PSD2 compliance to enter the era of Open Banking

PSD2 (EU Directive 2015/2366 on Payment Services in the Internal Market) is the second European Payment Services Directive, published in the Official Journal of the EU on 23 December 2015. Its primary objectives are to open access to bank payment account data for licensed third-party providers (TPPs), strengthen consumer protection and payment security through Strong Customer Authentication (SCA), promote innovation and competition in the payments market, and create a harmonized European payments framework applicable across all EU member states.

XS2A stands for Access to Accounts: the technical mechanism by which PSD2 requires banks and account-holding payment service providers (ASPSPs) to grant licensed third-party providers access to customer payment account data and payment initiation services via secure APIs. XS2A is the cornerstone of Open Banking under PSD2: it mandates the API interface, defines the security and authentication requirements (SCA, certificate-based authorization), and specifies the operational obligations (availability, performance, TPP support) that ASPSPs must fulfil. 

LUXHUB’s PSD2 XS2A is a fully managed, mutualized compliance platform that provides ASPSPs (Account Servicing Payment Service Providers) with a complete technical and operational solution for meeting PSD2’s Regulatory Technical Standards. It encompasses API management and hosting, TPP (Third-Party Provider) identification and authorization, monitoring and performance reporting dashboards, 24/7 infrastructure management, mandatory TPP Helpdesk support, regulatory alerts, and support for legal reporting obligations. The platform is hosted in a Tier IV data center in Luxembourg.

LUXHUB’s PSD2 XS2A platform has been adopted by more than 40 ASPSPs across Europe, making it one of the largest Open Banking hubs on the continent. The platform handles millions of API calls monthly, reflecting its scale, reliability, and the breadth of its adoption across banks of different sizes and in multiple European jurisdictions. LUXHUB was founded specifically to address PSD2 compliance when the directive first came into force in 2018. 

LUXHUB’s XS2A solution provides a comprehensive suite of technical services: complete management of ASPSP XS2A APIs across three technical environments (integration, pre-production, production); identification and authorisation of licensed TPPs using eIDAS certificates and European regulatory registers, real-time API performance monitoring and availability tracking; regulatory monitoring when PSD2 technical standards change; and legal reporting support for national competent authority submissions.

Mutualization is the founding concept behind LUXHUB: rather than each bank independently building and maintaining its own PSD2 XS2A API infrastructure, LUXHUB provides a shared platform where multiple ASPSPs participate. This dramatically reduces each institution’s individual compliance investment, accelerates time-to-market, and ensures continuous alignment with evolving regulatory requirements without each bank having to maintain dedicated compliance teams. Mutualized costs and shared infrastructure are particularly valuable for smaller institutions that would otherwise face disproportionate compliance burdens. 

SCA (Strong Customer Authentication) is a PSD2 requirement mandating that electronic payment transactions and account access be authenticated using at least two of three independent elements: something the customer knows (e.g. PIN or password), something they possess (e.g. mobile device or card reader), and something they are (e.g. fingerprint or facial recognition). LUXHUB’s XS2A platform manages the complete SCA flow between the ASPSP and TPPs, ensuring that all access to payment accounts is authenticated in line with the PSD2 Delegated Regulation (EU) 2018/389.

LUXHUB’s XS2A platform is designed to serve all three types of PSD2-authorised third-party providers: AISPs (Account Information Service Providers) that retrieve account balances and transaction history; PISPs (Payment Initiation Service Providers) that initiate payment orders from the customer’s account; and CBPIIs (Card-Based Payment Instrument Issuers) that verify the availability of funds. LUXHUB manages the identification and authorisation of all these TPP categories using eIDAS certificates validated against European regulatory registers.

An ASPSP (Account Servicing Payment Service Provider) is any financial institution that provides and maintains payment accounts for customers, typically a bank, credit institution, or e-money institution. Under PSD2, ASPSPs must provide licensed TPPs with non-discriminatory API-based access to customer payment account data (with customer consent), maintain 99.9%+ availability, offer dedicated sandbox and production environments, operate a mandatory TPP Helpdesk, and report to their National Competent Authority on API performance and contingency measures. 

A PSD2 contingency mechanism is a fallback access method that ASPSPs must maintain to allow TPPs to continue accessing customer account data if the dedicated XS2A API is unavailable. Under the PSD2 Regulatory Technical Standards, ASPSPs that have received an exemption from the contingency interface requirement must ensure their dedicated API achieves high availability and performance thresholds. LUXHUB’s XS2A platform is designed to meet these performance requirements and manages the associated monitoring and reporting obligations on behalf of its ASPSP clients.

The European Commission has proposed replacing PSD2 with a new framework consisting of PSD3 (a revised directive) and PSR (Payment Services Regulation), which will introduce more prescriptive, directly applicable rules across EU member states. PSR is expected to strengthen Open Banking API standards, expand TPP access rights, enhance fraud prevention obligations (including fraud information sharing), and extend consumer protections. LUXHUB is actively involved in European industry working groups, and is developing its platform to adapt to PSD3/PSR requirements as they are finalised.

LUXHUB holds a Support Professional of the Financial Sector (Support PFS) status granted by Luxembourg’s Ministry of Finance, operating under CSSF supervision. It also holds ISO 27001 information security certification and AISP/PISP licences under PSD2. LUXHUB was created by and initially served four of Luxembourg’s major banks, giving it deep institutional credibility and regulatory familiarity. Its XS2A platform has been externally validated through adoption by 40+ ASPSPs across Europe. 

To begin the PSD2 XS2A onboarding process with LUXHUB, financial institutions can request a consultation via the dedicated contact form, download the XS2A product brochure, or contact LUXHUB directly at info@luxhub.com or +352 288 076. LUXHUB’s team will assess your current API infrastructure, define the integration architecture, provide a timeline and cost estimate, and guide your institution through the full compliance journey from sandbox testing to production go-live.