Introduction
Open banking describes a regulatory and technological framework under which financial institutions are required or incentivised to make customer account data and payment initiation capabilities available to authorised third-party providers through standardised application programming interfaces (APIs). The framework shifts control of financial data from the exclusive custody of incumbent banks toward a model in which consumers can direct their data to be shared with licensed service providers of their choosing, under explicit consent protocols enforced by regulation.
The transition from legacy data-sharing methods — primarily credential-based screen scraping — to regulated API infrastructure represents a structural change in the competitive architecture of retail and commercial financial services. By enabling third parties to access real-time transaction data and initiate payments directly from bank accounts, open banking has created the technical foundation for a new generation of account aggregation, lending, payment, and financial management applications. It has simultaneously introduced new competitive pressures on incumbent financial institutions and raised material questions about data governance, market concentration, and systemic risk.
The Bank for International Settlements, the Financial Stability Board, and the International Monetary Fund have each examined open banking’s implications for financial stability, competition, and data governance. Regulatory bodies in over 50 countries are at varying stages of framework development, making open banking one of the most consequential ongoing structural reforms in global financial services. The frameworks most advanced in implementation — the European Union’s Payment Services Directive 2 and the United Kingdom’s Open Banking Standard — provide the primary reference models for jurisdictions developing their own approaches.
What Open Banking Is: Technical and Regulatory Definition
Open banking rests on two intersecting foundations: a technical standard governing how data is exchanged, and a regulatory mandate governing who must participate and under what conditions.
The technical foundation is the API — a structured, authenticated channel through which a bank’s systems can transmit customer account data or execute payment instructions to an authorised third party without exposing the customer’s banking credentials. Prior to open banking regulation, the dominant method by which third-party applications accessed bank account data was screen scraping: the practice of collecting a customer’s login credentials and using them to log into the bank’s systems on the customer’s behalf, extracting data by mimicking a human user.
Account aggregation services such as Mint and Personal Capital represented the pre-regulatory approach to multi-institution financial data consolidation. These platforms required users to supply banking usernames and passwords, which the services stored and used to extract data from account interfaces. This model carried significant security exposure through credential sharing, produced data inaccuracies from unreliable extraction processes, and frequently failed to capture the full range of a user’s financial accounts due to compatibility limitations. Regulated open banking replaces this with tokenised API access — a structurally more secure and reliable data-sharing mechanism.
When a customer authorises a third-party provider to access their account data under an open banking framework, the bank issues a time-limited access token to the provider. The provider presents this token on subsequent data requests; the customer’s credentials are never transmitted. Authorisations are discrete, revocable, and logged — the customer can view and cancel active connections through their bank’s interface at any time.
The regulatory foundation determines which institutions must implement these APIs, what data must be made accessible, what authentication standards apply, and which third parties are eligible to connect. Without regulatory mandates, incumbent banks have limited commercial incentive to build and maintain open API infrastructure for competitors’ benefit — the regulatory framework resolves this structural disincentive.
Principal Regulatory Frameworks: PSD2 and the UK Open Banking Standard
The European Union: Payment Services Directive 2 (PSD2)
The revised Payment Services Directive (PSD2), which came into effect across EU member states from January 2018, is the most comprehensive open banking regulatory framework implemented to date. It establishes binding obligations for account-servicing payment service providers — primarily banks — to provide API access to two categories of licensed third-party providers.
Account Information Service Providers (AISPs) are authorised to receive read-only access to customer account data — transaction history, balances, account details — across one or more accounts held at different institutions. This capability underpins account aggregation, personal financial management, and data-driven lending applications.
Payment Initiation Service Providers (PISPs) are authorised to instruct a bank to execute a payment from a customer’s account directly, without routing the transaction through a card network. This account-to-account payment capability bypasses the interchange fee structure of card payments and enables direct bank-to-bank settlement.
PSD2 also mandates Strong Customer Authentication for electronic payment transactions and API access authorisations — a multi-factor verification requirement designed to reduce fraud in the open banking ecosystem. Third-party providers operating under PSD2 must be registered with and supervised by their national competent authority within the EU regulatory framework.
The European Commission has proposed PSD3 and an accompanying Payment Services Regulation to address implementation inconsistencies that emerged under PSD2, including uneven API quality across institutions and barriers to consent portability. These proposals were under active legislative consideration as of mid-2025.
The United Kingdom: Open Banking Standard
The UK’s Open Banking Standard was developed by the Open Banking Implementation Entity, established by the Competition and Markets Authority following a 2016 retail banking market investigation. The standard initially applied to the nine largest current account providers in the UK, mandating a common API specification that has since been adopted more broadly across the sector.
The UK framework introduced Variable Recurring Payments — a payment mechanism that allows third-party providers to initiate a series of payments from a customer’s account within parameters the customer defines, without requiring individual authorisation for each transaction. VRPs represent a structural improvement over traditional direct debit mandates, offering greater consumer control and flexibility for subscription and utility payment use cases.
Following the UK’s departure from the EU, the Financial Conduct Authority and Payment Systems Regulator have been developing a successor framework — termed open finance — that would extend data portability obligations beyond current accounts to savings, investments, pensions, mortgages, and insurance products.
Global Regulatory Development
Beyond the EU and UK, open banking regulatory frameworks have been implemented or are in advanced development across multiple jurisdictions. Australia’s Consumer Data Right, operational since 2020, extends data portability obligations across banking, energy, and telecommunications sectors. Brazil’s open finance framework, implemented from 2021 under Banco Central do Brasil supervision, encompasses a broader scope of financial products than either PSD2 or the UK standard. Singapore, Hong Kong, India, and several Gulf Cooperation Council member states have developed API frameworks at varying levels of mandatory participation. The United States has not enacted federal open banking legislation, though the Consumer Financial Protection Bureau’s Section 1033 rulemaking under the Dodd-Frank Act is advancing a regulatory framework for consumer financial data rights.
Consumer Applications: Financial Products Enabled by Open Banking
Open banking infrastructure has enabled a range of consumer-facing financial products that were not previously viable at scale.
Account aggregation platforms connect multiple financial institutions through a single interface, providing a consolidated view of balances, transactions, and cash flow across a customer’s complete financial position. This capability replaces the credential-sharing aggregation model that preceded regulatory API frameworks and enables more accurate personal financial management than single-institution tools.
Data-driven lending platforms use real-time transaction data accessed through open banking APIs to underwrite credit decisions based on demonstrated income and expenditure patterns rather than solely on credit bureau scores. This approach can extend credit access to borrowers with limited credit history — including recent immigrants, younger borrowers, and self-employed individuals — whose creditworthiness is not adequately captured by traditional scoring models. For mortgage applicants specifically, open banking data provides underwriters with a more granular and current picture of affordability than static document submissions such as paper bank statements, reducing processing time and improving assessment accuracy.
Financial product comparison and switching services represent another application category. Transaction data accessed through AIS connections can identify patterns — recurring charges at above-market rates, savings account yields below available alternatives, or mortgage rates approaching refinancing thresholds — and surface more suitable products to consumers. The friction historically associated with financial product switching is reduced when account verification and income confirmation can be completed through API connections rather than manual documentation.
Accessibility applications constitute an emerging use case. Open banking data can support voice-controlled financial management tools for users with visual impairments, and automated affordability calculators for borrowers who may not be well-served by standardised lending guidelines. Industry observers note that the programmable nature of open banking APIs enables a degree of product personalisation not feasible within the constraints of traditional account interfaces.
Business Applications: Payments, Treasury, and Accounting Integration
For commercial users, open banking’s most significant near-term impact is the account-to-account payment channel.
A2A payments allow customers to authorise direct bank transfers to merchants without routing transactions through card networks. The cost differential is material: card payment processing typically costs merchants between 1.5 and 3 percent of transaction value in interchange and scheme fees, while A2A payment costs are substantially lower, typically structured as fixed fees per transaction rather than percentage-based charges. For high-volume, lower-margin sectors — including utilities, insurance, and B2B suppliers — this cost reduction is commercially significant.
Accounting and bookkeeping software integrates with bank accounts through open banking APIs to automate transaction categorisation and reconciliation, reducing manual data entry and improving the accuracy of real-time financial reporting for businesses. Small and medium-sized enterprises stand to benefit disproportionately from this automation, as manual reconciliation has historically consumed significant administrative resource in organisations without dedicated finance functions.
Treasury and working capital management platforms use real-time multi-bank account data to optimise cash positioning, automate sweep arrangements, and provide finance teams with accurate intraday liquidity visibility across banking relationships. Variable Recurring Payments enable more flexible commercial payment arrangements than traditional direct debit infrastructure, allowing payment amounts to vary within agreed parameters without requiring a new mandate for each transaction.
Competitive Dynamics: Incumbent Banks and Market Structure
Open banking’s regulatory design deliberately introduces competitive pressure on incumbent financial institutions by lowering barriers to entry for technology-native financial service providers. By mandating that banks make their customer data and payment infrastructure accessible through standardised APIs, regulation enables smaller, more agile competitors to build products on top of established banking infrastructure without replicating that infrastructure.
Industry analysts note that this pressure is expected to drive incumbent banks to accelerate product development, improve digital interfaces, and expand service personalisation. Banks that respond by using open banking infrastructure to deepen customer relationships — providing more useful financial management tools built on a customer’s complete data picture — are positioned to improve retention. Those that treat open banking compliance as an obligation rather than an opportunity risk ceding customer engagement to third-party providers who occupy the customer’s primary financial interface.
The scale and pace of competitive response varies considerably across institutions. Larger banks with greater technology investment capacity have in several cases launched their own open banking-adjacent products or acquired third-party providers. Smaller institutions face proportionally higher compliance costs relative to their resource base, potentially widening the competitive gap between large and small banks rather than narrowing it.
Risk Factors: Security, Data Governance, and Market Concentration
Open banking’s risk profile spans individual security exposure, systemic data governance concerns, and structural market risks that regulators and competition authorities have identified as requiring ongoing scrutiny.
Security and Fraud Risk — API-based open banking is structurally more secure than credential-sharing screen scraping, but it is not without vulnerability. Malicious or inadequately secured third-party applications represent a risk vector: a provider with authorised API access that is subsequently compromised, or that acts against customer interests, can access or misuse account data within the scope of granted permissions. Broader risks include data breaches at third-party providers resulting from inadequate security practices, insider threats, and social engineering attacks targeting the consent authorisation process. Strong Customer Authentication requirements reduce but do not eliminate these exposures.
Data Misuse and Privacy Risk — The aggregation of financial transaction data across a consumer’s complete account picture creates a detailed behavioural profile. Authorised use of this data for the purpose the consumer approved is regulated; secondary use — for marketing profiling, data sale, or algorithmic inference beyond the stated purpose — is subject to data protection regulation but has been a source of documented concern in analogous data-sharing ecosystems. Financial analysts note that the granularity of transaction data makes it among the most sensitive categories of personal data, and that regulatory enforcement of data use limitations requires active supervisory attention.
Market Concentration Risk — A structural risk identified by competition authorities and academic researchers is that open banking may, over time, accelerate market concentration rather than prevent it. The natural dynamics of data network effects — whereby larger aggregators accumulate richer datasets, enabling more accurate models and more personalised products, which in turn attract more users — could produce dominant platform positions among a small number of third-party providers. This pattern has been observed in other internet-mediated markets including search, social media, and e-commerce, where initial competitive fragmentation gave way to significant concentration. Financial analysts and regulators note that the resulting pricing power and data control of dominant platforms could offset consumer benefits from initial competition, and that prevention of this outcome requires proactive regulatory design rather than retrospective intervention.
Security Architecture and Consumer Control Mechanisms
The security architecture of regulated open banking provides several structural protections absent in the legacy screen-scraping model, though its effectiveness depends on consistent implementation across the ecosystem.
Strong Customer Authentication requirements mandate multi-factor verification at the point of each new authorisation. Third-party providers must maintain regulatory registration and demonstrate adequate operational and security standards to retain API access. Banks are required to verify registration status before granting connections. Consent is granular — each authorisation specifies the data scope and purpose — and revocable at any time through the customer’s bank interface.
Residual risks include authorisation fatigue, where customers approve connections without fully reviewing data access scope, and variation in the security posture of registered third-party providers across a large and growing ecosystem. Regulatory bodies in multiple jurisdictions have identified consumer awareness, third-party provider quality assurance, and incident reporting requirements as areas requiring ongoing supervisory development.
Future Outlook
Several structural developments are expected to shape open banking’s trajectory. The transition to open finance — extending data portability to savings, investments, pensions, mortgages, and insurance — is under regulatory development in the UK, EU, Australia, and Brazil. This expansion would significantly broaden the scope of data-driven financial services applications while amplifying the data governance and concentration risks already present in the current framework.
Embedded finance — the integration of financial services into non-financial platforms through API connectivity — depends substantially on open banking infrastructure and is expected to increase the volume and variety of API interactions significantly. Standardisation across jurisdictions remains an unsolved problem, with the proliferation of national frameworks creating friction for cross-border providers and limiting the global interoperability that would maximise open banking’s utility.
The relationship between open banking infrastructure and central bank digital currency architecture is an active area of policy analysis, with several central banks examining how programmable payment systems could interact with open banking consent frameworks.
Conclusion
Open banking represents a regulatory-driven restructuring of data access and payment initiation infrastructure in financial services, replacing insecure credential-sharing practices with standardised, consent-based API frameworks. PSD2 in the European Union and the Open Banking Standard in the United Kingdom have established the most advanced implementations, enabling ecosystems of account aggregation, data-driven lending, A2A payment, and financial management applications. The framework introduces genuine competitive benefits — lower barriers to entry for technology-native providers, improved product personalisation, and reduced payment costs — alongside material risks including data misuse, inadequate third-party security, and the structural possibility of market concentration among dominant data aggregators. Regulatory frameworks governing both participation obligations and data use limitations are advancing across major jurisdictions, reflecting recognition that the framework’s benefits are not self-executing and require active supervisory design to be sustained.
