Open banking regulation has existed since versions were introduced in 2018 by the UK, the European Union and Mexico.
Since then, Brazil, India and South Korea have emerged as the biggest success stories for open banking. In Brazil and Korea, open banking – data-sharing around payments and bank deposits – has expanded to open finance, including insurance, investments, and pensions. In India, it is driving financial inclusion.
Several countries are also pursuing more expansive regulation, including Australia, Korea and the United Arab Emirates. Their frameworks incorporate non-financial sectors including energy, telecommunications, and healthcare.
Collectively these experiences provide a window into what open banking is, its variety, what it can achieve, and its limitations. They also illuminate the regulatory and design issues that other countries, including many in Asia, must consider as they look to promote open banking.
Open banking
Open banking is the sharing of customer information, upon the customer’s request or consent, with third parties by data holders (banks or other financial institutions). This may include orders to initiate a payment from the customer’s bank account to purchase a service with the third party.
Governments have different reasons to promote open banking: to expand financial inclusion, to foster competition, to grow the menu of services available to consumers, or to encourage innovation.
While none of these goals are mutually exclusive or incompatible, the enabling legislation or regulation must reside somewhere, which colors the way open banking unfolds.
For example, the UK and Australia drive open banking through their competition authorities, while the European Union’s framework stems from its payments regulation, and Brazil’s is pushed by its central bank.
It’s also worth noting that many countries have commercial open-banking relationships that are purely private-sector initiatives; or they have some more limited regimes, operated by banking regulators, with narrower scope – such as Switzerland, Singapore, and Hong Kong. India is unique in that it has a comprehensive open-banking framework, but it’s voluntary. The United States had a purely market-based approach until last year, when it passed long-awaited enabling legislation from the Dodd-Franks Act – but it is unclear whether the new Trump administration will honor it, or gut it.
This article will focus on the global leaders, however, as in aggregate they have the most useful lessons to share.
Why do it?
The biggest question about open banking is whether it’s worth the effort.
Data sharing isn’t a novelty. In the past it involved screen scraping, a longstanding practice by fintechs to copy information displayed on a web screen, and use that information for financial aggregation or another use. Scraping is messy, though, even if authorized by a customer. Data ownership is disputable; access to website information can be patchy; it’s slow; and it poses security risks.
Moving from this janky hacker approach to a smooth, consent-managed, licensed system where property rights are clear is a big reason why the UK and EU introduced open banking. This kind of sharing relies on application programming interfaces (APIs), connective software that allows streamlined, secure and efficient transmission of data.
But moving data via API also has its costs. Building and maintaining APIs, consent-management protocols, and related cybersecurity and data protection measures is expensive.
There are also risks.
Banks resist letting go of data they regard as theirs to keep, as stewards if not owners. While banks often resent open-API mandates, and treat them as compliance exercises, it’s also true that shifting too much power to fintechs could make commercial banking unprofitable. As the Silicon Valley Bank episode highlighted, highly digitalized systems with fluid money movements can catalyze a bank run; they also make cyberattacks more likely.
Poor guardrails mean data is used to discriminate against consumers, not empower them. And a badly regulated regime could allow third parties to abuse data or evade regulation.
Who’s using it?
The simplest way, therefore, to weigh the benefits against the costs and risks is to ask, are consumers using open banking to make payments and conduct other transactions?
The picture is mixed.
The earlier regimes took a long time to see users adopt open banking. The UK, for example, took six years to reach about 12 million users, or 13 percent of bank account holders. In Australia, the government doesn’t release user counts, but the Australian Bankers Association complains the numbers are negligible.
The pace of usage is increasing, however. The UK’s Open Banking Limited (the UK’s open banking authority) says people using open banking now make 22 million transactions a month. Additional reforms in Australia will now enable payment initiations (people can request third parties make transactions straight out of their bank accounts), beefing up the regime’s utility.
Other markets, meanwhile, have seen dramatic uptake. The biggest is Korea, where 54.8 million people use open finance. In Brazil it’s 35 million people. India’s open-banking regime is based on the ‘India Stack’, and 350 million people use its United Payments Interface.
In all three cases, authorities set out purposeful enabling regulation that began with targeted uses but quickly expanded. These efforts engaged banks, fintechs and third parties from the outset. They also rode on the back of critical payments infrastructure and a locally vibrant fintech industry. Finally, they both centralized API standards.
South Korea
Korea launched open banking in 2019, requiring banks to build APIs for sharing account balances and transaction histories. It soon expanded to include non-banks such as stockbrokers and insurers – and fintechs and Big Tech companies too, which must also share data upon request.
Seoul followed up with digital-ID initiatives and expanded the scope of data, as well as its granularity, so that all kinds of data – financial and non-financial – could be warehoused in one place. This led to use cases including loans, leases, insurance, pensions, credit cards, and paying telecom bills.
In 2022 the government took another important step by mandating consumers be allowed to take their data with them, including data related to healthcare records, energy usage, transportation, education, real estate, and more.
Portability isn’t necessarily best practice for open banking: it may be better to drive interoperability by letting people use their data in its original location, rather than move it from the platform. But where the law doesn’t mandate this, portability is another means of driving competition.
To turn information into useful services, fintechs have been empowered to use the data for advisory services, intermediation, marketing, and even direct provision of financial services. Creating this environment powered several of Korea’s biggest fintechs and digital banks, such as Toss.
This wouldn’t be possible without involving the traditional banks, though, which have also aggressively rolled out open-banking services. The competitive threat has made the likes of Shinhan Bank very digitally competitive.
The biggest takeaway from Korea is the need for collaboration among regulators, legislators, banks, and fintechs, to ensure interoperability. It helps that the retail payment system and the open-banking system are managed by the same regulator (The Korea Financial Telecommunications and Clearing Institute), which ensures APIs are compatible.
Brazil
Brazil is a newer entrant. Its Banco Central do Brasil and its affiliate responsible for monetary policies, the Conselho Monetário Nacional (CMN), launched open banking in 2021. In Year One, the system had as many users as the UK had managed in four years.
Like in Korea, complete interoperability (but based on in-place data, rather than portability) was key to success. So was a comprehensive legislative and regulatory framework. CMN defined API standards and enabled payment initiation services from the beginning. Within Latin America, this contrasts with Mexico, which was the first-mover in open banking. But Mexico didn’t standardize APIs or allow payment services initiation, and it was eclipsed.
Brazil drew on the existence of Pix, the central bank’s domestic real-time payments system built for mobile and online transacting, which only launched in 2020 but has become the primary way Brazilians make domestic payments. BCB reported in January that in 2024, it processed 64 billion Pix transactions, a 53 percent growth from 2023, far exceeding the volume of debit and credit card transactions.
With that backbone, open banking could quickly expand to open finance, incorporating savings, investments, mortgages, insurance, and pensions. It is now evolving to create banking-as-a-service models that will allow consumers to make payments for third-party services within the third party’s app, instead of having to switch back to a bank’s app.
India
India has combined a centralized, top-down approach to API standards and a compulsory digital infrastructure including Aadhaar, its identity platform, and voluntary services such as its Account Aggregator network, part of its United Payments Interface. These components of the India Stack allow businesses, consumers, and the government to transact electronically, based on a foundation of unique data identifiers.
Unlike Brazil and Korea, open banking in India is voluntary. This is possible because India’s commercial banks are already strong and digitally capable. Another facet in India is the ultra-low cost of data. In other countries such as the UK, making open banking compulsory has been critical to adoption, but India has opted use data law instead: in India, data is encrypted and aggregators cannot access or use it beyond an express purpose. This builds trust.
The Account Aggregator was introduced in 2021 to share financial information in order to improve credit access for customers, especially micro- and small businesses. Customers give an aggregator consent to share their information with a third party, be it a bank or a fintech lender. Importantly, the aggregators don’t have access to the data and can’t hold onto it: they can only collect and transfer it. As of end 2023, aggregators handled a cumulative 148 million customer requests, of which 40 million were fulfilled.
Consumer trust
India, Korea and Brazil have worked to broaden the scope of financial data that can be shared, while making the process very user-friendly. The sharing takes place among regulated entities. India and Korea base this on data-portability regulation, while in Brazil the authority is provided by the central bank.
Even in these places, however, consumer understanding of open banking is limited. People are wary of scams. They don’t necessarily trust third parties. If this is still true in Brazil, it’s even more so elsewhere. This cuts to the complaints that many banks make about open systems: there are no uses cases because customers don’t value this.
In Australia, the government budgeted A$88 million to launch open banking – mainly to mitigate integration costs for smaller banks, but also to support a marketing effort. It doesn’t seem to have made an impact.
The big lessons are an inclusive approach between banks, fintechs, and authorities; an existing IT payments infrastructure and a robust fintech or digital banking marketplace; and a comprehensive legislative and regulatory framework that has a clear progression but is staged, so as to not overwhelm the system. The Korean and Brazilian examples show that it doesn’t take long to evolve into an open finance regime, if the basics are established.
More questions
Other questions are not as clearly answered.
For example, should APIs be standardized by a central regulatory authority? For Brazil, India and Korea, the answer was yes, but this may not be gospel. Centralization has the advantage of clarity and speed. It could, however, hamper competition, differentiation, and innovation.
A decentralized approach may be better for cybersecurity, too. But if there’s not a mandated standard, there needs to be regulation to promote interoperability, which begins with data protection and portability.
Another question is treating third parties: should these be subjected to a government license, which implies an accreditation process? Will people trust them if they’re licensed? Or are banks better off deciding who meets their specifications? Should banks be allowed to work only with preferred partners, or should there be some threshold at which point the customer can insist on having their data shared with another party? There is a variety of approaches around the world and it’s too early to say if one model is the best.
Should data sharing be accompanied by payment initiation? Probably yes, although how this is managed may depend on the strength of the banks, to ensure they aren’t undermined. Initiation can lead to services like recurring payments, and is key to making the leap from open banking to open finance, but it requires a sensible regulatory framework.
What adjacent digital infrastructure is required? The leaders in open banking show the need for good payments rails. Many Asian countries boast world-beating domestic payment infrastructure. What’s more useful is connecting this to non-financial services, and to digital identity frameworks, as India has done (although there are other models for digital ID than a centralized database). These will allow the rapid expansion of open finance uses.
Thinking ahead
The UAE is a newcomer to open banking. Its blueprint calls for open banking to go live in 2026, but including insurance and lending from the outset – more of a big bang, which will be a good test for how quickly a user base can adopt these services. But the UAE is also driving regulation for crypto, licensing stablecoins, and experimenting with cross-border payments on blockchain in Project mBridge (with China, Hong Kong and Thailand).
The longer-term potential for open finance seems necessary for fully realizing the potential of emergent tech like AI agents and digital assets. In the crypto world, DeFi rails rule, and self-owned wallets allow all manner of assets and liabilities to be packaged as tokens. The world of conventional banking is based on accounts, not wallets. The real leap in open finance could be about adapting data-sharing consent mechanisms to connect the old world and the new.
