Bank AI

If you've heard the acronym 'PSD2' on a finance podcast and quietly wondered what it actually means, you are not alone. PSD2 is the European Union directive that turned open banking from a fintech experiment into a regulated framework. It is the reason your bank account can be read by a licensed app you trust, and the reason no app can do that without your consent. Here is what it is, what it does, and what is changing in 2026 and 2027.

What PSD2 is

PSD2 stands for the Second Payment Services Directive. It is an EU-level directive (Directive 2015/2366) that came into force in January 2018 and was transposed into the national law of every EU member state, plus the UK (which transposed it before Brexit and has retained the substance under the Electronic Money Regulations and the Payment Services Regulations 2017).

The directive does two things. First, it modernises the rules for retail payments - things like surcharging, dispute rights and strong customer authentication. Second - and this is the part that matters for open banking - it forces banks to expose your account data and payment-initiation capabilities to licensed third parties, with your consent, through standardised interfaces. Banks cannot block this and cannot charge for it.

Two licence types: AISP and PISP

Under PSD2, the right to access bank account data is gated by a regulator-issued licence. There are two licence types and most consumer apps hold one or both via a partner.

  • AISP - Account Information Service Provider. Read-only access to account data with the user's explicit consent. Bank AI uses an AISP partner (Powens) to surface your accounts and positions in one place.
  • PISP - Payment Initiation Service Provider. The right to initiate a payment from a user's account on the user's instruction. Useful for 'pay by bank' checkout flows; Bank AI does not hold a PISP licence and does not initiate payments.

Strong Customer Authentication

PSD2's other big idea is Strong Customer Authentication (SCA). For most online card payments above a low-value threshold, and for every initial open-banking consent, SCA must be done with at least two of three independent factors: something you know (a password or PIN), something you have (a phone or hardware key) or something you are (a biometric).

This is why every time you connect a bank to a new app you go through the bank's own authentication flow. It is also why renewing consent every 90 days requires you to re-authenticate. SCA was the most user-visible change PSD2 brought in. It is also the reason fraud rates on European card payments have measurably fallen since 2018.

What PSD2 covers - and what it does not

PSD2's scope is payment accounts. That means current accounts, joint accounts and most prepaid e-money accounts. It does not strictly cover pensions, brokerages, life-insurance wrappers or savings products.

In practice, large UK platforms (Hargreaves Lansdown, AJ Bell, Interactive Investor, Vanguard) and EU brokers (Trade Republic, Saxo, Boursorama, Linxea) have extended their open-banking surface to cover ISAs, SIPPs, PEAs, assurance-vie wrappers and Depots, even though PSD2 does not strictly require them to. Coverage of private-bank wrappers, trustee-held DC pensions and small specialist platforms remains thinner.

What is changing: PSD3 / PSR1

The European Commission published the draft PSD3 and Payment Services Regulation (PSR1) in June 2023. As of 2026 the package is moving through the legislative pipeline at the European Parliament and Council; final adoption is expected in 2026 with a transposition window into 2027.

Three changes are worth flagging. First, the scope is being widened: PSD3 explicitly extends open-banking access to investment, pension and savings products, closing today's coverage gaps. Second, AISPs and PISPs will be regulated under a single 'payment institution' framework with stricter capital and reporting requirements - which is healthy for end-users, less so for thinly capitalised aggregators. Third, the European Banking Authority gets a stronger central role in supervising cross-border AISP / PISP activity, replacing today's patchwork of national regulators.

What it means for you in 2026

If you are an EU or UK consumer using money apps, the practical effects of PSD2 in 2026 are: you can grant licensed apps read-only access to your bank accounts in minutes; that access expires every 90 days unless you renew it; the bank cannot charge you, slow you down or steer you to its own product; and apps that hold the data have to defend it under GDPR and the EBA's technical standards.

If you are a professional looking at the regulatory horizon: the directive is solid bedrock today, but PSD3 will widen coverage materially in 2026-2027. Plan platform decisions assuming wider open-banking access, not narrower. Bank AI's product roadmap is built on that assumption.

Frequently asked questions

Is PSD2 the same as open banking?

Open banking is the broader concept; PSD2 is the EU legal framework that codified it. The UK has its own Open Banking Implementation Entity (OBIE) standards, which sit on top of the same PSD2 obligations transposed under UK law. Outside Europe, similar frameworks are emerging (CDR in Australia, Open Banking Brazil) but PSD2 remains the model.

Does PSD2 still apply to the UK after Brexit?

Yes. PSD2 was transposed into UK law before Brexit through the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. The substance is retained, with the FCA as the lead regulator and OBIE setting the technical standards. Where the UK and EU regimes diverge in future is a live policy question, but as of 2026 they are functionally aligned.