PSD2 / PSD3 — EU Payment Services Directive — 98% covered.

61 requirements · 59 enforced · 1 designed · 1 advisory · 0 deferred.

Source: Directive (EU) 2015/2366 (PSD2) + Commission Delegated Regulation (EU) 2018/389 (RTS on SCA & CSC) + PSD3 Directive proposal COM(2023)366

By category

Category	Reqs	Enforced	Designed	Advisory	Coverage
Open-Banking Interfaces (Article 30 RTS)	13	12	1	0	96%
Operational and Security Risk (Article 95)	6	6	0	0	100%
RTS Strong Customer Authentication (Articles 4-9)	28	28	0	0	100%
Third-Party Provider Access (Articles 32-36, 66-67)	14	13	0	1	95%

Every requirement → the KYE™ artefact that enforces it

ID	Title	Status	KYE™ enforcement
`psd2.RTS.30`	RTS Article 30 — General obligations for access interfaces — dedicated interface or modified customer-interface	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`, `constitution/40-IMPLEMENTATION-CANONICAL.md`
`psd2.RTS.30.1`	RTS Article 30(1) — Dedicated interface (or modified customer-interface fallback) — equivalent functionality, performance, and availability to the customer interface	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`, `constitution/40-IMPLEMENTATION-CANONICAL.md`
`psd2.RTS.30.2`	RTS Article 30(2) — Communication of confidential authentication data shall not be required	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.30.3`	RTS Article 30(3) — Availability and performance — interface KPIs published, downtime alerting, contingency fallback	enforced	audit_events: `kye.signal.incident.opened.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`, `constitution/51-NO-SPOF.md`
`psd2.RTS.30.4`	RTS Article 30(4) — Service Level Targets and remediation plans must be published	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`
`psd2.RTS.30.5`	RTS Article 30(5) — Testing facility for TPPs (sandbox + onboarding) for at least 6 months before go-live	designed	constitution_refs: `constitution/07-SUBDOMAIN.md`, `constitution/40-IMPLEMENTATION-CANONICAL.md`
`psd2.RTS.31`	RTS Article 31 — Access interface options — dedicated interface vs. modified customer-interface	enforced	audit_events: `kye.compliance.attestation.v1`, `kye.evidence.decision_map.v1` engines: `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`
`psd2.RTS.32`	RTS Article 32 — Fallback mechanism — if the dedicated interface fails SLA, TPPs may use the modified customer-interface route	enforced	audit_events: `kye.signal.incident.opened.v1`, `kye.signal.incident.closed.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`, `constitution/25-EDGE-GOVERNANCE.md`
`psd2.RTS.32.4`	RTS Article 32(4) — Conditions for exemption from contingency-interface obligation	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/40-IMPLEMENTATION-CANONICAL.md`
`psd2.RTS.33`	RTS Article 33 — Common standards for communication — usage of standardised API specifications	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`
`psd2.RTS.34`	RTS Article 34 — Certificates — qualified certificates for electronic seals / website authentication under eIDAS	enforced	audit_events: `kye.federation.cross_org_delegation.v1` engines: `internal`, `internal` constitution_refs: `constitution/25-EDGE-GOVERNANCE.md`
`psd2.RTS.35`	RTS Article 35 — Security of communication session — TLS 1.2+ with strong cipher suites	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`
`psd2.RTS.36`	RTS Article 36 — Data exchanges — strong end-to-end encryption protecting PSU credentials	enforced	audit_events: `kye.evidence.tool_call_pin.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`, `constitution/25-EDGE-GOVERNANCE.md`
`psd2.A95.1`	Article 95(1) — Establish a framework with appropriate mitigation and control mechanisms to manage operational and security risks	enforced	audit_events: `kye.compliance.attestation.v1`, `kye.assurance.risk_assessment.v1`, `kye.signal.drift.detected.v1` engines: `internal`, `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`, `constitution/30-AUDIT-WORM-RETENTION.md`
`psd2.A95.2`	Article 95(2) — Annual operational and security risk assessment report to the competent authority	enforced	audit_events: `kye.compliance.attestation.v1`, `kye.evidence.pack.v1` engines: `internal`, `internal` constitution_refs: `constitution/30-AUDIT-WORM-RETENTION.md`
`psd2.A95.3`	Article 95(3) — Customer awareness of operational and security risks + mitigating actions	enforced	audit_events: `kye.comms.dispatch.v1`, `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/38-COMMS-RAIL.md`
`psd2.A96`	Article 96 — Major operational or security incident — notify competent authority without undue delay; payment-service-user notification when adverse	enforced	audit_events: `kye.signal.incident.opened.v1`, `kye.signal.incident.closed.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`, `constitution/38-COMMS-RAIL.md`
`psd2.A96.1`	Article 96(1) — Initial notification (≤4 hours) to competent authority + intermediate + final reports	enforced	audit_events: `kye.signal.incident.opened.v1`, `kye.evidence.pack.v1` engines: `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`
`psd2.A98`	Article 98 — RTS on SCA + CSC published by EBA — applicable directly	enforced	constitution_refs: `constitution/40-IMPLEMENTATION-CANONICAL.md`
`psd2.RTS.1`	RTS Article 1 — Subject matter: technical requirements for SCA and CSC	enforced	audit_events: `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/40-IMPLEMENTATION-CANONICAL.md`
`psd2.RTS.2`	RTS Article 2 — General authentication requirements — robust technical features, monitoring of authentication procedures	enforced	audit_events: `kye.authority.grant.v1`, `kye.signal.drift.detected.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.3`	RTS Article 3 — Authentication code review and testing — fraud-rate analysis, security audit	enforced	audit_events: `kye.compliance.attestation.v1`, `kye.assurance.audit_replay_report.v1` engines: `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`
`psd2.RTS.4`	RTS Article 4 — Apply Strong Customer Authentication (SCA) with at least two independent elements from knowledge, possession, and inherence	enforced	audit_events: `kye.authority.grant.v1`, `kye.purpose.admissibility.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.4.bis`	RTS Article 4 — Authentication code generation — non-replayable, single-use, cryptographically bound to the SCA elements	enforced	audit_events: `kye.authority.grant.v1`, `kye.payments.proof_bundle.v1`, `kye.replay.proof.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.5`	RTS Article 5 — Dynamic linking — every payment authentication code linked to amount + payee, invalidated on tamper	enforced	audit_events: `kye.payments.intent.v1`, `kye.payments.authority.v1`, `kye.payments.proof_bundle.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.5.1`	RTS Article 5(1) — Amount of transaction and identity of payee shown to user during SCA	enforced	audit_events: `kye.payments.intent.v1`, `kye.governedui.action_proposal.v1`, `kye.evidence.decision_map.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/36-GOVERNEDUI.md`
`psd2.RTS.5.2`	RTS Article 5(2) — Confidentiality, authenticity, integrity of amount and payee maintained throughout the authentication channel	enforced	audit_events: `kye.payments.proof_bundle.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal`, `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`
`psd2.RTS.6`	RTS Article 6 — Knowledge-element requirements — guess-resistant, non-disclosure measures	enforced	audit_events: `kye.authority.grant.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/51-NO-SPOF.md`
`psd2.RTS.7`	RTS Article 7 — Possession-element requirements — uniqueness, replication-resistance, non-disclosure	enforced	audit_events: `kye.authority.grant.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.8`	RTS Article 8 — Inherence-element requirements — false-acceptance + false-rejection rates within tolerance	enforced	audit_events: `kye.authority.grant.v1`, `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.9`	RTS Article 9 — Independence of the elements — breach of one element does not compromise reliability of the others	enforced	audit_events: `kye.authority.grant.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/51-NO-SPOF.md`
`psd2.RTS.10`	RTS Article 10 — Exemption for payment account information (read-only AISP, ≤180 days)	enforced	audit_events: `kye.consent.acceptance.v1`, `kye.purpose.grant.v1`, `kye.evidence.decision_map.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.11`	RTS Article 11 — Exemption for contactless payments at POS (≤€50 per transaction, cumulative limits)	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.12`	RTS Article 12 — Exemption for unattended terminals for transport fares + parking fees	enforced	audit_events: `kye.purpose.admissibility.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.13`	RTS Article 13 — Exemption for trusted beneficiaries — added to ASPSP whitelist via SCA	enforced	audit_events: `kye.authority.grant.v1`, `kye.purpose.admissibility.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.14`	RTS Article 14 — Exemption for recurring transactions of same amount + same payee	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.payments.intent.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.15`	RTS Article 15 — Exemption for credit transfers between same natural-or-legal-person accounts	enforced	audit_events: `kye.purpose.admissibility.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.16`	RTS Article 16 — Exemption for low-value remote payments (≤€30, cumulative limits)	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.17`	RTS Article 17 — Exemption for secure corporate payment processes + protocols	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.federation.cross_org_delegation.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.RTS.18`	RTS Article 18 — Transaction Risk Analysis (TRA) — exemption only available below value thresholds and with documented low-fraud-rate evidence	enforced	audit_events: `kye.evidence.decision_map.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`
`psd2.RTS.19`	RTS Article 19 — Monitoring of fraud-rate per payment-instrument category	enforced	audit_events: `kye.signal.drift.detected.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/13-RESILIENCE-LOOP.md`
`psd2.RTS.20`	RTS Article 20 — Cessation of TRA exemption when fraud-rate exceeds reference rate	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.signal.drift.detected.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/13-RESILIENCE-LOOP.md`
`psd2.RTS.21`	RTS Article 21 — Common and Secure Communication (CSC) — general requirements for identification + integrity + confidentiality	enforced	audit_events: `kye.federation.cross_org_delegation.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/16-EDGE-RUNTIME.md`, `constitution/25-EDGE-GOVERNANCE.md`
`psd2.RTS.22`	RTS Article 22 — Identification — TPP eIDAS-QWAC bound to the access channel	enforced	audit_events: `kye.federation.cross_org_delegation.v1` engines: `internal`, `internal` constitution_refs: `constitution/25-EDGE-GOVERNANCE.md`
`psd2.RTS.23`	RTS Article 23 — Traceability — TPP requests logged with sufficient detail for audit	enforced	audit_events: `kye.audit.event.v1`, `kye.federation.cross_org_delegation.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal` constitution_refs: `constitution/30-AUDIT-WORM-RETENTION.md`
`psd2.RTS.24`	RTS Article 24 — Session — protected; idle session timeout ≤5 minutes	enforced	audit_events: `kye.authority.grant.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd3.SCA.evolved`	PSD3 — extension of SCA to instant payments, anti-APP-fraud confirmation-of-payee, accessibility carve-outs	enforced	audit_events: `kye.payments.intent.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A32`	Article 32 — TPP registration and authorisation — only licenced AISP/PISP/CBPII may access payment-account data via the dedicated interface	enforced	audit_events: `kye.federation.cross_org_delegation.v1`, `kye.authority.grant.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/25-EDGE-GOVERNANCE.md`
`psd2.A33`	Article 33 — TPP identification via eIDAS qualified certificates (QWAC for transport + QSealC for sealing)	enforced	audit_events: `kye.federation.cross_org_delegation.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal`, `internal` constitution_refs: `constitution/25-EDGE-GOVERNANCE.md`
`psd2.A34`	Article 34 — Information requirements at TPP registration — name, licence number, NCA contact details	enforced	audit_events: `kye.federation.cross_org_delegation.v1`, `kye.compliance.attestation.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A35`	Article 35 — Account servicing PSP must not impose contractual conditions or charges on TPP access	advisory	constitution_refs: `constitution/26-COMMERCIAL.md`
`psd2.A36`	Article 36 — Customer access to payment-account data — direct + through any AISP, with explicit customer consent	enforced	audit_events: `kye.consent.acceptance.v1`, `kye.purpose.grant.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/31-DATA-GOVERNANCE-PACK.md`
`psd2.A65`	Article 65 — Confirmation on availability of funds (CAF) — ASPSP responds yes/no to a CBPII query, consent-bound	enforced	audit_events: `kye.consent.acceptance.v1`, `kye.federation.cross_org_delegation.v1`, `kye.payments.intent.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A66`	Article 66 — Right to use a payment-initiation service (PIS) — ASPSP cooperation with the PISP without discrimination	enforced	audit_events: `kye.federation.cross_org_delegation.v1`, `kye.payments.intent.v1`, `kye.payments.proof_bundle.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A66.2`	Article 66(2) — PISP must not hold payer's funds and must transmit credentials securely	enforced	audit_events: `kye.evidence.tool_call_pin.v1`, `kye.federation.cross_org_delegation.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A66.3.b`	Article 66(3)(b) — PISP shall identify itself towards the ASPSP and communicate securely	enforced	audit_events: `kye.federation.cross_org_delegation.v1` engines: `internal`, `internal` constitution_refs: `constitution/25-EDGE-GOVERNANCE.md`
`psd2.A66.4`	Article 66(4) — ASPSP shall treat PIS-mediated transactions equally to direct transactions in timing, priority, charges	enforced	audit_events: `kye.purpose.permission.v1`, `kye.evidence.decision_map.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A67`	Article 67 — Right to use an account-information service (AIS) — read-only access to designated payment accounts, scoped consent	enforced	audit_events: `kye.consent.acceptance.v1`, `kye.purpose.grant.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/31-DATA-GOVERNANCE-PACK.md`
`psd2.A67.2`	Article 67(2) — AISP must access only designated payment accounts + necessary associated information	enforced	audit_events: `kye.purpose.permission.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`
`psd2.A67.3`	Article 67(3) — AISP must not request sensitive payment data nor use data for other purposes	enforced	audit_events: `kye.purpose.admissibility.v1`, `kye.evidence.tool_call_pin.v1` engines: `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/31-DATA-GOVERNANCE-PACK.md`
`psd2.A68`	Article 68 — Refusal of access by ASPSP — objectively justified, documented, reported to NCA	enforced	audit_events: `kye.signal.decision.denied.v1`, `kye.evidence.decision_map.v1`, `kye.compliance.attestation.v1` engines: `internal`, `internal` constitution_refs: `constitution/12-PURPOSE-PERMISSION.md`, `constitution/13-RESILIENCE-LOOP.md`