Start Free Trial

Open Banking UK vs EU PSD2 2026: CMA9, OBIE, Berlin Group

Open Banking UK vs EU PSD2 in 2026: CMA9, OBIE, Berlin Group, cross-border AISP licensing and why some UK apps will not work in the EU and vice versa.

Open Banking UK vs EU PSD2 (2026): CMA9, OBIE and Berlin Group — a Cross-Border AISP Deep Dive

TL;DR

UK Open Banking and EU PSD2 share a common ancestor — the 2015 EU Payment Services Directive 2 (2015/2366) — but have diverged since the UK's CMA Retail Banking Market Investigation Order of 2017 and the UK's exit from the EEA in 2020. The UK regime is narrower (the nine largest UK banks — "CMA9" — plus selected others), technically tighter (a single OBIE Read/Write API standard), supervised by the FCA with the Joint Regulatory Oversight Committee (JROC) and the new Open Banking Limited successor entity. The EU regime is broader (~6,000 ASPSPs across 30 EEA countries) but more fragmented (Berlin Group NextGenPSD2, STET, PolishAPI and bespoke dialects), supervised by EBA plus national competent authorities — BaFin (Germany), ACPR (France), Bank of Italy, Banco de España, DNB (Netherlands), KNF (Poland), Central Bank of Ireland. For users this means: a UK app may not see your German N26 unless it holds EEA permissions; an EU app may not connect to Monzo unless it holds FCA permissions. For developers it means: dual licensing, dual technical integration, dual consent flows.

Educational content, not legal, regulatory or vendor-selection advice. UK and EU rules diverge continuously; verify with the FCA and your national EU competent authority.

What changed: pre-PSD2, PSD2 era, and the post-Brexit divergence

Pre-2017: both the UK and the EU sat under PSD1 (2007/64/EC), which did not require open APIs. Screen-scraping aggregators existed in a legal grey zone on both sides of the Channel.

2017–2019: the UK CMA Retail Banking Market Investigation Order of February 2017 mandated the nine largest UK retail banks (Barclays, HSBC, Lloyds, Nationwide, RBS/NatWest, Santander UK, Bank of Ireland, Danske, Allied Irish Bank — the "CMA9") to fund and adopt a single Read/Write API standard, governed by Open Banking Implementation Entity (OBIE). The first version of the OBIE API went live January 2018, eight months before PSD2's RTS on SCA applied EU-wide.

September 2019: PSD2 RTS apply across the EEA. Berlin Group NextGenPSD2 emerges as the dominant standard in DACH, Benelux, CEE and Nordics; STET dominates France; PolishAPI in Poland; OBIE remains UK-only.

January 2020: the UK formally leaves the EU. Post-Brexit, UK transposition of PSD2 (the Payment Services Regulations 2017) remains in force, but the UK is no longer in the EEA — meaning no PSD2 passporting between UK and EU.

2022–2026: the UK roadmap moves beyond PSD2: Variable Recurring Payments live for sweeping, mandatory Authorised Push Payment (APP) fraud reimbursement live from October 2024, the JROC roadmap setting the "future entity" to replace OBIE. The EU prepares PSD3 / PSR / FIDA.

2026+ trajectory: the gap may widen further. UK accelerates on premium APIs, VRP and Smart Data; EU consolidates with PSD3 + FIDA. Cross-border app coverage requires dual permissions.

Stakeholders side by side

Role UK EU
Regulator FCA (conduct) + PSR (payment systems) + JROC EBA + national CAs (BaFin, ACPR, Bank of Italy, Banco de España, DNB, KNF, Central Bank of Ireland)
Standards body OBIE (transitioning to Open Banking Limited successor) Berlin Group / STET / PolishAPI / OBIE-equivalent dialects
In-scope banks CMA9 mandated + voluntary participants Every ASPSP in the EEA (~6,000)
AISP / PISP licensing FCA-authorised Payment Institution or Registered AISP National CA authorisation, EEA passport
End-user app Same patterns Same patterns
User UK consumer / business EEA consumer / business

UK

  • Payment Services Regulations 2017 — UK transposition of PSD2; remains in force post-Brexit, with FCA "smarter regulatory framework" amendments
  • CMA Retail Banking Market Investigation Order 2017 — mandated CMA9 to fund OBIE and adopt a single API standard
  • Payment Systems Regulator mandatory APP fraud reimbursement scheme effective 7 October 2024 — 50:50 split between sending and receiving PSPs up to £415,000 per claim
  • FCA SCA RTS — UK version of EU RTS 2018/389, retained post-Brexit, periodically updated
  • JROC (Joint Regulatory Oversight Committee) — FCA + PSR + HM Treasury + CMA, set the 2023–2024 strategic roadmap for open banking and Smart Data

EU

  • Directive (EU) 2015/2366 (PSD2) with national transposition: ZAG (Germany), Ordonnance 2017-1252 (France), D.lgs. 218/2017 (Italy), RDL 19/2018 (Spain), Wft (Netherlands), Ustawa o usługach płatniczych (Poland)
  • Commission Delegated Regulation (EU) 2018/389 — RTS on SCA
  • SEPA Instant Regulation (EU) 2024/886 — mandatory IBAN/name verification, instant SEPA universal availability from October 2025
  • DORA — Regulation (EU) 2022/2554 — ICT resilience, applicable since 17 January 2025
  • PSD3 + PSR + FIDA package — COM(2023)366 and COM(2023)360, in trilogue, application expected 2026–2028

API technical standards — one vs four

UK: OBIE Read/Write API

A single, mandatory standard for the CMA9. Comprehensive: account information (AIS), payment initiation (PIS), confirmation of funds (CoF), Variable Recurring Payments (VRP). Versioned and maintained by OBIE with industry working groups. Strong on developer experience; uniform sandboxes. Premium APIs are an OBIE-defined construct on top of the regulated baseline.

EU: four (or five) standards

  • Berlin Group NextGenPSD2 — DACH, Benelux, CEE, Nordics. Currently v1.3.13 / v1.4 with the openFinance API extension. Most widespread.
  • STET PSD2 API — France (BNP Paribas, Société Générale, Crédit Agricole, BPCE).
  • PolishAPI — Poland, maintained by the Polish Banking Association (ZBP), supervised by KNF.
  • Bespoke ASPSP dialects — many banks add proprietary endpoints on top of Berlin Group for enriched data.
  • Berlin Group openFinance API — emerging extension covering savings, investments, mortgages — positioned for FIDA endpoint.

This is precisely why pan-European aggregators (Tink, TrueLayer, Yapily, Salt Edge, Plaid, Finicity) exist: a single integration that hides the dialect zoo.

AISP / PISP licensing across the Channel

UK

  • FCA-authorised Payment Institution — full licence, similar to PSD2 thresholds: 50,000 GBP initial capital for PIS-only; £125,000 GBP for EMI
  • Registered AISP — lighter regime for pure AISPs without payment initiation
  • Professional indemnity insurance required, formula similar to EBA Guidelines EBA/GL/2017/08
  • Approval timeline — historically 4–8 months; FCA capacity has tightened post-2022
  • EEA passport — lost in 2020; UK firms now need EU permissions for EU customers

EU

  • National CA authorisation under PSD2 (e.g. KNF in Poland, BaFin in Germany)
  • Initial capital — same 50,000 EUR / 125,000 EUR / 350,000 EUR ladder
  • Professional indemnity insurance under EBA/GL/2017/08
  • Approval timeline — 6–12 months
  • EEA passport — one authorisation covers all 30 EEA countries

Cross-border practice

UK-origin aggregators (TrueLayer, Yapily, Plaid Europe) hold dual permissions: FCA in the UK plus an EEA entity (often Ireland, Netherlands, Lithuania) for EU passport. EU-origin AISPs (Tink, Salt Edge, GoCardless Bank Account Data) hold an FCA permission for UK coverage. End-user apps must verify their aggregator's permissions cover the geographies they target.

SCA: same DNA, different implementation maturity

Both regimes require Strong Customer Authentication: two of three factors among knowledge, possession, inherence. UK and EU both adopted EMVCo 3-D Secure 2 for cards.

SCA element UK EU
Source FCA SCA RTS (retained from 2018/389) Commission Delegated Regulation 2018/389
Low-value exemption ≤£30 single, cumulative caps ≤30 EUR single, cumulative caps
TRA thresholds Identical RFR bands (0.13 / 0.06 / 0.01 %) Same
AIS consent renewal 90 days 180 days since EBA March 2021 opinion
Behavioural biometrics FCA explicit guidance EBA opinion-level, codified in PSR
Mobile-first SCA adoption Very mature; some legacy SMS still live Very mature in DACH, France, Poland; legacy SMS persists in some southern EU markets

The 180-day EU vs 90-day UK consent gap is the single most user-visible difference: an EU customer using an aggregator gets two SCA renewals per year; a UK customer four.

Variable Recurring Payments — UK leads, EU follows

Variable Recurring Payments (VRP) allow a PISP to initiate multiple payments to a single payee within consumer-defined limits (max per payment, max per period) after a single SCA. The UK launched VRP for "sweeping" — moving funds between a consumer's own accounts — in 2022, with commercial VRP (for utility bills, subscriptions) live by 2025. The EU has no comparable production rollout under PSD2; PSD3 / PSR is expected to harmonise VRP across the EEA but the timeline is post-2026.

Confirmation of Payee / IBAN / name verification

UK launched Confirmation of Payee (CoP) in 2020 — when you initiate a transfer, the sending bank checks the name on the receiving account and warns you of mismatch. By 2024, CoP coverage expanded to ~99 % of UK retail payments.

EU launched mandatory IBAN/name verification (Verification of Payee, VOP) under the SEPA Instant Regulation (EU) 2024/886, applicable from October 2025. Coverage ramps through 2026.

The economic effect: dramatic reduction in misdirected-transfer losses and in APP fraud where fraudsters used legitimate-looking IBANs under false names.

Authorised Push Payment fraud reimbursement

The UK launched mandatory APP fraud reimbursement on 7 October 2024 via the Payment Systems Regulator. Customers tricked into authorising payments to fraudsters are reimbursed up to £415,000 per claim, with 50:50 cost split between sending and receiving PSP. Higher per-claim caps and faster timelines than any EU regime today.

The EU's PSR will introduce partial APP reimbursement rights, anchored in failure-to-VOP and spoofed-caller-ID liability, but not at the UK's blanket level. Expect divergence to persist.

Liability and refund timing

Liability element UK EU
Refund for unauthorised payment End of next business day (PSR 2017) End of next business day (PSD2 Art. 73)
Max user exposure on lost card £35 (FCA guidance to firms; statutory £50) 50 EUR
PISP liability for unauthorised initiation PISP-borne, with recourse against ASPSP Same
AISP read-only liability GDPR + FCA conduct rules GDPR + PSD2 conduct rules
APP fraud reimbursement Mandatory £415,000 cap since Oct 2024 Partial under PSR (failure-to-VOP, spoofed caller)

The future regulatory entity — UK transition

OBIE was scheduled to transition to a permanent successor body co-funded by industry beyond the original CMA9. As of 2026 the transition to a new entity (often referred to as the "Future Entity for Open Banking") is well advanced, with broader scope including Smart Data Schemes (HM Treasury's Data Protection and Digital Information framework) — analogous to the EU's FIDA. Expect UK Smart Data Schemes to leap-frog FIDA in some scopes (energy, telecom) where the UK enabling legislation moved faster.

For consumers — what to know if you live in both worlds

If you're a UK resident with EU accounts (or vice versa), and you want one personal finance app for everything:

  1. Verify aggregator coverage — does the app hold both FCA permission and an EEA AISP authorisation?
  2. Expect two consent renewal cycles — 90 days for UK accounts, 180 days for EU accounts
  3. Currency conversion — handled at bank level; your aggregator shows balances in their native currencies, conversion to a base currency happens in-app
  4. APP fraud rights — vary by jurisdiction; the UK 50:50 mandatory regime does not extend to EU-routed transfers
  5. VOP / CoP warnings — increasingly universal both sides; heed them

Many users benefit from AISP-integrated apps that aggregate accounts across both regimes; Freenance, an EU-native AI cashflow companion focused on Financial Freedom Runway across multi-bank balances, is one of the apps designed for cross-border EEA users.

For developers and founders building cross-border

  • Dual licensing — FCA + an EEA national CA (Ireland and Lithuania are popular for EEA passport)
  • Dual technical integration — OBIE Read/Write for UK CMA9 + an aggregator (Tink, Yapily, TrueLayer, Salt Edge) for EU breadth
  • Dual consent UX — 90 / 180 day cycles; clear copy explaining the cadence
  • Dual fraud-handling — UK PSR mandatory reimbursement vs EU PSR partial; align internal fraud-ops playbook
  • DORA in EU, FCA operational resilience SYSC 15A in UK — overlapping but distinct ICT resilience regimes
  • Smart Data Schemes (UK) vs FIDA (EU) — both moving toward open finance / open energy; design data model to cover both

Worked example — UK and EU expat under one app

Maria, 30, dual-citizen of Italy and the UK. Lives in London, owns a property in Milan. Accounts:

  • UK: Monzo current (GBP), Vanguard ISA, Nationwide savings
  • EU: N26 EUR (DE), Revolut EUR multi-currency, Italian Intesa Sanpaolo (mortgage + current)

Her chosen personal finance app uses TrueLayer (FCA + EU permissions). Connections:

  • Monzo, Nationwide → OBIE Read/Write API → SCA in Monzo / Nationwide app → 90-day renewal
  • N26, Revolut → Berlin Group NextGenPSD2 → SCA in N26 / Revolut app → 180-day renewal
  • Intesa Sanpaolo → Berlin Group + Italian bespoke → SCA in Intesa app → 180-day renewal
  • Vanguard ISA → outside PSD2 today, requires CSV upload until FIDA + UK Smart Data covers investments

Aggregated Financial Freedom Runway shown in EUR with live FX. Cross-border picture, one app, two regulatory regimes.

Polish reader angle: a UK-Polish bridge

Polish residents working remotely for UK companies, holding UK accounts:

  • Polish accounts (PKO BP, mBank, ING, Santander, Pekao, Millennium) sit under PolishAPI standard, KNF-supervised, 180-day renewal
  • UK accounts (Wise, Monzo, Revolut UK, Starling) sit under OBIE Read/Write, FCA-supervised, 90-day renewal
  • Revolut is special — Revolut Bank UAB (Lithuanian licence) for EEA + Revolut Ltd (FCA authorised EMI) for UK; same brand, two regulators

An aggregator covering both — Tink + TrueLayer combination, or Yapily with dual permissions — gives Polish-UK users a unified view. KNF and the FCA cooperate via the EBA-FCA memorandum but do not directly share authorisations; cross-licensing is required.

FAQ

Can a UK app see my German bank? Only if the app's underlying aggregator holds an EEA AISP authorisation (e.g. via an Irish, Dutch or Lithuanian entity). Otherwise the app simply does not list your German bank.

Can an EU app see my UK bank? Only if the aggregator holds FCA AISP permissions. Many do — Tink, Salt Edge, Plaid all hold dual permissions.

Why is the UK ahead on Variable Recurring Payments? Because the CMA9 had a single mandated standard (OBIE) able to add VRP as a versioned upgrade. The EU's fragmented standards make VRP rollout slower. PSD3 / PSR will harmonise.

Why is the UK ahead on APP fraud reimbursement? Political and regulatory will at the Payment Systems Regulator drove a mandatory regime in 2024. The EU's PSR proposes partial coverage but not the UK's blanket cap.

Is my UK Open Banking data subject to GDPR? The UK retained GDPR as "UK GDPR" post-Brexit. Both regimes apply broadly equivalent rules; adequacy decision in place allows EU-UK data flow.

Will the UK and EU converge again? Unlikely in the near term. The UK is signalling continued divergence (Smart Data, premium APIs, VRP); the EU is harmonising internally (PSR + FIDA). Expect two related but distinct regimes for the foreseeable future.

What about apps using only Wise / Revolut? Wise UK uses an FCA EMI permission; Wise Europe uses a Belgian authorisation. Revolut splits the same way. Their multi-currency wallets cross both regimes through internal accounts, but PSD2/UK Open Banking views them as separate connections.

Sources

  • Directive (EU) 2015/2366 (PSD2)
  • Commission Delegated Regulation (EU) 2018/389 (RTS on SCA)
  • UK Payment Services Regulations 2017
  • CMA Retail Banking Market Investigation Order 2017
  • European Commission proposal COM(2023)366 (PSD3 / PSR)
  • European Commission proposal COM(2023)360 (FIDA)
  • SEPA Instant Regulation (EU) 2024/886
  • UK Payment Systems Regulator mandatory APP fraud reimbursement scheme (October 2024)
  • OBIE Read/Write API specification
  • Berlin Group NextGenPSD2, STET, PolishAPI standards
  • DORA — Regulation (EU) 2022/2554
  • FCA SCA RTS (retained from 2018/389)
  • National competent authorities: EBA, FCA, JROC, BaFin, ACPR, Bank of Italy, Banco de España, DNB, KNF, Central Bank of Ireland

Want full control over your finances?

Try Freenance for free

Related Articles

Fintech

Best Bank in France for Expats 2026: FR Bank Comparison

Hybrid 2026 guide to the best bank in France for expats — BNP Paribas, Société Générale, Boursorama, Revolut and N26 — KYC, fees, mortgage prep, IBAN.

Read more →Fintech

Best Bank in Germany for Expats 2026: DE Bank Comparison

Hybrid 2026 guide to the best bank in Germany for expats — Deutsche Bank, Commerzbank, Sparkasse, Postbank, Revolut and N26 — KYC, fees, mortgage prep.

Read more →Fintech

Best Bank in Italy for Expats 2026: IT Bank Comparison

Hybrid 2026 guide to the best bank in Italy for expats — Intesa Sanpaolo, UniCredit, Fineco, Illimity plus Revolut and N26 — codice fiscale, KYC, mortgage prep.

Read more →Fintech

Best Bank in the Netherlands for Expats 2026: NL Comparison

Hybrid 2026 guide to the best bank in the Netherlands for expats — ING, ABN AMRO, Rabobank, SNS, bunq, Revolut and N26 — BSN, KYC, fees, mortgage prep.

Read more →
Start today

Your path to financial freedomstarts here

Join thousands of investors who use Freenance to manage their personal finances.

Start for free
14 days free
No credit card
256-bit encryption