Contractor Compliance (Directory PSD2)

Learn how PSD2 relates to contractor payments, platform workflows, payment security, and business compliance considerations.

· Business · Mert Bulut
Business reviewing PSD2 payment compliance for contractor workflows

Important disclaimer: This article provides general information about PSD2 and its implications for contractor payment infrastructure. It reflects EU rules in force and proposals as of July 2026. It does not constitute legal, tax, or financial advice. For guidance specific to your business situation, consult a qualified legal or compliance professional.

Paying contractors across Europe involves more regulatory infrastructure than most businesses account for. PSD2 does not sit on your compliance checklist the same way DAC7 or IR35 does. It works differently. It regulates the payment providers your money moves through, not your contractor relationships directly.

That distinction matters. The infrastructure powering your contractor payments is entirely shaped by PSD2. Understanding where it applies, and where it stops, lets you build payment operations that are secure, predictable, and built on compliant rails.

What PSD2 Is and What It Regulates

PSD2 is the Revised Payment Services Directive, formally Directive (EU) 2015/2366. It entered into force on 12 January 2016, and EU member states were required to transpose it into national law by 13 January 2018. The directive covers the European Union and the European Economic Area, which includes Iceland, Norway, and Liechtenstein alongside all EU member states.

The primary targets of PSD2 are payment service providers: banks, e-money institutions, payment processors, and fintechs operating in the EU and EEA. These are the entities PSD2 directly regulates.

Three core objectives drive the directive. First, to level the playing field for payment services by opening access to providers beyond traditional banks. Second, to enable open banking through licensed third-party access to account data and payment initiation. Third, to improve payment security through mandatory Strong Customer Authentication for electronic transactions.

Your company, as a business paying contractors, is not PSD2’s primary regulatory target. You do not need a payment services license to pay contractors. You do not need to restructure your contractor relationships because of PSD2. What the directive does is reshape the infrastructure your payments travel through, and that has direct consequences for how you select, evaluate, and rely on contractor payment platforms.

PSD2 Requirements That Affect Contractor Payment Processes

Strong Customer Authentication

Strong Customer Authentication (SCA) is PSD2’s core security mechanism for electronic payments. Payment service providers must verify transactions using at least two of three factors: something the payer knows (a PIN or password); something they have (a phone or hardware token); or something they are (a fingerprint or face ID).

When you initiate contractor payments through a banking platform or payment provider operating in the EU, SCA may apply to the authentication step. That means additional verification before a payment processes 3D Secure prompts for card payments, app-based confirmations for bank transfers, or SMS codes from your payment platform.

For corporate B2B payments, PSD2 includes an exemption. Payments made between two businesses using dedicated corporate payment instruments can be exempt from SCA. The scope of this exemption varies by member state, and whether it applies in practice depends on the issuing bank accepting the exemption request. Not all do, consistently.

When building contractor payment workflows at scale, confirm directly with your payment provider how SCA applies to your payment type and volume, and whether the B2B exemption is available for your instruments. Assuming the exemption applies without verification creates unnecessary friction later.

Open Banking and Payment Initiation

PSD2’s open banking framework requires banks to give licensed third-party providers access to account data and payment initiation, with customer consent. This enabled two categories of licensed provider: Account Information Service Providers (AISPs), which consolidate financial data across accounts, and Payment Initiation Service Providers (PISPs), which initiate payments directly from business bank accounts.

For contractor payments, the relevant development is PISPs. An open banking-enabled payment platform can initiate a payment directly from your business account to a contractor, without routing it through traditional bank transfer infrastructure. These are SEPA Credit Transfers, and they are final: no chargebacks, no reversals. The tradeoff is speed and cost PISP-initiated transfers often settle faster and at lower cost than conventional bank-to-bank payments.

Several contractor payment platforms built their infrastructure on the open banking framework PSD2 created. If you are evaluating payment infrastructure for contractor payouts in the EU, whether a platform uses PISP capabilities, and how that affects settlement timing and costs, is worth examining during due diligence.

Fee and Exchange Rate Transparency

PSD2 requires payment service providers to disclose payment conditions before and after each transaction. Fees, exchange rates, execution timelines, and complaint procedures must all be provided. As a business using payment services to pay contractors, you have the right to this information.

The current picture is imperfect. For credit transfers, PSD2’s exchange rate mark-up disclosure requirements have been inconsistently applied. Most providers across the EU do not proactively disclose the spread built into exchange rates for international transfers, particularly for non-card transactions. The European Banking Authority confirmed in 2023 that the mark-up requirement does not currently apply to credit transfers under PSD2, which explains the gap.

The incoming Payment Services Regulation, part of the PSD3 package covered below, addresses this directly. Currency conversion fees will be required to be disclosed as a percentage mark-up over the ECB’s official FX rate, shown before the transaction is initiated.

For now, when selecting a platform for cross-border contractor payments, ask your provider directly for the exchange rate methodology and any mark-up applied. You have the right to that information. Whether you receive it depends on the provider you choose.

Payment Execution Times

For EU credit transfers within the SEPA zone, PSD2 mandates that the payment amount reaches the payee’s payment service provider by the end of the following business day after the payment order is received. Article 87(1) of PSD2 specifies that the credit value date for the payee’s account is no later than the business day on which the amount is credited to the payee’s payment service provider.

In practice, standard SEPA credit transfers settle same-day or by D+1, depending on the sending provider’s cut-off times. Payments initiated after a provider’s cut-off may be treated as received on the next business day. SEPA Instant transfers settle in under 10 seconds where supported.

For businesses paying contractors across the EU, this sets a reliable baseline. Contractors should receive funds within one business day of a properly initiated SEPA transfer. If your current provider takes longer, the issue is not PSD2’s framework it is your provider’s implementation.

Choosing a PSD2-Compliant Payment Platform for Contractor Payments

For EU contractor payments, PSD2 compliance from your payment provider is a baseline requirement, not a differentiator. Every legitimate provider processing EU payments must be licensed or registered under PSD2 through their relevant national competent authority.

The European Banking Authority maintains a central register of authorized payment institutions and e-money institutions. National competent authorities update it at least once per day. Before committing to any platform for EU contractor payouts, you can verify its authorization status directly through the EBA’s register.

When evaluating a provider, check the following:

  1. Licensing verify registration in an EU member state through the EBA register or a national regulator (such as BaFin in Germany or the Central Bank of Ireland).
  2. SCA support confirm the platform supports SCA-compliant payment flows for EU transactions.
  3. Fee and FX disclosure review how they present fees and exchange rates as required under PSD2.
  4. SEPA execution confirm they execute within the D+1 mandated timeframe.
  5. Open banking capabilities if relevant to your payment volume, ask whether the provider uses PISP infrastructure for lower-cost account-to-account payouts.

What PSD2 Does Not Require Businesses to Do

Compliance confusion around PSD2 is common. Businesses often overestimate how far the directive reaches into their own operations.

PSD2 does not require your business to obtain a payment services license. That obligation belongs to the payment provider you use. Your role as the payer does not trigger a licensing requirement under PSD2.

PSD2 does not require you to change how you structure contractor relationships. The directive regulates payment infrastructure. It has no bearing on employment classification, worker status, or the terms of your contractor agreements.

PSD2 does not replace your other contractor compliance obligations. DAC7 governs digital platform tax reporting. The EU Platform Work Directive addresses worker classification. W-8BEN and 1099 documentation, IR35 assessments in the UK, and VAT invoice requirements all continue to apply independently. PSD2 operates in parallel with these frameworks, not above them.

PSD2 does not apply to payments where both the payer and payee are outside the European Economic Area. Payments to contractors in non-EEA jurisdictions fall outside PSD2’s scope, though other regulations may apply depending on the territory.

How PSD2 Interacts with Other Contractor Compliance Frameworks

PSD2 sits alongside several regulatory regimes that affect global contractor work. Understanding the boundaries prevents compliance confusion and helps you assign ownership correctly across your teams.

  • DAC7 covers tax reporting obligations for digital platforms and marketplaces. It does not address payment service licensing, SCA, or customer authentication. Ownership: tax/finance.
  • IR35 (UK) determines whether a contractor is a disguised employee for tax purposes. It does not regulate payment providers or how you process online payments. Ownership: HR/legal.
  • EU Platform Work Directive deals with worker classification and working conditions on digital labour platforms. It is separate from payment services regulation entirely. Ownership: HR/legal.
  • GDPR applies to the personal and financial data your payment providers handle on your behalf. Ensure any platform processing contractor payment data is GDPR-compliant. Ownership: legal/DPO.

In practice, an EU-based contractor might be covered by PSD2-regulated payments, DAC7 income reporting, and national labour law simultaneously. When designing contractor payment infrastructure, map all applicable frameworks and assign ownership across finance, tax, and HR. Document which system or provider handles which piece this evidences due diligence if regulators ask.

PSD3: The Revision That Changes the Framework

PSD2 is not the end state for EU payment services regulation. The European Commission proposed PSD3 in June 2023. A provisional political agreement between the European Parliament and the Council of the EU was reached in November 2025. The Council published final compromise texts on 23 April 2026, according to a client alert by Morrison Foerster.

Publication in the EU Official Journal is anticipated for June or July 2026, though it may slip to September. The accompanying Payment Services Regulation (PSR) enters into application approximately 21 months after its entry into force. For most businesses, the new regime will take effect in late 2027.

The structural shift is significant. PSD3 is a directive requiring national transposition. The PSR is directly applicable regulation: conduct rules will apply uniformly across all EU member states without the variation that defined PSD2 implementation. The fragmentation that allowed different member states to interpret identical rules differently ends with the PSR.

Three PSD3 changes are directly relevant to contractor payment operations:

  • Expanded open banking obligations stricter API performance standards and uptime guarantees from payment platforms, improving reliability for B2B payment flows.
  • Verification of payee PSPs must verify that payee names match their IBAN before processing payments, reducing authorised push payment fraud and requiring payment platforms to update their validation infrastructure.
  • FX transparency currency conversion fees must be disclosed as a mark-up over the ECB reference rate before transaction initiation, closing the gap that exists under current PSD2.

As of July 2026, PSD3 and the PSR are not yet in force. Businesses that rely heavily on EU payment infrastructure should monitor legislative developments through qualified advisors and begin assessing how their current payment providers will adapt.

The Agent of Record Model and PSD2

When a business uses an Agent of Record platform for contractor payments, the PSD2-regulated layer of the payment sits with the AOR, not with the business.

The AOR is the licensed payment service provider. It handles SCA requirements, executes payments within the SEPA D+1 framework, and provides the PSD2-required payment condition information. The business’s role is straightforward: pay the AOR. The regulated payment infrastructure is the AOR’s responsibility.

This is one of the practical advantages of the Agent of Record model for businesses paying contractors across the EU. You are not monitoring PSD2 licensing compliance across multiple contractor payment platforms. You work through one regulated entity that carries the compliance obligations the infrastructure requires.

Ruul operates as a PSD2-regulated payment platform. Businesses using Ruul’s Agent of Record model benefit from compliant EU payment infrastructure including SCA-compliant payment flows, D+1 SEPA execution, and clear fee disclosure without managing licensing verification directly. Contractors can invoice without a registered company entity, and payouts are processed within one business day after client payment. Transaction records are centralised and exportable for tax readiness and audit purposes. See how Ruul handles contractor invoicing and payments at ruul.io/invoice-clients.

Practical Checklist: PSD2-Aligned Contractor Payment Processes

Use this checklist to assess whether your current contractor payment flows align with PSD2 requirements:

  • Map all regions where your contractors are based and identify where PSD2 or equivalent rules apply
  • Review all banks and platforms used for payouts; confirm each is a licensed payment service provider in the relevant EU member state via the EBA register
  • Document SCA flows used for payment approvals and ensure finance staff have immediate access to required devices and banking apps
  • Confirm whether the B2B SCA exemption applies to your payment instruments with your provider directly do not assume
  • Standardise how you collect and store contractor banking details, including IBAN verification for EU contractors
  • Confirm your provider discloses FX mark-ups before execution; if not, request this information directly
  • Verify payment execution SLAs: EU contractor payments should reach the payee’s PSP within D+1 of a properly initiated SEPA transfer
  • Centralise payment documentation and exportable transaction records to support internal audits and tax reporting
  • Assign regulatory ownership across teams: PSD2-related provider choice to finance; DAC7 and similar to tax; worker classification to HR/legal
  • Begin tracking PSD3 / PSR legislative progress if your payment volume in the EU is significant; expect material changes from late 2027

FAQs

Do I need PSD2 compliance if my company is outside the EU but pays EU contractors?

Even if your business is registered outside the EU or EEA, PSD2 affects your payments whenever the banks or payment providers involved are located in the EU or EEA. You do not need your own PSD2 license, but you need to work with PSD2-compliant providers and be prepared for SCA and other security requirements on those payments. The EBA and national competent authorities oversee the licensed providers you rely on.

Are payments to contractors covered by the same PSD2 protections as consumer payments?

Many PSD2 safeguards including fee transparency and protection against unauthorised transactions apply to both consumer and business payment service users. However, some protections, such as the unconditional 8-week refund right for direct debits, can differ for corporate accounts. Review your provider’s terms to understand exactly which protections cover business-initiated outbound transfers to contractors.

How does PSD2 interact with crypto or stablecoin payments to contractors?

PSD2 primarily covers payment services based on funds held in bank accounts or e-money, so pure on-chain crypto transfers may fall outside its scope. However, fiat on-ramps and off-ramps used to convert between crypto and traditional currency are generally regulated as payment services. If you want to pay contractors with digital assets, treat this as a separate compliance topic and check applicable local financial regulation beyond PSD2.

Can I avoid SCA friction by using recurring or batch payments for contractors?

Some recurring and merchant-initiated transactions may benefit from SCA exemptions, but the final decision rests with the payment service provider and issuing bank. Discuss batch or scheduled payout options with your provider to understand what exemptions are available for your specific payment type and volume.

What is the difference between PSD2 and PSD3, and do I need to act now?

PSD2 is the current framework. PSD3 and the PSR are its replacement, currently finalised at the EU level but not yet in force. The new regime is expected to apply from late 2027. You do not need to change anything now, but businesses with significant EU payment volume should begin tracking how their providers plan to adapt particularly on IBAN/name verification and FX disclosure requirements.