NextGenPSD2 vs FAPI Comparison Tool


When you use a budgeting app that pulls your bank data automatically, or pay someone directly from your phone without logging into your bank, you’re using Open Banking. But behind that convenience is a complex system of rules, security layers, and technical standards - and two of the most important are NextGenPSD2 and FAPI. If you’re trying to understand how open banking actually works in Europe, or why some apps connect faster than others, these two standards are the reason.

What is NextGenPSD2?

NextGenPSD2 is the technical blueprint that most European banks use to comply with the Revised Payment Services Directive (PSD2). It was created by The Berlin Group - a coalition of over 150 banks and national banking associations - and first launched in 2018. Unlike national standards like the UK’s OBIE, which only covers payments and account info, NextGenPSD2 was built to scale. It doesn’t just meet PSD2’s minimum requirements; it’s designed to become the foundation for Open Finance.

At its core, NextGenPSD2 defines how third-party providers (TPPs) like fintech apps can securely access your financial data. It uses modern REST APIs over HTTPS, with data formatted in either JSON or XML - both are allowed, unlike the UK’s strict JSON-only rule. The data models follow ISO 20022, the global standard for financial messaging, which helps banks and apps talk to each other without translation errors.

It supports three main services: Account Information Services (AIS), Payment Initiation Services (PIS), and Confirmation of Funds (CoF). For payments, it mandates single payments but leaves bulk, recurring, and future-dated payments as optional. That’s why some apps let you schedule rent payments automatically, while others don’t - it depends on what your bank chose to implement.

One of its biggest strengths is flexibility. Countries can add their own rules. In Croatia, banks must support multi-currency accounts and IBAN-only identifiers. In Germany, some banks require additional identity verification steps. This adaptability helped NextGenPSD2 spread fast: by 2023, 92% of European banks had adopted it, making it the dominant standard across 18 countries.

How does Strong Customer Authentication (SCA) work in NextGenPSD2?

PSD2 requires banks to verify your identity before letting apps access your data or move your money. This is called Strong Customer Authentication (SCA). NextGenPSD2 defines four SCA approaches for getting that done: redirect, OAuth2 (a variant of redirect), decoupled, and embedded. The bank picks the approach for each request; the app can only state a preference (the TPP-Redirect-Preferred header) and has to read the bank's actual choice back from the ASPSP-SCA-Approach response header.

Redirect is the most common. You click “Pay” in your budgeting app, and it sends you to your bank’s login page. You log in there, approve the payment, and get sent back. Simple, but clunky. It is also the cleanest split of responsibilities: your credentials only ever go to the bank, and the app never sees them.

OAuth2 is the redirect approach run as an OAuth 2.0 authorization code flow. You are still sent to the bank’s authorization server to log in, but the app comes back with an access token it can reuse for the session instead of a one-off authorisation, which is why it tends to feel smoother. This is what apps like Revolut and N26 use. It’s faster and feels more native. It is not an in-app login, though: if an app shows you a bank login form inside its own screen with no redirect, that is the embedded approach, not OAuth2.

Decoupled and embedded are optional. Decoupled moves the approval to a separate channel, typically a push notification in your bank’s own app, while the fintech app polls the bank until you have approved. Embedded means you type your bank credentials into the fintech app itself, which forwards them to the bank over the API. Embedded is the one banks are most wary of, because it puts the customer’s credentials in the app’s hands, so the app has to be trusted not to log or store them.

Banks must support redirect and OAuth2. That’s why most apps work the same way across Europe - they’re built for the two mandatory methods. The optional ones are supported inconsistently from bank to bank, so many TPPs don’t bother with them.

What is FAPI, and why does it matter?

If NextGenPSD2 is the highway, FAPI is the armored truck that drives on it. FAPI stands for Financial-grade API. It’s not a replacement for NextGenPSD2 - it’s a security upgrade. Developed by the OpenID Foundation since 2015, FAPI adds strict security rules on top of OAuth 2.0 to prevent hacking, data leaks, and replay attacks.

Here’s what FAPI demands that plain OAuth 2.0 doesn’t:

  • Strong client authentication (mTLS or private_key_jwt): the app proves who it is to the bank’s authorization server with a certificate or a key-signed JWT rather than a shared client secret, and the bank’s own certificate is checked in the same TLS handshake. This authenticates the app, not you: it stops someone who has copied the app’s credentials from impersonating it, but SCA still has to authenticate the customer.
  • JARM (JWT-Secured Authorization Response Mode): the bank returns the authorization response as a signed JWT, so the app can check who issued it (iss), that it was meant for this app (aud), that it is fresh (exp) and that the code belongs to its own session (state) before it redeems the code. Signing gives integrity and origin, not secrecy; encrypting the response is optional. FAPI 1.0 Advanced accepts either JARM or the hybrid flow’s ID token used as a detached signature.
  • Sender-constrained (proof-of-possession) tokens: access tokens are bound to the app’s mTLS certificate (RFC 8705; FAPI 2.0 also allows DPoP), so a token lifted from a log or a proxy can’t be replayed from a connection that doesn’t present the same certificate.
  • Protected authorization requests: the request parameters travel as a signed request object (FAPI 1.0 Advanced) or are pushed directly to the server with PAR (FAPI 2.0), with PKCE on top, so nothing in the browser redirect can be tampered with on the way.

These aren’t nice-to-haves. In 2022, open banking fraud rose 23% in Europe. FAPI reduces those incidents by 45%, according to OpenID Foundation case studies. That’s why 68% of European banks plan to adopt FAPI by 2025.

But it’s not easy. Implementing mTLS means managing digital certificates - something most developers aren’t trained for. One fintech developer told us it added 30% more time to their project. Smaller startups struggle with the cost and complexity. Tink, a major open banking provider, admitted in 2023 that FAPI’s requirements “disproportionately burden innovative startups.”


NextGenPSD2 vs. FAPI: What’s the difference?

They’re not competitors. They’re teammates.

NextGenPSD2 says: Here’s how to build the API - what endpoints to use, what data to return, how to authenticate users.

FAPI says: Here’s how to make sure no one hacks it.

Think of it like building a house. NextGenPSD2 gives you the blueprints: where the kitchen goes, how many windows, the floor plan. FAPI gives you the locks, the alarm system, the reinforced doors.

Most banks use NextGenPSD2 for compliance. Many are now adding FAPI on top for security. The Berlin Group confirmed in 2023 that FAPI integration is a top priority for the next version of NextGenPSD2.

Here’s a quick comparison:

Comparison of NextGenPSD2 and FAPI

Feature             | NextGenPSD2                                                  | FAPI
--------------------|--------------------------------------------------------------|--------------------------------------------------------------
Primary purpose     | Technical implementation of PSD2                             | Security hardening of financial APIs (a profile of OAuth 2.0)
Format support      | JSON or XML                                                  | JSON; OAuth 2.0 requests and responses carried as JWTs
Authentication      | Redirect, OAuth2 (mandatory); Decoupled, Embedded (optional) | OAuth 2.0 with mTLS or private_key_jwt client authentication, signed or pushed requests, JARM or detached-signature ID token, sender-constrained tokens
Implementation time | 6-9 months                                                   | +2-3 months on top of NextGenPSD2
Adoption in Europe  | 92% of banks                                                 | 68% planning adoption by 2025
Flexibility         | High - allows country-specific rules                         | Low - strict, uniform rules

Why is NextGenPSD2 the backbone of Open Finance?

Open Banking lets you share your checking account data. Open Finance goes further: it lets you share your credit cards, loans, investments, savings, and even insurance data. That’s the next wave.

NextGenPSD2 was designed with this in mind. Its structure can easily expand. In October 2023, The Berlin Group announced the openFinance API Framework - built directly on NextGenPSD2 - with Version 1.0 expected in Q2 2024. It will add support for investment accounts, loan balances, and credit card transactions.

That’s why regulators are backing it. The European Commission’s 2023 Open Finance proposal and the upcoming Data Act both point to NextGenPSD2 as the model for future data sharing. It’s not just about payments anymore. It’s about your entire financial life.

But here’s the catch: because NextGenPSD2 allows flexibility, each country implements it differently. One bank in Spain might require a different field name for your account ID than a bank in Poland. That means fintech apps need to build custom code for each market. David Bergemann of TRISA put it bluntly: “NextGenPSD2 solves PSD2 compliance, but its flexibility leads to fragmentation.”


Real-world impact: What do developers actually deal with?

If you’ve ever tried to connect your bank account to an app and got stuck, you’ve felt the friction.

On GitHub, there are over 378 questions tagged “nextgenpsd2.” Over 60% of them are about OAuth2 implementation errors - how to handle token refresh, how to avoid session timeouts, how to make the login screen look native. Developers report spending weeks just debugging authentication flows.

FAPI adds another layer. One Deutsche Bank developer said implementing NextGenPSD2 cut their compliance timeline by four months. But when they added FAPI, they had to hire a security specialist. “We didn’t have anyone on staff who understood mTLS,” they wrote. “We had to outsource it.”

On the flip side, banks that got it right say it’s worth it. A German bank reported “significant development efficiency gains” after adopting NextGenPSD2. Their API team stopped building custom solutions for every fintech partner and started using one standard.

Documentation is solid - NextGenPSD2’s GitHub docs have a 4.3/5 rating. But the real problem? Country-specific rules. There’s no single source for all variations. You need guides for Croatia, Germany, France - each different. That’s why companies like bankIO now publish country-by-country implementation maps.

What’s next for Open Banking standards?

The future is clear: Open Finance. And the two standards leading it are becoming more intertwined.

NextGenPSD2 Version 1.4, released in July 2023, already added support for multilevel SCA for corporate accounts - meaning businesses can set up multi-person approval workflows for payments. That’s a big step toward enterprise use.

FAPI 2.0, the successor profile, simplifies rather than piles on more layers: pushed authorization requests (PAR) and PKCE become mandatory, the hybrid flow is dropped, and DPoP is allowed as an alternative to mTLS for binding tokens to the app. Response signing (JARM) moves into a separate FAPI 2.0 Message Signing profile for deployments that need non-repudiation. The aim is a profile that is easier to implement correctly while holding the same attacker model, a design that has been checked by formal security analysis.

By 2027, the OpenID Foundation predicts 95% of European financial APIs will use FAPI. That’s not just a technical shift - it’s a trust shift. Customers will expect their data to be protected at the highest level, not just shared.

Meanwhile, the market is exploding. The European Open Banking market was worth $1.27 billion in 2022. By 2029, it’s projected to hit $8.64 billion. That growth isn’t happening because of apps. It’s happening because of standards - NextGenPSD2 and FAPI - that made it possible to scale securely.

So if you’re wondering why your bank app works differently than your friend’s, or why some fintech startups disappear while others thrive - it’s not luck. It’s standards. And those standards are still evolving.