FCA open banking regulation: the current position after the 21 April 2026 modernisation package
In short: FCA open banking regulation sits today across three separate sources of law: the Payment Services Regulations 2017, the CMA Retail Banking Market Investigation Order 2017, and Part 5 of the Financial Services (Banking Reform) Act 2013. The 21 April 2026 modernisation package proposes to give the FCA new statutory powers to regulate the future of Open Banking, including powers to underpin commercial schemes developed by industry, and to consolidate the Payment Systems Regulator into the FCA. Primary legislation is required and has not yet been introduced.
Anyone building a service that lets a third party initiate a payment from a customer’s bank account works under three separate sources of law. The Payment Services Regulations 2017 govern third party access at the firm level. The CMA Retail Banking Market Investigation Order 2017 obliges nine named banks to build and maintain standardised APIs. Part 5 of the Financial Services (Banking Reform) Act 2013 gives the Payment Systems Regulator authority over the underlying payment systems. None was designed to regulate an industry-led commercial scheme operator standing between the banks and the third party providers. The 21 April 2026 modernisation package proposes to fill that gap. This page sets out FCA open banking regulation as it stands today and the legislative changes proposed.
Key findings (HM Treasury modernisation package, 21 April 2026)
- HM Treasury will give the FCA new powers to regulate the future of Open Banking, including powers to underpin commercial open banking payments within commercial schemes developed by industry. Source: HM Treasury press release, 21 April 2026.
- HM Treasury will integrate the regulation of payment services and electronic money with the FSMA 2000 framework, establishing a single regulatory perimeter for traditional payments, stablecoin payments and tokenised deposits. Source: HM Treasury press release, 21 April 2026.
- The Payment Systems Regulator will consolidate into the FCA. Source: A Streamlined Approach to Payment Systems Regulation: government response, 21 April 2026.
- Primary legislation is required and has not yet been introduced. Source: HM Treasury government response, 21 April 2026.
- The FCA will consult on the open banking long-term regulatory framework interface rules in Q3 2026. Source: Payments Forward Plan, Payments Vision Delivery Committee, 26 February 2026.
The three sources of FCA open banking regulation today
FCA open banking regulation is built on three separate statutory and regulatory instruments. Each was put in place for a different purpose; together they regulate the firms, the infrastructure and the underlying payment systems. They do not, individually or in combination, regulate the operation of an industry-led commercial scheme that sits above the firm level. That is the gap the 21 April 2026 modernisation package proposes to address.
The Payment Services Regulations 2017
The Payment Services Regulations 2017 (SI 2017/752), assimilated EU law derived from PSD2, govern open banking at the firm level. Two regulated payment services sit at the heart of open banking: payment initiation services (provided by payment initiation service providers, or PISPs) and account information services (provided by account information service providers, or AISPs). Persons providing these services to UK customers must be authorised by the FCA as a payment institution under regulation 6 or registered under regulation 17 as account information service providers.
Under regulations 68 and 69 PSRs 2017, an account servicing payment service provider (ASPSP) that maintains an online accessible payment account must permit a PISP or AISP, where the customer has given explicit consent, to initiate payments and access account information. The ASPSP cannot require the third party provider to enter into a contract as a precondition of access. Regulation 100 and the Strong Customer Authentication and Common and Secure Methods of Communication Regulatory Technical Standards (the SCA-RTS, retained in UK law and onshored from the EU position) require strong customer authentication for third party initiated payments and for account access.
The PSRs 2017 regulate the firms providing and accessing payment services. They do not regulate the operation of any scheme that sits above the firm relationships.
The CMA Retail Banking Market Investigation Order 2017
The Retail Banking Market Investigation Order 2017 (the RBMI Order) was made by the Competition and Markets Authority on 2 February 2017 under section 161 of the Enterprise Act 2002 to give effect to the remedies in the CMA’s Retail Banking Market Investigation Final Report of 9 August 2016.
Part 2 of the RBMI Order required the nine largest providers of personal current accounts in the UK at the time (the CMA9, comprising Royal Bank of Scotland Group, Lloyds Banking Group, Barclays Bank, HSBC Group, Nationwide Building Society, Santander UK, Northern Bank, Bank of Ireland (UK) and AIB Group (UK)) to set up an Implementation Entity to design, consult on, implement and maintain common banking standards. Open Banking Limited was incorporated to act as that Implementation Entity. Article 14 of the Order set 13 January 2018 as the implementation deadline, the same date the PSRs 2017 took effect.
The RBMI Order goes further than the PSRs 2017 for the CMA9. It imposes a positive obligation to implement and maintain common API standards, set by Open Banking Limited, to a defined technical and security specification. The PSRs 2017 leave each ASPSP free to design its own API interface provided it meets minimum SCA-RTS requirements. The CMA Order has not been formally revoked. Until the post-Order governance framework being designed by the Joint Regulatory Oversight Committee is in place, the Order remains the primary statutory basis for the open banking infrastructure layer in the UK.
Part 5 of the Financial Services (Banking Reform) Act 2013
Part 5 of the Financial Services (Banking Reform) Act 2013 establishes the Payment Systems Regulator and confers its statutory functions over designated payment systems. The PSR was established as a subsidiary of the FCA with independent regulatory functions and a separate statutory mandate.
The PSR’s statutory objectives sit in section 50 (competition), section 51 (innovation) and section 52 (the interests of service users). Its principal tools are section 54 directions (general directions to participants in regulated payment systems) and section 55 system rules (requirements imposed on the operator of a regulated payment system to establish or change scheme rules). The designation power that brings a payment system within scope sits in section 43 and is exercised by HM Treasury.
The PSR regulates payment systems and their participants. It can direct the operator of a regulated payment system to set or change scheme rules. It does not directly authorise or supervise the operators of new commercial schemes that have not yet been designated under section 43, and the existing designated systems (Bacs, CHAPS, Faster Payments, LINK, Visa, Mastercard and the cheque clearing systems) do not include any industry-led commercial open banking scheme.
The 21 April 2026 modernisation package: what changes for FCA open banking regulation
On 21 April 2026, HM Treasury announced a package of measures on the opening day of UK FinTech Week. The Economic Secretary to the Treasury, Lucy Rigby, set out the proposals. The package proposes the most significant expansion of FCA open banking regulation since the original open banking framework took effect in January 2018. The substantive limbs of the package, taken from the HM Treasury press release, are as follows.
First, the government will integrate the regulation of payment services and electronic money with the UK’s core regulatory approach for financial services. The substance of the PSRs 2017 and the Electronic Money Regulations 2011 will be moved inside the Financial Services and Markets Act 2000 (FSMA 2000) architecture. This is intended to establish “a single, coherent framework for both traditional and tokenised payments, including both stablecoins and tokenised deposits”.
Second, the government will give the FCA new powers to regulate the future of Open Banking. In the words of the press release, the new powers will “include underpinning the development of new Open Banking payments within commercial schemes”. The detailed scope and design of those powers will follow in HM Treasury’s consultation on payment services and e-money regulation, expected in Q2 2026 per the Payments Forward Plan, and in the FCA’s open banking long-term regulatory framework interface rules consultation expected in Q3 2026.
Third, the government will regulate stablecoins for use in payments where issued under the forthcoming new regulated activity for stablecoin issuance in the UK. Stablecoins will sit inside the single payments framework rather than in a separate cryptoasset regime; tokenised deposits are expected to remain inside the deposit-taking perimeter.
Fourth, the government will consolidate the Payment Systems Regulator into the FCA. The A Streamlined Approach to Payment Systems Regulation consultation, published 8 September 2025, closed in October 2025. The government’s response was published on 21 April 2026, confirming that the FCA will take on the PSR’s responsibilities, including for promoting competition and innovation in payment systems and the services provided by payment systems, as well as supporting the interests of consumers and businesses.
Fifth, the government will examine how the regulation of payment services should adapt to payments conducted by AI agents, addressing consent and authentication issues under regulation 67 of the PSRs 2017. The AI agents workstream sits inside the payment services reform programme rather than as a separate exercise.
Comparison: FCA open banking regulation today and the proposed framework
The table below summarises FCA open banking regulation as at May 2026 and the framework the 21 April 2026 modernisation package proposes.
| Issue | Current architecture (as at May 2026) | Proposed FCA architecture (post-legislation) |
|---|---|---|
| Firm-level regulation of PISPs and AISPs | PSRs 2017, regulations 6, 17, 68, 69 and 100. Authorisation and registration with the FCA. | Substance of the PSRs 2017 moved inside the FSMA 2000 framework. FCA regulates payment services through ordinary supervisory toolkit and Handbook rules. |
| Infrastructure standards for the CMA9 | CMA Retail Banking Market Investigation Order 2017. Open Banking Limited as Implementation Entity. Common API standards mandatory for CMA9. | Post-Order governance framework designed by Joint Regulatory Oversight Committee. New FCA powers to regulate the future of Open Banking. CMA Order to be replaced when JROC framework is in place. |
| Regulation of underlying payment systems | Financial Services (Banking Reform) Act 2013, Part 5. PSR statutory objectives in sections 50 to 52. Section 54 directions and section 55 system rules. | PSR functions transferred to FCA. Designation power under section 43 FSBRA exercised by HM Treasury continues. Subject to primary legislation. |
| Regulation of industry-led commercial open banking schemes | No dedicated regulatory regime. Schemes operate at the contract level between participants. | FCA “new powers to regulate the future of Open Banking that will include underpinning the development of new Open Banking payments within commercial schemes”. |
| Stablecoin payments and tokenised deposits | Stablecoins outside payments perimeter; not regulated for use in payments. | Single regulatory perimeter inside FSMA 2000 for traditional payments, stablecoin payments and tokenised deposits. |
| AI agent payments | PSRs 2017 regulation 67 (consent) and regulation 100 (SCA) apply. No specific framework for AI agent initiation. | Government to examine how payments regulation should adapt to AI agents inside the PSRs 2017 reform programme. |
The Data (Use and Access) Act 2025 smart data regime
Part 1 of the Data (Use and Access) Act 2025 sits alongside the payments regime as the wider statutory basis for data sharing of the kind that open banking enables. Section 2 confers power on the Secretary of State and the Treasury to make regulations requiring a data holder to provide customer data to the customer or to an authorised person at the customer’s request. Section 4 confers an equivalent power in relation to business data. Section 7 confers power to establish interface bodies; section 8 confers power to set up monitoring and enforcement.
The DUAA 2025 is the legislative vehicle through which government can extend smart data regimes beyond FCA open banking regulation into utilities, energy, telecoms and elsewhere. For open banking specifically, the Payments Forward Plan indicates that a statutory instrument giving the FCA oversight of the open banking ecosystem will be laid in Parliament in Q4 2026.
The legislative path and the position as at May 2026
The reforms announced on 21 April 2026 require primary legislation. The legislation has not yet been introduced. The published timetable, drawing on the Payments Forward Plan published on 26 February 2026 by the Payments Vision Delivery Committee, runs as follows.
HM Treasury will publish a consultation in Q2 2026 on the future of the PSRs 2017 and the EMRs 2011. The FCA will publish an engagement paper between Q2 and Q4 2026 on the payments and e-money reform programme. The FCA will consult in Q3 2026 on the open banking long-term regulatory framework interface rules. The Data (Use and Access) Act 2025 statutory instrument giving the FCA oversight of the open banking ecosystem is to be laid in Parliament in Q4 2026. A statutory instrument giving the FCA direct rulemaking power over payment services is expected in 2027 or 2028.
Until the legislation passes and commences, the position remains as set out in the three sources of law above. The PSR remains a separate statutory body with the FSBRA 2013 toolkit unchanged. The CMA Retail Banking Market Investigation Order 2017 remains in force and binding on the CMA9. The PSRs 2017 and the EMRs 2011 continue to apply as the firm-level framework. The new FCA open banking regulation framework proposed by the package is not yet an operative regime.
Frequently asked questions
What powers will the FCA gain over open banking under the 21 April 2026 modernisation package?
The government has set out the proposal in headline form. The FCA will gain “new powers to regulate the future of Open Banking that will include underpinning the development of new Open Banking payments within commercial schemes“. The detailed scope and design of FCA open banking regulation will follow in HM Treasury’s consultation on payment services and e-money regulation expected in Q2 2026, and in the consultation on the FCA’s open banking long-term regulatory framework interface rules expected in Q3 2026.
Is the CMA Retail Banking Market Investigation Order 2017 still in force?
Yes. The CMA Order has not been formally revoked. It continues to bind the CMA9 to maintain Open Banking Limited as the Implementation Entity, to adopt the Open Banking Standards, and to participate in the conformance and dispute management processes. The Joint Regulatory Oversight Committee is designing the post-CMA-Order governance framework, but until that framework is in place the Order remains the primary statutory basis for the open banking infrastructure layer.
When does the Payment Systems Regulator consolidate into the FCA?
The government confirmed in its 21 April 2026 response to the September 2025 Streamlined Approach consultation that the PSR will consolidate into the FCA. The consolidation requires primary legislation, which the government has committed to introduce as soon as Parliamentary time allows. Until the legislation passes and commences, the PSR remains a statutory body and the Part 5 FSBRA 2013 toolkit continues to be exercised by the PSR. The FCA and the PSR already operate under a shared leadership structure, with a single Chair and a single Executive Director for Payments and Digital Finance.
When will the FCA’s open banking long-term regulatory framework consultation open?
The Payments Forward Plan published on 26 February 2026 indicates that the FCA will consult on the open banking long-term regulatory framework interface rules in Q3 2026. The consultation will be the route by which the FCA articulates the detailed scope and design of FCA open banking regulation under the proposed new powers.
Does the Data (Use and Access) Act 2025 give the FCA power to regulate open banking?
Not directly. Part 1 of the DUAA 2025 confers power on the Secretary of State and the Treasury to make regulations on customer data and business data, including the establishment of interface bodies and the appointment of decision-makers and enforcers. The statutory instrument expected to give the FCA oversight of the open banking ecosystem is to be laid in Parliament in Q4 2026 per the Payments Forward Plan. FCA open banking regulation will sit alongside the DUAA 2025 smart data architecture rather than inside it.
Where do industry-led commercial open banking schemes sit in the current regulatory architecture?
Outside it. The PSRs 2017 regulate PISPs, AISPs and ASPSPs at the level of the individual authorised firm. The CMA Order 2017 binds the CMA9 at the infrastructure level. Part 5 of the FSBRA 2013 regulates payment systems and their participants. None of those frameworks is designed to regulate the operator of a commercial scheme that sits between the bank and the third party provider and provides scheme rules, governance and member-level obligations. Industry-led commercial open banking schemes operate today at the contract level, outside FCA open banking regulation. The 21 April 2026 modernisation package proposes to address that position by giving the FCA new powers to underpin those schemes.
For guidance on a new payments proposition or scheme architecture, see our Payments Product, Safeguarding and Scheme Governance Advice page.
