Open banking in the United Kingdom is entering a new phase, transitioning from the Open Banking Implementation Entity (OBIE) to what is often referred to as the Future Entity. The transition to a new entity is about moving to a more permanent, sustainable governance model as the OBIE completes its original mandate.
This shift follows a 2016 inquiry by the Competition and Markets Authority (CMA) into the retail banking sector, which found limited competition in the field and the need to give consumers more choice. Initially, the CMA required the nine largest banks (often called the “CMA9,” comprising Barclays, HSBC, Lloyds Banking Group, Nationwide, RBS, Santander, Danske Bank, Bank of Ireland, and Allied Irish Bank) to allow third-party providers (TPPs) regulated access to customer data—subject to user consent—via standardized application programming interfaces (APIs).
Under this mandate, the OBIE was formed to define technical guidelines, set compliance requirements, and coordinate efforts among the CMA9 and TPPs. As open banking matured, however, the CMA recognized the need for a more inclusive structure that extends beyond these nine major institutions and also embraces smaller banks, fintech enterprises, consumer groups, and other stakeholders. A new committee, the Joint Regulatory Oversight Committee (JROC), was established to guide this transition. JROC comprises the CMA, the Financial Conduct Authority (FCA), the Payment Systems Regulator (PSR), and HM Treasury, working together to chart the strategic direction and governance of the upcoming Future Entity.
The Future Entity: Key objectives
A prominent goal of the Future Entity is delivering robust oversight across open banking operations.
By including stakeholders outside the original CMA9, it aims to ensure a balanced governance model that avoids any single party’s dominance. Standardization and interoperability, already central to the existing open banking framework, remain priorities as the Future Entity seeks to refine APIs and data formats so newcomers can enter the market with fewer hurdles.
Strengthening security protocols through consistent guidelines around encryption, incident response, and authentication is another focal point. Lastly, consumer protection underpins these efforts, making sure that users can seamlessly grant or revoke data access while understanding how their information is managed.
Structure and funding model
Proposals for the Future Entity’s governance frequently mention a balanced board that includes representatives from banks, TPPs, and consumer advocacy organizations, with regulators in an observer role. This structure prevents overconcentration of power among the former CMA9.
Funding is likely to come from a broader range of participants—rather than solely these largest banks—distributing financial obligations more equitably. There is also a discussion of offering paid services or toolkits to generate additional revenue that supports long-term operations. For an in-depth breakdown of these proposals, refer to the JROC's latest Proposals for the Future Entity.
Technical architecture and standards overhaul
The new entity will refine existing API specifications—originally defined by the OBIE—for account data, payment initiation, and other services. This could involve aligning certain technical elements with global best practices, particularly for fintech firms operating in multiple jurisdictions.
Security protocols, including tokenization and advanced fraud-detection measures, will likely be reinforced through frequent audits and self-assessments. Participants must also abide by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (2018), maintaining clear data usage logs and consent policies. In addition to technical changes, the new entity will also focus on improving user experience and accessibility.
All of the above will require market players in the open banking industry to invest in data architecture transformation and update their infrastructure to be compliant.
Market impact
Banks and financial institutions stand to benefit from a unified set of standards as they develop service offerings in conjunction with technology partners. Although this may require increased spending on cybersecurity, system upgrades, data transformations and staff training, such measures lay a foundation for stable, future-oriented growth.
Fintechs could see lower barriers to entry but must prepare for rigorous security and compliance checks. Meanwhile, consumers and small businesses may gain access to more advanced products and integrated solutions—ranging from real-time cash flow monitoring to data-driven financing options.
Below is an outline of practical steps that fintech and open banking companies should prepare to take to align with the Joint Regulatory Oversight Committee (JROC) April 2023 recommendations, drawn from the JROC Report – Recommendations and Actions, April 2023:
Update APIs and infrastructure
Ensure compatibility with new API standards, refine authentication flows, and document changes for future audits.
Strengthen security and resilience
Adopt stronger encryption, run regular penetration tests, and set clear response protocols for incidents or disruptions.
Implement performance reporting
Automate metrics collection (e.g., uptime, error rates) and share data in standardized formats to enhance transparency.
Support Variable Recurring Payments (VRPs)
Adapt payment systems to accommodate VRPs, clearly define user consent processes, and align technical requirements with partner banks.
Enhance consumer protection
Maintain straightforward consent controls, respond quickly to privacy or fraud complaints, and offer user education on data usage.
Participate in governance discussions
Engage with industry groups, regulators, and working committees to stay informed about funding, timeline adjustments, and evolving guidelines.
Plan phased rollouts
Coordinate internal and partner roadmaps with JROC’s recommended milestones, anticipating interim updates and changes in deadlines.
Looking Ahead: Operational and strategic considerations
Adhering to the Future Entity’s guidelines demands diligent data governance. Financial institutions should maintain thorough inventories of the data they collect and process, ensuring robust encryption and consent management. Collaboration among industry associations—like Innovate Finance or UK Finance—as well as with regulators and technology consortia, remains crucial. The Bank of England and the FCA also emphasize operational resilience, defining clear protocols for incident response, uptime, and continuity planning to mitigate service disruptions.
The shift to a broader, more inclusive system under the UK Open Banking Future Entity Framework represents an evolution beyond the initial OBIE model. With well-defined governance, refined technical standards, and stakeholder collaboration, this next phase of open banking promises both challenges and opportunities. Institutions that adapt promptly can deliver secure, transparent, and flexible services, strengthening user trust and supporting long-term market confidence.
Data transformation and IT consultancy firms, such as Blocshop, can facilitate this transition by applying AI-driven data integration tools and tailoring API infrastructures to meet specific operational and regulatory needs. Blocshop can create and revise APIs for seamless data sharing, identify gaps in existing architectures, and implement best practices that align with open banking guidelines. Through dedicated consultations, unique in-house tools, and hands-on expertise, we help organizations manage the complexities of evolving regulatory requirements and maintain robust security standards.