Skip to main content

UK Open Banking

UK Open Banking requires major banks to share account data and enable payments through standardized, secure APIs with customer consent. It is enforced by the CMA and FCA and underpins a regulated ecosystem of account-information and payment-initiation providers.

Jurisdiction
United Kingdom

What UK Open Banking Is and Why It Exists

UK Open Banking is a framework that requires the country's largest banks to let customers securely share their account data, and authorize payments, through standardized application programming interfaces (APIs). It grew out of a 2016 order by the Competition and Markets Authority and was implemented alongside the EU's PSD2, with the Open Banking Implementation Entity creating common technical and operational standards. It went live in January 2018.

Open Banking exists to increase competition and innovation in UK financial services. By giving regulated third parties controlled access to bank data, it enables new budgeting, lending, and payment products that the customer, not the bank, controls.

Who It Applies To

The original mandate applied to the nine largest UK current-account providers (the "CMA9"), which were required to build compliant APIs. The broader ecosystem includes Account Information Service Providers and Payment Initiation Service Providers authorized by the Financial Conduct Authority. Many smaller banks and building societies have since adopted the standards voluntarily to participate in the ecosystem.

Key Requirements

  • Standardized APIs: mandated banks must expose Open Banking Standard APIs for account information and payment initiation.
  • Strong Customer Authentication: access and payments require SCA, consistent with the UK's payment-services rules.
  • Consent and control: customers must explicitly grant, view, and revoke third-party access.
  • Security and identity: the framework relies on OAuth 2.0 and OpenID Connect patterns and a directory for identifying participants.
  • Reliability: APIs must meet availability and performance expectations and report on them.

Penalties for Non-Compliance

Enforcement runs through the Competition and Markets Authority for the original order and the Financial Conduct Authority for payment-services obligations. Consequences include directions to remedy deficiencies, public reporting of poor API performance, and the broader penalties available under UK payment-services regulation, such as fines and restrictions on authorization. Persistent API outages or non-compliance also bring competitive and reputational costs.

How to Comply

  • For mandated banks, implement and maintain the Open Banking Standard APIs to the required quality and availability.
  • Apply Strong Customer Authentication and robust consent management.
  • Use the central directory and security profiles for trusted identification of third-party providers.
  • Monitor and publish API performance metrics.
  • For third parties, obtain FCA authorization and integrate against the published standards.

UK Open Banking is widely regarded as a leading real-world implementation of standardized, consent-driven financial data sharing.

Governance Transition and Future Direction

The UK Open Banking ecosystem has matured beyond its original CMA mandate, with oversight transitioning toward a longer-term regulatory and commercial framework and a future entity to steward standards. Attention is shifting from basic data access toward variable recurring payments, premium APIs, and the broader vision of "smart data" and open finance across more sectors. For builders, the stable foundations, standardized APIs, strong customer authentication, and consent management remain essential, while new commercial models are emerging on top. Firms that maintain high-quality, reliable API implementations and clear consent experiences are best placed to participate as the ecosystem expands beyond its initial banking scope.