Open banking and PSD2 explained — regulation, roles and licensed providers (2026)

A regulatory walkthrough of PSD2 in Europe: the Directive itself, the ASPSP/AISP/PISP roles, the EBA Register, what SCA really demands, and what PSD3 is about to change.

Adam Przywarty
martia.ai
May 2026 | 13 min read

PSD2 is European Union Directive 2015/2366 that forces banks across the EU and EEA to expose free APIs to licensed third-party providers. It came into full force on 14 September 2019, is enforced by national competent authorities under the coordination of the European Banking Authority (EBA), and it is the legal foundation of every European open-banking app you might use — Martia included.

Key takeaways

  • Legal basis: EU Directive 2015/2366 (PSD2), full enforcement from 14 September 2019, transposed into each member state's national law, supervised by EBA + national competent authorities.
  • Three roles: ASPSP (the bank that exposes the API), AISP (read-only access to account data — Martia is one), PISP (can initiate payments on your behalf).
  • No banking password: screen-scraping is banned by Article 32 of the RTS 2018/389. You authenticate on the bank's own surface and the AISP only ever receives a scoped token.
  • 90-day rule: Article 10 of the RTS forces re-authentication at least every 90 days. PSD3 (expected 2026-2027) removes it.
  • How to verify a provider: every AISP must appear in the EBA Register or the national regulator's public register. No entry, no licence.

PSD2 in three sentences — the legal basis

PSD2 is Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market. It replaced PSD1 (2007) and introduced three things its predecessor did not have: mandatory bank APIs, two new regulated services (AIS and PIS), and a strict requirement for Strong Customer Authentication (SCA). The technical detail lives in the Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC), which is what most engineers actually read.

Why the dates matter

The directive itself had a transposition deadline of 13 January 2018 — that is when member states had to have national legislation in place. But the operationally critical date is 14 September 2019: the day the RTS 2018/389 became enforceable. That is when bank APIs had to be live in production, when SCA had to be applied across the board, and when screen-scraping was effectively outlawed. Most of the European open-banking ecosystem dates its real birthday from this day, not from the directive itself.

Who enforces PSD2

PSD2 is supervised at two levels. National competent authorities (BaFin in Germany, ACPR in France, AFM/DNB in the Netherlands, Bank of Lithuania, etc.) handle licensing, day-to-day supervision and complaints. The European Banking Authority (EBA) coordinates across the EU and runs the central EBA Register of authorised institutions. On the technical side, two industry bodies do most of the standard-setting: the Berlin Group (NextGenPSD2, used by the vast majority of European banks) and, in the UK, OBIE (Open Banking Implementation Entity).

PSD2 vs. 'open banking' — the difference

PSD2 is the legal framework — a directive plus its national transpositions and technical standards. Open banking is the broader phenomenon: any model in which banks expose data and services through APIs. PSD2 is Europe's legally-mandated minimum version of open banking. The UK has pushed further (OBIE standard, CMA Order), while inside the EU itself the depth varies by country and by bank.

The three roles in the PSD2 ecosystem: ASPSP, AISP, PISP

PSD2 introduces three regulated participant roles. Each has different privileges, different licensing requirements and a different scope of access to your data. Knowing them is the single best filter for judging whether a financial app is actually safe to use.

ASPSP — the bank that holds your account

ASPSP (Account Servicing Payment Service Provider) is the institution that holds your payment account. That is your bank in almost every case, but it also includes credit unions and licensed e-money institutions that issue accounts (think Revolut, N26, Wise — each is an ASPSP for the accounts it issues). Under PSD2 Articles 66 and 67 the ASPSP is obliged to expose a free API and may not charge for it, nor discriminate against third-party providers compared with its own interfaces.

AISP — read-only access to account data

AISP (Account Information Service Provider) is a licensed provider that, with your consent, only reads data: balances, transaction history, account metadata. It cannot initiate a payment, cannot move a single euro. This is the licence category that every European budgeting and personal finance app sits in — Martia included. To act as an AISP in any European country, the provider needs either a national licence (from BaFin, ACPR, FCA, etc.) or a passporting right from another EU/EEA member state — for example, GoCardless holds an Irish authorisation and passports it across the EU.

PISP — initiating payments on your behalf

PISP (Payment Initiation Service Provider) holds broader privileges — it can, on your behalf, initiate a transfer from your account. In practice these are the providers powering pay-by-bank flows at checkout (an alternative to card payments — Trustly, GoCardless, Stripe Financial Connections, certain Tink and TrueLayer products). PISP requires a separate, stricter authorisation precisely because the abuse surface is much larger than AISP's. For the record: Martia is strictly an AISP, never a PISP — we read history, we don't move money.

Quick check — which role is which?

Only reads balances and transactions? AISP.
Initiates a payment (e.g. 'Pay by bank' at checkout)? PISP.
Holds the account (your bank)? ASPSP.

Want to see PSD2 working on your own account?

You sign in on your bank's own page, confirm with two factors, and I only receive a scoped read-only token. I never see your banking password — it's not even technically possible. From there, I show your transactions immediately and categorise them for you, with no manual entry.


How PSD2 is implemented across Europe

The directive is uniform; the implementation is anything but. Each member state transposed PSD2 into its own national legislation, and each large bank chose between two dominant technical standards. The result is a mostly-consistent European open banking layer with significant per-country quirks.

| Country | Competent authority | Dominant API standard |
|---|---|---|
| Germany | BaFin | Berlin Group NextGenPSD2 |
| France | ACPR (Banque de France) | STET PSD2 API |
| Netherlands | DNB | Berlin Group / bank-specific |
| Spain | Banco de España | Berlin Group / Redsys |
| Italy | Banca d'Italia | Berlin Group / CBI Globe |
| Ireland | Central Bank of Ireland | Berlin Group / OBIE-compatible |
| United Kingdom | FCA | OBIE Open Banking Standard |

Two pieces of nuance worth knowing. First: the 90-day historical data limit in Article 10 of the RTS applies everywhere — a freshly-connected account in Germany or in Spain will surface the last 3 months by default. Deeper history needs an explicit user-initiated action. Second: API quality varies wildly between banks, even within the same country and the same standard. The directive mandates the existence of an API, not its excellence — which is exactly what PSD3 sets out to fix.

PSD2 in Europe — key numbers

  • 14 Sep 2019: date when the technical standards (RTS 2018/389) became fully enforceable
  • 180 days: maximum single AISP consent duration (PSD2 Art. 67(2))
  • 90 days: maximum interval between user-confirmed SCA (RTS Art. 10)
  • 27 + 3: EU member states plus EEA countries (Iceland, Liechtenstein, Norway) covered by PSD2

Sources: Directive (EU) 2015/2366 (PSD2) consolidated, EUR-Lex, Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC), European Banking Authority — register of payment and e-money institutions

Licensed AISP infrastructure providers in Europe

Most consumer-facing apps don't build their own bank-by-bank PSD2 integrations — they sit on top of an infrastructure provider that has done it for them. Knowing the major players helps you see who is really behind any open-banking app you use.

| Provider | Licence | Coverage |
|---|---|---|
| GoCardless (Nordigen) | Central Bank of Ireland + EU passporting | 2,400+ banks across EU + UK — used by Martia |
| Tink (Visa) | Finansinspektionen (Sweden) + EU passporting | 3,400+ banks — powers PayPal, Revolut, others |
| TrueLayer | FCA (UK) + Irish subsidiary for EU passporting | UK + EU — focus on PISP/pay-by-bank |
| Yapily | FCA (UK) + Lithuanian subsidiary for EU passporting | UK + EU — infrastructure-only, no consumer app |
| Yolt Technology Services | DNB (Netherlands) + EU passporting | B2B infrastructure provider |
| Plaid | FCA (UK) + Dutch licence for EU passporting | US-headquartered, expanding into EU + UK |

Two registers to verify any licence

1. The EBA Register (euclid.eba.europa.eu/register). The European Banking Authority's central register of every authorised payment and e-money institution in the EU and EEA. Search by name, by country, or by activity (AIS, PIS, etc.).

2. National competent authority registers — BaFin, ACPR, FCA, Banco de España, AFM/DNB, Banca d'Italia, etc. Each maintains a public list of the providers it has authorised, plus the foreign providers operating in its jurisdiction via passporting. Always available, always free to search.

Rule of thumb: if the app isn't in either register, don't give it access

Every AISP and PISP must appear in at least one of these registers. If you can't find it, it doesn't hold a licence. If an app asks you for your online banking password instead of redirecting you to your bank's own login surface, it isn't using PSD2 — it's screen-scraping, which has been banned across the EU since 14 September 2019.

What PSD2 actually guarantees you

PSD2 is not only a regulation aimed at banks and fintechs — it also defines concrete consumer rights. Five of them are worth internalising, because they directly shape every interaction you have with any open-banking app.

1. Strong Customer Authentication (SCA) — at least two factors

SCA is defined in PSD2 Article 97 and detailed in the RTS 2018/389. It requires every authentication to combine at least two of three independent factor categories: knowledge (PIN, password), possession (phone with a banking app, hardware token) and inherence (fingerprint, FaceID). Crucially, when you log in via an AISP, the SCA happens on the bank's own surface — the third-party app never handles the credentials.

2. Maximum 180-day consent, refreshed every 90 days

PSD2 Article 67(2) caps a single AISP consent at 180 days. Separately, RTS Article 10 requires SCA to be refreshed at least every 90 days if you are not actively interacting with the third-party app. This is the source of the recurring 'reconnect your bank' prompt — not a bug, a regulatory requirement.

3. The right to revoke consent at any time

You can revoke an AISP's access either in the app itself or directly inside your bank's online banking (usually a section called 'Third-party providers' or 'PSD2 access', name varies by bank). Revocation is immediate — the bank must block further API calls from that AISP regardless of whether the third party has yet refreshed its own token store.

4. The screen-scraping ban

Before PSD2, many account aggregators worked via screen-scraping — the user would hand over their online-banking username and password, and the app would log in 'as them' to the bank's website to pull data. Article 32 of the RTS 2018/389 bans this. Today, if an app asks you for your banking password, it is not PSD2-compliant. End of discussion.

5. No bank fees for using AISP services

PSD2 Article 67(4) prohibits a bank from charging the consumer for using an AISP. The bank also cannot block or throttle a licensed AISP's API access compared to its own interfaces (RTS Article 32(3)). What the AISP itself charges its end users — subscription, freemium, etc. — is purely a matter of its own business model.
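As an added illustration (not Martia's, GoCardless's or any bank's code), the consent rules from points 2 and 3 above and the 90-day history window from the implementation section, modelled as the checks a bank-side authorisation layer would run before serving an AISP call. The constants, the `Consent` record, the dates and the transactions are constructed assumptions about how such a layer might encode the rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Limits as the article states them (assumed encoding, not a real bank's code).
CONSENT_MAX_DAYS = 180    # PSD2 Art. 67(2): a single AISP consent lasts at most 180 days
SCA_REFRESH_DAYS = 90     # RTS 2018/389 Art. 10: fresh SCA at least every 90 days
HISTORY_WINDOW_DAYS = 90  # RTS Art. 10: history served by default reaches 90 days back


@dataclass
class Consent:
    """What the bank records when the PSU approves an AISP on the bank's own surface."""
    scopes: frozenset        # e.g. {"balances", "transactions"}; AIS never includes "payments"
    granted_on: date         # day the consent was given
    sca_confirmed_on: date   # last day the PSU passed SCA at the bank for this consent
    revoked: bool = False    # set the moment the PSU revokes, in the app or in online banking


def consent_status(c: Consent, today: date) -> str:
    """Classify a consent the way the bank must before serving an AISP call."""
    if c.revoked:
        return "revoked"       # blocked immediately, whatever the AISP's token store says
    if today > c.granted_on + timedelta(days=CONSENT_MAX_DAYS):
        return "expired"       # 180-day cap reached: a brand-new consent is needed
    if today > c.sca_confirmed_on + timedelta(days=SCA_REFRESH_DAYS):
        return "sca_required"  # the recurring 'reconnect your bank' prompt
    return "active"


def authorise(c: Consent, today: date, action: str) -> bool:
    """True only if the consent is live and actually covers the requested action."""
    if action == "payments":
        return False           # an AIS consent can never authorise payment initiation
    return consent_status(c, today) == "active" and action in c.scopes


def visible_history(transactions: list, today: date) -> list:
    """Keep only transactions booked inside the default 90-day window."""
    cutoff = today - timedelta(days=HISTORY_WINDOW_DAYS)
    return [t for t in transactions if t["booked"] >= cutoff]


# Constructed sample data: one consent approved on 10 Jan 2026 and three bookings.
SAMPLE_CONSENT = Consent(
    scopes=frozenset({"balances", "transactions"}),
    granted_on=date(2026, 1, 10),
    sca_confirmed_on=date(2026, 1, 10),
)
SAMPLE_TRANSACTIONS = [
    {"booked": date(2025, 11, 15), "amount": "-42.00", "counterparty": "Grocer"},
    {"booked": date(2025, 12, 1), "amount": "-9.99", "counterparty": "Streaming"},
    {"booked": date(2026, 2, 20), "amount": "1500.00", "counterparty": "Employer"},
]

if __name__ == "__main__":
    for day in (date(2026, 3, 1), date(2026, 4, 15), date(2026, 7, 15)):
        print(day, consent_status(SAMPLE_CONSENT, day))
    print(len(visible_history(SAMPLE_TRANSACTIONS, date(2026, 3, 1))), "transactions visible")
```

Run stand-alone it prints "active", then "sca_required" (day 95 after the last SCA), then "expired" (past day 180), and 2 of the 3 bookings as visible on 1 March 2026.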

PSD3 and PSR — what changes from 2026 onward

PSD3 (Payment Services Directive 3) and the parallel PSR (Payment Services Regulation) are the European Commission's proposed successor framework, published in June 2023. As of May 2026, trilogue negotiations between the Commission, Parliament and Council are in their final stages — with realistic national implementation expected through 2026-2027.

The end of 90-day re-authentication

The most visible user-facing change: PSD3 removes the requirement to perform a fresh SCA at the bank every 90 days. Confirming the ongoing consent inside the AISP itself (a tap on a notification, a quick confirmation in the app) will be enough. Banks will keep the right to force re-authentication if they detect suspicious activity — but the default cadence becomes a single consent that lasts for years.

Enforceable SLAs on bank APIs

PSD2 made bank APIs mandatory but the quality was wildly uneven — timeouts, missing data, capricious authorisation errors. PSR introduces concrete, enforceable service-level requirements for bank APIs, with financial penalties for non-compliance. Net effect for users: fewer broken connections and dropped syncs.

Better protection against authorised push payment fraud

PSR introduces a mandatory IBAN-check: the recipient's bank confirms whether the account holder name actually matches the entered IBAN. If they diverge, you get a warning before confirming the transfer. This directly targets fast-growing 'wrong recipient' and fake-invoice scams. The UK's equivalent mechanism (Confirmation of Payee) has reportedly cut that fraud category by tens of percent.

What PSD3 does NOT change

PSD3 is an evolution, not a rewrite. The three roles (ASPSP/AISP/PISP), authorisation via national competent authorities, the SCA requirement, the screen-scraping ban, the no-AIS-fees rule — all stay. What changes is mostly operational: the 90-day rule, the SLAs, the IBAN-check, and stricter obligations for higher-risk services (e.g. crypto-on-ramp).

What about the UK after Brexit

The UK transposed PSD2 into the Payment Services Regulations 2017 (PSRs 2017), which still apply post-Brexit. UK open banking is also enforced through the Open Banking Implementation Entity (OBIE) framework, mandated originally by the Competition and Markets Authority (CMA) — that is the regime behind the OBIE Open Banking Standard, which is widely seen as the most mature implementation of open banking in Europe.

What changed post-Brexit is the licensing geography. EU AISPs and PISPs no longer have automatic UK rights via passporting, and UK-authorised providers cannot freely passport into the EU. Cross-border providers (TrueLayer, Yapily, Plaid) have responded by holding parallel authorisations — typically one with the FCA in the UK and another with a national competent authority inside the EU (Lithuania, Ireland or the Netherlands are popular choices for the EU vehicle).

How Martia uses PSD2

Martia is an AISP-based app — I only read account data, I never initiate payments, and I have no technical capability to move money. The underlying licensed infrastructure provider is GoCardless (authorised by the Central Bank of Ireland, passported across the EU and listed in the EBA Register).

What the bank-connect flow actually looks like

You tap 'Connect bank' → choose your institution → I redirect you to your bank's own page or app → you sign in there and confirm SCA (SMS code, push notification, FaceID — depending on your bank) → the bank issues a scoped token (read-only access to balances and history up to 90 days back) → the token comes back to Martia. I never see your banking credentials — it is not technically possible, because you enter them on the bank's surface, not on mine. A step-by-step walkthrough lives in How to connect your bank account to a budget app — step by step.

What I read, what I don't read

I read: balances, transaction list (date, amount, description, counterparty), account number, currency, bank name.
I do not read: passwords, PINs, login credentials, card limits, history older than 90 days (PSD2 RTS Article 10), credit history from any bureau, anyone else's data.
I do not do: transfers, limit changes, account opening, account closing — no active operations of any kind.

More on the safety mechanics and how PSD2 differs from pre-2019 aggregators is in Bank account sync with an app — how it works and is it safe. For a wider survey of PSD2-based apps across the EU and UK, see Open banking and European banks — coverage in 2026.

A fully PSD2-compliant AISP app — no passwords, full consent control

Sign-in always happens on your bank's surface. Consent can be revoked in a single tap, inside Martia or inside your online banking. I only read what's needed to surface your finances and I never perform any operation on your behalf.


Frequently asked questions about PSD2

Does a PSD2 app see my online banking password?

No. Article 32 of the RTS 2018/389 bans screen-scraping. You log in on your bank's own page or app, confirm with SCA, and the bank issues a scoped token to the AISP. The app never sees, stores or transmits your banking credentials.

Can I revoke access at any time?

Yes. Revoke it in the app itself or directly in your online banking (under 'Third-party providers' or 'PSD2 access'). The bank must block further API calls from that AISP immediately, even if the app hasn't refreshed its token store yet.

Why must I re-authenticate every 90 days?

Because RTS 2018/389, Article 10(1), requires a fresh SCA at least every 90 days for AIS access that happens without an active user interaction. It's a deliberate reminder that a third party still has access to your data. The upcoming PSD3 (expected 2026-2027) removes this requirement.

How do I check whether an app actually holds an AISP licence?

Search the EBA Register at euclid.eba.europa.eu/register, or the national competent authority's public register (BaFin, ACPR, FCA, Bank of Lithuania, etc.). Every AISP must appear in at least one of them. No entry = no licence = no legal right to act as an AISP.

What happens to my account if the PSD2 app goes bust?

Nothing. An AISP holds no money — it only reads data. Your bank remains the sole custodian of your funds. If the app shuts down, you lose its categorisation and analytics, but the underlying transactions are still in the bank. AISPs are not covered by any deposit guarantee scheme (FSCS, ECDGS, etc.) because they have no deposits to guarantee.

Who are ASPSPs, AISPs and PISPs?

ASPSP — the bank that holds your account and exposes the API. AISP — a licensed third party that only reads account data (Martia is one, via GoCardless). PISP — a licensed third party that can initiate a payment on your behalf (used by 'pay-by-bank' flows at checkout). Each role is governed by separate PSD2 articles and a separate licensing category.

What is PSD3 and when does it apply?

PSD3 and PSR are the European Commission's proposed successor framework — published in June 2023, in final trilogue stages in 2026. Highlights: removal of the 90-day re-authentication rule, enforceable SLAs for bank APIs, mandatory IBAN-check to combat APP fraud, and clearer consumer rights. Realistic national implementation: 2026-2027.

Does PSD2 still apply in the UK after Brexit?

Yes — under the UK Payment Services Regulations 2017, plus the OBIE Open Banking Standard. Licensing is now domestic: EU AISPs need a UK FCA authorisation to serve UK accounts, and vice versa. EU passporting no longer applies.

Sources and legal references

  • European Parliament and Council, 2015, Directive (EU) 2015/2366 on payment services in the internal market (PSD2), EUR-Lex.
  • European Commission, 2018, Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and Common and Secure Communication), EUR-Lex.
  • European Banking Authority, EBA Register of Payment and E-money Institutions, euclid.eba.europa.eu/register.
  • European Commission, June 2023, proposal for Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR), finance.ec.europa.eu.
  • UK government, 2017, The Payment Services Regulations 2017, legislation.gov.uk.
  • Open Banking Implementation Entity (OBIE), UK standard, openbanking.org.uk.
  • Berlin Group, NextGenPSD2 technical standard, berlin-group.org.
