Open banking’s promise has yet to deliver, policymakers search for reset button

March 3, 2025

This year marks the seventh anniversary of the second iteration of the EU Payment Services Directive (PSD2) coming into force. The directive ushered in a global wave of mandates and market-led endeavours to introduce so-called “open banking” environments for consumers. 

One major goal was to create a competitive landscape for fintech companies’ third-party applications by enabling customers to share bank account data with them.

Proponents have lauded PSD2 as a revolutionary force for consumer choice and increased competition in financial services. Open banking “has the potential to be one of the most useful regulations in 100 years” because the “concept of data portability is massive for any market transformation,” according to Markos Zachariadis, chair of financial technology and professor of information systems at Alliance Manchester Business School (AMBS) at the University of Manchester.

However, this revolution hasn’t moved as fast as many had hoped, as seen in a 2024 strategic review by the Australian Banking Association and Accenture of the Consumer Data Right (CDR) regime to enable open banking in Australia. In the four years since its launch, the CDR had “not realised its potential”, the review concluded.

Innovation often starts slowly but can pick up over time, said Zachariadis. However, the “S-curve” of innovation is often like calligraphy, “with a very long tail at the beginning”. 

The UK, which adopted PSD2 in conjunction with an order from the Competition and Markets Authority (CMA), had more than 12 million active users of open banking-enabled products and more than 223.9 million open banking payments made monthly, as of December 2024. This is according to Open Banking Ltd (OBL), which the CMA set up to enforce obligations of the open banking mandate on the UK’s nine largest banks. According to the Financial Conduct Authority (FCA), 97% of the adult population, or more than 43 million people, hold a bank account, so open banking clearly has a lot of untapped growth.

API mandate slows adoption

From a regulatory perspective, open banking mandates force traditional banks to create application programming interfaces (APIs) that permit data sharing between customer accounts and third-party applications, such as those offered by fintechs. This data-sharing element is only allowed with consumer consent, but the APIs must be created to enable that sharing. Some say this mandate-led API creation by incumbent banks is the source of the slowdown. 

“The absence of a commercial model or overwhelming economic incentive leaving the industry to build APIs on its own, does not result in high performing APIs that conform to a common standard, and high connectivity or any real evidence of data sharing — that is, open banking,” said Ghela Boskovich, head of Europe at the Financial Data and Technology Association.

According to Boskovich, many regulatory mandates covering open banking did not acknowledge the need for a commercial incentive early enough. “The sooner the model is commercialised, the sooner the benefits of open banking are realised for industry and consumers,” she said. “The stick is the regulatory mandate; the carrot is the commercial model.”

To evolve, open banking needs to broaden its vision to include more types of financial data, Boskovich added, which could include property, land and registry data, as well as energy, communications, retail and transportation data. Future frameworks could include mandates to open government data sets such as tax and company registration and incorporation data, “which are so crucial in facilitating access to credit for individuals and small and medium-sized enterprises”. 

Heather Xiao, founder and chief executive of consulting firm Horizon Zero, agreed that updated regulatory frameworks are necessary to further advance open banking, open finance and smart data.

They need to include alignment of inter-value chain stakeholders and business models, to make open banking progress quicker, she said. These “strong business cases are essential for banks to willingly go beyond compliance and invest in quality open banking infrastructure, product and services”.

Bumpy road 

Work is ongoing globally to ensure open banking initiatives survive and evolve beyond their early goals — but it is not a smooth journey. 

In the UK, the commercial variable recurring payments scheme allows customers to set up a mandate for businesses to take payments from their accounts. Meanwhile, the Data (Use and Access) Bill is progressing through Parliament, which will create a long-term regulatory framework for open banking and the evolution into open finance. 

However, the European Commission’s proposed Financial Data Access (FiDA) regulation could be withdrawn, according to press reports, after extensive lobbying by several European financial services trade bodies, which complained about high costs and complexity.

FiDA was introduced in June 2023 to require financial institutions such as banks, money managers and insurers to expand access to client data. The EU reached an agreement on the draft law in December 2024.

Australia revamps 

Following last year’s damning review of Australia’s CDR, the country’s authorities are now revamping the accreditation process for financial sector firms. 

The CDR has been extended to the energy sector, and regulations are imminent for non-bank lending, according to Jodi Ross, chief risk and compliance officer at platform provider Tiimely.

However, the lack of uptake has supported “banks’ narrative that the costs of compliance outweigh the consumer benefits”, she said. “The counter view is that the [low] extent of uptake indicates the need for regulatory adjustments, rather than evidencing lack of consumer benefits.”

One factor affecting uptake has been the breadth of the regulation, which provided data portability rights and created a bespoke privacy regulatory regime for data received via CDR, said Ross. 

“The experience has been that the CDR-specific requirements for use of CDR data created a barrier to entry for the use of CDR by third-party data [because] it increased compliance costs,” she added.

Complicated landscape 

The landscape in the US is even more complicated.

The Consumer Financial Protection Bureau (CFPB) recently finalised its Personal Financial Data Rights rules stemming from the Dodd-Frank Act, which covers the regulation of consumer-authorised financial data sharing. The final rules were issued in October 2024 and established guidelines for how banks, fintechs and data aggregators manage access to consumers’ financial data.

However, the Trump administration has currently suspended the CFPB’s work.

According to Boskovich, the industry is coming together without government leadership to formalise rules for safe, secure and ethical data sharing. 

“Just because the government isn’t supportive of creating rules doesn’t mean the need for rules goes away, nor does the inevitability of a data-sharing economy,” she said. “The North American market needs to find its own way forward, irrespective of what current politicians tweet.”