THE GUIDE · BEYOND CARDS

Pay from your bank. No card required.

Every fintech card is a stack of rented parts - but open banking skips the card entirely. Your data and your bank's payment rail, opened by your permission: near-free, instant, and the structural threat to interchange.

SCROLL ↓
PART 01

Money that moves with no card in the middle.

Step through consent, reading your accounts, pushing a payment, and the standing permission that makes recurring pay-by-bank work.

PART 02

The moving parts.

Data and payments, opened by permission - and the pieces that turn it into a real card alternative.

OPEN BANKING

"Your data, opened by you."

Banks expose APIs that let you share account data and initiate payments through licensed third parties. It reframes the bank as a platform - and hands the customer, not the bank, control over who can see and move their money.

AISP vs PISP

"Read vs move."

Two licences. An AISP reads account information (balances, transactions). A PISP initiates payments (pushes money). Many fintechs hold both - one to understand you, one to charge you.

PAY-BY-BANK / A2A

"The card-free checkout."

Account-to-account payment pushes funds straight from buyer's bank to seller's, usually on an instant rail. Near-zero cost, instant settlement, no chargeback - which is exactly why merchants love it and card networks are buying in.

VRP

"Subscriptions without a card."

Variable Recurring Payments let a payee pull repeatedly within a consented rulebook. Sweeping VRP (moving money between your own accounts) is live; commercial VRP - paying third parties - is the piece that unlocks A2A subscriptions and bill pay.

AGGREGATION

"One pipe to every account."

Aggregators (Plaid, Yodlee, Tink, TrueLayer) sit between apps and thousands of banks, normalising connections. They began by screen-scraping with your login; the industry is now being pushed onto permissioned APIs and tokenised access.

OPEN FINANCE

"Beyond the checking account."

The next step extends the same consent model to investments, pensions, insurance and mortgages - your whole financial life, portable by permission. The EU's FIDA proposal is the flagship: 'open banking' becomes 'open everything.'

PART 03

Why merchants are pushing this.

Pay-by-bank rides the instant rail with no interchange. Here is roughly what the same $100 sale costs the merchant, by rail.

Pay-by-bank / A2A push on the instant rail
~0.1-0.3%
Regulated debit Durbin-capped
~0.5%
Consumer credit
~1.8%
Rewards credit the points come from here
~2.3%
Illustrative merchant cost. A2A's marginal cost is near zero because it carries no interchange - the structural reason merchants push it and card incumbents are nervous. The catch: no chargeback also means no built-in buyer protection.
PART 04

Same idea. Opposite politics.

Whether open banking happens is decided by regulators, not technology.

// OPEN BANKING, TWO WAYS

EU / UK   MANDATE   banks must open APIs; regulators drive adoption (PSD2 → PSD3 + PSR)
INDIA / BRAZIL   PUBLIC RAIL   UPI + account aggregator; Pix + open finance - state-led, fast
USA   MARKET   CFPB 1033 rule finalised, then reopened - direction uncertain

// Same technology, opposite posture. Adoption follows the mandate.
FIELD NOTES — THE PRO LAYER

For the professionals.

The pieces up close - Europe's mandate, America's wobble, VRP, the death of screen-scraping, and open finance.

PSD2 → PSD3 + PSR — EUROPE MANDATES IT
The EU created open banking by fiat: PSD2 (2018) forced banks to open APIs. Its successor reached provisional political agreement on 27 Nov 2025: a PSR (a directly-applicable Regulation rather than a directive) plus PSD3. The PSR kills screen-scraping, mandates permission dashboards and a Verification of Payee name check, and tightens fraud liability. Because it's a Regulation, it lands uniformly across the bloc - the opposite of the US approach.
THE US 1033 SAGA — A MANDATE THAT WOBBLED
The CFPB finalised its Section 1033 'personal financial data rights' rule in Oct 2024 - America's first real open-banking mandate. Then through 2025 the CFPB moved to reconsider and partly vacate its own rule, reopening data-access fees and third-party-liability questions. As of Jul 2026 the US direction is genuinely uncertain. It's the cleanest case study in the academy of how regulatory posture, not technology, decides whether open banking actually happens.
VRP — SWEEPING TODAY, COMMERCIAL NEXT
Sweeping VRP (automatically moving money between a customer's own accounts) is live and safe by design. The prize is commercial VRP - paying third parties on a standing mandate, the true card-on-file killer. The UK launched an industry cVRP scheme with a first cohort of firms, targeting first live commercial payments in early 2026. If cVRP works, subscriptions and bill-pay start leaking off the card rails.
AGGREGATION & THE DEATH OF SCREEN-SCRAPING
Before APIs, aggregators logged in as you and scraped the page - fragile and risky. Regulation (PSD2, the PSR, the CFPB rule) is forcing a shift to permissioned APIs and tokenised access, where the third party never holds your credentials. Plaid, Tink and TrueLayer are re-platforming onto this model. The transition is messy - coverage gaps, flaky bank APIs - but it's the plumbing nearly every lending and PFM fintech quietly depends on.
OPEN FINANCE & DATA RECIPROCITY
'Open banking' covers payment accounts; open finance extends the consent model to investments, pensions, insurance and more. The unresolved fights are reciprocity - if fintechs read bank data, must they share their own back? - and who pays for the APIs. The EU's FIDA proposal, the UK's 'smart data' agenda, and Brazil's open-finance rollout are the ones to watch; Brazil and India show how fast adoption moves when a regulator leads.
PART 05

Remember three things.

1
Open banking is your bank data plus your bank's payment rail, opened by your permission - not sold by the bank and not routed through a card network.
2
A2A is the structural threat to interchange: pay-by-bank is instant, near-free and chargeback-free, and VRP is the piece that lets it handle subscriptions - the card's last stronghold.
3
The technology is settled; the politics are not. The EU is mandating it, the US keeps wavering, and everywhere adoption follows the mandate. Whoever controls the consent layer controls the customer.