When OpenAI launched its personal-finance surface in the United States on May 15, 2026, it did so the American way: permissionlessly. Connect your accounts through Plaid, across more than 12,000 institutions, and the surface builds a picture of your money — no license required, no regulator consulted, no mandate invoked. The aggregator layer existed, the read-only access was available, and the product shipped.

That rollout does not translate to Europe. In the EU, every layer the US surface treated as permissionless is, instead, a mandate — a licensed, consent-governed, API-quality-regulated activity defined by a stack of regulation with no American equivalent.

The foundation is the open-banking regime. PSD2 made account access a regulated activity in 2018; its successor, the Payment Services Regulation and Third Payment Services Directive, reached provisional agreement on November 27, 2025, with final texts expected in the Official Journal in 2026 and core obligations landing across 2027. In Europe, a service that reads your bank data is a licensed third-party provider operating under a directly-applicable rulebook — not a company that bought an API key.

The expansion is the open-finance regime. The Financial Data Access regulation — FIDA — extends open-banking logic from payment accounts to investments, pensions, insurance, mortgages, and loans, and creates an entirely new licensed category, the Financial Information Service Provider, to govern who may touch that data. FIDA was still in trilogue as of April 2026, with operational dates likely around 2029-2030. The data the US surface aggregates freely is, in Europe, data whose access is being purpose-built into a consent-and-license regime.

The overlay is the AI regime. The EU AI Act classifies AI systems used for credit scoring and creditworthiness assessment as high-risk, with full obligations landing August 2, 2026, and it is supervised — for systems connected to financial services — not by a tech regulator but by financial supervisors like Germany’s BaFin. A general-purpose model grounded in a user’s complete financial life sits uncomfortably close to the high-risk line, and the obligations escalate sharply if it crosses it.

The structural argument I want to make: the US conversational-finance surface is a product built on a permissionless substrate, and Europe does not have a permissionless substrate — it has a mandate at every layer. The same surface, brought to Europe, is not a product launch. It is a licensing project, a consent-architecture project, and an AI-classification project, conducted under three overlapping regimes enforced by financial regulators with the power to fine up to 7% of global turnover.

The headline integrative finding: Europe’s regulation is not merely a slower or stricter version of the American environment — it is a different architecture, and the difference inverts the build. In the US, the surface is the product and compliance is an afterthought. In Europe, compliance is the product — the license, the consent dashboard, the API conformity, the AI classification are the architecture, and the conversational experience is the thin layer on top. The European version of the US surface is not the US surface with a GDPR banner. It is a different company, built mandate-first, and the firms positioned to build it are not the ones that won the US.

This essay walks the permissionless American substrate, the PSD2-to-PSD3 open-banking mandate, the FIDA open-finance expansion, the AI Act overlay, the consent architecture that replaces the US “connect” button, who is actually positioned to build the European surface, and the structural reading of a market where compliance is the architecture rather than the constraint.

The mandate. Why the US conversational-finance surface does not translate to Europe.
Thorsten Meyer AI · Agentic Commerce · § 03 · Essay · Regulatory-Architecture Reading · 2026-05-26

In the US, account access is a product you buy and consent is a button you tap. In Europe, both are mandates you are licensed and supervised to fulfill.
The US surface shipped permissionlessly — connect via Plaid, 12,000+ institutions, read-only, no license. That rollout does not translate. In Europe every layer is a mandate. The foundation: PSD2 → PSD3/PSR (provisional agreement Nov 27 2025) makes account access a licensed, API-quality-supervised activity under a directly-applicable rulebook. The expansion: FIDA extends mandated access to investments, pensions, insurance, mortgages under a new FISP license — operational ~2029-2030, with a contested data-access fee at its core. The overlay: the EU AI Act classifies credit-scoring AI as high-risk (full obligations Aug 2 2026), supervised not by a tech regulator but by financial supervisors like BaFin. The structural argument: the US surface is built on a permissionless private substrate, and Europe has no permissionless substrate — it has a mandate at every layer. In the US compliance is an afterthought. In Europe, compliance is the architecture, and the conversational experience is the thin layer on top.
  • 3 · Overlapping mandates (payments, data, AI) vs zero in the US build
  • 7% · Of global turnover · the EU AI Act maximum penalty
  • 2029-30 · When FIDA, the full-picture data mandate, is likely operational
  • 0 · Permissionless routes to a European’s bank data · it is a licensed activity
FIG. 01 — THE SUBSTRATE · PRIVATE PRODUCT VS PUBLIC MANDATE
The US built account access privately and permissionlessly · Europe built it as public mandate
One architectural difference at the foundation propagates through the entire stack
United States
A product you buy
  • Access built by private aggregators — Plaid, Yodlee, MX, Finicity
  • No banking license required to read bank data
  • Read-only design sidesteps money-transmission rules
  • No single federal open-banking statute · the surface ships as a product
European Union
A mandate you fulfill
  • Access is a licensed activity — AISP / PISP under PSD2
  • Regulator authorization required; no permissionless route
  • Explicit, revocable, SCA-governed consent regime
  • A directly-applicable rulebook (PSR) · the surface must be licensed
The US surface shipped because the account-access layer it needed was already built, privately and permissionlessly, by Plaid — and because a read-only design kept it clear of the activities that trigger heavy regulation. That is the precise feature Europe does not share. Reading a European’s bank data without the right license is not a product — it is an unauthorized activity. The very first layer of the US build, the permissionless connect, is in Europe a regulatory authorization.
FIG. 02 — THE THREE-MANDATE STACK · WHAT THE SURFACE MUST SATISFY IN EUROPE
Payments, data, and AI — three overlapping regimes, all enforced by financial regulators
The US surface faced none of these at launch; the European surface faces all three at once
  • PSD3 / PSR · Payments mandate: Account access is a licensed activity (AISP/PISP). PSR directly applicable across 27 states. Mandatory API quality, screen-scraping eliminated, IBAN-name checks, expanded fraud liability.
  • FIDA · Data mandate: Extends mandated access to investments, pensions, insurance, mortgages, loans under a new FISP license. Standardized APIs + consent dashboards. A contested data-access fee may make aggregation cost money.
  • EU AI Act · AI mandate: Credit scoring + creditworthiness = high-risk (Annex III). Conformity assessment, documentation, human oversight. Supervised by financial regulators (BaFin, CSSF). Fines up to 7% of global turnover.
A finance surface in Europe must be licensed for payment-data access (or partner with someone who is), prepare for a FISP license to aggregate the full financial picture, and classify itself under the AI Act — where the most commercially attractive features (“what loan can I get?”) sit closest to the high-risk line. The AI that is “just a chatbot” in the US is, in Europe, a regulated system whose classification depends on exactly how useful it tries to be.
FIG. 03 — THE STAGGERED TIMELINE · A MOVING REGULATORY TARGET
The mandate is not one event but a sequence — and the staggering is a filter
The firms that win architect for the end-state mandate, not the current one
  • Aug 2025 (Live): EU AI Act · GPAI obligations live · the frontier models that power a finance surface already carry systemic-risk obligations
  • Nov 27 2025 (Agreed): PSD3/PSR provisional agreement · Parliament and Council reach political agreement; final texts expected in the Official Journal in 2026
  • Aug 2 2026 (Operative): EU AI Act · high-risk obligations land · credit-scoring / creditworthiness Annex III duties apply (subject to Digital Omnibus)
  • 2027 (Landing): PSD3/PSR core obligations · directly-applicable conduct rules land across the year after the transition
  • ~2029-2030 (Forming): FIDA operational · the full-picture data mandate and FISP license arrive, in staggered sector-by-sector “waves”
Building for PSD3 today while FIDA and the AI Act high-risk regime are still settling means building for a target that is still moving — which favors firms with the regulatory-intelligence capacity to track it and the patience to build for 2030 rather than ship for 2026. The staggered timeline is itself a filter: it selects for regulatory endurance over launch speed.
FIG. 04 — THE CONSENT ARCHITECTURE · WHAT REPLACES THE “CONNECT” BUTTON
The single most optimized moment of the US product is the single most regulated moment of the European one
The European surface cannot inherit the US onboarding · it must build a different, regulated core
The US default — collect broadly, use later — is the European violation. The consent dashboard, the granular permission model, the revocation flows, the purpose-binding, the audit trail are not features bolted onto the conversational experience; they are the regulated core that the experience sits on top of. The European surface is, by regulation, higher-friction at exactly the moment the US surface optimized for frictionlessness.
FIG. 05 — WHO BUILDS THE EUROPEAN SURFACE · THE REDISTRIBUTION OF ADVANTAGE
The mandate does not just slow the US surface — it changes who wins
Advantage moves from permissionless speed to licensed position
  • Disadvantaged · The US winners: A frontier lab + permissionless aggregator. Their core competency — permissionless speed and reach — is exactly what the mandate removes. No AISP/FISP license, no BaFin relationship. Arrive needing a license stack they don’t have.
  • Advantaged · Licensed EU fintechs: Already authorized AISPs/PISPs, PSD3-compliant API fleets, consent-native. “The lab + a licensed European partner” — and the partner holds more leverage than Plaid, because the license is scarcer than an API.
  • Advantaged · Incumbent banks: Already hold the data, licenses, consent relationships, supervisory standing. The incumbent disintermediated in the US thesis is, in Europe, structurally protected — the mandate that gates the challenger does not gate the bank.
In the US, the advantage went to whoever integrated the permissionless layer fastest and built the best surface on top. In Europe, it goes to whoever holds the licenses, the supervisory relationships, and the consent architecture. The mandate redistributes the advantage from the permissionless aggregator-and-lab toward the licensed incumbent-and-specialist — and Europe’s regulation is, among other things, an incumbent-protection architecture, whether or not that is its intent.
The architecture diverges at the foundation: the American surface treats account access as a product you buy and consent as a button you tap, while Europe treats both as mandates you are licensed and supervised to fulfill. In the US, you ship a finance surface. In Europe, you license one.

By Thorsten Meyer — May 2026

This is the third dispatch in the AI Agentic Commerce track. The first walked the launch of OpenAI’s personal-finance surface; the second walked the unbundling of the personal-finance-management apps that surface threatens. Both were US stories, built on the US substrate. This one asks what happens at the water’s edge — why the surface that reorganizes American consumer finance hits, in Europe, a wall of mandate that changes not just its speed but its shape.

The structural argument I want to make: the American AI-finance surface was possible because the United States built its open-banking layer privately and permissionlessly — Plaid, not a regulator, defined account access — while Europe built the same layer as public regulation. That single architectural difference, compounded across payments (PSD3/PSR), data (FIDA), and AI (the AI Act), means the European surface cannot be the American surface ported across the Atlantic. It must be re-architected around the mandate, and re-architecting around the mandate favors firms that are licensed, consent-native, and financially supervised — which the American winners, by and large, are not.

The headline integrative finding: The mandate is not only a barrier; it is also a moat and a market structure. It raises the cost of entry (you need licenses, not just an API key), it reshapes the product (consent dashboards and conformity assessments, not a “connect” button), and it redistributes the advantage (toward incumbents and licensed specialists, away from permissionless aggregators). Whether that produces a better consumer outcome or merely a slower, more concentrated one is the open question — but the architecture is unambiguous: in Europe, you do not ship a finance surface. You license one.

This essay walks the permissionless American substrate (Section I), the PSD2-to-PSD3 open-banking mandate (Section II), the FIDA open-finance expansion (Section III), the AI Act overlay (Section IV), the consent architecture (Section V), who is positioned to build the European surface (Section VI), and the structural reading of compliance-as-architecture (Section VII).


I · The permissionless American substrate · why the US surface shipped

The substrate crystallization. To understand why the US surface does not translate, you have to understand the thing it was built on — a privately-built, permissionless account-access layer that simply does not exist in the same form anywhere else.

How the US built account access

The private route: in the United States, account aggregation was built by private companies — Plaid, Yodlee, MX, Finicity — not mandated by a regulator. These aggregators negotiated access to bank data through a mix of API agreements and, historically, screen-scraping, and they assembled connectivity to thousands of institutions as a commercial product.

The permissionless quality: a developer who wants to read a user’s bank data in the US does not need a banking license, a regulator’s authorization, or a statutory consent framework. They need a Plaid account and the user’s credentials-based consent. Account access is a product you buy, not a permission you are granted.

Why this made the surface possible

The integration was off-the-shelf: when OpenAI built its finance surface, the hard part — connecting to 12,000+ institutions — was already solved by Plaid as a commercial integration. The surface plugged into an existing permissionless layer and inherited its reach instantly.

The read-only design sidestepped the rest: by keeping the surface read-only — no money movement, no trades, no bill payment — OpenAI stayed clear of the activities that do trigger heavy US regulation (money transmission, broker-dealer rules). The combination of a permissionless aggregator and a read-only design meant the surface could ship as a product, with compliance as a manageable afterthought rather than the foundation.

The American regulatory backdrop

Lighter and fragmented: the US has no single federal open-banking statute equivalent to PSD2. Open banking has been shaped by private aggregators and, more recently, by a contested CFPB rulemaking, against a state-by-state patchwork rather than a unified federal mandate. The regulatory environment was permissive enough, and fragmented enough, that the private layer filled the vacuum.

The substrate observation

The US surface shipped because the United States had already built, privately and permissionlessly, the account-access layer the surface needed — and because a read-only design kept it clear of the activities that trigger heavy regulation. The product was possible because the substrate was permissionless. That is the precise feature Europe does not share, and its absence is why the same product, in Europe, is not a product at all but a licensing project.



II · The open-banking mandate · PSD2 to PSD3/PSR

The payments-regime crystallization. Europe built the account-access layer the opposite way: not as a private product but as a public mandate, and that mandate is now being upgraded into something more prescriptive still.

What PSD2 already established

Access as a regulated activity: PSD2, applicable from 2018, made account access a licensed activity. A company that reads bank data is an Account Information Service Provider (AISP); a company that initiates payments is a Payment Initiation Service Provider (PISP). Both require authorization from a financial regulator. There is no permissionless route — reading a European’s bank data without the right license is not a product, it is an unauthorized activity.

Consent and SCA: PSD2 mandated strong customer authentication and an explicit, revocable consent regime. Access is granted by the customer through a regulated flow, not captured through credentials handed to an aggregator.

What PSD3/PSR change

The directly-applicable rulebook: on November 27, 2025, the European Parliament and Council reached provisional agreement on the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3). The crucial structural move: most conduct rules — SCA, open banking, fraud liability, API standards — move into the PSR, a regulation that is directly applicable across all 27 member states without national transposition. PSD2’s fragmentation, where each member state interpreted the rules differently, is being replaced by a single rulebook. Final texts are expected in the Official Journal in 2026, with core obligations landing across 2027 after the transition.

Mandatory API quality: one of PSD2’s biggest failures was that banks could offer deliberately poor “dedicated interfaces” while technically complying. PSD3/PSR introduce mandatory, regulator-enforced API performance standards — real-time dashboards showing availability and performance, the elimination of screen-scraping fallbacks, and a requirement that national regulators act “without delay” against interfaces that underperform. Access is not just licensed; its technical quality is now a regulated, supervised obligation.

Expanded fraud liability: mandatory IBAN-name checks, broader refund rights for fraud victims, and fraud-information sharing between providers. The liability for getting it wrong sits, increasingly, on the provider.

What this means for the surface

A finance surface in Europe is an AISP: any product that reads a European user’s payment-account data is performing a regulated activity that requires authorization. The surface cannot “buy a Plaid key” — there is no permissionless aggregator to buy from; there is a licensed activity to be authorized for, or a licensed provider to partner with.

The open-banking observation

Europe made account access a public mandate where the US made it a private product, and PSD3/PSR are sharpening that mandate into a directly-applicable, quality-supervised, liability-laden rulebook. The American surface inherited account access off-the-shelf; the European surface must be licensed for it or partner with someone who is. The very first layer of the US build — the permissionless connect — is, in Europe, a regulatory authorization. The architecture diverges at the foundation.



III · The open-finance expansion · FIDA and the FISP license

The data-regime crystallization. PSD2/PSD3 govern payment-account data. But the US surface aggregates more than payments — it builds a picture of investments, balances, and net worth. In Europe, extending access to that data is a separate, still-forming mandate: FIDA.

What FIDA does

Beyond payment accounts: the Financial Data Access regulation extends open-banking-style mandated access from payment accounts to a much broader set — investments, pensions, insurance, mortgages, loans, savings, and crypto-assets. It is the “open finance” expansion of “open banking.”

A new license: FIDA creates a new regulated category, the Financial Information Service Provider (FISP). A company that wants to aggregate a European’s full financial picture across these categories must be a licensed FISP. The full-net-worth dashboard the US surface generates as a side effect of connection is, in Europe, an activity that requires a license that does not yet fully exist.

Mandated, standardized, consent-governed sharing: FIDA requires data holders (banks, insurers, pension providers) to make data available through standardized APIs, with the user’s explicit, dashboard-managed consent — connecting the data silos that are currently isolated, but only through a regulated, consent-first framework.

The timeline and the contested core

Still forming: FIDA was proposed alongside PSD3/PSR in June 2023 but, as of April 2026, remains in trilogue — less certain than PSD3/PSR. Likely scenarios put political agreement in 2026-2027 and operational dates around 2029-2030, with a staggered, sector-by-sector “wave” rollout.

The compensation fight: the single most contested item is the compensation mechanism between data holders and data users — what banks and insurers can charge the FISPs that access their data. Unlike PSD2’s largely free-access model, FIDA contemplates that data holders may be compensated, which changes the economics of aggregation entirely. A surface that aggregates European financial data may have to pay for the access the US surface gets, in effect, for free.

What this means for the surface

The full-picture aggregation is a future-licensed activity with a cost: the comprehensive financial view that is trivial in the US — connect everything, see everything — is, in Europe, gated behind a license that is still being written and an access cost that is still being fought over. The surface’s core value proposition (one place to see all your money) maps, in Europe, onto a regulated category that will not be fully operational until the end of the decade and may carry per-access fees.

The open-finance observation

FIDA is Europe building, as public mandate, the open-finance layer the US surface assumes as a free private capability — and building it slowly, with a new license and a contested access-cost regime at its center. The American surface aggregates everything because aggregation is a permissionless product; the European surface faces a future where aggregating everything requires a FISP license and possibly a payment to each data holder. The breadth that makes the US surface powerful is, in Europe, the dimension most heavily gated by an emerging mandate.



IV · The AI overlay · the EU AI Act and the high-risk line

The AI-regime crystallization. On top of the payments mandate and the data mandate sits a third regime the US surface never had to consider at launch: a horizontal AI law that classifies financial AI by risk and supervises it through financial regulators.

The risk-tier structure

Four tiers: the EU AI Act classifies AI systems into prohibited, high-risk, limited-risk, and minimal-risk tiers, with penalties up to €35 million or 7% of global turnover. The classification determines the weight of obligation.

The high-risk financial uses: Annex III explicitly classifies AI systems used for credit scoring and creditworthiness assessment as high-risk, along with risk assessment and pricing in life and health insurance. The moment a finance AI moves from describing your spending to assessing your creditworthiness, it crosses into high-risk territory — with conformity assessments, technical documentation, human-oversight requirements, and database registration before it can be placed on the market.

The timeline

Already live: prohibited-practice rules and AI-literacy obligations applied from February 2025; GPAI (general-purpose AI) model obligations applied from August 2025. The frontier models that would power a finance surface — the largest models from the major labs — are already classified as GPAI with systemic risk and carry obligations today.

Landing August 2, 2026: full obligations for high-risk Annex III systems — including financial credit-scoring uses — apply from August 2, 2026, though the Digital Omnibus simplification proposal (introduced November 2025, still in process) may adjust some timelines. The prudent assumption is that August 2026 is operative.

Who supervises it

Financial regulators, not tech regulators: this is the structural surprise. Under the AI Act, high-risk AI systems deployed by financial institutions and directly connected to financial services are supervised by the existing financial market-surveillance authorities — BaFin in Germany, the CSSF in Luxembourg, and their equivalents — not by a separate AI agency. A finance AI surface in Europe answers to the same regulators that supervise banks, under both the financial rulebook and the AI rulebook simultaneously.

The classification knife-edge

Description vs. assessment: a surface that summarizes spending and answers questions about your money may stay in the limited-risk tier (with transparency obligations — users must know they are talking to an AI). But the line to high-risk is close: the moment the surface assesses creditworthiness, recommends products in a way that constitutes scoring, or makes eligibility-style determinations, it risks crossing into Annex III. The product-design choices that are commercially attractive — “should I refinance?”, “what loan can I get?” — are precisely the ones that push the surface toward the high-risk classification and its full compliance spine.

The AI-overlay observation

The AI Act adds a third mandate the US surface never faced at launch: a horizontal AI law that classifies financial AI by risk, supervises it through financial regulators, and places the most commercially attractive features closest to the high-risk line. A European finance surface must classify itself, document itself, and very possibly submit to conformity assessment — under the supervision of the same authorities that regulate banks. The AI that is “just a chatbot” in the US is, in Europe, a regulated system whose classification depends on exactly how useful it tries to be.



V · The consent architecture

The product-shape crystallization. The cumulative effect of the three mandates is most visible at the single most important point of the product: the moment the user grants access. In the US, that is a button. In Europe, it is an architecture.

The US “connect” moment

One tap, broad scope: in the US, the user taps “connect,” authenticates through the aggregator, and grants broad, ongoing access in a single permissionless flow. The consent is real but lightweight, and the scope is wide by default.

Granular, revocable, dashboard-managed: the European mandate requires explicit, granular, revocable consent, managed through a consent dashboard where the user can see exactly who has access to what data, for what purpose, and can revoke it. PSD3/PSR sharpen this for payment data; FIDA extends it, with mandated permission dashboards, to the full financial picture. Consent is not a button; it is an ongoing, auditable, user-controlled relationship.

Purpose limitation and data minimization: layered on top is GDPR, which requires that data be collected for specified purposes and minimized to what is necessary. A surface that aggregates everything “in case it is useful” runs directly into purpose-limitation and minimization principles. The US default — collect broadly, use later — is the European violation.

What this does to the product

The consent architecture is the product: building the European surface means building the consent dashboard, the granular permission model, the revocation flows, the purpose-binding, the audit trail — and these are not features bolted onto the conversational experience; they are the regulated core that the conversational experience sits on top of. In the US, the surface is the product and consent is a button. In Europe, consent is the product and the surface is the interface.

The friction is mandated: the lightweight, broad, one-tap US consent is not available in Europe by design. The mandate requires friction — granular choices, explicit purposes, visible revocation — that the US surface was specifically designed to minimize. The European surface is, by regulation, higher-friction at exactly the moment the US surface optimized for frictionlessness.

The three mandates converge at the consent moment, and they replace the US “connect” button with a regulated consent architecture — granular, revocable, purpose-bound, dashboard-managed, and GDPR-governed. This is where the divergence becomes concrete and visible: the single most optimized moment of the US product is the single most regulated moment of the European one. The European surface cannot inherit the US onboarding; it must build a different one, and the different one is the regulated core, not a cosmetic layer.


VI · Who builds the European surface · the redistribution of advantage

The competitive crystallization. If the European surface must be built mandate-first, the question becomes who is positioned to build it — and the answer is not, by default, the firms that won the US.

Why the US winners are disadvantaged

Permissionless-native, not license-native: the firms that won the US surface — a frontier-model lab plus a permissionless aggregator — are built around exactly the capabilities that Europe regulates. Their advantage was speed and reach through permissionless access; in Europe, speed and permissionless reach are precisely what the mandate removes. The US winners’ core competency is the thing Europe does not allow.

No license, no supervision relationship: a frontier lab is not an authorized AISP, is not a prospective FISP, and does not have a supervisory relationship with BaFin or the CSSF. Building those is slow, capital-intensive, and outside the lab’s core competency. The US winner arrives in Europe needing a license stack and a regulator relationship it does not have.

Who is positioned instead

Licensed European fintechs and aggregators: firms that are already authorized AISPs/PISPs, already running PSD2/PSD3-compliant API fleets, already consent-native — the European open-banking infrastructure players — hold the licenses and the supervisory relationships the surface needs. They can supply the regulated substrate the lab cannot build quickly. The European equivalent of “the surface plus Plaid” is “the lab plus a licensed European infrastructure partner,” and the licensed partner holds more leverage than Plaid did, because the license is scarcer than an API.

Incumbent banks: European banks already hold the data, the licenses, the consent relationships, and the supervisory standing. A bank deploying a finance AI surface to its own customers does not face the access mandate — it already has the data and the consent. The incumbent that was disintermediated in the US thesis is, in Europe, structurally advantaged, because the mandate that gates the challenger does not gate the bank that already holds the relationship.

Compliance-native challengers: new entrants built mandate-first — licensed from inception, consent-native, AI-Act-classified by design — can compete, but they compete on compliance architecture as much as on product. The European winner is selected partly by who builds the regulated core best, not only by who builds the best conversational experience.

The redistribution

The advantage moves from permissionless speed to licensed position: in the US, the advantage went to whoever could integrate the permissionless layer fastest and build the best surface on top. In Europe, the advantage goes to whoever holds the licenses, the supervisory relationships, and the consent architecture. The mandate redistributes the advantage from the permissionless aggregator-and-lab toward the licensed incumbent-and-specialist.

The competitive observation

The mandate does not just slow the US surface in Europe; it changes who wins. The permissionless-native firms that won the US arrive in Europe needing a license stack and a regulator relationship outside their competency, while licensed European fintechs and incumbent banks hold exactly what the mandate makes scarce. In the US, the surface won. In Europe, the mandate selects for the licensed — and the licensed are mostly not the US winners.


VII · The structural reading · compliance as architecture, not constraint

The synthesis crystallization. The European AI-finance environment is usually described as “stricter regulation” — a higher hurdle on the same track. The structural reality is that it is a different track. The regulation is not a constraint on the architecture; it is the architecture.

Observation 1 · The substrate is public, not private — and that changes everything downstream

The empirical signal: the US built account access privately and permissionlessly (Plaid); Europe built it as public mandate (PSD2→PSD3/PSR), and is extending it as public mandate (FIDA).

The structural reading: the single architectural difference, public mandate vs. private product at the access layer, propagates through the entire stack. It determines whether the surface is licensed or bought, whether consent is a button or a dashboard, whether aggregation is free or compensated, whether the AI is unsupervised or financially supervised. Everything that looks like “stricter rules” is downstream of one fact: in Europe, the substrate is a mandate.

Observation 2 · Compliance is the product, not the constraint

The empirical signal: the regulated elements — the license, the consent dashboard, the API conformity, the AI classification — are not features added to the surface; they are the surface’s foundation.

The structural reading: in the US, you build the product and then handle compliance; in Europe, you build the compliance and the product is the interface on top. This inverts the build order, the cost structure, and the team. The European surface is led by licensing, supervisory relationships, and consent architecture, with the conversational experience as the last layer. The firms that treat European compliance as a constraint to be minimized will lose to the firms that treat it as the architecture to be built.

Observation 3 · The mandate is a moat that favors the incumbent and the licensed

The empirical signal: the mandate raises entry cost (licenses, not API keys), reshapes the product (consent architecture), and redistributes advantage (toward licensed incumbents and specialists).

The structural reading: the mandate functions as a moat, and moats favor those already inside them. The European banks and licensed fintechs that hold the data, the authorizations, and the supervisory relationships are advantaged exactly where the permissionless US challenger is disadvantaged. The disintermediation thesis that drives the US story — the surface absorbs the bank’s relationship — runs into a mandate that protects the licensed incumbent. Europe’s regulation is, among other things, an incumbent-protection architecture, whether or not that is its intent.

Observation 4 · The timeline is staggered, and the staggering is strategic

The empirical signal: PSD3/PSR land across 2027; the AI Act high-risk obligations land August 2026; FIDA arrives around 2029-2030. The mandate is not one event but a sequence.

The structural reading: the European surface faces a moving regulatory target, and the firms that win will architect for the end-state mandate, not the current one. Building for PSD3 today while FIDA and the AI Act high-risk regime are still settling means building for a target that is still moving — which favors firms with the regulatory-intelligence capacity to track it and the patience to build for 2030 rather than ship for 2026. The staggered timeline is itself a filter: it selects for regulatory endurance over launch speed.

What this is not

It is not a claim that the surface cannot come to Europe. It can, and will — but as a re-architected, licensed, consent-native, AI-classified product, built mandate-first, most plausibly by or with licensed European players.

It is not a claim that the mandate is purely protectionist. The consent architecture, the API quality standards, and the AI classification deliver real consumer protections the US permissionless model does not. The mandate has genuine benefits; it also has the structural effect of protecting incumbents and slowing challengers.

It is not a claim that Europe is simply behind. Europe is not building a slower version of the US surface. It is building a different architecture, in which the consumer’s data rights, consent, and AI protections are structural rather than optional — at the cost of speed, frictionlessness, and challenger entry.

The synthesis observation

The US conversational-finance surface was built on a permissionless private substrate, and Europe has no permissionless private substrate. It has a public mandate at the payments layer (PSD3/PSR), an emerging public mandate at the data layer (FIDA), and a horizontal AI mandate on top (the AI Act), all enforced by financial regulators with the power to levy fines of up to 7% of global turnover. The same surface, brought to Europe, is not a product launch but a licensing-and-consent-and-classification project, and the advantage shifts from the permissionless aggregator-and-lab that won the US to the licensed incumbents and specialists the mandate favors.

There is no single answer. Anyone offering one is selling something. What is unambiguous is that the architecture diverges at the foundation: the American surface treats account access as a product you buy and consent as a button you tap, while the European environment treats both as mandates you are licensed and supervised to fulfill. In the US, you ship a finance surface. In Europe, you license one — and the difference between shipping and licensing is the difference between the company that won America and the company that will win Europe.

That is the structural editorial question the mandate sits on top of. It is a public substrate where the US has a private one. It is compliance as architecture where the US has compliance as afterthought. It is a moat that favors the licensed incumbent where the US favored the permissionless challenger. And it is the layer where the European future of agentic consumer finance gets decided — not in who builds the best conversational experience, but in who builds the regulated core that the experience is, in Europe, legally required to sit on top of.


About the Author

Thorsten Meyer is a Munich-based futurist, post-labor economist, and recipient of OpenAI’s 10 Billion Token Award. He spent two decades managing €1B+ portfolios in enterprise ICT before deciding that writing about the transition was more useful than managing quarterly slides through it. He runs StrongMocha News Group, a network of more than 450 niche WordPress magazines built on the DojoClaw editorial engine. More at ThorstenMeyerAI.com.


This dispatch

  • This piece · The mandate · why the US conversational-finance surface does not translate to Europe — a public-mandate substrate (PSD3/PSR, FIDA) and a horizontal AI law (the AI Act) that make compliance the architecture rather than the constraint · structural-slate dominant, transition-bronze and labor-rose balance

The track

  • The bank account in the chat · Agentic Commerce 01 · the launch of OpenAI’s US personal-finance surface and the seven-tier intermediation map — the US substrate this piece contrasts against
  • The unbundling of the budget app · Agentic Commerce 02 · what the US surface does to the personal-finance-management apps — the consumer-side disruption that the European mandate slows
  • Forthcoming · The action boundary · what happens when the surface moves from read-only analysis to moving money — and why that boundary is even harder to cross in Europe under PSD3/PSR · synthesis-deep register
  • Forthcoming · The aggregator’s position · why Plaid wins in the US regardless of surface, and why the European equivalent — the licensed AISP/FISP — holds even more leverage · transition-bronze register

Adjacent tracks

  • The clause · AI Governance 03 · the contractual governance of the lab whose surface this piece brings to Europe
  • The cleaner cap table · AI Governance 02 · the corporate structure of the labs building the surfaces
  • The CFO’s new operating system · Enterprise Reorg 01 · the enterprise mirror of the same agentic-finance substrate

Sources

The open-banking mandate · PSD2 to PSD3/PSR

  • Norton Rose Fulbright · PSD3 and PSR: From provisional agreement to 2026 readiness — provisional political agreement Nov 27 2025 · Official Journal expected end of Q2 2026 · PSR enters application 18 months after entry into force, payee-name/IBAN verification at 24 months · PSD3 transposition within 18 months · FIDA still in trilogue · existing PI/EMI licences grandfathered subject to re-authorization · nortonrosefulbright.com
  • Morrison Foerster · PSD3 and the PSR: Key Developments — Apr 22 2026 text put before national representatives; Apr 23 Council ‘I’ Item Note with final compromise texts · PSR directly applicable (conduct rules: SCA, transparency, open banking, fraud liability) · PSD3 governs authorization/supervision/licensing · EMIs become a sub-category of PIs requiring re-authorization · mandatory IBAN-name check · regulators act “without delay” on poor APIs · mofo.com
  • FinlexPro · PSD3/PSR Fintech Guide 2026 — PSR directly applicable, no transposition; PSD3 amends authorization/supervision · PSD2’s “dedicated interface” failure (banks made APIs deliberately hard) · mandatory API dashboards (real-time availability/performance) · fallback (screen-scraping) elimination · Confirmation of Payee mandatory · status as of April 2026 · finlexpro.com
  • Crassula · PSD3 and PSR 2026 — provisional agreement Nov 27 2025, publication H1 2026, entry into force 2027, 21-month transition · PI and EMI merge · the regulatory layer (PSD3/PSR) vs the product layer · retrofitting a PSD2 stack mid-2027 is a multi-quarter project · crassula.io
  • Powens · EU Fintech Regulations 2026 — the nine 2026 frameworks: PSD3/PSR, IPR, FiDA, CCD2, DORA, AML, EU AI Act, MiCA, e-invoicing · entry into force end Q1/early Q2 2026, 21-month transition · PSR/PSD3 six goals (fraud, consumer rights, ADR, level playing field) · IPR mandates instant transfers at no premium · powens.com

The open-finance expansion · FIDA

  • G+D Spotlight · EU Open Finance (FiDA) — FIDA in the same June 2023 package as PSD3/PSR · expected formal adoption mid-2026, implementation late 2027 in staggered “waves” · covers mortgages, loans, savings, investments, insurance, pensions, crypto-assets · user-consent, silo-removal, standardized APIs · gi-de.com
  • Crassula / Norton Rose (FIDA detail) — FIDA proposed June 28 2023, still in trilogue April 2026 · creates the Financial Information Service Provider (FISP) category · extends access to investments/pensions/insurance/mortgages/loans · operational ~2029-2030 (best case 2029, base case late 2029-2030) · compensation mechanism between data holders and data users the single most contested item · crassula.io

The AI overlay · the EU AI Act

  • EU AI Act (official) · Shaping Europe’s digital future — entered into force Aug 1 2024, fully applicable Aug 2 2026 · prohibited practices + AI literacy from Feb 2025 · GPAI obligations from Aug 2 2025 · product-embedded high-risk extended to Aug 2 2028 under the AI omnibus · digital-strategy.ec.europa.eu
  • Rasa · EU AI Act & Data Sovereignty for Financial Institutions — Aug 2 2026 the critical deadline for high-risk financial AI · credit scoring, insurance pricing, certain customer-service AI explicitly high-risk under Annex III · sits on top of GDPR, intersects with DORA · Digital Omnibus (Nov 2025) may adjust timelines but planning around delays is unwise · rasa.com
  • MIT / HDSR · Credit Underwriting and Insurance Under the EU AI Act — high-risk classification places credit-underwriting under Articles 9-19 (providers) and 26-27 (deployers) · Article 74(6): national financial supervisors (e.g., BaFin) are the market-surveillance authorities for high-risk AI directly connected to financial services · hdsr.mitpress.mit.edu
  • EYReact · EU AI Act Summary for Financial Services — provider vs deployer duties · for financial institutions the relevant category is almost always high-risk · sector regulators supervise (EBA banks, ESMA investment firms, EIOPA insurers) plus national authorities; AI Office oversees GPAI · non-EU institutions covered if outputs affect EU residents · eyreact.com
  • Decode the Future / Vision Compliance · EU AI Act 2026 — four risk tiers, fines up to €35M or 7% of global turnover · GPAI rules enforceable as of early 2026 · high-risk Annex III obligations from Aug 2 2026 (subject to Digital Omnibus) · RAG/agent builders likely “deployers”; substantial fine-tuning can reclassify as “provider” · systemic-risk GPAI (>10^25 FLOPs) includes the largest frontier models · decodethefuture.org

The US-substrate contrast

  • The bank account in the chat / The unbundling of the budget app · Thorsten Meyer · Agentic Commerce 01-02 · the US surface launched May 15 2026 on Plaid (12,000+ institutions), read-only, permissionless · the US private-aggregator open-banking model · the seven-tier intermediation map · the substrate this piece contrasts against the European mandate

Key reference figures crystallized

  • The US substrate: account access built privately and permissionlessly (Plaid, Yodlee, MX, Finicity) · no banking license required · read-only design sidesteps money-transmission/broker rules · no single federal open-banking statute · the surface ships as a product
  • PSD2 → PSD3/PSR: PSD2 (2018) made access a licensed activity (AISP/PISP) · provisional agreement Nov 27 2025 · PSR directly applicable across 27 states (SCA, open banking, fraud liability, API standards) · mandatory API quality + dashboards + fallback elimination · IBAN-name check · core obligations across 2027
  • FIDA: extends access to investments/pensions/insurance/mortgages/loans/crypto · new FISP license · standardized APIs + consent dashboards · still in trilogue April 2026 · operational ~2029-2030 · compensation mechanism (data holders may charge data users) the most contested item
  • The EU AI Act: four tiers, fines up to €35M / 7% of global turnover · credit scoring + creditworthiness + insurance pricing high-risk (Annex III) · GPAI obligations live since Aug 2025; high-risk obligations from Aug 2 2026 · supervised by financial regulators (BaFin, CSSF) under Article 74(6) · description vs. assessment is the classification knife-edge
  • The structural inversion: US = private substrate, compliance as afterthought, permissionless challenger wins · EU = public mandate, compliance as architecture, licensed incumbent/specialist favored · “in the US you ship a finance surface; in Europe you license one”
