
Open banking, PSD2, and PSD3 are three terms that appear constantly in fintech coverage — and are constantly confused. They are related but distinct: one is a global concept, one is European legislation, and one is the next evolution of that legislation. Understanding how they connect — and where they diverge — is essential for any business operating in digital payments, financial data infrastructure, or regulated financial services.
This guide breaks down all three frameworks, compares them side by side, maps the regulatory timeline from PSD1 through PSD3, and explains what each means for financial institutions, third-party providers, and consumers in practice.
Open Banking vs PSD2 vs PSD3: Side-by-Side Comparison
| Dimension | Open Banking (Global Concept) | PSD2 (EU Directive) | PSD3 (EU Regulation) |
|---|---|---|---|
| What it is | A global movement enabling third-party access to financial data via APIs | EU legislation mandating banks to open payment systems and data to licensed TPPs | Successor regulation consolidating PSD2 with direct enforceability across the EU |
| Geographic scope | Global — implemented differently by market (UK, EU, Australia, Brazil, etc.) | European Union member states | European Union member states |
| Legal status | Concept / initiative — not legislation itself | Directive — member states must transpose into national law | Regulation — directly applicable in all EU member states without transposition |
| Enforcement body | Varies by market (CMA in UK, national regulators elsewhere) | National regulators in each EU member state | National regulators + European Banking Authority (EBA) |
| Data sharing approach | Varies — UK mandates standardised APIs; other markets differ | Mandates banks open APIs but does not prescribe technical standards | Improves API quality and performance standards; aims for consistency |
| Authentication | Market-specific (UK uses SCA via Open Banking Standard) | Requires Strong Customer Authentication (SCA) for electronic payments | Simplifies SCA requirements while maintaining security |
| Key participants | Banks, TPPs (AISPs, PISPs), consumers | Banks, payment institutions, e-money institutions, AISPs, PISPs | Same as PSD2 + potential new categories of payment service providers |
| Year introduced | UK: 2018 mandate (CMA9). Other markets vary. | 2018 (replaced PSD1 from 2007) | Draft published June 2023. Expected enforcement 2026. |
The critical distinction: open banking is the blueprint, PSD2 provides the legal foundation in Europe, and PSD3 tightens that foundation into a directly enforceable regulation. The UK’s Open Banking initiative sits within PSD2’s framework but goes further — mandating that the nine largest banks (the CMA9) share data in a specific standardised format using dedicated APIs, rather than leaving technical implementation to each bank’s discretion.
Regulatory Timeline: From PSD1 to PSD3
| Year | Event | Significance |
|---|---|---|
| 2007 | PSD1 adopted by the European Parliament | Created a single payments market in the EU. Established the legal basis for SEPA and licensed payment institutions for the first time. |
| 2013 | European Commission proposes PSD2 revision | Response to market developments: rise of fintech, mobile payments, and third-party services operating outside PSD1 scope. |
| 2015 | PSD2 formally adopted | Introduced two new categories of licensed providers: AISPs (account information) and PISPs (payment initiation). Mandated API access. |
| 2016 | UK Competition and Markets Authority orders Open Banking | Required the nine largest UK banks (CMA9) to share data via standardised APIs. Created the Open Banking Implementation Entity (OBIE). |
| 2018 | PSD2 enters into force across the EU | Banks required to open APIs to licensed TPPs. Strong Customer Authentication (SCA) mandated for electronic payments. |
| 2019 | SCA enforcement deadline (extended in some markets) | Full SCA enforcement delayed to March 2021 in some EU markets and December 2020 in the UK due to industry readiness concerns. |
| 2022 | European Commission begins PSD2 review | Assessment of PSD2 effectiveness. Identified gaps in API quality, fraud prevention, and inconsistent national implementation. |
| 2023 | PSD3 draft legislation published (June) | Shifts from directive to regulation for uniform enforcement. Introduces improved API standards, simplified SCA, and a new Financial Data Access (FIDA) framework. |
| 2025–2026 | PSD3 expected finalisation and enforcement | Will replace PSD2 as the primary EU payments regulation. Extends scope to include new payment types and data-sharing frameworks. |
The trajectory is clear: each iteration tightens the regulatory framework, expands the scope of who must participate, and raises the bar for API quality and consumer protection. PSD3’s shift from directive to regulation is particularly significant — it eliminates the inconsistencies that arose from each EU member state transposing PSD2 differently, creating a genuinely unified payments market for the first time.
UK Open Banking vs EU PSD2: Implementation Differences
| Factor | UK Open Banking | EU PSD2 |
|---|---|---|
| Mandate origin | Competition and Markets Authority (CMA) | European Parliament and Council |
| Banks covered | Nine largest banks (CMA9) initially, now expanding | All banks and payment service providers in EU member states |
| API standards | Prescriptive — Open Banking Standard with specific technical specs | Broad — mandates API access but does not dictate format |
| Governance body | Open Banking Limited (formerly OBIE) | National regulators in each member state |
| Data format | Standardised JSON format across all CMA9 banks | Varies by bank and market — no single standard |
| Consumer consent | Explicit consent with granular permissions | Explicit consent required but implementation varies |
| Post-Brexit status | UK retained PSD2 framework but now evolving independently | PSD2 continues as EU law; PSD3 will replace it |
The UK’s approach is more prescriptive and has generally been regarded as further ahead in implementation maturity. The standardised API format means that third-party providers building on UK Open Banking can expect consistent data structures across all major banks. TPPs in the EU cannot rely on this, because API quality and format vary significantly between institutions and countries. PSD3 aims to close this gap by mandating higher API performance standards across the EU.
What PSD3 Changes: Key Shifts from PSD2
| Area | PSD2 Approach | PSD3 Approach |
|---|---|---|
| Legal instrument | Directive — requires transposition by each member state | Regulation — directly applicable, no transposition needed |
| API standards | Mandates access but no quality benchmarks | Introduces performance and quality standards for APIs |
| Authentication | Strong Customer Authentication (SCA) with strict rules | Simplified SCA with risk-based exemptions |
| Fraud liability | Limited provisions for fraud allocation | Strengthened fraud prevention and clearer liability rules |
| Data sharing scope | Payment account data only | Expanded via FIDA (Financial Data Access) framework to include insurance, investments, pensions |
| Enforcement consistency | Varies by member state | European Banking Authority given stronger coordination role |
The most consequential change is the introduction of FIDA — the Financial Data Access framework. Under PSD2, open banking applies only to payment account data. FIDA extends the data-sharing principle to insurance products, investments, pensions, and other financial instruments. This moves Europe from open banking to open finance — a significantly broader infrastructure that will enable new categories of financial products and services built on cross-sector data.
Frequently Asked Questions
Open Banking, PSD2, and PSD3
Is open banking the same as PSD2?
No. Open banking is a global concept — the idea that consumers should be able to share their financial data with regulated third parties via secure APIs. PSD2 is a specific piece of European legislation that provides the legal framework for open banking across EU member states. The UK’s Open Banking initiative is a further layer — a specific implementation mandate from the Competition and Markets Authority that sits within PSD2 but goes further by prescribing standardised API formats. In short: open banking is the idea, PSD2 is one legal framework for it, and the UK’s Open Banking is one prescriptive implementation of that framework.
When will PSD3 come into force?
The European Commission published its draft PSD3 legislation in June 2023. The finalisation process is expected to conclude by 2025, with enforcement anticipated in 2026. Unlike PSD2, which was a directive requiring each member state to transpose it into national law, PSD3 is structured as a regulation — meaning it will be directly applicable across all EU member states without the need for national transposition. This is designed to eliminate the implementation inconsistencies that characterised the PSD2 rollout.
What is FIDA and how does it extend open banking?
FIDA — the Financial Data Access framework — is proposed alongside PSD3 and represents the expansion from open banking to open finance. Under PSD2, data-sharing obligations apply only to payment account data. FIDA extends this principle to a much broader range of financial products including insurance policies, investment portfolios, pensions, and savings products. With consumer consent, regulated third parties will be able to access this data to build products such as consolidated financial dashboards, automated financial planning tools, and cross-product comparison services. FIDA is expected to create entirely new categories of financial services that were not possible under the payment-account-only scope of PSD2.
Does the UK still follow PSD2 after Brexit?
Yes, the UK retained PSD2 as part of its domestic law after Brexit through the European Union (Withdrawal) Act 2018. However, the UK is now free to evolve its payments regulation independently of the EU. The UK is not expected to adopt PSD3 or FIDA. Instead, the UK government and the FCA are developing their own open banking and open finance frameworks, building on the foundation that the CMA’s Open Banking initiative established. This means that UK and EU regulatory frameworks, which were once aligned, will increasingly diverge — creating both opportunities and compliance challenges for businesses operating across both markets.
