For most of modern banking history, a customer's financial data belonged to the bank. If you wanted to see your transactions in a budgeting app or apply for a loan through a comparison website, the app or website had to either ask you to download a statement or, more commonly, use your login credentials to "screen-scrape" the bank's online interface. This arrangement was fragile, insecure, and gave banks an effective veto over which third-party services could reach their customers. The central tension of open banking is whether financial data should be locked inside the institution that holds it or made portable at the customer's direction—and, if portable, under whose rules.
The earliest attempts to open bank data were voluntary, bilateral, and driven by commercial logic. In markets such as the United States and Canada, large banks began offering application programming interfaces (APIs) to selected partners—often fintech startups that could bring new customers or reduce the bank's own development costs. These arrangements were negotiated case by case: each API had its own authentication method, data format, and rate limits, and the bank could revoke access at any time. The model was an infrastructure-building exercise, not a rights-based reform.
Market-led open banking coexisted with screen-scraping, which remained the default for most third-party services. Banks tolerated scraping because it drove traffic, but they also used technical countermeasures—CAPTCHAs, IP blocking, session timeouts—to control the terms of access. The result was a fragmented landscape in which a fintech that wanted to serve customers at multiple banks had to maintain separate integrations for each one. Security was uneven: scraping required the customer to hand over their banking password, creating liability questions that no single framework resolved.
This first framework did not solve the data-access problem; it narrowed it to a set of commercial experiments. Its lasting contribution was to demonstrate that API-based access was technically feasible and commercially valuable. But because it left control entirely in the hands of each bank, it could not scale into a universal standard. The pressure for a more systematic approach came from regulators who saw that the voluntary model was leaving most customers and most fintechs without reliable access.
Beginning around 2015, regulators in Europe and the United Kingdom transformed open banking from a strategic option into a compliance obligation. The European Union's Revised Payment Services Directive (PSD2), implemented from 2018, required banks to give licensed third-party providers access to payment accounts via standardized APIs. The UK's Competition and Markets Authority (CMA) went further, mandating that the nine largest banks adopt a common API specification and publish performance dashboards. These interventions replaced the voluntary, bilateral model with a regulatory framework that defined who could access data, under what technical standards, and with what liability rules.
The shift was not merely a matter of compulsion. Regulatory-driven open banking introduced a new security architecture: third parties had to be licensed, authentication moved from shared passwords to token-based protocols, and banks were required to maintain dedicated API interfaces rather than tolerate scraping. Liability was reallocated—if a transaction went wrong because of a third party's error, the third party bore the loss; if the bank's API failed, the bank was responsible. This was a direct response to the unresolved liability questions of the market-led era.
Regulatory-driven open banking did not eliminate its predecessor. In jurisdictions without mandates—the United States, Canada, much of Asia—market-led arrangements continued to operate, and even in Europe, banks and fintechs negotiated commercial terms on top of the regulatory baseline. The two frameworks coexist, but with a clear division of labor: regulatory-driven frameworks set the floor for access and security, while market-led innovation builds additional services on top. The tension between them is visible in debates over API performance: regulators require minimum uptime and response times, but banks argue that stricter mandates stifle differentiation.
Almost as soon as regulatory-driven open banking began operating, its scope came to seem too narrow. PSD2 and the CMA order covered only payment accounts—current accounts, credit cards, and e-money wallets. Savings accounts, mortgages, insurance policies, and investment portfolios remained outside the mandate. A third framework, Open Finance and Consumer Data Rights, emerged around 2018 to push the boundary outward.
This framework reframes the question: instead of asking which products regulators should open, it treats financial data as belonging to the consumer, who should be able to direct its sharing across the entire financial system. Australia's Consumer Data Right (CDR), launched in 2020, is the most comprehensive example. Under the CDR, consumers can authorize accredited third parties to access data on their banking, energy, and telecommunications accounts, with a roadmap to include insurance, superannuation, and mortgages. Brazil's open banking regime, also launched in 2020, similarly extends beyond payment accounts to cover credit, foreign exchange, and investment data.
The Open Finance framework absorbs the earlier regulatory-driven model but transforms its logic. Where PSD2 was designed primarily to increase competition in payments, the CDR is built around data sovereignty: the consumer, not the bank, is the owner of the data, and the bank is merely a custodian. This shift has practical consequences. Liability rules become more consumer-centric—if a data breach occurs at a third party, the consumer's recourse is clearer because the data was shared at their explicit direction. The technical infrastructure also broadens: instead of a single API standard for payments, Open Finance requires a family of standards covering different product categories, with consistent authentication and consent management across all of them.
Open Finance does not replace regulatory-driven open banking; it extends and coexists with it. In Australia, the CDR's banking sector uses the same API specifications that were developed for the UK's CMA regime, adapted for a wider product set. In Europe, policymakers are discussing an Open Finance framework that would sit alongside PSD2, adding insurance and investment data without dismantling the payment-account rules. The three frameworks now form a layered landscape: market-led arrangements continue in unmandated markets, regulatory-driven mandates cover payment accounts in dozens of countries, and Open Finance pushes toward universal consumer data rights.
Today, all three frameworks agree on one core principle: API-based access is superior to screen-scraping. They also converge on the need for strong authentication, clear liability allocation, and consumer consent. The disagreements are about scope and governance. Market-led proponents argue that regulation should set only minimal standards—authentication and liability—and let banks and fintechs negotiate the rest. Regulatory-driven advocates counter that without mandated standards, large banks will use technical complexity to slow competition. Open Finance proponents add that even broad payment-account mandates are insufficient; the real prize is a cross-sector data right that treats financial information as the consumer's asset.
These disagreements are not merely theoretical. In the United States, the Consumer Financial Protection Bureau's Section 1033 rulemaking is grappling with exactly this choice: should it mandate a narrow set of payment-account data (regulatory-driven) or establish a broad consumer data right (Open Finance)? The outcome will determine whether the US follows the European or the Australian path. Meanwhile, in markets that already have regulatory-driven frameworks, the next frontier is whether Open Finance will be layered on top or whether the existing mandates will be expanded piece by piece.
The trajectory of open banking is not a clean succession of frameworks. Market-led experiments continue alongside regulatory mandates, and Open Finance ambitions are being pursued in jurisdictions that already have regulatory-driven systems. Open banking's history is one of expanding scope—from voluntary bilateral deals to regulated payment-account access to universal consumer data rights—and of persistent tension between commercial flexibility and regulatory standardization. That tension is unlikely to resolve; it is the engine that keeps the frameworks in productive competition.