On 1 May 2026, the FCA published KPMG’s Industry Evaluation Panel report on the competing proposals to establish the UK’s Open Banking Future Entity. Open Banking Limited scored 63.88 out of 76. The Smart Data Group scored 46.

The outcome was shaped by far more than technical capability. Governance credibility, operational readiness, funding feasibility, and implementation confidence all carried substantial weight in the assessment.

That matters beyond open banking. The report shows how regulated financial markets are beginning to assess critical technology providers before contracts are signed, before infrastructure goes live, and before regulators formally intervene.

What the KPMG Panel Evaluated

The Industry Evaluation Panel was not assessing architecture in isolation. Governance and operational readiness carried equal importance alongside technical capability.

OBL scored higher because the panel viewed its proposal as more immediately executable, with clearer accountability structures, stronger mobilisation planning, and greater operational credibility from the outset. SDG was recognised for its independence and broader architectural ambition, but the panel identified less clarity around how governance arrangements would function under live operating conditions.

That distinction matters because financial institutions increasingly expect firms to demonstrate how oversight, escalation processes, accountability structures, and operational controls function in practice rather than how they appear in conceptual frameworks.

The panel was not reviewing a whitepaper. It was assessing whether an organisation could govern critical financial infrastructure reliably, under scrutiny, and at scale.

Why This Extends Beyond Open Banking

The Future Entity will eventually oversee key components of the UK’s open banking ecosystem, including API standards, directory services, certification frameworks, and operational coordination across participants.

Any regulated firm relying on those services inherits a level of operational dependency on the organisation responsible for governing them. That changes the nature of procurement assessment.

Under the EU’s Digital Operational Resilience Act (DORA), which has applied across financial services since 17 January 2025, firms must maintain detailed oversight of ICT third-party providers. The regulation requires contractual controls, operational resilience assessments, concentration risk analysis, and demonstrable exit capability throughout the lifecycle of a supplier relationship.

Governance weaknesses are now treated as operational resilience risks with direct implications for outsourcing approvals, vendor onboarding, and supervisory scrutiny.

The KPMG panel’s emphasis on governance operability and credible risk management reflects that shift. Governance assessment is increasingly forming part of third-party risk due diligence long before onboarding decisions are finalised.

That change will extend well beyond open banking infrastructure.

The AI Governance Parallel

The Future Entity evaluation offers a clear indication of how AI systems inside regulated firms will increasingly be assessed.

Before an AI model reaches production, touches customer data, influences a credit outcome, supports onboarding decisions, or flags suspicious transactions, firms need evidence that its governance framework can withstand operational scrutiny.

That requires more than internal policy documents or broad governance principles. Boards, procurement teams, risk committees, and regulators increasingly expect firms to demonstrate:

• traceable decision logic

• documented controls

• escalation pathways

• monitoring frameworks

• operational oversight mechanisms

• evidence of ongoing governance effectiveness

Regulatory expectations are becoming increasingly clear. FCA expectations around accountability, explainability, operational oversight, and senior management responsibility are moving firms towards a more evidence-based approach to AI governance.

Financial institutions are no longer evaluating technology solely on performance claims or architectural sophistication. They are assessing whether governance controls can withstand audit, escalation, and supervisory review under real operating conditions.

That is precisely what the Industry Evaluation Panel assessed in the OBL versus SDG process.

Regulativ’s AI Governor helps regulated firms evidence governance controls before AI systems reach production. From accountability mapping to oversight workflows and audit-ready governance records, the platform is designed for organisations operating under increasing regulatory and procurement scrutiny.

Why Procurement Standards Are Changing

Historically, governance reviews often sat downstream from technical selection. A vendor demonstrated capability first, whilst governance maturity was assessed later in the process.

That sequencing is changing.

Regulated firms increasingly assess governance credibility during procurement itself, particularly where technology providers influence customer outcomes, operational resilience, financial crime controls, or regulatory exposure.

The Future Entity process illustrates this clearly. The panel evaluated governance structures before the organisation existed operationally. The assessment focused on whether governance arrangements appeared credible, implementable, and sustainable from the beginning.

AI vendors and internal AI teams should expect the same level of scrutiny.

Procurement, compliance, operational resilience, and model risk teams are already asking more demanding questions:

• Who owns accountability for model behaviour?

• How are governance breaches escalated?

• Can decisions be reconstructed and evidenced?

• What controls exist around data usage and monitoring?

• How does the organisation demonstrate oversight after deployment?

• Can governance controls withstand audit or supervisory review?

Technical performance remains important. On its own, it no longer secures trust inside regulated environments.

What Firms Should Take From This

The Industry Evaluation Panel rewarded operational credibility over architectural ambition. That distinction matters for every regulated firm deploying AI.

Financial institutions increasingly assess whether governance frameworks can be evidenced, audited, escalated, and relied upon under pressure. That applies to external vendors, internal AI deployments, and critical infrastructure providers alike.

The operational burden is also increasing. Firms subject to DORA, FCA operational resilience expectations, model risk governance obligations, and emerging AI oversight requirements cannot rely on governance by assertion alone.

They need governance structures that function consistently in practice.

The broader lesson from the OBL versus SDG evaluation is not about which organisation won the Future Entity process. The more important signal is that regulated markets are beginning to assess trustworthiness before systems become operational.

For firms deploying AI, the question is no longer whether models perform well in controlled environments.

Would your governance framework withstand the same level of scrutiny before deployment, before procurement approval, and before regulatory intervention?