NextGenPSD2

The Berlin Group

Europe

Banking | Finance

Open Banking

• Account Information
• Payment Initiation

Open Finance

• Extended Payment Initiation Service
• Extended Services: single cards, loan accounts, savings accounts, securities accounts

The XS2A interface is required for obtaining consent to access account information, such as transaction history or account listings. The TPP must clearly explain to the PSU what rights they are granting, and the PSU must undergo strong authentication. After obtaining access rights, the TPP must provide the PSU with the outcome of the request. If the TPP cannot be identified at the XS2A interface, the transaction will be denied.

The standard defines four Strong Customer Authentication (SCA) models: redirect, OAuth2, decoupled, and embedded. It also includes dedicated consent management.

The framework consists of an introductory document, operational rules, detailed implementation guidelines, and an open API specification. Mobile Peer-to-Peer services, which use mobile devices to authenticate customers and release funds almost simultaneously, will require refinements to PSD2 processes. A public consultation occurred in March 2017, with version 1.2 released in November 2020.

Credit Cards | Investments | Current Accounts | Savings | Wallets or Prepaid | Lending

ISO 20022 | JSON | RESTful | XML

Regulated

The Berlin Group are following an open-source model for information sharing.

Premium

This initiative represents the Eurozone payment industry’s response to PSD2 legislation. The Berlin Group aims to enable payment systems across Europe to operate seamlessly across borders, like how they function within individual countries. As of January 2022, 69 organisations from 30 countries were collaborating to develop these standards.

The Berlin Group contributed to defining the “access to account” (XS2A) interface in alignment with PSD2 requirements. Under PSD2, an Account Servicing Payment Service Provider (ASPSP) must provide an interface allowing Third Party Payment Service Providers (TPPs) to access a Payment Service User’s (PSU) account. This access is required for initiating payments on behalf of a PSU, retrieving account information, or confirming fund availability.

The Berlin Group’s NextGenPSD2 XS2A interface is used by 3,600 banks—representing over 75% of European banks—and hundreds of TPPs across Europe. Banks outside PSD2-regulated regions are also adopting these standards to ensure interoperability and accessibility with PSD2 markets.

Open Finance builds upon and extends the foundations created by NextGenPSD2.

Registry | Certificates

OAuth

Heightened awareness of potential threats to the XS2A Framework has prompted the Berlin Group to add additional safeguards to the Implementation Guidelines. These enhancements include reducing the time allowed for authenticating the PSU, collecting more data points, such as IP address, for fraud detection, and only accepting fully completed transactions through the XS2A interface.

Secure client identification relies on qualified eIDAS certificates for both website-level authentication (QWACS at the TLS layer) and application-level verification (QSEALS). This model continues to evolve under Open Finance, which anticipates the mandatory use of directory services within API access schemes, whereas this was previously optional.

Looking ahead, the Berlin Group plans to adopt FAPI (Financial-grade API security standards) in the next version of the PSD2 framework.

App to App Redirect | Decoupled | Embedded | Browser Redirect

The execution of any transaction at the XS2A interface is subject to the consent of the PSU.

File Payments | Bulk Payments | Future Dated Payments | Other | Request to Pay | Pay Later | Single International Payments | Single Domestic Payments | Variable Recurring Payments | Standing Orders

Parties/contact information is included in AIS Accounts.

Operational Guidelines | API Specifications

Balances | Accounts | Cards | Beneficiaries | Direct Debits | Confirmation of Funds | Parties or Contacts | Other | Statements | Transactions | Standing Orders

The Berlin Group’s download portal provides full access to the complete specifications and documentation for their API frameworks. This includes API files, implementation guidelines, and operational rules for NextGenPSD2.

For implementation testing and support, organisations can refer to NISP (the NextGenPSD2 Implementation Support Program), which assists banks, associations, schemes, and interbank processors in deploying the Berlin Group’s NextGenPSD2 standards.

The Berlin Group was established in 2004 to support the vision of the European Central Bank, the European Commission, and the European Payments Council for the Single Euro Payments Area (SEPA). The goal was to extend the high standards of efficiency, security, brand recognition, convenience, and user experience found in domestic payments to all transactions within SEPA.

The Second Payment Services Directive (PSD2), which took effect in January 2016, was introduced to regulate electronic payments and payment service providers across the EU. It followed the first PSD adopted in 2007. PSD2 aimed to align APIs with the wide variety of banking services, online banking capabilities, local regulatory rules, and authentication methods in the European market.

In 2024, the Berlin Group continued advancing the full openFinance API Framework beyond core PSD2 services, with the European Parliament adopting its negotiating position in April 2024. By June 2025, the Council of the EU approved its negotiating mandate. During this transition, NextGen PSD2 continues to operate as a standard while evolving toward PSD3 requirements.

The Berlin Group states that the application of its standards is entirely the responsibility of market participants, as the group’s role is limited to developing the standards themselves.

• Related Standards
• Associated Legislation

Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

The Berlin Group is overseen by a Plenary, supported by multiple task forces that report to it. The group functions as a civil association with an informal governance structure, and participation is open to supply-side organizations active in the SEPA payments ecosystem.

Its task forces include the Authorisation Task Force, which focuses on standardizing the authorization application layer; the Clearing Task Force, which addresses clearing and settlement topics; and both the VPN and Security Task Forces, which work on network connection requirements. Additional NextGen task forces, including the Open Finance Task Force, are exploring areas such as tokenization, instant payments, and other emerging developments.

An Implementation Task Force has also been created to assist organizations in adopting the standards.