What are the open banking regulations in the UK?

UK open banking is primarily regulated under the Payment Services Regulations 2017 (PSRs 2017), which transposed the EU’s PSD2 directive into UK law. The Financial Conduct Authority (FCA) supervises all open banking providers. The Competition and Markets Authority (CMA) mandated the original open banking framework in 2016. Following Brexit, the UK is developing its own post-PSD2 framework under the Joint Regulatory Oversight Committee (JROC).

What is the role of the FCA in open banking regulation?

The FCA authorises and supervises all Third Party Providers (TPPs) operating in the UK open banking ecosystem, including Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Firms must meet strict requirements around consumer consent, data minimisation, Strong Customer Authentication (SCA), and complaint handling. The FCA’s Consumer Duty (effective July 2023) also applies to open banking providers, requiring them to demonstrate good outcomes for retail customers.

What is the JROC and what is it doing to open banking regulation?

The Joint Regulatory Oversight Committee (JROC), established in 2022 and co-chaired by the FCA and the Payment Systems Regulator (PSR), is overseeing the next phase of open banking in the UK. Its April 2023 roadmap set out priorities including Variable Recurring Payments (VRPs), a new governance body to replace Open Banking Ltd, and extending open banking to more use cases. The UK’s approach diverges from the EU’s PSD3 framework, giving UK regulators more flexibility.

Open Banking in Practice: The nine CMA-mandated banks — Barclays, HSBC, Lloyds, NatWest, Santander, Nationwide, AIB Group UK, Bank of Ireland UK, and Danske Bank — must all maintain open banking API infrastructure. Non-mandated banks may voluntarily participate. The PSR oversees the payment side, while the FCA oversees data access.

FAQ

Is the UK still following EU open banking rules after Brexit?

The UK retained PSD2 regulations but is now developing its own framework via JROC, which may diverge further from the EU’s PSD3 approach.

What is Strong Customer Authentication in open banking?

SCA requires users to verify their identity using at least two factors — such as a password and a one-time code — before granting open banking access.

Can I complain to the FCA if an open banking provider misuses my data?

Yes — you can report concerns to the FCA and also to the ICO if the issue relates to personal data protection under UK GDPR.