Open Finance Oversight and Supervision: Emerging Practices and Early Lessons

Highlights

  • Open finance holds transformative potential—enabling consumers and businesses to share their financial data securely across providers, driving competition, innovation, and financial inclusion. But realizing these benefits depends on one critical condition: effective oversight. This working paper argues that supervision must be built into the foundation of any open finance framework, not treated as an afterthought.
  • Combining in-country work with global desk research and stakeholder interviews, this paper brings new insights on the supervision of open finance. The objective is to inform policy and regulatory design in emerging markets and developing economies by drawing on insights from more mature open finance systems. It also fills a knowledge gap in open finance supervision—one of the key topics of discussion in financial inclusion policy. 
  • This paper identifies the core supervisory priorities financial service authorities (FSAs) should focus on in the early years of implementation: monitoring API performance and ecosystem health, ensuring that consent journeys are transparent and fair for consumers, guarding against fraud and data misuse, and tracking whether open finance helps achieve the stated policy objective. These priorities reflect a broader shift in supervisory philosophy—from monitoring rule compliance to actively monitoring whether open finance is delivering on its stated policy goals.

Executive Summary

The global expansion of open finance is reshaping financial systems by enabling customer-permissioned data sharing across financial and non-financial institutions. While this transformation offers significant opportunities for innovation, competition, and financial inclusion, it also introduces new risks and enhances existing ones. For financial sector authorities (FSAs) in emerging markets, effective oversight and supervision are essential to unlock the benefits of open finance while mitigating its risks. Oversight and supervision should not be an afterthought but a foundational element of open finance design. By embedding supervisory considerations early in regulatory design and leveraging the experience of early movers, FSAs in emerging markets and developing economies (EMDEs) can build resilient, inclusive, and competitive open finance ecosystems.

Despite the early stage of open finance oversight and supervision, this paper draws emerging lessons from current practices, focusing on the role of FSAs and drawing on global experiences and interviews with authorities and other stakeholders. The objective is to inform policy and regulatory design, as many EMDEs are now at this stage.

Key lessons that apply to both open finance and open banking revolve around leveraging and adapting existing approaches and resources, ensuring internal and external coordination, and building rich data infrastructure to support effective oversight and supervision. Specifically, FSAs need to:

  1. Start early: Planning for oversight and supervision during the regulatory design phase will help avoid challenges such as data gaps, misallocation of resources and duplication of efforts, and difficulty embedding policy goals in supervisory activities and staff training. Early planning should also ensure that all ecosystem participants are subject to regulation and supervision. Planning should cover topics such as supervisory models (e.g., interagency cooperation); how to incorporate new players into the FSA's remit and open finance into existing risk-based approaches; how to organize the licensing process; how to design the reporting framework; whether and how implementation bodies will be leveraged to support oversight and supervision; and the potential need for additional human resources and technology.
  2. Clarify roles and coordinate: Multiple FSAs and non-financial sector authorities may be involved in open finance implementation. FSAs and cross-sector authorities, such as data protection, competition, and consumer protection authorities, should clarify their respective roles in line with their legal mandates and coordinate to ensure clarity, coherence, and complementarity of their responses. Among FSAs, collaboration is crucial to achieve oversight of the entire ecosystem, and joint oversight arrangements may also be considered.
  3. Adopt a risk-based approach, with robust oversight as the foundation, and leverage existing models, skills, resources, and structures: While oversight focuses on the open finance ecosystem, supervision focuses on individual participants. Supervision will often combine entities that are already subject to supervision with those newly brought to the FSA's remit (e.g., payment initiation service providers (PISPs), account information service providers (AISPs), and implementation bodies). Given the dynamics of open finance ecosystems and the policy objectives, an effective approach is to prioritize building robust oversight as the foundation, complemented by supervision. Both functions should leverage existing models, skills, resources, and structures.
  4. Embed policy goals in oversight and supervision and focus on key priorities for the initial years of implementation: FSAs should focus on priorities in the initial years of open finance implementation, based on the experience of FSAs to date. Four early-stage priorities are: maintaining high levels of ecosystem performance; ensuring excellent user experience with open finance services; confirming that participants mitigate fraud and data protection risks; and monitoring the evolution of use cases implemented by participants. These priorities align with key policy objectives articulated in many open finance frameworks, such as competition, innovation, financial inclusion, and consumer empowerment and user experience. Achieving these priorities requires oversight and supervision to foster good business practices, rather than being limited to compliance checks.
  5. Ensure open finance oversight specialization and close collaboration between oversight and supervision: Effective oversight requires monitoring new, potentially voluminous data and developing new expertise to monitor ecosystem performance and assess alignment with policy goals. Existing oversight skills and organizational arrangements can be leveraged, but early experience suggests that greater specialization is needed. Whether FSAs establish a dedicated team for open finance oversight will depend on factors such as budget, the ecosystem's size and stage of development, the expertise of available staff, the availability of supervisory technology (SupTech), and whether and how implementation bodies are leveraged for oversight and supervision. Close collaboration between oversight and supervision is crucial: robust oversight will support risk-based supervision through the timely detection of issues for supervisory action and serve as a key input into supervisory planning.
  6. Leverage (and adapt, as needed) existing risk-based supervision models and teams: In the case of ecosystem participants that are already supervised, open finance can be integrated into existing risk-based supervision models and teams. For new participants such as AISPs and PISPs, FSAs may adapt existing risk assessment models for lower-complexity entities, such as small payment service providers, emphasizing areas such as data and cybersecurity. As open finance is a cross-sector ecosystem, cross-team collaboration becomes crucial, particularly between generalist supervisors and IT and cybersecurity specialists, and between these groups and the oversight team.
  7. Focus on prompt corrective measures while using enforcement powers as a credible deterrent: Open finance oversight and supervision require prompt action by FSAs to meet key priorities that support policy goals. FSAs should enable and prioritize corrective measures to solve operational or conduct issues that could affect ecosystem performance and public trust if left unaddressed. This approach can be more effective in the fast-paced open finance context than pursuing formal enforcement for all situations. At the same time, the threat of proportionate enforcement should always exist and work as a credible deterrent against misconduct and non-compliance. Timely course correction relies on more informal and constant engagement with participants, for example, via phone calls, which may differ from current practices. It also depends on the quality of oversight and the effectiveness of cross-team information-sharing.
  8. Use comprehensive, high-frequency data and leverage technology: Ideally, data used for open finance oversight and supervision must be comprehensive and high frequency, include rich quantitative and qualitative information, and cover all participants through a regulatory reporting regime. However, reporting content and frequency must align with the FSA's capacity to absorb such data and the open finance implementation model, which affects data collection methods and related costs. Early planning of the FSA's reporting regime, aligned with the chosen implementation model, should aim to produce a rich oversight dashboard and the needed risk indicators for supervision, while containing compliance costs for participants. Early planning will help FSAs identify internal and external hurdles to the frequent collection of high-quality data and address them before the open finance ecosystem expands. FSAs may need to gradually implement their reporting regime and pilot it with a few participants. When handling large data volumes, FSAs may need to invest in SupTech tools for automated data cleaning, analysis, visualization, and benchmarking.
  9. Leverage implementation bodies and subject them to oversight and supervision: Where they exist, FSAs can leverage implementation bodies to support oversight and supervision. Experience to date shows that, with adequate capacity, implementation bodies can undertake a range of tasks, from first-level ecosystem monitoring to the aggregation of reporting for the FSA. This model may reduce the burden on FSAs, particularly when resources are limited. Crucially, the regulatory design phase must address how implementation bodies will be brought within the FSA's supervisory remit. To date, there is no global experience with supervising these bodies, as most are not directly regulated or supervised by FSAs, and others are still being established. The scope of supervision for these entities will vary depending on the centralized services they offer, including whether they provide shared infrastructure such as Application Programming Interface (API) hubs. The global experience with auxiliary and delegated supervision may offer useful lessons for FSAs supervising implementation bodies and leveraging them for oversight and supervision of open finance.
  10. Support regulatory improvement, impact measurement, and public dissemination: Supervisory data and outputs should be used to inform regulatory improvements, including adjustments to accommodate emerging market practices and business niches, and to calibrate compliance costs for participants. They can also support impact analysis of market structure, consumer outcomes, and cost-effectiveness. FSAs may adopt a phased approach to impact measurement, prioritizing the use of existing data to minimize costs. Public dissemination efforts should be low-cost and high-impact, with early campaigns focused on building trust, especially around data security and consumer benefits.

Section 1: Introduction

Open finance refers to a range of financial data exchanges that allow consumers to direct financial service providers (FSPs) to share their financial information with other participating providers in a secure, standardized, and multilateral model. By breaking down data silos and fostering a level playing field (Plaitakis and Staschen 2020), open finance reshapes the relationship between customers and FSPs.1 It promotes greater competition and innovation while advancing financial inclusion (Kumaraswamy and Salman 2025; Salman et al. 2025; AFI 2025; Vidal and Sirtaine 2024). Open finance enhances inclusion by reducing costs and improving customer access, product fit, and user experience (Vidal and Sirtaine 2024). Moreover, open finance can empower consumers by giving them greater visibility and control over their financial data (CGAP, BIS, IMF, UNSGSA, and World Bank 2024; IDB 2023). Early evidence points to positive impacts, including improved financial performance of fintech firms through access to data and greater market entry (Polasik et al. 2020); improved loan terms and reduced lending costs (Doerr et al. 2023; Nam 2024); and increased financial access for underserved consumers and small enterprises (Alok et al. 2024; Babina et al. 2024; Nam 2024).

In countries where open finance is mature, the volume of activity can be staggering. For example, Brazil records billions of data exchanges every week and has more than 700 participating institutions; India has more than 100 million financial accounts consented to share financial data through the account aggregator ecosystem; and in the United Kingdom, one in five consumers use open banking. The high volumes of activity, the sensitivity of the data exchanged, and the vast networks of participants in open finance require robust oversight and supervision to mitigate the risks while maximizing benefits.2 Effective oversight and supervision promote responsible product offerings and support customer trust and adoption. They can also support impact measurement and regulatory improvements by generating valuable data and insights.

While there is a growing body of guidance to help FSAs strike the right balance in open finance policy and regulatory design (for example, Mazer and Farrell 2025; Mazer and Dias 2025; Arner et al. 2025; CCAF 2024; World Bank 2023; Medine and Plaitakis 2023; Plaitakis and Staschen 2020), there is limited guidance on how to oversee and supervise open finance ecosystems and their participants, including implementation bodies. CGAP, BIS, IMF, UNSGSA, and World Bank (2024) offer key considerations for designing an inclusive open finance framework across 10 elements, including oversight and supervision, which is the focus of this paper.

Open finance oversight and supervision involve monitoring complex, potentially vast ecosystems that process large transaction volumes while advancing broader policy goals such as competition, innovation, inclusion, and consumer empowerment and experience. Because it covers an infrastructure-based ecosystem, open finance oversight has similarities with payment system oversight: it requires monitoring ecosystem performance and shared infrastructure and services, depending on the design model. But unlike payments, these ecosystems do not exchange funds.3 The main assets are customer data and consent. Open finance generates new types of relationships (e.g., between data holders and data users and between customers and data users) that give rise to risks subject to supervisory scrutiny.

Financial sector authorities (FSAs) will need to develop new analytical capabilities and manage new types of data, while addressing more conventional concerns such as cybersecurity, and managing the overall level of effort, given that open finance is unlikely to be the FSA's top supervisory priority.

A key lesson from early implementers (Mazer and Dias 2025) is the importance of designing the oversight and supervision approach before the formal launch of open finance. Early design helps avoid challenges such as data gaps, misallocation of resources, duplication of efforts, and difficulty embedding policy goals into supervisory activities and staff training. Importantly, early planning should ensure that all ecosystem participants are subject to regulation and supervision. The oversight framework — in particular, offsite monitoring using high-frequency granular data — must also be designed early in the process, as the reporting regime shapes the design of open finance products and services, to ensure that the required reporting data can be generated for each product and service.

This paper explores the implications of model design on oversight and supervision by FSAs, outlines emerging supervisory practices, and distills early lessons, drawing on desk research and in-depth interviews with financial and non-financial authorities responsible for open finance, as well as other stakeholders. It also provides illustrative examples of supervisory analyses in priority areas in the Annex. This paper does not analyze implementation models or provide policy advice. It considers model design only to the extent that different options affect oversight and supervision. The objective is to help FSAs in EMDEs integrate supervisory considerations early in their policy and regulatory journey — thereby anticipating and avoiding implementation challenges and identifying, in a timely manner, adjustments to draft regulations or laws that might otherwise become difficult to address at a later stage. Where open banking schemes are sector-wide rather than based on individual initiatives and bilateral arrangements, this paper is also relevant for open banking supervision and oversight.


Section 2: The Impact of Model Design on Oversight and Supervision

CGAP, BIS, IMF, UNSGSA, and the World Bank (2024) present 10 key considerations for open finance and emphasize that design choices made under one element will impact other elements. Oversight and supervision roles played by FSAs are not only determined by their legal mandates — which interact with those of non-financial authorities such as data protection and competition agencies — but also by choices related to technical infrastructure and architecture (for example, whether to have a centralized API hub) and governance (for example, whether to have an implementation body). A key issue is whether an implementation body is created and which services it provides to the ecosystem in a centralized or partially centralized manner.4 Oversight and supervision will also be affected by the FSA's approach to further regulatory development and by the extent of its participation in ecosystem governance. Finally, a key issue is whether FSAs have supervisory and enforcement powers over all participants, including third-party service providers (TPPs), such as AISPs and PISPs, as well as implementation bodies, when they exist. This section further explores these issues.

2.1 Regulatory Powers and Regulatory Approach

First, the regulatory framework should ensure that FSAs have the necessary enforcement powers and resources to oversee the ecosystem, as well as the ability to apply proportionate supervision to all participants (CGAP et al. 2024). Without this foundation, effective oversight and supervision — and the continued refinement of the regulatory framework — are difficult. FSAs should have powers to oversee and supervise key aspects of the ecosystem, including: governance arrangements; cost-sharing agreements; pricing rules; user interfaces; dispute resolution and liability among participants; centralized infrastructure or services provided by implementation bodies; and the operational performance, risk management, and conduct of all ecosystem participants.5 FSAs should also be empowered to impose reporting requirements on all participants, including implementation bodies.

Second, the FSA's regulatory approach and level of involvement in the ecosystem governance can indirectly affect the availability of resources for oversight and supervision. Operational rules may require several refinements after the ecosystem is operational. The FSA's approach to developing regulations determines the level of effort required.

In Brazil, for instance, despite the creation of an implementation body, Open Finance Brasil, with a board and technical working groups to develop detailed technical rules and standards, the Central Bank of Brazil (CBB) maintains weekly calls with the implementation body.6 Both regulatory and supervisory CBB staff share this work. CBB formalizes most changes to technical rules developed through Open Finance Brasil, following decisions made among participants.7 While detailed regulations and close interaction with the industry governance structures provide greater certainty, they demand substantial effort from the FSA. The level of effort required to sustain continuous regulatory refinement should be considered early in the design phase to ensure that FSAs are adequately prepared to fulfill both their regulatory and oversight and supervision responsibilities.

Third, regulatory design should ensure that all open finance participants can be brought under the FSA's authority, including implementation bodies. Bringing AISPs and PISPs within the FSA's remit often requires the creation of new licensing categories, which may necessitate legal reforms.8 The same applies to implementation bodies. While these bodies will not exist in all models — for example, in Colombia and Mexico — they are becoming increasingly common, including in Brazil, India, Nigeria, United Arab Emirates (UAE), United Kingdom (UK), South Korea, and Türkiye. However, in most open finance frameworks these bodies are not explicitly brought under the FSA's remit. For instance, while the CBB has required the industry to establish Open Finance Brasil and set rules for its governance and operations, including imposing oversight and reporting obligations through its powers over individual open finance participants, it does not have the legal power to apply enforcement tools to Open Finance Brasil itself. Acquiring such powers would require legal reform. Even Chile and Mexico, where open finance was introduced through legal reform, have not addressed this topic. FSAs currently designing open finance models should strive to provide clarity regarding their powers over implementation bodies in initial laws and regulations.

2.2 Centralization of Key Operational Elements

FSAs are impacted by decisions on whether key operational elements are centralized, and the role they play in such centralization. Operational elements include infrastructure and services needed for the functioning of the open finance ecosystem. These may include accrediting participants, operating the participant directory, managing the API library or directory, and resolving errors and disputes among participants.

While all open finance schemes centralize participant and API directories, the extent of centralization in other aspects varies. Centralizing some aspects can benefit ecosystem efficiency and support oversight and supervision. Box 1 presents some of the benefits of centralizing error resolution and regulatory reporting.

Other aspects that can be centralized include shared fraud and scam monitoring services, billing systems, participant accreditation, and API connections (via API hubs). Centralization can also help level the playing field for participants and reduce compliance costs over the long run. For instance, Open Finance Brasil reported that, by providing an advanced monitoring platform (see section 3.3), it encourages smaller players to enter the ecosystem on a voluntary basis because they see value in these services as a way to reduce compliance costs. By increasing efficiency and participation, centralization can ultimately support the policy goals of greater competition, inclusion, and consumer empowerment and user experience.

Where centralization is done through an implementation body, participants (or a subset of them) may face high initial costs to establish and operate such a body. While the literature provides figures for the cost of some such bodies (for example, Open Finance Brasil 2025), it is too early to conclude when such costs are offset by the benefits generated.

Across jurisdictions, FSAs assume different levels of responsibility in centralizing operational elements. Centralization occurs in two ways: either by FSAs or other authorities, such as competition authorities, or by implementation bodies. Variation in the allocation of these and other open finance elements, including governance and regulation, gives rise to what Mazer and Dias (2025) describe as the five implementation archetypes. CCAF (2024) refers to a continuum from market-driven models to regulation-led models.

Countries can be placed on a continuum reflecting the extent of public- versus private-sector leadership in these roles (Figure 1). In Archetypes 1–3, FSAs have little or no role in operational elements, and their role in regulation begins in Archetype 3. From Archetype 4, regulations become mandatory, and Brazil's case shows that FSAs can become quite involved in codifying operational rules, even when they do not operate shared infrastructure. Towards Archetype 5, FSAs start centralizing operational elements. For example, the Australian Competition and Consumer Commission (ACCC) operates the participant directory (CDR Register) and accredits and onboards Accredited Data Recipients (ADRs). Chile's CMF is responsible for the participant directory, the developer portal, the API standards library, the technical sandbox, and for accrediting participants before including them in the directory. All of these functions are performed by the industry in Brazil and the UK. In Azerbaijan, the central bank goes one step further by operating an API hub to centralize connections.

In a growing number of countries, including Brazil, the UAE, and the UK, an implementation body has been created to centralize operational elements. These bodies centralize functions such as participant and API directories (in Brazil, Korea, Türkiye, the UAE and the UK); error and dispute resolution among participants (in Brazil, the UAE, and the UK); compliance monitoring (in Brazil and the UAE); and API connections via an API hub (for example, in South Korea through the Fair Trade Commission (KFTC), in Türkiye through the Interbank Card Center (BKM), and in the UAE through Nebras Open Finance). Implementation bodies in Brazil and the UK also undertake public dissemination activities, such as publishing statistics and promoting consumer awareness. There are also implementation bodies in Europe (for example, the Berlin Group and Open Banking Europe–Konsentus) that support financial institutions subject to the Payments Directive (PSD2), but participation in these bodies is not mandatory, and they are not regulated entities.

Box 1: Benefits When Error Resolution and Regulatory Reporting are Centralized

Error and Dispute Resolution Mechanisms: Centralized error resolution mechanisms, like those implemented in Brazil, the UAE, and the UK, enable timely resolution of operational errors, which is critical for the smooth functioning of open finance, fraud prevention, and trust (World Bank 2023). These mechanisms can include ticket management systems that categorize issues — such as rejected API calls, low API availability, or poor data quality — by type and severity (e.g., general issue, degraded service, critical issue, as used in the UK), assign priority levels to each case raised by participants, and define escalation paths that can trigger a formal dispute resolution process, which is often also centralized and standardized. Such systems can generate reports that provide valuable information for FSAs. Without such a shared service, participants must resolve issues directly with one another, each relying on its own internal policies to label, classify, and address events. This fragmented approach opens the door to discriminatory practices and reduces efficiency.

Centralized Regulatory Reporting: Centralized implementation bodies can support oversight and supervision by facilitating data collection. Most open finance models do not have an API hub, so data on API calls are submitted by both data holders and data users. To build system-level indicators, the FSA needs to de-duplicate this data (after checking the consistency of information reported by each party for the same API call) to avoid double counting and allow accurate analysis. Data de-duplication requires a high level of standardization for API logs (for example, label, time stamp). In implementation models featuring an API hub (for example, in the UAE), API logs are generated centrally. In the case of Brazil, where API connections are not centralized (rather, they are bilateral between all participants), the implementation body de-duplicates the data before enabling remote access by the CBB. Where there is no implementation body, the FSA will need to collect granular data from each participant and de-duplicate it. Given the potentially high volumes of API calls an ecosystem can reach, this approach could strain FSA resources and require increased data processing and storage capacity, as well as investment in SupTech. The same considerations apply to data on error and dispute resolution, but these are less voluminous (in Brazil, the ecosystem generates around 9,000 tickets a month).
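The reconciliation step described in Box 1 can be sketched as follows; this is an added example, not part of the working paper or of any FSA's or implementation body's tooling. The record schema (`call_id`, `reporter`, `ts`, `holder`, `user`, `endpoint`, `status`), the two-second clock tolerance, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed schema: fields both parties must agree on for the same call.
MATCH_FIELDS = ("holder", "user", "endpoint", "status")
# Assumed tolerance for clock differences between the two parties.
MAX_SKEW = timedelta(seconds=2)


def reconcile(reports, max_skew=MAX_SKEW):
    """Collapse two-sided reports into one record per API call.

    Returns (calls, findings). A call is 'confirmed' only when the data
    holder and the data user both reported it and their reports agree.
    """
    by_call = defaultdict(dict)
    findings = []
    for r in reports:
        sides = by_call[r["call_id"]]
        prev = sides.get(r["reporter"])
        if prev is None:
            sides[r["reporter"]] = r
        elif prev != r:
            # Same party reported the same call twice with different content.
            findings.append((r["call_id"], "conflicting_resubmission"))
        # An identical resubmission is simply dropped.

    calls = []
    for call_id, sides in by_call.items():
        h, u = sides.get("holder"), sides.get("user")
        if h is None or u is None:
            only = "holder" if u is None else "user"
            findings.append((call_id, f"reported_by_{only}_only"))
            confirmed = False
        else:
            diff = [f for f in MATCH_FIELDS if h[f] != u[f]]
            skew = abs(datetime.fromisoformat(h["ts"])
                       - datetime.fromisoformat(u["ts"]))
            if skew > max_skew:
                diff.append("ts")
            if diff:
                findings.append((call_id, "mismatch:" + ",".join(diff)))
            confirmed = not diff
        base = h or u
        calls.append({"call_id": call_id, "status": base["status"],
                      "confirmed": confirmed})
    return calls, findings


def indicators(calls):
    """System-level figures computed on de-duplicated, confirmed calls only."""
    confirmed = [c for c in calls if c["confirmed"]]
    errors = sum(1 for c in confirmed if c["status"] >= 500)
    return {
        "unique_calls": len(calls),
        "confirmed_calls": len(confirmed),
        "server_error_rate": errors / len(confirmed) if confirmed else None,
    }


def rep(call_id, reporter, ts, status):
    """Build one constructed sample report (participant names are made up)."""
    return {"call_id": call_id, "reporter": reporter, "ts": ts,
            "holder": "bank-a", "user": "tpp-x",
            "endpoint": "/accounts", "status": status}


# Constructed sample: 8 submitted rows describing 4 distinct API calls.
SAMPLE = [
    rep("c1", "holder", "2025-03-01T10:00:00+00:00", 200),
    rep("c1", "user",   "2025-03-01T10:00:01+00:00", 200),
    rep("c1", "holder", "2025-03-01T10:00:00+00:00", 200),  # exact duplicate
    rep("c2", "holder", "2025-03-01T10:05:00+00:00", 200),
    rep("c2", "user",   "2025-03-01T10:05:00+00:00", 503),  # parties disagree
    rep("c3", "user",   "2025-03-01T10:07:00+00:00", 200),  # holder silent
    rep("c4", "holder", "2025-03-01T10:09:00+00:00", 503),
    rep("c4", "user",   "2025-03-01T10:09:01+00:00", 503),
]

if __name__ == "__main__":
    calls, findings = reconcile(SAMPLE)
    print(indicators(calls))
    for finding in findings:
        print(finding)
```

Counting submitted rows would give eight calls; reconciliation yields four, of which two are confirmed, and the two findings are the kind of discrepancy that would feed follow-up with the reporting participants.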

While FSAs may decide to centralize operational elements, this could strain resources and indirectly affect oversight and supervision. For instance, building and maintaining the participant directory can be costly, time-consuming, and technically challenging for many FSAs. It is crucial to ensure that new costs and responsibilities do not affect the allocation of resources and capacity for oversight and supervision. Decisions to centralize functions may be influenced by concerns about ecosystem efficiency and power imbalances among participants, but these concerns can be mitigated through regulation. For instance, the open finance regulation in Brazil sets principles and specific rules for error resolution to mitigate potential discrimination and improve ecosystem efficiency. It also establishes governance rules for the implementation body, such as voting rights to counter power imbalances between large and small participants.

Figure 1: The Continuum of Open Finance Implementation Archetypes and Examples of Jurisdictions

As with other infrastructure operated by FSAs (e.g., payment systems), centralizing open finance elements may expose FSAs to legal liability. For instance, data leakage from the participant directory could expose the FSA to legal liability to participants. Liability can also stem from operational issues that delay or impede API calls, when the directory is linked to API infrastructure. Managing centralized error and dispute resolution mechanisms may also create liability risks. To mitigate these risks, it is crucial that oversight covers infrastructure and centralized services when provided by the FSA, in line with international standards for market infrastructure oversight.

If centralization is the preferred model but the legal power to mandate the creation of an implementation body is missing, FSAs could foster their voluntary creation by coordinating with the industry, while ensuring they have the powers to bring such bodies under their regulatory remit. Regardless of how they are formed, implementation bodies, including those formed on a voluntary basis, must be subject to regulation and supervision (CGAP et al. 2024).

India's Sahamati, for instance, was not established by regulation, and currently enforces standards amongst members through its code of conduct (Sahamati 2025). However, in 2025, the Reserve Bank of India (RBI) issued the "Framework for Recognising Self-Regulatory Organisations (SROs) for the Account Aggregator Ecosystem," which establishes regulatory requirements for Sahamati (and any other self-regulatory organization created in the data aggregator ecosystem) covering governance, dispute resolution, member monitoring, and regulatory reporting (Reserve Bank of India 2025). A similar model has been proposed in the European Union to support the creation and regulation of standard-setting bodies under the Financial Information and Data Act (FIDA).

Section 3: Emerging Supervisory Practices and Early Lessons

When designing their open finance model, FSAs need to consider the requirements for effective oversight and supervision. Early design helps avoid challenges such as data gaps, misallocation of resources, duplication of efforts, and difficulty embedding policy goals in supervisory activities. Planning should include topics such as how to incorporate AISPs and PISPs into existing structures; how to incorporate open finance into existing risk-based approaches for currently supervised participants; how to organize licensing processes; what the reporting framework should look like and how to collect or access data; whether and how to leverage implementation bodies for oversight and supervision; and the potential need for additional human resources and technology.

3.1 Interagency Collaboration

The oversight and supervision roles of different FSAs and other authorities are determined by their respective legal mandates and the legal framework underpinning open finance development. As in other infrastructure-based ecosystems, government authorities may play a range of complementary roles ranging from catalysts (including policymaking and regulation) to operators (see section 2.2), as well as overseers and supervisors (CPMI and World Bank Group 2026; BIS 2020). Based on the regulated open finance frameworks reviewed for this paper, three models emerge in relation to oversight and supervision arrangements at the national level (Table 1): (1) leadership by an FSA; (2) leadership by more than one FSA; and (3) leadership by a non-financial sector authority.

To date, the role of non-financial sector authorities in oversight and supervision by FSAs has been limited, but there is a need to clarify their roles and ensure inter-agency coordination, especially as open finance expands. With the exception of Australia and, in the early days of open banking, the UK, non-financial authorities have not played a prominent role in open finance oversight and supervision. Nonetheless, as ecosystems expand, data protection, consumer protection, and competition agencies are expected to become more involved, not least because open finance frameworks rely on national data protection laws and closely interact with consumer protection and competition laws. Interagency coordination is likely to become more important, for example, to standardize consumer complaints data across agencies and to enable joint or coordinated actions in cases of data protection breaches or anti-competitive practices. Finally, potential cross-border open finance arrangements — especially relevant for smaller markets (CGAP et al. 2024) — will require inter-agency coordination at national and international levels.

Across FSAs, cooperation for oversight and supervision — for example, joint oversight arrangements — will be crucial in some contexts. The cross-sectoral nature of open finance means that in some jurisdictions there will be more than one FSA involved in oversight and supervision. This amplifies the need to clarify their roles and establish effective cooperation arrangements when needed. For instance, the future leading role of Peru's SBS — which is designing an open finance framework for the banking, microfinance, insurance, and pension sectors — will interact with the role of the BCRP, which regulates and oversees payments and is preparing regulation on payments initiation. In addition to coordination during the design phase, this multi-FSA arrangement will require coordination on oversight of the open finance ecosystem to avoid duplication of efforts and limit compliance costs for participants. A different situation is seen in Brazil, where CBB, SUSEP and CVM are leading the implementation of data sharing schemes within the confines of their respective markets. However, CBB and SUSEP are required by regulation (Joint SUSEP and CBB Resolution 5/2022) to enable future connection of their ecosystems, which currently operate independently. This has required close coordination from the early stages of design, a need that will increase when the ecosystems are connected, particularly for effective oversight, and especially if shared infrastructures are created. In many contexts, FSAs may consider creating joint oversight structures or committees (CGAP et al. 2024) to facilitate cooperation.


Institutional Arrangements for Open Finance Oversight and Supervision at the National Level

3.2 Internal Organization

The key functions of FSAs in open finance implementation are regulatory development, oversight, supervision, and supporting functions (for example, public dissemination and impact measurement). Open finance implementation requires constant regulatory development (see section 2.1) and may involve impact measurement and public dissemination efforts (see section 4). Oversight involves monitoring the open finance ecosystem through offsite monitoring and other tools, such as cross-sector thematic reviews. Supervision focuses on the operations of individual participants to ensure compliance with open finance regulations and to support mandates such as consumer protection, prudential supervision and anti-money laundering (AML) and countering the financing of terrorism (CFT), using tools such as offsite and onsite examinations.

Early experience suggests that specialization — potentially with the creation of a dedicated team for open finance oversight — is essential. FSAs differ in their internal organization for open finance oversight and supervision (see Box 2). This area remains fluid, but building oversight specialization can enhance effectiveness in monitoring ecosystem performance, identifying poor practices by participants (which can be referred to the responsible supervisor or followed up directly by the oversight team), and assessing alignment of ecosystem development with broad policy goals.

Oversight involves monitoring new, potentially voluminous data, requiring new knowledge and expertise. Existing oversight skills and organizational arrangements can and should be leveraged. Whether FSAs create a dedicated team for open finance oversight will depend on factors such as their budget, the size and stage of development of the ecosystem, the expertise of available staff, the availability of supervisory technology (SupTech), and whether and how the implementation bodies are involved in oversight and supervision (see section 3.3).

The cross-sectoral nature of open finance amplifies the need for cross-team cooperation. Open finance requires close collaboration between teams undertaking different functions (including regulatory development, oversight, and supervision), and between supervisory teams covering different types of ecosystem participants. Close collaboration between oversight and supervision is particularly important: robust oversight supports risk-based supervision through the timely detection of issues for supervisory action and serves as a key input for supervisory planning. Supervisory findings can further enhance the focus of oversight and its outputs such as periodic reports.

Box 2: Internal Organization at FSAs for Open Finance Oversight and Supervision in Selected Countries

Australia: As the main enforcer of the CDR Rules, ACCC has dedicated teams for CDR implementation. The Accreditor team is responsible for accrediting ADRs, and the Compliance and Enforcement teams are responsible for promoting compliance by individual ADRs and Data Holders and taking enforcement action where necessary. Separate teams deal with policy and regulatory issues, and there are several dedicated teams for technology delivery of the participant directory and supporting systems. The OAIC is responsible for regulating data privacy aspects. Both authorities closely coordinate with the Treasury, which leads CDR policymaking and legislative development, including broad consultations across all sectors affected by the CDR framework.

Brazil: At CBB, there is a dedicated oversight team, operating within the prudential supervision department. This team leads offsite monitoring and thematic reviews, closely coordinating with the dedicated IT team, the sector-focused supervisory teams, the conduct supervision department, and the regulation department. It also closely coordinates with the industry implementation body (Open Finance Brasil) which must fulfil specific monitoring and reporting obligations (see Box 3). The regulation department has a team dedicated to open finance. The dedicated teams and some supervisory staff are also responsible for participating in the meetings of the technical working groups and board meetings of Open Finance Brasil. Licensing of PISPs is handled separately by the licensing department. To date, there is no regulatory framework for AISPs. Similarly, the insurance regulator, SUSEP, has created a dedicated open finance oversight team that works closely with other units and a separate industry implementation body that was created solely for open insurance (which must connect to the CBB's open finance scheme in the future).

Chile: CMF is planning to create a team specialized in open finance oversight currently under the Conduct Supervision Department, while the arrangements to authorize and supervise AISPs and PISPs have not yet been defined.

UK: At the FCA, there is a dedicated open banking team within the Cross-Cutting Market Analysis and Strategy Department. There is no team conducting systematic open banking oversight. The payments supervision department is the primary risk-based supervisor for individual participants, including PISPs and AISPs. Other dedicated teams exist within the policy and regulation departments, as well as a team focused on the future implementation of open data (Smart Data) in the UK. Authorizations for PISPs and AISPs are conducted separately by the authorizations department.

Colombia, Mexico, Philippines, Indonesia, and the UAE: In these countries, FSAs have placed open finance — at least for the time being — under supervisory teams specialized in technology risk or payment supervision. These FSAs have no dedicated open finance oversight team to date. In the Philippines, where open finance has not yet been fully implemented, there is a team dedicated to developing the regulatory framework, while the technology risk supervision team oversees the pilot currently in place.

Source: CGAP interviews with authorities and implementation bodies in Brazil and the UAE.

3.3 Leveraging Implementation Bodies for Oversight and Supervision

Early experience shows that FSAs can leverage implementation bodies to support oversight and supervision and potentially reduce costs for both participants and FSAs. While implementation bodies do not replace oversight and supervision by FSAs, they can be mandated by regulation to carry out defined monitoring and reporting activities. If FSAs lack the power to mandate the implementation body to conduct such activities, they may use moral suasion. This remains an evolving area of practice, but Brazil's experience (see Box 3) offers a reference for jurisdictions seeking to implement such a model. For example, instead of creating its own oversight dashboard, the CBB leverages a dashboard with near real-time data built by the industry within the implementation body, Open Finance Brasil. This approach reduces the cost and burden of building such tools in-house. The CBB has required the creation of, and has access to the outputs of, other monitoring tools operated by Open Finance Brasil (see Box 3). A similar model is followed by the Brazilian insurance supervisor, SUSEP, although the monitoring capabilities of the implementation body in this case are still under development, largely based on the experience of Open Finance Brasil. The central bank of the UAE (CBUAE) is also building a similar model, focusing on monitoring tools and real-time data managed by the implementation body, Nebras Open Finance. In Türkiye, the central bank leverages the API monitoring reports provided by the implementation body, BKM. In Korea and India, it is not clear whether the implementation bodies are leveraged for supervision by FSAs.

Such a model has parallels with, and can draw on, the more extensive global experience with "auxiliary" and "delegated" supervision that leverages umbrella organizations for supervision. These models are used in sectors such as capital markets, credit cooperatives, credit unions, and rural banks (see, for instance, BCBS 2016). When properly equipped, open finance implementation bodies can help FSAs prioritize risks and respond more swiftly to emerging issues through prompt action. In all cases, such bodies themselves must be subject to supervision by FSAs (see section 2.1).

Box 3: Monitoring Obligations Imposed on Open Finance Brasil by the Central Bank of Brazil

Under the Monitoring Manual, the Central Bank of Brazil (CBB) mandates the implementation body (Open Finance Brasil) to monitor the ecosystem and report to the CBB. Open Finance Brasil is fully funded by more than 700 open finance ecosystem participants, with large banks covering about 40 percent of the body's annual budget and the remaining participants covering 60 percent. The body has just over 100 employees, half of whom are dedicated to the "monitoring function". The monitoring function supports CBB's oversight and supervision, but it is also seen as a service that helps participants remain compliant with regulation. In this sense, Open Finance Brasil functions as a "fourth line of defense" for participants (after internal controls, risk management and compliance, and internal audit).

The regulation outlines a "Monitoring Flow" that defines the role of Open Finance Brasil in monitoring the ecosystem and reporting the results to the CBB. It includes three tools developed by the implementation body based on requirements and specifications defined in close collaboration with the CBB:

  • Non-Conformity Panel: Tracks participant performance across indicators such as API availability, conversion rates, certification status, data quality, and compliance with error resolution and reporting obligations.
  • Data Quality Motor (MQD): A tool operated by ecosystem participants. The results are sent to the implementation body, which analyzes them and opens tickets.
  • Platform for Metrics Collection (PCM): Aggregates and analyzes metadata from billions of API calls weekly to monitor ecosystem health.

The tools above rely heavily, though not solely, on highly granular metadata about API calls (10 billion weekly calls in January 2026). The first step for the implementation body is to check the consistency of the information provided by both sides of a data call (each side must report the same information about the same call) and then de-duplicate the data. This data is then used, in conjunction with other data, such as information produced by the body's ticketing system, to feed the tools listed above, as well as other internal analytical tools. The tools produce analytics that feed an overall scoring model, which assigns a score from 1 to 10 to each ecosystem participant based on performance on about 15 regulatory compliance metrics and a range of operational criteria. The CBB has remote access to the body's monitoring dashboards, the underlying data, and the specifications of the monitoring tools.

In addition to data analytics, the body also conducts other types of monitoring activities, such as evaluation of UX/UI, using their own customer accounts at participants for live app testing. The CBB can access the results, in line with its risk-based supervisory priorities.

Currently, the body uses high-performance stacks provided by a large cloud service provider and develops complementary tools, such as visualization tools, in-house. Before this advanced, technology-based monitoring system was implemented starting mid-2024, the implementation body collected spreadsheets from each participant containing metadata on API calls, and conducted only basic checks, given the limitations of an Excel-based data collection model (which is being gradually phased out). The previous system is considered impractical and unsustainable for such a large open finance ecosystem.

Source: CGAP interviews with Open Finance Brasil.
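The two-sided consistency check and de-duplication step described in Box 3 can be illustrated as follows. This is an added example, not code from Open Finance Brasil or the CBB; the record schema (`interaction_id`, `client`, `server`, `endpoint`, `status`), the finding names, the participant names, and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Fields both sides of a call must report identically (assumed schema).
# Timestamps are left out because the two sides may legitimately differ.
MATCH_FIELDS = ("client", "server", "endpoint", "status")


@dataclass(frozen=True)
class Report:
    reporter: str        # participant that submitted this row
    role: str            # "client" (data user) or "server" (data holder)
    interaction_id: str  # assumed shared identifier for one API call
    client: str
    server: str
    endpoint: str
    status: int


def reconcile(reports):
    """Return (calls, findings).

    calls: one consolidated record per call confirmed by both sides.
    findings: (interaction_id, kind, detail) tuples for everything else.
    """
    by_call = defaultdict(lambda: {"client": [], "server": []})
    findings = []
    for r in reports:
        if r.role not in ("client", "server"):
            findings.append((r.interaction_id, "bad_role", r.reporter))
            continue
        # A participant may only report its own side of a call.
        claimed = r.client if r.role == "client" else r.server
        if r.reporter != claimed:
            findings.append((r.interaction_id, "reporter_mismatch", r.reporter))
            continue
        by_call[r.interaction_id][r.role].append(r)

    calls = []
    for cid, sides in sorted(by_call.items()):
        picked, conflicted = {}, False
        for role, rows in sides.items():
            distinct = set(rows)  # exact resubmissions collapse here
            if len(rows) > len(distinct):
                findings.append((cid, "duplicate_dropped", role))
            if len(distinct) > 1:
                findings.append((cid, "conflicting_resubmission", role))
                conflicted = True
            elif distinct:
                picked[role] = next(iter(distinct))
        if conflicted:
            continue
        if len(picked) < 2:
            missing = "server" if "client" in picked else "client"
            findings.append((cid, "missing_counterpart", missing))
            continue
        c, s = picked["client"], picked["server"]
        diffs = [f for f in MATCH_FIELDS if getattr(c, f) != getattr(s, f)]
        if diffs:
            findings.append((cid, "field_mismatch", ",".join(diffs)))
            continue
        calls.append({"interaction_id": cid, "client": c.client,
                      "server": c.server, "endpoint": c.endpoint,
                      "status": c.status})
    return calls, findings


def error_rate_by_server(calls):
    """Share of reconciled calls per data holder that ended in a 5xx status."""
    totals, errors = defaultdict(int), defaultdict(int)
    for c in calls:
        totals[c["server"]] += 1
        if c["status"] >= 500:
            errors[c["server"]] += 1
    return {s: errors[s] / totals[s] for s in totals}


# Constructed sample rows (not real ecosystem data).
SAMPLE_REPORTS = [
    Report("tpp-1", "client", "call-1", "tpp-1", "bank-a", "/accounts", 200),
    Report("bank-a", "server", "call-1", "tpp-1", "bank-a", "/accounts", 200),
    Report("tpp-1", "client", "call-2", "tpp-1", "bank-a", "/accounts", 200),
    Report("tpp-1", "client", "call-2", "tpp-1", "bank-a", "/accounts", 200),
    Report("bank-a", "server", "call-2", "tpp-1", "bank-a", "/accounts", 200),
    Report("tpp-1", "client", "call-3", "tpp-1", "bank-a", "/consents", 503),
    Report("bank-a", "server", "call-3", "tpp-1", "bank-a", "/consents", 200),
    Report("tpp-1", "client", "call-4", "tpp-1", "bank-b", "/accounts", 200),
    Report("tpp-1", "client", "call-5", "tpp-1", "bank-b", "/payments", 500),
    Report("bank-b", "server", "call-5", "tpp-1", "bank-b", "/payments", 500),
    Report("tpp-2", "client", "call-6", "tpp-1", "bank-a", "/accounts", 200),
    Report("bank-a", "server", "call-6", "tpp-1", "bank-a", "/accounts", 200),
]

if __name__ == "__main__":
    calls, findings = reconcile(SAMPLE_REPORTS)
    for f in findings:
        print(f)
    print(error_rate_by_server(calls))
```

Only calls confirmed by both sides feed the per-participant metrics; the findings list is the kind of output that could open tickets with the reporting participants.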

3.4 An Effective Approach to Open Finance Oversight and Supervision

An effective risk-based approach to open finance oversight and supervision prioritizes building robust oversight, taking prompt supervisory action, focusing on key priorities, and leveraging existing models, skills, resources, and structure (see Figure 2). The experience so far highlights the importance of robust oversight covering the entire ecosystem (see section 3.4.3), particularly through offsite monitoring based on high-quality, frequent data, as the foundation of the approach. Participant-level supervision (see section 3.5) should be conducted by leveraging existing risk-based models and structures, with a focus on prompt action (see section 3.4.4) while using inspections and formal enforcement strategically. Both oversight and supervision should focus on key priorities in the first years of implementation (see section 3.4.2) and leverage existing models, skills, resources, and structure (see section 3.2). Efficient licensing (see section 3.7) complements these elements. This approach is particularly well suited to environments with a large number of participants, where relying more heavily on supervision, for example inspections, and formal enforcement would strain FSA capacity and be ineffective. In fact, if FSA resources are scarce but data quality is high, oversight may temporarily be the only supervisory activity. However, participant-level supervision will need to be strengthened as the ecosystem expands.

A supervisory approach that emphasizes oversight and prompt action is not only cost-effective but also enables FSAs to identify opportunities for regulatory refinement in pursuit of policy goals. For example, CBB's detailed offsite monitoring based on highly granular data and continuous engagement with participants has revealed the emergence of niche segments within the open finance ecosystem. Certain FSPs and TPPs specialize in limited API categories, such as investment and foreign exchange. This creates scope for more flexible participation models, where entities could engage with only a subset of mandatory APIs instead of the whole set currently imposed on all participants, thereby reducing compliance costs and more closely aligning regulatory obligations with actual API usage to foster competition and innovation.

3.4.1 Embed Policy Goals and Principles

FSAs must align oversight and supervision activities with policy goals, rather than limiting analyses to basic compliance checks. Supervisors should ensure compliance with specific regulatory requirements such as API performance (for example, availability and response time), but a range of additional analyses should be conducted to help the ecosystem meet policy objectives. Most open finance frameworks set goals such as enhancing competition and innovation (CCAF 2024), which add to FSAs' existing mandates such as stability, consumer protection, and market integrity. These goals inform oversight analyses and supervisory assessments. Broad principles that are sometimes included in open finance frameworks (see Table 2 for examples) complement policy goals, providing a stronger basis for supervisory action. The principles of non-discrimination and ethical conduct, for instance, can support actions to curb practices such as poor resolution of operational issues affecting specific participants and discriminatory pricing, especially in the absence of specific requirements.

Open finance frameworks may also set principles for certain areas, such as customer consent, user interfaces, and user experience, which can further support oversight and supervision.

An Effective Approach to Open Finance Oversight and Supervision

3.4.2 Focus on Key Priorities in the First Years

Interviews with authorities indicate that in the first few years of open finance implementation, oversight and supervision should focus on four key aspects that will help foster customer adoption and trust: (1) ecosystem performance; (2) user experience; (3) fraud mitigation and data protection; and (4) use cases. The importance of other topics, such as data quality and pricing practices, may increase over time as open finance adoption grows (the Annex gives examples of supervisory analyses covering these topics).

Overall, offsite monitoring based on high-quality, frequent data will be the main tool for addressing these priorities, but thematic reviews will also be important, particularly in the first years of implementation. This will be complemented by risk-based participant-level supervision, with the potential imposition of prompt corrective measures and enforcement actions.

Table 2: Broad Principles of Selected Open Finance Frameworks
Jurisdiction | Instrument | Principles
Brazil | CBB/CMN Joint Resolution 1/2020, art. 4 | Transparency; security and privacy; data quality; nondiscriminatory treatment; reciprocity; interoperability
Chile | Fintech Law (Law 21,521/2013), art. 16 | Proportionality; quality; transparency and information to the client; data security and privacy; nondiscrimination; interoperability
Colombia | Draft Decree modifying Decree 2,555/2010 (art. 2.35.8.1.5) | Access to data (data owner control); transparency; data security and privacy; data quality; nondiscriminatory treatment; interoperability
Ghana | BOG 2024 Draft Open Banking Directive for Regulated Financial Institutions (art. 6) | Transparency; interoperability; usability; reciprocity; ethical conduct; data quality; data security; inclusivity; timeliness
Nigeria | CBN 2021 Regulatory Framework for Open Banking in Nigeria, art. 6 | Openness; reusability; interoperability; modularity; robustness; user centric; security

Source: websites of financial authorities.

High levels of ecosystem performance, particularly among the top data holders and users, are crucial. This requires monitoring participants' compliance with minimum regulatory standards such as API uptime, their performance in fixing errors and resolving disputes, and overall performance across a broader range of metrics (see section 3.6). Resolution of errors and disputes, for instance, may not be easily recognized by supervisors as an issue that deserves attention, but the prompt resolution of technical errors and minor disputes between participants is essential for the smooth functioning of the ecosystem. Data on error and dispute resolution complements API usage and other metrics, and a centralized error and dispute resolution system (also known as a "ticketing system") facilitates this work (see section 2.2).

Excellent user experience (UX) and user interface (UI) are also critical for securing public trust and incentivizing customer adoption, thereby creating value for the entire ecosystem. During the initial phases of open finance implementation, FSAs should prioritize evaluating customer interfaces as poor user experience can undermine trust and adoption. This assessment should determine whether UX/UI principles (for example, simplicity, clarity, accessibility) are effectively implemented and whether compliance with defined standards — such as specific rules for the consent journey and related disclosures — is monitored. While early evaluations, such as those in Brazil, the European Union (EU) and the UK, have relied on manual methods such as app testing and screenshot reviews, FSAs may be able to improve scale and efficiency by using novel methods such as requiring remote access to live production environments. However, there is limited experience with technology-based techniques in the context of open finance (see section 3.6).

Monitoring use cases helps FSAs understand the pace and direction of market development, and whether use cases are aligned with objectives such as financial inclusion. For instance, if an obstacle for micro and small enterprises (MSEs) to obtain finance is their lack of collateral and credit history, FSAs would want to see multiple use cases — and related products and services — around creditworthiness assessments using transactional data from various ecosystem participants. Monitoring use cases can also help FSAs identify the need for regulatory refinement or other actions. In Brazil, the CBB collects use case information through a biannual survey of participants. Combined with continuous engagement with the industry, this has helped the CBB identify potentially impactful use cases (from financial inclusion and competition perspectives).

3.4.3 Strong Oversight as the Foundation

Open finance often expands FSAs' roles beyond existing prudential and conduct supervision mandates, requiring the strategic use of oversight — particularly offsite monitoring and thematic reviews — as the foundation of an effective approach. For many FSAs, competition goals and related principles (for example, non-discrimination) represent a significant addition, as they require both oversight and supervision to identify — and act on — practices such as discriminatory API access or pricing. Robust oversight requires new types of information, such as the growth and diversity among participants, the types of API calls, error and dispute resolution processes among participants, and the types of use cases developed.

FSAs should strive to include all participants in their offsite monitoring based on granular and frequent data (see section 3.6), while other tools such as thematic reviews should be used strategically on an as-needed basis. So far, the limited experience with highly granular API call data, such as those used by the CBB in Brazil and currently being implemented in the UAE, shows that this type of data permits deep and timely analyses through offsite monitoring, enabling early detection and prompt correction of operational issues (for example, API performance) and misconduct (for example, discrimination) that could affect other participants, customers, or the broader ecosystem.

If FSAs lack the capacity to process granular data covering the entire ecosystem, they should prioritize the largest participants in terms of volume of API calls received and made, across the range of APIs mandated by regulation and those used for the most relevant use cases, as well as participants with the largest number of clients, and gradually expand monitoring — and the underlying reporting regime.

Offsite monitoring should combine basic compliance checks with trend and growth analyses. Most open finance frameworks, including those in Australia, Brazil, Chile, and the UAE, establish specific API performance thresholds, including for minimum API uptime, maximum response time, and maximum error rate. Oversight will, at the very least, monitor participants' compliance with such standards. Monitoring trends through other metrics such as growth of customer accounts by type of customer, errors and dispute resolution, and API calls by API type (each supporting different use cases) provides FSAs with a more complete view of how the ecosystem evolves in its composition (number and types of participants) and its usefulness for different users and their customers.

Performance benchmarks can be created over time, for international comparison and to serve as an early warning system to trigger supervisory action. Initially, data from other jurisdictions may serve as a reference for internal benchmarking, but FSAs need to tailor benchmarks to their local context to ensure relevance. Benchmarking may also be adjusted for open finance in more traditional areas, such as cybersecurity and fraud monitoring. Experience to date indicates that open finance may exhibit lower levels of fraud and cyber incidents than other types of fast payment systems in some contexts (see Open Banking Limited 2025), which could justify the creation of tailored benchmarks. SupTech tools can assist in benchmarking, compliance checks, trend and other analyses (see section 3.6).

Given the broad policy goals pursued by open finance frameworks, FSAs should incorporate a more strategic layer into their oversight analysis. This requires expertise in open finance and a mix of quantitative and qualitative data (see section 3.6), supplemented by findings from tools such as thematic reviews and inspections. The goal is to enable the FSA to address strategic questions. (The Annex develops these further.)

  1. Ecosystem performance and growth: Do the observed ecosystem performance levels enable the effective realization of a range of use cases by a variety of participants? Does it indicate genuine efforts by the industry — including large data holders — to help open finance achieve its goals?
  2. Ecosystem robustness and resilience: Do the trends in operational issues, errors, fraud, and data breaches, as well as the actions taken by participants to solve these problems, indicate progress toward the desired stabilization of ecosystem robustness and resilience?
  3. Competition and market dynamics: Can performance weaknesses among key participants indicate misconduct intended to curb competition?
  4. Innovation and inclusion: Do trends in customer consents, growth in the use of different API types, and use cases reported by participants, support innovations that could help overcome pre-identified financial inclusion gaps?
  5. Consumer protection: Is the open finance ecosystem creating undue risks for consumers, based on information about consumer complaints, fraud, data breaches, and product uptake (for example, increased consumer lending)?

Thematic reviews can be particularly useful to help FSAs identify and compare emerging industry practices. For instance, thematic reviews of UX/UI can examine compliance with regulatory principles (for example, simplicity, clarity, accessibility, and ease of use) and specific rules or standards for the customer journey, disclosures, and the use of common logos when these exist. Reviews can extend beyond the initial consent flow to include ongoing tools for viewing, modifying, and revoking consent (see the Annex for a detailed description). This type of cross-sector review has been conducted by the CBB and the EBA. Thematic reviews can be conducted by the open finance oversight team, participant-focused supervisors (for example, banking, payments, insurance), risk-focused supervisors (for example, conduct risk), or other teams, depending on the FSA's organizational structure.

3.4.4 Focus on Prompt Supervisory Action

Open finance supervision should not focus primarily on formal enforcement but on prompt corrective measures, while using enforcement powers as a credible deterrent. Interviews with authorities in Australia, Brazil, and the UK indicate that enforcement-heavy strategies are costly, slow, and may not be the most effective tool when one of the priorities is to ensure high ecosystem performance and responsible business conduct in the fast-paced context of open finance. In the early stages of open finance implementation, performance issues are quite common, and applying fines for all cases is less important than addressing these issues swiftly. Delays in addressing low performance or misconduct can erode customer trust, ultimately undermining public confidence and broad adoption. Supervisors must be empowered and equipped to push participants to resolve detected issues promptly. However, proportional enforcement should be used when appropriate, and the threat of enforcement should always exist to deter misconduct and non-compliance.

The experience of Brazil's CBB shows that prioritizing prompt action for timely course correction demands more informal and continuous engagement with participants, as well as intense internal collaboration across the open finance oversight and other teams, including IT and other supervisory teams. This approach may differ from current practices in many jurisdictions that prefer more formal external engagement and prioritize structured, planned supervisory actions such as inspections. It also depends heavily on the quality of oversight — particularly offsite monitoring using granular, frequent data, which, in the case of Brazil, is done by the implementation body (see section 3.3).

Robust oversight is therefore critical in supporting risk-based supervision of individual participants by generating timely insights to guide the targeted use of a mix of supervisory tools, such as:

  • Moral suasion and other informal measures can be used to push for prompt correction of minor or isolated operational and conduct issues, including via phone calls and in-person meetings.
  • Targeted remote or onsite inspections of individual participants to verify more serious issues, particularly involving major ecosystem participants, such as data and cybersecurity, data privacy, persistent low API performance, low quality of customer data, and use of third parties.
  • Formal investigations and enforcement actions, including fines, suspension from the open finance ecosystem, or revocation of accreditation or a license. A credible threat of enforcement, proportionate to the severity of misconduct or non-compliance, must always exist within a supervisory approach, even where the focus is on prompt action.

3.5 Supervision of Ecosystem Participants

3.5.1 Data Holders and Data Users

For currently supervised participants, open finance can be incorporated as an additional topic in the existing risk-based models, especially within operational risk — including IT risk, fraud, and cybersecurity — and conduct risk supervision. Our interviews indicate that open finance has not triggered changes to existing risk-based models for participants that were previously supervised (for example, banks, payment service providers). Open finance is seen by FSAs as an additional source of risk, and even in markets where open finance ecosystems have reached scale, it has not led to significant additional risks from prudential and consumer protection perspectives.

Hence, there are no clear examples of dedicated inspections focused specifically on open finance, such as additional cybersecurity inspections or new fraud monitoring mechanisms, or changes to existing risk scoring models. Open finance has more often been absorbed by existing models and inspection schedules.

Supervisors will need to evaluate whether the new risk vectors and the emerging data on fraud, cyber incidents, and other issues specifically related to open finance justify additional reviews. Oversight will serve as a valuable input for such planning.

Additionally, FSAs may want to ensure their approaches to third-party risk remain adequate in the context of open finance. A recurring concern raised in the interviews relates to the ability of participants (acting as principals) to effectively oversee outsourced parties — for example, data aggregators in Brazil and CDR representatives in Australia. Third parties can deliver a wide range of services to open finance participants (their principals), potentially enhancing the efficiency, security, and scalability of the ecosystem. These services include API gateway management, cloud infrastructure hosting, data aggregation, cybersecurity and risk management solutions, UX and UI design support, customer authentication tools, and advanced analytics. In most jurisdictions, existing outsourcing regulations ensure that authorized principals remain responsible for third parties. Two primary risks arising from ineffective oversight by principals are unauthorized access to customer data and sharing of data by third parties.

As open finance schemes scale, third-party risk may become more prominent, underscoring the need for clear liability frameworks (Mazer and Farrell 2025) and adequate supervisory approaches in line with evolving international guidance (see, for example, FSB 2025; Gambacorta and Shreeti 2025; FSB 2024; FSB 2023; and BCBS 2024). In Brazil, CBB is conducting a special regulatory review of onward data sharing by third parties used by ecosystem participants.

Regarding TPP supervision, when TPPs are newly authorized or licensed, risk-based supervision can leverage existing teams and models. There is a clear distinction in how PISPs and AISPs are treated, with PISPs typically prioritized. Both AISPs and PISPs are usually integrated into existing teams conducting risk-based supervision, often retail payments supervision or market conduct supervision teams. AISPs tend to be deprioritized in risk-based supervision due to their limited complexity and scope of activities, being mostly covered by oversight, which can flag issues for prudential and conduct supervisors to address. Consequently, developing specialized risk assessment methodologies for AISPs is not an immediate priority for FSAs in the early stages of implementation, while existing risk-based models for small retail payment service providers can be adapted for PISPs.

When specific analyses related to open finance are conducted, these should focus on the priority areas previously mentioned (see section 3.4.2), including API performance, potential anti-competitive conduct, cybersecurity, data protection and operational resilience. Robust oversight will provide key inputs for prioritizing analytical efforts, in addition to existing knowledge of risk management quality at currently supervised participants, particularly large data holders and users. In Brazil, for instance, most ecosystem participants were already supervised by the CBB. Examples of questions that can be explored in participant-level analyses (or cross-sector thematic reviews) include:

  • Are participants complying with the performance thresholds established in the regulation (for example, minimum API uptime, maximum response time, characters per page, maximum time to respond to tickets in the error and dispute resolution mechanism)?
  • If not, why are they not compliant? What are the root causes? What risks could this situation produce?
  • Are key participants (in terms of API calls received and made) experiencing such fast growth that this growth could impact their ability to manage cybersecurity and data security risks, and consequently privacy risks? Do they have adequate operational preparedness to manage the fast growth of API requests?
  • Are key participants using third parties to manage critical aspects of their open finance operations? How effectively are they managing third-party risks, including the risk of unauthorized sharing of customer data in a potential breach of the data protection law?

3.5.2 Implementation Bodies

FSAs should build a supervisory approach for implementation bodies. FSAs must subject implementation bodies to proportionate supervision (CGAP et al. 2024). Crucially, the regulatory design phase must address how implementation bodies will be brought under the FSA's supervisory remit (see section 2.1). The scope of supervision and oversight of these entities will vary depending on the centralized services they offer, including whether they provide shared infrastructure, such as API hubs. The global experience with auxiliary and delegated supervision in sectors such as cooperatives and capital markets may be valuable for FSAs supervising implementation bodies while also leveraging them to support oversight and supervision of open finance ecosystems.

To date, there is no global experience with supervision of these implementation bodies, as most are not directly regulated and supervised by FSAs, and others are only now being established. Although the CBB has regulated many aspects of the open finance implementation body, it has done so by imposing regulatory obligations on its owners — the ecosystem participants, as a group — over which it has unquestionable and full regulatory and supervisory powers. The CBB cannot impose corrective or enforcement actions directly on the implementation body, so it relies heavily on close collaboration with the body. If the body does not comply with the determinations of the CBB, the ecosystem participants could face enforcement actions. Brazil's example illustrates how much can be achieved without waiting for difficult legal reforms, but it also highlights the associated limitations.

3.6 Supervisory Data and Technology

3.6.1 Data Sources and Regulatory Reporting

Robust oversight — especially offsite monitoring — requires comprehensive, high-quality, and frequent data. FSAs seeking to build an effective oversight function should strive to develop solid data infrastructure and analytical capacity. The regulatory design phase should ensure that FSAs have the power to obtain information from all participants (CGAP et al. 2024).

Open finance oversight and supervision rely on three types of information sources: the regulatory reporting regime, other internal supervisory data, and external third-party sources (see Figure 3), with regulatory reporting playing a prominent role.

Regarding regulatory reporting, FSAs currently use two methods to collect data: reporting by each individual participant and centralized reporting by the implementation body. Where they exist, FSAs should leverage implementation bodies for reporting. This is particularly important for granular and frequent data, such as API call data, which may pose a significant burden on FSAs and participants. Brazil's CBB and SUSEP, as well as the central banks in Türkiye and the UAE, all collect data via implementation bodies. In Australia, a mixture of reporting is used. Participants are required to submit more traditional, bi-annual reports to the ACCC and OAIC. In addition, the ACCC centrally collects and reports daily participant performance metrics, transmitted directly from participant systems to the CDR Register via APIs. In other jurisdictions, such as Colombia, the EU, and the UK, the focus is on individual reporting by each participant, with lower-frequency submission. In Türkiye and the UAE, implementation bodies operate API hubs, meaning that they do not need to collect and clean data sent by participants, as API call data is generated within the implementation body's own infrastructure. The Central Bank of Azerbaijan also operates an API Portal, eliminating the need for externally collecting the data.

Figure 3. Types of Information Sources for Open Finance Oversight and Supervision

Also, data collection models can evolve over time, and the overall approach may mix different methods. Until recently, the Central Bank of Brazil required each open finance participant to report API call data periodically, but this approach is being fully replaced by centralized reporting to the implementation body with remote access to this data by CBB (some reporting is still done via traditional Excel templates). FSAs may need to consider temporary data collection arrangements until a definitive model is implemented.

Given that FSAs may require a range of data types (see Table 3), data collection may mix different methods, with some qualitative data reported directly by participants and other data collected through the implementation body, when there is one.

The data needed for oversight and supervision is largely new compared to data traditionally used in other areas of financial and payments oversight and supervision. Data used across the authorities interviewed can be broadly divided into the categories listed in Table 3. Most quantitative data in Table 3 — such as API performance, ecosystem development, and error and dispute resolution — can be highly standardized and incorporated into existing reporting mechanisms, as implemented — to varying degrees — in Australia, Brazil, Colombia, Türkiye, the UAE, and the UK. These three categories should be prioritized, especially where supervisory or reporting capacity constraints require a phased implementation of reporting requirements. If an FSA does not currently have capacity to collect and analyze highly granular and frequent API data, it may start collecting less frequent, more aggregated data using existing reporting channels while investing in building such capacity. Alternatively, it should consider leveraging the implementation body, where one exists (see section 3.3).

Qualitative data — such as UX/UI, emerging use cases, proportionality of data collection, and data quality — requires a tailored approach. FSAs should define the frequency, format, and scope of these items based on institutional capacity (internal and external) and strategic priorities. Nonetheless, UX/UI and use case information should be prioritized from the outset, because they provide crucial information about customer experience (which affects adoption and the overall value of the ecosystem) and alignment of use cases with policy goals. For example, Brazil's CBB conducts surveys on use cases and product uptake, and the UK's FCA collects information on fraud twice a year. Australia's ACCC receives information on uptake of CDR and use cases twice a year, as part of its reporting framework.

To collect the necessary data, FSAs must develop new reporting formats tailored to open finance oversight and supervision and adapt existing formats. For instance, existing templates for consumer complaints, fraud, cyber threats, and operational incidents can be adapted to consider open finance-specific elements. Chile's open finance regulation (NCG 514/2024, Annex III) defines categories of operational incidents specific to open finance, which are incorporated into existing operational incident reporting by participants already supervised by CMF. The CBB has added new categories of issues encountered by customers when using open finance, such as inaccurate account records or the use of data beyond consented-to purposes, into its existing reporting templates. New complaint categories should also be adopted by the FSA's own complaint-handling mechanism (if any) and potentially in external dispute resolution bodies, such as ombudsman systems.

3.6.2 High Frequency, Comprehensive Data

A key insight from our interviews is that effective oversight and supervision of open finance require comprehensive, high-frequency data. The reporting regime should cover, as broadly as possible, the information listed in Table 3. For the quantitative data, traditional reporting intervals — such as monthly or quarterly — are insufficient, as they do not enable FSAs to detect and respond promptly to operational or conduct issues in the dynamic context of open finance. As an illustration of the volume that API calls can reach, open finance participants in Brazil make an average of 12 data requests per day about the same client (Ernst & Young 2025). However, the scope, frequency, and level of granularity of reporting should be defined considering the capacity of both the FSA and participants. If necessary, temporary and gradual arrangements should be considered.

FSAs should ensure that all participants, including newly authorized TPPs and implementation bodies themselves, are subject to reporting obligations, and consider piloting reporting regimes. Where the implementation body is not leveraged for data aggregation, every participant will need to report directly to the FSA. Contrary to common assumptions, interviews suggest that large institutions — such as large retail banks — may face greater challenges than smaller TPPs in meeting new reporting requirements due to fragmentation of legacy systems and the sheer volume of data involved. Hence, to mitigate implementation risks, FSAs may consider piloting new reporting regimes including a diverse group of large and small participants, prior to the official launch of open finance operations and during the early stages of development of the oversight framework. Chile's CMF is planning to conduct such a pilot prior to the launch of open finance operations.

3.6.3 Using Technology for Oversight and Supervision

Oversight based on high-frequency granular data necessitates investment in technology. "High-frequency" ideally means real-time or near real-time and "granular" ideally means detailed API call metadata (in addition to data that does not require such levels of granularity and frequency, as listed in Table 3). However, despite its benefits, high-frequency granular data can place a significant burden on FSAs' analytical resources, data storage capacity, data security, and cybersecurity capabilities, and require investment in technology to process large volumes of data, including to automate validation checks. As noted earlier (see section 3.3), the bulk of such investment may be borne by an implementation body, if such a body is able to develop adequate resources and governance to produce reliable statistics and analytics for supervisory use and for the benefit of the ecosystem participants.

There are no current examples of advanced SupTech developed or being used directly by FSAs in the context of open finance oversight and supervision, but the experience in Brazil provides a useful reference. In Brazil, the oversight model makes extensive use of technology (see section 3.3) to collect and process near real-time, granular data on billions of API calls and monitor hundreds of open finance participants across a range of criteria. However, such technology is developed and used by the implementation body, not by the CBB. This will also be the case for the CBUAE once Nebras effectively begins its ecosystem monitoring activities.

As Brazil's experience shows, technology can enhance oversight by enabling automated data validation, compliance checks, dynamic scoring models, benchmarking, and other applications. FSAs could explore the use of technology for similar purposes. For instance, FSAs can set up automated alerts to flag non-compliance with specific regulatory thresholds or internal benchmarks, or detect issues affecting individual participants that may disrupt services or affect the broader ecosystem. In the early stages of implementation, basic tools such as Excel can support simple alert systems. However, SupTech solutions will be needed if the volume, granularity, and frequency of data increase with the expansion of open finance ecosystems. Better technology is needed not only for processing and de-duplicating granular data in models without an API hub, but also for applying advanced analytics to identify patterns, including potential anti-competitive conduct. SupTech tools powered by machine learning and other AI applications could support FSAs, for example, to set and continuously refine benchmarks for acceptable and desired performance at both the participant and ecosystem levels — beyond the minimum thresholds defined in regulation.
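The automated validation and alerting described above, sketched as an added example (not code from the paper, the CBB, or any implementation body): it de-duplicates and validates daily participant reports, then flags breaches of regulatory thresholds and of an internal benchmark. The threshold values, the benchmark rule, the record layout, and the participant names are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed values: the paper names these threshold types but sets no numbers.
MIN_UPTIME_PCT = 99.5        # hypothetical regulatory minimum API uptime
MAX_P95_RESPONSE_MS = 1500   # hypothetical regulatory maximum response time
BENCHMARK_MULTIPLE = 3.0     # hypothetical internal benchmark: 3x peer median

# Constructed daily reports, one row per participant and API family:
# (day, participant, api_family, calls, rejected, uptime_pct, p95_ms)
SAMPLE_REPORTS = [
    ("2025-01-06", "bank-a", "accounts", 120000, 1200, 99.90, 640),
    ("2025-01-06", "bank-b", "accounts", 450000, 58500, 99.70, 910),
    ("2025-01-06", "bank-c", "accounts", 30000, 450, 98.20, 1720),
    ("2025-01-06", "bank-d", "accounts", 60000, 900, 99.95, 480),
    ("2025-01-06", "bank-d", "accounts", 60000, 900, 99.95, 480),  # resubmitted
    ("2025-01-06", "bank-e", "accounts", 5000, 9000, 99.80, 700),  # inconsistent
]


def validate(reports):
    """Return (clean_rows, issues) after de-duplication and consistency checks."""
    first_seen, clean, issues = {}, [], []
    for row in reports:
        day, participant, family, calls, rejected, uptime, p95 = row
        key = (day, participant, family)
        if key in first_seen:
            # An identical resubmission is dropped silently. A differing one is
            # reported (the first version is kept) so an analyst can resolve it.
            if row != first_seen[key]:
                issues.append((participant, family, "conflicting resubmission"))
            continue
        first_seen[key] = row
        problems = []
        if calls <= 0:
            problems.append("calls must be positive")
        if not 0 <= rejected <= calls:
            problems.append("rejected outside 0..calls")
        if not 0.0 <= uptime <= 100.0:
            problems.append("uptime outside 0..100")
        if p95 < 0:
            problems.append("negative response time")
        if problems:
            issues.append((participant, family, "; ".join(problems)))
        else:
            clean.append(row)
    return clean, issues


def build_alerts(clean):
    """Return sorted (day, participant, api_family, rule) alerts."""
    groups = defaultdict(list)
    for row in clean:
        groups[(row[0], row[2])].append(row)  # peers: same day, same API family
    alerts = []
    for (day, family), rows in groups.items():
        rates = {r[1]: r[4] / r[3] for r in rows}  # rejection rate per participant
        benchmark = median(rates.values())
        for _, participant, _, _, _, uptime, p95 in rows:
            if uptime < MIN_UPTIME_PCT:
                alerts.append((day, participant, family, "uptime_below_minimum"))
            if p95 > MAX_P95_RESPONSE_MS:
                alerts.append(
                    (day, participant, family, "response_time_above_maximum"))
            if benchmark > 0 and rates[participant] > BENCHMARK_MULTIPLE * benchmark:
                alerts.append(
                    (day, participant, family, "rejection_rate_above_benchmark"))
    return sorted(alerts)


if __name__ == "__main__":
    clean_rows, data_issues = validate(SAMPLE_REPORTS)
    for issue in data_issues:
        print("DATA ISSUE", *issue)
    for alert in build_alerts(clean_rows):
        print("ALERT", *alert)
```

Rows that fail validation are excluded before the peer median is computed, so one malformed submission cannot shift the benchmark that other participants are measured against.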

Technology can also help supervisors conduct qualitative assessments of UX/UI and data quality. For UX/UI, FSAs currently rely on manual methods such as screenshot analysis or live app testing, but scaling these efforts may require more advanced approaches, including remote access to mirrored production environments. UX/UI assessments can be conducted during licensing, through thematic reviews, or during specialized inspections planned based on insights from oversight — such as API usage patterns, participant activity, and consumer complaints. Technology can also be used to assess the quality of data shared in the ecosystem, as described in the Annex.

Table 3. Data Types and Indicators Used in Open Finance Oversight and Supervision

3.7 Licensing and Onboarding of TPPs

FSAs should design their licensing processes early, develop internal guidance for analysts, and ensure adequate resources for this function. FSAs are often responsible for licensing AISPs and PISPs before they can operate. These are new categories, introduced through recent regulatory frameworks that set out minimum entry requirements. Licensing criteria and procedures — such as decision timelines and grounds for rejection — must be fair and transparent, and ensure a balance between safety and the policy goal of encouraging the entry of innovative TPPs. In addition to assessing key elements such as fitness and propriety, capital requirements, and cybersecurity, the licensing process also provides an opportunity for an early review of UX/UI aspects by evaluating the customer interfaces developed by applicants (see Annex for details).

FSAs should develop a strategy to manage potentially high numbers of licensing applications. The expansion of the FSA's regulatory remit may generate a surge of applications in the first years of open finance implementation, for which FSAs should prepare adequately by allocating a sufficient number of qualified staff to this function and preparing internal processes and guidance in advance. FSAs may conduct market scans before launching open finance to estimate the likely volume of applications. To help manage potentially high volumes, some FSAs have begun with limited pilots in voluntary settings. Pilots can be conducted through existing mechanisms such as regulatory sandboxes or through special one-off pilots, such as in the Philippines, where the central bank is leading a voluntary pilot of data sharing for Personal Equity and Retirement Account (PERA), involving a mix of banks, payment service providers, pension administrators, and technology service providers (Lesaca 2025).

Where FSAs become responsible for onboarding participants, they can consider leveraging third-party certification services. In addition to licensing TPPs, some authorities — such as Chile's CMF — are also responsible for accrediting TPPs for compliance with the technical and operational standards of their respective open finance frameworks, such as API specifications, prior to their inclusion in participant directories. This represents an additional responsibility that, in other jurisdictions, remains either with implementation bodies (for example, in Brazil, Korea, Türkiye, the UAE, and the UK) or is conducted by individual data holders (for example, most of Europe, Hong Kong, Indonesia, the Philippines, and Singapore). In Australia, the ACCC is responsible for onboarding ADRs and it also conducts technical conformance testing (Conformance Test Suite [CTS]) of both ADRs and Data Holders against a subset of API specifications, such as security requirements, prior to including them in the CDR Register. In contexts where the FSA assumes similar roles and capacity is limited, it can engage third-party certification services. As an example, Chile's regulation mandates third-party certification of TPPs as a prerequisite for accreditation and sets minimum standards for certifying entities. To further support this process, the CMF will establish a technical sandbox where these companies can conduct certification tests.

Section 4: Impact Measurement and Public Dissemination

Supervisory data and outputs are vital to support impact measurement and public dissemination. FSAs should consider these needs when designing regulatory reporting regimes. Experience to date shows that customer trust and concerns about data security can limit uptake, while access to lower-cost transactions and loans can incentivize adoption (Vidal et al. 2023). Impact measurement and public dissemination are important to build trust and help FSAs adjust their regulatory frameworks over time, ultimately supporting supervisory objectives. In some cases, these functions are a formal requirement for FSAs. The Chilean CMF, for instance, is required by the Fintech Law to prepare annual reports about open finance. A key enabler for impact measurement and public dissemination is a centralized indicators dashboard. Implementation bodies in Brazil, India, and the UK, for instance, have developed systems that allow for detailed tracking of API statistics, usage patterns, service quality, dispute resolution, and consent activity. At the same time, it is important that these efforts do not impose excessive costs on participants and FSAs and remain commensurate with expected benefits.

An impact measurement strategy could prioritize five areas in the first years of open finance implementation (Mazer 2026): (1) market innovation (for example, changes in the number and diversity of participants); (2) quality of open finance information and transactions; (3) consumer use and benefits (for example, new products accessed and better product terms) across different consumer segments; (4) shifts in costs and pricing over time; and (5) market conduct and consumer risks. Where resources are available, FSAs could also gauge the level of public awareness of and trust in open finance through surveys.

Data needed for the above analyses varies in complexity and imposes different cost levels on participants and the FSAs. To ensure proportionality, FSAs may consider a phased approach. FSAs may start by using existing supervisory data and gradually add other sources as capacity allows. In the absence of a centralized indicators dashboard, FSAs could begin impact measurement based on a sample of large participants, especially when they represent a significant share of total customer accounts. In the UK, for example, Open Banking Limited's Impact Report (Open Banking Limited 2025) — now in its seventh edition — draws primarily from the nine banks mandated under the Competition and Markets Authority's initial open banking order, as they account for the majority of overall open banking activity.

FSAs may promote consumer awareness and understanding of open finance opportunities and risks, considering low-cost, higher-impact efforts. It is important to raise public awareness, especially in the growth stage of open finance implementation (Shastri and Jeník 2024). This is particularly important for encouraging uptake and continuous use among traditionally excluded and underserved segments (CGAP et al. 2024). Globally, dissemination efforts related to open finance have often lacked evidence of their impact on consumer adoption. One interviewee cited low viewership rates for costly, professionally produced online video campaigns. In light of this, FSAs may consider alternatives such as earned media exposure through "finfluencers" or popular news programs around the launch of open finance. FSAs may also want to focus on embedding awareness-raising efforts within existing activities, such as content and product information disseminated by participants; public dashboards built automatically from supervisory data; hackathons, forums and expos; and consumer and industry surveys. Experience from broader financial education efforts offers important lessons: keep content focused on simple messages directly tied to an action; deliver content at the point of consumer decision-making; and make content convenient and entertaining.

Additionally, disseminating statistics about the open finance ecosystem, impact studies, and non-confidential information about regulatory, supervisory, and enforcement activities can help build trust across a broader range of players, such as politicians, investors and consumer advocates, and place pressure on open finance participants when their performance is subject to public scrutiny.


Conclusion

To realize the transformative potential of open finance, FSAs must build an effective oversight and supervisory approach, embedding oversight and supervision into policy and regulatory design rather than treating them as an afterthought. An effective approach prioritizes robust ecosystem-wide oversight as its foundation, using high-frequency, granular data to monitor ecosystem performance and help ensure good user experience and effective fraud mitigation. FSAs may also leverage implementation bodies and SupTech for oversight and supervision while maintaining the agility required for prompt corrective action in a fast-paced environment. Finally, proactive interagency coordination and regulatory refinements based on supervisory findings will help FSAs build the public trust, which is essential for widespread adoption of open finance.


Annex: Examples of Supervisory Analyses in Key Areas of Concern

This Annex describes some analyses that FSAs can do in the context of open finance, mostly using the data and approach described in this paper. It does not include all topics and all analyses that could be included in open finance oversight and supervision (for example, fraud monitoring, cybersecurity assessment, and third-party risk management are not included, as these are not new areas for most supervisors). Rather, it focuses on a few priority topics that can be covered by offsite monitoring, thematic reviews, or during inspections of individual participants. Specifically, this annex covers: offsite monitoring strategic analyses, user experience (UX/UI), error and dispute resolution among participants, pricing practices, and quality of data shared via open finance.

A Strategic Take on Oversight

FSAs can enrich their analysis of regulatory compliance — done mostly through offsite monitoring — with strategic questioning, aligned with the policy objectives pursued by the open finance framework. Below are some examples of such broader questions that complement those listed in this paper.

Ecosystem Performance and Growth

  • Is the ecosystem maintaining excellent levels of API performance, potentially above minimum regulatory thresholds?
  • Which types of participants and which specific participants are the main data holders and users? Is there concentration in API calls in the ecosystem?
  • Are the API error rates, rejection rates, and slow response times concentrated in specific participants or API types? Could this indicate a risk for the ecosystem? Could this indicate misconduct?
  • Which types of APIs are driving ecosystem growth? Do they support the policy goals (competition, inclusion, innovation, consumer empowerment and experience)? Do they align with reported use cases?
  • What are the patterns in call withdrawal rates and API call rejection rates? Do they point towards underlying technical weaknesses or misconduct by specific participants?

Ecosystem Robustness and Resilience

  • What is the evolution of operational and cyber incidents reported in the ecosystem? Are these concentrated in some participants? Could some participants become a risk for the ecosystem?
  • What is the evolution of scams targeting the open finance ecosystem or participants such as TPPs? What risks could this trend introduce or exacerbate?
  • Is there a correlation between the number of operational incidents (like outages or cyber events) reported by a participant and their overall API performance (uptime and success rate)? Should the issue be reported to the prudential supervisor? Is there a need for in-depth investigation of these issues, such as through an inspection?

Competition and Market Dynamics

  • Could any of the performance issues identified (for example, high rejection and error rates, high rate of call withdrawal) be, in fact, a misconduct issue? Is there any indication of discriminatory conduct by any participant against other participants or groups of participants? This analysis is particularly important regarding the largest data holders.
  • Are TPPs, including new and smaller participants (especially voluntary ones), gaining market share in API calls? What types of APIs are they mostly using and how does this relate to the reported use cases? Do these uses support the broad policy goals?
  • Is there evidence that product portability is being used for purposes such as lowering interest rates on loans, accessing free accounts, salary account portability, or appropriate insurance coverage?
  • Is there any identifiable correlation between the growth of the open finance ecosystem operations and any changes in the concentration levels of total deposits, credit, and insurance?

Innovation and Inclusion

  • Is the growth in active consents and linked accounts translating into a proportional increase in use cases and use of action initiation APIs (for example, payment initiation, product portability), or are consumers consenting to share data without accessing new services and products? The conclusions in this regard will differ according to the phase of implementation in a particular jurisdiction, because the industry may take some time to fully develop its use cases. In the first year of open finance there could be a large gap between active customer consents and the actual implementation of use cases with product and service uptake. The gap between the two should narrow over time.
  • Are the new use cases and the rate of new product uptake concentrated in simple data aggregation services, or are they more sophisticated innovations in areas that promote deeper financial inclusion, such as lending to underserved segments (for example, micro-entrepreneurs), new savings tools, novel ways to use the fast payment system, financial management tools targeting underserved segments, or customized insurance?
  • Which participants are leading in the development of novel use cases for financial inclusion, and how are they using open finance data? Is there any evidence that pricing practices or the cost-sharing arrangement introduce obstacles for the viability of these use cases?

Consumer Protection

  • Is there a correlation between participants with high volumes of open finance-related consumer complaints, long dispute resolution times, and poor UX/UI assessments? Does this pattern suggest a business model that prioritizes aggressive data acquisition over consumer value?
  • Based on the analysis of proportionality in data collection, is there any evidence that some participants are collecting excessive consumer data that is not essential for the service being offered, thereby creating unnecessary privacy risks? Is there any evidence that they are sharing customer data with third parties that are not clearly involved in service design or delivery, according to the reported use cases?
  • Do the types of consumer complaints related to open finance align with technical issues identified via API error rates and the dispute/error resolution data, suggesting that operational performance is a potential cause of consumer harm or poor experience?
  • Is there any correlation between open finance-related complaints and the growth of other types of consumer complaints (for example, aggressive sales, unsolicited offers) that could indicate misconduct?
  • Are there any concerns with the consumer risks introduced by the products and services being offered via open finance? For instance, are there concerns about the suitability or transparency of micro-loans or MSE loans that use open finance data? Is there any evidence that open finance could lead to poor consumer outcomes and financial health?

Customer Interfaces: UX/UI Aspects

The evaluation of customer interfaces is one of the most critical and time-sensitive tasks for FSAs during the early stages of open finance implementation. A poor user experience at this stage can have long-lasting effects on customer trust and adoption. Therefore, FSAs should prioritize the assessment of user interfaces developed by participants, particularly in the first and potentially second year of implementation. This assessment should serve as a basis for determining whether existing regulatory requirements related to UX/UI are sufficient or need to be strengthened. FSAs may consider tightening these requirements using their broad regulatory powers, depending on the findings.

The evaluation should cover two areas:

  1. Compliance with existing standards: This includes adherence to regulatory and industry-defined requirements, such as:
    • Consent mechanism
    • Minimum disclosures
    • Use of a common logo, if any
    • Other elements of the customer journey that may be subject to specific rules
  2. Alignment with broader regulatory principles: Even in the absence of detailed standards, interfaces should reflect principles set in the regulation such as simplicity, clarity, and accessibility. Key aspects include:
    • Number of steps or screens
    • Clear and concise language
    • Readability and visual clarity
    • Avoidance of unnecessary redirects (for example, to external apps)
    • Availability in the local language

Importantly, the assessment should go beyond the initial consent journey — when customers authorize data sharing — and include the tools provided for ongoing consent management, such as the ability to easily view, modify, or revoke data-sharing permissions.

Authorities interviewed for this study have used relatively simple methods for these analyses, such as reviewing screenshots or testing apps themselves in a live environment. While effective, these approaches are time-consuming and limit the number of interfaces that can be assessed. To scale up and improve efficiency, FSAs could adopt more advanced techniques, although there are no live examples of these techniques. For example, they could require participants to provide remote access to a mirrored version of their production environment. This would allow supervisors to test the full customer journey and consent management tools directly from their offices, without needing to simulate the experience as end-users.

A key opportunity to conduct UX/UI assessments is during the licensing process. If conducting this assessment at this stage is not possible, or if updates are needed following an initial review, supervisors can conduct thematic reviews targeting a sample of major open finance participants. To plan these reviews effectively, supervisors can leverage insights from offsite monitoring, including the most frequently used APIs, the most active participants (both data holders and data users), patterns in disputes, system errors, and consumer complaints.

Where resources permit, these assessments can be enriched through complementary tools such as consumer surveys, to gather direct feedback on user experiences with open finance interfaces, and participant self-assessments, which may include structured questionnaires and, where appropriate, validation by third-party assessors.

Error and Dispute Resolution Among Participants

The prompt resolution of technical errors and disputes between participants is essential for the smooth functioning of the open finance ecosystem. Information on such issues — whether raised by participants or implementation bodies — provides a critical complement to performance metrics such as API availability and response times.

In most cases, technical problems should be addressed immediately by the participant receiving the request or by the implementation body, depending on the governance model. As highlighted in this paper, the existence of a centralized ticketing system can significantly enhance the efficiency and consistency of error and dispute resolution. Such a system not only streamlines communication and accountability among participants but also facilitates the generation of structured data for supervisory analysis.

The questions FSAs can ask when analyzing error and dispute resolution data include:

  • Are participants complying with the maximum time to respond to the ticketing system?
  • Which types of errors or disputes are taking the longest to be resolved? What could be the reasons behind this trend? Could this indicate a conduct issue or an important operational issue?
  • Which participants have low performance in this aspect? Are they important players in the open finance ecosystem (major data holders or users)? Why are the issues not being resolved in a timely manner?
  • Is there any indication that major participants could be engaging in misconduct by repeating errors and other technical issues specifically when interacting with a particular participant or group of participants?
  • If left unresolved or if continuing to repeat, could these issues impact the ecosystem? Could they lead to prudential or conduct risks outside the open finance ecosystem? Should these issues be reported to the prudential or conduct supervisor?
  • What are the good and poor emerging practices in the responses given by participants that receive requests from others or from the implementation body?
  • Does the ticketing system itself seem to be working properly? Do the categories of tickets and their prioritization seem to be working properly? Should improvements be introduced?
  • How should the regulation be adjusted to address common errors and technical problems, or weaknesses in the ticketing system?

Pricing Practices

In the initial years of open finance implementation, analyzing pricing practices may not be an immediate supervisory priority — particularly when regulation establishes minimum thresholds (for example, API call volumes) below which participants are not permitted to charge one another. Experience to date suggests that it often takes several years for API usage to reach these thresholds. Nonetheless, it is important for supervisors to begin preparing for this type of analysis early on. This includes ensuring access to high-quality information on pricing levels and commercial practices. Such information could include a combination of quantitative and qualitative data, such as:

  • Types and levels of charges applied
  • Terms and conditions associated with those charges
  • Disclosure formats used for both participants and consumers
  • Methodologies used to determine charges, particularly where regulation requires proportionality between fees and underlying costs
  • The actual charges paid by participants to other participants¹¹

Complementary sources of information include whistleblowing, dispute resolution data, and findings from thematic reviews or inspections.

Analyses of pricing practices may cover:

  • Compliance with regulatory thresholds, for example, minimum API call volumes required before charges can be applied.
  • Adherence to regulatory principles aimed at protecting competition and consumers, including:
    • Proportionality of charges in relation to cost recovery.
    • Non-discrimination among participants.
  • Transparency requirements, particularly the effectiveness of pricing disclosures.

While verifying compliance with regulatory thresholds is relatively straightforward, the broader assessments — such as evaluating proportionality, fairness, and transparency — are more complex and resource-intensive. As such, these should be conducted based on information collected through offsite monitoring, limited to the most relevant ecosystem participants, or in response to specific triggers, such as whistleblower reports or complaints from other participants.

To assess whether charging practices are aligned with the policy goals, supervisors could explore the following questions:

  • Impact on ecosystem dynamics: By comparing ecosystem data — such as the volume and types of API calls by participant type — before and after charges were introduced, is there any indication that fees have reduced the dynamism of the ecosystem or dampened participants' appetite to make API calls? Have smaller or newer participants been disproportionately affected? Do reported use cases show any visible decline or shift?
  • Potential anti-competitive practices: Based on the detailed charges reported, is there any evidence that fees are being applied in a discriminatory manner that could stifle competition or discourage participation in open finance?
  • Intent behind the charging methodology: Does the methodology used to determine charges suggest that fees are being used not for cost recovery, but as a strategic tool to deter usage and protect incumbents from competition? Are the charges disproportionately high relative to the services provided?
  • Transparency of charges: Are the fees clearly and transparently communicated to all participants? Is the pricing structure easy to understand and accessible?

Quality of Data Shared

In our interviews, FSAs consistently emphasized their concern with ensuring the quality of data shared within open finance ecosystems.¹² However, this type of assessment — like other qualitative assessments such as those related to pricing practices — is not easily integrated into routine oversight activities.

Offsite monitoring may include basic indicators of data quality — such as pagination, error and dispute resolution data, or consumer complaints statistics — while more robust analyses tend to be resource-intensive. Some open finance regulations such as those in Chile and Brazil define a set of core data quality dimensions that all participants must adhere to. While the exact terminology may vary, these typically include accuracy, completeness, integrity, timeliness (i.e., data is up to date), validity, and uniqueness.

The primary sources of information for assessing these dimensions are the following: self-assessments conducted by participants, as mandated by regulation; third-party assessments commissioned by the FSA; and direct assessments by the FSA itself, where resources and technical expertise permit, or through monitoring activities conducted by the implementation body.

For example, the Office of the Australian Information Commissioner (OAIC) conducted a data quality assessment of one of the country's largest banks, Westpac, and published the findings on its website. The review focused on Westpac's policies and processes for maintaining the quality of relevant data. The OAIC recommended that Westpac review its incident reporting process and suggested that it review its staff training materials.

A contrasting approach has been adopted by the Central Bank of Brazil (CBB). As described in this paper, the CBB places monitoring responsibilities on the implementation body. One of its obligations was to develop a Data Quality Motor — a diagnostic tool that must be used by ecosystem participants. The tool automatically sends results to the implementation body, which can trigger a ticket for follow-up action by the participant. Issues can be reported to the CBB for potential supervisory action. This type of automated, industry-based approach could offer a practical model for other jurisdictions, enabling data quality oversight with significantly fewer supervisory resources.


Footnotes

  1. This document uses the definition given by CGAP, BIS, IMF, UNSGSA, and World Bank (2024). Open finance is the sharing of customer-permissioned data by banks and other providers of accounts and products (e.g., insurance) with other bank and nonbank financial institutions and third parties, through a sector-wide arrangement. Open finance covers a broad suite of financial products in addition to basic banking and payments services, such as investments, insurance, and pensions. The main services facilitated through open finance are account information services and payment initiation services.
  2. Open finance introduces risks such as to data privacy (Medine and Plaitakis 2023), consumer protection (Duflos 2024; Mazer 2023; Mazer and Farrell 2025), and cybersecurity. Also, it may reinforce market concentration among a few dominant players (CGAP et al. 2024).
  3. Open finance is closely linked with interoperable payments systems, as they increasingly include payments initiation as a regulated activity within the open finance framework.
  4. CGAP, BIS, IMF, UNSGSA, and World Bank (2024) refer to this type of body as "supporting body or an entity created to organize and support the ecosystem."
  5. Topics that may be addressed in regulation include: APIs and data standards, minimum performance thresholds, data and cybersecurity standards, data privacy standards, user experience (UX) and user interface (UI) standards, liability rules, error and dispute resolution processes, pricing rules, cost-sharing arrangements (when infrastructure/services are shared), and authorization criteria for TPPs.
  6. CBB is not a member of the board or any other structure of the implementation body, nor does it invest in this body in any way. The body has working groups covering topics such as API architecture, UX/UI, risk and compliance, and fraud prevention.
  7. For this purpose, CBB uses Normative Instructions, which are instruments that can be changed quickly within the CBB's structure. Normative Instructions are compiled into a set of "manuals," such as User Experience and Security Manuals, all available online at the CBB's open finance participants page: https://www.bcb.gov.br/estabilidadefinanceira/openfinance_participantes
  8. In Chile, Law 21521/2023, known as the Fintech Law, gave powers to the Financial Market Commission (CMF) to regulate and oversee open finance, as well as regulate, authorize, and supervise AISPs and PISPs. However, it does not explicitly address regulation and supervision of implementation bodies.
  9. A recent report by the UK's FCA (Murray and Buckenham 2025) emphasized that "advancements in centralized API ecosystems highlight the opportunity for the UK to explore more automated real-time reporting mechanisms," suggesting that the FCA may change its current approach to data collection to enable advanced, specialized open banking oversight.
  10. Onboarding focuses on verifying that participants comply with the API, data, cybersecurity and other standards established specifically for the ecosystem. Accredited participants are included in the participant directory and may be excluded if they cease to comply with the requirements. Licensing (or authorization) is the process of verifying that an organization meets the minimum requirements to become a regulated entity, covering issues such as fit and proper and minimum capital. Licensed entities are usually included in a registry published by FSAs. While onboarding can be more dynamic and adapt to the ecosystem's evolving needs and changing standards, licensing is more static.
  11. When the implementation body offers a centralized billing system, this information is easily retrievable. When there is no such shared service, the supervisor may collect this data directly from each participant in an aggregated or granular format.
  12. In Brazil, a survey found that 21 percent of consumer complaints related to open finance are due to outdated data, and this number increases to 70 percent when considering only the complaints against the largest data holders (Ernst & Young 2025).

References

Alliance for Financial Inclusion. 2025. Policy Development and Implementation Guide for Inclusive Open Finance. Guideline Note No. 56. Kuala Lumpur: Alliance for Financial Inclusion. https://www.afi-global.org/wp-content/uploads/2025/02/Policy-Development-and-Implementation-Guide-for-Inclusive-Open-Finance.pdf

Alok, Shashwat, Pulak Ghosh, Nirupama Kulkarni, and Manju Puri. 2024. Open Banking and Digital Payments: Implications for Credit Access. Mumbai: Centre for Advanced Financial Research and Learning. https://www.cafral.org.in/sfControl/content/Speech/129202464026PMNKDec2024.pdf

Arner, Douglas W., Ross P. Buckley, Christine M. Wang, and Dirk A. Zetzsche. 2025. "Building Open Finance." Notre Dame Journal of International and Comparative Law 15(1): Article 5. https://scholarship.law.nd.edu/ndjicl/vol15/iss1/5/

Babina, Tania, Saleem Bahaj, Greg Buchak, Filippo De Marco, Angus Foulis, Will Gornall, Francesco Mazzola, and Tong Yu. 2024. "Customer Data Access and Fintech Entry: Early Evidence from Open Banking." Bank of England Staff Working Paper No. 1,059. February. London: Bank of England. https://www.bankofengland.co.uk/-/media/boe/files/working-paper/2024/customer-data-access-and-fintech-entry-early-evidence-from-open-banking.pdf

Basel Committee on Banking Supervision. 2016. Guidance on the Application of the Basel Core Principles for Effective Banking Supervision to the Regulation and Supervision of Institutions Relevant to Financial Inclusion. Basel: Bank for International Settlements. https://www.bis.org/bcbs/publ/d383.pdf

Basel Committee on Banking Supervision. 2024. Principles for Sound Management of Third-Party Risk. Consultative document. Basel: Bank for International Settlements. https://www.bis.org/bcbs/publ/d577.pdf

Bank for International Settlements. 2020. "Central banks and payments in the digital era." In BIS Annual Economic Report. Chapter III. Basel: Bank for International Settlements. https://www.bis.org/publ/arpdf/ar2020e3.htm

Cambridge Center for Alternative Finance. 2024. The Global State of Open Banking and Open Finance. Cambridge: Cambridge Judge Business School, University of Cambridge. https://www.jbs.cam.ac.uk/wp-content/uploads/2024/11/2024-ccaf-the-global-state-of-open-banking-and-open-finance.pdf

CGAP, Bank for International Settlements, International Monetary Fund, United Nations Secretary-General's Special Advocate for Financial Inclusion for Development, and World Bank. 2025. Key Considerations for Open Finance. Washington, D.C.: World Bank. http://hdl.handle.net/10986/42617

Committee on Payments and Market Infrastructures and World Bank Group. 2016. Payment Aspects of Financial Inclusion. Basel: Bank for International Settlements. https://www.bis.org/cpmi/publ/d144.pdf

Doerr, Sebastian, Leonardo Gambacorta, Luigi Guiso, and Marina Sanchez del Villar. 2023. "Privacy Regulation and Fintech Lending." BIS Working Papers, No. 1103. Basel: Bank for International Settlements. https://www.bis.org/publ/work1103.htm

Duflos, Eric. 2024. "Ensuring Responsible Open Finance for Consumers and Their Data." CGAP Blog, 11 December. https://www.cgap.org/blog/ensuring-responsible-open-finance-for-consumers-and-their-data

Ernst & Young. 2025. Open Talks 2025: E Se o Future Estiver Acontecendo Agora… Sua Empresa Está Pronta para o Inimaginável? https://www.ey.com/content/dam/ey-unified-site/ey-com/pt-br/industries/financial-services/documents/ey-open-talks-2025.pdf

Fernandez Vidal, Maria, Ivo Jeník, and Arisha Salman. 2023. "Success in Open Finance Requires Trust — Lessons from Brazil." CGAP Blog, October 11. https://www.cgap.org/blog/success-in-open-finance-requires-trust-lessons-brazil

Fernandez Vidal, Maria, and Sophie Sirtaine. 2024. "Open Finance Can Reduce Financial Inclusion Gaps: Here's How." CGAP Leadership Essay, March 10. https://www.cgap.org/blog/open-finance-can-reduce-financial-inclusion-gaps-heres-how

Financial Conduct Authority. 2025. FS25/4: Design of the Future Entity for UK Open Banking. https://www.fca.org.uk/publications/feedback-statements/fs25-4-design-future-entity-open-banking

Financial Stability Board. 2025. Monitoring Adoption of Artificial Intelligence and Related Vulnerabilities in the Financial Sector. October 10. https://www.fsb.org/uploads/P101025.pdf

Financial Stability Board. 2024. The Financial Stability Implications of Artificial Intelligence. November. https://www.fsb.org/2024/11/the-financial-stability-implications-of-artificial-intelligence/

Financial Stability Board. 2023. Enhancing Third-Party Risk Management and Oversight — A Toolkit for Financial Institutions and Financial Authorities. https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/

Gambacorta, Leonardo, and Vatsala Shreeti. 2025. The AI Supply Chain. BIS Papers No. 154. Basel: Bank for International Settlements. https://www.bis.org/publ/bppdf/bispap154.htm

Inter-American Development Bank. 2023. Open Finance in Latin America and the Caribbean: Great Opportunities, Large Challenges. Washington, D.C.: Inter-American Development Bank. https://publications.iadb.org/en/open-finance-latin-america-and-caribbean-great-opportunities-large-challenges

Kumaraswamy, Sai Khrishna, and Arisha Salman. 2025. "Six Ways Open Finance Can Drive Competition and Inclusion." CGAP Blog, September 9. https://www.cgap.org/blog/six-ways-open-finance-can-drive-competition-and-inclusion

Lesaca, Thony Rose. 2025. "Bangko Sentral Rolls Out Open Finance to Encourage Retirement Savings in PH." Manila Standard, August 4. https://manilastandard.net/business/314625923/bangko-sentral-rolls-out-open-finance-to-encourage-retirement-savings-in-ph.html

Mazer, Rafe. 2026. "Impact Measurement in Open Finance." Fair Finance Consulting. https://rafemazer.com/Mazer_Impact_Measurement_in_Open_Finance_2026.pdf

Mazer, Rafe. 2025. Unlocking Open Finance in Kenya: Opportunities for Kenya's Financial Sector. Nairobi: Association of Fintechs in Kenya, FSD Kenya, and Kenya Bankers Association. https://www.fsdkenya.org/wp-content/uploads/2025/09/Unlocking-open-finance-in-Kenya-Opportunities-for-Kenyas-financial-sector.pdf

Mazer, Rafe, and Scott Farrell. 2025. "Liability Frameworks in Open Finance: Enabling Trust and Participation." TechREG Chronicle, August. https://www.pymnts.com/cpi-posts/liability-frameworks-in-open-finance-enabling-trust-and-participation

Mazer, Rafe, and Denise Dias. 2025. Open Finance Implementation: Global Lessons from the First Wave of Innovation. Fair Finance Consulting. https://www.findevgateway.org/sites/default/files/publications/2026/Open%20Finance%20Implementation%20White%20Paper%20-%20Mazer-Dias%20-%20March%202025.pdf

Mazer, Rafe. 2023. "Consumer Protection for Open Finance Ecosystems." https://www.findevgateway.org/paper/2023/04/consumer-protection-for-open-finance-ecosystems

Medine, David, and Ariadne Plaitakis. 2023. Combining Open Finance and Data Protection for Low-Income Customers. CGAP Technical Note. Washington, D.C.: CGAP. https://www.cgap.org/sites/default/files/publications/20230216_Medine_TN_OpenFinanceDataProtection.pdf

Murray, Aimee, and Jed Buckenham. 2025. Open Banking and Open Finance in the UK. Research Note. October 6. London: Financial Conduct Authority. https://www.fca.org.uk/publications/research-notes/open-banking-open-finance-uk

Nam, Rachel J. 2024. "Open Banking and Customer Data Sharing: Implications for FinTech Borrowers." https://www.racheljnam.com/_files/ugd/5173e2_e56a351bb8584d5abf9be886e926cdda.pdf

Open Banking Limited. 2025. OBL Impact Report 7: Open Banking Delivers Real-World Impact as Adoption Accelerates Year-on-Year. May 16. London: Open Banking Limited. https://www.openbanking.org.uk/insights/obl-impact-report-7-open-banking-delivers-real-world-impact-as-adoption-accelerates-year-on-year/

Open Banking Limited. 2025. Financial Crime Within Open Banking Journeys. London: Open Banking Limited. https://www.openbanking.org.uk/wp-content/uploads/OBLs-Financial-Crime-Report-Dec-2024.pdf

Open Banking Limited. 2023. Mitigating the Risks of Financial Crime: Framework for Data Collection on Financial Crime. London: Open Banking Limited. https://www.openbanking.org.uk/wp-content/uploads/Framework-for-data-collection-on-financial-crime.pdf

Open Finance Brasil. 2025. Annual Report 2024. https://ob-wp-media-files.s3.amazonaws.com/wp-content/uploads/2025/05/14093844/Open-Finance-Brazil-%E2%80%93-Annual-Report-2024.pdf

Plaitakis, Ariadne, and Stefan Staschen. 2020. Open Banking: How to Design for Financial Inclusion. Working Paper. Washington, D.C.: CGAP. https://www.cgap.org/research/publication/open-banking-how-to-design-for-financial-inclusion

Polasik, Michal, Agnieszka Huterska, Rehan Iftikhar, and Stepan Mikula. 2020. "The Impact of Payment Services Directive 2 on the PayTech Sector Development in Europe." Journal of Economic Behavior and Organization, Volume 178 (October 2020): 385–401. https://www.sciencedirect.com/science/article/pii/S0167268120302328

Remolina Leon, Nydia. 2023. "Open Finance: Regulatory Challenges of the Evolution of Data Sharing Arrangements in the Financial Sector." Banking and Finance Law Review 40(1): 35–66. https://ink.library.smu.edu.sg/sol_research/4611

Reserve Bank of India. 2025. Framework for Recognising Self-Regulatory Organisations (SROs) for the Account Aggregator Ecosystem. https://sahamati.org.in/wp-content/uploads/2025/10/Framework-for-recognising-SROs-for-the-AA-Ecosystem-1.pdf

Salman, Arisha, Maria Fernandez Vidal, and Rutvik Paikine. 2025. "Convenience Drives Rapid Adoption of Account Aggregators in India." CGAP Blog, April 3. https://www.cgap.org/blog/convenience-drives-rapid-adoption-of-account-aggregators-in-india

Sahamati. 2025. Code of Conduct for Sahamati Members. Version June 11. https://sahamati.org.in/wp-content/uploads/2025/09/Code-of-Conduct-For-Sahamati-Members-v2.0-June-11-2025-2.pdf

Shastri, Shilpi, and Ivo Jeník. 2024. Open Finance Self-Assessment Tool and Development Roadmap. CGAP Technical Guide. Washington, D.C.: CGAP. https://www.cgap.org/research/publication/open-finance-self-assessment-tool-and-development-roadmap

World Bank. 2023. Open Banking in the Context of Fast Payments. Focus Note. Project FAST. Washington, D.C.: World Bank. https://fastpayments.worldbank.org/sites/default/files/2023-09/Open%20Banking%20and%20FPS_Final_August%2028.pdf
