On May 15, 2026, OpenAI connected ChatGPT Finances to the bank accounts of its American Pro subscribers via Plaid.
Over 12,000 institutions are covered, providing read-only access to balances, transactions, investments, and liabilities.
In the same week, Codex went mobile, Hiro was acquired in an acqui-hire, and the Intuit partnership was valued at over $100 million.
The key question isn’t whether OpenAI is building a financial super app, but what it would take to replicate the stack in Europe without hitting a regulatory wall.
This article maps out the announcements, cross-references DSP2, PSD3, DORA, AI Act, and GDPR, and proposes a blueprint for an EU-compatible SME treasury copilot.
In brief
- ChatGPT Finances remains US-only in mid-May 2026: Pro preview at $100 or $200 per month, web and iOS, Plaid data read-only, deletion within 30 days after disconnection.
- The OpenAI stack is converging towards a desktop super app: ChatGPT reasons, Atlas navigates, Codex codes, Hiro provides the finance brain trust, Intuit integrates TurboTax and Credit Karma into chats.
- The product can’t land as-is in Europe: DSP2 requires an AISP status to read an account, PSD3 and PSR tighten authentication, DORA regulates critical ICT subcontractors, the AI Act monitors credit scoring.
- Several European banks already have AI assistants in production: Revolut Money Intelligence, N26, Société Générale, Crédit Mutuel on watsonx, BNP Paribas with Kantox.
- An EU-compatible SME treasury copilot is technically feasible today: licensed AISP aggregator (Tink, Powens, GoCardless), FAPI profile 2, hash-chained audit trail, LLM isolated from the banking token.
- The French-speaking AI studio wins in the middle of the value chain: integration, orchestration, business safeguards, not in direct competition on the model or banking license.
What OpenAI announced between Hiro, Codex mobile, and ChatGPT Finances
The sequence began on April 13, 2026, with the acquisition of Hiro, a startup by Ethan Bloch, ex-Digit.
TechCrunch and Finextra described the operation as an acqui-hire: undisclosed amount, app closed on April 20, server data erased on May 13, Bloch’s team integrated into OpenAI.
Hiro operated on declarative data, not on real banking connections.
On May 14, 2026, Codex became available on iOS and Android within the ChatGPT app, included in all plans.
Connection to the Codex desktop macOS is done via QR code.
The audience grew from 3 to 4 million weekly users in two weeks, according to Neowin.
On May 15, 2026, OpenAI launched ChatGPT Finances in US Pro preview, web and iOS, via Plaid.
Over 12,000 institutions covered: Chase, Citi, Schwab, Fidelity, Robinhood, American Express, Capital One, Affirm.
ChatGPT reads balances, transactions, holdings, and liabilities.
It doesn’t see full account numbers and can’t initiate any payments.
Synchronized data is deleted within 30 days after disconnection.
The engine is GPT-5.5, with a new type of memory called Financial Memories.
Over 200 million people ask personal finance questions to ChatGPT each month, and Plaid connects these conversations to real banking flows, source Plaid blog May 15, 2026.
OpenAI also confirmed a partnership with Intuit worth over $100 million over several years.
TurboTax, Credit Karma, QuickBooks, and Mailchimp become actionable apps in ChatGPT, capable of calculating the tax impact of a stock sale or the probability of credit card approval.
These apps are not yet available to the general public as of mid-May 2026.
The sequence outlines the ChatGPT super app as an AI operating system: ChatGPT reasons, Atlas navigates on macOS, Codex codes, Hiro provides the finance angle, Intuit integrates taxation.
The stack aims for an integrated financial desk, not just a chatbot.
Why ChatGPT Finances can’t land as-is in Europe
The rollout is explicitly US-Pro as of mid-May 2026.
OpenAI has not given any date for international expansion.
The reason lies in a regulatory stack that the French-speaking press rarely analyzes in a cross-referenced manner.
DSP2 and PSD3-PSR: AISP status required to read an account
The DSP2 directive (2015/2366) has regulated access to banking data in Europe since 2018.
Reading a client’s balances and transactions requires the AISP (Account Information Service Provider) status, obtained from the competent national authority.
In France, it’s the ACPR.
The AISP doesn’t require initial capital but imposes a professional liability insurance of 5 million euros per incident and the use of eIDAS certificates (QWAC and QSealC).
The license is then valid throughout the EEA via passporting.
PSD3 and the PSR regulation reached a political agreement on November 27, 2025, with formal adoption expected in the first or second quarter of 2026 and a 21-month transition period.
The PSR introduces mandatory Verification of Payee, dual-factor SCA, and PSP liability for impersonation fraud.
It explicitly prohibits screen scraping: all account reading must go through the dedicated XS2A API.
SCA and FAPI: the agent never touches the token
Strong customer authentication has been in effect since September 2019.
Two independent factors among knowledge, possession, and inherence are mandatory to initiate a banking session in the EEA.
In a compliant architecture, the LLM never sees the access token.
OpenID Financial-grade API (FAPI) profile 2 separates the auth channel from the data channel: a backend keeps the secrets, the agent receives only filtered fields.
The AI agent acts as a junior accountant: it reads your statements, alerts you to unusual spending, suggests a budget, but doesn’t sign a check on your behalf.
This is the AIS versus PIS boundary.
DORA since January 2025: OpenAI becomes a critical ICT subcontractor
The Digital Operational Resilience Act has applied since January 17, 2025, to EU financial institutions.
DORA regulates contracts with third-party ICT providers, including external LLMs.
A bank connecting its IS to ChatGPT would see OpenAI reclassified as a critical provider: annual audits, supervisor oversight, exit plans, resilience tests.
The Accenture Banking Top Trends 2026 report highlights the DORA, PSD3, AI Act triangle as the new center of gravity for banking compliance.
The hash-chained audit trail functions like a judicial chain of custody: each agent action is signed, timestamped, irreversible, and this is what DORA requires without stating it in these words.
AI Act Annex III: high-risk credit scoring, deadline postponed
Annex III point 5(b) of the AI Act classifies any AI system intended to assess creditworthiness or establish a credit score as high risk.
The EBA confirmed in November 2025 that the AI Act combines with CRD, CRR, CCD, MCD, and PSD without direct contradiction.
The deployer automatically triggers Article 27 FRIA and the Article 26 cascade.
The Digital Omnibus trilogue agreement signed on May 7, 2026, postponed Annex III obligations from August 2, 2026, to December 2, 2027, providing a 16-month margin.
Article 50 transparency and Article 55 GPAI at systemic risk remain on August 2, 2026.
Anthem Creation documented this framework in its analysis of AI regulation in France via the AI Act and CNIL.
GDPR and transatlantic transfers of banking data
GDPR requires a legal basis and framework for transfers to the United States.
The SCHUFA ruling (CJEU C-634/21) judged that credit scoring constitutes an individual automated decision under Article 22 GDPR, even when a human validates ex post.
The right to explanation interlocks with AI Act Article 26 paragraph 11.
GDPR fines cap at 4% of global turnover.
What European players are already doing
Europe didn’t wait for OpenAI to put banking AI assistants into production.
Revolut launched its Money Intelligence AI Assistant in 2025, integrated directly into its mobile app, with access to Revolut account flows under license.
N26 uses AI for fraud detection and categorization.
Société Générale publicly documents its AI approach for clients and employees.
Crédit Mutuel Alliance Fédérale accelerated the deployment of generative AI in partnership with IBM watsonx in 2024.
BNP Paribas relied on Kantox for the automation of foreign exchange operations.
The Oliver Wyman report from April 2026 measures the market: 40% of European customers are open to AI-generated financial advice, and 38% are ready to delegate execution.
The market is ripe.
What is missing is the orchestration between the regulated banking layer and the public-facing AI conversational layer.
- Revolut Money Intelligence: integrated assistant, native accounts, vertical experience.
- N26 fraud AI: back-end, little exposed on the user surface.
- Société Générale: framed AI approach, client advice, and internal productivity.
- Crédit Mutuel watsonx: internal agents before client deployment.
- BNP Paribas Kantox: FX automation, not public conversational.
Blueprint for an EU-compatible SME treasury copilot
Instead of waiting for OpenAI to open ChatGPT Finances in France, an AI studio can build an SME treasury copilot today with EU-compatible components.
The architecture consists of four layers, each chosen to comply with DSP2, DORA, and AI Act.
Data layer: choose a licensed AISP aggregator
Three AISP aggregators cover the majority of the EEA market.
Tink is a Visa subsidiary, with broad coverage and enterprise-oriented pricing.
Powens offers a French fintech-oriented service with strong connectivity on tier 2 and tier 3 banks.
GoCardless combines open banking and SEPA direct debit through its Bank Account Data product.
Connecting one of these middleware avoids the need to apply for its own ACPR license: the AISP responsibility remains with the aggregator, which exposes a standardized API to the studio.
Orchestration layer: specialized agents and hash-chained audit trail
A treasury copilot doesn’t need a monolithic LLM.
A forecasting agent, an alert agent, a reporting agent, and a recommendation agent better frame business responsibility than a single prompt.
Each call produces a logged, hashed, and chained trace.
The FinQub reference describes this fintech orchestration pattern: custody chain by hash, timestamped signature, immutable archiving.
This level of logging anticipates what DORA will require from supervisors in case of an audit.
AI layer: generalist LLM or self-hosted FinGPT and FinRobot
Two options coexist for the reasoning engine.
The generalist LLM hosted in Europe (Mistral, Claude via Bedrock EU) covers the conversation, provided the banking token is isolated in a FAPI backend.
The open-source alternative is the AI4Finance Foundation stack: FinGPT for financial understanding, FinRobot for multi-task agency, agentic-tlm for portfolio management.
This choice becomes relevant for sovereign actors, mutual banks, fintechs that want to keep the model on-premise.
Safeguards: read vs write, human co-signature, logging
Four safeguards hold the whole together.
The read-write separation is non-negotiable: the copilot reads via AISP, never initiates payments.
Human co-signature is required for any transfer, any contractual commitment, any tax reporting.
Hash-chained logging feeds the DORA audit.
Explanations under GDPR Article 22 and AI Act Article 26 must be generated for each recommendation likely to influence a credit decision.
For a French-speaking AI studio: where to position
The value chain of an AI banking copilot has five links: AISP license, data aggregation, agent orchestration, AI model, user experience.
A French-speaking studio has no interest in competing head-on with OpenAI on the model, nor with Tink on the license.
The middle of the chain is the exploitable space.
Three positions are worth considering.
First position, the business integrator: connect Powens, FinGPT, and a client (accounting firm, mid-sized company, association) with a specialized agent.
Typical margin: 30 to 50% on integration cost.
Second position, the safeguard orchestrator: sell the FRIA block, hash-chain audit, explainable logging as a service to fintechs that want to pass DORA without building the module internally.
Third position, the vertical sector: associative treasury, condominium treasury, restaurant treasury, where the generalist LLM is poorly calibrated.
OpenAI has already paved the way on pricing with its OpenAI Workspace agents priced per credit.
The usage-based grid will become the norm: studios that price per seat or project will switch to a hybrid model, subscription plus credit.
Better to anticipate than to endure.
The trap is trying to compete with ChatGPT Finances on its turf, while the studio wins when it integrates the EU-regulated stack that ChatGPT Finances can’t serve.
The EU banking copilot is just one use case among others in a broader thesis: the AI agent wins at the contact of business constraints, not in general abstraction.
The 2026-2027 window is open before large European banks deploy their own integrated native assistants.
FAQ
What exactly does the ChatGPT Finances preview launched on May 15, 2026, include?
The preview is reserved for ChatGPT Pro subscribers in the United States, on web and iOS.
It allows connection via Plaid to bank accounts, cards, and investment portfolios among over 12,000 institutions, read-only.
Why is the acquisition of Hiro an acqui-hire and not a product acquisition?
Hiro operated on declarative data entered by the user, without real banking connection.
OpenAI wanted Ethan Bloch’s ex-Digit team, not the technical stack: the app was closed on April 20, and server data erased on May 13, 2026.
What is the concrete difference between AISP and PISP?
The AISP reads account information without being able to initiate payments, while the PISP initiates payments on behalf of the user.
ChatGPT Finances would fall under AISP in Europe and would need to obtain this license or go through a licensed aggregator.
Why does DORA complicate the deployment of external AI in European banks?
DORA, applicable since January 17, 2025, regulates contracts with critical ICT subcontractors.
An external LLM used in banking production falls within this scope: audits, supervisor oversight, exit plans, and resilience tests become contractual.
When does a banking AI copilot fall under high-risk AI Act?
As soon as the AI assesses creditworthiness or establishes a credit score for an individual, Annex III point 5(b) applies and activates Article 27 FRIA automatically.
The deadline was postponed to December 2, 2027, by the Digital Omnibus on May 7, 2026.
Is there already a European equivalent of ChatGPT Finances for the general public?
Revolut Money Intelligence is the most advanced in the native B2C segment.
Société Générale, Crédit Mutuel via watsonx, BNP Paribas via Kantox deploy AI assistants internally or in a vertical scope, without direct competition with a generalist assistant like ChatGPT.
Which open banking aggregators avoid the need to apply for an ACPR license?
Tink (Visa), Powens, and GoCardless are licensed AISP and expose standardized APIs across the EEA.
A studio can build a copilot without submitting an ACPR application, provided it remains strictly read-only.
How to isolate the LLM from the banking token?
OpenID Financial-grade API (FAPI) profile 2 separates the authentication channel from the data channel.
The technical backend keeps the token, the AI agent receives only filtered fields, and hash-chained logs trace each access.
What does the announced OpenAI-Intuit partnership include?
Over $100 million over several years covering TurboTax, Credit Karma, QuickBooks, and Mailchimp in ChatGPT, with tax analysis and card approval probability.
The public rollout hasn’t yet occurred as of mid-May 2026.
What is the position of major French banks?
BNP Paribas, Société Générale, and Crédit Mutuel invest in generative AI internally, mainly for employee productivity and fraud detection.
None have opened their client accounts to a generalist third-party AI assistant, and the move is expected among fintech challengers before systemic players.
Related Articles
ChatGPT breach: 7M users hacked – what the leak reveals about LLM safeguards
Piratage ChatGPT Kaikatsu Club : 7,24M utilisateurs exfiltrés en janvier 2025, lecture juridique FR/EU et checklist CTO RSSI 2026.
Europe just rewrote the AI Act at 4am: we read the 7 changes for you
The Digital Omnibus of the AI Act has just rewritten the European AI timeline. In the early hours of May 7, 2026, around 4:30 am, the EU Council and the…