PSD2 & DORA implications for AI in financial services
PSD2 and DORA together set the rules AI must follow inside a regulated financial institution. PSD2 governs strong customer authentication and third-party access to payment data; DORA adds operational-resilience duties — ICT risk management, incident reporting and oversight of third-party providers, now including LLM and cloud-AI vendors. Any AI deployment inherits both.
The full article is in progress. The summary and questions below capture the core argument; the complete piece — with reference-architecture diagrams and worked examples — is coming soon.
Related questions
- Does DORA treat an LLM provider as a third-party ICT provider?
- In practice, yes — a cloud LLM is an ICT third-party dependency, so it falls under DORA's risk-management, monitoring and exit-plan requirements. That means a documented vendor inventory, contractual controls and a tested way to switch or withdraw.
- What does PSD2 require when AI touches payment data?
- AI components inherit PSD2's strong customer authentication and access controls. Any system reading account or payment data must respect the same authentication, consent and least-privilege rules as the rest of the estate, with GDPR governing the personal-data dimension.