Open Banking: The Regulatory Map in 2026 and the Risks That Come With It
Open banking is past the stage of being a regulatory experiment. PSD2 has been live in the EU since 2018. The UK's Open Banking Implementation Entity has processed over twelve billion API calls. India's UPI processed 185.8 billion transactions in FY25. The infrastructure is built and operating at scale. The regulatory question in 2026 is not whether to implement open banking. It is how to govern the risk surface that comes with it, and how to keep that governance current as the regulatory map shifts.
The map is shifting in several directions simultaneously. PSD3 is in trilogue. India is building account aggregation infrastructure that reaches beyond payments. BIS Project Nexus is creating an ASEAN-India real-time payments corridor. For practitioners operating across these jurisdictions, the compliance picture in 2026 looks materially different from the one that existed when most open banking risk frameworks were designed.
The EU: PSD2 to PSD3
PSD2 established the foundational model: banks must provide licensed third-party providers access to customer payment account data via standardised APIs, with customer consent. It introduced Strong Customer Authentication (SCA) and created the regulatory categories of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
PSD3 was proposed by the European Commission in June 2023 and is currently in trilogue negotiations between the Commission, Parliament, and Council, with implementation expected no earlier than 2026 or 2027. The key changes from a risk and compliance perspective are: enhanced SCA requirements, strengthened fraud liability rules that shift more responsibility to payment service providers for mule account fraud, improved access to payment systems for non-bank PSPs, and the introduction of Financial Data Access (FIDA) as a separate regulation that extends open banking principles beyond payment accounts to investment, insurance, and savings products.
The FIDA regulation is the material development that most open banking risk frameworks have not yet addressed. When it enters into force, the API access obligation extends to a substantially wider dataset than PSD2 covered. The security surface expands accordingly. Institutions that built their open banking controls for payment account APIs will need to reassess their architecture against a broader data scope.
The UK: Post-Brexit Divergence
The UK's open banking framework has evolved independently since Brexit. The Joint Regulatory Oversight Committee (JROC) published its roadmap for the next phase of open banking in 2023, with variable recurring payments (VRPs) as the primary commercial development. VRPs allow third parties to initiate recurring payments with customer-set parameters, creating a direct alternative to card-based recurring payments.
The Payment Systems Regulator (PSR) and the Financial Conduct Authority (FCA) are developing the long-term regulatory framework for open banking under the umbrella of Smart Data, which extends the data portability principle to energy, telecoms, and other sectors. For financial services practitioners, the UK framework is diverging from EU PSD3 in its commercial model (industry-led rather than mandated access) while maintaining alignment on SCA and fraud liability principles. Firms operating in both jurisdictions need to track this divergence actively, as the compliance requirements for a UK AISP and an EU AISP are no longer equivalent.
India: Account Aggregator and OCEN
India's open finance architecture is the most significant development that receives the least attention in Western regulatory analysis. The Account Aggregator (AA) framework, developed by RBI with SEBI, IRDAI, and PFRDA, enables consent-based financial data sharing across banks, NBFCs, insurance, and investments through a standardised consent artefact. Over 1.1 billion accounts are live on the AA network as of early 2026.
The Open Credit Enablement Network (OCEN) is built on top of the AA framework to enable embedded lending. By allowing lenders to access cash flow data directly through the AA consent mechanism, OCEN enables real-time credit assessment for underserved segments that traditional credit scoring cannot reach. BIS estimates that AI-driven credit decisioning on AA data could expand credit access to an additional 50 to 55 million borrowers.
The risk surface in India's framework is different from Europe's. GDPR-style individual rights enforcement is not the primary risk vector. The risks are consent fatigue (users granting broad data access without understanding the scope), data localisation requirements under DPDP 2023 that affect cross-border data flows, and the security of the consent artefact itself against manipulation or forgery. India's DPDP Act 2023 is still developing its secondary regulations, so the compliance picture for international institutions operating in India remains incomplete.
BIS Project Nexus: Cross-Border Corridor Risk
BIS Project Nexus is building a multi-country real-time payments corridor connecting Singapore's PayNow, Malaysia's DuitNow, Thailand's PromptPay, the Philippines' InstaPay, and India's UPI. Phase 3, which targets live implementation, began in 2024. When operational, it creates a payment corridor covering a combined population of over 1.7 billion people and significant trade flows between ASEAN and India.
For compliance and risk functions, Project Nexus creates cross-border regulatory complexity that open banking frameworks have not historically needed to address. A payment initiated through UPI and settled across the Project Nexus corridor into a PayNow recipient account involves RBI's payment system regulations, MAS's payment services framework, and the bilateral settlement rules of the Nexus corridor itself. Fraud liability, dispute resolution, and AML transaction monitoring all need to work across this architecture. Most firms operating across these corridors are still at the early stages of understanding what that compliance picture looks like.
The Risk Surface Across All Three Frameworks
The security risks in open banking are consistent across jurisdictions even where the regulatory frameworks differ: API authentication vulnerabilities, third-party access control failures, consent management weaknesses, and transaction fraud enabled by account information access.
API security is the foundational control. Financial-grade API (FAPI) profiles developed by the OpenID Foundation establish the security baseline for open banking APIs, with FAPI 2.0 as the current standard. PSD2's RTS on SCA mandated FAPI-aligned security for EU implementations. The UK's Open Banking security profile is aligned to FAPI. India's AA framework uses a similar consent artefact architecture. Institutions that have implemented open banking APIs that are not FAPI 2.0 compliant have a material security gap.
Third-party access governance is where most control failures originate. The control question is not just whether a TPP is licensed at the point of onboarding. It is whether the institution has ongoing monitoring of TPP activity, whether it can detect abnormal data access patterns, and whether it has the operational capability to revoke access in real time when a TPP is compromised or decertified. The MOVEit and Change Healthcare incidents demonstrate what cascading third-party compromise looks like. Open banking creates a structured API channel for that same attack surface.
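An added example of the ongoing-monitoring controls described above, covering consent artefact integrity (the forgery risk raised in the India section), consent scope enforcement, abnormal access-volume detection and real-time revocation at the API gateway. It is not code from the article or from any regulator's framework; the TPP names, consent IDs, HMAC signing key and log records are constructed for the demonstration, and the HMAC check stands in for whatever signed artefact a real framework uses.

```python
# Added example, not code from the article or from any open banking framework: a
# gateway-side TPP access monitor for the controls the text names (artefact integrity,
# scope enforcement, volume monitoring, revocation). Keys, IDs and logs are constructed.
import hmac, hashlib, json
from collections import Counter

ARTEFACT_KEY = b"constructed-demo-key"  # hypothetical key; HMAC stands in for real signing

def sign_consent(artefact: dict) -> str:
    body = json.dumps(artefact, sort_keys=True).encode()
    return hmac.new(ARTEFACT_KEY, body, hashlib.sha256).hexdigest()

def artefact_valid(artefact: dict, sig: str) -> bool:
    # constant-time compare: a forged or edited artefact fails here
    return hmac.compare_digest(sign_consent(artefact), sig)

def evaluate(calls, consents, revoked, baseline, spike_factor=5):
    """Verdict per call id; `calls` is one monitoring window of gateway log records."""
    volume = Counter(c["tpp"] for c in calls)  # calls per TPP in this window
    out = {}
    for c in calls:
        tpp, entry = c["tpp"], consents.get(c["consent_id"])
        if tpp in revoked:  # decertified or compromised TPP: block immediately
            out[c["id"]] = "BLOCK:revoked_tpp"
        elif entry is None or not artefact_valid(entry["artefact"], entry["sig"]):
            out[c["id"]] = "BLOCK:invalid_consent"
        elif (entry["artefact"]["tpp"] != tpp or c["resource"] not in entry["artefact"]["scope"]
              or c["ts"] > entry["artefact"]["expires"]):  # other TPP's consent, resource, expiry
            out[c["id"]] = "BLOCK:out_of_scope"
        elif volume[tpp] > spike_factor * baseline.get(tpp, 1):  # abnormal access volume
            out[c["id"]] = "ALERT:volume_spike"
        else:
            out[c["id"]] = "ALLOW"
    return out

ALPHA = {"tpp": "tpp-alpha", "scope": ["accounts", "balances"], "expires": 200}
BULK = {"tpp": "tpp-bulk", "scope": ["accounts"], "expires": 200}
CONSENTS = {"c1": {"artefact": ALPHA, "sig": sign_consent(ALPHA)},
            "c2": {"artefact": ALPHA, "sig": "0" * 64},  # tampered/forged signature
            "c3": {"artefact": BULK, "sig": sign_consent(BULK)}}
CALLS = [{"id": 1, "tpp": "tpp-alpha", "consent_id": "c1", "resource": "balances", "ts": 100},
         {"id": 2, "tpp": "tpp-alpha", "consent_id": "c1", "resource": "transactions", "ts": 101},
         {"id": 3, "tpp": "tpp-alpha", "consent_id": "c2", "resource": "accounts", "ts": 102},
         {"id": 4, "tpp": "tpp-alpha", "consent_id": "c1", "resource": "accounts", "ts": 300},
         {"id": 5, "tpp": "tpp-beta", "consent_id": "c1", "resource": "accounts", "ts": 103},
         {"id": 6, "tpp": "tpp-gone", "consent_id": "c1", "resource": "accounts", "ts": 104}]
CALLS += [{"id": 10 + i, "tpp": "tpp-bulk", "consent_id": "c3", "resource": "accounts", "ts": 110 + i}
          for i in range(6)]  # six calls against a baseline of one: a volume spike
def run_demo():
    return evaluate(CALLS, CONSENTS, {"tpp-gone"}, {"tpp-alpha": 2, "tpp-bulk": 1})
```

The volume check is deliberately per window; in a production gateway the baseline would come from each TPP's historical rate and the window would be a rolling one.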
For GRC and IT audit functions, open banking risk is no longer a specialised domain. It is mainstream ICT risk management, with a regulatory layer that is actively evolving across every major jurisdiction.
The institutions that are managing open banking risk well in 2026 are those that have built their controls against the actual regulatory architecture, not the architecture that existed when they first implemented open banking. PSD2 is not the current standard. PSD3 and FIDA are in process. The UK framework is diverging. India is building infrastructure that will be material for any institution operating in the subcontinent. Project Nexus is creating cross-border complexity that existing compliance frameworks have not mapped. Keeping the risk picture current is the work.
The practitioners who will be ahead of this are those who treat regulatory cartography as an ongoing discipline: tracking what has changed, mapping the implications to their specific jurisdictions and product mix, and updating their control frameworks before regulators ask the question.