SpinDepth
    Navigating the New Rulebook: Digital Banking Regulation in a World of Open Finance


    Digital banking regulation is evolving faster than most institutions can track. Here is the strategic framework firms need to stay ahead of the curve.

    March 24, 2026

    Digital banking regulation has entered a period of unprecedented complexity and pace. What began as a relatively contained effort to apply existing banking rules to new digital delivery channels has evolved into something far more ambitious: a wholesale reconception of how financial services should be regulated in a world of open data, platform economics, and embedded finance.

    For digital banks, challenger banks, and traditional institutions with significant digital operations, the regulatory landscape of 2025 looks fundamentally different from even five years ago. New frameworks are emerging on multiple fronts simultaneously - open banking mandates, digital operational resilience requirements, AI governance rules, and consumer protection standards - and the firms that are building digital banking compliance as a strategic capability rather than a reactive obligation will have a decisive advantage.

    The Open Finance Horizon

    Open banking was the first wave. The requirement that banks share customer data with authorised third parties via APIs - mandated by PSD2 in Europe and equivalent frameworks elsewhere - fundamentally changed the competitive dynamics of retail banking and created the infrastructure for a new generation of financial services built on top of banking data.

    Open finance is the second, larger wave. Where open banking focused on payment accounts, open finance extends data sharing requirements to a much broader range of financial products: mortgages, savings, investments, pensions, and insurance. The vision is a financial system in which consumers have genuine portability of their financial data, the ability to share it with providers of their choice, and the negotiating power that comes from being able to switch providers without losing access to their financial history.

    The strategic implications of open finance for digital banks are profound. On one hand, the mandatory sharing of account data means that competitive moats built on data exclusivity are progressively eroded. On the other hand, open finance creates the opportunity to build new products and services that aggregate and make sense of customers' complete financial picture in ways that a single provider could never achieve with only its own data.

    Operational Resilience and DORA

    The European Union's Digital Operational Resilience Act - DORA - represents one of the most significant new requirements for financial institutions with digital operations. In force since January 2025, DORA mandates comprehensive requirements around ICT risk management, incident reporting, digital operational resilience testing, and the management of third-party technology providers.

    For digital banks, whose entire business model is built on technology infrastructure, DORA is not a peripheral compliance requirement - it is a framework that touches every dimension of operational risk management. The requirement to test ICT systems' resilience against a range of threat scenarios, to maintain detailed documentation of technology dependencies, and to demonstrate that third-party providers including cloud platforms meet resilience standards requires a level of operational sophistication that many institutions are still building.

    The strategic opportunity in DORA compliance is real. Institutions that have genuinely built operational resilience - not just documented it - are safer, more reliable, and ultimately more attractive to customers and counterparties than those that have taken a box-ticking approach to compliance.

    AI Governance in Digital Banking

    The rapid deployment of AI models across digital banking operations - in credit decisioning, fraud detection, customer service, and product recommendation - has placed AI governance firmly on the regulatory agenda.

    In the European Union, the AI Act creates a tiered regulatory framework that classifies AI systems by risk level. AI systems used in credit scoring and financial decision-making that could affect individuals' access to financial services are classified as high-risk systems, subject to requirements around transparency, human oversight, data governance, and ongoing monitoring.

    For digital banks that have invested heavily in AI-driven decisioning, these requirements represent a significant compliance investment. They also represent an opportunity: institutions that can demonstrate that their AI systems are transparent, fair, and subject to meaningful human oversight will be better positioned as regulators and consumers increasingly scrutinise the role of automated decision-making in access to credit and financial services.

    Consumer Duty and the Outcomes Focus

    The UK FCA's Consumer Duty framework, which came into full effect in 2023 and 2024, represents a fundamental shift in the philosophy of financial consumer protection. Rather than specifying the rules that firms must follow, Consumer Duty specifies the outcomes that firms must deliver: good outcomes for customers in terms of products and services, price and value, consumer understanding, and consumer support.

    This outcomes-based approach places a much higher burden of evidence on firms. It is not sufficient to demonstrate that products were designed with good intentions or that disclosures met regulatory requirements. Firms must demonstrate, with evidence, that their customers are actually achieving good outcomes - that products are meeting the needs they were sold to address, that pricing is fair relative to value delivered, and that customers who need support are receiving it.

    For digital banks, Consumer Duty creates both a challenge and an opportunity. The challenge is the data and monitoring infrastructure required to demonstrate good customer outcomes at scale. The opportunity is that the outcomes focus rewards institutions that genuinely serve their customers well - and penalises those that have relied on complexity, inertia, and information asymmetry to extract value from customers who do not fully understand what they are buying.

    What Digital Banks Must Do Now

    - Treat regulatory engagement as a strategic function: The pace and complexity of digital banking regulation makes reactive compliance increasingly untenable. Firms that engage proactively with regulators, participate in industry consultations, and help shape the implementation of new frameworks will be better positioned than those that simply wait for rules to be finalised.

    - Build compliance infrastructure that generates insight: The monitoring and reporting requirements of modern digital banking regulation generate valuable data about customer behaviour and outcomes. Firms that build compliance infrastructure that also serves as a source of business intelligence are extracting more value from their compliance investment.

    - Develop a genuine AI governance framework: The regulatory requirements around AI in financial services are still developing, but the direction is clear. Institutions that have built genuine AI governance - with meaningful human oversight, transparent decision-making processes, and robust model monitoring - will navigate the emerging AI regulatory framework more smoothly than those that have deployed AI without governance structures.

    - Communicate clearly with customers about regulatory rights: Open banking and open finance create genuine benefits for customers, but only if customers understand and exercise their rights. Digital banks that communicate clearly about data portability, switching rights, and the meaning of authorised third-party access will build stronger customer relationships.

    Conclusion

    Digital banking regulation is not simply a compliance burden - it is a strategic environment that rewards institutions that engage with it seriously. The firms that will lead digital banking in the next decade are those that have built regulatory capability as a competitive advantage rather than a cost centre.

    At SpinDepth, we help digital banks and traditional institutions with digital operations navigate the strategic, narrative, and operational dimensions of this regulatory environment. The conversation starts here.
