What is the revised Second Payment Service Directive (PSD2)?

PSD2 is a new set of regulations focused on electronic payments. Published in November 2015, the Regulations came into force in January 2018, with a second phase, the Regulatory Technical Standards, due to come into force in September 2019.

Banks or Account Servicing Payment Service Providers (ASPSPs) are obligated by the Directive to provide Third Party Providers (TPPs) access to their clients' payment account information when authorised to do so by a client.

The Regulatory Technical Standards also include new security protocols and rules for transmission of client data over the internet, known as Strong Customer Authentication (SCA).

Access by TPPs is achieved through open Application Programming Interfaces (APIs), which allow TPPs to build cash management applications and payment initiation tools on top of an ASPSP's data and infrastructure.

For further information on how MUFG is implementing this directive please see PSD 2.

Where can I find further information about PSD2?

Detailed information regarding PSD2 can be found at the EBA website.

What is a Third Party Provider (TPP)?

A Third Party Provider (TPP) is a financial institution that is certified and authorised by a National Competent Authority (NCA). Banks or Account Servicing Payment Service Providers (ASPSPs) are obligated by the PSD2 Directive to implement and make available Application Programming Interfaces (APIs), which will allow TPPs to access account information when authorised by the client.

Only the client / holder of the account can authorise access for the TPP.

What are Payment Initiation Service Providers (PISPs)?

Payment Initiation Service Providers (PISPs) are a type of Third Party Provider (TPP) who, when authorised by an MUFG client, can initiate a payment from a client's bank account and act on behalf of the client in the transfer of funds. This service still requires the client to go through strong customer authentication each time a payment initiation is requested.

Only the client / holder of the account can authorise access for PISPs.

What are Account Information Service Providers (AISPs)?

Account Information Service Providers (AISPs) are a type of Third Party Provider (TPP) who, when authorised by an MUFG client, can gain access to the client's payment account information, balance and historical transaction data through the bank's Application Programming Interfaces (APIs). Typically, AISPs allow a client to have visibility across a range of accounts in a dashboard display setting.

Only the client / holder of the account can authorise access for these service providers.

What is Strong Customer Authentication (SCA)?

Strong customer authentication is the term used for authentication based on the use of two or more elements categorised as:

  1. Knowledge - something only the user knows, e.g. a password
  2. Possession - something only the user possesses, e.g. a code generator device (token)
  3. Inherence - something the user is, e.g. a biometric identifier (fingerprint, voice)


What is the difference between an Account Servicing Payment Service Provider (ASPSP) (bank) and a Third Party Provider (TPP)?

An Account Servicing Payment Service Provider (ASPSP) is a provider of payment accounts; banks are ASPSPs. In contrast, a Third Party Provider (TPP) only has access to the payment accounts. A bank can also become a TPP.


What are the Application Programming Interface (API) Services that MUFG has developed for its GCMS Plus payment accounts?

As part of the Revised Payment Services Directive (PSD2), we have implemented the COMSUITE API Service and released the developer's site. The Application Programming Interfaces (APIs) provide access to GCMS Plus payment accounts. The developer's site can be accessed at developer1.portal.bk.mufg.jp. There are local implementations of the API services in Germany and Italy.

The URLs for all developer sites or local sites are listed below:


What are the Application Programming Interface (API) Services that MUFG has developed for its WebCMS and CABEL payment accounts?

There are local implementations of the API services in Germany and Italy.

  • For German clients using WebCMS
  • For Italian clients using CABEL


To what extent will the Third Party Providers (TPPs) have access to information about my payment or bank account?

Third Party Providers (TPPs) will only gain access when authorised by you / the client as holder of the payment account.

TPPs will receive the information explicitly agreed by you / the client and access will only be granted for a 90-day period (AISP Services) before authorisation will be required again.

TPPs will require explicit authorisation by you / the client each time a TPP wishes to initiate a payment (PISP Services).

The security credentials of you / the client shall not be accessible to TPPs and will only be transmitted through the bank's existing online banking platforms.


Who can authorise Third Party Provider (TPP) access to my payment accounts?

Authorisation for a Third Party Provider (TPP) to access payment accounts is between you / the client and the TPP and is dependent on the processes you / the client put in place to manage the authorisation.


How do I withdraw my consent for a Third Party Provider (TPP) to access my account information?

We would expect the Third Party Provider (TPP) application to include a method for withdrawing consent. If you do not see this option, contact our ETBO Client Support Team.


Do I / the client need to register with the COMSUITE API Service to allow Third Party Providers (TPPs) to connect with my account?

No. As an MUFG client, you do not need to register with any API service from MUFG unless you are creating a Third Party Provider (TPP) offering yourself.


Are there fees associated with this service to me / the client or a Third Party Provider (TPP)?

MUFG does not charge fees for access to the Application Programming Interface (API).


Will the new rules also apply to international payments?

PSD2 expands the scope of payments covered by the original Payment Services Directive (2007) to include non-EEA currencies for intra-EEA payments and so-called "One Leg Out" transactions (i.e. payments into and/or out of the EEA).


Are there changes in the costs of payment transactions?

The new regulation mandates the use of the SHA (shared) charging option for all intra-EEA payments, irrespective of currency.


I am a Third Party Provider (TPP) and want to connect with the COMSUITE API service provided by MUFG. Who can I contact?

Please contact our ETBO Client Support Team.


Under GDPR regulation can you please let me know what your policy is regarding my data and how you will use it?

Please view our privacy notices on our website for further information.