Open Banking Explained: What PSD2 and APIs Mean for Your Money
Open Banking Is a Power Struggle, Not a Tech Story
Banks spent forty years building a very specific kind of moat. Not a product moat — your savings account at Barclays is functionally identical to the one at HSBC. Not a price moat — rates are set by central banks. The moat was data. Your salary deposits, your rent payments, your coffee spending at 7am every weekday — banks accumulated a complete picture of your financial life and kept it locked inside their walls. That data asymmetry let banks cross-sell, underwrite, and retain customers at a scale no competitor could match.
Open banking tears that moat down. Not by accident, and not because banks volunteered. By law.
That is the real story. Not APIs, not fintechs, not the word "ecosystem." The story is regulatory coercion forcing incumbent institutions to hand their most valuable asset — data — to competitors, and what happens in the resulting power vacuum. Some of those competitors will build things banks never could. Some incumbents will adapt faster than expected. Some will not. The outcome will reshape retail banking for the next decade.
What Open Banking Actually Is
Strip away the jargon. Open banking means banks must share customer financial data with licensed third parties — but only when the customer explicitly consents. The mechanism is standardized APIs. The mandate is regulation.
Two core services sit at the center of every open banking regime:
Account Information Services (AIS): A third party reads your transaction history, account balances, and account metadata. The data stays read-only. This is what powers account aggregation apps — you connect your five bank accounts and see everything in one dashboard.
Payment Initiation Services (PIS): A third party initiates a payment directly from your bank account on your behalf. You authorize it; the money moves. No card network involved, no interchange fee, no payment processor standing in between.
The second one is the dangerous one — for banks and for card networks.
The deeper structural shift is what open banking does to banking's distribution advantage. Banks built customer loyalty on information asymmetry. They were the only institution that knew your full financial picture, which made them the natural starting point for every financial decision — a mortgage, a loan, a savings product. Open banking separates data from distribution. Once your financial data can travel to any licensed party, the bank is no longer the mandatory starting point. It becomes one option among many. That is not a small change. It is an existential one for banks that built strategy around captive customers.
PSD2 and the UK's OBIE: The Regulation in Practice
The EU's Revised Payment Services Directive — PSD2 — came into force in January 2018. In principle, it was sweeping: all EU banks above a threshold must expose standardized APIs to licensed third-party providers (TPPs). In practice, the rollout was a mess.
Banks were given latitude to implement their own APIs, and many used that latitude to implement bad ones. Slow responses, frequent downtime, inconsistent data formats, aggressive Strong Customer Authentication (SCA) requirements that forced users to re-authenticate every 90 days. The European Banking Authority intended SCA to improve security; it became a friction weapon. Banks that wanted to slow fintech adoption had regulatory cover to do so.
The UK went a different route. The Open Banking Implementation Entity (OBIE) was created in 2016, two years before PSD2, with a mandate to define a single, consistent API standard. Nine major UK banks were required to implement it identically. The result: UK open banking scaled where EU open banking sputtered. By 2023, the UK counted over seven million active open banking users. By the same point, EU adoption was fragmented and difficult to measure because there was no single standard to measure against.
The UK's next leap is Variable Recurring Payments (VRPs). Think of VRPs as programmable direct debits — a consumer authorizes a payment mandate with defined limits, and the payee can pull variable amounts within those limits without re-authorization for every transaction. That makes open banking viable for subscriptions, rent payments, and real-time credit repayments in a way that simple A2A transfers are not. VRPs are the infrastructure that could finally make card-on-file payments look expensive by comparison.
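The mandate check described above, sketched from the bank's side as an added example (not code from the original article or from any open banking standard). The field names, the calendar-month period and the sample payees are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

@dataclass
class Mandate:
    """Consent the customer authorized once (field names are hypothetical)."""
    payee: str
    max_per_payment: Decimal
    max_per_month: Decimal
    valid_until: date
    revoked: bool = False
    spent: dict = field(default_factory=dict)  # (year, month) -> total pulled

def authorize_pull(m: Mandate, payee: str, amount: Decimal, on: date):
    """Return (allowed, reason). Any failed check rejects the pull."""
    if m.revoked:
        return False, "mandate revoked"
    if on > m.valid_until:
        return False, "mandate expired"
    if payee != m.payee:
        return False, "payee not covered by mandate"
    if amount <= 0:
        return False, "invalid amount"
    if amount > m.max_per_payment:
        return False, "exceeds per-payment limit"
    key = (on.year, on.month)
    used = m.spent.get(key, Decimal("0"))
    if used + amount > m.max_per_month:
        return False, "exceeds monthly limit"
    m.spent[key] = used + amount  # record only after all checks pass
    return True, "ok"

def demo():
    """Constructed sample: a 100-per-payment, 250-per-month mandate."""
    m = Mandate("utility-co", Decimal("100"), Decimal("250"), date(2025, 12, 31))
    pulls = [
        ("utility-co", "80.00", date(2025, 3, 1)),
        ("utility-co", "120.00", date(2025, 3, 5)),   # single pull too large
        ("utility-co", "90.00", date(2025, 3, 10)),
        ("utility-co", "90.00", date(2025, 3, 20)),   # would pass 250 for March
        ("other-co", "10.00", date(2025, 3, 21)),     # different payee
        ("utility-co", "90.00", date(2025, 4, 1)),    # new month, counter resets
        ("utility-co", "10.00", date(2026, 1, 1)),    # after valid_until
    ]
    return [authorize_pull(m, p, Decimal(a), d)[1] for p, a, d in pulls]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Rejected pulls do not consume any of the monthly allowance, so a payee cannot exhaust the customer's limit with failed attempts.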
Meanwhile, the EU is not standing still. PSD3 and the Payment Services Regulation (PSR), under development through 2025 and 2026, aim to fix the implementation inconsistencies of PSD2. The ambition is open finance — extending data-sharing obligations beyond payment accounts to mortgages, investments, and insurance. The direction is right. The execution timeline remains the problem.
The US: A $13 Billion Market Built on a Hack
The United States has no PSD2. It has no equivalent mandate. What it has is Plaid.
For the better part of a decade, the US open banking industry ran on screen scraping — Plaid, MX, and Finicity logged into your bank account using your actual username and password, scraped the HTML, and parsed transaction data out of it. This is a legally dubious and operationally fragile approach to financial data infrastructure. It also scaled to tens of millions of users because there was no regulated alternative.
Banks hated it, and many actively tried to break it. JPMorgan Chase locked out aggregators repeatedly. Wells Fargo sued. The practice of credential sharing, in which aggregators store and reuse customer bank passwords, created genuine security concerns (it is distinct from credential stuffing, where attackers replay leaked passwords against login pages). Banks used those concerns selectively, deploying them as justification for blocking access rather than offering a clean API alternative.
The CFPB's Section 1033, finalized in 2024, changes the calculus. It gives consumers a legal right to access and share their financial data, and it obligates financial institutions to provide that access — though it stops short of mandating API formats. The result is an accelerating shift from screen scraping to proper API connectivity, driven by liability pressure, regulatory direction, and the major banks' own self-interest in controlling how their APIs are accessed.
Plaid, valued at $13.4 billion before Visa's acquisition attempt collapsed under antitrust pressure in 2021, is the clearest indicator of how much value was extracted from this regulatory gap. Finicity, acquired by Mastercard for $825 million, is another. The screen-scraping era made data intermediaries extraordinarily valuable precisely because they solved a problem banks refused to solve themselves. That era is ending. The intermediaries built on it are scrambling to become something more durable.
What's Been Built on Open Banking
The practical output of open banking infrastructure falls into four categories:
Account aggregation. Mint, YNAB, and Emma in the UK aggregate accounts across institutions into a single view. The consumer value is obvious. The business model — selling premium tiers or financial product referrals — is harder to sustain at scale, as Intuit's 2023 shutdown of Mint demonstrated.
Automated savings and investment. Plum and Chip in the UK use transaction data to identify surplus cash and move it automatically into savings or investment products. The proposition only works if you trust a third party with both read access to your accounts and payment initiation. Open banking's consent framework makes that trust transfer possible.
Instant income and employment verification. This is where the business impact is most immediate. Plaid's income verification product is integrated into Fannie Mae's Day 1 Certainty program. DoorDash uses it to verify earnings for gig workers. Replacing a payslip with a real-time data pull eliminates fraud, reduces underwriting time, and opens credit access to people with non-standard income. This is open banking's most underrated application.
Account-to-account payments. GoCardless, TrueLayer, and Volt are building payment infrastructure that routes transactions directly between bank accounts. The merchant proposition is straightforward: A2A payments cost a fraction of card interchange. Card networks charge 1.5–2.5% per transaction. A2A payments cost pennies. At scale, that difference is enormous. The consumer proposition — fewer cards stored, faster checkout — is still developing.
The Winners and the Losers
Let me be direct about where this ends up.
The fintechs that built data infrastructure win. Plaid, Tink (acquired by Visa for $2.1 billion in 2022), and TrueLayer have established network positions that are genuinely difficult to replicate. They sit between banks and application developers, and their value grows with every new integration. Visa buying Tink after the Plaid deal collapsed is the most explicit statement of what card networks think about open banking: if you cannot beat the infrastructure, own it.
Merchants who adopt A2A payments win. Interchange is a tax on commerce that has persisted because there was no viable alternative. Open banking creates that alternative. Any merchant processing significant volume at 2% interchange has an immediate, quantifiable incentive to route transactions through A2A rails instead. The friction is consumer adoption, not merchant motivation.
Banks that become platforms win — eventually. The banks that move fastest to monetize their API access as a product, rather than treating it as a compliance cost, will find that open banking creates new revenue streams rather than destroying old ones. Goldman Sachs's Transaction Banking unit and BBVA's API Market are early examples. The majority of retail banks are not moving at that speed.
Banks that relied on data exclusivity lose. That is most retail banks. If your retention strategy was "customers don't leave because switching is hard and they don't know what they're worth to us," open banking eliminates both barriers. Data portability reduces switching costs; transparency destroys information asymmetry.
Card networks face structural pressure. Visa and Mastercard process roughly $10 trillion in annual transaction volume globally. A2A payments do not need them. The transition will be slow — card infrastructure is embedded in billions of merchant terminals and consumer habits — but the direction is clear. Visa's acquisition of Tink is a hedge, not a solution.
Credit bureaus face existential disruption. Experian, Equifax, and TransUnion have built businesses on a proxy for creditworthiness: historical credit behavior. Open banking offers something better — real-time transaction data. Your actual cash flow is a more accurate predictor of repayment ability than a FICO score derived from lagged reporting. If lenders can access live bank data directly, the intermediary role of credit bureaus diminishes materially.
Big tech is the wildcard. Apple, Google, and Amazon want the data open banking unlocks. They want to embed financial services into their existing consumer relationships. They do not want to be regulated as banks. Open banking is an opportunity if they can access data via API without triggering banking regulation, and a threat if regulators decide that controlling financial data flows makes you a financial institution. That regulatory question is unresolved.
Open Finance: Beyond Payments
Open banking covers payment accounts. Open finance is the logical extension: mortgages, pensions, investment portfolios, insurance policies — every financial product, API-accessible, with consumer consent.
The UK's FCA has published an open finance roadmap. The EU's FIDA (Financial Data Access) regulation is working its way through Brussels. But the most aggressive implementation is happening in Brazil.
Brazil's Sistema Financeiro Aberto, launched in 2021, is the most comprehensive open finance regime in the world. It covers not just payment accounts but credit products, investments, insurance, and pension funds. Participation is mandatory for institutions above a size threshold. The consent framework is consumer-controlled. By 2024, Brazil had recorded over 800 million data-sharing consents — more than any other country. This is what happens when a regulator is serious about implementation rather than ambition.
Variable Recurring Payments, when they scale, will disrupt the subscription economy. Every subscription business that currently charges a stored card is paying interchange on recurring revenue. VRPs eliminate that cost and give consumers more granular control over payment mandates. The subscription economy is worth over $600 billion annually. The infrastructure shift will take years, but the economic logic is inescapable.
The endpoint is what practitioners call "embedded finance" or "invisible banking." Financial services that are contextually integrated into the moment of need — lending offered at the point of purchase, insurance triggered by a transaction, savings automated by spending behavior — without the customer needing to interact with a bank directly. Open banking is the API layer that makes that possible.
Global Open Banking Implementation
| Country/Region | Mandate Type | Launch Year | Coverage | Key Use Cases | Maturity |
|---|---|---|---|---|---|
| United Kingdom | Regulatory mandate (OBIE/FCA) | 2018 | Payment accounts; VRPs in rollout | A2A payments, income verification, account aggregation | High — 7M+ active users, live VRP pilots |
| European Union | Regulatory mandate (PSD2 → PSD3/PSR) | 2018 | Payment accounts; open finance via FIDA | Account aggregation, payment initiation | Medium — fragmented standards, PSD3 pending |
| United States | Consumer right (CFPB Section 1033) | 2024 (rule finalized) | Payment accounts; no API standard mandated | Income verification, account aggregation, A2A (early) | Low-Medium — market-driven, screen scraping still common |
| Brazil | Regulatory mandate (Banco Central) | 2021 | Payments, credit, investments, insurance | Full open finance — lending, insurance, Pix integration | High — 800M+ consents, most ambitious globally |
| Australia | Consumer Data Right (CDR) | 2020 | Banking, energy, telecoms | Account switching, mortgage comparison, energy switching | Medium — slow consumer adoption, strong framework |
Key Takeaways
- Open banking is a regulatory redistribution of power, not a technology upgrade. Banks are being compelled to share the one asset that differentiated them: data. Every other consequence flows from that.
- The UK and Brazil have executed more effectively than the EU. Consistent standards matter more than ambitious mandates.
- A2A payments are the highest-stakes application. If they scale, the card networks lose a structural portion of their volume — not overnight, but irreversibly.
- The real-time transaction data that open banking unlocks is a direct threat to credit bureaus. FICO scores built on lagged, self-reported data cannot compete with live bank feeds as a risk signal.
- Fintechs that built data connectivity infrastructure — Plaid, Tink, TrueLayer — have established network positions with genuine defensibility. Visa's acquisition of Tink for $2.1 billion reflects exactly how seriously incumbents take that threat.
- Open finance is the destination. The current open banking regime covering payment accounts is the first phase of a longer transition that will eventually encompass mortgages, pensions, and insurance. Brazil is showing what the full picture looks like.