The Transformation of Open Banking Ecosystems

Open banking ecosystems are undergoing a significant transformation. While the first versions of regulatory standards, such as Europe’s PSD2, focused primarily on data access, the emphasis is now shifting toward data protection, control, and accountability for breaches. How are regulators responding to new cyber threats? What API requirements are likely to become mandatory in the coming years? And how will the fintech landscape change under the pressure of tightening regulations?

From Data Access to Data Protection

The first wave of open banking, launched in Europe with the adoption of PSD2, established a framework for sharing financial information through standardized APIs. Banks were required to open access to payment account data, and fintech companies gained the ability to offer personalized services. However, as the ecosystem grew, its vulnerabilities became apparent: incidents of fraud related to data access consents increased, and some banks’ APIs proved insufficiently protected against attacks.

Regulators responded to these challenges by tightening requirements. The European Union is preparing PSD3, which is expected to introduce stricter authentication standards, such as mandatory use of biometrics for access confirmation, expanded bank liability for data breaches caused by their negligence, and new rules for data aggregators, including requirements for backup and encryption.

Regulatory aspect | PSD2                                              | PSD3 (expected)
Authentication    | Two-factor (Strong Customer Authentication, SCA)  | Biometrics + behavioral analysis
Breach liability  | Shared among participants                         | Clear fault criteria
API requirements  | Basic security standards                          | Certification by independent auditors

Key Security Challenges in Open Banking

The primary issue in modern open banking systems is the fragmentation of standards. Even in the EU, where PSD2 established unified rules, banks implement APIs differently, which complicates their protection. For instance, some still expose plain OAuth 2.0 authorization-code flows without the additional request verification that hardened profiles add (such as PKCE, signed request objects and exact redirect URI matching), leaving them open to attacks such as “consent fraud,” in which an attacker obtains access under a consent the customer never intended to grant.

Another risk is insufficient oversight of third parties. Many fintech companies with access to banking data do not always adhere to strict information storage standards. Several European regulators identified cases where aggregators transmitted data to subcontractors without proper encryption.

The response to these threats is unified security certification. In the UK, for example, open banking providers must undergo regular conformance testing against the FAPI (Financial-grade API) security profile, on which the UK open banking security standard is based. Similar requirements are being developed for the EU under PSD3.

Threat type         | Example incidents                   | Protective measures in new regulations
Consent fraud       | Fake TPP requests                   | Dynamic request verification
API vulnerabilities | Attacks on legacy protocols         | Mandatory use of FAPI
Data leaks          | Unauthorized subcontractor access   | Encryption at rest and in transit
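To make the difference between a bare OAuth 2.0 flow and a FAPI-hardened one concrete, here is an added example (not code from the page, nor any bank's or regulator's implementation) of a toy authorization server that can run in either profile. The client id, redirect URI and scope are hypothetical. The "plain" profile accepts an authorization-code exchange as long as the code is valid; the "fapi" profile additionally requires PKCE with the S256 method, binds the code to the requesting client and redirect URI, and makes codes single-use. The simulation then shows what happens when an attacker captures a customer's authorization code (for example from a leaked redirect) and tries to redeem it for a token under each profile.

```python
import base64
import hashlib
import secrets

# Constructed example: a simplified authorization server for a third-party
# provider (TPP) flow. Client ids, URLs and scopes are hypothetical.
# Client authentication (mTLS / private_key_jwt), which FAPI also mandates,
# is deliberately out of scope here; the point is request verification.

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))          # 43-char verifier
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

CLIENT_ID = "tpp-aggregator"                              # hypothetical TPP
REDIRECT_URI = "https://aggregator.example/callback"      # hypothetical URI

class AuthorizationServer:
    def __init__(self, profile: str):
        assert profile in ("plain", "fapi")
        self.profile = profile
        # Registered clients and the only redirect URIs each may use.
        self.clients = {CLIENT_ID: {REDIRECT_URI}}
        self.codes: dict[str, dict] = {}

    def authorize(self, client_id, redirect_uri, scope,
                  code_challenge=None, method=None) -> str:
        """Consent step: the customer approves `scope`; a code is issued."""
        allowed = self.clients.get(client_id)
        if allowed is None:
            raise PermissionError("unknown client")
        if redirect_uri not in allowed:                   # exact match, no prefixes
            raise PermissionError("redirect_uri not registered")
        if self.profile == "fapi" and (code_challenge is None or method != "S256"):
            raise PermissionError("FAPI requires PKCE with S256")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "code_challenge": code_challenge}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier=None) -> dict:
        """Exchange an authorization code for an access token."""
        grant = self.codes.pop(code, None)                # single use: replay fails
        if grant is None:
            raise PermissionError("invalid or already-used code")
        if self.profile == "fapi":
            if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
                raise PermissionError("code not bound to this client/redirect_uri")
            if code_verifier is None:
                raise PermissionError("code_verifier missing")
            actual = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
            if not secrets.compare_digest(actual, grant["code_challenge"]):
                raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "scope": grant["scope"]}

def code_injection_outcome(profile: str) -> bool:
    """Attacker has captured the customer's code but not the code_verifier.
    Returns True if the attacker obtains an access token."""
    srv = AuthorizationServer(profile)
    _verifier, challenge = make_pkce_pair()               # held by the real TPP
    extra = {"code_challenge": challenge, "method": "S256"} if profile == "fapi" else {}
    code = srv.authorize(CLIENT_ID, REDIRECT_URI, "accounts", **extra)
    try:
        srv.token(CLIENT_ID, code, REDIRECT_URI)          # no verifier supplied
        return True
    except PermissionError:
        return False

def legitimate_fapi_flow() -> dict:
    """The real TPP completes the flow, then a replay of the same code is tried."""
    srv = AuthorizationServer("fapi")
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(CLIENT_ID, REDIRECT_URI, "accounts", challenge, "S256")
    tok = srv.token(CLIENT_ID, code, REDIRECT_URI, verifier)
    try:
        srv.token(CLIENT_ID, code, REDIRECT_URI, verifier)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {"scope": tok["scope"], "replay_blocked": replay_blocked}

if __name__ == "__main__":
    print("plain profile, stolen code redeemed:", code_injection_outcome("plain"))
    print("fapi profile, stolen code redeemed: ", code_injection_outcome("fapi"))
    print("legitimate FAPI flow:", legitimate_fapi_flow())
```

Under the plain profile the captured code is enough to obtain a token, which is the failure mode behind the "fake TPP request" incidents above. Under the FAPI profile the same code is useless without the code verifier that only the genuine TPP holds, and even a genuine code cannot be replayed. Real FAPI deployments add signed or pushed authorization requests and sender-constrained tokens on top of this; the example shows only the request verification step.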

The Future of Open Banking: Balancing Innovation and Security

The next phase of open banking will be shaped by two conflicting trends. On one hand, regulators want to enable fintech to create even more sophisticated services, such as cross-bank investment platforms. On the other hand, stricter security requirements could slow innovation, particularly for startups with limited resources.

A likely compromise is the division of the market into access tiers. Simple financial services, like account aggregation and basic spending analysis, may be offered even by small companies with lightweight licenses. However, access to sensitive data, such as large transaction information, will require higher security certifications.

Another important trend is the globalization of standards. Currently, each jurisdiction has its own rules: the EU follows PSD2, the UK has its own open banking standard, and Brazil runs its own Open Finance framework alongside the Pix instant payment system. Yet large fintech companies are increasingly calling for unification to reduce adaptation costs. The International Organization of Securities Commissions (IOSCO) is taking initial steps in this direction by developing global principles for Open Finance.

Open banking is transitioning from an experimental stage to a mature ecosystem. If the initial goal was to “open data,” the key question now is “how to protect it without stifling innovation.” The answer will determine whether open banking becomes a truly widespread phenomenon or remains a niche tool for technologically advanced users.
