What Open Finance Is (and Isn’t)
Learning objectives
By the end of this module, you’ll be able to:
- Define open finance precisely, in one sentence.
- Distinguish it from open banking, embedded finance, and banking-as-a-service.
- Name the three forces that make 2026 the inflection year for the industry.
Watch · The opening
What open finance actually is
Open finance is the framework that lets your financial data — across banks, pensions, investments, insurance, and increasingly even tax records — move with your consent to whoever you authorise to receive it.
That is the entire concept. Everything else — the regulations, the APIs, the actors, the politics — is implementation.
It is not a product. Open finance is a regulatory framework plus a technical infrastructure. Not an app, not a company.
The catalyst is regulation, not technology. The technology to share data has existed for decades. What changed in 2018 is that European regulators forced banks to expose APIs.
What open finance is NOT
Not open banking
Open banking is a subset of open finance. Open banking covers payment accounts only — checking accounts, current accounts. Open finance covers everything financial: investments, mortgages, pensions, insurance. Mixing them up is the most common mistake in the industry.
Not embedded finance
Embedded finance is when a non-bank — Shopify, Uber, an airline — offers banking-like services through partnerships. Open finance is the infrastructure that makes embedded finance more powerful, but they are not the same thing.
Not banking-as-a-service
BaaS is the commercial layer where licensed banks rent out their permissions to fintechs. It is a B2B contract. Open finance is the regulatory layer where data flows by mandate, not by contract.
Open Banking, Open Finance and Embedded Finance are not a ladder. They are three distinct layers with different regulatory logics, different data models and different commercial propositions.
Open Banking is payment-account infrastructure. Open Finance is the portability of the entire financial life. Embedded Finance is the distribution of financial services through non-banks — and it can operate with or without Open Finance underneath.
Treating them as synonyms is what makes most industry conversations go in circles. Treating them as separate layers is what allows clean strategic decisions.
Why now · the three forces of 2026
Force 1 · The regulatory stack matured
PSD2 (2018) opened bank payment accounts. PSD3 + PSR (entering force in 2026) widen scope and tighten consent. FiDA (2026) extends the principle to all financial data. Three regulations, one direction.
Force 2 · The consent infrastructure scaled
Brazil reached 128 million active open finance consents by end of 2025. The UK passed seven million open banking payments per month. The market crossed the threshold where consumers expect data portability.
Force 3 · AI made the data productive
Until recently, raw bank data was hard to use without a team of analysts. Large language models can categorise, summarise, and surface patterns from financial data in seconds. The data was always there. AI made it valuable.
The first two forces are about supply (more regulation, more infrastructure). The third is about demand (AI made the data more valuable). When supply and demand both move at once, you get a market formation event. That is what 2026 is.
Lesson reflection
Pick one role in your work — a compliance officer, a product manager, a founder, a regulator. Which of the three forces (regulation, scale, AI) matters most to that role? Why?
What’s next
In the next module, we walk through the European regulatory stack in detail. PSD2 became PSD3 became FiDA. By the end you will know what each requires, who it applies to, and what it actually changes.
Module 2: Europe →Europe — The Regulatory Map
Learning objectives
- Read the European regulatory stack: PSD2, PSD3 + PSR, FiDA.
- Explain what each regulation actually requires (and what it deliberately does not).
- Identify the implementation gaps PSD2 left behind that PSD3 is designed to fix.
The European philosophy
Europe approaches open finance the way it approaches consumer protection: as a right, not a market opportunity. The premise is that your financial data is yours, and any regulated firm holding it is a custodian, not an owner. This is a moral position before it is a commercial one.
PSD2 · the foundation (2018)
What it did
The Second Payment Services Directive came into force in January 2018. Its core requirement: any bank holding payment accounts in the EU must expose those accounts via APIs to authorised third parties — with customer consent.
It created two new regulated roles: AISP (Account Information Service Provider, can read account data) and PISP (Payment Initiation Service Provider, can initiate payments). Both require licensing.
What it missed
- API quality. Banks complied with the letter but not the spirit. Latency, downtime, and undocumented errors plagued early TPPs.
- Liability ambiguity. When payments failed or breaches happened, no one knew who carried the loss.
- Fragmented consent UX. Each bank designed its own. Result: friction, drop-off, customer confusion.
- Limited scope. Investments, mortgages, insurance, pensions remained closed.
PSD3 + PSR · the upgrade (2026)
PSD3 paired with the Payment Services Regulation (PSR) is the European Commission’s response to PSD2’s gaps. It enters force across the EU through 2026.
- API performance standards. Banks must offer minimum uptime and response times. Regulators can sanction non-compliance.
- Clearer liability. When fraud occurs and the bank’s authentication has failed, liability moves toward the data custodian.
- Pan-European consent dashboards. One place where consumers see and revoke every active consent.
- Permission-free access. More obligations for banks to support open-banking APIs at no charge.
PSD3 is not a new system. It is PSD2 with the implementation problems fixed. If you have been waiting to enter the European open-banking market, 2026 is the year the rails actually work.
FiDA · the extension (2026)
The Financial Data Access Regulation (FiDA) is the European Commission’s expansion of the open-data principle from payment accounts to all financial data: savings, mortgages, consumer credit, investments, pensions, insurance.
Why it matters: PSD2 only opened payment accounts — about 20% of the average consumer’s financial life. FiDA opens the other 80%. This is where the strategic value moves.
- Aggregation. Consumers can finally see their full financial picture in a single app, with consent.
- Wealth and investments. Robo-advisors can build on data they previously had to manually request.
- Insurance. Insurers can offer dynamic pricing based on real income and asset data.
- Credit. Lenders can underwrite based on the consumer’s complete financial life.
Lesson reflection
If your firm operates in Europe, which regulation is most likely to affect your next 12 months: PSD3 (operational), FiDA (strategic), or both?
What’s next
Europe is the most mature regime, but not the only one. We cross the Atlantic. Brazil scaled an open-banking mandate faster than anyone. The US chose a different path — letting the market do the work.
Module 3: Americas →The Americas — Market vs Mandate
Four models of adoption — the mandate-vs-market dichotomy is not enough
The classical literature splits the world into two adoption models — regulator-driven (Europe, Latin America) and market-driven (United States). That binary is no longer sufficient in 2026. A serious comparative reading requires four archetypes, because the difference between them predicts speed of adoption, quality of the standard, and where commercial value accrues.
1 · Regulator-driven (compliance mandate)
The regulator orders, defines standards, sets deadlines. Banks implement out of obligation. APIs tend to meet the minimum. Time to market is slow but coverage is uniform. Canonical examples: the European Union with PSD2; Mexico with the Ley Fintech.
2 · Market-driven (commercial-first, regulation lags)
Private actors build the infrastructure first because consumer or business demand exists. Regulation arrives later to formalise what already exists. Use cases proliferate. The trade-off is fragmentation and dependency on a handful of dominant aggregators. Canonical example: the United States from 2010 to 2024 — and, after the October 2025 judicial suspension of CFPB Section 1033, arguably the United States again in 2026 by default.
3 · Hybrid (regulatory mandate plus market-grade incentives)
The most strategically sophisticated implementations combine the speed of mandate with the quality of market competition. Brazil is the canonical example: the Banco Central made the regulation binding while integrating Open Finance with the Pix instant payment system and the national fiscal identity (CPF). The result is an architecture more advanced than the European one, not a delayed copy of it. Australia’s Consumer Data Right — covering banking, energy and now telecom — sits in the same archetype.
4 · Public-utility (regulator-as-platform)
The regulator does not just write rules. It defines and operates the rails. India’s Account Aggregator framework, sitting on top of Aadhaar (identity) and UPI (payments) as part of India Stack, is the canonical example. The framework processes consent volumes that already dwarf the European Union, and it does so as a public good with private aggregators acting as licensed consent managers. This archetype is rare because it requires a regulator with technical capacity. Where it works, it bends the cost curve of the entire ecosystem.
Calling the United States ‘market-driven’ in 2026 is no longer accurate. Calling Brazil a ‘mandate’ country obscures the fact that Pix integration makes its architecture a category of its own. Treating India as an emerging market hides that it is the global volume leader in active consents.
Brazil · the most advanced operational implementation in the world
Brazil is not a follower of Europe. It is, in 2026, the most advanced operational Open Finance regime on the planet — ahead of Europe in scope, ahead of the United States in regulatory clarity, and uniquely integrated with adjacent national infrastructure. The Banco Central launched Open Banking Brasil in 2021 in four phases. By end of phase four, all regulated institutions were required to share data via standardised APIs. The regulator then progressed to Open Finance Brasil, expanding the perimeter to insurance, pensions and FX.
- Scale. More than 128 million active consents by end of 2025. The largest active user base in the world by absolute count outside India.
- Pix integration. Brazil’s instant payment rail is integrated natively. Most Open Finance consents settle on Pix in seconds. Europe has no equivalent.
- Civic-identity layer. Identity and tax data (CPF) flow through the same trust layer. Europe is still trying to design this through eIDAS 2.0.
- Already operating as Open Finance. The 2024 rebrand was not marketing. Insurance, pensions and FX are in scope, with crypto-asset data on the roadmap.
Mexico · the framework that took its time
Mexico’s Fintech Law (Ley Fintech) passed in 2018 with an open finance provision. But the secondary regulations — the rules that make it operational — took years. Implementation has been slower than Brazil’s. Aggregators like Belvo and Finerio built much of the practical infrastructure before formal regulation caught up.
Chile · entered mandatory phase 2026
Chile’s Fintech Law (December 2022) is more ambitious than Mexico’s. Mandatory data sharing entered force in April 2026, including pensions and insurance from day one — a leap that Europe is still working toward through FiDA.
Colombia · the interoperable hub
Colombia launched its framework in 2024 through the Superintendencia Financiera. The distinguishing feature: a centralised infrastructure layer (operated by ACH Colombia) that simplifies bank-to-TPP connections. Other LatAm countries are watching this approach as a potential model for smaller markets.
Argentina, Peru, Ecuador · emerging
Argentina is in early-stage discussion combining open banking with central bank digital currency planning. Peru has piloted limited initiatives. Ecuador has expressed intent through its national fintech association but lacks a binding regulatory timeline.
Latin America is not Brazil plus four other countries. It is a region with five-plus different regulatory paces, different institutional capacities, and different commercial incentives. Treating it as a single market is the most common mistake foreign operators make.
The United States · market-driven, regulator catching up
The US is structurally different. There is no federal open-banking mandate. Instead, an ecosystem of commercial aggregators — Plaid, Finicity (Mastercard), MX, Akoya — built bank-to-fintech connections starting in the early 2010s, often through screen scraping before banks offered APIs.
CFPB Section 1033 — the regulatory whiplash
In October 2024, the Consumer Financial Protection Bureau finalised the rule implementing Section 1033 of Dodd-Frank. The rule was framed as the US answer to PSD2 — granting consumers a right to their financial data and requiring banks to provide it via APIs without charge.
Then, in October 2025, a federal court suspended the rule following challenges from the banking industry. As of April 2026 it is in formal reconsideration. The US regulatory landscape has therefore moved from market-driven (2010–2024) to attempted regulator-driven (2024–2025) to a state of unsettled ambiguity (2026). This is the single most important factual update for any analyst working on Open Finance — and it breaks the assumption that Open Finance progresses linearly.
- Scenario A · reinstatement. If the rule is reinstated in modified form, expect the implementation timeline to extend well beyond the original 2030 horizon.
- Scenario B · rescission. If rescinded, the FDX standard (a private consortium) becomes the de facto US standard, with all the limitations of self-regulation.
- What did not change. Plaid, Finicity and MX continue to operate as the practical infrastructure. The market layer is what worked; the regulatory layer is what is contested.
The aggregator concentration problem
The pre-1033 market is dominated by a handful of aggregators. Plaid alone reportedly intermediates more than 75% of bank-to-fintech connections. Most US fintechs are exposed to one or two aggregators for their data flow. Section 1033 tries to address this indirectly by lowering barriers for new entrants — but the network effects are strong.
Why the US still has the largest commercial market
Despite the slowest regulation, the US has the largest open-finance market by revenue. Three reasons: the absolute size of the US financial sector dwarfs every other market; the deepest fintech ecosystem generates demand for data; and US consumers pay for financial services in ways European consumers do not (subscriptions, paid investment apps), creating revenue streams that subsidise the data infrastructure.
Lesson reflection
If you were advising a fintech entering the Americas region, which two countries would you prioritise? Would the answer change for a credit underwriter versus a personal finance app?
What’s next
Six minutes on the rest of the world. India built the rails as public infrastructure. Singapore curates. Australia includes energy and telecom. China doesn’t need open finance because Alipay and WeChat already are the ecosystem.
Module 4: Asia & Beyond →Asia & Beyond — Different Philosophies
India · the global volume leader, treated here as a central case
If you read only one country case in this course, read this one. India is the largest active Open Finance market in the world by volume of consents — by some estimates around six times the size of the European Union. It is also structurally distinct from every other regime described so far. Treating it as part of an “Asia & Beyond” appendix would misrepresent the global ecosystem.
The Account Aggregator framework
Launched by the Reserve Bank of India in 2021, the Account Aggregator (AA) framework is the public-utility model in its purest form. Licensed entities — themselves called Account Aggregators — act as pure consent managers. They hold consent artefacts and route encrypted data packets between data providers (banks, insurers, mutual funds) and data users (lenders, advisors, fintechs). Critically, AAs never decrypt or see the data. This separation of consent from data is unique in global Open Finance architecture and resolves a privacy problem that European and US frameworks still wrestle with.
Part of India Stack
The AA framework does not stand alone. It is one rail in India Stack — a digital public infrastructure that also includes Aadhaar (national digital identity, more than 1.3 billion enrolments) and UPI (the unified payments interface, processing more transactions monthly than Visa globally). Open Finance in India is therefore embedded in a wider citizen-data architecture, and that is what makes it a different kind of system from PSD2-derived regimes.
What it means strategically
- Volume leader. India processes more active financial consents than the European Union. By absolute volume, the centre of gravity of Open Finance has already shifted to Asia.
- Inclusion-driven use cases. Use cases at scale are concentrated in alternative credit underwriting for thin-file consumers and small businesses. The same data flows that Europe uses for budgeting apps, India uses to extend credit to first-time borrowers.
- Template for emerging markets. Several African and South Asian regulators are studying it explicitly, at lower cost than building bilateral integrations.
Singapore · the curated model
SGFinDex (2020) is not open-data in the European sense. It is a curated platform managed by the Monetary Authority of Singapore. Only approved institutions can connect. Trades scale for control.
Australia · the broadest legal framework
The Consumer Data Right (CDR), launched 2020, is the broadest open-data framework in the world. It does not stop at financial data. Same legal architecture, same consent infrastructure, applied across banking, energy, and telecommunications. Studied by the EU and Brazil as a possible future direction.
China · the closed-ecosystem alternative
China has no open-finance regulation in the European sense. It has something functionally similar that emerged commercially: the WeChat / Alipay duopoly. These platforms aggregate financial life into a single super-app. The data is open within the platform but closed to outsiders. Chinese consumers experience open-finance-like convenience without the consent infrastructure or interoperability.
The Chinese model is what some Western regulators worry about: a financial-data ecosystem that works for consumers but is captured by two private platforms. The mandate model in Europe and Latin America is in part a hedge against this outcome.
Africa, MENA and South-East Asia · the next 24 months
Three regions are building Open Finance frameworks in 2026 that will matter commercially within two to three years. Nigeria’s central bank issued its open-banking framework in 2023; South Africa is drafting. Saudi Arabia (under SAMA, 2022) and the UAE (the AlTareq framework, 2024) made Open Finance a Vision 2030 pillar, often drawing on UK implementation patterns. Indonesia, the Philippines and Vietnam are at earlier stages.
Each of these regions deserves more depth than this module can give. We treat them as a set here so the global mental map remains complete. The detailed analysis — country-by-country regulatory maturity, aggregator landscape, commercial opportunity windows — is the subject of Open Finance 201.
Lesson reflection
Of the four philosophies — public-good (India), curated (Singapore), cross-sector (Australia), closed-ecosystem (China) — which most resembles where your country is heading?
Module 5: The Plumbing →How It Actually Works — The Plumbing
The five actors
Every open-finance ecosystem, whatever the regime, has the same five actors. The names change. The functions don’t.
- The Consumer. You. The owner of the data. Authorise everything.
- The ASPSP (Account Servicing Payment Service Provider). Your bank, broker, insurer.
- The TPP (Third-Party Provider). The app or service that wants to use your data with your consent. Either AISP (read) or PISP (initiate payments).
- The Aggregator. Middleware connecting many TPPs to many ASPSPs. Two structurally different versions exist. The commercial aggregator (Plaid, Tink, Belvo, TrueLayer in the US, EU and Latin America) is a private company that sees the data, normalises it and sells access. The licensed aggregator (Account Aggregators in India, under RBI mandate) is a regulated entity that never sees the data — it only routes encrypted packets and holds the consent artefact. These are not the same business. They produce different risk profiles, different margins and different competitive dynamics.
- The Regulator. Sets rules, monitors compliance, approves licenses.
The data flow · five steps
- The TPP requests access. Packages a request: which data, why, for how long. Sent to the ASPSP via the regulated API.
- The bank shows the consent screen. Must show: who is asking, what they are asking for, how long, how to revoke.
- You authenticate (SCA). Strong Customer Authentication: two of three factors (know, have, are).
- A token is issued. Time-limited, scope-limited permission slip.
- Data flows on demand. The TPP calls the API repeatedly with the token until expiration or revocation.
SCA · why it matters
Strong Customer Authentication is more than 2FA. It is the legal mechanism that determines liability. If SCA was performed correctly and fraud occurs, the bank can argue the consumer authorised it. If SCA was bypassed or weak, the bank carries the loss. PSD3 introduces “low-friction SCA” for repeated, low-risk actions — keeping liability protection while reducing friction.
If you are building a TPP, treat the API as the unstable upstream system. Your engineering quality is the difference between consumers who renew consent and consumers who churn.
What’s next
The artefact you keep. A one-page matrix mapping the three layers (Open Banking, Open Finance, Embedded Finance) across the nine jurisdictions that move global volume. Print it. Pin it.
Module 6: The Matrix →The Layer × Jurisdiction × Maturity Matrix
Most cheat sheets in this market compare regulations. PSD3 versus 1033 versus Open Finance Brasil. That comparison is useful but secondary. The strategic question is almost never what does this regulation say — it is where, on what layer, and at what maturity is the ecosystem live. The matrix in this module is built around that question.
- Three layers map the framework from Module 1. Open Banking, Open Finance, Embedded Finance — they are not synonyms and they do not progress in the same order across countries.
- Nine jurisdictions. Six of these rarely appear together in a single comparative view. That absence is exactly the bias the course is correcting.
- Three maturity states. Operational at scale, regulated but not at scale, early-stage or absent. Finer gradations are noise at this resolution.
Preview
| Jurisdiction | Open Banking | Open Finance | Embedded Finance |
|---|---|---|---|
| United Kingdom | Operational (CMA9, OBL, VRP) | Scaling (Smart Data roadmap) | Mature commercial market |
| European Union | Operational (PSD2/PSD3) | Legislative (FiDA, 2026–2029) | Fragmented by member state |
| Brazil | Operational (Pix-integrated) | Operational (insurance, pensions, FX) | Scaling commercially |
| United States | Market-driven, regulation contested | Sectoral, no federal mandate | Most mature market globally |
| India | AA framework operational | Largest active consent volume worldwide | Embedded in India Stack flows |
| Australia | Operational (CDR banking) | Operational (CDR cross-sector) | Early-stage commercial |
| Singapore | Curated (SGFinDex) | Curated, public-private | Concentrated, hub-driven |
| South Korea | Operational (MyData) | Operational (MyData) | Scaling within MyData |
| Mexico | Regulated, slow rollout | Framework only, limited live | Aggregator-led (Belvo, Finerio) |
The downloadable PDF renders each cell with a colour state (solid navy, gold, light cream) and one source citation per data point.
Module 7: Who Wins, Who Loses →Who Wins, Who Loses
What follows is opinionated. Informed by four years of doctoral research, by the JRC working paper on PSD2 and investment dynamics, and by hundreds of conversations with regulators, banks, and fintechs. Not the only possible reading. The reading I will defend.
The six archetypes
1 · The Retreating Incumbent
Most large banks. Comply with regulation, expose APIs, meet the technical minimum. Don’t invest in turning the regulatory shift into a strategic opportunity. The bet: scale and trust will protect their margins. It will not. Open finance compresses the value of holding the account; value moves to whoever uses the data.
2 · The Reinventing Incumbent
A small minority of large banks. Use the regulatory shift to become both data-holder and data-user. Build their own aggregation layer, integrate competitor accounts into their own app, turn the customer relationship into a platform. BBVA is the most cited example. Reinventing incumbents may be the largest winners over a decade if execution holds.
3 · The Aggressive Aggregator
Plaid, Tink, Belvo, TrueLayer. Built the rails commercially before regulation made them free. Win on volume and developer experience near term. Structural risk: as regulation matures, the aggregation function commoditises. The smartest are moving up the stack — categorisation, payments, vertical solutions.
4 · The Infrastructure Player
Less visible, more durable. Token.io, Yapily. Provide white-labelled API infrastructure to banks that cannot or will not build their own. Win on stickiness; compete on price.
5 · The Regulator-as-Platform
India’s Sahamati and the Account Aggregator network. The regulator does not just write rules; it operates the rails. The dark-horse archetype. Rare, because most regulators lack technical capacity. Where it works, it dramatically lowers the cost of consent-based use cases. If India’s model spreads, this archetype becomes a major commercial influence.
6 · Big Tech
Apple, Google and Amazon are the actor that European and US regulators worry about most — and the actor most courses do not even mention. They do not need an Open Finance licence to win. They already control the point of experience: the wallet, the device, the super-app, the identity layer. Open Finance gives them access to data they could not previously obtain at scale, and they will use it not to build banking products but the layer above banking — the layer the consumer actually touches.
- Apple. Apple Pay processes more transactions per quarter than several mid-tier banks. Apple Wallet is becoming the default identity surface in three EU member states.
- Google. Google Pay sits on the most distributed mobile OS on earth. Their identity stack is what most fintech apps already authenticate against.
- Amazon. Amazon’s payment infrastructure is the back-end of an ecosystem that already embeds credit, insurance and FX inside a non-financial flow. The reference Embedded Finance operator.
The regulatory hedge against this is real but partial. eIDAS 2.0 in Europe tries to standardise digital identity precisely so no single platform monopolises the trust layer. The question for the next decade is whether public infrastructure can compete at the experience layer where Big Tech already wins.
There is one more not covered here: AI-native firms that treat Open Finance as raw material. They are the focus of Open Finance 201. The free course gives you the map. The paid course gives you the playbook.
Lesson reflection
Of the six archetypes, which most resembles your firm or the firms you advise? Which would you most want to be? What would have to change for the gap to close?
Module 8: Quiz & Certificate →What This Means for You
Implications by role
Monitor PSD3 (operational) and FiDA (strategic). PSD3 will create concrete obligations within 18 months. Build the inventory of where your firm sits on each.
The unit of competition changes from “who holds the account” to “who delivers the most useful experience over the data.” Audit your roadmap for any feature whose value depends on the consumer not having portability.
Open finance is a platform, not a feature. Build a product that would be impossible without open finance and that the consumer pays for.
Aggregator margins are compressing, infrastructure has stickiness, application-layer AI-native firms are early. Adjust your filter accordingly.
The quiz
Eight questions. Pass at 6 of 8. Each answer reveals immediate feedback.
Start the quiz →What’s next
You have completed the foundation. You can define open finance precisely, read the regulatory geography, trace the technical flow, and form an opinion on where the value is moving.
Open Finance 201 — AI × Strategy in Open Finance is the deep course. Hands-on AI tool, real case studies (Plaid, Tink, Belvo, BBVA) with real numbers, and a 2026-2028 forecast you can act on. Founding-member pricing for graduates of 101.
Join the 201 waitlist →Thank you for finishing. — Natasha
Natasha Cáceres 