bunq’s API keys have full access to the monetary accounts. You can make payments without any seconds authentication like TouchID/FaceID, passphrase or fingerprint scan.

At the same time, PSD2 requires a “strong customer authentication” (https://eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2?p_p_auth=lUfM78gw&p_p_id=169&p_p_lifecycle=0&p_p_state=maximized&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&169_struts_action=%2Fdynamic_data_list_display%2Fview_record&169_recordId=1361779) — a second factor like a transaction number or something else.

How does bunq complies with that requirement?

In bunq, a second factor could be a confirmation within the app like with iDEAL payments (QR code etc.).