TL;DR: Open banking is moving from regulated data sharing to a broader API economy, with the market projected to grow from $31.61 billion in 2024 to $135.17 billion by 2030, according to Kong and Grand View Research. The governance challenge is no longer adoption alone, but how banks and fintechs control consent, tokenised access, and third-party accountability at scale.
NHIMG editorial — based on content published by Kong: Open Banking: The Guide on APIs, Regulations, and the Future of Finance
By the numbers:
- In January 2024, consumers in the United Kingdom made a record-breaking 14.5 million open banking payments.
- By July 2024, the UK reached 10 million active open banking users.
Questions worth separating out
Q: How should security teams govern consent-based API access in open banking?
A: Security teams should treat consent as a controlled entitlement with scope, expiry, monitoring, and revocation.
Q: Why do open banking APIs create IAM and NHI governance challenges?
A: Open banking creates IAM and NHI challenges because external parties receive delegated access to sensitive financial data and payment functions.
Q: What breaks when API scopes are too broad in open banking?
A: Broad scopes collapse least-privilege controls and make it harder to prove that a third party accessed only what it needed.
Practitioner guidance
- Map every open banking integration to a named identity owner: assign ownership for each third-party API relationship, including who approves access, who reviews scope changes, and who revokes access when the business relationship ends.
- Treat consent scopes as enforceable entitlements: review whether each API scope matches the minimum data or payment action required, then align technical scopes with business purpose and expiry.
- Build offboarding into partner access governance: make revocation part of the standard third-party lifecycle, including API key removal, token invalidation, and partner certification withdrawal when needed.
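The three controls above (a named owner per integration, consent scopes enforced as entitlements with expiry, and offboarding as revocation) as an added Python example; it is not code from Kong's guide or from this post. The scope names, the purpose-to-minimum-scope map and the two sample partners are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# AIS/PIS scope names follow the page's primitives; PURPOSE_SCOPES is a hypothetical purpose-to-minimum-scope map.
AIS_READ, PIS_INITIATE = "accounts:read", "payments:initiate"
PURPOSE_SCOPES = {"budgeting": {AIS_READ}, "bill-pay": {AIS_READ, PIS_INITIATE}}
DEMO_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed clock for the constructed sample

@dataclass
class Consent:
    consent_id: str
    third_party: str      # partner holding delegated access
    owner: str            # named identity owner accountable for the integration
    purpose: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False

class ConsentRegistry:
    def __init__(self):
        self.consents, self.audit_log = {}, []
    def grant(self, c):
        self.consents[c.consent_id] = c
    def authorize(self, consent_id, scope, now=DEMO_NOW):
        """Deny on unknown consent, revocation, expiry or missing scope; log every decision."""
        c = self.consents.get(consent_id)
        if c is None:
            reason = "unknown-consent"
        elif c.revoked:
            reason = "revoked"
        elif now >= c.expires_at:
            reason = "expired"
        elif scope not in c.scopes:
            reason = "scope-not-granted"
        else:
            reason = "ok"
        self.audit_log.append((now.isoformat(), consent_id, scope, reason))
        return reason == "ok", reason
    def over_scoped(self):  # consent ids whose technical scopes exceed the minimum for their stated purpose
        return [c.consent_id for c in self.consents.values() if c.scopes - PURPOSE_SCOPES.get(c.purpose, set())]
    def offboard_partner(self, third_party):  # offboarding: revoke every live consent a partner holds
        live = [c for c in self.consents.values() if c.third_party == third_party and not c.revoked]
        for c in live:
            c.revoked = True
        return len(live)

def build_demo_registry(now=DEMO_NOW):
    """Constructed sample: the second partner holds a payment scope that a budgeting purpose does not need."""
    reg = ConsentRegistry()
    reg.grant(Consent("c1", "budget-app", "alice", "budgeting", frozenset({AIS_READ}), now + timedelta(days=90)))
    reg.grant(Consent("c2", "billpay-co", "bob", "budgeting", frozenset({AIS_READ, PIS_INITIATE}), now + timedelta(days=1)))
    return reg
```

Every authorization decision lands in `audit_log`, which is what lets a team later prove that a partner touched only what its consent allowed.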
What's in the full article
Kong's full guide covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of open banking API primitives, including AIS, PIS, and variable recurring payments.
- Regulatory context across FAPI 2.0, PSD3, and Section 1033 for teams aligning controls to legal requirements.
- Implementation guidance for banks and fintechs that need phased rollout plans, not just governance framing.
- Examples of open finance use cases and cross-border interoperability issues that matter once policy is set.
Read Kong's guide to open banking APIs, regulations, and finance.