
Non-financial firms turned PSD2 compliance gaps into business models by building solutions where regulation was unclear.
In the European Union, Open Banking is governed by PSD2, which requires banks to share customer data through APIs, digital interfaces that allow different systems to communicate. The goal is to democratize finance and create a more competitive market. In theory, any PayTech could obtain a license, gain legal access to those APIs, and build advanced financial services without becoming a bank. In practice, implementation varied significantly across EU member states. Some banks delayed or restricted access. Others imposed technical requirements so complex and costly that compliance became its own barrier. Even with the keys, the door did not always open.
Facing that friction, smaller players made a pragmatic calculation: getting licensed was not always worth it. Without the time, capital, or technical capacity to navigate the licensing process, many turned to Banking-as-a-Service (BaaS). These licensed platforms offered ready-made financial infrastructure and data access, allowing unlicensed firms to embed payments, accounts, or credit functions into their products under someone else’s license. These arrangements were not necessarily illegal, but they operated in a regulatory grey zone where questions of oversight and data responsibility rarely had clear answers. Around the same time, API aggregators gained traction, merging dozens of bank APIs into a single unified interface. For smaller firms, it was a shortcut to scale. It also introduced new dependencies that few regulators had anticipated.
Traditional banks noticed. Rather than resisting Open Banking, many chose to monetize it. Some launched premium APIs, charging for faster or richer data access and turning a regulatory obligation into a revenue stream. Others moved toward Banking-as-a-Platform (BaaP), integrating external fintech services directly into their own ecosystems. Instead of competing with investment apps or personal finance tools, they hosted them, keeping the customer relationship inside their own interface while quietly centralizing control.
This is the environment where embedded finance truly took off, not only as a product of innovation, but as a response to regulatory friction. Non-financial firms identified the gaps in PSD2 and built business models around them. The result was a market that grew not just within the boundaries of regulation, but in its blind spots. PSD3 and FIDA are now attempting to close those gaps, not to roll back what was built, but to ensure that data protection holds and that open access remains genuinely open, rather than a privilege of the most resourced players.