Regulatory frameworks like Know Your Customer (KYC), Anti-Money Laundering (AML), and Open Banking were designed to broaden and protect economic opportunity, ensuring security, financial inclusion, and trust at scale. However, over time, these frameworks have become highly centralised within federal agencies and financial institutions, to this point limiting their applicability beyond those spheres.

Rather than fostering widespread innovation, these regulations have inadvertently created a policy-first economy, where compliance dictates the rules of engagement, and only institutions that can afford the regulatory burden, like large banks, financial firms, and federal governments, have been able to fully participate.

We are now at a transition point where these programs should begin to open up across industries. But how will this shift occur, and what are the real benefits? If financial institutions have successfully implemented digital identity, secure transactions, and real-time data sharing, why haven’t other sectors followed suit at the same pace? Has digital public infrastructure evolved from an enabler of innovation into a constraint that slows broader adoption?

The Regulatory Capture of Technology

Over the past two decades, banking and finance have undergone significant transformation due to regulatory pressures such as AML, KYC, and Open Banking initiatives like PSD2 in Europe. These policies have forced financial institutions to refine their digital identity verification processes, develop secure payments infrastructure, and standardise customer data management.

Centralised identity verification systems, digital wallets, and interbank data-sharing standards have emerged as byproducts of these regulatory requirements, enabling more secure transactions, enhanced fraud detection, and a seamless customer experience.

Importantly, these innovations have also been heavily driven by federal governments to foster new markets, stimulate economic development, and facilitate cross-border transactions. Especially in the context of digital IDs. While the underlying technologies, such as identity management, security, master data management (MDM), and integration, are not new, their application has largely been focused in fintech and shaped by top-down regulatory mandates rather than organic technological evolution.

Once a dominant policy position is established at the federal level, it can become self-contained within “the bubble”, limiting its applicability outside of that regulatory sphere.

Policymakers, despite introducing valuable compliance requirements, can often lack a deep understanding of the technology itself. Especially if those policy makers reside outside a central digital agency. This can lead to a misconception that they have created something fundamentally new when, in reality, they have only dictated the terms under which existing technologies must now operate. Usually within a specific sector.

This results in a critical challenge. Federal regulatory frameworks capture and reshape universal technologies, transforming them from flexible solutions into rigid compliance mechanisms. Then, instead of being widely adopted across industries, these technologies become locked into a policy-first paradigm that prioritises oversight, control, and national economic interests.

The consequence is that identity management, security, and data integration become policy artifacts rather than practical, adaptable tools that could benefit a wider range of sectors.

Furthermore, once these policy-driven frameworks take hold, they become difficult to repurpose for other contexts. Case in point, the financial sector, driven by compliance, has conformed to these frameworks, reinforcing the federal policy model rather than enabling broader innovation.

I think this dynamic creates a bottleneck where policy becomes the product, and success is measured by adherence rather than effectiveness or adaptability.

As a result, other sectors, struggle to access and apply these technologies in ways that fit their unique needs. As an example, I don’t know a single executive in the local government sector that thinks that KYC has any applicability to their business.

The Global Push for Digital Public Infrastructure: But Then What?

Practically, every country now seeks a Digital Public Infrastructure (DPI) strategy that defines their approach to Digital Identity, Payment Systems, and a National Data Exchange, aiming to establish themselves as global FinTech hubs. But once these foundational elements are in place, what comes next?

If the original goal of regulatory-driven frameworks was to broaden economic opportunity, enhance security, and drive innovation, why has following this same regulatory-first blueprint led many countries to build infrastructure optimised for compliance rather than innovation?

The fundamental challenge is that while DPI components are critical enablers, they do not inherently generate new economic opportunities or services on their own. Part of the issue is that DPI has not evolved as a true PaaS model, where digital identity, payments, and data exchange are simply services within a broader, adaptable digital ecosystem. Instead, stakeholders have continued applying new policies to existing technologies within legacy service delivery models, rather than allowing DPI to evolve at the pace of modern platform-driven innovation.

This raises a deeper concern: Are we treating policy as the product, rather than using it to enable the evolution of digital infrastructure itself? Once a nation establishes its DPI and FinTech hub, the challenge becomes in creating infrastructure that truly empowers citizens and businesses, not just the compliance-driven ecosystem itslef.

By focusing on compliance rather than adaptability, countries risk creating a policy-driven digital economy rather than one that is responsive to actual economic needs. If regulatory frameworks are to truly enable economic opportunity, they cannot be confined to the financial sector alone.

Policymakers must recognise that policy does not create technology. Technology exists independently of policy. The challenge is whether governments can proactively adapt and extend its benefits beyond the narrow confines of federal oversight and financial regulation, without over-reach.

The Practical Application of KYC Principles in Local Government

I mentioned KYC so let me quickly break that out. While financial institutions have successfully consolidated customer data into unified, regulatory-compliant frameworks, local governments remain encumbered by legacy systems that hinder a single view of the citizen.

A typical local government may store data across multiple, disconnected platforms for rates and property management, libraries, regulatory applications and permits, social services, and utilities. The absence of integrated identity verification leads to inefficiencies, redundancy, and suboptimal citizen experiences.

Unlike the financial sector, local governments have not been subject to the same regulatory pressure to unify customer data. Instead, modernisation efforts are often constrained by budget limitations, political cycles, and a lack of overarching policy direction at the state (insert your own state-based LG Association here), and federal (ALGA) level.

However, as digital government services continue to expand, the need for a standardised, secure, and interoperable approach to citizen data management becomes increasingly critical.

Master Data Management (MDM) projects provide a pathway for local governments to apply KYC principles to customer data. By consolidating citizen records across disparate systems (rather than blindly following the idea that they exist within a single NAR within a single ERP), local councils and municipalities can create a single source of truth, improving service delivery, reducing administrative inefficiencies, and enabling more data-driven decision-making.

One example of this in practice is the implementation of Digital IDs in city governments where MDM has been deployed. These councils can invite constituents to adopt a Digital ID that serves as a unified credential for interacting with local government services, covering everything from gym or library access and parking permits to rate payments and reg services.

If a resident moves outside the Local Government Area (LGA), their Digital ID is revoked, archived, or disposed of according to regulated records management policies. This not only strengthens security and compliance but also ensures that citizen data management aligns with best practice governance frameworks.

Secure authentication and digital identity management, key pillars of FinTech innovation, can significantly enhance public sector interactions, making services more accessible, personalised, and efficient. By applying these principles, local governments can modernise their digital service ecosystems without being constrained by compliance-driven innovation models.

Bottom Line

As governments push Digital Public Infrastructure (DPI) beyond finance and into other sectors, they may well face some resistance. Not because digital infrastructure is not right or unwanted, but because it has been framed as a compliance tool rather than an innovation enabler. Or simply because for years they have ignored every industry except finance.

The centralisation and digitisation of every individual’s interactions with government raise legitimate concerns about overreach, control, and unintended consequences. I think that means that if DPI remains a policy-first system, it will struggle to gain the trust and adoption needed for broader societal impact.

So the core question remains: Has policy become the product? And if so, what does that say about the true intent and effectiveness of these regulations?

The answer is pretty simple really. Free the policy through some strong PaaS partnerships. Then let the PaaS providers drive penetration through their industry practices.

Otherwise if countries do not rethink how DPI strategies evolve beyond compliance, they risk creating a digital governance system that serves policy objectives rather than economic or societal needs. And for DPI to truly benefit everyone, these frameworks must be reclaimed as tools for innovation, not just as regulatory instruments for compliance.