Risk & Compliance

Complying with PSD2: training for every line of defense

Date:October 27, 2023

In today’s technological world, it is essential for banks and payment service providers to be aware of regulatory and compliance requirements. Since the introduction of the Revised Payment Services Directive (PSD2), it has become imperative for financial institutions to ensure effective compliance and protection of customer data. To meet these requirements, it is critical for the “Three Lines of Defense” within your organization to be aware of all aspects of compliance with PSD2.

The legal framework surrounding PSD2 represents a complex set of requirements that the Three Lines of Defense of banks and payment service providers regularly get caught up in. It is therefore important that compliance and internal audit understand where the risks are greatest and the first line understands how the second and third lines are monitoring this.

Three lines of defence  

  1. First line of defense – The business line:
    The first line of defense, also known as the business line, consists of the frontline employees who have direct contact with customers. They play a crucial role in ensuring PSD2 compliance. It is essential that they are aware of the requirements related to obtaining customer consents, managing personal data and protecting privacy. Training on compliance with PSD2 can equip them with the knowledge and guidance needed to comply with these obligations and adequately protect customer data.
  2. Second line of defense – Risk management and compliance:
    The second line of defense consists of the organization’s risk management and compliance departments. They are responsible for developing and implementing effective policies and procedures to ensure PSD2 compliance. PSD2 training can also be useful for the second line of defense to help them understand the specific risks and challenges posed by the directive. This will make it easier for them to develop appropriate controls and monitoring mechanisms to manage these risks.
  3. Third line of defense – Internal audit:
    The third line of defense is responsible for monitoring and managing compliance risks. It is critical that these professionals have a thorough understanding of the requirements of PSD2 to ensure their organizations are compliant and avoid potential fines and reputational damage.

PSD2 training

Projective Group’s consultants have substantive knowledge and practical experience at a large number of financial institutions. These have been incorporated into an interactive training where participants are taken through the essential topics of PSD2 at a fast pace during a 3.5-hour training session. The focus of the training is a deep-dive into the legal framework of PSD2, including the Regulatory Technical Standard and EBA Guidelines. This will include zooming in on at least:

  1. Acces to the account (XS2A)
  2. Strong Customer Authentication (SCA)
  3. The interplay between GDPR and PSD2
  4. Liabilities and refunds
  5. ICT and Security Risk management

Because the entire legal framework surrounding PSD2 serves as a starting point, there is also the opportunity to dwell on topics that participants want to know more about and to make excursions into daily practice. The training is designed to captivate participants of any knowledge level and quickly goes from a basic level into depth. The training can be delivered both in English and in Dutch.

Benefits of the training

  1. Up-to-date knowledge: PSD2 compliance training provides professionals across all lines of defense with the opportunity to update their knowledge and stay abreast of the latest regulations and best practices.
  2. Practical skills: The training is designed to provide professionals with hands-on experience and practical skills. They learn how to implement the increased security and privacy requirements of PSD2 and how to identify and address potential risks. This includes learning how internal audit, compliance and first-line look at PSD2 compliance and what tools can be used to do so.
  3. Legal basis for business, compliance and audit: The training takes the PSD2 law as a starting point through it step by step and connects it to the relevant Regulatory Technical Standards and Guidelines of the EBA and EDPB. In this way, professionals are enabled to put their finger on the sore spot in the organization.
  4. Opportunity for all lines of defense to ask vulnerable and pressing questions: Based on previous trainings, our experience is that knowledge levels can vary greatly between the different lines of defense. This training provides an opportunity for professionals to be vulnerable in front of an independent expert. In this way, all lines of defense come up to speed.


Are you interested in a PSD2 training for your organisation? Consultant Maarten van Denzen will be happy to tell you more about the trainings for the first, second and third line. Feel free to contact him at