Your bank data belongs to you, and a European law makes that official
If you've ever connected a bank account to Savyy, you've probably had this thought: wait, how is this allowed? Can a third-party app really see my bank information? Is that safe?
Yes, it is. The whole thing rests on a European regulation called PSD2. It's the legal framework behind "open banking," which is how apps like Savyy can show you all your money across all your banks, without ever seeing your login credentials.
What is PSD2?
PSD2 stands for the Payment Services Directive 2. It's a law passed by the European Commission in 2015, which took effect across the EU in January 2018. A final set of security requirements, known as the RTS (Regulatory Technical Standards), kicked in on September 14, 2019.
It replaced an older directive from 2007 (PSD1), which had laid the groundwork for a single European payment market but didn't account for the rise of smartphones, fintech apps, and the growing demand for digital financial services.
In practice, PSD2 does two things:
- It forces banks to share your data, but only with your explicit permission and only with companies that have been vetted and licensed by financial regulators.
- It raises security requirements for online payments, making fraud harder to pull off.
Before PSD2, your bank was the only one who could see your account information. It was a closed system. PSD2 changed the principle: that data belongs to the customer, and if they want to share it with a licensed service, the bank has to allow it.
What changed with PSD2
Banks no longer have a monopoly on your financial data
Before PSD2, if you wanted to see all your finances in one place, you had to log into each bank separately and piece things together yourself. Banks had no obligation to share anything.
PSD2 changed that by requiring banks to open their systems through APIs (Application Programming Interfaces). An API is a secure channel that allows one piece of software to talk to another. Instead of giving your passwords to a third-party app, the bank provides a structured connection through which authorized companies can request specific information.
Two new types of licensed players
PSD2 created two categories of regulated third-party providers:
- AISPs (Account Information Service Providers) — These companies can access your account data in read-only mode. They see your balances, transactions, and account details, but they can't move your money or make changes. This is what powers financial aggregation — the ability to see all your bank accounts in a single dashboard.
- PISPs (Payment Initiation Service Providers) — These companies can trigger a payment from your bank account on your behalf, but they never handle the money themselves. It goes directly from your account to the recipient.
Both types must be licensed and supervised by a national financial authority. They go through strict vetting before they're allowed to handle anyone's data.
How PSD2 protects you
The flip side of opening up bank data is security. PSD2 came with strict rules about that too.
Strong Customer Authentication (SCA)
Every time a third-party provider accesses your bank data, the bank verifies that it's really you making the request. This is called Strong Customer Authentication, and it requires at least two of the following three factors:
- Something you know — a password or PIN code
- Something you have — your phone or a physical security key
- Something you are — your fingerprint or facial recognition
So even if someone stole your password, they couldn't access your accounts without also having your phone or your fingerprint. You probably already use two-factor authentication for email or social media. PSD2 makes it mandatory for every financial data access.
Your consent is non-negotiable
Under PSD2, no one accesses your data without your explicit consent. That consent has a few important properties:
- It expires, typically after 90 days, and you'll need to re-confirm
- You can revoke it at any time, directly through your bank
- You choose what to share and with whom
No company can pull your bank data without you knowing about it.
How Bridge uses PSD2 to get your data for Savyy
Savyy doesn't connect to your bank directly. It works with Bridge, an open banking platform that handles the bank connection on our behalf.
Who is Bridge?
Bridge (legal entity: Perspecteev SAS) is the company behind Bankin', a well-known personal finance app in France. Bridge was the first company in Europe to receive PSD2 approval from the ACPR (Autorité de Contrôle Prudentiel et de Résolution), France's banking and insurance supervisor. They hold both AISP and PISP licenses under registration number #16918.
A few numbers to give you a sense of scale:
- Connected to over 350 financial institutions across 5 European countries
- Synchronizes 8 million bank accounts daily
- Backed by Groupe BPCE, one of France's largest banking groups
Bridge is a fully regulated financial infrastructure provider, audited by the same authority that supervises French banks. This isn't a gray area.
The connection process, step by step
When you connect a bank account through Savyy, here's what actually happens:
- Savyy opens Bridge Connect, a secure widget provided by Bridge. It's a controlled environment where the bank connection takes place. Savyy doesn't touch this part directly.
- You pick your bank from the list of supported institutions. Bridge covers all major French banks and hundreds of European ones.
- You log in with your bank, using your bank's own login process, including Strong Customer Authentication. Your credentials go directly to your bank. Neither Savyy nor Bridge ever sees your password.
- You give explicit consent. Your bank asks you to confirm that Bridge (as a licensed AISP) can access your account information.
- Bridge fetches your data through the bank's official PSD2 API: account balances, transaction history, and basic account details.
- Bridge sends the data to Savyy, encrypted. Savyy uses it to build your financial dashboard.
- Your data stays current through regular synchronization. Bridge notifies Savyy whenever new transactions come in.
- You can disconnect at any point, either from Savyy or by revoking consent directly through your bank's website.
The important thing here: Savyy never has access to your banking credentials. The authentication happens between you and your bank, with Bridge as the regulated intermediary.
What this means for you as a Savyy user
Because of PSD2 and Bridge, Savyy can show you all your bank accounts from different banks in one place, categorize your transactions automatically, and keep your budgets up to date through regular synchronization. The entire data chain, from your bank to Bridge to Savyy, follows European security standards.
And you never share a banking password with anyone other than your own bank.
What's coming next: PSD3
PSD2 got open banking started, but regulators saw some real problems in practice. Banks built their APIs differently from country to country, some connection experiences were frustrating for users, and new fraud techniques appeared that the original rules didn't anticipate.
So the European Commission proposed PSD3 in June 2023, along with a new regulation called the PSR (Payment Services Regulation). In November 2025, the European Parliament and the Council of the EU reached a provisional agreement on both texts.
What's actually changing
API standardization. Under PSD2, each bank built its API slightly differently, which created real problems for providers like Bridge. PSD3 pushes for much greater consistency across banks and countries. For users, that means fewer connection errors.
Fraud liability. PSD3 introduces a liability shift for fraud like spoofing, where criminals impersonate your bank to trick you. Banks will bear greater responsibility for preventing and compensating these attacks.
Digital identity. The regulation connects with eIDAS 2.0, a separate European framework for digital identity. Down the line, this could mean verifying yourself with a single government-backed digital ID across financial services.
Direct applicability. PSD2 was a directive, meaning each EU country had to write its own version into national law. The PSR is a regulation: it applies the same way everywhere. No more patchwork of national interpretations.
Consumer protections. More transparency on fees, clearer information requirements, and stronger recourse when something goes wrong.
What this means for Savyy users
PSD3 enforcement is expected between 2026 and 2028. Concretely, for Savyy users: fewer connection issues thanks to standardized APIs, faster data syncing, and stronger protections if something goes wrong.
Savyy and Bridge are already preparing for these changes.
To sum up
When you connect a bank account to Savyy, you're using a system designed by European regulators and operated by licensed, audited financial providers. You choose what to share, you authenticate directly with your bank, and you can revoke access whenever you want.
PSD2 made this possible. Bridge, as a regulated intermediary, handles the technical and compliance work. And when PSD3 arrives, the experience should get even more reliable.
