On 28 June 2023, the European Commission published a proposal for a regulation on a framework for financial data access (FiDA) with a view to promoting open finance and data-driven finance.
In addition to FiDA, the European Commission also published on 28 June 2023 the payment service package consisting of the Payment Services Directive 3 (PSD3), which modernises PSD2, and the payment service regulation. The payment service package bears testament to the European Commission’s priority to improve the existing regulatory regime and consumer protection in the field of data sharing.
The legislative process is at an early stage and discussions have not yet started between the European Commission and the European Parliament. Furthermore, the forthcoming 2024 European elections will influence the European legislative agenda. Once adopted, the Financial Data Access regulation should apply 24 months after its entry into force.
What is FiDA’s primary objective?
FiDA’s primary objective is to boost digital transformation in the financial sector by speeding up the adoption of data-driven business models and the development of open finance.
Financial institutions, consumers, and financial market participants will benefit from a simplified access to financial data. This will enable the provision of financial products and services tailored to customers’ needs and expectations.
About the Financial Data Access regulation
FiDA primarily relies on customer permission for the sharing of data. Consent is indeed at the core of this open finance regulation as the obligation to share data must be at the request of customers.
The sharing of payment account data based on customer permission within the European Union is transforming the way consumers and businesses use and shape banking services. From a regulatory standpoint, the revised Directive (EU) 2015/233 on payment services in the internal market paved the way to open, data-driven finance.
FiDA expands the type of data eligible for sharing beyond mere payment account data. With this legislative proposal, the European Commission intends to put forward an effective open finance framework for the sharing of customer data across the financial sector by removing existing barriers and improving existing models under PSD2.
Attaining the objectives sought by FiDA means that the scope of the regulation should encompass an extensive range of entity types, acting as data holders or data users, as well as types of data and products.
Scope of the Financial Data Access regulation
Under the Financial Data Access regulation, entities holding customer data (data holders) will have to share customer data (customer) with third parties (data users). Any such data sharing process will be implemented according to data sharing schemes. Furthermore, permission dashboards will be made available to customers, notably to help control the permissions granted.
Customer data in the scope of FiDA
Under FiDA, the notion of customer data encompasses personal and non-personal data that financial institutions typically collect, store, and process as part of their normal interactions with customers, who can be either natural persons or business customers. Article 2(1) of FiDA provides an inventory of the data in scope. Data related to the investments in financial instruments is captured by the regulation.
Entities in the scope of FiDA
The list of entities acting as data holders or data users under the Financial Data Access regulation is provided for in Article 2(2) of the regulation. Credit institutions, investment firms, crypto-asset service providers, managers of alternative investment funds, or UCITS are notably all in the scope of FiDA.
Financial information service providers (FISP) are a new category of regulated service provider, the regime of which is disclosed and specified in FiDA.
How does data sharing work under FiDA?
The data access regime is disclosed in Title II of FiDA and primarily relies on data sharing schemes and the implementation of permission dashboards.
As a general principle, data holders must make customer data available to data users upon and as per the request of a customer:
- Customer data must be made available without undue delay, continuously, and in real-time
- The access and information being made available are limited by the terms of the permission granted by the customer
- This permission is reversible, which means that customers are entitled to withdraw it
Furthermore, data holders must provide customers with a permission dashboard to allow the latter to monitor and manage the permissions granted. Data holders must ensure that permission dashboards are “user friendly” and easy to access.
In addition, financial data sharing schemes governing access to customer data will have to be implemented within 18 months after the entry into force of the Financial Data Access regulation, so 6 months prior to the effective entry into application of the regulation. Article 10 of the Financial Data Access regulation provides for a dedicated governance regime of financial data sharing schemes and the possibility to determine a maximum (reasonable) compensation a data holder is entitled to charge for making data available through an interface. The implementation of a contractual approach and monetisation are two key elements of the data-sharing schemes.
Supervision under FiDA
Competent authorities designated by EU Member States will be empowered with investigatory and sanctioning powers, notably to investigate potential breaches of the Financial Data Access regulation and to impose administrative penalties and other administrative measures.
Our regulatory intelligence
Industry implications of FiDA
With FiDA, the European Commission paves the way to open finance and a data-driven economy in the financial sector. Because of the broad perimeter of entities concerned and the types of data in scope, FiDA is indeed likely to foster the development of new data-driven business models. It is however raising major operational challenges and strategic concerns for the industry.
Implementing all the principles laid down in FiDA is indeed likely to expose financial institutions to new challenges, whether they act as data holders or as data users. Financial information service providers (FISPs) are set to become major players of the open finance ecosystem and will need to develop in a coherent manner.
Customers are placed at the centre of the decision process of the EU’s open finance framework. They are empowered to decide who can access their data for the purpose of obtaining financial information and services.
Market participants and market associations have identified and highlighted elements that will require further clarification as the legislative process moves forward. The perimeter of key notions such as the notion of customer and customer data are being discussed. The mechanics of the data-sharing schemes are also being considered. The coming months will therefore be very important for FiDA and for market players. It cannot be excluded that the text will evolve during the legislative process.
Securities Services’ view
We commend this initiative and the efforts to strengthen data sharing and third-party access for a wide range of financial services and products.
Business models will evolve with the entry into application of the Financial Data Access regulation. We are at the very beginning of the legislative process and clarifications are expected on certain key notions. These clarifications should aim to provide market participants with a more comprehensive view of FiDA and its implications, notably the connection of the Financial Data Access regulation with other regulations around data, the incorporation of ESG elements, and the way in which authorities intend to act on of the lessons learned from PSD2.
This article was published in January 2024. It highlights some of the main points included in the legislative proposal published by the European Commission. This legislative proposal will evolve over the coming months.
Key dates of FiDA
 Title V of FiDA (Eligibility for Data Access and Organisation) contains specific provisions and regime to be authorised as FISP which are allowed to act as data user and not as data holder.
 Detailed regime with quantum of fines is contained in Articles 20 to 22 FiDA