
What open banking means for data, consent and consumer rights


As open banking adoption grows, control over financial data is dispersed across multiple parties, leading to new challenges around consent, privacy and consumer protections.

Open banking is starting to pose real competition to traditional payment methods such as card transactions, with e-commerce platforms like Amazon recently adding pay-by-bank at checkout in the UK.

It is also being embedded into financial management tools, where users can connect their bank account to a budgeting app and see balances and transaction history without logging into multiple banking platforms.

These use cases rely on open banking, but unlike traditional payments, they involve more than a one-off exchange of information. In many cases, they grant ongoing access to financial data, which introduces a different set of challenges.

Open banking works by sharing data between banks and approved third parties through APIs, and that sharing can persist for as long as the user’s consent remains active.

As a result, responsibility for that data is no longer held by just banks. Third-party providers now play a direct role in how financial information is accessed, used and stored.

Therefore, as open banking becomes more mainstream, many of the questions it faces concern data, particularly privacy, consent and consumer rights.

What open banking data includes

Depending on the service, a third party may be given access to:

  • Account data, including balances, transaction histories, merchant details and spending patterns
  • Identity and verification data, used to support financial activity, authentication and fraud checks
  • Income and affordability data, such as recurring payments and salary deposits, used to assess creditworthiness
  • Behavioural profiling, which categorises spending habits, lifestyle indicators and merchant preferences
  • Risk and anomaly signals that flag unusual transaction activity, which may point to fraud or financial distress

This level of visibility enables a wide range of open banking use cases, but it also means the data being shared is highly sensitive.


Privacy in a shared data ecosystem

Although the term “open banking” is debated within the industry as somewhat misleading, the system itself is generally considered secure.

APIs (application programming interfaces) act as connectors between systems and allow data to be shared without the third party ever handling the user’s banking login credentials; in the usual redirect-based flows the third party instead receives a scoped, expiring access token issued by the bank. Customer authentication adds another layer of protection by requiring the user to approve each request at their own bank.

In practice, this means data flows across a network of regulated third-party providers, each operating its own systems, controls and security standards. Once data leaves the bank, its protection depends as much on the third party’s controls as on the bank’s.

This increased level of access creates a greater surface area for risk, including technical vulnerabilities, operational failures and the potential for misuse.

How access is built on consent

Before any data is shared, users must approve the request through their bank’s authentication process. This involves reviewing the type of access being requested and confirming via methods such as passwords, PINs, biometrics, or multi‑factor authentication.

In many frameworks, access is time-limited, requiring users to reauthorise connections after a set period. In addition, users can revoke access at any time, giving them ongoing control over who can interact with their data.
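The consent model described above (user-approved scope, time-limited access, revocation at any time) only protects the user if the bank enforces it on every API call, not just at the moment of approval. The following is an added example, not code from the original article or from any open banking standard, of the bank-side authorisation check a practitioner would expect: each request from a third-party provider is checked against the stored consent for provider identity, revocation, expiry and granted scope. The permission names, provider identifiers and 90-day lifetime are illustrative assumptions, not a real scope list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Tuple

# Illustrative permission names (an assumption for this example), styled after
# the read-permissions used by account-access APIs; not a real scope list.
ALL_PERMISSIONS = frozenset({
    "ReadAccountsBasic",
    "ReadBalances",
    "ReadTransactionsDetail",
})


@dataclass
class Consent:
    """What the bank records once the user has approved a third party's request."""
    consent_id: str
    tpp_id: str                   # the third-party provider the consent was granted to
    permissions: FrozenSet[str]   # only the scopes the user actually approved
    expires_at: datetime          # access is time-limited and must be reauthorised
    revoked: bool = False         # the user can withdraw access at any time


class ConsentStore:
    """Bank-side store of consents plus the check run on every data request."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}

    def grant(self, consent_id: str, tpp_id: str, permissions: Iterable[str],
              now: datetime, lifetime: timedelta = timedelta(days=90)) -> Consent:
        # Reject anything outside the known permission set so a provider cannot
        # smuggle an unknown or over-broad scope through the approval screen.
        requested = frozenset(permissions)
        unknown = requested - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions requested: {sorted(unknown)}")
        consent = Consent(consent_id, tpp_id, requested, now + lifetime)
        self._consents[consent_id] = consent
        return consent

    def revoke(self, consent_id: str) -> None:
        # User-initiated withdrawal; takes effect on the very next request.
        self._consents[consent_id].revoked = True

    def authorize(self, consent_id: str, tpp_id: str, permission: str,
                  now: datetime) -> Tuple[bool, str]:
        """Decide whether a provider's request is covered by the stored consent."""
        consent = self._consents.get(consent_id)
        if consent is None:
            return False, "no such consent"
        if consent.tpp_id != tpp_id:
            # A consent is bound to the provider it was granted to; another
            # provider presenting the same consent id gets nothing.
            return False, "consent belongs to a different provider"
        if consent.revoked:
            return False, "consent revoked by user"
        if now >= consent.expires_at:
            return False, "consent expired; user must reauthorise"
        if permission not in consent.permissions:
            # Scope enforcement: a balance-only consent does not unlock transactions.
            return False, f"permission {permission} not granted"
        return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: a budgeting app granted balances but not transactions.
    store = ConsentStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.grant("consent-1", "tpp-budget-app", {"ReadAccountsBasic", "ReadBalances"}, t0)
    later = t0 + timedelta(days=1)
    print(store.authorize("consent-1", "tpp-budget-app", "ReadBalances", later))
    print(store.authorize("consent-1", "tpp-budget-app", "ReadTransactionsDetail", later))
    print(store.authorize("consent-1", "tpp-budget-app", "ReadBalances", t0 + timedelta(days=90)))
    store.revoke("consent-1")
    print(store.authorize("consent-1", "tpp-budget-app", "ReadBalances", later))
```

The order of the checks matters less than the fact that every one of them runs on every call: a consent that was valid when the user approved it can be revoked or expire minutes later, and the provider identity check stops one provider's consent being replayed by another.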

While this model aims to put user control first, its effectiveness heavily depends on how well it is understood.

Consent flows can be complex, as users may be presented with technical language or multiple permission requests, making it difficult to fully understand what they are agreeing to.

This creates a gap between compliance and informed consent, where a user may technically approve access, but without a proper understanding of the scope or implications.

Consumer rights and accountability

In addition to consent, open banking frameworks are built around a set of consumer rights intended to give users control over their data.

These include the ability to access their financial information, grant and withdraw permissions, and understand how their data is being used.

In the event of an issue, such as unauthorised access or misuse of data, users also have the right to seek redress.

However, enforcing these rights is not always simple because of the number of parties involved.

Banks, third-party providers and, in some cases, additional intermediaries all play a role in delivering open banking services. This shared model means that responsibility is distributed rather than centralised.

When something goes wrong, determining where liability sits is not always straightforward. It depends on the nature of the issue, the roles of each participant and the regulatory framework in place.

Another key challenge open banking faces in competing with card payments is consumer protection.

Card payments offer protections such as chargebacks, whereas open banking transactions do not always offer the same safety net, which has been a major talking point around adoption in the UK.

This places more emphasis on clear accountability and transparent processes to build and maintain user confidence. Without strong safeguards, users risk losing the protections they have come to expect from traditional payment methods.

Regulatory frameworks in open banking

Open banking in the UK has been led by a structured framework, with standardised APIs and rules around data access and security. This has helped create a more consistent user experience and clear responsibilities. 

In the European Union, open banking is based on the Payment Services Directive (PSD2), as well as other data protection requirements such as the General Data Protection Regulation (GDPR). 

While this offers a legal foundation, adoption has varied across member states. The European Commission has proposed PSD3 and a new Payment Services Regulation to close these gaps, aiming to create more consistency and bolster consumer protections.

The US has taken a more market-led approach, with data sharing often governed by bilateral agreements rather than a single regulatory standard.

These differences affect how consistently privacy and consent are managed, and how easily users can understand and trust the system.
