From PSD2 to PSD3: Europe’s last chance to make Open Banking a success?
When the second Payment Services Directive (PSD2) was introduced in 2018, it promised a revolution by promoting greater competition, more innovation, and increased power for consumers.
However, seven years later, we must soberly acknowledge that this revolution never truly happened. Instead, it became a patchwork of technical solutions, regulatory gray areas, and disappointed expectations, with frustrating technical implementation, complex integration, and regulatory ambivalence replacing disruptive innovation.
As the CEO of wealthAPI, a leading provider of financial data aggregation, I have experienced firsthand how wide the gap between regulatory aspirations and operational reality has become. While PSD2 opened a door for Europe, it only opened it partway; with PSD3, we now have the chance to finally push it open completely. Europe is at a turning point, and this is the opportunity to fulfill the promise of Open Banking or to let it fail completely.
PSD2: Good Intentions, Poor Implementation
One cannot accuse PSD2 of being unambitious; the basic idea was sound: customers should be able to grant Third Party Providers (TPPs) access to their account data so they can develop better digital financial products. It was intended to foster competition, enable innovation, and give end-users more control over their financial data. This was meant to create innovation-friendly competition for the benefit of consumers and to modernize the financial sector. On paper, it sounded good.
However, theory and practice diverged. What followed was a regulatory experiment where the market had to bear the risks. The European Banking Authority (EBA) and the relevant national authorities imposed new obligations on banks but did not provide an enforceable framework. The result was a proliferation of APIs, security mechanisms, and interpretations of the regulation.
The Greatest Failures of PSD2
1. Technical chaos instead of standardization
PSD2 mandated that banks provide Application Programming Interfaces (APIs), but the specifics of their implementation remained vague. The Regulatory Technical Standards (RTS) were simply too weak. The result:
- Every bank is developing its own unique technical solution.
- The authentication procedures, data models, formats, and error messages differ fundamentally.
- Some banks don’t offer any functional APIs at all or block requests with deliberately restrictive logic.
For a company like wealthAPI, this means we have to develop, integrate, test, and maintain unique interfaces for each bank. This results in an enormous technical and operational overhead, which prevents economies of scale. Integrating a new bank is not a plug-and-play process; it’s a project that takes several weeks. This is not what an API economy should look like.
2. A lack of data parity and no real Open Banking
A particularly frustrating point is the lack of data parity. Many banks do not release all the data through their APIs that is available to end consumers in online banking. The data often doesn’t match what is shown in online banking. Typical examples include:
- Overdraft facilities are not displayed or are shown incompletely.
- Standing orders are missing from the overview or can only be retrieved in a rudimentary form.
- The names of payment partners’ account holders are missing—an essential piece of information for transaction analyses or fraud detection.
What’s the point of having access to an account if you only get half the information? Open Banking without complete data is like Google without search results: possible, but useless. This is not only frustrating but also a step backward for the idea of an open financial ecosystem.
3. A user experience disaster caused by over-bureaucratic security
The introduction of Strong Customer Authentication (SCA) was a necessary step for greater security in payment transactions. No one disputes the need for security, but what the PSD2 enabled under the banner of SCA is a prime example of regulation that is far removed from practical application. In its implementation, it has caused serious user experience problems:
- Interruptions between apps, browsers, and SMS tokens.
- Interruptions in authentication processes, especially with mobile applications.
- Incompatibilities with older devices or operating systems.
- A jungle of transaction authentication number (TAN) procedures and inconsistent user guidance.
Even worse, the variety of SCA methods is a technical ordeal for TPPs. We have to implement dozens of variants and constantly update them when something changes. Every authentication becomes a case-by-case review. Users who try to connect accounts via third-party providers often need patience or simply give up in frustration. Innovation needs security, but it also needs usability.
4. Regulation without strength: no sanctions, no improvements
Perhaps the greatest failing of the PSD2 was the inadequate enforcement by national supervisory authorities. There were no real consequences for banks that didn’t follow the rules. The supervisory authorities too often looked the other way or gave banks too much time. Banks that violate the regulations or provide poor APIs have faced, and continue to face, very few sanctions.
So, why should banks invest in high-quality APIs if no one is forcing them to? This gap between the rule and reality has massively undermined the goal of PSD2. The market was left behind. Without enforcement, every set of rules remains a paper tiger.
PSD3: The last opportunity to get it right
With the planned PSD3 and the supplementary Financial Data Access Framework (FIDA), Europe now has the opportunity to correct the mistakes of PSD2. We are getting a second chance, but it must be used more decisively. Europe must finally have the courage to make what was previously only vaguely hinted at legally binding. For this to succeed, cosmetic corrections are not enough; a real system change is needed.
1. Binding standards instead of technical arbitrariness
The PSD3 must no longer contain non-binding wish lists. It must establish uniform, mandatory requirements for all APIs. Clear technical standards that apply throughout Europe are needed, including:
- Uniform data models and data formats
- Defined communication protocols (e.g., REST + OAuth2)
- Verifiable authentication procedures
- Standardized error codes and error messages
- Clear testing and certification procedures
- Interoperable interfaces
Interoperability can no longer be an option; it must become a requirement. Only then can FinTechs scale and banks demonstrate their innovative strength. Only then is Open Banking more than just a technical fig leaf.
2. Full data parity plus extension
What is visible in online banking must be fully accessible via APIs. Period. No exceptions, no restrictions. And this applies not only to payment accounts but to the entire financial world. In addition, the PSD3 must extend the scope beyond payment accounts to include things like:
- Savings accounts
- Securities accounts
- Loan agreements
- Insurance products
If we are to speak of “Open Finance,” we must also mean it. Otherwise, we will remain stuck in a semi-open state. Only then can new, holistic, digital business models emerge, ranging from automated financial advice to dynamic risk management. Open Banking was well conceived; Open Finance and Open Wealth are the logical next steps.
3. Rethinking SCA: yes to security, but user-centric
Security requirements must no longer serve as an excuse for a poor user experience. The PSD3 should not only define security goals but also include user experience guidelines for SCA procedures. It needs to provide banks with clear guardrails on how SCA is to be implemented: securely, yes, but also smoothly, understandably, and flexibly. This includes:
- a consistent user experience
- preferred mobile procedures
- fewer interruptions
- flexible, secure options for Third-Party Providers
A binding user experience governance belongs in the regulation. Secure access should not be a hurdle but must be the starting point for digital excellence.
4. Enforcement with strength: rules must be followed
Without effective sanctions, PSD3 will also fail. Rules are only as strong as their enforcement. The PSD3 needs:
- a European harmonization of supervision
- mandatory sanctions for violations
- clear liability regulations between banks and TPPs
Supervisory authorities, both at the national and EU levels, must be equipped with clear sanction mechanisms. Those who do not follow the rules must face real consequences. Those who block progress must be sanctioned. Those who deliver must be protected. Only in this way can a fair market be created.
PSD3 must not be an evolution; it must be a correction
Europe is under pressure in the digital financial world. The big platform providers from the USA and increasingly from Asia are not sleeping. The USA, the United Kingdom, and Asian markets are developing at a rapid pace. Europe must have the ambition not just to keep up but to lead.
As an API platform for financial data, we experience daily what Open Banking could achieve and where it is failing. We also know that the problems are solvable. What is lacking is not know-how, but rather the political will and regulatory clarity. Open Banking and Open Finance are our chance to build an innovation-friendly, user-centric financial ecosystem that upholds European values such as data protection, competition, and transparency. PSD3 and FIDA offer a historic opportunity to restart Open Banking.
But for that to happen, the PSD3 must deliver what the PSD2 failed to: clarity, binding rules, and enforcement. If we don’t act now, we’ll leave the field to other regions. We at wealthAPI are ready to do our part, but the direction must be right.
What Europe started with PSD2 was brave and correct. What it became was half-hearted. The PSD3 is our chance to turn a politically motivated fragment into a truly viable foundation for the digital financial sector, because Open Finance isn’t a “nice-to-have.” It is the basis for the next chapter in European finance. I am convinced that if we do it right, Open Finance will not just be a buzzword, but an engine of growth for Europe’s digital future.