TL;DR: The FCA’s Smart Data Accelerator is using two TechSprints on SME finance and mortgages to test production-like journeys, dynamic rules, and permissions in a secure sandbox, according to Raidiam. The practical issue is not innovation speed alone, but whether identity, consent, and trust controls can hold up outside toy environments.
NHIMG editorial — based on content published by Raidiam: Raidiam appointed as technical delivery partner for FCA’s Smart Data Sprints
Questions worth separating out
Q: How should security teams govern open finance access across multiple organisations?
A: They should treat open finance as delegated identity governance, not just API integration.
Q: Why do sandbox tests often miss real-world identity risk in financial data sharing?
A: Because sandboxes often simplify participant behaviour, entitlement changes, and operational pressure.
Q: What breaks when dynamic permissions are not tied to explicit policy?
A: Access decisions become inconsistent, difficult to audit, and easy to reinterpret by different parties.
Practitioner guidance
- Validate consent journeys in production-like conditions Test the full permission path, including approval, delegation, revocation, and re-consent, in an environment that mirrors real participant behaviour and data volume.
- Translate trust framework rules into enforceable policy decisions Define how each partner is identified, authorised, and audited, then map those requirements into machine-enforceable controls rather than narrative agreements.
- Build lifecycle review into every external data-sharing programme Require joiner, mover, and leaver controls for all participants and service identities involved in data exchange, including explicit offboarding and access re-certification.
What's in the full analysis
Raidiam's full post covers the operational detail this post intentionally leaves for the source:
- How the FCA Smart Data Accelerator is structured across the SME finance and mortgages TechSprints
- How Raidiam Connect, NayaOne, and synthetic datasets are combined in the sandbox environment
- How participants were selected through a competitive application process
- How the FCA expects the sprint outcomes to inform future standards and sector-wide implementation
👉 Read Raidiam's update on the FCA Smart Data Sprints and open finance testing →
Smart data sprints and open finance: what changes for IAM teams?
Explore further
Production-like testing is the right answer to a governance problem, not a platform problem. Open finance and smart data fail when organisations assume that sandbox success predicts production safety. That assumption breaks because permissions, consent boundaries, and participant behaviour change once the environment carries real operational pressure. The practitioner conclusion is that governance validation must be part of the test design, not a post-launch review.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- In the same research, 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.
A question worth separating out:
Q: Who is accountable when a smart data permission is granted or revoked incorrectly?
A: Accountability should sit with the organisation that defines the policy and with the participant that enforces it, because both shape the effective control. In regulated ecosystems, the question is not only who clicked approve, but who owns the lifecycle, audit trail, and revocation path across the full data journey.
👉 Read our full editorial: FCA smart data sprints expose the real test for open finance