📊 Full opportunity report: The mandate. Why the US conversational- finance surface does not translate to Europe. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The US rolled out its conversational-finance surface without regulatory constraints, while Europe’s approach is built on a complex mandate system. This fundamental difference impacts market access, compliance, and who can build these services.

OpenAI launched its personal-finance surface in the US on May 15, 2026, using a permissionless model that allows access to bank data without licensing or regulation hurdles. In contrast, Europe’s approach remains deeply regulated, requiring licenses, consent, and conformity assessments due to its open-banking and open-finance regimes.

In the United States, the launch was permissionless: companies could connect accounts via Plaid without needing licenses or regulatory approval, enabling rapid deployment of conversational finance tools. This model relies on a private, permissionless API layer that treats data access as a product feature.

Europe’s landscape is fundamentally different. Since 2018, the PSD2 regulation mandated that third-party providers operate under licenses and adhere to strict API standards. The upcoming PSD3 and Payment Services Regulation (PSR) are set to further embed these requirements, making data access a regulated activity. The open-finance framework extends these rules to include investments, pensions, and loans, creating a new licensing category, the Financial Information Service Provider, with operational dates projected around 2029–2030.

Additionally, the EU AI Act classifies AI systems used in credit scoring and financial assessments as high-risk, with strict obligations coming into force in August 2026. These regulations are enforced by financial regulators like Germany’s BaFin, not tech regulators, adding a layer of supervision that is absent in the US model.

The Mandate — Thorsten Meyer AI
MANDATE
● DISPATCH / MAY 2026
THORSTEN MEYER AI · AGENTIC COMMERCE · § 03
AGENTIC COMMERCE · 03
EUROPE / MANDATE
Essay · Regulatory-Architecture Reading · 2026-05-26

The mandate.
Why the US conversational-
finance surface does not
translate to Europe.

In the US, account access is a product you buy and consent is a button you tap. In Europe, both are mandates you are licensed and supervised to fulfill.
The US surface shipped permissionlessly — connect via Plaid, 12,000+ institutions, read-only, no license. That rollout does not translate. In Europe every layer is a mandate. The foundation: PSD2 → PSD3/PSR (provisional agreement Nov 27 2025) makes account access a licensed, API-quality-supervised activity under a directly-applicable rulebook. The expansion: FIDA extends mandated access to investments, pensions, insurance, mortgages under a new FISP license — operational ~2029-2030, with a contested data-access fee at its core. The overlay: the EU AI Act classifies credit-scoring AI as high-risk (full obligations Aug 2 2026), supervised not by a tech regulator but by financial supervisors like BaFin. The structural argument: the US surface is built on a permissionless private substrate, and Europe has no permissionless substrate — it has a mandate at every layer. In the US compliance is an afterthought. In Europe, compliance is the architecture, and the conversational experience is the thin layer on top.
3
Overlapping mandates — payments,
data, AI — vs zero in the US build
7%
Of global turnover · the EU AI Act
maximum penalty
2029-30
When FIDA — the full-picture data
mandate — is likely operational
0
Permissionless routes to a European’s
bank data · it is a licensed activity
THE MANDATE· US SHIPPED PERMISSIONLESSLY · PLAID· EUROPE HAS A MANDATE AT EVERY LAYER· PSD2 MADE ACCESS A LICENSED ACTIVITY· PSD3/PSR · PROVISIONAL AGREEMENT NOV 27 2025· PSR DIRECTLY APPLICABLE ACROSS 27 STATES· MANDATORY API QUALITY · NO SCREEN-SCRAPING· FIDA · NEW FISP LICENSE· OPEN FINANCE · INVESTMENTS PENSIONS INSURANCE· DATA-ACCESS FEE THE CONTESTED CORE· EU AI ACT · CREDIT SCORING HIGH-RISK· FULL OBLIGATIONS AUG 2 2026· SUPERVISED BY BAFIN, NOT A TECH REGULATOR· CONSENT IS A DASHBOARD, NOT A BUTTON· COMPLIANCE IS THE ARCHITECTURE· THE MANDATE FAVORS THE LICENSED INCUMBENT· IN EUROPE YOU LICENSE A FINANCE SURFACE· THE MANDATE· US SHIPPED PERMISSIONLESSLY · PLAID· EUROPE HAS A MANDATE AT EVERY LAYER· PSD2 MADE ACCESS A LICENSED ACTIVITY· PSD3/PSR · PROVISIONAL AGREEMENT NOV 27 2025· PSR DIRECTLY APPLICABLE ACROSS 27 STATES· MANDATORY API QUALITY · NO SCREEN-SCRAPING· FIDA · NEW FISP LICENSE· OPEN FINANCE · INVESTMENTS PENSIONS INSURANCE· DATA-ACCESS FEE THE CONTESTED CORE· EU AI ACT · CREDIT SCORING HIGH-RISK· FULL OBLIGATIONS AUG 2 2026· SUPERVISED BY BAFIN, NOT A TECH REGULATOR· CONSENT IS A DASHBOARD, NOT A BUTTON· COMPLIANCE IS THE ARCHITECTURE· THE MANDATE FAVORS THE LICENSED INCUMBENT· IN EUROPE YOU LICENSE A FINANCE SURFACE·
FIG. 01 — THE SUBSTRATE · PRIVATE PRODUCT VS PUBLIC MANDATE
The US built account access privately and permissionlessly · Europe built it as public mandate
One architectural difference at the foundation propagates through the entire stack
United States
A product you buy
  • Access built by private aggregators — Plaid, Yodlee, MX, Finicity
  • No banking license required to read bank data
  • Read-only design sidesteps money-transmission rules
  • No single federal open-banking statute · the surface ships as a product
European Union
A mandate you fulfill
  • Access is a licensed activity — AISP / PISP under PSD2
  • Regulator authorization required; no permissionless route
  • Explicit, revocable, SCA-governed consent regime
  • A directly-applicable rulebook (PSR) · the surface must be licensed
The US surface shipped because the account-access layer it needed was already built, privately and permissionlessly, by Plaid — and because a read-only design kept it clear of the activities that trigger heavy regulation. That is the precise feature Europe does not share. Reading a European’s bank data without the right license is not a product — it is an unauthorized activity. The very first layer of the US build, the permissionless connect, is in Europe a regulatory authorization.
FIG. 02 — THE THREE-MANDATE STACK · WHAT THE SURFACE MUST SATISFY IN EUROPE
Payments, data, and AI — three overlapping regimes, all enforced by financial regulators
The US surface faced none of these at launch; the European surface faces all three at once
PSD3 / PSRPayments mandate
Account access is a licensed activity (AISP/PISP). PSR directly applicable across 27 states. Mandatory API quality, screen-scraping eliminated, IBAN-name checks, expanded fraud liability.
FIDAData mandate
Extends mandated access to investments, pensions, insurance, mortgages, loans under a new FISP license. Standardized APIs + consent dashboards. A contested data-access fee may make aggregation cost money.
EU AI ActAI mandate
Credit scoring + creditworthiness = high-risk (Annex III). Conformity assessment, documentation, human oversight. Supervised by financial regulators (BaFin, CSSF). Fines up to 7% of global turnover.
A finance surface in Europe must be licensed for payment-data access (or partner with someone who is), prepare for a FISP license to aggregate the full financial picture, and classify itself under the AI Act — where the most commercially attractive features (“what loan can I get?”) sit closest to the high-risk line. The AI that is “just a chatbot” in the US is, in Europe, a regulated system whose classification depends on exactly how useful it tries to be.
FIG. 03 — THE STAGGERED TIMELINE · A MOVING REGULATORY TARGET
The mandate is not one event but a sequence — and the staggering is a filter
The firms that win architect for the end-state mandate, not the current one
Aug 2025
EU AI Act · GPAI obligations live · the frontier models that power a finance surface already carry systemic-risk obligations
Live
Nov 27 2025
PSD3/PSR provisional agreement · Parliament and Council reach political agreement; final texts expected in the Official Journal in 2026
Agreed
Aug 2 2026
EU AI Act · high-risk obligations land · credit-scoring / creditworthiness Annex III duties apply (subject to Digital Omnibus)
Operative
2027
PSD3/PSR core obligations · directly-applicable conduct rules land across the year after the transition
Landing
~2029-2030
FIDA operational · the full-picture data mandate and FISP license arrive, in staggered sector-by-sector “waves”
Forming
Building for PSD3 today while FIDA and the AI Act high-risk regime are still settling means building for a target that is still moving — which favors firms with the regulatory-intelligence capacity to track it and the patience to build for 2030 rather than ship for 2026. The staggered timeline is itself a filter: it selects for regulatory endurance over launch speed.
FIG. 04 — THE CONSENT ARCHITECTURE · WHAT REPLACES THE “CONNECT” BUTTON
The single most optimized moment of the US product is the single most regulated moment of the European one
The European surface cannot inherit the US onboarding · it must build a different, regulated core
The US default — collect broadly, use later — is the European violation. The consent dashboard, the granular permission model, the revocation flows, the purpose-binding, the audit trail are not features bolted onto the conversational experience; they are the regulated core that the experience sits on top of. The European surface is, by regulation, higher-friction at exactly the moment the US surface optimized for frictionlessness.
FIG. 05 — WHO BUILDS THE EUROPEAN SURFACE · THE REDISTRIBUTION OF ADVANTAGE
The mandate does not just slow the US surface — it changes who wins
Advantage moves from permissionless speed to licensed position
Disadvantaged
The US winners
A frontier lab + permissionless aggregator. Their core competency — permissionless speed and reach — is exactly what the mandate removes. No AISP/FISP license, no BaFin relationship. Arrive needing a license stack they don’t have.
Advantaged
Licensed EU fintechs
Already authorized AISPs/PISPs, PSD3-compliant API fleets, consent-native. “The lab + a licensed European partner” — and the partner holds more leverage than Plaid, because the license is scarcer than an API.
Advantaged
Incumbent banks
Already hold the data, licenses, consent relationships, supervisory standing. The incumbent disintermediated in the US thesis is, in Europe, structurally protected — the mandate that gates the challenger does not gate the bank.
In the US, the advantage went to whoever integrated the permissionless layer fastest and built the best surface on top. In Europe, it goes to whoever holds the licenses, the supervisory relationships, and the consent architecture. The mandate redistributes the advantage from the permissionless aggregator-and-lab toward the licensed incumbent-and-specialist — and Europe’s regulation is, among other things, an incumbent-protection architecture, whether or not that is its intent.
The architecture diverges at the foundation: the American surface treats account access as a product you buy and consent as a button you tap, while Europe treats both as mandates you are licensed and supervised to fulfill. In the US, you ship a finance surface. In Europe, you license one.
Thorsten Meyer · The Mandate · Agentic Commerce 03

European Regulatory Architecture Reshapes Market Access

The core difference between US and European approaches is architectural: the US treats the finance surface as a product built permissionlessly, with compliance as an afterthought. Europe’s system is built around licenses, consent dashboards, and AI classification, making compliance the foundation of the entire ecosystem. This shift favors incumbents with licenses and regulatory expertise, potentially slowing innovation but increasing control and consumer protection.

For consumers, this means European services will be more regulated, possibly more secure, but less agile. For firms, the barrier to entry is higher, and the competitive landscape favors those with existing licenses and regulatory relationships.

Amazon

open banking API developer tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Open-Banking and Open-Finance Legal Foundations

Europe’s open-banking regime was established by PSD2 in 2018, requiring licensed third-party providers to access bank data via regulated APIs. The upcoming PSD3 and PSR will strengthen these requirements, making account access a licensed activity. The open-finance framework, through FIDA, extends these principles beyond payments to include investments, pensions, and loans, creating a new licensing category, the Financial Information Service Provider, expected to become operational around 2029–2030.

Simultaneously, the EU AI Act, effective August 2026, classifies AI systems used in high-risk financial decision-making as high-risk, requiring strict compliance and supervision by financial authorities like BaFin. This layered regulatory environment fundamentally differs from the US permissionless model, where such regulation is minimal or absent.

“The US surface is built on permissionless access, while Europe’s is a license-driven architecture. This fundamental difference redefines who can build and how these services operate.”

— Thorsten Meyer

Connect 1-Semester Access Card for Financial Accounting

Connect 1-Semester Access Card for Financial Accounting

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Impact on Innovation and Consumer Outcomes

It remains uncertain whether Europe’s mandate-based architecture will lead to better consumer protection or result in slower, more concentrated innovation. The long-term effects of these regulatory differences are still being observed and debated. Learn more about the implications of regulatory architectures.

Machine Learning for Credit Risk with Python: A Practical Guide to Default Prediction, Credit Scoring, Model Explainability, and Portfolio Risk Analysis

Machine Learning for Credit Risk with Python: A Practical Guide to Default Prediction, Credit Scoring, Model Explainability, and Portfolio Risk Analysis

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Upcoming Regulatory Milestones and Market Shifts

Europe’s PSD3, PSR, and FIDA regulations are expected to become fully operational by 2029–2030, shaping the landscape for open-finance services. Meanwhile, AI obligations under the EU AI Act will be enforced starting August 2026, influencing how AI-driven financial tools are developed and deployed. Observers will watch how these regulations influence market entry, innovation, and consumer protection.

The Financial Crime Compliance Handbook: From Fundamentals to Advanced Techniques for Modern FinCrime Teams

The Financial Crime Compliance Handbook: From Fundamentals to Advanced Techniques for Modern FinCrime Teams

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does the US permissionless model differ from Europe’s regulated approach?

The US model allows companies to connect bank accounts without licenses or regulation, relying on private APIs like Plaid. Europe’s approach mandates licenses, consent dashboards, and conformity assessments, making data access a regulated activity.

Will Europe’s regulatory framework slow down innovation?

It is possible. The higher barriers to entry and compliance requirements may favor established firms and slow the pace of new entrants, but could also lead to more secure and consumer-protective services.

What role will AI regulation play in European financial services?

The EU AI Act classifies high-risk AI systems used in finance as high-risk, imposing strict obligations starting August 2026. This will influence the development and deployment of AI tools in European financial markets.

Are there any companies currently building the European version of the US surface?

Yes, firms with existing licenses and regulatory compliance infrastructure are positioned to develop these services, but the landscape is still evolving as regulations finalize and become operational.

Could the European approach lead to better consumer protection?

It is a possibility, given the emphasis on licensing, consent, and AI oversight, but definitive outcomes will depend on implementation and market response over time.

Source: ThorstenMeyerAI.com

You May Also Like

Meta Data Center Water Discharges Suspended For Contaminating Water Supply

Meta has halted water discharges from its data center following reports of water supply contamination. Investigation ongoing, impact unclear.

The calendar technicality. Why Elon Musk’s lawsuit against Sam Altman and OpenAI lost on timing, not on substance.

A California jury dismissed Musk’s lawsuit against OpenAI on statute of limitations grounds, clearing IPO hurdles but leaving broader legal questions unresolved.

The referral. How AI search severs the content-for-traffic contract that funded the open web.

AI search now answers queries directly, cutting off traditional referral traffic to publishers, threatening their revenue model.

The rails. Why European agentic commerce is co-defined by two converging regimes.

Europe’s agentic commerce is being shaped by two converging regulatory regimes—PSD3/PSR and the AI Act—creating a complex, statutory infrastructure that differs from US models.