From Regulatory Text to System Behavior: Translating PSD3 & SEPA 2.0 into Technical Requirements
How Banking Teams Turn Compliance into Executable Architecture
Frameworks such as PSD3 and SEPA 2.0 do not simply introduce new rules. They reshape how systems must behave: how payments are authorized, how data is shared, how consent is managed, and how traceability is ensured. For engineering teams, the challenge is not understanding the regulation in isolation, but translating it into clear, implementable system behavior.
This translation layer is where Business Analysts, architects, and engineers converge. It is also where many organizations struggle—not because the regulation is unclear, but because the path from legal text to technical implementation is not systematically defined.
From Legal Language to Domain Understanding
Regulatory documents are written in legal and business terms. They describe obligations, constraints, and expected outcomes, but rarely specify how systems should implement them.
A typical PSD3 requirement might state:
- strong customer authentication must be enforced under specific conditions
- access to account data must be consent-driven
- third-party providers must be able to interact securely with banking APIs
For a Business Analyst, the first step is not technical. It is domain interpretation. This involves identifying: the business capabilities affected (payments, identity, access, consent), the actors involved (customers, banks, third-party providers), the conditions under which rules apply.
The result is a set of domain-level behaviors that can be understood across teams.
Identifying Impacted Domains and Bounded Contexts
Once the regulation is interpreted, the next step is mapping it to system boundaries. Modern banking platforms are typically organized into domains such as: payments, customer identity, account management, consent and authorization, API access and integration.
Each regulatory requirement affects one or more of these domains.
For example:
- Strong Customer Authentication (SCA) impacts identity and payments
- Open banking access affects API gateways and consent management
- Transaction transparency impacts reporting and ledger systems
The goal is to avoid treating regulation as a monolithic requirement. Instead, it must be decomposed into domain-specific responsibilities, aligned with bounded contexts. This prevents cross-domain coupling and ensures that each team understands its scope.
Building Traceability from Regulation to Code
One of the most critical aspects of compliance-driven engineering is traceability. Every requirement derived from PSD3 or SEPA 2.0 must be traceable: from the original regulatory clause, to business requirements, to system design, to implementation and testing. This is often achieved through traceability matrices.
A simplified example:
Regulatory Clause | SCA required for payments above threshold
Domain | Payments / Identity
System Component | Authentication Service
Implementation | MFA flow + risk-based checks
This structure ensures that no requirement is lost during implementation, auditors can verify compliance, teams can assess the impact of regulatory changes. Traceability is not just documentation. It is a control mechanism that ensures alignment between regulation and system behavior.
Mapping Regulatory Requirements to Microservices
In microservices architectures, each service is responsible for a specific domain capability. Regulatory requirements must therefore be mapped to services in a way that preserves both autonomy and compliance.
For example:
- an Authentication Service handles SCA logic
- a Consent Service manages user permissions for data access
- an API Gateway enforces access control for third-party providers
- a Payment Service ensures that transactions comply with regulatory rules
The key is to avoid duplicating regulatory logic across services. Instead, responsibilities should be clearly defined and centralized where appropriate. For example, SCA enforcement should not be implemented independently in every service that triggers payments. It should be handled through a dedicated component or shared service.
This approach reduces inconsistencies and simplifies compliance management.
Defining Non-Functional Requirements in Regulated Systems
Regulatory compliance is not limited to functional behavior. It also imposes strict non-functional requirements. These include:
- security: encryption, authentication, secure communication
- availability: systems must remain accessible for regulated operations
- auditability: all actions must be traceable and verifiable
- data protection: compliance with GDPR and data residency requirements
For example, PSD3 may require: detailed logging of access to account data, secure storage of consent records, real-time monitoring of suspicious activities.
These requirements influence system design at every level, from infrastructure to application logic.
In many cases, they shape architectural decisions more strongly than functional requirements.
From Requirements to Executable Behavior
Once requirements are mapped to domains and services, they must be translated into executable behavior. This involves:
- defining API contracts that enforce regulatory rules
- implementing validation and authorization logic
- designing workflows that reflect regulatory processes
- ensuring that edge cases are handled correctly
For example, a payment API may enforce SCA by: checking whether authentication is required, triggering an MFA flow if needed, validating the result before processing the transaction. This behavior must be consistent across all channels—web, mobile, and third-party integrations.
Testing and Validating Compliance
Compliance cannot be assumed. It must be verified. Testing strategies must include:
- functional tests for regulatory scenarios
- integration tests across services
- audit validation for traceability
- performance tests to ensure compliance under load
In many cases, compliance scenarios are more complex than standard business flows. They involve edge cases, conditional logic, and interactions between multiple systems.
Automated testing plays a key role in ensuring that these scenarios are consistently validated.
Collaboration Between Business and Engineering
Translating regulation into system behavior is not the responsibility of a single role.
Business Analysts interpret regulatory intent. Architects define system boundaries and responsibilities. Engineers implement and validate behavior.
This collaboration must be continuous.
When regulation changes (as it inevitably does) the system must adapt. Without strong alignment between teams, changes become slow, risky, and inconsistent.
Final Thoughts
PSD3 and SEPA 2.0 are not just regulatory updates. They are drivers of architectural change.
They require systems that are secure, transparent, and interoperable. They demand traceability from legal text to code. They force organizations to think in terms of domains, boundaries, and responsibilities. For engineering teams, the challenge is not simply to comply. It is to build systems where compliance is designed in, not added later.
At OceanoBe, this is where engineering excellence meets domain understanding—transforming regulatory complexity into scalable, maintainable, and trustworthy systems.
