Open Finance in the UAE - What’s new since PSD2?
Yup, I need to get better at prompting Gemini to generate these images.
From a policy perspective, open finance is a rather successful European export. While the idea was working in a regulatory vacuum in the US (and later in Europe) for a little while, the first regulatory material to codify it was the Revised Payment Services Directive of the EU (PSD2). Since then, many countries have adopted it with open arms as a policy, including Brazil, Australia, Saudi Arabia, India, and the UAE.
What was the original motivation for Open Banking policies?
Interestingly, PSD2 has no explicit references to the idea of “open banking”. In fact, you will not find the expression open banking in the 53,194 words that comprise the directive. Based on the PSD2 recitals, it may appear that the emphasis on account openness was a reaction to the emergence of Payment Initiation Service Providers such as Sofort (Sofortbanking, now acquired by Klarna). These entities, like others in the US, accessed accounts via screen scraping in a regulatory vacuum. After closer inspection, it seems clear that this reactive concern was not the only motivation for the Open Banking ethos in the PSD2. In fact, the very first policy material for Open Banking is thought to be the 2011 GREEN PAPER Towards an integrated European market for card, internet and mobile payments (COM/2011/0941). This policy material does not expressly mention open banking but is probably the first to elaborate on one of the main concerns that motivated PSD2, namely the issue of access to information on the availability of funds:
“In many business models for payment services, prior information on the availability of funds — necessary for authorisation and/or payment guarantee of a specific payment transaction — is a key element. As keepers of the bank account, banks have a ‘gateway function’ that effectively determines the viability of many business models. Even if for certain new payment services consumers would agree that information on the availability of funds on their bank account is given to payment service providers of their choice, banks may refuse to give other payment service providers access to this information. Given the importance of secure payments and confidence in the payment system in general and the fact that banks are subject to supervision, such refusals may be justified in some cases. However, it creates a conflict of interest for banks, which may have an incentive to refuse to cooperate, despite the willingness of their customers. This could unduly hinder the emergence of safe and efficient alternative payment solutions, even if they are subject to prudential requirements.”
After that paper planted the seed, the impact assessment that accompanied the formal proposal for PSD2 in 2013 (SWD/2013/0288) followed with a slightly more thorough elaboration of the policy goals for open banking, amongst others:
Market integration is critical and Open Banking is a driver for it in the payments space: "Market integration is necessary to fully unlock a number of benefits for European citizens. These benefits include more competition between payment service providers and more choice, innovation and security for payment service users, especially consumers."
Open Banking alternatives such as Payment Initiation Service Providers will foster competition and decrease cost of payment:“The merchants, even the SMEs, which have far less negotiation power than big corporations versus the card schemes, would benefit from a less expensive and more tailor-made online payment facility. Costs for account servicing PSPs are minimal and necessary investments by third parties will be recovered by the increase in their revenues."
"These services facilitate the use of the consumer's online banking platform to initiate immediate internet payments (typically on the basis of credit transfers) to the accounts of retailers, providing added value for consumers (easy to use, no possession of a credit card is required) and merchants (low cost, payment initiation confirmation, payment reconciliation)."
Let’s keep in mind here, for context, the tortured relationship that European institutions have had with the Visa-mastercard duopoly and all the attempts they have made at regulating interchange fees and creating european “sovereign” competitors.
Current open banking players are operating in a legal vacuum and must be regulated, partly to ensure adequate consumer protection“Since the PSD was passed in 2007, new services have emerged in the area of internet payments where so called third party providers offer e-merchants specific payment solutions which do not necessarily require customers to open accounts with the third party provider. ... In order to provide these two types of services, the third party providers need to access the accounts of the customers, using the existing account infrastructure put in place by banks and the customers' credentials."
"Access to consumer online banking credentials by third parties raises a series of issues, ranging from consumer protection, security, liability to competition and data protection".
This is where the Open Banking ethos in PSD2 becomes slightly reactive: Sofortbanking and other players are already doing it and there are some risks to consumers, therefore we have to regulate
All in all, when you look at the political strain that mandating banks to open their accounts for third parties was expected to cause, it is rather surprising that the case for openness in the impact assessment that accompanied the proposal for PSD2 was not stronger and more expressly articulated. But that’s a separate story. The genie of open banking is now out of the bottle.
How is Open Banking Faring in the EU?
The European Commission released an evaluation report of PSD2 to accompany their proposal for PSD3. When it comes to open banking, the assessment takes a rather optimistic outlook, identifying a few challenges ahead that can serve as lessons learned for both PSD3 and the future adopters of open banking policies in other jurisdictions.
The evaluation seems to suggest that PSD2’s crown achievement on Open Banking is its positive effect in increasing the choice of payment instruments for Payment Service Users: The evaluation relied on consultations that showed that 70% of consumers who participated in the public consultation have the perception that there are more options available to make payment transactions than five years ago, and 60% of stakeholders that took part in a more targeted consultation hold the view that PSD2 has contributed to market players developing more convenient payment solutions. In the words of the report:
The PSD2 has laid important stepping-stones towards its goal of enabling innovative PSPs to reach broader markets by outlining the regulatory foundations for an Open Banking framework in the EU, particularly the framework for access to customers’ account data held by ASPSPs. As further detailed in Annex 11, the PSD2 has enabled TPPs (PISPs and AISPs) who build on ASPSPs’ existing data and infrastructure to provide PSUs a range of new services for managing their finances, and/or providing cheaper payment solutions.
What didn’t go so well in the EU:
There are question marks about which accounts are subject to open banking: In fact, there are many interpretations of the definition of “payment account” leading to discrepancies in the types of account data accessible by open finance firms. A paradigmatic example is that some AISPs are able to access credit card data in some jurisdictions but not in others.
Banks complain about lack of incentives because they can’t charge for access to the data. They are also unhappy about having to bear most of the cost of API development: This is not surprising. However, the prevailing policy sentiment in the evaluation seems to be that allowing banks to charge for mere access to accounts would imperil the goal of driving down the cost of payments. This position appears well-founded. The question of who should bear the costs of API development, however, is slightly more complicated and leaves room for imagining a program manager financed by the EU that could effectively bear at least some of the cost of the infrastructure.
Overall, the evaluation indicates that “According to the VVA/CEPS study, a majority of credit institutions and banking associations consulted for the study suggested that the costs of the PSD2 largely outweigh the benefits. National authorities and TPPs established before PSD2 was introduced were more positive about the general impact, but they tended to agree with the overall assessment. This is also in line with the responses received to the targeted consultation. As regards the question whether the aggregated benefits stemming from the implementation of PSD2 outweigh its implementation costs, only 18 (27%) respondents answered with “yes” and 48 (73%) with “no”. Of the 48 respondents who gave a negative answer, 29 (60%) are from the banking sector.”
Banks are not implementing the APIs or at least not at the right quality: In fact, the evaluation suggests that there are still some banks, especially small and medium-sized, who over-rely on customer interfaces as primary access interfaces for access to data or payment initiation. “In this respect, it is the EBA’s view that the choice given to ASPSPs to use their customer interface as fallback access mechanism does not create incentives for ASPSPs to provide and use high-quality APIs, while it increases the efforts that TPPs must put into integrating different customer interfaces”. On the other hand, the operators of open finance suggest that “(...) given the different APIs set up by ASPSPs as well as, oftentimes, their insufficient quality, free access via ASPSPs direct user interfaces must always be an option to access account data.
When it comes to the quality or adequacy of the APIs, the sentiment seems to be that the regulatory technical standards issued by the EBA on open banking are lacking the right specificity to ensure that open banking operators are not forced to build tailor made solutions for connecting with the APIs of each bank. In France, for example, it seems that the six major banks have implemented harmonized API standards but the foreign banks operating in French territory have adopted their own API standards based on the Berlin Group standard. It seems that what is missing are clearer infrastructure-first technical standards at the right level of detail.
The EBA has not been very good at setting effective standards for consent and permission management: In practice, this translates into Payment Service Users who are not properly informed of what their consent means, which is particularly tricky in the context of Open banking because users may be reluctant to use their account credentials and shared their data with open banking operators if they are not entirely sure what they are consenting to.
Enforcement action to ensure banks are compliant is not particularly effective: There are reiterated complaints about the long time it takes banks to resolve instances of non-compliance and in general about the effectiveness of regulatory enforcement whenever this is required to ensure accounts are open and APIs are meeting the operational requirements. This, in part because there is no program manager responsible for managing and enforcing Open Banking at a pan-European level (like the OBIE in the UK.
These challenges in the European Open Banking experience are not surprising. Open Banking is an extremely ambitious idea: it requires banks to build APIs that enable potential competitors to access their customers’ data and initiate payments from the accounts they service, it requires payment users to trust non-banks with access to their accounts, and it requires those non-banks to integrate with the banks’ APIs as opposed to using screen scraping. That is a lot to ask.
What is new in the UAE Open Finance regulation?
The Open Finance regulation in the UAE is set out in Circular No. 03/2025. There are a few departures from PSD2 that are worth mentioning:
Open Finance, not Open Banking: This is a very interesting development. Under PSD2, Open Banking is mostly conceived as payments openness. The actual obligation is aimed at regulated institutions that provide and maintain payment accounts, which are typically banks, payment service providers, and e-money institutions. This means that only the accounts that meet the definition of “payment accounts” would need to be open to open finance firms. In contrast, the approach of the UAE regulation seems to follow the Brazilian model, which is to broaden the obligation to encompass non-banking financial institutions. In fact, the UAE regulation also applies to Finance Companies, Exchange Houses, Loan-based Crowdfunding Companies, Insurance Brokers, and Insurance Companies, and it gives the Central Bank the faculty to include other types of entities in scope.
This is in principle a desirable feature of the UAE regulation, but it makes the vision significantly harder to implement in practice. As mentioned above, the European experience shows that even when the obligation exclusively applies to payment accounts, there are many plausible interpretations of what the definition of payment account encompasses. Perhaps drawing from that experience, the drafters of the UAE regulation were much more precise and avoided an open-ended definition in favor of a more exhaustive list of accounts or products that are subject to the openness obligations set out in Art. 5.1 of the regulation: basically anything from deposits to payment accounts to mortgages to insurance products.
In practice, even if the UAE has managed to avoid the vagueness around what constitutes a “payment account”, the sheer breadth of the products and services that are in scope of open finance will likely raise many questions about what data must be subject to portability in say, an insurance product as opposed to a mortgage product. It would be very interesting to see how the UAE institutions navigate these nuances in the future.
There will be a centralized Program Manager: This is one important way in which the UAE Open Finance framework seems to have drawn from the lessons of the European experience. Nebras Open Finance LLC (Nebras), a subsidiary of Al Etihad Payments, will act as the technical and operational entity that ensures that the Open Finance infrastructure works as it should. It will manage the central API hub that connects all licensed financial institutions and the open finance firms, so it should be able to avoid the fragmented approach to API design and implementation that took place in Europe. It should also be able to set clear use cases for each of the financial products in scope, avoiding the european unclarity about what data is in scope of the openness obligation. While there is not much information online about Nebras, it seems that it will also operate the consumer-facing brand (Al Tareq), which in turn will operate a Consent Mobile App that should rule out the lack of trust issues that still plague the European experience, where the adoption of open finance has been hampered by users’ mistrust of open finance operators as guardians of their banking authentication credentials and data.
It is very telling that instead of having a traditional website, Al Tareq has put in place a Confluence page where it readily makes available comprehensive guidance regarding integration into and usage of the Open Finance Platform. This developer friendly approach indicates that Nebras is very clear about its role as an operator of the key open finance infrastructure and standard-setter for the APIs. This role of the public sphere (of the state, if you will) in enabling critical banking infrastructure is innovative in itself, so it would be very exciting to see how it plays out.
Screen Scraping is strictly forbidden: While the European experience was marked by some level of tolerance for screen scraping as a last resort whenever banks failed to implement workable APIs, Art. 15 (2) of the UAE open finance regulation is clear in stating that: “No Person shall engage in data scraping, or any other similar data extraction activity, whether or not in conjunction with automated data entry, in order to undertake any activities subject to this Regulation except as permitted under applicable laws.”
While this seems to spell the end of screen scraping in the UAE, the European experience shows that this type of prohibition is more complicated in practice. Firstly, it is critical to consider that there are already account information service providers operating in the UAE, including Tarabut Gateway, Lean Technologies and SaltEdge. It is highly likely that most if not all of these firms have based their data extraction methods on screen scraping, which means that an instantly enforced prohibition may simply take them out of business. This issue is compounded by the fact that, as the European experience shows, many banks take considerable amounts of time in building the open finance APIs and/or simply implement APIs that are not adequate for the proper functioning of the framework. Therefore, unless the banking sector and the other entities subject to the openness obligations make rapid demonstrable progress in implementing adequate APIs, the Central Bank of the UAE should carefully consider keeping screen scraping as a fallback option to protect the very ecosystem of firms that already have a big stake in open finance and are the likeliest to make the framework come to life. As I wrote 9 years ago when the same discussion was taking place in Europe, it is important not to demonize screen scraping and to understand that banks have an incentive to keep a tight leash on their customers’ data. The potential role of Nebras in calling balls and strikes in this regard will be very critical and is a feature that the PSD2 framework didn’t have.
As usual, the open finance policy of the UAE shows that the country thinks very big. Al Tareq, together with AANI, have the potential to bring a revolution of data portability that could result in financial services that are extremely customer-centric: Either you build the best product possible or your customers will easily migrate to the competition. Moreover, the potential for disintermediating the world of payments is very real: If AANI and Open-finance-based payment initiation work as they should, merchants and individual payers will have a very low cost alternative to privately maintained payment rails that are dominated by card schemes who set their prices like a veritable oligopoly.
Disclaimer: This does not constitute legal advice but mere commentary. The views expressed in this article are solely mine and do not represent the views of my employer or any other third party.
