📊 Full opportunity report: The mandate. Why the US conversational- finance surface does not translate to Europe. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The US launched its personal-finance surface permissionlessly, while Europe’s regulatory framework requires licensing and consent. This fundamental difference alters how financial surfaces are built and who can build them.

OpenAI’s personal-finance surface launched in the US on May 15, 2026, without regulatory approval, using permissionless account aggregation. In Europe, this approach is impossible due to strict licensing and consent requirements embedded in existing and upcoming regulations, fundamentally changing how such surfaces can be built.

In the US, the launch was permissionless: companies could connect user accounts across thousands of institutions via APIs like Plaid without needing licenses or regulatory approval. This facilitated rapid deployment and innovation, making the platform a product built on a permissionless, open substrate.

In contrast, Europe’s regulatory environment treats account access as a regulated activity. The PSD2 directive, enacted in 2018, established a licensing regime for third-party providers (TPPs), requiring them to operate under strict rules. The upcoming PSD3 and the Payment Services Regulation (PSR), expected to be finalized in 2026 and implemented by 2027-2028, will extend this licensing requirement to cover open finance, including investments, pensions, and loans, through the FIDA regulation, which is still in trilogue and likely operational around 2029-2030.

Additionally, the EU AI Act classifies AI systems used for credit scoring and financial assessments as high-risk, with obligations starting August 2026. These rules are enforced by financial regulators like BaFin in Germany, not tech regulators, adding a layer of oversight that is absent in the US environment.

As a result, the European version of a permissionless finance surface is not a simple port but a licensed, consent-driven product. It involves compliance with multiple overlapping regimes—licensing, consent architecture, AI classification—and is built around a regulatory framework that emphasizes consent dashboards, conformity assessments, and licensing as core components.

The Mandate — Thorsten Meyer AI

MANDATE

● DISPATCH / MAY 2026

THORSTEN MEYER AI · AGENTIC COMMERCE · § 03

AGENTIC COMMERCE · 03

EUROPE / MANDATE

Essay · Regulatory-Architecture Reading · 2026-05-26

The mandate.
Why the US conversational-
finance surface does not
translate to Europe.

In the US, account access is a product you buy and consent is a button you tap. In Europe, both are mandates you are licensed and supervised to fulfill.

The US surface shipped permissionlessly — connect via Plaid, 12,000+ institutions, read-only, no license. That rollout does not translate. In Europe every layer is a mandate. The foundation: PSD2 → PSD3/PSR (provisional agreement Nov 27 2025) makes account access a licensed, API-quality-supervised activity under a directly-applicable rulebook. The expansion: FIDA extends mandated access to investments, pensions, insurance, mortgages under a new FISP license — operational ~2029-2030, with a contested data-access fee at its core. The overlay: the EU AI Act classifies credit-scoring AI as high-risk (full obligations Aug 2 2026), supervised not by a tech regulator but by financial supervisors like BaFin. The structural argument: the US surface is built on a permissionless private substrate, and Europe has no permissionless substrate — it has a mandate at every layer. In the US compliance is an afterthought. In Europe, compliance is the architecture, and the conversational experience is the thin layer on top.

Thorsten Meyer ThorstenMeyerAI.com Munich · Iffeldorf Essay · ~5,200 words Agentic Commerce · 03

Overlapping mandates — payments,
data, AI — vs zero in the US build

Of global turnover · the EU AI Act
maximum penalty

2029-30

When FIDA — the full-picture data
mandate — is likely operational

Permissionless routes to a European’s
bank data · it is a licensed activity

THE MANDATE· US SHIPPED PERMISSIONLESSLY · PLAID· EUROPE HAS A MANDATE AT EVERY LAYER· PSD2 MADE ACCESS A LICENSED ACTIVITY· PSD3/PSR · PROVISIONAL AGREEMENT NOV 27 2025· PSR DIRECTLY APPLICABLE ACROSS 27 STATES· MANDATORY API QUALITY · NO SCREEN-SCRAPING· FIDA · NEW FISP LICENSE· OPEN FINANCE · INVESTMENTS PENSIONS INSURANCE· DATA-ACCESS FEE THE CONTESTED CORE· EU AI ACT · CREDIT SCORING HIGH-RISK· FULL OBLIGATIONS AUG 2 2026· SUPERVISED BY BAFIN, NOT A TECH REGULATOR· CONSENT IS A DASHBOARD, NOT A BUTTON· COMPLIANCE IS THE ARCHITECTURE· THE MANDATE FAVORS THE LICENSED INCUMBENT· IN EUROPE YOU LICENSE A FINANCE SURFACE· THE MANDATE· US SHIPPED PERMISSIONLESSLY · PLAID· EUROPE HAS A MANDATE AT EVERY LAYER· PSD2 MADE ACCESS A LICENSED ACTIVITY· PSD3/PSR · PROVISIONAL AGREEMENT NOV 27 2025· PSR DIRECTLY APPLICABLE ACROSS 27 STATES· MANDATORY API QUALITY · NO SCREEN-SCRAPING· FIDA · NEW FISP LICENSE· OPEN FINANCE · INVESTMENTS PENSIONS INSURANCE· DATA-ACCESS FEE THE CONTESTED CORE· EU AI ACT · CREDIT SCORING HIGH-RISK· FULL OBLIGATIONS AUG 2 2026· SUPERVISED BY BAFIN, NOT A TECH REGULATOR· CONSENT IS A DASHBOARD, NOT A BUTTON· COMPLIANCE IS THE ARCHITECTURE· THE MANDATE FAVORS THE LICENSED INCUMBENT· IN EUROPE YOU LICENSE A FINANCE SURFACE·

FIG. 01 — THE SUBSTRATE · PRIVATE PRODUCT VS PUBLIC MANDATE

The US built account access privately and permissionlessly · Europe built it as public mandate

One architectural difference at the foundation propagates through the entire stack

United States

A product you buy

Access built by private aggregators — Plaid, Yodlee, MX, Finicity
No banking license required to read bank data
Read-only design sidesteps money-transmission rules
No single federal open-banking statute · the surface ships as a product

European Union

A mandate you fulfill

Access is a licensed activity — AISP / PISP under PSD2
Regulator authorization required; no permissionless route
Explicit, revocable, SCA-governed consent regime
A directly-applicable rulebook (PSR) · the surface must be licensed

The US surface shipped because the account-access layer it needed was already built, privately and permissionlessly, by Plaid — and because a read-only design kept it clear of the activities that trigger heavy regulation. That is the precise feature Europe does not share. Reading a European’s bank data without the right license is not a product — it is an unauthorized activity. The very first layer of the US build, the permissionless connect, is in Europe a regulatory authorization.

FIG. 02 — THE THREE-MANDATE STACK · WHAT THE SURFACE MUST SATISFY IN EUROPE

Payments, data, and AI — three overlapping regimes, all enforced by financial regulators

The US surface faced none of these at launch; the European surface faces all three at once

PSD3 / PSRPayments mandate
Account access is a licensed activity (AISP/PISP). PSR directly applicable across 27 states. Mandatory API quality, screen-scraping eliminated, IBAN-name checks, expanded fraud liability.
FIDAData mandate
Extends mandated access to investments, pensions, insurance, mortgages, loans under a new FISP license. Standardized APIs + consent dashboards. A contested data-access fee may make aggregation cost money.
EU AI ActAI mandate
Credit scoring + creditworthiness = high-risk (Annex III). Conformity assessment, documentation, human oversight. Supervised by financial regulators (BaFin, CSSF). Fines up to 7% of global turnover.

A finance surface in Europe must be licensed for payment-data access (or partner with someone who is), prepare for a FISP license to aggregate the full financial picture, and classify itself under the AI Act — where the most commercially attractive features (“what loan can I get?”) sit closest to the high-risk line. The AI that is “just a chatbot” in the US is, in Europe, a regulated system whose classification depends on exactly how useful it tries to be.

FIG. 03 — THE STAGGERED TIMELINE · A MOVING REGULATORY TARGET

The mandate is not one event but a sequence — and the staggering is a filter

The firms that win architect for the end-state mandate, not the current one

Aug 2025

EU AI Act · GPAI obligations live · the frontier models that power a finance surface already carry systemic-risk obligations

Live

Nov 27 2025

PSD3/PSR provisional agreement · Parliament and Council reach political agreement; final texts expected in the Official Journal in 2026

Agreed

Aug 2 2026

EU AI Act · high-risk obligations land · credit-scoring / creditworthiness Annex III duties apply (subject to Digital Omnibus)

Operative

2027

PSD3/PSR core obligations · directly-applicable conduct rules land across the year after the transition

Landing

~2029-2030

FIDA operational · the full-picture data mandate and FISP license arrive, in staggered sector-by-sector “waves”

Forming

Building for PSD3 today while FIDA and the AI Act high-risk regime are still settling means building for a target that is still moving — which favors firms with the regulatory-intelligence capacity to track it and the patience to build for 2030 rather than ship for 2026. The staggered timeline is itself a filter: it selects for regulatory endurance over launch speed.

FIG. 04 — THE CONSENT ARCHITECTURE · WHAT REPLACES THE “CONNECT” BUTTON

The single most optimized moment of the US product is the single most regulated moment of the European one

The European surface cannot inherit the US onboarding · it must build a different, regulated core

The US default — collect broadly, use later — is the European violation. The consent dashboard, the granular permission model, the revocation flows, the purpose-binding, the audit trail are not features bolted onto the conversational experience; they are the regulated core that the experience sits on top of. The European surface is, by regulation, higher-friction at exactly the moment the US surface optimized for frictionlessness.

FIG. 05 — WHO BUILDS THE EUROPEAN SURFACE · THE REDISTRIBUTION OF ADVANTAGE

The mandate does not just slow the US surface — it changes who wins

Advantage moves from permissionless speed to licensed position

Disadvantaged

The US winners

A frontier lab + permissionless aggregator. Their core competency — permissionless speed and reach — is exactly what the mandate removes. No AISP/FISP license, no BaFin relationship. Arrive needing a license stack they don’t have.

Advantaged

Licensed EU fintechs

Already authorized AISPs/PISPs, PSD3-compliant API fleets, consent-native. “The lab + a licensed European partner” — and the partner holds more leverage than Plaid, because the license is scarcer than an API.

Advantaged

Incumbent banks

Already hold the data, licenses, consent relationships, supervisory standing. The incumbent disintermediated in the US thesis is, in Europe, structurally protected — the mandate that gates the challenger does not gate the bank.

In the US, the advantage went to whoever integrated the permissionless layer fastest and built the best surface on top. In Europe, it goes to whoever holds the licenses, the supervisory relationships, and the consent architecture. The mandate redistributes the advantage from the permissionless aggregator-and-lab toward the licensed incumbent-and-specialist — and Europe’s regulation is, among other things, an incumbent-protection architecture, whether or not that is its intent.

The architecture diverges at the foundation: the American surface treats account access as a product you buy and consent as a button you tap, while Europe treats both as mandates you are licensed and supervised to fulfill. In the US, you ship a finance surface. In Europe, you license one.

Thorsten Meyer · The Mandate · Agentic Commerce 03

Source dossier

Norton Rose Fulbright · PSD3 and PSR: 2026 readiness — provisional agreement Nov 27 2025 · Official Journal end Q2 2026 · PSR application 18 months after entry, IBAN/name verification at 24 months · existing PI/EMI licences grandfathered subject to re-authorization · FIDA still in trilogue · nortonrosefulbright.com
Morrison Foerster · PSD3/PSR Key Developments — Apr 22-23 2026 final compromise texts before national reps · PSR directly applicable (SCA, open banking, fraud liability) · EMIs become PI sub-category · mandatory IBAN-name check · regulators act “without delay” on poor APIs · mofo.com
FinlexPro · PSD3/PSR Fintech Guide 2026 — PSR directly applicable, no transposition · PSD2’s deliberately-poor “dedicated interface” failure · mandatory API dashboards · screen-scraping fallback elimination · Confirmation of Payee mandatory · status April 2026 · finlexpro.com
G+D Spotlight · EU Open Finance (FiDA) — FIDA in the June 2023 package · expected adoption mid-2026, implementation late 2027 in staggered “waves” · covers mortgages/loans/savings/investments/insurance/pensions/crypto · user-consent, silo-removal, standardized APIs · gi-de.com
Crassula · PSD3/PSR + FIDA — FIDA still in trilogue April 2026 · creates the FISP category · operational ~2029-2030 · compensation mechanism between data holders and data users the single most contested item · the regulatory layer vs the product layer · crassula.io
EU AI Act (official) · digital-strategy.ec.europa.eu — in force Aug 1 2024, fully applicable Aug 2 2026 · prohibited practices + AI literacy from Feb 2025 · GPAI from Aug 2 2025 · product-embedded high-risk to Aug 2 2028 under the AI omnibus · digital-strategy.ec.europa.eu
MIT HDSR · Credit Underwriting Under the AI Act — high-risk credit-underwriting under Articles 9-19 (providers) / 26-27 (deployers) · Article 74(6): national financial supervisors (BaFin) are the market-surveillance authorities for high-risk AI connected to financial services · hdsr.mitpress.mit.edu
Rasa · EU AI Act & Financial Services — Aug 2 2026 critical deadline · credit scoring, insurance pricing, certain customer-service AI high-risk under Annex III · sits on GDPR, intersects DORA · Digital Omnibus may adjust but planning around delays is unwise · rasa.com
Decode the Future / Vision Compliance · EU AI Act 2026 — four tiers, fines up to €35M or 7% of global turnover · RAG/agent builders likely “deployers”; substantial fine-tuning reclassifies as “provider” · systemic-risk GPAI (>10²⁵ FLOPs) = largest frontier models · decodethefuture.org
The bank account in the chat / The unbundling of the budget app · Thorsten Meyer · Agentic Commerce 01-02 · the US surface launched May 15 2026 on Plaid, read-only, permissionless · the private-aggregator substrate this piece contrasts against the European mandate

Colophon

Set in Source Serif 4 (display, italic accent), EB Garamond (body), IBM Plex Sans (UI labels), IBM Plex Mono (mastheads, ticker, stamps). Paper-cool gray-cream #e6e7e4.

Chromatic register: structural-slate dominant (the institutional/regulatory-architecture register), transition-bronze for the US permissionless substrate, empirical-clay for the FIDA data-mandate forensic, labor-rose for the AI Act overlay and the consent-friction the mandate imposes, alternative-sage for the redistribution toward licensed players, synthesis-deep for close.

Key frame:

MANDATE · PRIVATE VS PUBLIC SUBSTRATE THE THREE-MANDATE STACK PSD3/PSR · FIDA · AI ACT A STAGGERED, MOVING TARGET CONSENT IS A DASHBOARD, NOT A BUTTON COMPLIANCE IS THE ARCHITECTURE ADVANTAGE TO THE LICENSED SUPERVISED BY BAFIN, NOT A TECH REGULATOR IN EUROPE YOU LICENSE A SURFACE

Implications of Regulatory Divergence for Market Entry

This fundamental architectural difference means that US firms cannot simply replicate their permissionless platforms in Europe. Instead, they must navigate a complex licensing and consent regime, which favors incumbents and licensed players over permissionless aggregators. This reshapes the competitive landscape, potentially leading to slower innovation, higher entry costs, and increased market concentration. Whether this results in better consumer outcomes or simply a more controlled, slower market remains an open question, but the structural shift is clear: in Europe, building a financial surface is a licensing project, not a product launch.

Amazon

account aggregation API tools

As an affiliate, we earn on qualifying purchases.

European Regulatory Framework for Open Finance and AI

The European Union’s approach to open finance is built on a foundation of regulation rather than permissionless APIs. PSD2, enacted in 2018, established a licensing regime for third-party providers accessing bank data. The upcoming PSD3 and PSR are extending this model, with the FIDA regulation aiming to cover broader financial data types, including investments and loans. These frameworks are still in development, with operational dates expected around 2029-2030.

Simultaneously, the EU AI Act, finalized in 2026, classifies certain AI systems used in finance as high-risk, imposing strict obligations on their development and deployment. These rules are enforced by financial regulators such as BaFin, not solely by tech authorities, adding complexity to compliance.

In the US, the environment is characterized by a largely unregulated, permissionless infrastructure, where API keys and aggregator platforms like Plaid operate without licensing. The divergence in regulatory architecture underscores why the same product approach cannot be simply transposed across the Atlantic.

“The American permissionless finance surface is built on a substrate that Europe cannot replicate. Its architecture is fundamentally different, governed by mandates and licenses, not APIs and permissionless access.”
— Thorsten Meyer

Amazon

European open finance licensing software

As an affiliate, we earn on qualifying purchases.

Unclear Impact on Market Competition and Innovation

It remains uncertain whether Europe’s licensing and consent-driven approach will lead to better consumer protection, more innovation, or increased market concentration. The long-term effects of the regulatory architecture on competitive dynamics and technological development are still unfolding, and the actual market behavior post-implementation of PSD3, FIDA, and the AI Act is yet to be observed.

Amazon

As an affiliate, we earn on qualifying purchases.

Next Steps for Regulatory Implementation and Market Entry

European regulators are expected to finalize PSD3, PSR, and FIDA regulations in 2026, with operational phases beginning around 2029-2030. Meanwhile, US firms are assessing how to adapt their permissionless platforms to meet these new regulatory requirements, potentially leading to the emergence of licensed European equivalents. The ongoing development of AI obligations will further shape the landscape, influencing how AI-driven financial services are built and regulated across the continent.

Amazon

PSD2 compliant financial APIs

As an affiliate, we earn on qualifying purchases.

Key Questions

Why can’t US permissionless finance platforms operate directly in Europe?

Because European regulations treat account access as a licensed activity, requiring firms to obtain licenses, consent mechanisms, and comply with strict AI and data rules. US permissionless models are built on unregulated API access, which is incompatible with Europe’s mandate-driven framework.

What are the main regulatory regimes affecting European financial surfaces?

The main regimes are PSD2/PSD3 for open banking, FIDA for open finance, and the AI Act for AI systems. These create a layered, license-based architecture that differs from the US permissionless approach.

Who is likely to build the European version of a financial surface?

Licensed, consent-native firms that are compliant with the complex regulatory regimes are better positioned. US firms that rely on permissionless APIs face significant barriers to entry.

Will this regulatory approach lead to better consumer outcomes?

The impact is still uncertain. The architecture prioritizes compliance and safety, which could improve consumer protection, but may also slow innovation and concentrate market power among incumbents.

Source: ThorstenMeyerAI.com

Nothing in this article is financial or investment advice. Cryptocurrency and precious-metal investments carry significant risk — do your own research and consider a licensed advisor.

The mandate. Why the US conversational- finance surface does not translate to Europe.

Up next

The Defender’s Window Is Closing Faster Than Anyone Is Counting

Author

Bitcoin News Day Team

Share article

The mandate.
Why the US conversational-
finance surface does not
translate to Europe.