5-minute read

Non-financial firms turned PSD2 compliance gaps into business models by building solutions where regulation was unclear.

In the European Union, Open Banking is governed by PSD2, which requires banks to share customer data through APIs, digital interfaces that allow different systems to communicate. The goal is to democratize finance and create a more competitive market. To access user data, many PayTechs applied for a license that granted them legal access to these APIs. In theory, any PayTech could obtain a license and build advanced financial services without becoming a bank. However, in practice, implementation varied significantly across EU member states. Some banks delayed or limited access, while others imposed complex and costly technical procedures. It became increasingly clear: even with the keys, the door didn’t always open… it often stuck or only opened a little.

Facing these frictions, new market responses emerged. For many smaller players, the conclusion was simple: getting licensed wasn’t always worth it. Without the time, money, or technical capacity to navigate complex licensing requirements, they turned to Banking-as-a-Service (BaaS). These licensed platforms offered ready-made financial infrastructure and granted access to user data, allowing unlicensed firms to embed payments, accounts, or credit functions into their apps, often operating under the license of the BaaS provider. While not necessarily illegal, this model exists in a regulatory grey zone, raising questions about oversight and data responsibility. At the same time, API aggregators gained traction. These technical service providers merged dozens or even hundreds of bank APIs into a single, unified interface, giving small firms a shortcut to scale without building each connection manually, reducing costs, but also introducing new dependencies.

But the shadow market didn’t grow unnoticed. Traditional banks observed the market’s evolution and adjusted their strategies accordingly. Rather than opposing open banking, many sought to monetize and reclaim control within the new architecture. Some launched premium APIs, offering faster or more rich data access in exchange for fees, transforming a regulatory obligation into a new source of revenue. Others adopted a model known as Banking-as-a-Platform (BaaP), which differs from BaaS by integrating external fintech services into the bank’s own ecosystem. In this setup, banks host third-party tools such as investment apps or personal finance dashboards within their own interfaces, or incorporate fintech APIs into their internal operations. This approach enables banks to centralize the customer experience, retain control over user relationships, and strategically position themselves as platforms rather than just providers.

This is the landscape where embedded finance truly took off, not only as a product of innovation, but as a response to regulatory friction. Models like BaaS and API aggregators enabled even unlicensed companies to offer financial services without full regulatory oversight. Non-financial firms turned PSD2 compliance gaps into business models by building solutions where regulation was unclear. As a result, embedded finance didn’t grow only within the boundaries of regulation, but also in its blind spots. Now, with PSD3 and FIDA under negotiation, the European Commission is working to tighten definitions and close these grey zones, not to roll back innovation, but to ensure that customer data is protected and that access remains truly open for all players, not just the most powerful ones.