21.03.2025
9 min read
Caroline Ma

Six Common Open Banking Mistakes to Avoid

Open banking has transformed the financial landscape, enabling banks to innovate, grow, and deliver more personalised services. Yet despite its potential, European and US banks often stumble into avoidable pitfalls.

In the EU, regulations like PSD2 and PSD3 drive open banking, ensuring consumer protection and data-sharing standards. The US takes a more market-driven approach, where adoption varies by institution and state regulations. Each model has its challenges, but certain mistakes appear across both regions.

This blog post, compiled by a Baltic Amadeus expert, explores six common open banking mistakes and compares how they play out in EU and US markets.

What is open banking, and what does it mean for financial institutions?

Open banking enables financial institutions to securely share customer data with authorised third parties through APIs. It fosters innovation by enabling fintech companies and banks to collaborate on new products and services, thereby improving customer experience and expanding revenue streams.

For banks, open banking presents an opportunity to move beyond traditional models, enabling personalised financial solutions, enhanced payment systems, and new business models such as embedded finance. However, realising these benefits depends on effective implementation and avoiding common mistakes.

Mistake 1: Treating open banking as compliance rather than strategy

Open banking is a growth opportunity, not just a regulatory obligation. Many European banks strictly adhere to PSD2 rules without leveraging them to expand their business. US banks have historically been cautious due to concerns about ROI and the absence of regulatory mandates. However, recent developments, such as the Consumer Financial Protection Bureau's (CFPB) new rules, are creating a clearer path to wider adoption.

Why it matters: Banks that treat open banking purely as a compliance task miss out on innovation, investment, and growth, leaving customer needs unmet.

According to a McKinsey survey, nearly half of respondents expect to reduce costs by more than 10% through their API initiatives, while one-third anticipate revenue growth exceeding 10%. A well-thought-out strategy converts compliance spend into measurable business value.

Missed opportunities include:

  • New revenue streams from API-based financial products.
  • Stronger customer retention through personalised banking experiences.
  • Fintech partnerships that drive innovation and competitive advantage.

How to address it:

  • Develop APIs that deliver value-added services beyond basic compliance.
  • Collaborate with fintech companies to design embedded finance products.
  • Use customer insights from open banking data to personalise experiences and increase engagement.

Mistake 2: Poor-quality APIs and weak developer experience

APIs are the building blocks of open banking. Still, poorly designed ones frustrate third-party providers, limit fintech integration, and slow adoption.

European banks often develop APIs to meet minimal compliance requirements, leaving out advanced functionality. US banks, meanwhile, struggle with inconsistency due to the absence of standardised guidelines.

Examples of advanced API functionality include real-time payment initiation and confirmation, personalised financial insights based on spending habits, smart authentication flows with biometric login, and Variable Recurring Payments (VRP) for flexible, user-approved transactions. These go beyond compliance and actively drive fintech adoption.

Why it matters: Without developer-friendly APIs, fintech companies may hesitate to integrate or avoid doing so altogether, damaging banks' reputations and limiting future partnerships.

How to address it:

  • Provide clear, detailed API documentation and reliable test environments.
  • Offer real-time data access for efficient integrations.
  • Adhere to globally recognised API standards: Open Banking (UK), FDX (US), or Berlin Group (EU).

Mistake 3: Weak cyber security and consent management

Open banking expands the attack surface. Many banks underestimate the security and consent challenges this creates:

  • Inconsistent Strong Customer Authentication (SCA) compliance under PSD2 in Europe.
  • Fragmented cyber security practices in the US that increase breach risk.
  • Overly complex consent flows that frustrate users and reduce adoption.

Why it matters: Expanding API access without rigorous vetting introduces vulnerabilities. Non-compliance with NIS2 in the EU can result in severe financial and reputational penalties. Poor security erodes customer trust and drives users toward more secure alternatives.

How to address it:

  • Adopt proven authentication protocols such as OAuth 2.0 and OpenID Connect.
  • Conduct rigorous third-party risk assessments before granting API access.
  • Use advanced encryption for all data exchanges.
  • Provide transparent, simple consent management tools for customers.
  • Regularly audit third-party providers for security compliance.
  • Rotate vendors for audits and penetration testing to surface a wider range of vulnerabilities.
  • Align security frameworks with NIS2 (EU) or NIST (US) requirements.

Examples in practice: Banking apps that use OAuth 2.0 and OpenID Connect can allow customers to securely connect to personal finance management tools without exposing credentials. European banks meeting NIS2 access control requirements often implement multi-factor authentication (MFA), while US banks typically use the Advanced Encryption Standard (AES) to protect sensitive data.
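As an added illustration (not code from the original post or from Baltic Amadeus), the consent check an API gateway might run on every third-party request: the access token carries no customer credentials, only a reference to a consent record, and the call is allowed only if that consent is unrevoked, unexpired, bound to the same provider and customer, and covers the requested scope. All identifiers, scopes and the consent store below are constructed, and signature verification of the token against the identity provider is assumed to have happened upstream.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Consent:
    """Consent a customer (PSU) granted to one third-party provider (TPP)."""
    consent_id: str
    psu_id: str
    tpp_client_id: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


# Constructed sample consent store keyed by consent id (hypothetical values).
NOW = datetime(2025, 3, 21, 12, 0, tzinfo=timezone.utc)
CONSENTS = {
    "cns-001": Consent("cns-001", "psu-42", "tpp-pfm-app",
                       frozenset({"accounts:read", "balances:read"}), NOW + timedelta(days=90)),
    "cns-002": Consent("cns-002", "psu-42", "tpp-lender",
                       frozenset({"accounts:read"}), NOW + timedelta(days=90), revoked=True),
}


def authorize(claims: dict, requested_scope: str, psu_id: str, consents=CONSENTS, now=NOW):
    """Decide whether an already signature-verified token may call an endpoint.
    `claims` are the token's claims (sub, client_id, consent_id, scope, exp);
    `psu_id` is the customer whose resource the URL addresses.
    Returns (allowed, reason) so the gateway can log the exact denial cause."""
    if claims.get("exp", 0) <= now.timestamp():
        return False, "token_expired"
    consent = consents.get(claims.get("consent_id"))
    if consent is None:
        return False, "unknown_consent"
    if consent.revoked:
        return False, "consent_revoked"
    if consent.expires_at <= now:
        return False, "consent_expired"
    # Bind the token to the TPP and customer the consent was actually granted for.
    if consent.tpp_client_id != claims.get("client_id") or consent.psu_id != claims.get("sub"):
        return False, "consent_binding_mismatch"
    if consent.psu_id != psu_id:
        return False, "wrong_customer_resource"
    # The scope must be in the token AND still covered by the customer's consent.
    if requested_scope not in claims.get("scope", "").split():
        return False, "scope_not_in_token"
    if requested_scope not in consent.scopes:
        return False, "scope_not_consented"
    return True, "ok"
```

Returning the denial reason rather than a bare boolean is what makes revoked or over-scoped requests visible in gateway logs and consent dashboards.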

Mistake 4: Failing to modernise legacy banking systems

Outdated core systems limit a bank's capacity to deliver innovative open banking solutions. EU banks frequently face high modernisation costs, while US banks struggle to connect modern APIs with ageing platforms.

Why it matters: Legacy infrastructure reduces flexibility, slows innovation, and raises operational costs, making banks less competitive in a rapidly evolving market.

How to address it:

  • Adopt microservices and API gateways to bridge legacy and modern systems.
  • Implement scalable, cloud-based solutions to improve agility.
  • Partner with experienced technology providers to accelerate modernisation.

Banks that invest in modern infrastructure can deploy innovative services quickly and remain competitive in a digitally driven market.

Mistake 5: Overlooking real-time payments and data sharing

Instant transactions and timely data updates have become industry standards, yet many banks still rely on batch processing.

European PSD2 implementations often lack real-time capabilities, and SEPA Instant adoption remains uneven across the EU. In the US, real-time payment options are similarly fragmented. FedNow was introduced to enable instant payments, but adoption has been slow due to high implementation costs, ongoing fees, and fraud concerns. Many banks still rely on solutions like Zelle, which, despite its growth, operates on legacy infrastructure and is not fully real-time.

Why it matters: Delayed payments and stale data frustrate customers, impair timely financial decision-making, and reduce overall satisfaction with banking services.

How to address it:

  • Adopt instant payment solutions such as SEPA Instant (EU) and FedNow (US).
  • Transition to event-driven architectures to ensure timely data updates.
  • Standardise data sharing using frameworks like ISO 20022.

Mistake 6: Neglecting customer experience

A complex or frustrating user experience is one of the biggest barriers to open banking adoption. EU banks often overcomplicate consent flows due to strict regulatory requirements. US banks, by contrast, sometimes fail to communicate clearly how customer data is used, leading to distrust.

A Mastercard report highlights that building trust is central to open banking success, with transparent data-use policies and simplified consent processes identified as essential to driving wider acceptance.

Why it matters: Poor user experiences reduce trust, lower adoption rates, and decrease long-term engagement, undermining the entire open banking proposition.

How to address it:

  • Streamline customer journeys with simple, intuitive consent processes.
  • Clearly communicate how customer data is used and protected.
  • Provide easy-to-use dashboards for managing data permissions.

Frequently asked questions about open banking mistakes

What is the most common open banking mistake?  

Treating open banking as a compliance exercise rather than a strategic opportunity is the most widespread mistake. Banks that focus solely on meeting regulatory minimums miss out on the revenue growth, fintech partnerships, and customer loyalty benefits that a proactive strategy delivers.

How do EU and US open banking challenges differ?  

EU banks operate under prescriptive regulations (PSD2, PSD3, NIS2) that define what must be done but often result in minimal, compliance-only implementations. US banks face less regulatory pressure, but struggle with fragmentation, inconsistent API standards, uneven real-time payment adoption, and varied state regulations, making a cohesive strategy harder to execute.

How can banks improve their open banking API quality?  

Adopt recognised standards (FDX, Berlin Group, UK Open Banking), invest in comprehensive developer documentation, provide sandbox environments for testing, and build advanced features, such as real-time payment confirmation and variable recurring payments, that go beyond baseline compliance.

What security frameworks should banks follow for open banking?  

EU banks should align with NIS2 and implement OAuth 2.0, OpenID Connect, and MFA. US banks should follow NIST guidelines and apply AES encryption alongside rigorous third-party vetting. Rotating penetration testing vendors is also recommended to surface a broader range of vulnerabilities.

How does legacy infrastructure affect open banking?  

Legacy core systems lack the flexibility and speed needed for modern API-driven services. They increase integration costs, slow down deployment of new features, and make it difficult to support real-time payments. Microservices, API gateways, and cloud migration are the most effective paths forward.

Final thoughts on open banking mistakes

Banks that proactively address these six mistakes can fully leverage open banking potential. Prioritising strategic growth, robust security, modern infrastructure, real-time capabilities, and user-friendly experiences positions financial institutions to lead, not lag, in an increasingly digital industry.

At Baltic Amadeus, we help banks and financial institutions implement secure, scalable, and future-ready open banking solutions. Get in touch to explore how your institution can move from compliance to competitive advantage.

Let’s talk about your project

Starting something new or need support for an existing project? Reach out, and our experts will get back to you within one business day.
