The Emergence of a New Financial Data Ecosystem
Over the past decade, Europe has led the world in reimagining how financial data flows. With the introduction of PSD2, banks and financial institutions were required, often for the first time, to open their doors to regulated Third Party Providers (TPPs). This enabled customers to connect their bank accounts to new services, finance applications, budgeting tools and payment initiators. It was the beginning of what is now widely known as Open Banking.
For consumers, the benefits were clear: greater choice, more innovation and faster, more intuitive digital experiences. For the financial sector, PSD2 marked the start of a profound transformation. It forced established institutions to think beyond traditional boundaries, embrace interoperability and operate in a more dynamic, competitive landscape.
Now, with the proposed EU Financial Data Access (FiDA) Regulation, Europe is preparing to go significantly further. Where PSD2/3 & PSR focus primarily on payment accounts, FiDA will expand open data access across the entire financial services landscape, covering mortgages, investments, pensions, insurance, savings, loans and creditworthiness information. This is Open Finance in its fullest form: a multi-sector data-sharing ecosystem with a vastly expanded pool of participants.
Yet with this newfound openness comes an equally profound challenge: How can financial institutions remain secure, compliant and resilient in a world where data is meant to flow freely across dozens, or even hundreds, of interconnected entities that they do not control?
This paper argues that the answer lies in a new operational paradigm: real-time, continuous trust, across the entire ecosystem.
A Structural Shift: The Bank as a Mandatory Data Gateway
One of the most impactful characteristics of PSD2/3 & PSR is that banks must provide TPPs with access to customer data and payment initiation services even if the institution would not have chosen these parties as partners. The customer, not the bank, decides who can access their data, and once consent is granted, the bank is legally obligated to facilitate the connection.
Crucially, PSD2 (Article 68(5)) only permits a bank to refuse access when it has objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access. This is a high threshold: in most cases the institution must give the external party, rather than itself, the benefit of the doubt.
FiDA preserves and extends this principle. Under the new framework, data holders, which include not only banks but also insurers, pension providers, investment managers, credit bureaus and other financial institutions, must share customer data with any authorised data user (a Third Party Provider, TPP, under PSD2/3 and the PSR; a Financial Information Service Provider, FISP, or a financial institution acting as a data user under FiDA), provided the customer has granted permission. That data must be provided continuously, without undue delay and in real time.
As a result, financial institutions become obligated data gateways serving external entities they did not select, do not supervise and may not fully understand. This represents a complete inversion of traditional security assumptions, where institutions once had total control over access to their systems and information.
The regulatory expectation is clear:
- Openness is mandatory
- Refusal is exceptional
- Trust must be evidence-based and continuously verified
A Larger, More Complex and More Interdependent Ecosystem
FiDA significantly increases the number of participants in the financial data ecosystem. PSD2 introduced one new class of data user, the Third Party Provider (excluding financial institutions that also act as TPPs(*1)), numbering 346 as of 30 September 2025(*2). FiDA will add hundreds more market players, the FISPs, which will sit between institutions, consuming and redistributing sensitive data.
The types of data being exchanged will also expand dramatically, from account balances and transactions to mortgage files, insurance claims, investment portfolios, pension details, creditworthiness assessments and potentially biometric identities.
This enlarged ecosystem carries corresponding increases in:
- Cyber exposure
- Operational complexity
- Data lineage ambiguity
- Regulatory obligations
- Incident and liability risk
As more institutions become connected, the ecosystem begins to behave more like a network than a series of bilateral relationships. In such networks, the security of each participant depends not only on their own controls but also on the controls of every other member, and the controls of their vendors, subcontractors and cloud providers.
The weakest participant becomes the risk amplifier for everyone else.
An Estimate of Market Participants
In the European Commission’s Impact Assessment(*3) that accompanies the FiDA proposal, the following assumptions have been highlighted:
- An estimated 17,745 “data holders” (i.e. financial institutions), comprising banks, insurers, IORPs (Institutions for Occupational Retirement Provision), investment firms etc., are in scope.
- About 30% of these financial institutions (excluding IORPs) are expected to also act as ‘data users’, resulting in 3,488 FI-based data users. When adding the Commission’s estimate of 350 future financial information service providers (FISPs), the total number of “data users” becomes 3,838(*4).
Therefore, the number of participating organisations in the data sharing ecosystem under the EU FiDA Regulation, whether data holders or data users, is set to expand significantly.
It should be noted that financial institutions which offer payment accounts under PSD2, as well as wider financial services covered by FiDA (such as insurance or pensions), face an increasingly complex challenge: understanding exactly who is accessing their customers’ data.
PSD2/3 & PSR and FiDA are separate regulatory regimes, and the rules for accessing data differ between them. A “data user” regulated under PSD2/3 (e.g. a TPP accessing payment account data) is not automatically allowed to access FiDA-regulated data. Likewise, a FiDA-regulated FISP cannot access PSD2/3 data without separate authorisation. As a result, data users will need distinct regulatory permissions for each regime and separate access credentials (i.e. eIDAS digital certificates), depending on the type of data they access.
Ecosystem Growth and the Rise of Third Parties as the Primary Attack Surface
As the financial-data ecosystem expands to include a far broader range of participants, the security perimeter of a bank effectively stretches with it. Every new fintech, intermediary, analytics provider or infrastructure vendor becomes another point through which sensitive data flows and another point where vulnerabilities can emerge.
In this increasingly interconnected environment, risk is no longer concentrated within the bank’s own systems. Instead, it often originates in the surrounding organisations that now form essential links in the open finance data chain.
Recent global incidents highlight this pattern:
- A breach at a major banking-technology provider(*5) exposed sensitive data exchanged with many of the world’s top financial institutions
- A flaw in widely used file-transfer software(*6) caused a cascading breach that impacted thousands of organisations, including banks, pension funds and financial processors
- A real-estate finance processor(*7) handling mortgage data for major banks suffered a significant exfiltration event
- Fintechs offering account-aggregation & financial-planning services(*8) experienced breaches originating not in their own environments but in upstream analytics or DevOps tools
These incidents share one theme:
- The bank itself was not compromised; however,
- Its data was compromised elsewhere
Customers instinctively trust their bank the most, but banks bear the reputational fallout even when they are powerless to prevent it.
Ultimately, if a third-party provider is the source of a data breach or unauthorised use of information, the consequences fall hardest on the Financial Institution, regardless of who was actually at fault or who is financially liable. Customers don’t draw distinctions between their primary provider (the Financial Institution) and the external third party providers operating in the ecosystem; to the customer, the Financial Institution is the primary guardian of their financial data.
When something goes wrong, it is the bank’s brand that appears in the headlines, the bank’s call centres that absorb the backlash and the bank’s leadership that must answer for the failure. This is why robust, continuous oversight of all third-party providers is not optional but a critical component of any serious risk-mitigation strategy. Effective monitoring, real-time authorisation checks and proactive governance are essential to protect financial institutions from reputational fallout that can arise even when the root cause lies entirely elsewhere.
The new reality of Open Finance is “security is only as strong as the least secure participant in the chain”.
Identity is not Authorisation
Under PSD2, the identification of TPPs to financial institutions is well defined: TPPs must present eIDAS qualified certificates (QWACs at the TLS layer, or QSealCs to seal application-level messages) when connecting to a financial institution’s APIs. The eIDAS certificate gives the Data Holder a European standards-based, regulatory approach to positively identifying the TPP. This approach, set out in PSD2’s Regulatory Technical Standards, ensures that only regulated, authorised TPPs can access customer payment account data, with the certificate linking the TPP’s identity to its regulatory authorisation as it stood at the time of issuance.
The FiDA proposal, in contrast, does not explicitly mandate the use of eIDAS certificates in its legal text. However, FiDA sets up a broader trust framework via Financial Data Sharing Schemes (FDSS). All data holders and data users must enrol in one or more FDSS schemes and these schemes will establish the technical standards, security requirements and governance rules for data access across each financial sector. FiDA empowers scheme governance, or potentially regulatory technical standards, to determine how participants identify and authenticate each other. It is a commonly held market view that all FDSS operators, or potential regulatory technical standards, will adopt the same practices as used in PSD2.
However, it is essential that FiDA avoids repeating the key failures observed under PSD2, particularly the confusion between identity and authorisation status.
Under PSD2, an eIDAS certificate carries the TPP’s authorised roles (PSP_AS, PSP_PI, PSP_AI and PSP_IC, as defined in ETSI TS 119 495) together with the name of its competent authority and its authorisation number, as they stood when the certificate was issued. The certificate therefore reflects the state of an organisation at a specific moment in time, not the evolving reality of its operations, and it remains technically valid until it expires or is revoked.
The reality is that a TPP or FISP may be authorised today, yet circumstances change over time and it may subsequently:
- Have its authorised roles restricted
- Have its authorised roles withdrawn
- Have its authorised roles amended (e.g. authorised to passport to additional EEA countries)
- Have joined an FDSS
- Have joined additional FDSSs (to access additional data sets)
- Have been withdrawn from one or more FDSSs
Static trust does not reflect dynamic risk! FiDA depends on continuous data access, meaning risk is dynamic by design and financial institutions need a way to monitor, verify and respond to this evolving landscape in real time.
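The divergence described above can be made concrete. The following is an added illustration, not code from this paper or a Konsentus product: a per-call gate for a data holder’s API that reads the PSD2 attributes the caller’s certificate asserts, checks them against what the register says now, and only then checks that the call stays inside the customer’s consent. The organizationIdentifier layout (“PSD” + country + NCA id + authorisation number) and the role codes follow ETSI TS 119 495; the endpoint-to-role table, the register snapshot, the certificate contents and the requests are all constructed for the example. In production the register lookup would be a live query to the home NCA or EBA register (or an aggregation service) on every call.

```python
"""Per-call authorisation gate for a PSD2/FiDA data-holder API (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# organizationIdentifier format from ETSI TS 119 495:
#   "PSD" + ISO 3166 country code + "-" + NCA identifier + "-" + NCA-assigned number
_ORG_ID = re.compile(r"^PSD([A-Z]{2})-([A-Z0-9]+)-([A-Za-z0-9]+)$")

# Role (as carried in the certificate's PSD2 QcStatement) and consent scope each
# endpoint needs. Constructed mapping for this example.
ENDPOINTS = {
    ("GET", "/accounts"): ("PSP_AI", "accounts"),
    ("GET", "/accounts/balances"): ("PSP_AI", "balances"),
    ("POST", "/payments"): ("PSP_PI", "payments"),
    ("GET", "/funds-confirmations"): ("PSP_IC", "fundsconfirmation"),
}

# Constructed register snapshot. The point is that it can, and does, diverge
# from what the certificate asserted at issuance.
REGISTER = {
    "PSDBE-NBB-0123456789": {
        "status": "authorised",
        "roles": {"PSP_AI"},                 # PSP_PI withdrawn after issuance
        "passported_to": {"NL", "FR"},
    },
    "PSDDE-BAFIN-987654": {
        "status": "withdrawn",
        "roles": set(),
        "passported_to": set(),
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    evidence: dict = field(default_factory=dict)   # what a refusal is based on


def parse_org_identifier(org_id: str) -> tuple[str, str, str]:
    """Split a PSD2 organizationIdentifier into (country, NCA id, auth number)."""
    m = _ORG_ID.match(org_id)
    if not m:
        raise ValueError(f"not a PSD2 organizationIdentifier: {org_id!r}")
    return m.group(1), m.group(2), m.group(3)


def authorise(cert_org_id: str, cert_roles: set[str], method: str, path: str,
              holder_country: str, consent_scopes: set[str]) -> Decision:
    """Decide one API call. Every refusal carries the evidence for it."""
    home_country, nca, number = parse_org_identifier(cert_org_id)
    if (method, path) not in ENDPOINTS:
        return Decision(False, "unknown endpoint", {"method": method, "path": path})
    needed_role, scope = ENDPOINTS[(method, path)]

    # 1. Identity: the certificate proves who is calling and what it was issued for.
    if needed_role not in cert_roles:
        return Decision(False, "certificate never carried the required role",
                        {"needed": needed_role, "cert_roles": sorted(cert_roles)})

    # 2. Authorisation now: the register, not the certificate, is current.
    entry = REGISTER.get(cert_org_id)
    if entry is None or entry["status"] != "authorised":
        return Decision(False, "provider no longer authorised",
                        {"nca": nca, "number": number,
                         "register_status": entry["status"] if entry else "absent"})
    if needed_role not in entry["roles"]:
        return Decision(False, "role withdrawn since certificate issuance",
                        {"needed": needed_role, "cert_roles": sorted(cert_roles),
                         "register_roles": sorted(entry["roles"])})
    if holder_country != home_country and holder_country not in entry["passported_to"]:
        return Decision(False, "not passported to data holder's country",
                        {"home": home_country, "holder": holder_country,
                         "passported_to": sorted(entry["passported_to"])})

    # 3. Consent: the call must stay inside what the customer granted.
    if scope not in consent_scopes:
        return Decision(False, "request outside customer consent",
                        {"requested": scope, "consented": sorted(consent_scopes)})
    return Decision(True, "authorised", {"role": needed_role, "scope": scope})


if __name__ == "__main__":
    cert = ("PSDBE-NBB-0123456789", {"PSP_AI", "PSP_PI"})   # roles at issuance
    consent = {"accounts", "balances"}
    for method, path, country in [("GET", "/accounts", "BE"),
                                  ("POST", "/payments", "BE"),
                                  ("GET", "/accounts", "ES")]:
        d = authorise(cert[0], cert[1], method, path, country, consent)
        print(method, path, country, "->", "ALLOW" if d.allowed else "DENY", d.reason)
```

The second call is the case the paper is about: the certificate still says PSP_PI, the TLS handshake succeeds, and only the register lookup reveals that the role was withdrawn. The evidence dictionary on each refusal is what a data holder would keep to show that a denial was objectively justified and duly evidenced rather than discretionary.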
The Rise of Ecosystem-Level Defences
Financial institutions are now recognising that managing open-finance risk requires a shift away from traditional perimeter defences towards something broader: ecosystem-level trust frameworks that operate in real time.
Institutions are beginning to invest in capabilities that enable:
- Continuous Authorisation Verification: Every call to the API must confirm that the TPP/FISP is still authorised, still licensed for the correct services, and still operating legitimately
- Behavioural Monitoring and Anomaly Detection: By analysing patterns of access, organisations can identify unusual or suspicious behaviour, creating the evidence base required to temporarily block access under PSD2 and FiDA rules
- Consent Governance and Permission Oversight: PSD2/3 & FiDA’s requirement for permission dashboards aligns with the need to ensure that the data requested by a TPP/FISP always matches the scope of the customer consent
- Supply-Chain Mapping and Sub-Processor Transparency: Institutions must understand not only the TPPs/FISPs connecting to them but also the vendors, cloud providers and subcontractors that those TPPs depend upon
- Resilient Multi-Entity Incident Response: Open ecosystems require coordinated response plans that involve banks, TPPs, FISPs, processors, regulators and customers
- Compliance with the Digital Operational Resilience Act (DORA): DORA reinforces the necessity of robust third-party oversight and requires institutions to formalise critical vendor relationships and test their resilience.
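Behavioural monitoring, as listed above, only helps if it produces evidence a data holder can act on. The following is an added example, not code from this paper or a Konsentus product, that runs two rules over constructed access-log lines and emits findings per TPP and day: unattended account-information access beyond four calls per consent per day (the default ceiling in RTS (EU) 2018/389 Article 36(5)(b) when the customer is not actively requesting the data; a higher frequency can be agreed), and a daily request volume far above that TPP’s own trailing baseline. The log format, the TPP identifiers, the consent identifiers and the spike factor are assumptions for this example.

```python
"""Behavioural monitoring over data-holder API access logs (added example)."""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

UNATTENDED_DAILY_LIMIT = 4   # RTS 2018/389 Art. 36(5)(b) default, absent an agreed higher rate
SPIKE_FACTOR = 3.0           # today's calls vs. mean of this TPP's previous days

TPP_A = "PSDBE-NBB-0123456789"   # constructed identifiers
TPP_B = "PSDNL-DNB-5555555"


def _line(ts: str, tpp: str, consent: str, present: bool, path: str = "/accounts") -> str:
    """One constructed JSON access record; psu_present marks customer-initiated calls."""
    return json.dumps({"ts": ts, "tpp": tpp, "consent": consent,
                       "psu_present": present, "path": path})


# Constructed sample log: two quiet days, then TPP_A polls one consent six
# times unattended and more than triples its overall volume.
_records: list[str] = []
for _day in ("2025-10-01", "2025-10-02"):
    _records += [_line(f"{_day}T0{h}:00:00Z", TPP_A, "c-1", False) for h in range(4)]
    _records += [_line(f"{_day}T1{h}:00:00Z", TPP_B, "c-9", False) for h in range(3)]
_records += [_line(f"2025-10-03T0{h}:00:00Z", TPP_A, "c-1", False) for h in range(6)]
_records += [_line(f"2025-10-03T1{h}:00:00Z", TPP_A, "c-2", True) for h in range(8)]
_records += [_line(f"2025-10-03T1{h}:00:00Z", TPP_B, "c-9", False) for h in range(3)]
SAMPLE_LOG = "\n".join(_records)


@dataclass(frozen=True)
class Finding:
    tpp: str
    rule: str
    day: str
    detail: str


def analyse(log_text: str) -> list[Finding]:
    """Aggregate JSON-lines access records and return the evidence findings."""
    daily: dict[str, Counter] = defaultdict(Counter)   # tpp -> day -> calls
    unattended: Counter = Counter()                    # (tpp, consent, day) -> calls
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        day = rec["ts"][:10]
        daily[rec["tpp"]][day] += 1
        if not rec["psu_present"]:
            unattended[(rec["tpp"], rec["consent"], day)] += 1

    findings: list[Finding] = []
    # Rule 1: unattended polling of a single consent above the daily ceiling.
    for (tpp, consent, day), n in sorted(unattended.items()):
        if n > UNATTENDED_DAILY_LIMIT:
            findings.append(Finding(tpp, "unattended-limit", day,
                f"{n} unattended calls on consent {consent} (limit {UNATTENDED_DAILY_LIMIT})"))
    # Rule 2: volume far above the TPP's own history (needs at least one prior day).
    for tpp, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days[1:], start=1):
            baseline = mean(per_day[d] for d in days[:i])
            if per_day[day] > SPIKE_FACTOR * baseline:
                findings.append(Finding(tpp, "volume-spike", day,
                    f"{per_day[day]} calls vs baseline {baseline:.1f}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.day, f.tpp, f.rule, "-", f.detail)
```

Both findings land on TPP_A for 2025-10-03 while TPP_B, with a flat three calls a day, produces none. A finding is the trigger for investigation and, where justified, a temporary block; the record itself (counts, consent, day, the threshold breached) is the evidence that must be retained and, under PSD2, reported to the competent authority when access is denied.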
These capabilities work together to create what can best be described as a continuous trust fabric, a protective layer that spans all participants in Open Finance.
From Defensive Obligation to Competitive Advantage
FiDA introduces new responsibilities for financial institutions; however, as Open Banking has shown, these responsibilities also create opportunities for differentiation.
Financial institutions that adopt continuous, real-time trust frameworks will:
- Strengthen their reputation as safe, reliable data stewards
- Reduce fraud and unauthorised access
- Lower compliance and audit burdens through automation
- Improve operational resilience
- Accelerate time-to-market for new open-finance products
- Meet regulator expectations more confidently
- Provide customers with the transparency and control they increasingly expect
- Position themselves as leaders in the emerging open-finance landscape
As Open Finance matures, trust will become the currency of the ecosystem.
The financial institutions that can demonstrate consistent, verifiable oversight of their data-sharing partners will be best positioned to thrive.
The Future of Security Is Trust at Scale
Europe’s transition from Open Banking to full Open Finance marks one of the most significant shifts in the history of financial services. Financial institutions are moving from a world of closed data and controlled perimeters to one where openness is mandated and connections are many.
This shift presents regulatory complexity, operational challenges and new categories of risk but it also offers extraordinary potential.
By adopting continuous trust mechanisms such as real-time authorisation verification, behavioural monitoring, consent governance, vendor transparency and ecosystem-level incident response, financial institutions can not only protect themselves in this new environment but also lead it.
In a fully open financial ecosystem, competitive advantage will no longer come only from product features or customer experience. It will come from the ability to guarantee, prove and maintain trust at scale.
Open Finance may make data flow, but it is “trust” that will make it work!
As Europe transitions from Open Banking to fully Open Finance, the central challenge becomes clear: institutions must be able to demonstrate trust continuously, across a rapidly expanding and increasingly interconnected ecosystem. Understanding how FiDA, PSD2/3 and the PSR will reshape risk, authorisation, security obligations and operational demand is essential for preparing effectively.
If you would like support in evaluating your ecosystem exposure, assessing regulatory expectations or designing a strategy for building trust at scale, our team is deeply engaged in these developments and can help you move forward with confidence.
Brendan Jones
COO Konsentus
References
*1 | “In the original PSD2 impact assessment (SWD(2013) 288 final), the European Commission characterises third-party providers (PIS/AIS) as a niche segment with a limited number of existing providers, most of whom were not licensed PSPs. However, the assessment does not provide a quantitative forecast of how many ASPSPs would also act as TPPs; it focuses instead on the expected market entry of new specialist providers and the need to remove obstacles to their access.” (European Commission)
*2 |
*3 | Commission Staff Working Document, Impact Assessment Report accompanying the Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (European Commission)
*4 | Commission Staff Working Document (Impact Assessment) accompanying the Proposal for a Regulation on a framework for Financial Data Access (FiDA), SWD(2023) 224, Section 4.2.2 “Market actors” (European Commission)
*5 | A breach at a major banking-technology provider exposed sensitive data exchanged with many of the world’s top financial institutions. (The Wall Street Journal)
*6 | A flaw in widely used file-transfer software (MOVEit Transfer) caused a cascading breach that impacted thousands of organisations, including banks, pension funds and financial processors. (orx.org)
*7 | A real-estate finance processor handling mortgage data for major banks suffered a significant exfiltration event now under FBI investigation. (Bloomberg)
*8 | Fintechs offering account-aggregation and financial-planning services experienced breaches originating not in their own environments but in upstream analytics or DevOps tools. (Finextra Research)

