers of PIS and AIS, including requirements they have to fulfil when applying for authorisation and/or registration.

23 September 2016
12 October 2016
03 November 2016

Article 5(5) of PSD2 mandates the EBA to issue guidelines on the information to be provided to the competent authorities in the application for authorisation of payment institutions. 

The type of information requested from applicants varies depending on the different nature of the payment service provider. The Guidelines are therefore structured into three separate sections for payment institutions, AISP, and electronic money institutions respectively.

The information requirements specified in the draft Guidelines include: details on the applicant’s programme of operations; its business plan; evidence of initial capital; the measures taken for safeguarding payment service users’ funds; the applicant’s governance arrangements and internal control mechanisms; the procedures in place to monitor, handle and follow up a security incident and security related customer complaints and to file, monitor, track and restrict access to sensitive payment data; and the identity, and evidence of the suitability, of persons holding qualifying holdings and of persons responsible for the management of the payment institution.

30 November 2016

The final guidelines will be published after the end of the consultation period.

07 December 2016

Article 96(3) of PSD2 mandates the EBA, in close cooperation with the ECB, to issue guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.

The draft guidelines specify (i) the criteria for classifying operational or security incidents as major, (ii) the template to be used by payment service providers when notifying them to the competent authorities and (iii) the indicators that competent authorities need to use when assessing the relevance of such incidents.

End 2016

In its report on the Open Banking Standard, the Open Banking Working Group sets out its intention to launch a viable product for an Open Banking API based on open data by the end of 2016 and personal account transaction data included on a read-only basis starting from the beginning of 2017.

13 January 2017

The deadline has been set by Article 98(4) of PSD2.

The Commission will have 3 months to decide whether to endorse the RTS (Article 10(1) of Regulation (EU) No 1093/2010). Where the Commission intends not to endorse or to endorse in part or with amendments, the draft RTS are sent back to the EBA and the EBA then has 6 weeks in which to amend them on the basis of the Commission’s feedback and resubmit.

Power is delegated to the Commission to adopt the RTS. The RTS will come into force on the date of publication in the Official Journal of the EU.

13 January 2017

This deadline has been set by Art 5(4) of PSD2.

02 February 2017

According to the UK Competition and Markets Authority (CMA) in its final report (August 2016), competition for personal customers and SMEs in the retail banking sector is not working as well as it should be.

The CMA's "central reform" is to mandate that the UK's nine largest banks develop 'open application program interfaces' (APIs), enabling banks to share customer data with each other and FinTech businesses. It is hoped that this "Open Banking revolution" will remove information asymmetries, encourage innovation and boost competition. The CMA believes that Open Banking will also allow banks to fulfil their information-sharing obligations required under PSD2.

Part 2 of the Order relates to open API standards and data sharing, and provides for the creation of an Implementation Entity which will develop, agree, implement, maintain and make widely available without charge open and common banking standards for read only open access to data, and common standards for both read and write access, allowing third parties to initiate a payment on behalf of a customer. Following consultation, the CMA amended this part of the Order to clarify the importance of consistency with PSD2.

02 February 2017

HM Treasury is consulting on UK implementation of PSD2, including draft Payment Services Regulations 2017, for a short 6 week consultation period ending on 16 March 2017.

The consultation paper states that the Government aims to finalise and lay the final implementing legislation in Parliament in 'early 2017 to provide industry with as much time as possible to adjust to any changes required'.  The FCA issued a consultation on PSD2 revisions to the guidance in its Payment Services Approach Document and its Handbook rules on 13 April 2017 (closing 8 June 2017).

03 February 2017
16 February 2017

Article 100(6) of PSD2 mandates the EBA, after consulting the European Central Bank (ECB), to issue guidelines, addressed to national competent authorities, on the complaints procedures to be taken into consideration to ensure and monitor effective compliance with PSD2. 

The draft guidelines govern the process relating to complaints that payment service users and other interested parties, including consumer associations, can submit to competent authorities (CAs) with regard to PSPs’ alleged infringements of the PSD2. In particular, the draft guidelines specify:

  • the requirements for the channels to be used by complainants to file their complaints;

  • the information that CAs should request from complainants when complaints are submitted to them; and

  • the information CAs should include in their responses to complaints.

 The proposed guidelines also require CAs to:

  • make an aggregate analysis of the complaints received;

  • document their internal complaints procedures; and

  • make information related to their procedures for complaints of alleged infringements of PSD2 publicly available.

 The draft guidelines apply only to complaints addressed to CAs about alleged infringements of PSD2 and do not cover other issues that payment service users or other interested parties may complain about. They also do not cover the role of CAs in ADR procedures for the settlement of disputes between payment service users and PSPs.

The consultation closes on 16 May 2017.

23 February 2017

The final draft regulatory technical standards (RTS) (EBA/RTS/2017/02) have been developed under Article 98 of PSD2, which requires the EBA to issue regulatory technical standards ensuring an appropriate level of security for customers and payment service providers.

The requirements cover strong customer authentication, enhanced protection of customers' security credentials, and common and secure open standards for communications between the various types of providers in the payments sector.

The changes from the previous draft of the RTS (August 2016) should not come as a surprise to the industry. They will nevertheless require detailed consideration to determine both the impact and the intention behind them (including over 100 pages of the EBA's reaction to consultation responses).

The final draft RTS will now be submitted to the European Commission for adoption, following which they will be subject to scrutiny by the European Parliament and the Council.

Under PSD2, the RTS will be applicable 18 months after its entry into force, which suggests November 2018 at the earliest. In its final report on the RTS, the EBA comments that the "intervening period provides the industry with time to develop industry standards and/or technological solutions that are compliant with the EBA’s RTS."

07 March 2017
16 March 2017
31 March 2017

The CMA's Retail Banking Market Investigation report requires nine named institutions to release and make available certain reference and product information through an open API by this date. After that, these organisations have to maintain this data as open data.

The open data will be:

  • prices, charges, terms and conditions and customer eligibility criteria (for loans) for all personal current account and business current account products (including overdrafts) and SME lending products, and
  • certain Reference Data specified by the CMA, including ATM and branch locations and branch opening hours
13 April 2017

The FCA has published a consultation (CP17/11) on PSD2 revisions to the guidance in its Payment Services Approach Document and its Handbook rules.

The proposed PSD2 updates include changes to:

  • the FCA Payment Services Approach Document;
  • the FCA Handbook (including the Banking: Conduct of Business sourcebook BCOBS); and
  • the FCA Perimeter Guidance Manual (PERG).

The Payment Systems Regulator has also published a separate draft Approach Document on the aspects of the draft UK implementing regulations, the Payment Services Regulations 2017 (PSRs 2017), for which it is solely responsible.

The consultation for both Approach Documents is being co-ordinated through the FCA and closes on 8 June 2017. The FCA intends to publish its final rules and revised Approach Document in a Policy Statement in Q3 2017, after HM Treasury finalises the PSRs 2017, so that it can take into account any further changes to the implementing legislation.

The FCA's proposed changes would take effect from 13 January 2018, unless stated otherwise in the consultation paper.

A further FCA consultation on matters related to the EBA mandates under PSD2 (such as the Regulatory Technical Standards on strong customer authentication and common and secure communication) will be issued in mid-2017 and the proposals finalised in autumn 2017, subject to progress on the various EBA workstreams.

08 June 2017

The FCA intends to publish its final rules and revised Approach Document in a Policy Statement in Q3 2017, after HM Treasury finalises the PSRs 2017, so that it can take into account any further changes to the implementing legislation.

A further FCA consultation on matters related to the EBA mandates under PSD2 (such as the Regulatory Technical Standard on strong customer authentication and common and secure open standards of communication) will be issued in mid-2017 and the proposals finalised in autumn 2017, subject to progress on the various EBA workstreams.

01 July 2017

The FCA intends to publish its final rules and revised Approach Document in a Policy Statement in Q3 2017, after HM Treasury finalises the PSRs 2017, so that it can take into account any further changes to the implementing legislation.

A further FCA consultation on matters related to the EBA mandates under PSD2 (such as the Regulatory Technical Standard on strong customer authentication and common and secure open standards of communication) will be issued in mid-2017 and the proposals finalised in autumn 2017, subject to progress on the various EBA workstreams.

16 May 2017 Next key event
13 July 2017

The deadline is set by Article 95(3) of PSD2, which requires the EBA to issue guidelines in relation to the establishment, implementation and monitoring of the security measures that payment service providers (PSPs) are required to put in place.

Under PSD2, PSPs will have to establish appropriate mitigation and control mechanisms to manage the operational and security risks relating to the payment services they provide. This has to include effective incident management procedures. These guidelines will complement the EBA's regulatory technical standards (RTS) on strong customer authentication and secure communication.

Note that guidelines are not the same as binding regulatory technical standards. Article 16 of Regulation (EU) No 1093/2010 (under which the guidelines will be issued) states: "The competent authorities and financial institutions shall make every effort to comply with those guidelines and recommendations." However, the European Commission will review how the guidelines are being applied, and it has the power under PSD2 to direct the EBA to produce binding regulatory technical standards around security measures. 

13 January 2018

The deadline has been set by Article 115 of PSD2.

The impact of Brexit is unknown currently.

13 January 2018

The deadline has been set by Article 96 of PSD2, under which a payment service provider (PSP) must notify a major operational or security incident "without undue delay" to the competent authority.

The guidelines on incident reporting will be addressed to:

(a) PSPs on (i) the classification of major operational or security incidents that PSPs have to notify, (ii) the content and format of notifications (including standard notification templates) and (iii) the procedures for notification; and

(b) competent authorities on the criteria for how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.

Once adopted, the guidelines have to be reviewed at least every 2 years.

13 January 2018

The CMA's Retail Banking Market Investigation report requires the nine named institutions to make personal and business current account transaction data available through open APIs by this date.

November 2018

The EBA has admitted that this date could move into 2019.

Under PSD2, Members States must ensure the application of the security measures referred to in Articles 65 (Confirmation on the availability of funds), 66 (Rules on access to payment account in the case of payment initiation services), 67 (Rules on access to and use of payment account information in the case of account information services) and 97 (Authentication) from 18 months after the date of entry into force of the RTS (the date of publication of the final RTS in the Official Journal of the EU).

BY 2019

In its report setting out the Open Banking Standard, the UK Open Banking Working Group (OBWG) states its intention that the full scope of the Open Banking Standard (including business, customer and transactional data) should be reached by 2019.