What Is Open Banking? PSD2, AIS, PIS, CoF and Is It Safe
A complete explainer of the PSD2 directive, the three regulated services (AIS, PIS, CoF), TPP licensing, Strong Customer Authentication, and supported banks across Europe and the UK.
Open banking is a regulated framework under the European Union's PSD2 directive (Directive (EU) 2015/2366) and the UK's Open Banking standard. It requires banks to share account information and accept payment instructions from licensed third-party providers (TPPs), but only with the customer's explicit consent and only within the scope of that consent. PSD2 has been in force across the EU and EEA since January 2018; the regulatory technical standards (RTS), including the mandatory Strong Customer Authentication (SCA), have applied since 14 September 2019. Oversight is split between the European Banking Authority (EBA) at EU level and national regulators — the FCA in the UK, BaFin in Germany, ACPR in France, KNF in Poland, DNB in the Netherlands.
Key takeaways
- Open banking is regulated by PSD2 in the EU (in force since January 2018; SCA mandatory from 14 September 2019) and by the Open Banking standard in the UK
- PSD2 regulates three services: AIS, PIS, CoF — each with its own licence and its own consent
- Oversight is shared between the European Banking Authority (EBA) and national regulators (FCA, BaFin, ACPR, KNF, DNB, and others)
- AISP apps have read-only access only — they never see your password and cannot move money
- 500+ licensed TPPs operate across the EEA, with 2,500+ banks reachable through aggregators like GoCardless, Tink (Visa), Salt Edge and Plaid
What is open banking?
Open banking is a regulatory and technical framework that lets you, as a bank customer, authorise a licensed third-party provider (TPP) to access your account data or initiate payments on your behalf — through secure APIs, with read-only access by default. In the EU and EEA it exists because of the PSD2 directive; in the UK it is built on top of the Open Banking standard managed by the Open Banking Implementation Entity (OBIE), supervised by the FCA.
Before open banking, the only way to connect an app to your bank account was screen scraping: you gave your full login credentials to a third-party company that logged in as you. It had complete access and could theoretically make transfers. There was no regulation, no oversight, no limits.
Open banking replaces that model entirely. Your bank shares data through a secure API with built-in constraints. The legal source is Directive (EU) 2015/2366; the technical standards are set by the EBA in Commission Delegated Regulation (EU) 2018/389 (the RTS).
A reading room, not a vault
Think of open banking as a reading room pass to a library. The app can browse — but it cannot take any books home. And the librarian (your bank) can revoke the pass at any moment. Every consent is digitally verifiable, time-limited to 90 days, and revocable instantly.
AIS, PIS, CoF — the three regulated services
PSD2 carves out three distinct services that third parties can offer with bank-account access. Each requires a separate licence from a national regulator and a separate consent from the customer.
AIS — Account Information Service
AIS (Account Information Service) lets a licensed app read your account balances and transaction history, with your explicit consent and in read-only mode only. The provider is an AISP (Account Information Service Provider). Typical use cases: account aggregators (like Martia), budgeting apps, credit scoring, income verification for lenders. AIS consent expires after 90 days and must be renewed (RTS Article 10).
PIS — Payment Initiation Service
PIS (Payment Initiation Service) lets a third-party app initiate a payment from your bank account. Every single transaction requires your explicit authorisation and Strong Customer Authentication (SCA) at your bank. The provider is a PISP (Payment Initiation Service Provider). PIS is increasingly used as a lower-cost alternative to card payments in e-commerce checkouts because it bypasses card networks and interchange fees.
CoF — Confirmation of Funds
CoF (Confirmation of Funds) lets a card issuer ask your bank whether sufficient funds are available to cover a transaction. The bank replies only “yes” or “no” — it does not disclose your balance, history, or any other data. The provider is a PIISP (Payment Instrument Issuer Service Provider). CoF is the least known of the three services but underpins many fintech debit-card models, where the card is issued by one entity and the funds sit with another bank.
These three services are the entire scope of open-banking access under PSD2. Anything an app can do with your account through PSD2 falls into one of these categories. A budgeting app like Martia uses AIS only — transaction read.
The most common misconception
Myth: “An app connected through open banking can transfer money out of my account.”
Reality: Only if it holds a PISP licence and you authorise that specific transaction with SCA at your bank. AISP-only apps — which is most account aggregators and budgeting apps — have read-only access. They have no technical ability to move money.
TPPs — who is allowed to access your data
TPP (Third Party Provider) is the umbrella term for licensed third-party providers that PSD2 gives the right to access bank-account data. PSD2 distinguishes three categories of TPP — matching the three services above:
- AISP (Account Information Service Provider) — read-only access to account information.
- PISP (Payment Initiation Service Provider) — initiates payments with per-transaction SCA.
- PIISP (Payment Instrument Issuer Service Provider) — provides Confirmation of Funds (CoF). Receives only a yes/no answer, no balance.
How a TPP becomes licensed
TPP licences are granted by national regulators: the Financial Conduct Authority (FCA) in the UK, BaFin in Germany, ACPR in France, KNF in Poland, DNB in the Netherlands, Bank of Italy in Italy. A TPP licensed in any EU member state can operate across the entire EEA under the European passporting regime, subject to notification to the host country's regulator. The central, EU-wide register is maintained by the EBA:
EBA Register of authorised payment institutions — searchable list of every TPP authorised in the EEA. As of 2024, over 500 licensed providers were registered there.
How Martia connects to banks
Martia operates as an AISP — read-only access only. Technically, we connect to banks through GoCardless Bank Account Data, a UK-FCA-authorised AISP passporting into the EU under PSD2. That means Martia never initiates payments and has no technical ability to do so — reading transactions is all it can do.
How open banking works in practice
The open banking framework rests on three pillars: the legal mandate (PSD2 in the EU, the CMA Order in the UK), the technical standards (bank APIs implementing the EBA RTS or the UK Open Banking standard), and the licensed TPPs that build on top.
PSD2 — the law that opened the banks
PSD2 (Payment Services Directive 2) is Directive (EU) 2015/2366, adopted on 25 November 2015 and in force across the EU and EEA since January 2018. It mandates that every bank provide secure APIs for licensed TPPs to access customer data — with the customer's explicit consent. The directive also introduced Strong Customer Authentication (SCA), requiring at least two verification factors for every electronic payment.
How each country implemented it
Different countries implemented PSD2 differently. The UK mandated the nine largest banks (CMA9) to adopt a common API standard from day one. Poland created PolishAPI — a unified standard covering 20 commercial banks through a central hub operated by KIR (the national clearing house). Germany uses Berlin Group's NextGenPSD2 standard. Most other countries left implementation to individual banks, with aggregators like GoCardless, Tink (Visa), Salt Edge, and Plaid bridging the gaps.
The connection flow — step by step
1. You open the app (e.g. Martia) and select your bank.
2. The app redirects you to your bank's official login page — through a secure API.
3. You log in with your credentials. You're giving them to your bank, not the app. SCA requires a second factor — phone code, biometrics, hardware token.
4. Your bank issues a time-limited (90 days), read-only authorisation token (AIS consent).
5. The app receives transaction and balance data. Nothing else.
Open banking across Europe
Sources: EBA TPP Register, Kontomatik — Open Banking Statistics 2025
Which European banks support open banking?
Every bank operating in the EU, EEA, and UK is legally required to provide open banking APIs — it is a regulatory mandate, not an opt-in. In practice, if you have an account at any licensed European bank, you can connect it to a budgeting app.
| Bank | Markets | Available in Martia |
|---|---|---|
| ING | NL, DE, ES, PL, BE, + others | Yes |
| Santander | ES, UK, DE, PL, PT | Yes |
| BNP Paribas | FR, BE, IT, PL, LU | Yes |
| HSBC | UK, FR, DE | Yes |
| N26 | DE, AT, FR, ES, IT, + others | Yes |
| Revolut | EU-wide, UK | Yes |
| Monzo | UK | Yes |
| Wise | EU-wide, UK | Yes |
| Deutsche Bank | DE, IT, ES, UK | Yes |
| Commerzbank | DE | Yes |
Through aggregators like GoCardless (which Martia uses), a single integration gives access to 2,500+ banks across Europe. So whether you have a current account with HSBC, a savings account with N26, and a Revolut card — you can see them all in one place. See our guide on syncing your bank account with an app for the cross-country setup.
Is open banking safe? SCA, oversight, and licensing
Open banking safety rests on three pillars: Strong Customer Authentication (SCA), regulatory oversight and mandatory licensing, and technical scope limits on consent.
Strong Customer Authentication (SCA)
PSD2 requires that for every electronic payment (and every consent to AIS / PIS), your bank verifies your identity using at least two of three independent factors:
- Knowledge — something you know (password, PIN);
- Possession — something you have (phone, hardware token);
- Inherence — something you are (fingerprint, facial recognition, voice).
The technical requirements for SCA are set in Commission Delegated Regulation (EU) 2018/389 (the RTS), drafted by the EBA. It is the same mechanism you already use when logging into your mobile banking app.
Regulatory oversight and licensing
Every company accessing your bank data through open banking must hold a licence from a national regulator — the FCA in the UK, BaFin in Germany, ACPR in France, KNF in Poland, DNB in the Netherlands, Bank of Italy in Italy. This licence is not easy to obtain and comes with ongoing compliance requirements. Over 500 licensed TPPs operate across the EEA (EBA Register, 2024), each subject to regulatory scrutiny.
Read-only by design
A budgeting app like Martia uses an AISP licence. That means one thing: it can look, but it cannot touch. It sees your transactions and balances. It cannot initiate a payment, change a standing order, or even update your email address. The authorisation token issued by your bank is digitally restricted to the scope of AIS consent and expires after 90 days.
Myth vs. reality
Myth: “If I connect my account to an app, someone could steal my money.”
Reality: An AISP-licensed app has no technical ability to execute transactions. The authorisation token is restricted to read-only access, and every connection is supervised by both the bank and the national regulator. You can revoke consent at any time, directly in the app or through your bank's online banking.
Open banking vs. screen scraping
| Feature | Open Banking (PSD2) | Screen Scraping (old method) |
|---|---|---|
| Your password | Given to your bank, not the app | Given to the third party |
| Access scope | Read-only (AISP) | Full account access |
| Legal framework | PSD2, supervised by regulators | No regulation |
| Revoking access | Instant, digital | Change your password |
| Verdict | Secure, regulated | Risky, outdated |
Don't want to share your password with anyone? You don't have to.
Martia uses PSD2 (AIS service, AISP provider: GoCardless). You log in through your bank's own page. Martia never sees your credentials. Connecting takes 2 minutes.
What PSD2 changes for the everyday user
Most people associate PSD2 with open banking and budgeting apps. But the directive also introduced several concrete consumer protections that apply whether or not you ever use a TPP.
- Lower liability for unauthorised transactions. The limit on customer liability for unauthorised payments before notification was lowered from 150 EUR to 50 EUR.
- Faster complaint resolution. Banks must respond to payment-related complaints within 15 business days (down from a typical 30 calendar days), extendable to 35 in complex cases with a written explanation.
- Mandatory SCA for electronic payments. Every electronic payment above 30 EUR requires Strong Customer Authentication. Exceptions: low value, recurring transactions (subscriptions), and Merchant Initiated Transactions (MIT).
- Surcharging ban. Merchants in the EEA may not add surcharges to consumer debit or credit card payments.
- Account aggregation rights. You can connect your accounts at multiple banks to a single app (like Martia) and see all your transactions in one place — without sharing passwords.
- PIS as a card alternative. Merchants can offer account-to-account payments initiated by a PISP — typically faster and cheaper than cards because they bypass interchange fees.
The Martia One-Connection Method
Instead of logging into every banking app daily, connect all your accounts once — and check your finances in one place. Your full financial picture in 3 seconds instead of 3 minutes. This is not a time-saving hack — it's removing the barrier that stops most people from checking their finances at all.
How to connect your bank account via open banking
Connecting your bank account through open banking takes 2–3 minutes — less time than signing up for most websites.
Select your bank in the app
In Martia, pick your bank from the list. All major European and UK banks are supported through GoCardless, covering 2,500+ institutions.
Log in on your bank's official page
You are redirected to your bank's official login page. Your credentials go to your bank — Martia does not see them. SCA requires a second factor: SMS code, biometrics, or your banking app.
Approve AIS consent (read-only access)
Your bank asks if you consent to sharing transaction and balance data (AIS consent). Approve it — and from that moment, everything syncs automatically for 90 days.
That's it. No forms, no document scanning, no waiting for verification. The entire process happens in real time — because your bank is confirming your identity via SCA, not the app. For a detailed walkthrough with screenshots and security FAQs, see our step-by-step guide.
Adam, założyciel Martia
From the founder
I built Martia because I had 6 bank accounts and zero oversight. I would log into each one separately, manually add up balances in a spreadsheet, forget about subscriptions I was still paying for. Open banking changed that — but I had to build an app first to make use of it. Because the mechanism alone does nothing. It is what you do with it that matters.
3 accounts? 1 screen. 2 minutes to connect.
Connect all your bank accounts to Martia through PSD2. Secure, automatic, without sharing your password with anyone.
PSD3 and FIDA — what comes next
Open banking is not the end of the road. The EU is preparing two major regulatory updates that will significantly expand the scope of open financial data.
PSD3 and PSR — new rules, same direction
In November 2025, the European Parliament and Council reached a provisional political agreement on PSD3 and its companion regulation, PSR (Payment Services Regulation). The key change: the rules move from a directive (each country implements its own version) to a regulation (directly applicable across all EU member states). This means no more differences between how Germany, France, or Spain interpret the rules.
What changes in practice? Banks will have to provide APIs that match the performance of their own channels. Users will get a consent dashboard — one place to see which apps have access to their data. And victims of APP fraud (Authorised Push Payment scams) will get full refund protection. Publication in the EU Official Journal is expected in 2026, with implementation 18 months later.
FIDA — from open banking to open finance
Even more ambitious is FIDA (Financial Data Access Regulation) — a European Commission proposal under negotiation since 2025. FIDA extends the principle of open data to insurance policies, investment portfolios, pension accounts, and credit products. Imagine seeing not just your bank accounts, but also your pension fund balance, insurance policies, and investment portfolio in a single app. Adoption of FIDA is expected in the first half of 2026, with a 30–32 month adjustment period. Realistically, full open finance in Europe is a 2028–2029 prospect.
Frequently asked questions about open banking
What is open banking?
Open banking is a regulated framework under the EU's PSD2 directive (Directive (EU) 2015/2366) and the UK's Open Banking standard. It requires banks to share account information and accept payment instructions from licensed third-party providers (TPPs), but only with the customer's explicit consent. PSD2 has been in force across the EU and EEA since January 2018; the regulatory technical standards, including SCA, have applied since 14 September 2019.
Is open banking safe?
Yes. Open banking sits on three layers of safety: legal regulation (PSD2 and national transpositions), regulator oversight (FCA, BaFin, ACPR, KNF, DNB, and others), and Strong Customer Authentication. AISP-licensed apps have read-only access and never see your password. You log in through your bank's official page and can revoke consent at any time.
Can an app make payments from my account?
Not if it uses an AISP licence — AISP is read-only. To initiate payments, a company needs a separate PISP licence, and every single transaction requires your explicit authorisation and SCA at your bank. Martia uses GoCardless as an AISP, so it has read-only access only.
Who regulates open banking in Europe?
At the EU level, the European Banking Authority (EBA) sets the regulatory technical standards and maintains the central register of authorised TPPs. At the national level, each member state has its own regulator: FCA in the UK, BaFin in Germany, ACPR in France, KNF in Poland, DNB in the Netherlands, Bank of Italy in Italy. In the UK, the Open Banking Implementation Entity (OBIE) operates the technical standard for the CMA9 banks.
Which banks support open banking?
All banks operating in the EU, EEA, and UK are legally required to support open banking APIs — it is not optional. This includes traditional banks (ING, Santander, BNP Paribas, HSBC, Deutsche Bank, Commerzbank), digital banks (N26, Revolut, Monzo, Wise, Bunq), and licensed challengers. Through aggregators like GoCardless, Tink (Visa), Salt Edge, and Plaid, a single integration gives apps access to 2,500+ European banks.
What changes for a normal user under PSD2?
PSD2 introduced several consumer protections: liability for unauthorised transactions before notification capped at 50 EUR (down from 150 EUR); banks must respond to payment-related complaints within 15 business days; Strong Customer Authentication is mandatory for electronic payments above 30 EUR; merchant surcharging on consumer cards is prohibited; and banks cannot block licensed TPPs from accessing customer accounts with consent.
How do I revoke an app's access to my account?
You can revoke access at any time — directly in the app or through your bank's online banking. Once consent is withdrawn, the app immediately loses access. PSD2 consent also automatically expires after 90 days and must be renewed; this is a regulatory requirement under the RTS, not a decision the app makes.
What is PSD2?
PSD2 (Payment Services Directive 2) is EU Directive (EU) 2015/2366, adopted on 25 November 2015 and in force since January 2018. It requires banks to share account data with licensed third-party providers at the customer's request, introduces Strong Customer Authentication, regulates payment service providers, and protects consumers. PSD3 and the Payment Services Regulation (PSR) are set to update and replace it around 2027–2028.
Martia — the AI you talk to about your money
Ask in plain language — "how much did I spend on food in March?" or "where am I overpaying the most?" — and get an answer from your real transactions. No spreadsheets, no manual input.
Sources, regulations and references
- European Parliament and Council, 2015, Directive (EU) 2015/2366 on payment services (PSD2) — EUR-Lex
- European Commission, 2018, Commission Delegated Regulation (EU) 2018/389 — Regulatory Technical Standards on SCA — EUR-Lex
- European Banking Authority (EBA), central TPP register — euclid.eba.europa.eu
- Financial Conduct Authority (FCA, UK) — open banking and PSD2 guidance — fca.org.uk
- BaFin (Germany) — payment services and PSD2 — bafin.de
- Open Banking Implementation Entity (OBIE, UK), adoption data — openbanking.org.uk
- Kontomatik, 2025, “Open Banking Statistics Across Europe” — kontomatik.com
- Norton Rose Fulbright, 2026, “PSD3 and PSR — from provisional agreement to 2026 readiness” — nortonrosefulbright.com
- European Commission, 2023, FIDA (Financial Data Access Regulation) proposal — financial-data-access.com
- Juniper Research, 2024, “Open Banking: Key Opportunities, Regional Analysis & Market Forecasts 2024–2028”
Read more
Open Banking European Banks — Which Banks Support PSD2 →
Detailed list of European and UK banks with AIS and PIS coverage, plus API quality notes.
Bank Account Sync with an App →
How transaction syncing through open banking works and what you can do with it.
How to Connect Your Bank Account to a Budget App →
Step-by-step guide to connecting your account through PSD2 to Martia.
Automatic Expense Categorisation →
How AI categorises transactions from connected accounts and why it changes budgeting.