Waygrid AI Gateway is now in General Availability. Secure, streamline, and simplify your AI initiatives. Learn more →

PSD2 applies from this week. Open banking begins in earnest.

Financial institutions entering the open banking era

As of this week, the revised Payment Services Directive applies across the Union. After two years of transposition and a great deal of conference-stage speculation, the era in which a bank could treat its customer data as accessible to no one but itself is legally over. Licensed third parties have a right to access accounts, with the customer's consent, and banks have an obligation to make that access work.

The technical standards fleshing out how, secure communication, strong authentication, arrive with their own deadlines over the next eighteen months. But the strategic fact is settled now, and it is worth stating plainly: the bank's interface is no longer an integration detail. It is a regulated product.

Two ways to read the obligation

Read defensively, PSD2 is a compliance cost: build the mandated access, minimally, and hope the fintechs lose interest. Read ambitiously, it is a forced apprenticeship in a skill banks will need regardless: publishing APIs that external developers can discover, understand, and rely on, with the availability and support of any other banking channel.

The regulator is compelling banks to learn, on a deadline, what technology companies learned by choice: an interface used by outsiders is a product, and products are judged.

The defensive reading is more expensive than it looks

The minimal reading feels like the prudent, cost-controlled choice, and that is its trap. Building the smallest interface that satisfies the letter of the directive still requires standing up third-party authentication, consent handling, secure communication, and the monitoring to prove it all works, which is to say, most of the hard engineering. Having paid for the foundation, the defensive institution then deliberately declines to build anything valuable on top of it.

Meanwhile, the same capability the bank built grudgingly is one its competitors are building deliberately, and the developers deciding which bank to integrate with will notice the difference. A poorly documented, barely-maintained mandated interface is a signal, and not a flattering one. The defensive reading does not actually avoid the cost of becoming an API provider; it just ensures the bank gets the cost without the return.

What the ambitious reading requires

  • Interfaces treated with product discipline: documented, versioned, monitored, with someone accountable for their quality.
  • Onboarding a third party can complete without a relationship manager and three committee meetings.
  • Operational evidence, availability, response times, incident history, because supervisors will ask, and because partners choose the banks that can show it.

The banks that take the ambitious reading will discover the same interfaces serve corporate clients, partnerships, and their own channels. Compliance pays for the foundation; what gets built on it is up to the institution. This week the choice becomes real.

Share this article
X LinkedIn Email

Ready to see Waygrid in action?

Book a personalized demo. A solutions engineer will walk you through how Waygrid can help streamline your architecture, eliminate inefficiencies, and maximize your innovation.