Impact on Traditional Banks
Before PSD2, banks held a monopoly over customers' financial data. The directive reversed this paradigm: data belongs to the customer, not to the institution holding it. Banks had to reinvent themselves.
| Dimension | Before PSD2 | After PSD2 |
|---|---|---|
| Customer data | Exclusive bank property | Belongs to customer, shareable with authorised third parties |
| Account access | Only via the bank's own app | Also via third-party apps (TPPs) |
| Competition | Protected banking oligopoly | Open market for Fintechs and Big Tech |
| Innovation | Internal, slow, controlled | External, fast, competitive |
Technology investment
Development of EBA-compliant APIs and proprietary Open Banking infrastructure to avoid depending on third-party solutions.
Fintech partnerships
Turning potential competitors into allies through the Banking-as-a-Service model: acquire instead of fight.
Banking super-apps
Digital ecosystems with aggregation, robo-advisory, and instant payments to compete on Fintech ground.
Case study: Intesa Sanpaolo
Intesa responded by building an ecosystem integrating banking, insurance, and lifestyle services into one platform. The "walled garden" model aims to make the experience so complete that customers have little reason to turn to third parties. A case of regulatory disruption paradoxically strengthening those who respond with strategic vision.
Peter Thiel, PayPal and the Fintech DNA
PayPal (1998) is the founding precedent: it didn't want to improve the banking system; it wanted to replace it. Thiel's vision of an independent global digital currency anticipated by twenty years the principles later codified by PSD2.
| Thiel's Principle | Fintech Application | Example |
|---|---|---|
| Technology monopoly | Dominate a niche before expanding | Revolut: free currency exchange |
| Network effect | Value grows with users | Klarna: more merchants → more users |
| Zero to one | Don't optimise the old; build something new | N26: no branches, mobile-only |
| Hidden secrets | Exploit information asymmetries | Fintechs use PSD2 data that banks undervalue |
The PayPal Mafia and the multiplier effect
PayPal's co-founders went on to build LinkedIn, YouTube, Yelp, Palantir, Tesla, SpaceX. A similar phenomenon is emerging in Europe: ex-employees of Revolut, N26 and Klarna are founding the next generation of Fintechs.
Big Tech: The New Payment Monopoly
The true heirs of Thiel's vision are not European Fintech startups, but Apple, Google, Meta and Amazon, which apply Thiel's logic: dominate a niche first, then expand into financial services as a natural step toward monopolising the digital ecosystem.
Apple made the bank irrelevant in the user experience: by embedding payments into the iPhone's NFC chip, anyone wanting contactless payments on iOS must go through Apple Pay. Pure gatekeeper position.
[Chart: iOS mobile payment dominance]
EU antitrust investigation (2024)
The Commission concluded with an obligation to open NFC access to competitors, exactly what PSD3 wants to extend to all.
Google leverages Search and Maps data to offer contextual financial services. In India via Google Pay on UPI, it became one of the largest payment operators (100M+ users) without being a regulated bank.
[Chart: Google Pay market share in India]
Google's secret
Unlike Apple, Google doesn't seek the walled garden: it wants transaction data. The payment service is almost a pretext to acquire behavioural financial data.
Meta integrated P2P payments into WhatsApp. The Libra/Diem project, abandoned under regulatory pressure, was Thiel's original PayPal vision, scaled to 3 billion users.
[Chart: WhatsApp users reachable via WhatsApp Pay (%)]
Why Diem failed
Governments and central banks united in opposition: a private Meta currency would have eroded monetary sovereignty. The first case of Big Tech stopped by a global regulatory coalition.
Amazon Lending offers credit to merchants based on sales data, without traditional collateral: the data is the collateral. The most advanced case of Embedded Finance.
[Chart: Amazon Pay presence on top 1000 US e-commerce sites (%)]
Thiel on Embedded Finance
The future of payments is not a "digital super-bank" but the dissolution of finance as a separate sector: invisible infrastructure.
The digital monopoly paradox
Apple controls NFC access on iOS, Google dominates Android. Anyone wanting mobile payments must go through them, despite their not being regulated banks. PSD3 attempts to resolve this asymmetry.
How Do Fintechs Make Money?
Fintech business models are varied and often combined. Explore each one to understand the economic mechanics behind the app on your phone.
Native digital current account with no branches or technological legacy. Marginal cost is near zero compared to a traditional bank, making the free base plan sustainable.
Initiates payments directly from the bank account without credit cards. The merchant saves Visa/Mastercard fees (1.5–3%). Structurally impossible before PSD2.
Unified multi-account view: users see all their accounts in one app. Turns banking data into personal financial intelligence. GDPR is however a critical constraint.
GDPR tension
Consent must be specific to each purpose. Many apps collect generic consent, a grey area that PSD3 intends to close.
Instant credit at checkout, often "interest-free" for the user. The merchant pays to increase conversions (+30%). BNPL acquires data on every purchase to build predictive profiles.
Banking infrastructure via API for third parties. Any company can offer accounts, cards and loans without its own banking licence. It's the foundation of Amazon's and Shopify's Embedded Finance.
| | Revolut | N26 |
|---|---|---|
| Founded | 2015, London | 2013, Berlin |
| Users (2024) | 45M+ globally | 8M+ in Europe |
| Revenue | Premium, crypto, stock trading, BaaS | Smart/You/Metal plans, credit |
| Thiel strategy | Global niche → service expansion | Radical simplicity as barrier |
| Valuation | ~$45B USD (2024) | ~$9B USD (2021) |
Tension with GDPR
PSD2 data consent introduces a structural tension with GDPR: on one hand, the customer owns their financial data; on the other, consent mechanisms, often designed as dark patterns, risk turning free choice into an unwitting surrender of sensitive data.
PSD2 says:
AISPs can collect banking data on customer consent. The goal is to enable innovation and competition.
GDPR says:
Consent must be free, specific, informed and unambiguous, revocable without consequences. A blanket "catch-all" consent is not valid.
GDPR and PSD2 are not ontologically contradictory
Effective protection requires not only technical regulation but also digital education. Coordinated enforcement between the two frameworks is still lacking in many member states, including Italy.
Fraud: Why PSD3 Is Needed
SCA dramatically reduced "traditional" fraud. But it opened the door to more sophisticated scams that exploit the human element, something no technical system can eliminate.
Despite SCA, authorised fraud losses continue to rise. Technology cannot eliminate human deception.
You're using your Fintech app. A message arrives. What do you do?
30 seconds later you receive a call from a number appearing as "Revolut +39 02 3456789". The voice tells you to move your funds to a "temporary security account". What do you do?
You authorised the payment yourself: technically SCA was respected. The bank may not reimburse you. No bank or Fintech will ever call asking you to move funds. The number can be faked (caller ID spoofing).
UK 2022
APP Fraud losses exceeded £485 million. PSD3 introduces shared bank-merchant liability for these cases.
By calling the official number you confirmed there was no real problem. The original message was a spoofed SMS. Golden rule: never move funds on a phone request, even if the number looks legitimate.
IBAN/Name Matching (PSD3)
Before authorising a transfer, the bank will verify that the IBAN and the beneficiary's name match, reducing transfers to fraudulent accounts.
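An added example (not part of the original page, and not any bank's or payment scheme's own code) of how the IBAN/name check described above can work, applied to the "temporary security account" scenario. The account directory, the result labels and the 0.85 close-match threshold are assumptions made for illustration; the IBANs are the standard documentation examples.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed payee-bank directory: IBAN -> registered account holder.
# The IBANs are standard documentation examples, not real customer accounts.
ACCOUNTS = {
    "IT60X0542811101000000123456": "Mario Rossi",
    "DE89370400440532013000": "Müller Elektro GmbH",
}

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 checksum: rotate first 4 chars to the end, A-Z -> 10-35, mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def normalise(name: str) -> str:
    """Casefold, strip accents and punctuation, ignore word order."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_accents)
    return " ".join(sorted(cleaned.split()))

def verify_payee(iban: str, entered_name: str, close: float = 0.85) -> str:
    """Compare the name the payer typed with the holder registered for the IBAN."""
    key = iban.replace(" ", "").upper()
    if not iban_is_valid(key):
        return "INVALID_IBAN"        # typo or fabricated number: stop before lookup
    holder = ACCOUNTS.get(key)
    if holder is None:
        return "UNKNOWN_ACCOUNT"     # well-formed IBAN, but no such account
    typed, registered = normalise(entered_name), normalise(holder)
    if typed == registered:
        return "MATCH"
    ratio = SequenceMatcher(None, typed, registered).ratio()
    # Assumed threshold: small typos warn the payer, anything else is a mismatch.
    return "CLOSE_MATCH" if ratio >= close else "NO_MATCH"

if __name__ == "__main__":
    # The "temporary security account" from the scam call belongs to someone else.
    print(verify_payee("IT60 X054 2811 1010 0000 0123 456", "Temporary Security Account"))
```

A mismatch shown before the payer confirms the transfer is the point at which the deception becomes visible, which SCA alone does not provide.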
Revolut Phishing (2022)
Criminals replicated Revolut's interface via fraudulent SMS. Thousands of users entered their credentials on an identical fake site, revealing the vulnerability of SMS-based authentication.
Wirecard (2020)
One of the largest PSD2 processors declared bankruptcy after falsifying €1.9 billion in assets. Millions of Fintech users had their cards blocked instantly.
SIM Swap Attack
The fraudster transfers the victim's number to a new SIM and intercepts all authentication SMS messages. PSD3 pushes toward app-based authenticators (TOTP) instead of SMS.
PSD3 and the New Balance
The European Commission published the PSD3 proposal in June 2023, alongside the PSR Regulation. Four critical areas for intervention, directly linked to the cases documented above.
Rising fraud
SCA protects against unauthorised access but not against deception. PSD3 introduces shared bank-merchant liability for APP Fraud and mandatory IBAN/Name Matching.
Underdeveloped Open Banking
Many banks deliberately implemented slow APIs to discourage competitors. PSD3 imposes mandatory harmonised standards with minimum SLAs and penalties.
Asymmetry with Big Tech
Apple and Google control NFC access while partially operating outside the PSD2 framework. PSD3 mandates open NFC access for all authorised providers.
GDPR coordination
Harmonised standards for PSD2-GDPR consent: explicit separation of consent by purpose and an explicit ban on dark patterns in Fintech interfaces.
The real challenge for the coming years
It is not between banks and Fintechs, but between the regulated European ecosystem and global Big Tech companies applying Thiel's monopoly logic at planetary scale. PSD3 is Europe's attempt to ensure this opening produces real benefits for consumers, without reproducing in digital form the same oligopolies the directive set out to dismantle.
Conclusion
PSD2 is the legal codification of a vision for an open and competitive digital economy. Just as PayPal didn't want to improve money transfers but to reinvent them, Fintechs born in the PSD2 ecosystem don't optimise the traditional bank: they redefine it.
Disruption
Fintechs apply the "zero to one" philosophy to create markets that previously did not exist
Big Tech
The real clash is between the regulated European ecosystem and global digital monopolists
GDPR
Data protection and financial innovation must coexist under clear rules
PSD3
Open NFC, APP Fraud protection, unified API standards: Europe's answer