01 What XS2A is — the three roles
PSD2 (Directive (EU) 2015/2366) forced banks for the first time to give authorised third parties access to payment accounts **with the customer's consent** — the “access to the account” principle, in short **XS2A**. Three roles carry the model: the **ASPSP** (account-servicing payment service provider — the bank holding the account), the **PISP** (payment initiation service provider — initiates payments directly from the account, Art. 66) and the **AISP** (account information service provider — aggregates account data, Art. 67). Both third-party roles are regulated, supervised activities [1].
02 How the access is governed in practice
The mechanics sit in the **SCA-RTS (Commission Delegated Regulation (EU) 2018/389)**: banks provide a **dedicated interface (API)** or an adapted customer interface through which PISPs and AISPs connect — protected by **strong customer authentication (SCA)**. Where a dedicated API is used, “screen scraping” can be blocked, but absent an exemption a **fallback / contingency mechanism** must exist so the third-party services are not cut off if the API fails. That balance — reliable access without compromising security — is the standing friction point between banks and third parties [2].
03 Outlook: PSD3/PSR and FIDA (both proposed)
Two proposed acts would evolve open banking — both **not yet law**. The **PSD3/PSR** (the Commission's June 2023 package; provisional political agreement 27 Nov 2025, not yet in the Official Journal) would improve API access and create a list of **prohibited access obstacles**. The **FIDA Regulation** (Financial Data Access, COM(2023) 360) would extend the data-sharing principle beyond payment accounts to a broader set of financial data — the jump from “open banking” to “open finance”. We track both as a status-tagged pipeline, without presenting them as law until they are published.
Sources
Every cited claim links to the primary source.