Financial Services

European Commission introduces proposal for an open finance framework

Published on 29th Jun 2023

A draft Open Finance Act's framework for financial data access builds on 'open banking' rules: what are its main elements? 


The European Commission has published (28 June 2023) its proposal for a regulation on a framework for financial data access, along with proposals for a directive on payment services and electronic money services and a regulation on payment services in the internal market.

This draft Open Finance Act aims to introduce a legal framework regulating the access and use of customer data in the financial sector.

Data-driven innovation has the potential to significantly affect all sectors of the economy, including the financial industry. Financial institutions are already leveraging data to provide new types of services and products. In recent years, the financial sector has experienced a major shift of the regulatory landscape with the introduction of rules on access to account (known as XS2A) under the revised Payment Services Directive (PSD2) (Directive 2015/2366). These "open banking" rules introduced data sharing rights for third-party providers (TPPs) to access customer data regarding payment accounts and associated payment transactions.

The open finance initiative builds on the open banking principles laid down under PSD2 and aims at broadening the set of data to be shared within the financial industry, setting rules to regulate how this will be achieved and regulating the market participants.

What is open finance?

Open finance refers to third-party service providers’ access to customer data held by financial institutions for the purposes of providing financial and information services. Essentially, the draft Open Finance Act would establish a legal framework for data sharing within the financial industry.

To do so, the draft regulation introduces an obligation for financial institutions (data holders) to make their customer data available to customers at first request and share this data with other regulated entities (data users) upon customers' requests.

Who's concerned?

The rules laid down in the draft Open Finance Act will apply to multiple categories of financial institutions when they act as "data holders" or "data users".

Data holders refers to entities that would be subject to an obligation to grant access to and share customer data under the draft Open Finance Act. In contrast, the term data users refers to regulated entities that, following a customer's permission, lawfully access the customer data under the draft Open Finance Act.

This includes credit, payment and e-money institutions, investment firms, crypto-asset services providers, issuers of asset-referenced tokens (as recently introduced by the Markets in Crypto-assets Regulation), alternative investment funds and UCITS (undertakings for collective investment in transferable securities) management companies, insurance and reinsurance undertakings, insurance intermediaries (both as a main or ancillary activity), pension funds, credit rating agencies, crowdfunding platforms and financial information services providers.

Which categories of data are involved?

Building on the foundations of open banking, the draft Open Finance Act would broaden the scope of financial data to be shared to the following categories:

  • The balance, conditions and transactions of mortgage, credit and savings accounts.
  • Savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets and the economic benefits derived from such assets.
  • Data collected for the purposes of suitability and appropriateness tests under Markets in Financial Instruments Directive II (Directive 2014/65/EU).
  • Pension rights in occupational pension schemes within the scope of Institutions for Occupational Retirement Provision II (Directive 2016/2341) or Solvency II (Directive 2009/138/EC) as well as pension rights on the provision of European personal pension products regulation (Regulation 2019/1238).
  • The provision of non-life insurance products under Solvency II (exception made for sickness, health or medical insurance products).
  • Data used in companies' applications for a creditworthiness assessment.

The draft regulation excludes – although it is not clearly stated – the following categories of data from its scope:

  • Data regarding the assessment of consumers' creditworthiness (credit score).
  • Data regarding life and health insurance.

Due to their highly sensitive character, the draft proposal considers that their use would entail significant risks of financial exclusion.

This means that the sharing of data for these categories is excluded from the scope of the draft Open Finance Act.

Furthermore, the draft Open Finance Act provides that the European Banking Authority and the European Insurance and Occupational Pensions Authority should establish guidelines to regulate how personal data regarding consumers that are in scope can be used for assessing their creditworthiness, as well as their pricing and risks for life and health insurance.

These guidelines should be consistent with the scope of the draft Open Finance Act, which excludes the sharing of customer data regarding consumers' creditworthiness and data related to life and health insurance.

What are the rules regulating data sharing?

Despite their unprecedented nature, open banking rules introduced by PSD2 have had a mixed impact on the industry.

They have fostered innovation, with traditional banks and fintechs leveraging these rules to offer new services or develop new business models. However, there were some important issues. Traditional banks have been forced to share their data free of charge through application programming interfaces (APIs), the development of which incurred significant costs for them. As a consequence, they had no incentive to develop high-quality APIs, which resulted in many technical issues for TPPs trying to access payment account data.

There were significant differences in the way API requirements have been implemented, which led to a wide variety of data formats and a fragmentation of the market.

The draft Open Finance Act intends to rectify these mistakes by introducing a compensation system for data holders, imposing standardisation requirements, establishing financial data sharing schemes to develop coordination mechanisms within the industry and introducing permission dashboards for customers to monitor their data permissions.

Data-sharing compensation

In order to incentivise data holders and allow them to monetise the sharing of their customer data, the draft regulation introduces a compensation system for the data shared by data holders. In practice, it requires data holders to share their customer data through APIs against compensation.

The compensation system implements the principles laid down in the Commission's proposal for a regulation on harmonised rules on fair access to and use of data (article 9): a draft Data Act for business-to-business (B2B) data sharing. These principles are:

  • Data holders must make data that is in scope of the draft regulation available to their customers free of charge, continuously and in real time.
  • When data holders make customer data available to a data user that is a micro, small or medium company, they are entitled to a compensation that would not exceed the costs directly related to making data available.
  • When data holders make customer data available to any other data users, they are entitled to compensation that should be reasonable and based on an objective calculation methodology to be established by financial data sharing schemes.

Common standards

The draft regulation introduces an obligation for market participants to develop common standards for customer data and interfaces concerning data that are subject to mandatory access, as part of the "financial data sharing schemes" facilitated by the draft Open Finance Act.

When sharing customer data within the context of the Open Finance Act regulatory framework, data holders and data users would have to comply with the standards for data and APIs developed by the financial data sharing schemes.

Financial data sharing schemes

The draft Open Finance Act also establishes a framework for the creation and governance of the financial data sharing schemes.

These organisations would bring together data holders, data users and consumer organisations in order to develop data and interface standards, to set the coordination mechanisms for the operation of financial data access permission dashboards as well as to establish a joint standardised contractual framework governing access to specific datasets.

Financial data sharing schemes would also be tasked among others with:

  • Adopting rules regarding the contractual liability in case data shared is inaccurate, or of inadequate quality, data security is compromised or the data is misused.
  • Establishing a dispute resolution system.
  • Establishing a methodology to determine the compensation for making customer data available in accordance with the terms of the schemes.

The draft regulation makes it mandatory for both data holders and data users to become members of one or more financial data sharing schemes and abide by the rules of these schemes when sharing data.

Customer control

Given the significant amount of data that would be shared as a result of the implementation of the draft Open Finance Act, it also aims at providing customers with tools to have effective control over their data and manage permissions they have granted to data users.

To this end, the draft Open Finance Act introduces an obligation for data holders to provide their customers with a financial data access permission dashboard.

That dashboard would allow customers to monitor their data permissions by providing them with an aggregated view of their data permissions, grant new permissions and withdraw permissions when they wish.

New market entrants

Finally, the draft Open Finance Act would introduce a regulatory status for financial information service providers (FISPs).

As is the case for TPPs under PSD2, the draft Open Finance Act introduces a new category of regulated third-party providers that would be allowed to access customer data under the draft regulation for the provision of financial information services.

FISPs would be subject to a licensing regime similar to that of account information service providers (AISPs) under PSD2 and subject to the same types of prudential requirements.

It is worth noting that given the nature of AISPs' business activities, the draft Open Finance Act provides for a review clause for the Commission to assess the possibility of integrating AISPs into the regulatory status of FISPs.

Osborne Clarke comment

The Open Finance Act intends to establish a harmonised regulatory framework for a European financial data space.

It is an ambitious legal initiative that, if adopted, would have a significant impact on the financial industry.

However, at this stage, it remains a work in progress and, given the nature of the rules it aims at implementing, it is expected to be subject to heavy discussions and lobbying.

The question remains as to how far this regulatory framework will go to regulate data sharing within the financial industry and whether it would leave the industry with some room to regulate itself. In its current state, the legislative proposal seems to grant the financial industry and its actors some freedom to regulate themselves and adopt their own common standards through financial data sharing schemes.

However, it is unclear whether, in its final form, the Open Finance Act will keep such a self-regulatory approach or whether it will revert to more stringent rules with no room for interpretation and little room and competences for financial data sharing schemes.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
