Open Banking Has Failed – Why PSD3 Will Restart It
7 min Read Time
Open Banking was supposed to revolutionize the financial market. The reality in Germany? Just 8.7 percent of all payment accounts are accessed by third-party providers via APIs. PSD2 – the directive meant to launch Open Banking in 2018 – failed to deliver on its promise. Now comes PSD3, with a fundamentally overhauled legal framework designed to correct its predecessor’s flaws. The EU finalized the legislative package under the Danish Council Presidency. Publication is expected in the first half of 2026. Here’s what’s different this time – and why full application still won’t happen until 2028.
The Key Takeaways
- Just 8.7% penetration: Only a tiny fraction of authorized third-party providers actually access bank accounts in practice. Open Banking has effectively failed in Germany – PSD2 did not meet expectations.
- PSD3 arrives H1 2026: Publication is expected in the first half of 2026. An 18-month national transposition deadline means applicability is likely in Q2/Q3 2028.
- PSR applies immediately: The Payment Services Regulation (PSR), a companion regulation, becomes directly applicable 20 days after publication – no national transposition required.
- API parity is mandatory: Banks must maintain their APIs to the same level of stability, functionality, and performance as their own digital channels – no more deliberately degraded interfaces.
- Open Finance via FiDA: Alongside PSD3, the EU is developing the Financial Data Access Regulation (FiDA), extending Open Banking principles to insurance, pensions, and investment products.
Why PSD2 Failed
The Payment Services Directive 2 (PSD2) entered into force in 2018 with the aim of opening up financial markets to third-party providers. Banks were required to provide APIs enabling authorized third parties to access account data and initiate payments. The vision: more competition, more innovation, better products for consumers.
In practice, it fell short. Many banks deployed APIs that technically complied – but were practically unusable: slow, unstable, and delivering incomplete data. While regulation mandated that APIs be provided, it did not specify how well they needed to perform. The result? Just 8.7 percent of all payment accounts in Germany use Open Banking access. Other EU countries face similar stagnation.
The root causes are structural. Banks had little incentive to build high-quality APIs – every successful third-party provider represented a potential competitor. Strong Customer Authentication (SCA) was implemented in ways that maximized user friction. And the lack of standardization meant each bank used different API specifications.
What Makes PSD3 Different
PSD3 systematically addresses PSD2’s weaknesses. Its most critical change is API parity: banks must ensure their APIs match the stability, functionality, and performance of their own online banking and mobile app channels. Mandatory quarterly reports on API availability and latency make quality measurable – and comparable.
Other key innovations:
● Expanded data access rights: Third-party providers gain access to broader account information – not just transactions and balances, but also product-level data such as interest rates, fees, and contractual terms.
● Mandatory dashboard requirement: Customers must be able to view, via a centralized dashboard, which third-party providers access their data – and revoke permissions at any time.
● Clear liability rules: PSD3 explicitly defines who bears responsibility in cases of fraud – a persistent problem under PSD2, where banks and third-party providers routinely shifted blame back and forth.
● Improved SCA: Strong Customer Authentication is redesigned to be more user-friendly – reducing friction for authorized access without compromising security.
“PSD2 opened the door a crack. PSD3 kicks it wide open. The API parity obligation is the decisive difference – banks can no longer slam the door shut on third parties through technical obstruction.”
Norton Rose Fulbright, PSD3 Policy Analysis, 2025
PSR: The Regulation That Takes Effect Immediately
Alongside PSD3 (a directive requiring national transposition), the EU is introducing the Payment Services Regulation (PSR) – a regulation that applies directly across all EU member states 20 days after publication. The PSR contains the technical and operational requirements: API standards, authentication rules, reporting obligations.
For businesses, this means PSR requirements arrive faster than anticipated. Companies offering or using payment services should analyze the technical specifications early – and launch implementation projects before deadlines expire.
From Open Banking to Open Finance
PSD3 is only one piece of the puzzle. The EU is simultaneously developing the Financial Data Access Regulation (FiDA), which extends Open Banking principles across the entire financial sector: insurance, pension funds, securities accounts, and credit agreements. Customers will gain the same data sovereignty over all their financial products as they now have over bank accounts.
For FinTechs and WealthTech providers, this is the real breakthrough. A single app aggregating all a customer’s bank accounts, investment portfolios, insurance policies, and pension entitlements – structured, in real time, via standardized APIs. That is the promise of Open Finance. Whether it delivers better than Open Banking depends entirely on whether the EU has learned from PSD2’s mistakes.
What Companies Should Do Now
Even though PSD3 won’t become fully applicable until 2028, now is the right time to prepare. Banks should audit their API infrastructure against the performance of their own digital channels. FinTechs should integrate expanded data access rights into their product roadmaps. And companies using payment services should proactively understand PSR requirements.
The biggest winners will be those who invest now in API-ready infrastructure and treat Open Banking not as a compliance burden – but as a business model.
Frequently Asked Questions
What’s the difference between PSD3 and PSR?
PSD3 is an EU directive requiring national transposition (with an 18-month deadline). PSR is an EU regulation that applies directly – 20 days after publication, with no national transposition needed. PSR contains the technical details; PSD3 sets the overarching legal framework.
When does PSD3 enter into force?
Publication is expected in the first half of 2026. After the 18-month national transposition period, PSD3 is expected to become applicable from Q2/Q3 2028. PSR takes effect significantly earlier – immediately upon publication.
Why has Open Banking failed in Germany so far?
Three main reasons: banks lacked incentives to build robust APIs (viewing third-party providers as competitors), Strong Customer Authentication was overly cumbersome for users, and the absence of standardization led to fragmented, incompatible API landscapes. PSD3 tackles all three issues head-on.
What does API parity mean?
Banks must maintain their APIs for third-party providers to the same level of stability, speed, and functionality as their own online banking and mobile app channels. Quarterly reports on availability and latency make compliance objectively measurable.
What is Open Finance – and how does it differ from Open Banking?
Open Banking covers only bank accounts and payment services. Open Finance (governed by FiDA) expands the principle across the entire financial sector: insurance, pensions, investments, and credit. Its goal is full data sovereignty across all financial products.
Further Reading
- What traditional banks can learn from neobanks
- Digital State: Germany’s public administration in the 21st century
- Cybersec Europe 2026: Brussels’ security conference (SecurityToday)
- FinOps: Getting cloud costs under control (cloudmagazin)
Header Image Source: Pexels / Monstera Production
