The mandate. Why the US conversational- finance surface does not translate to Europe.
Up next
Author

📊 Full opportunity report: The mandate. Why the US conversational- finance surface does not translate to Europe. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The US rolled out a permissionless conversational finance surface in May 2026, but Europe’s regulatory framework requires licensing and consent, radically changing how such services are built and operated. This difference impacts market entry, competition, and consumer outcomes.

OpenAI launched its personal-finance surface in the United States on May 15, 2026, using a permissionless, API-based approach that requires no licensing or regulatory approval. In contrast, Europe’s regulatory environment mandates licensing, consent, and compliance, preventing a direct US-style rollout. This fundamental difference means that the same product cannot simply be ported across the Atlantic without significant re-architecture.

In the US, the launch of OpenAI’s personal-finance surface relied on a permissionless model: users connect their bank accounts via Plaid, and the platform aggregates data without needing licenses or explicit regulatory approval. This approach is rooted in a private, permissionless infrastructure that treats account access as a technical capability.

Europe’s environment, however, is governed by a complex framework of regulations. The revised Payment Services Directive (PSD2) and its successor PSD3 establish a mandate for licensed third-party providers to access payment accounts, requiring explicit user consent and regulatory approval. The upcoming FIDA regulation extends open banking to investments, pensions, and other financial data, creating a new licensing category—Financial Information Service Providers—expected to be operational around 2029-2030.

Additionally, the EU AI Act classifies AI systems used for credit scoring as high-risk, with strict obligations enforced by financial regulators like BaFin. These overlapping regimes mean that a conversational-finance surface in Europe must be built around licensing, consent, and AI classification, rather than permissionless API access. The architecture shifts from a product-first approach to a compliance-first framework, fundamentally altering market dynamics and entry barriers.

The Mandate — Thorsten Meyer AI
MANDATE
● DISPATCH / MAY 2026
THORSTEN MEYER AI · AGENTIC COMMERCE · § 03
AGENTIC COMMERCE · 03
EUROPE / MANDATE
Essay · Regulatory-Architecture Reading · 2026-05-26

The mandate.
Why the US conversational-
finance surface does not
translate to Europe.

In the US, account access is a product you buy and consent is a button you tap. In Europe, both are mandates you are licensed and supervised to fulfill.
The US surface shipped permissionlessly — connect via Plaid, 12,000+ institutions, read-only, no license. That rollout does not translate. In Europe every layer is a mandate. The foundation: PSD2 → PSD3/PSR (provisional agreement Nov 27 2025) makes account access a licensed, API-quality-supervised activity under a directly-applicable rulebook. The expansion: FIDA extends mandated access to investments, pensions, insurance, mortgages under a new FISP license — operational ~2029-2030, with a contested data-access fee at its core. The overlay: the EU AI Act classifies credit-scoring AI as high-risk (full obligations Aug 2 2026), supervised not by a tech regulator but by financial supervisors like BaFin. The structural argument: the US surface is built on a permissionless private substrate, and Europe has no permissionless substrate — it has a mandate at every layer. In the US compliance is an afterthought. In Europe, compliance is the architecture, and the conversational experience is the thin layer on top.
Thorsten Meyer ThorstenMeyerAI.com Munich · Iffeldorf Essay · ~5,200 words Agentic Commerce · 03
3
Overlapping mandates — payments,
data, AI — vs zero in the US build
7%
Of global turnover · the EU AI Act
maximum penalty
2029-30
When FIDA — the full-picture data
mandate — is likely operational
0
Permissionless routes to a European’s
bank data · it is a licensed activity
THE MANDATE· US SHIPPED PERMISSIONLESSLY · PLAID· EUROPE HAS A MANDATE AT EVERY LAYER· PSD2 MADE ACCESS A LICENSED ACTIVITY· PSD3/PSR · PROVISIONAL AGREEMENT NOV 27 2025· PSR DIRECTLY APPLICABLE ACROSS 27 STATES· MANDATORY API QUALITY · NO SCREEN-SCRAPING· FIDA · NEW FISP LICENSE· OPEN FINANCE · INVESTMENTS PENSIONS INSURANCE· DATA-ACCESS FEE THE CONTESTED CORE· EU AI ACT · CREDIT SCORING HIGH-RISK· FULL OBLIGATIONS AUG 2 2026· SUPERVISED BY BAFIN, NOT A TECH REGULATOR· CONSENT IS A DASHBOARD, NOT A BUTTON· COMPLIANCE IS THE ARCHITECTURE· THE MANDATE FAVORS THE LICENSED INCUMBENT· IN EUROPE YOU LICENSE A FINANCE SURFACE· THE MANDATE· US SHIPPED PERMISSIONLESSLY · PLAID· EUROPE HAS A MANDATE AT EVERY LAYER· PSD2 MADE ACCESS A LICENSED ACTIVITY· PSD3/PSR · PROVISIONAL AGREEMENT NOV 27 2025· PSR DIRECTLY APPLICABLE ACROSS 27 STATES· MANDATORY API QUALITY · NO SCREEN-SCRAPING· FIDA · NEW FISP LICENSE· OPEN FINANCE · INVESTMENTS PENSIONS INSURANCE· DATA-ACCESS FEE THE CONTESTED CORE· EU AI ACT · CREDIT SCORING HIGH-RISK· FULL OBLIGATIONS AUG 2 2026· SUPERVISED BY BAFIN, NOT A TECH REGULATOR· CONSENT IS A DASHBOARD, NOT A BUTTON· COMPLIANCE IS THE ARCHITECTURE· THE MANDATE FAVORS THE LICENSED INCUMBENT· IN EUROPE YOU LICENSE A FINANCE SURFACE·
FIG. 01 — THE SUBSTRATE · PRIVATE PRODUCT VS PUBLIC MANDATE
The US built account access privately and permissionlessly · Europe built it as public mandate
One architectural difference at the foundation propagates through the entire stack
United States
A product you buy
  • Access built by private aggregators — Plaid, Yodlee, MX, Finicity
  • No banking license required to read bank data
  • Read-only design sidesteps money-transmission rules
  • No single federal open-banking statute · the surface ships as a product
European Union
A mandate you fulfill
  • Access is a licensed activity — AISP / PISP under PSD2
  • Regulator authorization required; no permissionless route
  • Explicit, revocable, SCA-governed consent regime
  • A directly-applicable rulebook (PSR) · the surface must be licensed
The US surface shipped because the account-access layer it needed was already built, privately and permissionlessly, by Plaid — and because a read-only design kept it clear of the activities that trigger heavy regulation. That is the precise feature Europe does not share. Reading a European’s bank data without the right license is not a product — it is an unauthorized activity. The very first layer of the US build, the permissionless connect, is in Europe a regulatory authorization.
FIG. 02 — THE THREE-MANDATE STACK · WHAT THE SURFACE MUST SATISFY IN EUROPE
Payments, data, and AI — three overlapping regimes, all enforced by financial regulators
The US surface faced none of these at launch; the European surface faces all three at once
PSD3 / PSRPayments mandate
Account access is a licensed activity (AISP/PISP). PSR directly applicable across 27 states. Mandatory API quality, screen-scraping eliminated, IBAN-name checks, expanded fraud liability.
FIDAData mandate
Extends mandated access to investments, pensions, insurance, mortgages, loans under a new FISP license. Standardized APIs + consent dashboards. A contested data-access fee may make aggregation cost money.
EU AI ActAI mandate
Credit scoring + creditworthiness = high-risk (Annex III). Conformity assessment, documentation, human oversight. Supervised by financial regulators (BaFin, CSSF). Fines up to 7% of global turnover.
A finance surface in Europe must be licensed for payment-data access (or partner with someone who is), prepare for a FISP license to aggregate the full financial picture, and classify itself under the AI Act — where the most commercially attractive features (“what loan can I get?”) sit closest to the high-risk line. The AI that is “just a chatbot” in the US is, in Europe, a regulated system whose classification depends on exactly how useful it tries to be.
FIG. 03 — THE STAGGERED TIMELINE · A MOVING REGULATORY TARGET
The mandate is not one event but a sequence — and the staggering is a filter
The firms that win architect for the end-state mandate, not the current one
Aug 2025
EU AI Act · GPAI obligations live · the frontier models that power a finance surface already carry systemic-risk obligations
Live
Nov 27 2025
PSD3/PSR provisional agreement · Parliament and Council reach political agreement; final texts expected in the Official Journal in 2026
Agreed
Aug 2 2026
EU AI Act · high-risk obligations land · credit-scoring / creditworthiness Annex III duties apply (subject to Digital Omnibus)
Operative
2027
PSD3/PSR core obligations · directly-applicable conduct rules land across the year after the transition
Landing
~2029-2030
FIDA operational · the full-picture data mandate and FISP license arrive, in staggered sector-by-sector “waves”
Forming
Building for PSD3 today while FIDA and the AI Act high-risk regime are still settling means building for a target that is still moving — which favors firms with the regulatory-intelligence capacity to track it and the patience to build for 2030 rather than ship for 2026. The staggered timeline is itself a filter: it selects for regulatory endurance over launch speed.
FIG. 04 — THE CONSENT ARCHITECTURE · WHAT REPLACES THE “CONNECT” BUTTON
The single most optimized moment of the US product is the single most regulated moment of the European one
The European surface cannot inherit the US onboarding · it must build a different, regulated core
US · the “connect” button
EU · the consent architecture
One tap, broad scope, single permissionless flow
Granular, revocable, dashboard-managed consent
Broad, ongoing access by default
Purpose-bound — GDPR data minimization applies
Consent is a button; the surface is the product
Consent is the product; the surface is the interface
Optimized for frictionlessness
Friction mandated by design — visible, auditable
The US default — collect broadly, use later — is the European violation. The consent dashboard, the granular permission model, the revocation flows, the purpose-binding, the audit trail are not features bolted onto the conversational experience; they are the regulated core that the experience sits on top of. The European surface is, by regulation, higher-friction at exactly the moment the US surface optimized for frictionlessness.
FIG. 05 — WHO BUILDS THE EUROPEAN SURFACE · THE REDISTRIBUTION OF ADVANTAGE
The mandate does not just slow the US surface — it changes who wins
Advantage moves from permissionless speed to licensed position
Disadvantaged
The US winners
A frontier lab + permissionless aggregator. Their core competency — permissionless speed and reach — is exactly what the mandate removes. No AISP/FISP license, no BaFin relationship. Arrive needing a license stack they don’t have.
Advantaged
Licensed EU fintechs
Already authorized AISPs/PISPs, PSD3-compliant API fleets, consent-native. “The lab + a licensed European partner” — and the partner holds more leverage than Plaid, because the license is scarcer than an API.
Advantaged
Incumbent banks
Already hold the data, licenses, consent relationships, supervisory standing. The incumbent disintermediated in the US thesis is, in Europe, structurally protected — the mandate that gates the challenger does not gate the bank.
In the US, the advantage went to whoever integrated the permissionless layer fastest and built the best surface on top. In Europe, it goes to whoever holds the licenses, the supervisory relationships, and the consent architecture. The mandate redistributes the advantage from the permissionless aggregator-and-lab toward the licensed incumbent-and-specialist — and Europe’s regulation is, among other things, an incumbent-protection architecture, whether or not that is its intent.
The architecture diverges at the foundation: the American surface treats account access as a product you buy and consent as a button you tap, while Europe treats both as mandates you are licensed and supervised to fulfill. In the US, you ship a finance surface. In Europe, you license one.
Thorsten Meyer · The Mandate · Agentic Commerce 03
Source dossier
  • Norton Rose Fulbright · PSD3 and PSR: 2026 readinessprovisional agreement Nov 27 2025 · Official Journal end Q2 2026 · PSR application 18 months after entry, IBAN/name verification at 24 months · existing PI/EMI licences grandfathered subject to re-authorization · FIDA still in trilogue · nortonrosefulbright.com
  • Morrison Foerster · PSD3/PSR Key DevelopmentsApr 22-23 2026 final compromise texts before national reps · PSR directly applicable (SCA, open banking, fraud liability) · EMIs become PI sub-category · mandatory IBAN-name check · regulators act “without delay” on poor APIs · mofo.com
  • FinlexPro · PSD3/PSR Fintech Guide 2026PSR directly applicable, no transposition · PSD2’s deliberately-poor “dedicated interface” failure · mandatory API dashboards · screen-scraping fallback elimination · Confirmation of Payee mandatory · status April 2026 · finlexpro.com
  • G+D Spotlight · EU Open Finance (FiDA)FIDA in the June 2023 package · expected adoption mid-2026, implementation late 2027 in staggered “waves” · covers mortgages/loans/savings/investments/insurance/pensions/crypto · user-consent, silo-removal, standardized APIs · gi-de.com
  • Crassula · PSD3/PSR + FIDAFIDA still in trilogue April 2026 · creates the FISP category · operational ~2029-2030 · compensation mechanism between data holders and data users the single most contested item · the regulatory layer vs the product layer · crassula.io
  • EU AI Act (official) · digital-strategy.ec.europa.euin force Aug 1 2024, fully applicable Aug 2 2026 · prohibited practices + AI literacy from Feb 2025 · GPAI from Aug 2 2025 · product-embedded high-risk to Aug 2 2028 under the AI omnibus · digital-strategy.ec.europa.eu
  • MIT HDSR · Credit Underwriting Under the AI Acthigh-risk credit-underwriting under Articles 9-19 (providers) / 26-27 (deployers) · Article 74(6): national financial supervisors (BaFin) are the market-surveillance authorities for high-risk AI connected to financial services · hdsr.mitpress.mit.edu
  • Rasa · EU AI Act & Financial ServicesAug 2 2026 critical deadline · credit scoring, insurance pricing, certain customer-service AI high-risk under Annex III · sits on GDPR, intersects DORA · Digital Omnibus may adjust but planning around delays is unwise · rasa.com
  • Decode the Future / Vision Compliance · EU AI Act 2026four tiers, fines up to €35M or 7% of global turnover · RAG/agent builders likely “deployers”; substantial fine-tuning reclassifies as “provider” · systemic-risk GPAI (>10²⁵ FLOPs) = largest frontier models · decodethefuture.org
  • The bank account in the chat / The unbundling of the budget app · Thorsten Meyer · Agentic Commerce 01-02 · the US surface launched May 15 2026 on Plaid, read-only, permissionless · the private-aggregator substrate this piece contrasts against the European mandate
Colophon

Set in Source Serif 4 (display, italic accent), EB Garamond (body), IBM Plex Sans (UI labels), IBM Plex Mono (mastheads, ticker, stamps). Paper-cool gray-cream #e6e7e4.

Chromatic register: structural-slate dominant (the institutional/regulatory-architecture register), transition-bronze for the US permissionless substrate, empirical-clay for the FIDA data-mandate forensic, labor-rose for the AI Act overlay and the consent-friction the mandate imposes, alternative-sage for the redistribution toward licensed players, synthesis-deep for close.

Key frame:

MANDATE · PRIVATE VS PUBLIC SUBSTRATE THE THREE-MANDATE STACK PSD3/PSR · FIDA · AI ACT A STAGGERED, MOVING TARGET CONSENT IS A DASHBOARD, NOT A BUTTON COMPLIANCE IS THE ARCHITECTURE ADVANTAGE TO THE LICENSED SUPERVISED BY BAFIN, NOT A TECH REGULATOR IN EUROPE YOU LICENSE A SURFACE

Impacts of Regulatory Architecture on Market Entry

This regulatory divergence significantly influences market structure, competition, and consumer outcomes. In the US, permissionless access lowers entry barriers, favoring new entrants and innovation. In Europe, licensing and consent requirements create a moat around incumbents, favoring licensed, compliant firms and potentially slowing innovation but increasing control and security.

Understanding this difference is crucial for firms planning to operate across borders, as the regulatory architecture determines not just compliance costs but also the fundamental design of the services they can offer and the competitive landscape they face.

AI Agent + API: How to Connect Your Agent to the Internet and Services

AI Agent + API: How to Connect Your Agent to the Internet and Services

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Regulatory Frameworks Shaping Data Access

The US’s permissionless model, exemplified by Plaid’s API, emerged from a private sector-driven approach to open banking, with minimal regulatory intervention. Conversely, Europe’s approach is rooted in public regulation: PSD2, PSD3, and FIDA establish a layered, mandated structure for data access, with explicit licensing, consent, and AI classification requirements.

These frameworks are evolving, with final texts of PSD3 expected in 2026 and FIDA expected around 2029-2030. The AI Act’s high-risk classification for financial AI systems further complicates deployment, requiring supervised compliance and detailed assessments.

This layered regulatory environment transforms the architecture from one of permissionless innovation to a mandated, license-based system, fundamentally changing how financial data services are built and scaled in Europe compared to the US.

“The US surface is built on a permissionless substrate, while Europe’s is a mandate-driven architecture. This difference in design fundamentally inverts how these services are constructed and operated.”

— Thorsten Meyer

Express Schedule Free Employee Scheduling Software [PC/Mac Download]

Express Schedule Free Employee Scheduling Software [PC/Mac Download]

Simple shift planning via an easy drag & drop interface

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Outcomes of Regulatory-Driven Market Shifts

It remains uncertain how these regulatory differences will impact consumer outcomes, innovation, and market competition over time. While the European model emphasizes control and security, it may also slow the pace of innovation and market entry, but this has yet to be conclusively demonstrated.

Further developments in the implementation of FIDA, PSD3, and AI regulation will shape the actual market impact, but the long-term effects remain uncertain.

Amazon

European PSD2 banking access devices

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Regulatory and Market Development

European regulators are expected to finalize PSD3 and FIDA regulations by 2026-2027, with operational requirements beginning around 2029-2030. Firms interested in building European-compatible surfaces will need to obtain licenses and adapt to consent and AI classification regimes.

In parallel, US firms may need to adjust their models if they seek to expand into Europe, as the permissionless approach is incompatible with the mandated architecture. Monitoring regulatory updates and market responses will be critical in the coming years.

Credit Scoring and AI: How Machine Intelligence Is Transforming Risk, Fairness, and the Future of Lending (AI & Personal Finance Book 6)

Credit Scoring and AI: How Machine Intelligence Is Transforming Risk, Fairness, and the Future of Lending (AI & Personal Finance Book 6)

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why can’t US permissionless finance surfaces be directly used in Europe?

Because Europe’s regulations require licensing, explicit user consent, and compliance with AI and data access rules, which are fundamentally different from the permissionless, API-based US model.

What are the main regulatory frameworks affecting data access in Europe?

PSD2, PSD3, FIDA, and the AI Act are the key regulations, creating a layered, mandated, license-based environment for financial data and AI systems.

How does the European approach impact market competition?

The licensing and consent requirements raise barriers to entry, favor incumbents and licensed firms, and may slow innovation compared to the US permissionless environment.

When will the European open-finance regulations become fully operational?

FIDA is expected to be operational around 2029-2030, with PSD3 final texts likely in 2026, shaping the future landscape of data access and AI use in finance.

Will the European regulatory approach improve consumer protection?

While it aims to enhance security and control through licensing and consent, whether it leads to better consumer outcomes remains an open question and subject to ongoing evaluation.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like
The pyramid cracks. What agentic AI does to the consulting leverage model.

The pyramid cracks. What agentic AI does to the consulting leverage model.

Generative AI is disrupting the traditional consulting pyramid, shifting value from analysis to deployment and causing structural industry changes.
15 companies headquartered in New Jersey among Fortune 500 list

15 companies headquartered in New Jersey among Fortune 500 list

Fifteen companies headquartered in New Jersey are on the 2026 Fortune 500 list, reflecting the state’s significant corporate presence and economic influence.
AI Trading Bot — Week Two: The candidate edge collapsed

AI Trading Bot — Week Two: The candidate edge collapsed

The promising BTC fair-value strategy lost nearly all its gains in week two, with all tested approaches now in the red, raising doubts about the viability of the bot’s methods.
The runway.How enterprise-revenuelock becomes the load-bearing valuation argument.

The runway.How enterprise-revenuelock becomes the load-bearing valuation argument.

OpenAI and Anthropic are preparing record-breaking IPOs, with enterprise revenue as the core valuation argument amid uncertain margins and profitability.