PSD2 Reporting Requirements for Payment Institutions: Complete Practitioner Guide
Last updated: March 2026
Introduction
PSD2 reporting is not optional – payment institutions face multiple overlapping reporting obligations including statistical, prudential, fraud, incident, and complaint reporting, each with distinct deadlines, data sources, and regulatory recipients. Payment Services Directive 2 (Directive (EU) 2015/2366) fundamentally reshaped how payment institutions, e-money institutions (EMIs), account information service providers (AISPs), and payment initiation service providers (PISPs) operate in Europe. Beyond the open banking requirements that captured industry attention, PSD2 introduced a comprehensive reporting framework that demands significant operational discipline and data governance.
For compliance practitioners managing these obligations, reporting accuracy matters deeply. Supervisory authorities, particularly the Commission de Surveillance du Secteur Financier (CSSF) that regulates many pan-European payment institutions licensed in Luxembourg, enforce PSD2 reporting requirements with material consequences. Non-compliance carries fines, licence conditions, enforcement actions, and reputational damage in a sector where regulatory standing determines counterparty trust.
PSD2 reporting isn’t a single exercise. It comprises multiple concurrent streams – statistical reporting to central banks, prudential reporting to supervisors, fraud reporting capturing emerging threats, major incident notification requiring rapid escalation, and complaint handling metrics tracking consumer protection. Each stream has different data sources, classification rules, validation procedures, and submission deadlines.
This guide walks practitioners through the PSD2 reporting landscape with focus on implementation realities. We cover what gets reported, when, to whom, and why the mechanics matter more than most institutions realize.
Legal Basis and Regulatory Framework
PSD2 Legal Foundation
PSD2 reporting derives from multiple legislative and regulatory layers, each adding specificity to what institutions must report.
Primary legal instrument: Directive (EU) 2015/2366
- Article 95 establishes obligations for management of operational and security risks
- Article 96 establishes incident reporting (paragraphs 1-5) and fraud data reporting (paragraph 6)
- Article 97 establishes strong customer authentication (SCA) requirements
- Article 98 mandates the EBA to develop regulatory technical standards on SCA and secure communication
EBA Implementation:
The European Banking Authority published:
- Guidelines on Fraud Reporting (EBA/GL/2018/05, amended by EBA/GL/2020/01): Specifies fraud categorization, reporting frequency, data elements, and methodology. Developed in close cooperation with the ECB.
- Guidelines on Major Incident Reporting (EBA/GL/2017/10, revised by EBA/GL/2021/03): Defines what constitutes a major incident and the notification process and timelines.
- Regulatory Technical Standards on SCA (Commission Delegated Regulation (EU) 2018/389): Establishes SCA requirements and exemptions, generating SCA-related fraud reporting data.
Member State Transposition:
Each member state transposes PSD2 into national law with some discretionary elements. Luxembourg’s implementation includes:
- CSSF circulars providing guidance and interpretation (including Circular CSSF 19/712 on fraud reporting)
- Operational collaboration between the CSSF and the Banque centrale du Luxembourg (BCL) for certain reporting streams
- Direct supervision communications with institutions
Other jurisdictions interpret requirements differently, creating complexity for multi-national payment institutions.
Who Must Report Under PSD2
The reporting scope is defined by PSD2 but nuanced based on entity type.
Payment Institutions (PIs)
Full license holders are primary reporting entities. PIs include full-service payment processors, pan-European payment platforms, mobile payment providers, card acquirers and issuers (if licensed as PI), and money remittance providers.
Small payment institutions (registered under PSD2 Article 32, with average monthly payment transactions not exceeding EUR 3 million):
- Face lighter prudential reporting requirements
- Still report fraud and incident data
- May report fraud data annually rather than semi-annually
E-Money Institutions (EMIs)
EMIs operating as payment service providers (offering payment services beyond e-money issuance) fall within PSD2 reporting scope:
- Report prudential data (capital, safeguarding)
- Report fraud and incident data
- Face hybrid reporting regime (E-Money Directive requirements + PSD2 requirements)
Small EMIs (registered under Article 9 of the E-Money Directive) may benefit from simplified reporting, including annual fraud reporting.
Account Information Service Providers (AISPs)
AISPs (account aggregation platforms) have a narrower reporting scope. Importantly, AISPs are excluded from the fraud data reporting requirements under Article 96(6) PSD2, as clarified by the EBA. This is because AISPs do not handle payment transactions directly – they provide account information services. AISPs still report:
- Major incidents affecting their services
- Complaint handling data
- Operational and security risk information
Payment Initiation Service Providers (PISPs)
PISPs report:
- Fraud data on payment transactions they initiate (within the Article 96(6) framework)
- Major incidents
- Complaint handling data
Exclusions
Excluded payment service providers (entities providing payment services excluded under PSD2 Article 3, such as commercial agents acting on behalf of only the payer or only the payee) have no PSD2 reporting obligations.
Types of PSD2 Reporting Obligations
PSD2 reporting breaks into distinct categories, each serving different supervisory objectives.
1. Fraud Reporting: The Core Article 96(6) Obligation
Fraud reporting under EBA Guidelines (EBA/GL/2018/05) is the most operationally significant PSD2-specific reporting stream. Article 96(6) requires PSPs to provide statistical data on fraud relating to different means of payment.
What gets reported:
- Total payment transaction volumes and values (both fraudulent and non-fraudulent), broken down by payment instrument type (credit transfers, direct debits, card payments, e-money, money remittances)
- Fraudulent payment transactions, categorized into two types: unauthorized payment transactions and payment transactions resulting from manipulation of the payer (e.g., social engineering, phishing)
- Breakdown by whether SCA was applied, an exemption was used, or SCA was not required
- Breakdown by channel (remote vs. non-remote)
- Gross fraud losses by liability bearer (PSP vs. payment service user)
- Geographic breakdown (domestic, cross-border within EEA, cross-border outside EEA)
Reporting frequency: Semi-annual – data is reported on an annual basis, broken down into two periods of six months (H1 and H2). This is a key point many institutions get wrong – the EBA explicitly moved from the originally proposed quarterly reporting to semi-annual reporting based on industry consultation feedback. Small PIs and small EMIs may report annually.
Important clarifications:
- Only “executed” transactions are reported – meaning the payment has been processed and funds transferred
- “Payer acting fraudulently” (first-party fraud) is excluded from the reporting scope
- Refunds under the 8-week direct debit refund right are not automatically reported as fraud
- AISPs are excluded from fraud reporting
In Luxembourg: Based on operational collaboration between the CSSF and the BCL, fraud reporting data is submitted to the Banque centrale du Luxembourg. From January 2022, Luxembourg fraud reporting has been integrated into the CDDP6 reporting framework.
2. Statistical Reporting: Payment System Activity Metrics
Statistical reporting captures volumes and values of overall payment system activity. This data supports ECB analysis of market structure and payment behavior trends, governed by ECB Regulation (EU) 2020/2011 on payment statistics.
What gets reported:
- Number of payment transactions processed, disaggregated by type (card, credit transfer, direct debit, e-money, other)
- Corresponding transaction values
- Number of active payment service users
- Geographic and channel breakdowns
Reporting frequency: Quarterly or annual, depending on the specific data elements and reporting entity classification. Exact timelines are set by the national central bank.
Note that statistical reporting to the ECB via national central banks is a separate obligation from the PSD2 fraud reporting to competent authorities. The two streams have different data elements, different recipients, and different timelines, though they share some overlapping transaction data.
3. Prudential Reporting: Capital and Safeguarding
Prudential reporting demonstrates compliance with capital and safeguarding requirements. For payment institutions, own funds calculations and safeguarding status are core.
What gets reported:
- Own funds (capital) in line with PSD2 capital adequacy requirements (Methods A, B, or C under PSD2 Article 9)
- Safeguarding status – confirmation that customer funds are appropriately segregated and protected (via deposit in a separate account at a credit institution or covered by an insurance policy/guarantee)
- Balance sheet and key financial metrics
Reporting structure:
- Small PIs: Basic balance sheet, own funds calculation
- Larger PIs: More detailed prudential templates
- Submission timelines vary by jurisdiction and supervisor expectations
4. Major Incident Reporting: Rapid Escalation
Major incidents require rapid notification to supervisors. Unlike fraud reporting (periodic/historical), incident reporting demands immediacy.
Definition of “major incident”:
Under EBA Guidelines (EBA/GL/2021/03, which revised the original EBA/GL/2017/10), a major incident is classified based on specific quantitative criteria and thresholds, including:
- Number of payment service users affected
- Duration of the incident
- Economic impact
- Whether internal escalation procedures were activated
- Impact on other PSPs or relevant infrastructures
The EBA guidelines provide a classification methodology with specific thresholds. An incident is classified as major if it meets the criteria in at least two of the impact categories or if it meets a single criterion that exceeds the “high impact” threshold.
Process and timelines (per EBA/GL/2021/03):
- Initial notification: Submit to the competent authority within 4 hours of classifying the incident as major
- Intermediate report: Submit within 3 business days of the initial notification, with updated information
- Final report: Submit within 2 weeks of operations returning to normal, including root cause analysis and remediation measures
Luxembourg CSSF procedures:
- Dedicated incident reporting channel
- Delayed incident reporting draws supervisory attention regardless of incident materiality
- Relationship managers may follow up on major incidents
5. Complaint Handling Reports: Consumer Protection Metrics
Complaints reporting captures how payment institutions resolve customer disputes and informs supervisory assessment of consumer protection practices.
What gets reported:
- Total number of complaints received
- Complaints by category (authorization disputes, transaction errors, service quality, pricing, data protection, other)
- Average resolution time
- Percentage upheld, partially upheld, rejected
- Outstanding complaints (pending resolution)
Reporting frequency: Varies by jurisdiction – typically semi-annual or annual.
Reporting Recipients: Where Reports Go
Reports go to different destinations depending on data type.
Fraud reporting (Article 96(6)): To competent authorities (the CSSF in Luxembourg, though operationally submitted via the BCL). Competent authorities then provide aggregated data to the EBA and ECB.
Statistical reporting: To national central banks (the BCL in Luxembourg), which forward to the ECB.
Prudential reporting: To the primary supervisor (CSSF for Luxembourg-licensed PIs/EMIs).
Incident reporting: To the primary supervisor via dedicated incident reporting channels.
Complaint reporting: To the primary supervisor.
For multi-entity groups with entities licensed in different jurisdictions, each entity reports to its own primary supervisor. Consolidated group reporting may also be required depending on supervisory expectations.
Common PSD2 Reporting Errors
Experienced compliance practitioners recognize recurring errors.
Fraud Reporting Frequency Confusion
Many institutions assume fraud reporting is quarterly. It is not. The EBA Guidelines specify semi-annual reporting (annual data broken down into two six-month periods). Quarterly fraud reporting was proposed in the original consultation but explicitly changed to semi-annual in the final guidelines due to industry feedback on administrative burden. Check your national supervisor’s specific implementation, as some jurisdictions may have supplemented the EBA minimum frequency.
Transaction Categorization Misclassification
Misclassifying transactions by type (direct debit as credit transfer, card as other) is common, especially when source system payment type codes don’t align with PSD2 reporting categories. Develop explicit mappings from source system categorization to reporting categories and validate them against sample transactions quarterly.
SCA Exemption Reporting Inaccuracy
Exemption data is often reported incorrectly because the exemption decision logic differs from the exemption reporting logic. Customers may be exempt per policy, but transaction-level rules can override the exemption. Fallback cases (exemption requested but declined) are sometimes classified incorrectly. Implement comprehensive SCA logging capturing the full decision chain: SCA required (yes/no and reason), exemption requested (yes/no, which type), exemption granted (yes/no), and authentication result.
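The decision chain described above can be logged as one record per executed payment, with the reporting bucket derived from that record instead of from a separate rule set. The following is an added example, not code from the EBA, the CSSF or this site; the field names, bucket labels, consistency rules and sample records are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Reporting buckets from the breakdown above: SCA applied, exemption used, SCA not required.
SCA_APPLIED, EXEMPTION_USED, SCA_NOT_REQUIRED = "sca_applied", "exemption_used", "sca_not_required"
NEEDS_REVIEW = "needs_review"  # hypothetical holding bucket, resolved before submission

@dataclass(frozen=True)
class ScaDecision:
    """One log record per executed payment: the full SCA decision chain."""
    txn_id: str
    sca_required: bool
    sca_reason: str                    # why SCA was or was not required
    exemption_requested: bool
    exemption_type: Optional[str]      # which exemption, when one was requested
    exemption_granted: Optional[bool]  # None only when no exemption was requested
    auth_result: Optional[str]         # "success" / "failed"; None if no SCA ran

def chain_problems(rec):
    """Consistency rules (assumed for this example) a complete chain must satisfy."""
    problems = []
    granted = rec.exemption_requested and rec.exemption_granted is True
    if rec.exemption_requested and not rec.sca_required:
        problems.append("exemption requested although SCA was not required")
    if rec.exemption_requested and not rec.exemption_type:
        problems.append("exemption requested without a type")
    if rec.exemption_requested and rec.exemption_granted is None:
        problems.append("exemption outcome not logged")
    if not rec.exemption_requested and rec.exemption_granted is not None:
        problems.append("exemption outcome logged without a request")
    if granted and rec.auth_result is not None:
        problems.append("exemption granted but an authentication result exists")
    if rec.sca_required and not granted and rec.auth_result is None:
        problems.append("SCA required, no exemption granted, no authentication result")
    return problems

def reporting_bucket(rec):
    """Derive the reporting bucket from the logged chain, never from policy defaults."""
    if chain_problems(rec):
        return NEEDS_REVIEW
    if not rec.sca_required:
        return SCA_NOT_REQUIRED
    if rec.exemption_granted:
        return EXEMPTION_USED
    return SCA_APPLIED  # includes the fallback: exemption requested, declined, SCA ran

def summarise(records):
    """Return bucket counts plus the records that need review, keyed by txn_id."""
    counts = Counter(reporting_bucket(r) for r in records)
    review = {r.txn_id: chain_problems(r) for r in records if chain_problems(r)}
    return counts, review

# Constructed sample records (not real transactions).
SAMPLE = [
    ScaDecision("T1", True, "remote_electronic_payment", False, None, None, "success"),
    ScaDecision("T2", True, "remote_electronic_payment", True, "low_value", True, None),
    # Fallback: exemption requested but declined, so SCA ran and is reported as applied.
    ScaDecision("T3", True, "remote_electronic_payment", True, "transaction_risk_analysis", False, "success"),
    ScaDecision("T4", False, "merchant_initiated", False, None, None, None),
    # Broken chain: the exemption outcome was never logged.
    ScaDecision("T5", True, "remote_electronic_payment", True, "low_value", None, None),
]

if __name__ == "__main__":
    counts, review = summarise(SAMPLE)
    print(dict(counts))
    print(review)
```

Records that land in the review bucket point to logging gaps in the source system and should be fixed there rather than patched in the report.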
Double Counting in Multi-Entity Groups
Transactions processed by Entity A (PI executing payment) and Entity B (PISP initiating payment) sometimes get counted twice. Establish group-wide reporting governance clarifying which entity reports which transactions.
Fraud Case Misclassification
A common error is classifying a fraud case based on the initial indicator rather than the actual determination. A transaction initially flagged as phishing may be confirmed as a different fraud type after investigation. Report based on the final determination, not the initial flag.
Undocumented Incident Non-Reporting
Material incidents occur but are not escalated to supervisors because of a misunderstanding of the classification criteria, a lack of 24/7 monitoring, or remediation without escalation. Implement clear incident classification training using the EBA’s criteria-based methodology.
Luxembourg Specifics: CSSF Expectations
For payment institutions supervised by the CSSF, specific expectations apply:
Data Quality Standards: CSSF expects clean, reconciled reporting data. Unexplained variance between reporting and source systems generates supervisory correspondence.
Timely Correction: Institutions should submit amended/corrected data rather than ignoring errors. CSSF prefers accurate late data to timely inaccurate data.
Incident Escalation: CSSF maintains a low threshold for incident reporting. Material operational issues, security breaches, or customer impact events warrant immediate notification. Delayed reporting draws supervisory attention.
SCA Compliance Focus: CSSF closely monitors SCA exemption usage. Elevated exemption rates or anomalous patterns attract supervisory questions. Institutions must demonstrate that their risk controls justify exemption use.
Relationship Management: CSSF designates relationship managers for significant payment institutions, enabling regular dialogue on reporting expectations beyond published guidance.
PSD2 Reporting Evolution: PSR and PSD3
The reporting landscape is evolving. The EU is replacing PSD2 with a new framework consisting of the Payment Services Regulation (PSR) and a revised Payment Services Directive (PSD3). The PSR, being a regulation rather than a directive, will apply directly across all member states without national transposition, creating greater harmonization.
Expected changes under PSR/PSD3:
- Enhanced fraud reporting: More detailed categorization and potentially shorter reporting cycles
- IBAN-name verification: New requirements around payee verification will generate related data and reporting
- Open finance expansion: As open banking matures into open finance, reporting on data sharing and third-party interactions may intensify
- Operational resilience alignment: Alignment with DORA (Digital Operational Resilience Act) requirements for ICT incident reporting
- Real-time payments focus: With instant payments mandated across the EU, reporting frameworks may adapt to cover real-time transaction monitoring
Strategic implication: Institutions should architect reporting systems with flexibility. Robust data governance and clean data foundations established now adapt more readily to evolved frameworks.
Frequently Asked Questions
What is PSD2 reporting and which payment institutions must report?
PSD2 reporting is a multi-stream framework requiring payment institutions, e-money institutions, and PISPs to report fraud, incident, prudential, statistical, and complaint data to supervisors and central banks. AISPs have a narrower scope – they are excluded from fraud reporting but must report incidents and complaints. Most payment institutions must report; exemptions apply only to entities providing excluded payment services under PSD2 Article 3.
How often is fraud data reported under PSD2?
Semi-annually, not quarterly. The EBA Guidelines (EBA/GL/2018/05) require data to be reported on an annual basis broken down into two six-month periods. Small PIs and small EMIs may report annually. This is a common source of confusion – quarterly reporting was originally proposed but changed to semi-annual in the final guidelines.
When are PSD2 reports due in Luxembourg?
Timelines vary by report type. Fraud reporting deadlines are set by the BCL under the CDDP6 framework. Prudential reporting deadlines are set by the CSSF. Major incidents require initial notification within 4 hours of classification. Always confirm specific deadlines with your supervisor’s published reporting calendar.
What is the difference between statistical and fraud reporting under PSD2?
Statistical reporting captures overall payment system volumes and values for ECB monetary/economic analysis and is submitted to the national central bank. Fraud reporting under Article 96(6) captures fraudulent transaction data and SCA-related breakdowns for supervisory purposes and is submitted to the competent authority. Both use transaction data but serve different purposes, have different recipients, and different data granularity.
What happens if a payment institution fails to report on time?
Late reporting generates supervisory follow-up, relationship manager inquiries, and potential enforcement action. Repeated late reporting or material data quality issues trigger compliance examinations, conditions on authorization, or fines. Supervisors take reporting discipline seriously.
Are AISPs required to report fraud data?
No. The EBA explicitly clarified that AISPs are excluded from the fraud data reporting requirements under Article 96(6) PSD2, because AISPs do not execute payment transactions. AISPs must still report major incidents and complaints.
Key Takeaways
- PSD2 reporting comprises multiple concurrent streams (fraud, statistical, prudential, incident, complaint), each with different data sources, classification rules, and submission timelines. Coordinating these streams requires robust data governance.
- Fraud reporting under Article 96(6) is semi-annual, not quarterly. This is one of the most common misunderstandings. The EBA Guidelines specify annual data broken down into two six-month periods. Check your national implementation for any supplementary requirements.
- AISPs are excluded from fraud reporting but must report incidents and complaints. PISPs report on payment transactions they initiate. Know your entity type’s specific obligations.
- Major incident reporting requires notification within 4 hours of classification under the revised EBA Guidelines. This requires 24/7 monitoring and escalation procedures, not sequential reporting after operational resolution.
- Luxembourg fraud reporting goes to the BCL (not directly to the CSSF), based on operational collaboration between the two authorities. From 2022, this is integrated into the CDDP6 framework.
- Common errors include transaction miscategorization, SCA exemption confusion, double counting in multi-entity groups, and fraud classification based on initial flags rather than final determination. These are preventable with investment in data governance and classification rules.
- Multi-jurisdictional payment institutions must navigate different supervisory expectations, format requirements, and categorization interpretations across member states. Centralized data governance with jurisdiction-specific mapping layers is the practical solution.
- PSR/PSD3 will likely expand and harmonize requirements. Building flexible reporting infrastructure now reduces future adaptation costs.
Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.
Sources and References
- Directive (EU) 2015/2366 (PSD2) – Payment Services Directive 2 – legal framework for payment services including reporting obligations https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366
- EBA Guidelines on Fraud Reporting (EBA/GL/2018/05, amended by EBA/GL/2020/01) – Guidelines on reporting requirements for fraud data under PSD2 Article 96(6) https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/payment-services-and-electronic-money/guidelines-fraud-reporting-under-psd2
- EBA Guidelines on Major Incident Reporting (EBA/GL/2021/03) – Revised guidelines on major incident reporting under PSD2 https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/payment-services-and-electronic-money/guidelines-major-incidents-reporting-under-psd2
- Commission Delegated Regulation (EU) 2018/389 (RTS on SCA) – Regulatory technical standards on strong customer authentication and secure communication https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R0389
- ECB Regulation (EU) 2020/2011 – ECB requirements for statistical reporting on payment transactions https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32020R2011
- CSSF Circular 19/712 – Luxembourg implementation of EBA fraud reporting guidelines https://www.cssf.lu/
- BCL – PSD2 Fraud Reporting – Luxembourg fraud reporting submission via the Banque centrale du Luxembourg https://www.bcl.lu/en/payment-systems/Fraud-Reporting-PSD2/index.html
- CSSF – Payment Institutions Supervision – Luxembourg-specific guidance on PSD2 implementation https://www.cssf.lu/en/supervision/payment-institutions/