Open Banking and PSD2: Challenges for fintechs, app providers and banks

In this guest post Simon Newstead, Industry Strategy Director at VocaLink, looks back over recent developments in PSD2 and Open Banking and the challenges they have presented to banks and market participants.

For those of us lucky enough to have an interest in PSD2 and Open Banking, the last few months have been rather exciting.

The UK’s Open Banking Implementation Entity is in the process of setting up a comprehensive work programme and stakeholder engagement approach. The European Banking Authority has received a record-breaking number of responses to the consultation on their draft PSD2 Regulatory Technical Standards (RTS). If PIS and AIS mean something to you, these are interesting times indeed.

While we all may privately have hoped these developments might have provided a final, “right – go and build it”, level of clarity by now, this is not yet the case.  They have, however, made some of the challenges and next steps for all participants much clearer.

Taking the UK’s Open Banking initiative first, it probably helps to note that the ‘open’ does not exactly mean an open API in the classic go-and-play-with-it manner of Transport for London. Customer data is not going to be exposed to developers without appropriate consent and controls; and it is not all fully open data in the sense of Google Maps’ information. With that in mind, the question for banks and other market participants is – what should they be building?

Given that ‘open’ API is therefore a slight misnomer for what both Open Banking and PSD2 require, banks should be thinking of how best to product-manage an externally available set of APIs, with appropriate access controls. On the other side of the ecosystem, fintechs (and others) should be preparing to demonstrate their readiness to gain access to (and make use of!) customer data.

Moving to PSD2 for a moment, the current draft RTS (which are, of course, subject to change) place rather API-like requirements onto banks to offer a third party communication interface.  They also place a set of requirements onto TPPs (Third Party Providers), most notably with respect to electronic identification certification, referencing use of the eIDAS standards as one possible approach. For banks and fintechs/TPPs, the signals are clearly indicating some key considerations around appropriate security, and on requirements for management of the ‘other side’.

As time wears on for both Open Banking and PSD2, and we move inexorably closer to implementation, articles and whitepapers confidently stating that various parts of the market don’t yet seem to have a strategy in place have sprung up like mushrooms.  Given some of the partnerships and initiatives visible in the public eye, this seems a little unlikely.

In any event, what does seem clear is that the ability to aggregate accounts and interrogate customer-level data is a massive opportunity for all firms in the market, with the potential to offer significant upside for banks, fintechs and – ultimately – consumers.

So both banks and TPPs need to carefully consider their strategic options. Third parties, from existing large-scale aggregators to fintech start-ups, need to think about how close they’d like to be to the banks – friend, partner, competitor or simply a user? Banks need to understand their approach – are they planning to build and support a developer community like TfL, or are they intending a bare-bones compliance-led approach?

Innovative firms clearly think the answer is “yes” to the former.  Tangible evidence of this can be seen already – they are setting up sandboxes, hiring Heads of Innovation, and working with API providers. Fintechs should therefore be thinking about how they can interface most efficiently with the banks, and vice-versa – particularly given the potential for a first-mover advantage for firms who partner early in the game and provide a great customer-facing product.

At the moment, we may well be in something of a chicken-and-egg situation whereby Open Banking looks to PSD2, and PSD2 requires the type of standards which Open Banking may deliver. Nonetheless, the time to act is fast approaching.  Rather than beginning to build technology to a standard that may change, banks and TPPs may wish to consider partnering – or at least thinking about their relationship strategy – to provide a robust platform for both Open Banking and PSD2.


With over 15 years’ experience in the payments industry, Simon Newstead is a senior payments practitioner with distinct expertise in engaging with the fast-changing regulatory and industry environment.  In 2016, he joined VocaLink as Industry Strategy Director. VocaLink is a global payments partner to banks, corporates and governments. It designs, builds and operates world-class platforms that make it easier to make payments confidently and securely. For more information, visit
