TL;DR: PSD2 still requires Strong Customer Authentication for nearly all remote and electronic payments, while UK firms continue to face FCA scrutiny over fraud detection, exemption use, and audit trails, according to Sift. As payment flows shift toward wallets, open banking, and account-to-account payments, the governance problem is no longer just compliance, but control consistency across channels.
NHIMG editorial — based on content published by Sift: PSD2 Compliance: A Checklist to Secure Payments and Fraud Prevention
Questions worth separating out
Q: What breaks when PSD2 exemptions are used without strong fraud monitoring?
A: Exemptions stop being a friction-reduction tool and become a hidden trust channel.
Q: Why do SCA and consent controls matter for open banking transactions?
A: Open banking relies on both authentication and transaction-specific consent.
Q: How do you know if PSD2 controls are actually working?
A: Look for evidence across the whole payment path, not just approval rates.
Practitioner guidance
- Map every payment journey to a distinct authentication rule Document which checkout, wallet, open banking, and merchant-initiated flows require SCA, which qualify for exemptions, and which fallback paths exist when 3D Secure or app-based challenges fail.
- Track exemption performance against fraud thresholds Measure challenge rate, approval rate, soft decline rate, chargeback rate, and fraud rate for every exemption type, then review those metrics against the thresholds that justify continued use.
- Bind consent and payment intent together For account-to-account and open banking flows, require dynamic linking so the authentication event is tied to the exact amount and payee, and retain consent records in an auditable form.
What's in the full article
Sift's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on implementing Strong Customer Authentication across card-not-present, wallet, and open banking flows
- Practical advice on using PSD2 exemptions without drifting outside fraud thresholds or audit expectations
- Detailed handling patterns for soft declines, mobile challenge drop-off, and issuer-side authentication failures
- A checklist for preparing for PSD3 and the UK’s evolving payment-services regime
👉 Read Sift's PSD2 compliance checklist for payments and fraud prevention →
PSD2 compliance in 2025: are SCA and exemption controls enough?
Explore further
PSD2 compliance is now an identity governance problem, not just a payments-rule problem. The article shows that authentication, consent, and transaction binding are the real control surfaces. That means payment teams, IAM teams, and fraud teams have to share a common assurance model rather than manage separate checkpoints. Practitioners should treat PSD2 as a transaction identity framework, not just a legal checklist.
A question worth separating out:
Q: Who is accountable when delegated payment authentication fails?
A: Accountability depends on where the authentication decision was made, who owned the exemption or delegation policy, and whether the evidence trail is complete. If a merchant, wallet, or issuer participates in the assurance chain, each party needs clear ownership for logging, review, and dispute handling under SCA governance.
👉 Read our full editorial: PSD2 compliance now hinges on stronger authentication and fraud control