Data security and regulatory compliance PSD2 directive, GDPR

PSD2 regulations

Budget Insight is one of the very first companies to be licensed as a payment institution under the PSD2.

Since March 2018, we have been regulated, and are a payment institution authorized by the ACPR as a TPP (AISP and PISP).

This PSD2 authorization reflects our strict, rigorous standards. It serves as a guarantee to our clients that they are using technology that meets the highest level of security and regulatory requirements in the market. Whether or not you’re subject to banking regulations, our TPP authorization enables us to provide you with the right solution for your needs, with a responsive webview integration or one that matches your branding, while adhering to regulations.

Securely connect to our API and focus on your service and the resulting user experience.

Data protection and security

For our business, we handle and process confidential information that must be protected from all attempts at unauthorised access, usage, disclosure, tampering, and destruction.

Budget Insight, as a personal data controller and processor, complies with the provisions of GDPR and the recommendations of the CNIL and proactively seeks to protect data as a core function of its business.

Regulatory expertise and influence

Our Risk and Compliance department are experts in European regulations in payment services. They play three roles:

• Ensure strict adherence to legal and regulatory requirements in Europe and maintain our compliance; they oversee all internal control processes

• Enable our clients to anticipate and decode the latest regulatory requirements, and assist in their implementation (GDPR, PSD2, etc.)

• Represent our clients and participate in legislative processes, in direct concert with the Banque de France and the European Commission. Budget Insight actively participates in discussions with the EBA and ACPR in the context of PSD2.

Any questions, a project to launch?

Our experts answer your questions and help you design innovative financial services.


Answers to your questions

In France, banks and insurance companies are supervised by the French Prudential Supervision and Resolution Authority (ACPR).

The ACPR is an administrative authority whose independence in the fulfillment of its missions and whose financial autonomy are provided for by the French Monetary and Financial Code.

The ACPR oversees the banking and insurance sectors.

It ensures the stability of the financial system and the protection of clients.

PSD2 is a revision of the Payment Services Directive that aims to modernise payment services in Europe for consumers and companies. It fosters online services and mobile payments, more secure payments and better consumer protection.

At the same time, the directive aims to improve competitive conditions for payment service providers, including new players and Fintechs such as Budget Insight. Many PSD2 elements have already been applied in the EU since January 13, 2018.

PSD2 solves the problem of online payment fraud:

  1. PSD2 introduces strict security requirements for online payments and the protection of consumer financial data to ensure that their privacy is respected by all market providers (since September 2019).
  2. PSD2 opens the EU payment market to competition: PSD2 sets the rules for the future. With online financial services constantly evolving, the new rules will apply to traditional banks, innovative payment services and new providers such as Fintechs. From now on, third-party providers (TPPs) will be governed by EU rules. Budget Insight initiates payments on behalf of its clients and gives retailers the assurance that the money is coming, or gives them an overview of the accounts and the available balance of their clients' bank accounts.
  3. PSD2 improves complaint procedures

A “payment institution” means a legal person that has been granted authorization in accordance with Article 11 of PSD2 to provide and execute payment services throughout the Union and which is not a credit institution.

Payment services essentially comprise:

  • Services enabling cash to be deposited into or withdrawn from a payment account and the transactions required to manage such an account;
  • Execution of payment transactions associated with a payment account (card payments, credit transfers and direct debits);
  • Transmission of funds;
  • Issuance of means of payment and/or acquisition of payment orders;
  • Payment initiation and account information services (services provided by Budget Insight).

A payment institution is licensed by a national competent authority (in France: ACPR).

The main innovation of PSD2 is the recognition of two new payment services that allow a third party to act between a user and their banks or credit institutions:

  1. Payment initiation service
  2. Account information service

First of all, only payment accounts fall within the scope of PSD2. For example, bank accounts with a payment card or cheque book are considered payment accounts and are therefore within the scope of PSD2. A “Livret A” is a savings account, so it is not within the scope of PSD2.

The providers of these services, like other payment institutions, need to obtain an authorization from the ACPR (the French Prudential Supervision and Resolution Authority) and to hold public liability insurance covering the territories where they provide their services. For more transparency, authorized service providers are registered on the financial agents register (Regafi).

In B2B cases (for example, automated accounting of the transactions passing through payment accounts, customer loyalty programs, or verification of a client's solvency), three categories are available, with different regulatory consequences:

  1. White label: the partner has to be authorized by the ACPR as a credit institution, or as an account information and/or payment initiation service provider (PSIC), and has to comply with the requirements of this status, such as subscribing to professional indemnity insurance. It is important to remember that, as stated in the 3 November 2014 text on internal control, the outsourced service provider has to be authorized as a PSIC by the ACPR too.
  2. Agent or co-branding: the partner has to be appointed as a payment service agent of the PSIC. The payment services are delivered under the responsibility of the PSIC, which has a power of control as stated in Article L.523-3 of the Monetary and Financial Code.
  3. Partnership or redirect: no formality is required by the ACPR for the partner, who has no involvement in the delivery of the payment services. Aggregation and data security are the responsibility of the aggregation and payment initiation service provider.

Personal data are not processed outside of France. They are hosted on our servers, which are managed by our subcontractor SEWAN, located in France.

Our supplier Sewan stores your data in France. In addition, those data are encrypted by GEMALTO (Thales group), which is located in France. Our suppliers are GDPR-certified.

In order to be GDPR compliant, Budget Insight has taken organizational and technical measures to ensure the confidentiality and security of end users' personal data.

Upon request of the end user to access their personal data in accordance with Art. 15 of the GDPR (delete, copy, …) to , the data will be processed in accordance with the consent of the data subject. Please read our personal data protection for further information:

An internal process for personal data breaches is in place, and a data breach record is kept.

In the event of a personal data breach, Budget Insight will, no later than 72 hours after becoming aware of it:

  • Assess the breach
  • If necessary, temporarily stop the relevant service
  • Carry out a technical audit and set up an emergency meeting
  • Implement effective remedies and submit a post-incident report
  • If appropriate, notify the CNIL

Budget Insight has taken the following security measures to ensure that your data are protected: 

  • access control systems
  • encryption of data
  • equipment authentication
  • organizational measures (clearance)
  • tracking (access logging)
  • monitoring (audit)
  • notification of security breaches to relevant entities and increase of security measures
  • backup servers
  • safety of materials (servers)
  • maintenance
  • archival storage

Budget Insight is covered by cyber security insurance. The insurance certificate can be made available on request to

An API to cover all your open finance needs

Just integrate our API, and plug in one or several of our products: Pay, Bank, Wealth, and Bill.

These days, a new app, payment solution, or SaaS subscription is only a click away. And users will simply gravitate to the most convenient experience.

You need more than just a gateway to financial data and payment services. We bring a platform specifically designed to create and manage the applications that use these data and services, so you can build embedded apps that have all the winning ingredients for success.

We open up finance to empower consumers and businesses. We partner with banks, fintechs, and other start-ups to create open finance and payment experiences that users will love.