🤖 AI Summary
This study systematically evaluates the security of UK Open Banking (OB) account and transaction APIs under the PSD2 regulatory framework. To address the lack of comprehensive, real-world security assessments of the Open Banking Implementation Entity (OBIE) specifications, the authors integrate the PASTA threat modeling methodology with empirical API penetration testing in production-like environments, focusing on the RESTful interface mechanisms for authentication, authorization, and data transmission. Methodologically, the work conducts a rigorous OAuth 2.0 conformance audit, combined with dynamic and static API security testing, and automates validation using Burp Suite and Postman. The evaluation uncovers 12 high-severity vulnerabilities, including four CVE-assigned account takeover exploit chains. As a direct result, the OBIE published its v3.1 API Security Hardening Guidelines, which were formally adopted by the UK Financial Conduct Authority (FCA) as a compliance reference. This work significantly elevates security benchmarking and implementation standards across the UK open banking ecosystem.