Acronyms and concepts explained clearly.
3D Secure (3DS) — card authentication protocol
Strong authentication protocol for online card payments. The current version, 3DS2, enables biometrics, frictionless payments and the application of SCA exemptions.
Aadhaar — India's digital identity system
India's national digital identity system run by the UIDAI, assigning a unique 12-digit number to more than 1.3 billion Indians. A mass-identity model that has become the foundation of financial inclusion (India Stack) and an inspiration for eIDAS 2 / the EUDI Wallet.
Autorité de Contrôle Prudentiel et de Résolution (French Prudential Supervision and Resolution Authority)
France's regulator for banks, insurers and fintechs. It is the ACPR that grants PSP, AISP and PISP authorisations — and that can withdraw them.
Acquirer / Issuer — the two sides of a card payment
In the four-corner card payment model, the issuer is the cardholder's bank and the acquirer is the merchant's. Two symmetrical roles, but two very different businesses in practice.
Payment Service Provider Agent
A model that lets a player without its own authorisation distribute the services of a PSP (PI or EMI) under its own brand, relying on the authorisation of the 'principal'. The standard model in Banking-as-a-Service.
Account aggregation
An AISP's core service: bringing together in one place the PSU's account data held across several banks. The common building block beneath PFM, BFM, scoring and embedded finance.
Account Information Service Provider
An authorised provider that reads your bank accounts — balances and transactions — with your consent. It views, it never initiates a payment.
Anti-Money Laundering / Combating Money Laundering and Terrorist Financing (AML/CFT)
The family of obligations that require financial players to know their customers (KYC), monitor their transactions and report any suspicious activity to TRACFIN. Framed by the European AML directives and the upcoming AMLR / AMLA regulation.
Authorised Push Payment fraud
Fraud in which the victim is manipulated into authorising a transfer themselves to an account controlled by the fraudster. The #1 target of instant transfers and SCT Inst, capped by the PSR / 2026 reform.
Account Servicing Payment Service Provider
This is the bank. It holds your accounts and, since PSD2, is obliged to expose their data and payment functions to the TPPs you authorise.
Banking-as-a-Service
A model where a credit institution or EMI exposes its authorisations and infrastructure (accounts, cards, payments) via API to fintechs or non-banking brands. Treezor, Swan, Solaris, Modulr in Europe.
French central bank (a member of the Eurosystem)
The French central bank. Beyond monetary policy, it hosts the ACPR, operates the national payment systems and safeguards financial stability.
Berlin Group (NextGenPSD2)
European consortium of banks and providers that maintains the NextGenPSD2 standard — the most widely adopted PSD2 API standard in Europe outside France.
Bank Identifier Code
The international SWIFT code that identifies a bank (8 or 11 characters). No longer mandatory within SEPA since 2016, but essential for international transfers outside the euro area.
Buy Now Pay Later — split payment in instalments
A payment solution that lets a consumer buy now and pay later, typically in 3 to 12 interest-free instalments or on a deferred basis. A market dominated by Klarna, Alma, Younited Pay, FLOA and PayPal Pay in 4. Subject to tighter oversight under the Consumer Credit Directive 2 (CCD2).
Bridge — French account aggregator and payment initiator
A French fintech providing bank account aggregation (AISP) and payment initiation (PISP) APIs. The B2B brand spun out of Bankin' (Perspecteev SAS), separated from the consumer business in 2022 with Groupe BPCE and Truffle Capital taking a stake.
Cash flow underwriting (flow-based underwriting)
A credit-granting method based on analysing actual bank flows (AIS) rather than payslips and credit bureaus alone. It makes it possible to score poorly covered profiles (freelancers, first-time borrowers, SMEs).
Bank transaction categorisation
The step that turns a raw label ("CB CARREFOUR 23/04") into a useful category ("Groceries › Supermarket"). An invisible but critical building block for PFM, BFM, scoring and automated accounting.
Cartes Bancaires (Groupement des Cartes Bancaires)
France's historic card payment scheme, operated by the GIE CB. Most cards in France are co-badged CB + Visa or CB + Mastercard, with priority routing over CB domestically.
Card Based Payment Instrument Issuer
The issuer of a card backed by an account held at another bank. Before each payment, it asks that bank a single question: "are the funds available?"
Consumer Data Right (Australia)
Australia's Open Data regime covering banking, energy and soon telecoms. Broader than PSD2 from the outset, it introduces the notion of "Action Initiation" that goes beyond classic payment initiation.
Chargeback (card payment dispute procedure)
A procedure governed by the card schemes that lets a cardholder, through their issuing bank, dispute a transaction and obtain an automatic refund. A major economic risk for e-commerce merchants.
Financial Investment Advisor (Conseiller en Investissements Financiers)
A French status for advising a client on financial instruments (equities, collective investment schemes, financial contracts). It requires registration with ORIAS and membership of an AMF-approved professional association.
European Commission (the Commission, EC)
The executive of the European Union. It is the body that proposes the directives and regulations (PSD2, PSD3, FIDA, MiCA, etc.) that shape the whole of European fintech.
Digital Operational Resilience Act
A European regulation that took effect in January 2025, imposing a strict IT resilience framework on all financial players — banks, fintechs, insurers, CASPs.
Payment Services Directive 2 (PSD2)
European directive that took effect in 2018 and created Open Banking in Europe: it requires banks to open up their APIs and gave rise to AISPs, PISPs and CBPIIs.
Payment Services Directive 3 (PSD3)
Successor to PSD2, proposed in June 2023. It strengthens the fight against fraud, raises the expected API quality and clarifies liabilities. Targeted application: 2026–2027.
European Banking Authority
The European Banking Authority. It writes the technical standards (RTS) and guidelines that every bank and fintech in the EEA must apply.
Credit Institution (Établissement de Crédit)
The classic 'bank' in the regulatory sense: the only status allowed to take deposits from the public and grant credit. Licensed by the ACPR + ECB for the largest ones.
eIDAS 2 Regulation — European digital identity
Regulation (EU) 2024/1183 modernising the 2014 eIDAS framework, creating the European Digital Identity Wallet (EUDI Wallet) that Member States and major private players must recognise from 2026-2027.
eIDAS Trust Service Provider
Qualified trusted third party that issues the QWAC and QSealC certificates every TPP needs to identify itself to European banks.
Embedded finance
Native integration of financial services (account, payment, credit, insurance) within a non-financial product. Uber pays its drivers with a built-in wallet; Shopify offers credit to its merchants.
Electronic Money Institution (Établissement de Monnaie Électronique)
A specific status for issuing and managing electronic money: wallets, prepaid cards, Banking-as-a-Service accounts. Treezor, Swan and Sumeria are French EMIs.
EMV (chip) and NFC (contactless)
EMV is the worldwide chip card standard (1996, Europay-Mastercard-Visa) that eliminated fraud from magnetic-stripe copying. NFC is the contactless radio layer that sits on top of EMV.
Bank transaction enrichment
A layer on top of categorisation: it adds the merchant logo, company profile, MCC, geolocation, a normalised merchant identifier, subscription identification, and more.
Payment Institution (Établissement de Paiement)
A status created by PSD1 for players specialising in payment services (transfers, direct debits, acquiring, AIS, PIS) without deposits or credit. Typical cases: Lydia, Qonto, Fintecture, Bridge.
European Digital Identity Wallet
A mobile app provided by each Member State, containing the citizen's official identity, their verified attributes (driving licence, diploma, etc.) and a qualified signature key. The operational building block of eIDAS 2.
Financial-grade API — OAuth security profile for finance
An OAuth 2.0 / OpenID Connect security profile designed specifically for financial APIs. Standardised by the OpenID Foundation, FAPI 1.0 (final 2021) and FAPI 2.0 (final 2024) strengthen authentication, token binding and protection against attacks. Used by OBIE UK, CDR Australia, Open Finance Brazil.
Financial Data Exchange
The US Open Banking API standard, driven by the industry (banks + fintechs) rather than by a regulator. It is the US counterpart to the Berlin Group, pre-positioned for the CFPB's upcoming Section 1033.
FedNow Service — Federal Reserve Instant Payment
The US instant payment system launched by the Federal Reserve in July 2023. Available 24/7, it competes with TCH's private RTP rail in a US landscape that is fragmented and slow to adopt instant payments.
Financial Data Access Regulation
A European regulation proposed in June 2023 that extends Open Banking to all financial data: savings, lending, insurance, investment. This is official Open Finance.
Fintecture — French payment initiation provider (PISP)
A French fintech that is a pure-play PSD2 payment initiation provider (PISP), founded in 2018. It specializes in B2B and high-ticket e-commerce payments via SCT Inst, competing head-on with cards for payments above €1,000.
Redirect, Decoupled, Embedded
The 3 strong-authentication modes set out by PSD2. Each bank favours one or another, and the choice directly drives conversion and user experience.
FranceConnect / FranceConnect+ — French identity federation
France's identity federation system operated by the DINUM, letting users access more than 1,500 public and private services through a single third-party account (Impôts, Ameli, La Poste, MSA, etc.). A pre-EUDI building block for France.
HTTP Message Signatures (RFC 9421) — application-level HTTP signature
An IETF standard (RFC 9421, finalized 2024) defining a mechanism for signing HTTP requests and responses. It provides application-level integrity/authenticity on top of TLS, required by PSD2 RTS-SCA for TPPs in the EU (signed with a QSealC).
International Bank Account Number
The unique, international identifier of a bank account. In France, 27 characters that encode the bank, the branch, the account number and a check key all at once.
Idempotency key — guarantee that an API request runs exactly once
A mechanism by which a client sends a unique identifier with a mutating API request (POST), ensuring that on a network retry the operation will be executed only once on the server side. A critical best practice for payment APIs.
Intermédiaire en Opérations de Banque et en Services de Paiement (banking and payment services intermediary)
A French status that governs the brokerage of credit and banking services. Registration with the ORIAS, in 4 categories depending on whether you act as a bank's agent, a client's agent, a broker or a MIOBSP.
ISO 20022 — the universal standard for financial messages
An ISO standard published in 2004 and gradually adopted as the common language of financial messages (payments, securities, FX, trade finance). It replaces SWIFT MT and ISO 8583. A major migration in 2022-2025 for SEPA, SWIFT, CHAPS and Fedwire.
ISO 8583 — card messaging standard (acquiring, authorization)
An ISO standard published in 1987 defining the format of messages exchanged between card players (POS terminal, acquiring PSP, scheme, issuer). It remains the dominant standard for card authorization, acquiring and settlement. Visa, Mastercard, CB and Amex all use it.
JSON Web Token, Signature and Encryption — application-level tokens and encryption
A family of IETF standards (RFC 7515-7519) defining a compact format for carrying signed and/or encrypted claims. A fundamental building block of modern authentication (OAuth, OIDC, FAPI), application-level signing and the secure transport of structured data.
Know Your Customer / Know Your Business
A regulatory obligation to verify the identity of every customer (KYC) or business (KYB) before opening an account. A pillar of anti-money-laundering, imposed on every fintech.
Liability shift (transfer of fraud liability)
Card-scheme mechanism whereby liability for a fraudulent transaction shifts from the merchant to the issuing bank when 3DS2 is used. A major economic incentive for pushing 3DS2.
Merchant Discount Rate, interchange and scheme fees
Breakdown of the fees a merchant pays to accept a card: interchange (to the issuer) + scheme fees (to the scheme) + acquirer fee (to the PSP) = MDR. Capped in the EEA by the IFR.
Markets in Crypto-Assets Regulation
European regulation that entered into force in 2024–2025 to govern crypto-assets: CASP authorisation, oversight of stablecoins and investor protection.
mutual TLS
Two-way TLS: the client presents a certificate to the server, just as the server presents one to the client. This is the mechanism that lets a bank recognise a TPP on every call.
National Competent Authority
The national financial regulator of each EEA country. In France it is the ACPR, in Germany BaFin, in the UK the FCA. They all apply the same European rules.
Open Authorization 2.0
Delegated-authorization standard used everywhere on the web. In PSD2, it is what materialises the PSU's consent and governs the access tokens of the TPPs.
CMA9 / Open Banking Limited (OBL, formerly OBIE)
The UK's Open Banking regime, launched in 2018 under a CMA mandate. A global pioneer, more structured than PSD2, it inspired most of the world's other Open Banking regimes.
Brazil's Open Finance — formerly Open Banking Brasil
Brazil's Open Finance regime, the most ambitious in the world by scope. It already covers accounts, credit, investments, FX, pensions and insurance — far beyond PSD2 or Open Banking UK.
Payment Account Owner
The owner of the account that will be debited in a transaction. The term comes into its own when the payer is not the direct user of the payment service.
European passport — freedom to provide services and freedom of establishment
Mechanism that lets a PSP authorised in one EEA Member State operate in the other 29 without a new authorisation, either under the freedom to provide services (FPS) or via a branch (FoE).
PayPal — historic wallet and third-party acquirer
The historic payment wallet (1998), a pioneer of global e-commerce. It acts at once as a consumer wallet ("Pay with PayPal"), a third-party acquirer for merchants, and an EMI in Europe. More than 400M active accounts.
Politically Exposed Person
A person who holds or has held a prominent public function (head of state, minister, member of parliament, judge, head of a public enterprise…), or someone in their close circle. Subject to enhanced AML/CFT due diligence.
Personal Finance Management / Business Finance Management
Categories of apps that build on aggregation and enrichment to offer budgeting, tracking, forecasting and advice. PFM on the consumer side (Bankin', Linxo), BFM on the business side (Pennylane, Qonto, Indy).
Payment Initiation Service Provider
A regulated provider that initiates a transfer straight from your bank account — directly, with no card and no traditional payment intermediary.
Pix — Brazil's instant payment system
A free instant payment system launched by the Central Bank of Brazil in 2020. In four years it overtook cards by volume and became a global benchmark for the success of a public payment rail.
Plaid, MX, Akoya — US Open Banking aggregators
Three US Open Banking leaders: Plaid (founded 2013, the undisputed leader, connected to 12,000+ banks), MX (Utah, 2010, more enterprise-focused), Akoya (founded 2018 by Fidelity + 11 banks, a data exchange model based on API tokens rather than screen scraping). A fragmented US market — more tech-driven than the EU but less regulated.
POS, TPE, mPOS, SoftPOS — card acceptance terminals
The family of in-person acceptance solutions. The traditional terminal (Ingenico, Verifone), mPOS (a Bluetooth reader + smartphone, e.g. SumUp), SoftPOS (Tap to Pay on the merchant's own phone, with no dedicated hardware).
Payment Recipient
The beneficiary of a payment: the person or company whose account will be credited. Always identified by their IBAN in PSD2 APIs.
Prestataire de Services sur Actifs Numériques (French digital-asset service provider) / Crypto-Asset Service Provider
Crypto statuses: PSAN is the French registration/authorisation (PACTE law, 2019), while CASP is the single European authorisation introduced by MiCA. PSAN is being phased out in favour of CASP by the end of 2026.
Acquiring Payment Service Provider (acquirer / payment processor)
The player that contracts with merchants to let them accept payments (cards, transfers, wallets). Stripe, Adyen, Worldline, Mollie and Checkout.com are the European leaders.
Payment Services Regulation
The European regulation paired with PSD3. Unlike a directive, it applies directly in every member state — with no transposition and no local interpretation.
Payment Service User
The PSU is you: the end user of a payment service, individual or business, who holds the account and gives (or refuses) consent.
Qualified Electronic Signature — eIDAS qualified electronic signature
The electronic signature at the highest eIDAS level, carrying the same legal value as a handwritten signature throughout the EU. It relies on a qualified certificate issued by a qualified TSP and a secure creation device (QSCD).
Qualified electronic Seal Certificate
The eIDAS certificate that signs every HTTP request from a TPP at the application level. It is the legally enforceable proof that survives proxies, logs and intermediaries.
Qualified Website Authentication Certificate
The eIDAS certificate that proves a TPP's identity at the transport level (mTLS). It is the passport every fintech must present on each call to a banking API.
SEPA Request-to-Pay (SRTP) — payment request
An EPC scheme that standardises payment requests between PSPs. It lets a payee (merchant, creditor) push a payment request to the payer, who decides whether to accept and execute it (typically as an SCT Inst). The underlying building block for Wero merchant and SEPA Instant e-commerce payments.
Regulatory Technical Standards
Binding technical standards drafted by the EBA and adopted by the Commission. They spell out how to apply a European directive in practice.
Strong Customer Authentication
Strong authentication mandated by PSD2: to validate a payment or a sensitive access, you must prove two things out of 'something you know, something you have, something you are'.
Alternative credit scoring
Assessing a borrower's creditworthiness using data beyond the traditional credit bureau: AIS bank flows, payments, digital behaviour, telecom data.
Sanctions screening
Systematic, ongoing verification that a customer, counterparty or transaction does not appear on international sanctions lists (OFAC, EU, UN, national NCAs). An operational pillar of AML/CFT.
SEPA Credit Transfer
The classic SEPA credit transfer. Max one business day, free or near-free between EUR accounts; it is the instrument used for salaries, invoices and supplier payments.
SEPA Instant Credit Transfer
The instant SEPA credit transfer: under 10 seconds, 24/7, up to €100,000. Mandatory across the eurozone since 2025. It is the new standard for European payments.
SEPA Direct Debit
The SEPA direct debit. It is the payee that debits your account based on a mandate you have signed. Ideal for subscriptions and recurring invoices.
Single Euro Payments Area
The single euro payments area. Around forty countries, with common rules to transfer, debit and pay in EUR as if it were a single domestic market.
Stablecoin — crypto-asset backed by a fiat currency (USDC, EURC, USDT)
A crypto-asset whose value is stabilised by being backed by a traditional currency (USD, EUR) or a basket of assets. The market is dominated by USDT (Tether), USDC (Circle), EURC. Regulated in the EU by MiCA since June 2024.
Systèmes Technologiques d'Échange et de Traitement (French exchange and processing technology systems)
A French company that operates the CORE(FR) clearing system and publishes the reference PSD2 API in France — the one implemented by BNP, Société Générale, BPCE, Crédit Agricole and others.
Stripe, Adyen, Mollie, Worldline — global leaders among acquiring PSPs
Four global leaders among acquiring PSPs (acquirers / payment processors): Stripe (US, the cloud-native leader), Adyen (NL, the enterprise unified-commerce leader), Mollie (NL, the EU SMB leader), Worldline (FR, the European incumbent by volume). Together they process a significant share of the world's digital payments.
Tink — European aggregator and PISP, a Visa subsidiary
A Swedish fintech founded in Stockholm in 2012, the European Open Banking leader, acquired by Visa in 2022 for €1.8bn. It covers AIS, PIS, KYC, credit scoring and transaction enrichment across 18 European markets with more than 3,400 banks.
TARGET Instant Payment Settlement — the ECB's instant settlement service
Central-bank-money instant payment settlement platform operated by the ECB since 2018. Settles SCT Inst payments between PSPs in a matter of seconds, 24/7/365. A cornerstone of Europe's Instant Payments infrastructure.
Card tokenisation (DPAN, network tokens)
Replacing the PAN (the card's 16 digits) with a token specific to a merchant, wallet or device. Limits exposure of the real card number and improves the authorization rate.
Third Party Provider
Umbrella term for any authorised third-party provider that plugs into banks' APIs. Three possible roles: read (AISP), pay (PISP), check funds (CBPII).
Traitement du Renseignement et Action contre les Circuits Financiers clandestins — France's financial intelligence unit
France's financial intelligence unit (FIU), attached to the Ministry of Finance. It receives suspicious activity reports from AML/CFT obliged entities, analyses them, and forwards them to the relevant judicial or administrative authorities.
Transaction monitoring (AML/CFT transaction surveillance)
Real-time or batch monitoring of a customer's flows to detect atypical (AML/CFT) or fraudulent operations. A key operational building block between KYC and a TRACFIN suspicious activity report.
Treezor, Swan, Solaris — European Banking-as-a-Service leaders
Three major Banking-as-a-Service (BaaS) players in Europe: Treezor (FR, acquired by Société Générale in 2019), Swan (FR, independent EMI from 2019), Solaris (DE, formerly Solarisbank). They let fintechs and non-banking companies embed banking services (account, card, transfer, IBAN) without being banks themselves.
TrueLayer — the UK leader in Open Banking and Pay by Bank
A British fintech founded in London in 2016, the UK leader in payment initiation (PIS) and account aggregation (AIS). A pioneer of Pay by Bank in e-commerce and an early mover on Variable Recurring Payments (VRP). Active in the UK + Ireland + continental EU.
Unified Payments Interface
India's instant payment system, launched in 2016 by the NPCI. It is the largest payment system in the world by volume — more than 16 billion transactions a month at the end of 2024.
Visa & Mastercard — international card schemes
The two dominant global card schemes, listed on the NYSE. They set the rules and interchange and operate the authorisation and clearing rails, but do not themselves issue cards or acquire merchants.
Verification of Payee
A service that checks the consistency between the payee name entered and the actual holder of an IBAN, mandatory for all SEPA transfers since October 2025. The flagship anti-APP-fraud measure of the IPR.
WebAuthn and Passkeys — passwordless strong authentication
A W3C / FIDO2 standard for strong authentication using asymmetric cryptography, enabling sign-in via biometrics or a physical key with no password. Passkeys are the synced, multi-device evolution, now standard on iOS, Android and Windows.
Webhook vs Polling — asynchronous API integration models
Two integration models for notifying a client of a server-side state change. The webhook (push) is triggered by the server, while polling (pull) consists of querying periodically. A defining choice in fintech API integration.
Wero — the unified European wallet of the European Payments Initiative
A European payment wallet launched in 2024 by EPI (European Payments Initiative), a consortium of 16 European banks (BNP, SG, BPCE, Crédit Mutuel, ING, Deutsche Bank, etc.). The ambition: a sovereign alternative to Visa, Mastercard, PayPal and Apple Pay, built on SEPA Instant.
xPay — Apple Pay, Google Pay and equivalent wallets
Payment wallets built into mobile OSes that tokenise bank cards (DPAN) and use biometrics for SCA. They account for a growing share of in-store and e-commerce payments.
Yapily — API-first Open Banking aggregator
A British fintech founded in London in 2017, positioned as the purest API-first, headless player in European Open Banking. It covers AIS and PIS across 19 EEA+UK countries. It favours an interface-free integration, aimed at tech companies that want to embed Open Banking in their product.