The UK government just told us what open finance risk management needs to look like

Louise Beaumont
May 18, 2026
The UK Government published its response to the Smart Data digital markets call for evidence this week. Read alongside the Smart Data 2035 strategy published in April, it amounts to the clearest statement yet of where UK open finance risk management infrastructure is heading - and what it will need to function safely.

The gap regulation can't fill

Respondents to the call for evidence consistently identified the same problem: data portability in digital markets doesn't work well enough, and the reason it doesn't is structural. Current frameworks don't guarantee data in real time or in a usable format. Identity verification processes are inconsistent.

And there is no standardised mechanism for authenticating and authorising the third parties that need to access that data on a consumer's behalf - beyond that available for authorised AISPs and PISPs in open banking.

That last point is not a minor operational detail. It is the foundational condition for any data-sharing scheme to function at scale. Regulators authorise and supervise the regulated community - in open banking, AISPs and PISPs - but supervision at scale is necessarily sample-based, not continuous. And regulation has no structural reach into the fourth, fifth, and nth party layer: the unregulated intermediaries that sit downstream of authorised providers and through whom consumer and business data continues to flow. Without a standardised accreditation mechanism covering that wider population, every participant beyond the regulated perimeter is a judgement call - made individually, inconsistently, and without ongoing oversight once access is granted.

That is not a risk management framework. It is a series of individual bets.

Why the infrastructure question is urgent now

Open banking - the most mature of the UK's smart data schemes - already has 17 million users and more than 300 FCA-authorised AISPs and PISPs, according to figures from Open Banking Ltd and the FCA's own data. But behind those regulated providers sit thousands of unregulated third parties - fourth, fifth, and nth parties - accessing the market indirectly, and largely invisible to the financial institutions whose customers' data is flowing through them.

Some regulated providers do assess the downstream parties they contract with carefully. Others lack the specialist skills, capacity, or infrastructure to do so. That inconsistency is itself the problem - because a system is only as strong as its weakest point of oversight. And even where initial assessment is rigorous, ongoing monitoring is where the whole industry tends to fall short. Not just at the moment of access, but for all the time that access is live.

The Smart Data 2035 strategy estimates that five use cases alone could deliver £26 billion in social net present value over the next fifteen years. Open finance - the natural extension of open banking into the full breadth of financial services data - is identified as one of the priority sectors, with the FCA's Open Finance roadmap already in progress.

What the Smart Data 2035 strategy requires

The ambition is not in question. The infrastructure question is.

Every smart data scheme the government intends to build - in finance, in digital markets, in energy, in property - depends on the same underlying architecture. Regulation covers the authorised layer - and should. But regulators cannot accredit every fourth, fifth, and nth party, monitor them continuously, or backstop the liability when something goes wrong downstream. That is not a criticism of the FCA or any regulator. It is a structural reality. The infrastructure question is what fills that gap: standardised accreditation of participants, continuous risk intelligence on how those parties are performing over time, and clear liability when something goes wrong.

That is not a future requirement. It is the present one. Open finance data flows are already happening. Consumers and businesses are already sharing financial data with third parties through the pipes that open banking built. The risk of inadequate third-party oversight exists today, in every data-sharing or payment initiation transaction that takes place without standardised accreditation, dynamic risk monitoring, or clear liability allocation behind it.

The Smart Data 2035 strategy sets a target of five or more active schemes by 2030. The question for every data-providing institution (banks, insurers, pension providers, utility companies), intermediary, and provider in the UK is not whether this infrastructure is coming. It is whether they are ready for it when it arrives - and whether the risk that third parties are creating, and that data providers are ultimately carrying, is visible to them.

Invela is building the risk management network across three integrated layers: standardised Accreditation; dynamic risk monitoring via the Invela Risk Indicator; and insurance-backed Warranty, which will provide the financial backstop that ensures liability lands in the right place.

Open finance, covered.