Payment Service Directive (PSD2)

Attention! Swedbank expands Account Information Service and starts to provide other banks’ statements in Swedbank Internet Bank. Private and corporate customers who also have accounts in:

• AB SEB bankas in Lithuania;
• AS SEB banka in Latvia;
• AS SEB PANK in Estonia;
• AS LHV Pank in Estonia;
• AS CITADELE in Lithuania;
• AS CITADELE in Latvia;
• AS CITADELE in Estonia;
• AS Luminor Bank in Lithuania;
• AS Luminor Bank in Latvia;
• AS Luminor Bank in Estonia;

as well as Swedbank banks in other Baltic countries (Lithuania, Latvia and Estonia) are able to see the balances and statements of these accounts in their Swedbank internet bank facility. Customers can also manage their consents, given to view this information, in Swedbank internet bank. You can find out the most important information about Account Information service here.

• All access to account information requires the customer's consent. Third party provider will asl for your consent and you will be able to give it in its interface (for example, company’s providing such service, website).
• You will need to verify your consent with means of identification granted to you by Swedbank (for example, Smart-ID, PIN generator). Important: you will not be able to grant consent while using code cards.
• You can choose which information you want third party service provider to see: account number, account balance or account statement. Third party provider will only see information of the accounts you can make payments from.
• Customers can see their given consents when they log in to their internet bank for private customers or internet bank for corporate customers.

• Companies wishing to become TPPs must apply for, and obtain, a permit or be registered by the Financial Supervisory Authority.
• A customer who wishes to use a previously unknown TPP should first and foremost check that the TPP has the proper registration/ authorization with the local FSA. You can check this here.

• Legislation prohibits TPPs from using the data for purposes other than the one for which the customer’s approval has been granted.
• The TPPs should of course also comply with the General Data Protection Regulation.
• Important! You should remember that you must act carefully before granting the consent to third parties. Always familiarize yourself in detail with conditions of the contract that is being concluded.

• Customer must first report the transaction to the bank that provides the account from which the payment has been made. This needs to be done in time stated in the Payment Law (13 months from payment processed).
• A payment initiation service provider is responsible to the bank if the bank has given the customer compensation for a loss caused by the payment initiation service provider.
• Important! You could be obliged to pay the loss for unauthorized payment operations which sum dies not exceed 50 EUR if the loss was incurred due to lost or stolen means of payment use or illegal appropriation of mean of payment.

On 14 September 2019 in EU, an amendment to Second Payment Service Directive (PSD2) Regulatory technical standards (RTS) comes into force, defining practical implementation measures for PSD2. Requirements for Strong Customer Authentication (SCA) and common open standards for communication between different service providers will come into force to make payments even more secure.

New technical standards for online card purchases take effect on 1 January 2021.

Among many other requirements to which service providers will gradually adopt their payment processes, for online card payments it means that SCA will be required.

Strong Customer Authentication (SCA) means that an authentication is made based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).

For SCA authentication elements are categorised:

• Something the customer knows: e.g., password or PIN
• Something the customer has: e.g., phone or hardware token
• Something the customer is: e.g., fingerprint or face recognition

Authentication methods compliant with SCA provided by Swedbank:

• Smart-ID: your smart device combined with your pin code
• Mobile ID: SIM card in your smart device combined with your pin code
• PIN Generator: your PIN device combined with your pin code
• National ID: your eID card combined with your pin code
• Payment card: your payment card combined with your pin code
• Biometrics via Swedbank app: your smart device combined with your biometric data

Payments in store:

Payments in store will be processed as usual either by confirming the payment with the PIN code or using contactless card, smart watch or other device.

Online payments:

Along with implementation of RTS, stronger authentication means will be used for online shopping. It indicates that merchants will be verifying identity of cardholder by requesting SCA. This would require merchants to ensure technical solution called 3D-Secure – identity confirmation method in web environment already used by e-commerce merchants today.

It is important to note, that more and more online shops will ask to authenticate payment strongly, that means to reapprove it with authentication measures: Smart -ID, Mobile ID, National ID, or PIN generator.