top of page

Open Banking's Awkward Adolescence: PSD3 Inches Forward, BaaS Grows Up, and Core Banking Hits Its $20bn Moment

Open Banking's Awkward Adolescence: PSD3 Inches Forward, BaaS Grows Up, and Core Banking Hits Its $20bn Moment

PSD3 is no longer a rumour, BaaS has finally outgrown "growth at all costs," and core banking modernization has quietly become a $20 billion software-category bet. This week, the plumbing got serious.

If 2024 was open banking's loud adolescence, mid-2026 is the bit where it gets a job, files its taxes and stops pretending it isn't regulated. Following last week's flurry of updates, from PSD3's near-final compromise texts to fresh API-governance offerings from CSI and Alkami, three storylines are pulling in the same direction: regulation is tightening, BaaS is consolidating, and core banking modernization has become a category serious investors price like enterprise software, not fintech narrative.


PSD3: Almost Here, Already Reshaping Roadmaps


As of this week, PSD3 and the accompanying Payment Services Regulation (PSR) sit in a familiar Brussels limbo: politically agreed since 27 November 2025, final compromise texts published 23 April 2026, and awaiting the final European Parliament vote and Official Journal publication. According to Norton Rose Fulbright's June update, publication is "currently anticipated for June/July 2026, though it may slip to September." After that, the standard 21-month application clock starts ticking, putting practical compliance squarely in 2027–2028.


What's actually changing

The shift from a Directive to a Regulation is the headline that gets reused in every white paper, and for good reason. As Freshfields notes, the PSR will apply directly across member states, no national transposition, no twenty-seven gently diverging interpretations.


For open banking specifically, Morrison Foerster's recent briefing summarises the substantive moves: more granular, enforceable obligations on banks to provide functional APIs, with contingency mechanisms where they don't. Strong customer authentication gets refined, APP fraud liability gets recalibrated, and payment institution and e-money institution licenses get merged, a structural simplification long requested by the industry.


DLA Piper's March 2026 client note flagged the parallel Financial Data Access (FIDA) framework as the piece worth watching for institutions outside payments: pensions, insurance and savings get pulled into the same consent-based data-sharing perimeter that has, until now, mostly applied to current accounts.


Why this matters now

For banks, the practical question isn't "will PSD3 ship", it's "are our APIs actually usable?" Adyen's PSD3 explainer puts it bluntly: under PSR, weak or flaky open banking APIs are not just a developer-experience problem, they're a supervisory one. J.P. Morgan's payments team has been making a similar argument in client briefings, framing PSR as the moment when API performance becomes a regulated service level rather than a vendor scorecard.


BaaS Grows Up and Slims Down


The Banking-as-a-Service narrative has spent the last 18 months in a public reckoning. Following coverage from The Financial Brand and PYMNTS this month, the "growth at all costs" era is decisively over. Banks that quietly powered sprawling fintech programs without enough compliance scaffolding have either retooled, rationalised partnerships, or left the category entirely.


The numbers still look good, for the right players

According to Research and Markets, the broader BaaS market is forecast to grow from $836 billion in 2025 to $1.01 trillion in 2026 at a 20.9% CAGR. The narrower "pure BaaS" segment, i.e., banks renting their charter and core stack to fintechs, sits at roughly $35–45 billion globally in 2026, with projections to $75–90 billion by 2030–2031, per Global Market Insights and SDK.finance research summaries.


The story is bifurcation. Sponsor banks with mature compliance programs are taking share. Sub-scale, under-resourced players are getting out. Velmie's June 2026 top-providers list reads less like a hype piece and more like a survivor's guide.


Core Bank joins the BaaS Association

A small but telling item from this week: Core Bank announced its membership in the Banking-as-a-Service Association, positioning itself alongside peers like Coastal Community Bank and Lead Bank as sponsor institutions trying to standardise oversight, KYC and audit expectations across the sector. It's a structural play, the kind of move that signals an industry getting serious about its own guardrails.


Compliance becomes the product

PYMNTS's recent reporting on banks confronting "cloud contracts built for yesterday" captures the operational reality. Many BaaS sponsor banks signed multi-year cloud and core deals before AI-driven fraud, real-time settlement and PSR-style API service levels were on the radar. Those contracts are now being renegotiated with monitoring, evidence and exit clauses that look more like enterprise IT than fintech partnerships.


Core Banking Modernization Becomes a $20bn Category


The third storyline is the quiet one, which means it's probably the biggest. According to MEXC's coverage of the US core-banking landscape, modernization in the United States alone has hardened into a roughly $20 billion software category, the system-of-record rewrite that everyone's been promising since the global financial crisis is, finally, ticketing real budgets.


Cloud-native winners take the lift

Thought Machine, Mambu and 10x Banking remain the cloud-native names showing up on every shortlist, per analysis from SDK.finance, Gartner Peer Insights and Crassula. Thought Machine's Vault Core powers Lloyds and Standard Chartered. 10x Banking's SuperCore runs at Chase UK and Westpac. Mambu remains the speed play, prized for time-to-market in challenger-bank builds.


The pattern McKinsey's "next-generation core banking platforms" research surfaces is consistent: tier-one banks no longer treat core replacement as a single big-bang program. They carve off a product line, a savings book, a card portfolio, a single subsidiary, and prove the new stack alongside the legacy mainframe before scaling.


Cloud, contracts and AI converge

AWS's recent strategic guide for financial leaders makes the operating-model argument: modern cores aren't just cheaper, they're a precondition for AI-driven personalisation, real-time risk decisioning and the kind of API surface PSR is about to mandate. Innovasolutions's analysis frames the same thesis as "seizing the digital opportunity", banks that modernise the core get optionality on every adjacent investment.


Settlement quietly compresses

One of the more underrated structural shifts: PYMNTS's reporting this month notes that the rise of what it calls "Atomic Settlement" is dismantling T+2 in important corners of the market, moving reconciliation from delayed batch to real-time event. For core platforms, that's a generational change in how ledgers, payments and risk talk to each other.


API Governance: From "Move Fast" to "Move Auditably"


Tying all three threads together is a fresh focus on API governance. PYMNTS reported this week that bank-fintech partnerships are forcing institutions to fix oversight of APIs, credentials, user permissions and third-party connections across expanding digital ecosystems. New offerings from CSI and Alkami illustrate centralised governance as a category, what used to be a developer-portal problem is now a board-level risk question.


FDX hits a milestone

Alkami's recent expansion of direct Financial Data Exchange (FDX) API integrations with Yodlee, replacing credential-based aggregation with standards-based, consent-driven data sharing, is the kind of plumbing move that doesn't make headlines but reshapes the market. According to FDX figures referenced by Alkami, API connections between companies grew 50% in the past year to roughly 114 million, and have more than tripled since 2022.


Where this lands

By 2026, full interoperability between banks, fintechs and third parties is increasingly the default expectation rather than a roadmap item. PSD3 in Europe, evolving frameworks in Latin America and Section 1033 maturation in the US are all converging on the same outcome: open banking as table stakes, with governance, not access, becoming the differentiator.


What to Watch Next


Three things on the radar for the next 30 days. First, whether PSD3/PSR hits the Official Journal before Brussels goes on holiday, a September slip is still in play and changes 2027 budgeting. Second, the next BaaS sponsor-bank exit or acquisition; consolidation in this corner of the market tends to come in clusters. Third, any RFP from a top-30 bank naming a cloud-native core vendor as preferred bidder, those announcements have started to move stock prices in adjacent enterprise-software names.


Bottom line

Open banking's awkward adolescence is ending, and the resulting structure is more boring and more bankable. PSR turns API quality into a supervisory line item. BaaS becomes a club for compliant sponsors. Core banking modernization, finally, looks like a real software market. The fintech moves that mattered this week weren't loud, they were structural.

 
 
bottom of page