PSD2 (Payment Services Directive 2) is the revised European payments directive that has been in effect in the Netherlands since February 2019. This law requires banks, with explicit customer consent, to allow third parties such as FinTech companies to access payment account data. The aim is to stimulate competition and innovation in the payments market, allow new players and promote customer-centric payment services.

Under PSD2, service providers can apply to De Nederlandsche Bank for two types of licenses:

• Account Information Service Providers (AISP): parties allowed to view and aggregate payment data, for example, in apps that combine multiple bank accounts.

• Payment Initiation Service Providers (PISP): parties that may make payments on behalf of customers from their bank accounts.

Access to payment data raises significant privacy and security issues. Because it involves highly sensitive personal data, strict rules apply to processing and storage. Data may only be used for specific services and not for commercial purposes without explicit and renewable customer consent.

In practice, PSD2 has led to new services, such as personal financial dashboards and alternative payment services, as well as concerns about data sharing with large technology companies, the risks of fraud, and the need for robust IT security.

Current discussion points around PSD2 include:

• The balance between innovation and personal data protection.

• The interpretation and enforcement of "explicit consent.

• Coherence with new European regulations such as the Payment Services Regulation (PSR) and the Digital Operational Resilience Act (DORA).

• The role of PSD2 in the broader European push for an integrated digital financial market.

PSD2 has broken the monopoly of banks on payments, but it also makes clear that the core of our financial system - and the privacy of payment data - is increasingly in tension between technological innovation and stricter safeguards for consumers.