
Open Banking in 2026: The Ultimate Guide

A 2026 deep dive into open banking: PSD2 to PSD3 and PSR in the EU, CMA Open Banking in the UK, CFPB Section 1033 in the US, the TPP ecosystem, account-to-account payments, VRP, and the shift to open finance.

What is open banking?

Open banking is the framework under which banks expose customer-consented data and payment initiation to regulated third parties through standardised APIs. The customer stays in control of the consent, the bank remains the account of record, and a licensed third party (a TPP) uses the rails to build something new on top: a budgeting app, a payments button, an underwriting model, a treasury tool.

What started as a compliance mandate under PSD2 in 2018 has become the default plumbing of modern fintech. In 2026 open banking powers roughly 12 billion API calls per month in Europe, and the UK alone has crossed 13 million active users. The phase of "will it work" is over. The phase of "how far does it go" has begun, and the answer is: well beyond payment accounts.

Consent-driven data

The customer decides what is shared, with whom, and for how long. Consent is revocable and time-boxed by regulation.

Payment initiation

Licensed PISPs trigger payments directly from the customer account, no card rail, no interchange.

Strong customer authentication

Every consent and every initiation is secured with SCA: two factors out of knowledge, possession and inherence.

The regulatory picture in 2026

Open banking is not a single regime, it is three parallel regimes that have converged on the same idea. By 2026 they are finally close enough in shape that building cross-border makes sense.

  1. PSD3 and PSR in the EU. The European Commission published the PSD3 and Payment Services Regulation proposals in 2023, co-legislators reached political agreement in late 2024 and early 2025, and the rulebook is now moving into national transposition with a target implementation window around 2026 and 2027. PSD3 keeps the licensing architecture, the PSR harmonises conduct rules directly, and both tighten fraud liability, SCA exemptions, and API quality obligations.
  2. FiDA and open finance. The Financial Data Access Regulation extends the open banking logic to savings, investments, pensions, mortgages and non-life insurance. This is the formal move from open banking to open finance inside the EU.
  3. CMA Open Banking in the UK. The CMA9 remedy has matured into a standing regime run by Open Banking Limited, with a long-term regulatory framework handed to the FCA and the Payment Systems Regulator. Variable Recurring Payments for commercial use cases are the 2026 growth story.
  4. CFPB Section 1033 in the US. The personal financial data rights rule was finalised by the CFPB in October 2024. Compliance phases in by institution size between 2026 and 2030, and the rule forces banks to expose standardised, no-screen-scraping APIs to consumer-authorised third parties.

Who is who: TPPs, AISPs, PISPs, CBPIIs

The jargon sounds bureaucratic but the roles are clean. Every open banking player is one of these.

| Role | What they do | Typical products |
| --- | --- | --- |
| AISP | Account Information Service Provider. Reads consented account data from banks. | Aggregators, PFM apps, accounting automation, credit scoring. |
| PISP | Payment Initiation Service Provider. Initiates A2A payments from the user account. | Pay-by-bank at checkout, top-ups, bill payments, VRP. |
| CBPII | Card-Based Payment Instrument Issuer. Asks a bank for funds confirmation before charging a card-like instrument. | Decoupled debit, wallet-backed cards. |
| ASPSP | Account Servicing PSP. The bank or EMI holding the account and exposing the API. | Every licensed bank in scope of PSD2, PSD3, Section 1033 or the CMA order. |
| TPP | Umbrella term for any regulated third party (AISP, PISP, CBPII) acting on the customer data or account. | Plaid, Tink, TrueLayer, Yapily, FinAPI, Token, GoCardless. |

Getting authorised as a TPP is not optional, it is a licensing process. In the EU your national competent authority (BaFin, ACPR, Bank of Spain, CSSF, and so on) grants the permission and passports it across the single market. In the UK the FCA does the same. In the US you self-certify against the Section 1033 technical standard and register with a recognised standard-setting body.


Core concepts: consent, SCA, VRP

Three building blocks matter more than any other, because every use case is stacked on top of them.

Building block 1: Consent

Explicit, granular, revocable. In the EU a data consent is capped at 180 days before re-authentication. PSD3 keeps the clock and tightens the UX rules against dark patterns.

Building block 2: Strong Customer Authentication

Two factors out of knowledge, possession and inherence. PSD3 clarifies who is liable when SCA fails and adds new exemptions for low-risk flows.

Building block 3: Variable Recurring Payments

A single consent that authorises a stream of future payments inside agreed limits. VRP is the card-replacement story for subscriptions, utilities and tax.

VRP is worth a second look. In the UK, commercial VRP launched in 2025 on a phased rollout led by the Joint Regulatory Oversight Committee. The proposition is simple: the user grants a long-lived mandate, the PISP pulls payments inside the cap without re-SCA, the merchant avoids 1.5-2% of card interchange. If you sell SaaS, utilities or insurance, VRP is the first line item you should re-price in 2026.
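Because a VRP payment goes through without re-SCA, the mandate check is the only control standing between the PISP's request and the customer's money. The sketch below is an added example, not code from this guide or from any scheme specification: it assumes the account-holding side enforces the mandate, and the field names, the per-payment and per-period caps and the rolling window are all hypothetical stand-ins for the "agreed limits" described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

@dataclass
class VrpMandate:
    # Hypothetical fields for illustration; not a real scheme's consent object.
    valid_until: datetime
    max_per_payment: Decimal
    max_per_period: Decimal
    period: timedelta              # rolling window for the periodic cap
    revoked: bool = False
    history: list = field(default_factory=list)  # (time, amount) of accepted payments

def authorise(m: VrpMandate, amount: Decimal, now: datetime) -> str:
    """Return 'ACCEPT' or a rejection reason; callers treat anything else as a refusal."""
    if m.revoked:
        return "REJECT_REVOKED"
    if now >= m.valid_until:
        return "REJECT_EXPIRED"
    if amount <= 0 or amount > m.max_per_payment:
        return "REJECT_PAYMENT_CAP"
    window_start = now - m.period
    spent = sum((a for t, a in m.history if t > window_start), Decimal("0"))
    if spent + amount > m.max_per_period:
        return "REJECT_PERIOD_CAP"
    m.history.append((now, amount))  # only accepted payments count against the cap
    return "ACCEPT"

def demo() -> list:
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    day = timedelta(days=1)
    m = VrpMandate(t0 + 365 * day, Decimal("50"), Decimal("120"), 30 * day)
    out = [
        authorise(m, Decimal("50"), t0),
        authorise(m, Decimal("60"), t0 + day),
        authorise(m, Decimal("50"), t0 + 2 * day),
        authorise(m, Decimal("30"), t0 + 3 * day),
        authorise(m, Decimal("30"), t0 + 31 * day),
        authorise(m, Decimal("10"), t0 + 366 * day),
    ]
    m.revoked = True
    out.append(authorise(m, Decimal("1"), t0 + 32 * day))
    return out

if __name__ == "__main__":
    print(demo())
```

Revocation and expiry are checked before any amount logic, so a withdrawn or lapsed mandate can never be revived by a payment that happens to fit under the caps.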


Where open banking actually shows up

The technology is dull, the use cases are not. Six categories dominate real 2026 volume.

Account aggregation

Plaid, Tink, TrueLayer, Yapily and FinAPI pull balances and transactions into a single view. Powers neobank onboarding, PFM, and SME accounting tools like Xero and QuickBooks.

Account-to-account payments

Pay-by-bank at checkout, wallet top-ups, bill payments. A2A volume in Europe grew past 20% of e-commerce in several markets by 2026, driven by Instant SEPA and Faster Payments.

Credit underwriting

Lenders use real-time transaction data to replace or complement bureau data. Faster decisions, thinner files served, less fraud. The default stack in BNPL, SME lending and mortgage top-ups.

Personal finance management

Emma, Snoop, Revolut and the neobanks use open banking to categorise spend, surface subscriptions and run budgeting nudges across any connected account.

BNPL and checkout lending

Klarna, Clearpay and Afterpay combine open banking affordability checks with instant A2A collections to cut the cost of servicing.

SME treasury

Multi-bank cash management, automated reconciliation and sweep-and-invest logic built on top of AISP data plus PISP or VRP execution.


Open banking vs open finance vs BaaS vs embedded finance

These four terms are constantly confused, even in investor decks. They are not the same thing.

| Concept | What it is | Regulatory anchor |
| --- | --- | --- |
| Open banking | Banks expose payment account data and payment initiation to regulated third parties with customer consent. | PSD2 and PSD3 and PSR in the EU, CMA Open Banking in the UK, Section 1033 in the US. |
| Open finance | Extends the same logic to savings, investments, pensions, mortgages and non-life insurance. | FiDA in the EU, Open Finance strategy of the FCA in the UK. |
| Banking-as-a-Service | A licensed bank rents out its regulated capabilities to non-banks via APIs, who build branded financial products on top. | The bank or EMI licence of the provider. |
| Embedded finance | The user-visible experience of consuming financial products inside a non-financial product. | Depends on the product (BaaS, insurance, broker-dealer, lending). |

Rule of thumb: open banking is how you read and pay from an account that already exists somewhere else. BaaS is how you create a new account, card or loan under a non-bank brand. Open finance is open banking extended to the rest of a customer's financial life. Embedded finance is what the end user actually sees.


The 2026 market in numbers

Global open banking users: ~135M (2024 baseline, doubling by 2027)
UK active users: 13M+ (crossed in early 2025)
Open banking payments UK: ~25M/mo (monthly A2A payments by 2026)
Global market size: $38B (2026 estimate, ~25% CAGR)

Two structural shifts sit under these numbers. First, payments. Card networks are no longer the only retail option thanks to Instant SEPA, FedNow and Faster Payments now plugged into A2A flows. Second, data. With FiDA and Section 1033 it becomes normal for consumers to authorise machine access to savings, pensions and mortgages, not just current accounts.


The ecosystem you will bump into

Open banking in 2026 is a layered stack. Knowing who plays where saves you months of procurement.

Plaid (US, expanding to EU), Tink (owned by Visa), TrueLayer (UK, EU), Yapily (UK, EU), FinAPI (DE, part of Schufa), Budget Insight / Powens (FR), Bridge by Bankin' (FR), Token.io (global A2A payments), Salt Edge (global). These are your one-to-many connection layer.

GoCardless (UK-led, strong in SEPA and BACS), Volt, Trustly (Nordics, UK, US), Token.io, TrueLayer Payments, Brite Payments, Kevin (Baltics). They sit between merchants and PISP rails.

Nova Credit, Ocrolus, Plaid Check, Credit Kudos (owned by Apple), FinAPI Risk, Bud. They turn raw transaction data into scores and affordability verdicts for lenders.

Crassula, Mambu, Thought Machine, 10x, Tuum. The place where a bank, EMI or fintech orchestrates accounts, cards, payments, KYC and the PSD2/PSD3 APIs that expose it all to TPPs.

How Crassula fits in

Open banking is a regulatory obligation for every licensed bank and EMI, and a competitive weapon for every fintech. Both sides need the same thing: a platform that can expose standards-compliant APIs, orchestrate consent and SCA, plug into the right aggregators, and ship the consumer product on top.

Crassula is the orchestration and product layer. We provide the ledger, KYC, IBAN provisioning, card program, payments routing and admin back office, plus PSD2 and PSD3-ready APIs with Berlin Group NextGenPSD2 and UK Open Banking flavours out of the box. Partner with TrueLayer, Tink, Yapily, FinAPI, Plaid or Powens for aggregation, or use Crassula to become the ASPSP yourself. You ship a branded product in weeks instead of years, without rebuilding the regulated plumbing.

  1. For licensed institutions: PSD3-ready APIs, consent dashboard, SCA orchestration, FiDA-ready data surfaces.
  2. For fintechs and brands: aggregation-backed onboarding, A2A and VRP payment flows, affordability scoring hooks.
  3. For cross-border teams: one integration that covers EU passporting, UK Open Banking and Section 1033 in the US.

FAQ

Open banking is the regime that lets you ask your bank, with your explicit consent, to share your account data or initiate a payment on your behalf through a licensed third party. The bank keeps your account, the third party builds a new product on top (budgeting, lending, pay-by-bank, treasury).

PSD2 has been the EU law since 2018. PSD3 and the Payment Services Regulation, agreed politically in late 2024 and early 2025, replace it with two instruments: PSD3 for licensing and supervision, and the PSR for directly applicable conduct rules. The changes tighten fraud liability, improve SCA UX, and force better API quality at banks. Implementation lands around 2026 and 2027 depending on the member state.

Section 1033 of the Dodd-Frank Act gives US consumers a right to access their financial data. The CFPB finalised the implementing rule in October 2024. It requires banks to expose standardised, no-screen-scraping APIs to consumer-authorised third parties. The compliance calendar phases in by institution size from 2026 through 2030.

A TPP (Third Party Provider) is any regulated firm acting on a customer account under open banking rules. AISPs read account data, PISPs initiate payments, CBPIIs check funds availability for card-like instruments. All of them must be authorised by a national regulator (BaFin, ACPR, FCA, Bank of Spain and so on).

VRP is a single open banking consent that authorises a stream of future payments inside agreed limits, without re-authenticating every time. Commercial VRP launched in the UK in 2025 and is the leading card-replacement story for subscriptions, utilities, insurance and tax. Merchants save card interchange, consumers keep a single revocable mandate.

No. Open banking is about reading data and initiating payments on accounts that already exist at a bank. BaaS is about renting a bank licence so a non-bank can offer its own accounts, cards or loans. Most modern fintech stacks use both: open banking to connect existing accounts, BaaS to open new ones.

Open finance extends the open banking logic to savings, investments, pensions, mortgages and non-life insurance. In the EU this is codified by FiDA. In the UK the FCA has a dedicated open finance programme. The practical effect: the same consent plumbing that gave us pay-by-bank and PFM now covers the rest of the customer's financial life.

Crassula gives licensed institutions and fintechs a platform that already speaks PSD2, PSD3 and UK Open Banking, with consent and SCA orchestration, aggregator integrations (TrueLayer, Tink, Yapily, FinAPI, Plaid, Powens), and ready-made A2A and VRP payment flows. You plug in your licence or one of our partners and ship a branded product in weeks.
