Open banking: the regulatory legacy of PSD2 in the UK
Open banking in the UK was initially driven by the Competition and Markets Authority's 2016 retail banking market investigation, which required the nine largest UK banks to implement standardised APIs allowing third parties to access customer account data and initiate payments with customer consent. The regulatory underpinning came from the EU's revised Payment Services Directive (PSD2), implemented in the UK through the Payment Services Regulations 2017 (PSRs). Since Brexit, the UK has retained the PSRs framework but has been developing a new, UK-specific approach through HM Treasury's consultation on the Payment Services Regulation (a new primary powers-based regime expected to replace the PSRs) and through the ongoing open banking transition from the CMA's order framework to a future commercial model.
The Open Banking Implementation Entity (OBIE), established to implement the CMA's order, has transitioned to Open Banking Limited (OBL) as the entity responsible for maintaining the open banking standards and ecosystem. For firms that are account information service providers (AISPs) or payment initiation service providers (PISPs), the transition has practical implications for technical standards, dispute resolution, and participation in the ecosystem's governance. Firms that have not updated their registration and compliance arrangements since the OBIE-to-OBL transition should review their obligations under both their FCA authorisation and the open banking standards.
Strong customer authentication (SCA), the requirement to authenticate customers using two of three factors (knowledge, possession, inherence) for most payment transactions and account access, remains a compliance obligation under the PSRs. The FCA has taken enforcement action against firms that failed to implement SCA correctly, and continues to monitor compliance. The interaction between SCA requirements and the user experience demands of digital banking creates ongoing design tension that firms must manage carefully. Exemptions from SCA are available in defined circumstances (low-value transactions, trusted beneficiaries, transaction risk analysis), and firms should have documented processes for applying exemptions correctly.
The forthcoming Payment Services Regulation (PSR) will replace the PSRs and is expected to introduce new provisions on payment fraud liability, updated open banking requirements reflecting the JROC roadmap, and new rules on payment firm governance and financial resilience. The FCA and the Payment Systems Regulator have signalled that the Payment Services Regulation will represent a significant reform rather than a consolidation of existing rules. Firms should begin tracking HM Treasury's consultation process and preparing gap analyses against proposed changes to authorisation, conduct, and prudential requirements.
TPP and ASPSP obligations
For account-servicing payment service providers (ASPSPs), the obligation to provide reliable, compliant APIs to authorised third-party providers (TPPs) remains a live compliance requirement. The FCA's supervisory attention to ASPSP API quality — including availability, performance, and adherence to the open banking standards — continues, and banks that have not invested adequately in their API infrastructure face regulatory risk as well as competitive disadvantage. Dedicated API interfaces must meet performance standards set by the OBIE/OBL and must have a robust fallback mechanism.