[lapusta]

> Why 'would be' just out of interest?

The scenario is typically the following. After the EU Commission approves the directive, each country has to transform it into the national law and define the authority/approach/timelines. In the case of the UK, it's indeed the way you've described.

> As AFAICT this would be explicitly disallowed unless all the users of said APIs are themselves accredited.

In UK Plaid would have to follow the OpenBanking regulation indeed and provide access according to the consent of the account owner. In the US they are just storing your password and using it according to their privacy policy.

[Nursie]

I'm not sure they would be allowed to provide access to another party at all, if the other party wasn't accredited, regardless of consent.

I'm sure they've looked into this with their lawyers, but acting as an escape route for banking data to non-approved entities is not likely to be smiled upon.

[cormac_q]

They are allowed to provide access but with a few stipulations:

Firstly, the consumer must be aware that they are sharing their data via Plaid (i.e. Plaid can't hide behind the scenes).

Secondly, there are certain exceptions for needing to be regulated by the FCA - particularly if you don't show any data back to the user.

In practice, it makes sense to be regulated by the FCA regardless because asking to share bank information/transactions with Plaid can turn users off and you're limited with what you can do with that data without being regulated/authorised.

Source: Fintech founder in the UK/Ireland.

[Nursie]

I find that surprising, given the lengths OB go to to ensure that only registered, accredited entities can participate in using their APIs. I'm not saying you're wrong, just that I find it surprising.

(Source, I consult with OB and have a hand in their PKI, I don't speak for them and I'm not part of or informed well about anything to do with the regulatory environment)