The great potential and obvious pitfalls of innovative approaches to building new forms of digital public infrastructure

A previous Integral article spotlighted the rising focus on Digital Public Infrastructure (DPI). DPI is often provided through public-private collaboration. Building DPI takes place in a context of fast-changing technology choices and scarce skills to make the choices, often with the added pressure of ambitious goals and tight deadlines. The interests of public and private participants are not necessarily aligned; and even among private participants incentives may differ. In this setting, good governance matters a lot but is not simple to achieve or sustain. This article considers the governance challenges of the Open Banking scheme in the UK as an example of a newer category of DPI. The lessons are not simple. This case raises questions like: Is there a tradeoff between effectiveness and hygiene factors in governance? (or, if you prefer, Must moving fast always risk breaking things?) And the case suggests some answers to important questions like: How to structure and fund the role of an effective and innovative infrastructure builder and operator? 

First, however, let’s sketch some background on Open Banking.

Open Banking spreads worldwide

Open Banking derives from the principle that customers should control the use of their own data. Although countries in Europe led the way in entrenching this principle in law, Open Banking has now spread worldwide: a 2020 BBVA article reported that 15 countries around the world were at different stages of implementing it in different forms. Of these, the UK is generally recognized as the leader in implementation so far. Three years into the process, the Open Banking Impact Report 2020 gives an indication of why. Evaluators counted 109 live Open Banking products or services at end 2020, an increase of 76% year on year, accompanied by a 450% rise in usage measured by API calls on participating banks. An estimated 3 million people were using at least one open banking service, double the previous year’s number. 

To open up personally identifiable data of clients in this way securely and safely requires great care in design and robust implementation and oversight in an environment of fast changing technology and conflicting interests between banks and third party providers. In short, it requires good digital governance. 

But is Open Banking a category of DPI?

Emerging Open Banking schemes in general satisfy at least two of the three requirements to be considered DPI. They are certainly digital, in that they rely on APIs for third party providers to access banks’ information about their clients in secure, privacy preserving ways. They are also public at least in the sense that they rely on defined standards and protocols for API exchange which are usually publicly available and sometimes publicly owned. In this sense, some Open Banking protocols could be considered Digital Public Goods. But not all schemes have the third element, which is the supporting central infrastructure which provides the scaffolding to leverage and extend their protocols into market tractions.

In this respect, the UK scheme implemented as the result of a competition enquiry into banks conducted by the Competition and Markets Authority (CMA) went further than other national schemes: it established a new infrastructure in the form of the Open Banking Implementation Entity (OBIE) to develop and manage the scheme. OBIE is a special purpose structure housed in a non-profit company limited by guarantee called Open Banking Limited. The CMA’s Order not only mandated the setup of this entity, but also required the nine largest banks in the country (known thereafter as the CMA9) to participate in it and to fund it in order to achieve defined objectives benefiting consumers and small businesses. In this respect, the wide powers of the CMA to craft competitive remedies allowed it to go further than is common in open banking laws alone. 

By establishing OBIE, the UK approach effectively created a focal point for engagement with the multiple regulatory bodies who are inevitably involved in all Open Banking questions: while the OBIE itself is directly accountable to the Competition & Markets Authority, the Financial Conduct Authority (FCA) is responsible for consumer protection and the Information Commissioner's Office for data. The presence of an independent but well resourced infrastructure builder and operator in the form of OBIE has played a key role in why the UK scheme has thrived, whereas others have been slower to take off. 

Governing Open Banking Phase 1.0 (2016-2021)

OBIE’s governance structure for the initial phase was set out only in general terms by the CMA Order: the presumption was that standard company governance principles and norms would apply. The Order appointed an independent Implementation Trustee responsible for setting the standards for the participation of CMA9 banks as required under the Order and for overseeing their compliance with them. The OBIE was designed as the vehicle for providing institutional support to the Trustee in this role. Effectively, the Trustee also served as the Executive Chair of the Board of the Open Banking Ltd company, with one other non-executive for most of this first phase. A Program Director effectively acted as the COO, managing day-to-day activities and operations of the OBIE. 

While the Order required the CMA9 banks to share the operating costs of the OBIE, they did not have a direct voice on the board of the company. This was seen as a conflict of interests since they were essentially being asked to pay for opening up their client data to competitors. However, the Order established an advisory group called the Implementation Entity Steering Group (IESG) to review the standards and policies to be adopted by the OBIE. This group comprised representatives of the CMA9 banks, as well as the regulatory agencies and Treasury, and independent representatives for consumers and small businesses. Although the Implementation Trustee was required first to seek consensus at IESG, he also had the power to impose a decision if consensus could not be reached which acted as a forcing device to ensure momentum. The IESG introduced transparency and some voice for banks, regulators and end-users. This approach to multi-stakeholder governance is somewhat similar to that commonly followed by Open Source software protocols: a board of directors manages the business side of a developing and applying a standard, while a technical committee develops the technical standards. In fact, the concentration of power vested in the Trustee in the OBIE scheme is not unlike the wide powers wielded by founders in some Open Source movements. However, a key difference here is that OBIE was backed from the start by the regulatory powers of a state agency, the CMA, which could issue enforcement decrees to the CMA9 banks and even impose fines on them, though it had no powers over the other parties in the scheme. 

Funding and operations

Like many infrastructures, OBIE ended up costing a lot more than expected: originally, it was envisaged at the outset that the costs of implementation might run to the equivalent of around USD27m, but in fact, the total costs to date have run closer to USD200m. Almost all of this was paid by a levy on the CMA9 banks. In its 2020 Annual Report, OBIE reported that it now had growing income from fees of some USD5m, or around 10% of its operating costs in that year.

The ballooning cost was in part because of growing realizations of what was really needed for effective implementation. This led to a growing scope of operations: having standards and directory infrastructure alone were found to be insufficient for success of the scheme. By 2020, almost a quarter of OBIE costs were attributed to ecosystem development, which covered onboarding new third party providers. As the developer of the infrastructure, OBIE came to have a full time equivalent complement of 154 people by end 2019. However, since it was not envisaged that OBIE would last long term, these people were all contractors: a reasonable way to acquire skills fast, but one which also contributed to subsequent governance problems. 

Moving fast and breaking things: the independent investigation of OBIE governance (2020-21)

In 2020, a whistleblower complained to the CMA that OBIE was “devoid of basic governance.” Other complaints included that there was “No one at the helm” and there was a “total lack of accountability.” Allegations included that there were conflicts of interest in the hiring of contractors, that bullying and discrimination had taken place in the decisions to renew or terminate contracts, and that basic channels were lacking to address growing complaints of toxic work culture.

To investigate these claims, CMA appointed Alison Whyte to oversee an Independent Investigation as to whether OBIE was in fact properly managed. Made public in October 2021, the Investigation report concluded that while “...the Trustee and Program Director did an effective job of delivering the open banking program. ...Insufficient attention was paid to management of OBL as a limited company.” Some of the specific complaints resulted from a lack of clarity over key roles and from having too much power vested in one person, the Trustee, who was responsible for leading implementation while also overseeing it and the participants. The investigator concluded that the company Open Banking Ltd would have benefited from having at least one additional independent non-executive director throughout with a clear mandate of maintaining oversight.

In short, the apparent effectiveness of OBIE in delivering the outcomes desired by the CMA Order had come at a price. The structure had enabled rapid progress but in hindsight, it was not suited to overseeing a longer-term project which had accumulated a wider and lasting remit. 

The Governance of Open Banking 2.0 (2022 onwards)

The initial roadmap to deliver on Open Banking as required in the CMA Order is expected to be achieved by 2022. Is there then still a need for a central infrastructure, that is, an OBIE in some form, and if so, in what form? 

As the trade body for UK banks and financial service providers, UK Finance tabled a comprehensive set of proposals in March 2021 to address this question. These proposals essentially envisaged that OBIE would continue, but transition to become an independent entity without a trustee and with a board made up of an independent chair with 7 NEDs who would represent participants as well as users. The CMA invited a public consultation on these proposals and on what arrangements should follow. 

The then Trustee, Imran Gulamhuseinwala, vigorously opposed key elements of this proposal, arguing that “whilst the implementation requirements of the order are coming to an end, the outcomes sought by the Order have not yet fully materialized.” Specifically, he argued for the need to continue to:

• Have an independent Trustee Function which has powers to direct the new OBIE and monitor its work independently, and the trustee should be appointed as a Non executive director on its new board; and 
• Undertake ecosystem support as a mandated public good, not reliant on good will of banks as funders.

Following the publication of the Investigation, Gulamhuseinwala resigned in early October 2021. CMA appointed a new interim Chair and Trustee, followed by the appointment of an independent non-executive director in response to the findings of the inquiry. On 5 November 2021, OBIE issued a call for expressions of interest in a second NED appointment which would last for 6 months, presumably while the future structure is agreed. 

Lessons for governance of DPI

What are we to make of this case in all its complexity? 

In all its simplicity, the 2016 CMA Order seemed to establish the main elements for an effective governance structure for a digital infrastructure builder: one which had both sufficient power (as a result of being backed by regulation) and resources (as a result of the levy on banks), while also the flexibility (as a non-government entity) enabling it to make rapid and effective progress in a complex and contested environment. While cost overruns are all too common in infrastructure projects, effective delivery on a large DPI project is far less common. If OBIE were rated as a tech startup barely more than three years in the market, it would receive loud plaudits. 

However, the parallel to a tech startup doesn’t stop there: the patterns of toxic behavior uncovered by the Investigation also sound rather like some of the stories from other successful tech startups in recent years--think Uber, for example. But OBIE was not a private venture; rather it was a very visible vehicle for a public-private partnership in a contested market space. The level of scrutiny was always going to be higher for OBIE. 

In retrospect, the very simplicity of the CMA Order meant that there was insufficient clarity about key roles (such as Trustee and Director); and especially that checks and balances for greater accountability were lacking. These are timeless corporate governance considerations. The lesson from the OBIE case to date is not that the use of special-purpose structures like OBIE is risky per se, but rather that it is possible to double down on the elements which can make these structures both effective and accountable; and to equip regulators and boards to play the roles expected of them. 

It should be possible to move fast enough in the building of new Digital Public Infrastructure while breaking fewer things.