PSD2 and PSD3: what is changing for your banking data

PSD2: the quiet revolution that opened up your banking data

On January 13, 2018, a European directive little known to the general public profoundly changed the banking landscape: the Payment Services Directive 2 (PSD2). Its central principle is as simple as it is revolutionary: requiring banks to open their customer data — with the customer's consent — to authorized third-party service providers. This opening gave rise to open banking as we know it today.

Since it came into force, PSD2 has enabled the rise of hundreds of financial management applications, instant credit services, comparison tools, and more recently, personal carbon footprint analysis tools. But seven years after its adoption, this directive is beginning to show its limitations in the face of the rapid evolution of the financial sector and digital usage. That is where PSD3 comes in.

What PSD2 concretely changed for consumers

Before PSD2, accessing your banking data through a third-party application was an uphill battle — or even contrary to the banks' general terms of use. The directive normalized and secured these practices by defining two types of regulated services:

  • Payment Initiation Services (PIS): allow a third-party application to initiate a transfer from your account without going through your bank's interface. Used notably for online merchant payments.
  • Account Information Services (AIS): allow a third-party application to read your transactions, balances, and account information to offer you personalized analyses.

For these services, PSD2 required banks to set up standardized APIs (or, failing that, data access interfaces). It also introduced Strong Customer Authentication (SCA) — that well-known two-factor authentication that asks you to validate a transaction via your phone in addition to your password. To understand how these mechanisms work in daily life, our article "A simple guide to open banking" gives a clear and accessible overview.

The limitations of PSD2: why an overhaul was needed

Despite its ambitions, PSD2 revealed several significant shortcomings in its implementation:

APIs of uneven quality

The directive gave banks wide latitude in the technical implementation of their APIs. The result: significant market fragmentation, with APIs that were sometimes poorly performing, poorly documented, or deliberately designed to discourage third-party players. Fintechs regularly reported high unavailability rates and insufficient data quality.

Limited data access

PSD2 only covered payment accounts — current accounts and payment cards. Savings accounts, investment portfolios, life insurance, and loans remained outside the scope of open banking. This limitation considerably reduced the richness of possible analyses for consumers.

Sometimes overly restrictive authentication rules

Strong authentication, while essential for security, created significant friction in the user experience, particularly for read-only data access. Exemptions exist but their implementation remains complex.

An imbalance in data access

A fundamental paradox of PSD2: it required banks to share their customer data with fintechs, but imposed no reciprocity. Large technology platforms (Apple Pay, Google Pay, Amazon) access banking data through PSD2 without being subject to the same sharing requirements as traditional banks.

PSD3: the major new developments expected

The European Commission presented its PSD3 proposal in June 2023. This text, still being finalized at the European level, brings major changes on several fronts.

Expanding the scope of data

PSD3 is accompanied by a complementary regulation on open financial data (FIDA — Financial Data Access). Together, these texts aim to extend open banking into true open finance: the data covered will now include savings products, investments, insurance, and pensions. This is a revolution for consumers, who will be able to get a 360-degree view of their assets and their financial impact.

More performant and standardized APIs

PSD3 provides for strengthened technical requirements for banking APIs: guaranteed availability, defined response times, standardized documentation. Banks will also be required to implement consent dashboards allowing users to easily view and manage all access authorizations granted to third parties.

Better fraud protection

PSD3 strengthens obligations for fraud detection and prevention, particularly regarding phishing and social engineering. Payment service providers will be required to share fraud data with each other to improve collective detection.

The Big Tech question

PSD3 attempts to level the playing field by subjecting technology giants offering payment services to the same obligations as traditional banking players. A significant step forward, even though some experts believe it remains insufficient given the market power of these players.

What PSD3 changes for your personal data

For consumers, the implications of PSD3 are concrete and significant:

  • Clearer and more granular consent: you will be able to choose exactly which data to share, with whom, and for how long — with the ability to revoke these authorizations with a single click
  • Enhanced portability: switching banks or financial management apps will become simpler thanks to standardized data formats
  • Extended access rights: you will be able to ask your bank to share your data with a third party of your choice, including historical data
  • Better readability of authorizations: consent dashboards will make visible what you have granted and to whom

"PSD3 marks the shift from banking open banking to a true open finance, where the consumer finally becomes the real owner of their financial data."

— Marianne Verdier, economist specializing in financial regulation

Spending management apps: what concretely changes

For users of spending analysis apps — whether for budget management or carbon footprint analysis — PSD3 represents a major opportunity:

  • Access to a broader data scope will enable more comprehensive analyses of your financial and environmental situation
  • Improved API quality will enhance synchronization reliability and reduce categorization errors
  • Standardization will facilitate the development of new innovative features
  • Consent dashboards will strengthen the confidence of users hesitant to share their data

To discover the best applications currently available for analyzing your spending, see our comparison: "Spending analysis: 5 apps that decode your accounts".

Expected timeline and uncertainties

PSD3 follows the standard European legislative process, which involves negotiations between the European Commission, Parliament, and Council. Current estimates foresee:

  • Final adoption: during 2025 or early 2026
  • Transposition into national law: 18 to 24 months after adoption, i.e., 2027-2028 at the earliest
  • Effective application: probably 2028-2029 for the main provisions

In the meantime, PSD2 remains the applicable regulatory reference. Market players are nonetheless preparing by anticipating the new requirements, particularly regarding API quality and consent management.

Conclusion: toward digital financial sovereignty for European citizens

The PSD2-to-PSD3 trajectory illustrates a coherent European ambition: to make open banking a lever for consumer empowerment, by giving them real control over their financial data and fostering competition and innovation in the banking sector. For users concerned about their environmental impact, this regulatory evolution opens fascinating prospects: tomorrow, your bank — or the app of your choice — will be able to offer you a complete and precise view of your financial carbon footprint, from current account to stock portfolio. Green finance also starts with data.
