
Fintech
Open Banking APIs and Offshore Structures: Regulatory and Technical Intersections
PSD2 open banking requirements apply to payment service providers operating in the EU regardless of where the holding entity is incorporated. Understanding the extraterritorial reach is essential.
2026
The Open Banking Landscape in 2025
Open banking — the regulatory requirement for banks and payment institutions to provide third-party access to customer account data and payment initiation capabilities through standardised APIs — has transformed European financial services since the Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) came into full effect in September 2019.
For offshore-structured fintech businesses, open banking creates both opportunity and regulatory complexity. The opportunity lies in building innovative financial products on top of bank APIs without needing to hold customer deposits. The complexity lies in the extraterritorial reach of PSD2 and its successor framework, which captures any entity providing payment services to EU customers regardless of where the holding company is incorporated.
PSD2 and Its Successor: The Regulatory Framework
PSD2 Core Provisions
PSD2 introduced two new categories of regulated payment service that form the foundation of open banking:
Account Information Services (AIS): AIS providers aggregate account data from multiple banks into a single interface, with the account holder's consent. This enables personal finance management, creditworthiness assessment, and financial dashboards.
Payment Initiation Services (PIS): PIS providers initiate payments directly from a customer's bank account to a merchant or recipient, bypassing card networks. This enables bank-to-bank payments through the customer's online banking interface.
Both AIS and PIS are regulated payment services under PSD2. Providers must be one of the following:
- Authorised as a payment institution (PI) under PSD2
- Registered as an Account Information Service Provider (AISP) — a lighter registration for firms providing AIS only
- Authorised as an EMI or credit institution that also provides AIS or PIS
PSD3 and the Payment Services Regulation
The European Commission proposed PSD3 (a new directive) and the Payment Services Regulation (PSR) in June 2023, which are expected to enter into force by 2026. Key changes relevant to open banking include:
- Enhanced API standards: More prescriptive requirements for bank APIs to ensure consistent performance and availability
- Dashboard for consent management: Customers must have access to a dashboard showing all third-party access to their accounts
- Expanded scope: The PSR will be directly applicable in all member states, eliminating inconsistencies in national transposition
- Liability framework: Clearer allocation of liability between banks, AISPs, and PISPs for unauthorised transactions
The Extraterritorial Question
When Does PSD2 Apply to Offshore Entities?
PSD2 applies to payment services provided "within the Union." The critical question for offshore-structured fintechs is whether the provision of AIS or PIS to EU-based customers by a group with an offshore holding company triggers PSD2.
The answer is clear: yes, if the payment service is provided to EU customers through an entity that either:
- Is established in the EU, or
- Provides services from outside the EU to customers located in the EU
In practice, this means:
- An offshore holding company (Cayman, BVI, Singapore) can own an EU-licensed payment institution that provides AIS and PIS — this is the standard structure
- The offshore parent does not itself require PSD2 authorisation, provided it does not directly provide payment services
- The EU subsidiary must hold a PI licence, EMI licence, or AISP registration in an EU member state
- The EU subsidiary must meet substance requirements in its licensing jurisdiction
Structuring for Open Banking
A typical offshore fintech structure for open banking services involves:
- Offshore holding company (Cayman, BVI, or Singapore) — holds group IP, equity, and investment
- EU-licensed operating entity (Lithuania, Ireland, Netherlands, or another EU member state) — holds the PI licence or AISP registration and provides open banking services
- Technology subsidiary (UK, Portugal, or elsewhere) — employs the development team and manages the API infrastructure
- Passporting — the EU-licensed entity passports its services across the EEA via PSD2's single market framework
Technical Infrastructure
Connecting to Bank APIs
Open banking APIs in the EU are standardised through several competing specifications:
Berlin Group (NextGenPSD2): The dominant API standard in continental Europe. Used by banks in Germany, France, Italy, Spain, and most other EU member states. Provides standardised endpoints for AIS (account information), PIS (payment initiation), and PIIS (payment instrument issuing) services.
Open Banking UK: The UK's Open Banking Implementation Entity (OBIE) developed a comprehensive API standard used by all major UK banks. This standard is separate from Berlin Group and requires distinct technical integration.
STET (France): A French-specific API standard used by major French banks alongside Berlin Group.
Polish API: Poland's banking association developed a national API standard that differs from Berlin Group.
In practice, a fintech building a pan-European open banking product must integrate with multiple API standards and potentially hundreds of individual bank APIs, each with their own implementation nuances.
API Aggregators
Rather than integrating directly with each bank, most fintechs use open banking API aggregators that provide a single integration point:
- Plaid: Originally US-focused, now covering EU and UK banks
- TrueLayer: UK and EU coverage with strong PIS capabilities
- Tink (Visa): Pan-European coverage; acquired by Visa
- Yapily: EU and UK coverage with a developer-friendly API
- Salt Edge: Broad European coverage including Eastern European banks
- Nordigen (GoCardless): Free AIS API tier with good Northern European coverage
Using an aggregator significantly reduces integration complexity but introduces a dependency and margin cost.
Strong Customer Authentication (SCA)
All PSD2 payment services are subject to Strong Customer Authentication requirements (Commission Delegated Regulation (EU) 2018/389). For open banking:
- AIS: The customer must authenticate with their bank (typically through a redirect to the bank's authentication interface) before granting access. Re-authentication is required at least every 180 days for recurring access
- PIS: Each payment initiation requires SCA by the customer through the bank's authentication interface
SCA introduces friction into the user experience and is a significant design consideration for open banking products.
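The two SCA rules above can be enforced on the provider's side before any call goes out to a bank, so that stale or revoked consents fail closed instead of producing rejected requests. The following is an added example, not code from the original article or from any API standard; the `Consent` record, the `sca_decision` function and the sample data are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Re-authentication window for recurring AIS access, as stated above.
AIS_REAUTH_WINDOW = timedelta(days=180)


@dataclass
class Consent:
    """Provider-side record of an AIS consent (hypothetical schema)."""
    consent_id: str
    last_sca_at: datetime  # when the customer last completed SCA at the bank
    revoked: bool = False


def sca_decision(service: str, now: datetime,
                 consent: Optional[Consent] = None) -> str:
    """Return 'allow' or 'sca_required' for an outgoing bank API call."""
    if service == "PIS":
        # Every payment initiation needs its own SCA; nothing is reusable.
        return "sca_required"
    if service != "AIS":
        raise ValueError(f"unknown service: {service!r}")
    if consent is None or consent.revoked:
        return "sca_required"
    if consent.last_sca_at.tzinfo is None or now.tzinfo is None:
        # Naive timestamps make the window ambiguous; fail closed.
        return "sca_required"
    if consent.last_sca_at > now:
        # SCA time in the future means bad data or clock skew; fail closed.
        return "sca_required"
    if now - consent.last_sca_at >= AIS_REAUTH_WINDOW:
        return "sca_required"
    return "allow"


# Constructed sample data, not real consents.
NOW = datetime(2025, 7, 1, 12, 0, tzinfo=timezone.utc)
FRESH = Consent("c-001", NOW - timedelta(days=30))
STALE = Consent("c-002", NOW - timedelta(days=180))
REVOKED = Consent("c-003", NOW - timedelta(days=1), revoked=True)

if __name__ == "__main__":
    for c in (FRESH, STALE, REVOKED):
        print(c.consent_id, sca_decision("AIS", NOW, c))
    print("payment", sca_decision("PIS", NOW, FRESH))
```

The bank remains the party that enforces SCA; this check only keeps the provider from sending requests under a consent it already knows to be unusable.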
Commercial Applications
Account Aggregation
The most established open banking use case. Fintechs aggregate a customer's accounts across multiple banks into a single dashboard, providing:
- Consolidated balance and transaction views
- Spending categorisation and analytics
- Budgeting tools
- Credit score monitoring
Payment Initiation
PIS enables several commercial models:
- E-commerce payments: Bank-to-bank payments as an alternative to card payments, typically at lower cost to the merchant (0.1-0.5% vs. 1-3% for cards)
- Recurring payments: Variable recurring payments (VRPs) allow PISPs to initiate regular payments of varying amounts with the customer's standing consent
- Payroll: Direct salary payments from employer bank accounts to employee bank accounts
- Debt collection: Automated payment collection from debtor accounts (with consent)
Creditworthiness Assessment
AIS data enables lenders to assess creditworthiness by analysing a customer's transaction history directly, rather than relying solely on credit bureau data. This is particularly valuable for:
- Thin-file customers (those with limited credit history)
- Self-employed individuals
- Cross-border lending decisions
Verification Services
Open banking data can verify:
- Account ownership (confirming that a customer owns a specific bank account)
- Income verification (confirming salary deposits)
- Affordability assessment (analysing spending patterns against income)
Compliance Considerations for Offshore Fintechs
Licensing: AIS-only providers can register as AISPs under a lighter regime (no capital requirement in most jurisdictions). PIS providers must obtain a full PI licence with capital requirements of €50,000-€125,000.
Data protection: Open banking involves processing personal financial data. GDPR applies to all personal data of EU residents, regardless of where the data processor is located. The offshore holding company, if it processes personal data, must comply with GDPR, including appointing an EU representative under Article 27 if it has no EU establishment.
Consumer protection: PSD2 imposes liability obligations on PISPs for unauthorised transactions. The EU-licensed entity must have adequate insurance or own funds to cover potential claims.
Contractual framework: The relationship between the offshore holding company, the EU-licensed entity, and any technology subsidiaries must be documented with appropriate intra-group agreements covering data processing, technology services, and regulatory compliance responsibilities.
Key Takeaways
- PSD2 open banking requirements apply to any entity providing AIS or PIS to EU customers, regardless of where the group's holding company is incorporated — an EU-licensed subsidiary is required
- The standard structure for offshore fintechs in open banking is an offshore holding company with an EU-licensed PI or AISP subsidiary that passports across the EEA
- Multiple API standards exist across Europe (Berlin Group, Open Banking UK, STET), and API aggregators (Plaid, TrueLayer, Tink, Yapily) simplify integration at the cost of margin and dependency
- AIS-only businesses benefit from a lighter registration regime with no capital requirement; PIS businesses require full PI licensing with €50,000-€125,000 in capital
- PSD3 and the Payment Services Regulation will further standardise API performance requirements and introduce mandatory consent dashboards
- GDPR applies to all personal financial data processed through open banking, regardless of the processor's jurisdiction — offshore entities processing EU personal data must comply
- Open banking creates significant commercial opportunities in payment initiation, account aggregation, creditworthiness assessment, and verification services, all of which can be delivered through an offshore-structured fintech with appropriate EU licensing