Prestatech has been recognized among the World’s Top FinTech Companies 2025 by CNBC
English--

14 minutes

CCD2 Compliance for Lenders: What the New Consumer Credit Directive Means for Creditworthiness Assessments in 2026

The Consumer Credit Directive 2 (CCD2) takes full effect on 20 November 2026, and it will fundamentally change how lenders across Europe assess creditworthiness. For traditional banks, digital lenders, and — for the first time — Buy Now, Pay Later providers, the directive introduces mandatory affordability checks, stricter data requirements, and transparency obligations that many existing processes are not built to handle.

This guide explains what CCD2 requires, which products and institutions fall under its scope, how the creditworthiness assessment rules work in practice, and how lenders can build compliant processes that also improve lending quality and reduce portfolio risk.

What Is CCD2 and Why Does It Matter Now?

CCD2 (Directive 2023/2225) is the EU's replacement for the original Consumer Credit Directive that has governed consumer lending since 2008. The original directive was designed for a world of branch-based banking and traditional personal loans. Since then, the consumer credit market has transformed: digital lending, embedded finance, BNPL services, and micro-credit products have created a landscape the old rules were never designed to regulate.

CCD2 closes those gaps. It was published in the EU Official Journal on 30 October 2023, and EU member states were required to transpose it into national law by 20 November 2025. The implementing measures take effect on 20 November 2026, which is also when the original directive (CCD1) is formally repealed.

The timing matters for lenders because most member states are now in the transposition phase — turning the EU directive into country-specific legislation. While the directive sets the framework, the final interpretation will vary by country. Germany, France, Italy, and the Nordics are all expected to introduce additional measures or country-specific interpretations. Lenders operating across multiple EU markets face the compounded challenge of complying with a harmonised directive that will nonetheless look different in each jurisdiction.

Which Products and Institutions Are Now In Scope?

CCD2 dramatically expands the range of credit products subject to regulation. Under CCD1, the rules applied to consumer credit agreements between €200 and €75,000. CCD2 changes both boundaries.

The lower threshold is effectively removed. CCD2 covers credit agreements below €200, bringing micro-loans, small instalment plans, and low-value deferred payment arrangements into regulatory scope. Member states may exempt certain narrow categories (such as interest-free credit below €200 repayable within three months with only insignificant charges), but the default position is inclusion.

The upper threshold increases to €100,000. This captures a broader range of consumer finance products that were previously outside the directive's scope.

The most significant expansion is to new product categories. CCD2 now explicitly covers:

Buy Now, Pay Later services. For the first time, BNPL is classified as consumer credit under EU law. Providers must conduct creditworthiness assessments, provide standardised pre-contractual information, and comply with advertising rules — the same obligations that apply to traditional lenders.

Overdraft facilities. These remain regulated consumer loans, but CCD2 introduces expanded information requirements, particularly for persistent overdrafts.

Leasing agreements with a purchase option. Consumer electronics leasing, vehicle leasing with buy-out clauses, and similar arrangements now fall under the directive.

Interest-free instalment plans offered by retailers. A retailer offering a "pay in 5 instalments" option at checkout is now, in regulatory terms, offering consumer credit — with all the obligations that entails.

What remains outside scope: Mortgage credit (covered by the separate Mortgage Credit Directive), credit agreements above €100,000, employer-to-employee credit on preferential terms, and certain government-backed social lending programmes.

The practical consequence is that the population of entities that must comply with CCD2 extends far beyond traditional banks. BNPL providers, e-commerce platforms with embedded financing, telecommunications companies offering device instalment plans, furniture retailers with payment plans, and any marketplace or platform that intermediates credit are all potentially in scope.

The Creditworthiness Assessment: What CCD2 Actually Requires

The creditworthiness assessment is the core operational requirement of CCD2 — and the area where most lenders will need to make the most significant process changes. Under CCD1, the obligation to assess creditworthiness existed but was loosely defined, with limited guidance on what data to use or what outcome to require. CCD2 is substantially more prescriptive.

The Assessment Must Be Based on Verified Financial Data

Article 18 of CCD2 requires that creditworthiness assessments be based on "relevant and accurate information regarding the consumer's income and expenses and other financial and economic circumstances." This is a meaningful shift from CCD1.

In practice, this means:

Income must be verified, not self-declared. Lenders can no longer rely solely on an applicant's stated income. The assessment must draw on data that confirms the consumer's actual financial position — bank transaction records, payroll data, tax records, or equivalent verified sources.

Expenses and existing commitments must be considered. The assessment cannot look at income in isolation. The directive requires a holistic view that accounts for recurring expenses, existing debt obligations, and other financial commitments. For BNPL providers, this is particularly challenging: they must now assess whether a consumer's existing payment obligations — including BNPL commitments with other providers — leave sufficient capacity for the new credit.

The outcome must be positive before credit is granted. Under CCD1, there was ambiguity about what a lender should do with a negative assessment. CCD2 removes that ambiguity: credit may only be made available if the creditworthiness assessment concludes that the consumer can afford the repayments. Deviations are permitted only in specific, narrowly defined cases such as loans for healthcare expenses.

Credit Databases Must Be Consulted

Articles 18 and 19 require creditors to consult relevant credit databases — both public and private — before approving credit. In countries with centralised credit registries (such as the BKR in the Netherlands, CRIF in Italy, or SCHUFA in Germany), this means systematic consultation is now mandatory, not optional. For cross-border lenders, navigating the different national credit registry systems adds complexity.

Automated Decisions Must Be Explainable

When the creditworthiness assessment is based on automated processing — including algorithmic credit scoring — CCD2 gives consumers the right to request a meaningful explanation of the assessment, to express their point of view, and to contest the result. This aligns with GDPR's provisions on automated decision-making but makes the requirement explicit in the credit context.

For lenders using machine learning-based credit models, this creates a practical challenge: the model must be explainable to a non-technical consumer. Black-box scoring approaches that cannot articulate why a specific decision was reached will not meet this standard.

Proportionality Is Permitted

CCD2 does allow a risk-based approach to the depth of the creditworthiness assessment. A small, short-term, low-risk credit product does not require the same depth of analysis as a large, long-term loan. Lenders can calibrate the intensity of their assessment to the nature, duration, amount, and risk profile of the credit.

In practice, this means a BNPL provider processing a €50 transaction can apply a lighter-touch assessment than a bank approving a €50,000 personal loan. However, the assessment must still occur, it must still be based on relevant financial data, and the lender must still be able to demonstrate that it was conducted.

How Open Banking and Cash Flow Analytics Meet CCD2 Requirements

The creditworthiness assessment requirements of CCD2 create a specific data problem: where does the "relevant and accurate information regarding the consumer's income and expenses" come from?

Traditionally, lenders have relied on three sources: self-declared information from the applicant, credit bureau data, and submitted documents (primarily bank statements). Each has limitations in the CCD2 context.

Self-declaration is insufficient on its own. CCD2's emphasis on "accurate" information means that unverified self-reported income does not meet the standard.

Credit bureau data is backward-looking. Bureau records show historical credit behaviour and existing obligations, which is valuable, but they do not provide a current picture of income, expenses, and cash flow dynamics. A consumer's bureau record may show no defaults, but that does not confirm they can afford a new credit commitment today.

Document submission is slow and fraud-prone. Bank statements provide the data lenders need — income, expenses, existing commitments — but manual document submission introduces processing delays, creates fraud vulnerability (as discussed in our guide to bank statement fraud detection), and scales poorly for high-volume lending.

Open Banking as a CCD2 Compliance Channel

PSD2 open banking provides a direct, verified data channel that addresses several CCD2 requirements simultaneously. When a consumer consents to share their bank account data via a PSD2-regulated API, the lender receives:

Verified income data. Salary deposits, freelance payments, rental income, and other inflows are visible directly from the bank's records — not self-reported, not document-based, but verified at source.

Real-time expense data. Recurring commitments, subscription payments, existing loan repayments, rent, utilities, and discretionary spending are all visible in the transaction feed. This enables a genuine affordability assessment that considers the consumer's full financial picture.

Existing credit obligations. Payments to other lenders, credit card repayments, and BNPL instalment payments are visible in the transaction data — even obligations that may not yet appear in credit bureau records.

Timeliness. Open banking data is current. Unlike bureau data that may be weeks or months old, or bank statements that represent a historical snapshot, open banking provides the consumer's financial position as of today.

Where Open Banking Falls Short

Open banking is not a complete solution for CCD2 compliance. Consent rates vary by market and demographic — not every consumer will opt in to sharing their bank data. Some consumers hold accounts at institutions with limited API coverage. And open banking data alone does not satisfy the requirement to consult credit databases, which must still be done separately.

This is where complementary data channels become important. For applications where the consumer does not provide open banking consent, bank statement analysis — automated document parsing with fraud detection — provides an alternative path to the same financial data. The key is that the data, however sourced, must be verified and accurate.

Cash Flow Analytics as the Assessment Engine

Whether the source data comes from open banking or document parsing, the raw transaction data must be transformed into a creditworthiness assessment. This is where cash flow analytics comes in.

Cash flow scoring analyses the consumer's transaction history to compute affordability indicators: income stability, expense regularity, debt service coverage, discretionary spending patterns, and net cash position trends. These indicators map directly to what CCD2 requires — a forward-looking assessment of whether the consumer can sustain the repayments.

The advantage of cash flow-based assessment over traditional credit scoring in the CCD2 context is that it is inherently explainable. The model can articulate: "This consumer has a verified monthly income of X, recurring commitments of Y, and a net disposable income of Z, which exceeds the proposed monthly repayment by a factor of N." That explanation satisfies both the regulatory requirement for explainability and the consumer's right to understand the basis of the decision.

BNPL Providers: The Biggest Operational Shift

For traditional banks, CCD2 tightens existing requirements but does not introduce a fundamentally new obligation — banks have been conducting creditworthiness assessments for years. The more disruptive impact falls on BNPL providers and embedded finance platforms that are entering the regulated lending space for the first time.

The operational challenge for BNPL is acute because the business model depends on speed and friction reduction. A consumer choosing to split a €200 purchase into four instalments expects the process to take seconds, not minutes. Introducing a creditworthiness assessment into that flow — without destroying the conversion rate — requires the assessment to be automated, real-time, and invisible to the consumer.

This is feasible with the right technology stack. Open banking-based affordability checks can execute in seconds. Cash flow scoring models return a result in real time. The assessment happens in the background while the consumer completes the checkout. But it requires infrastructure that most BNPL providers do not currently have: connections to open banking data sources, transaction categorisation and enrichment capabilities, scoring models calibrated to the specific risk profile of micro-credit, and integration with national credit registries.

BNPL providers that build this infrastructure gain a compliance capability that also reduces default rates and improves portfolio quality. BNPL providers that treat CCD2 as a pure compliance cost — bolting on the minimum viable assessment — will likely see higher default rates, weaker portfolio performance, and continued regulatory scrutiny.

Country-Level Variations to Watch

While CCD2 sets a harmonised framework, the transposition into national law introduces variations that cross-border lenders must navigate.

Germany: BaFin's oversight now extends to retailers and BNPL providers offering instalment plans. The German transposition is expected to include additional requirements around employee competence and qualification for credit intermediaries. Interest-free instalment plans from retailers are explicitly treated as consumer credit, bringing a large population of non-bank entities under supervision for the first time.

Italy: Banca d'Italia and CONSOB share oversight. Italy's implementation is expected to align closely with the directive's core provisions, with particular attention to the creditworthiness assessment obligations for BNPL. Italy's relatively high BNPL adoption rate makes enforcement a priority.

France: The French market, home to large BNPL players like Alma, Pledg, and Oney, will see significant impact. The AMF and ACPR are expected to enforce the advertising restrictions and creditworthiness obligations rigorously. France may introduce additional consumer protection measures beyond the directive's minimum requirements.

Netherlands: The AFM has already signalled that the current €250 threshold for creditworthiness assessments and BKR credit registration is insufficient. The Dutch implementation is expected to lower this threshold significantly, capturing a large volume of small credit transactions that were previously unregulated.

Nordics: Denmark has already published updated guidance on creditworthiness assessments that aligns with CCD2's direction. The Nordic countries generally favour strong consumer protection and are likely to implement CCD2 at or above the directive's minimum standard.

For lenders operating across multiple markets, the practical implication is that a single compliance approach may not be sufficient. The creditworthiness assessment that satisfies the German regulator may not satisfy the Dutch one if the Dutch implementation includes a lower threshold or additional data requirements.

A Practical CCD2 Compliance Checklist for Lenders

For lenders preparing for the November 2026 enforcement date, these are the concrete operational steps to prioritise.

Audit your product scope. Identify every product you offer or intermediate that could fall under CCD2's expanded definition of consumer credit. This includes instalment plans, deferred payment options, overdrafts with purchase features, and any BNPL arrangements — whether offered directly or through partners.

Map your creditworthiness assessment process against CCD2 requirements. Document how you currently assess affordability. Identify gaps between your current process and CCD2's requirements for verified financial data, credit database consultation, and explainability. Flag any automated decision-making that cannot currently be explained to a consumer.

Establish verified data channels. Implement open banking connections for real-time financial data access. Deploy automated bank statement analysis with fraud detection for applications where open banking consent is not available. Ensure you have systematic access to relevant national credit registries in every market you serve.

Build or integrate cash flow analytics. Deploy transaction categorisation and cash flow scoring that can compute affordability indicators from verified data — income, expenses, debt service, discretionary capacity. Ensure the scoring model can produce an explanation that a non-technical consumer can understand.

Review pre-contractual information processes. CCD2 requires standardised disclosure via the Standard European Consumer Credit Information (SECCI) form, with key terms presented prominently on the first page. Information must be adapted for mobile screens. Ensure your digital lending journey provides this information at the right point and in the required format.

Update advertising and marketing compliance. CCD2 introduces stricter rules on credit advertising. Marketing materials must include mandatory risk warnings, must not be misleading, and must not create unrealistic expectations about credit availability or cost. Review all active campaigns, automated marketing, and partner marketing materials.

Implement forbearance processes. CCD2 requires creditors to exercise reasonable forbearance when consumers experience financial difficulty, and to make reasonable attempts to resolve the situation before initiating enforcement proceedings. Document your forbearance procedures and ensure they are systematically applied.

Prepare for multi-market variation. If you operate in more than one EU country, map the national transposition differences. Build compliance processes that can accommodate the most stringent market you serve, then adjust for markets with lighter requirements. Avoid building to the minimum common denominator.

CCD2 as a Competitive Opportunity

The compliance-only view of CCD2 treats the directive as a cost centre: process changes, technology investments, and operational overhead with no revenue upside. The strategic view recognises that the infrastructure required for CCD2 compliance — verified data access, real-time affordability assessment, cash flow analytics, automated decisioning — is the same infrastructure that improves lending quality.

Lenders who invest in robust creditworthiness assessment capabilities do not just tick a regulatory box. They make better lending decisions, reduce default rates, expand access to creditworthy borrowers who were previously declined by less sophisticated models, and build portfolios that perform better over time.

CCD2 is raising the floor for the entire European consumer lending market. Lenders who see this as an opportunity to raise their ceiling — to differentiate on the quality and speed of their creditworthiness assessment — will gain market share from those who treat the directive as a compliance exercise to be completed at minimum cost.

The enforcement date is 20 November 2026. For lenders who have not yet begun their implementation, the time to start is now.

Prestatech's credit intelligence platform helps European banks and lenders build CCD2-compliant creditworthiness assessment processes. Our pGET engine extracts and verifies financial data from bank statements with built-in fraud detection. Our pSCORE module analyses transaction data to generate explainable cash flow scores. And our pLEND module automates credit decisioning based on configurable affordability rules. Together, they provide the verified data, real-time analytics, and explainable outcomes that CCD2 demands. Schedule a demo to see how the platform works, or explore our cash flow scoring and document automation capabilities.

Related articles