How will the European Commission's FiDA proposal for open finance impact the financial sector?

The future of financial services is digital and data driven. The promotion of data-driven financial services is a key priority for the European Commission. However, an obstacle for the Commission achieving these objectives is the absence of a framework for responsible access to customer data and the sharing of this data across the financial services industry.

In this context, the Commission published its draft proposal for a regulation on financial data access (FiDA) on 28 June 2023. FiDA allows for customers to grant access to their data held by financial institutions. This information can be used by other financial institutions to tailor finance products to the customer's needs or simply processes for accessing financial services.

For example, FiDA enables customers to grant an investment firm access to information on their current investments for the purposes of the firm's suitability and appropriateness assessment. Another example would be the sharing of information on various insurances held by a customer, which could then be combined in a central dashboard that helps customers better manage their risks.  

FiDA provides for a framework regarding the manner in which data can be accessed and shared, while customers are protected against the risks associated with sharing personal data.

Data sharing: the key principles

Financial institutions that hold customer data – the data holder – must, upon the instruction of their customer, share customer data with other financial institutions or with financial information service providers (FISPs) that wish to use that data – the data user.

Any sharing of data must take place pursuant to the rules and modalities of a financial data sharing scheme of which both the data user and the data holder are members.

Data holders must provide customers with a permissions dashboard to monitor and manage the permissions that a customer has granted to data users.

In-scope financial entities

FiDA applies to a broad range of financial institutions, or in-scope financial entities, as data holders or users.

In-scope financial institutions

• Credit institutions
• Payment institutions, including account information service providers and exempt payment institutions
• E-money institutions, including exempt e-money institutions
• Investment firms (Markets in Financial Instruments Directive (MiFID) firms)
• Markets in crypto-assets service providers and issuers of asset-referenced tokens
• Alternative investment funds managers
• UCITS (undertaking for collective investment in transferable securities) managers
• Insurance and reinsurance companies
• Insurance intermediaries and ancillary insurance intermediaries
• Institutions for occupational retirement provision
• Credit rating agencies
• Crowdfunding service providers
• Pan-European Personal Pension Product (PEPP) providers

In addition, FiDA applies to the newly introduced concept of financial information service providers (FISPs), which are separately authorised by the EU regulatory authorities to act as data users. The requirements that FISPs must comply with to become authorised are quite extensive. In order to obtain authorisation, FISPs must be established in the EU or must appoint a representative in the EU that can be held liable for non-compliance with FiDA. The authorisation as a FISP can be passported throughout the EU on a services or branch establishment basis.

FiDA in-scope data

In-scope financial entities are, upon the instruction of the customer, obliged to grant access to information with other in-scope financial entities and FISPs regarding:

• Mortgage credit agreements, loans and accounts, including data on balance, conditions and transactions, excluding payment accounts as defined in the revised Payments Services Directive (PSD2) (access is arrange for this data in the PSD2 itself).
• Savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets
• Data collected for suitability and appropriateness assessments in the context of MiFID2
• Pension rights in occupational pension schemes and PEPP products
• Non-life insurance products with the exception of sickness and health insurance products
• Data that forms part of a creditworthiness assessment

In accordance with the General Data Protection Regulation, processing of personal data must be limited to what is necessary in relation to the purpose for which they are processed.

Data sharing schemes

Any sharing of data must take place pursuant to the rules and modalities of a financial data sharing scheme, of which both the data user and the data holder are members. In-scope financial entities and FISPs must, therefore, become members of data sharing schemes.

The data sharing schemes will, among other things, determine: common standards for the technical interfaces to allow customers to request data sharing; the maximum compensation that a data holder can charge for making data available to the data user; and the contractual liability of data holders and data users in the event of, for example, inaccuracy or misuse of data.

Market participants themselves are responsible for the formation of data sharing schemes. The establishment of a data sharing scheme is subject to notification to the regulatory authorities of the three most significant data holders that are members of the scheme. The relevant regulatory authorities (which can be more than one) must within one month assess whether the data sharing scheme complies with FiDA requirements. If so, the data sharing scheme shall be notified to the European Bank Authority, as a result of which it is recognised as a compliant data sharing scheme in all EU member states. Data sharing schemes must be open to participation by any data holder and data user that comply with the objective criteria set by the scheme.. All members of a data sharing scheme must be treated equally.

In the event that no data sharing scheme is established for one or more categories of data, the Commission can adopt a delegated act which sets out the modalities under which a data holder must make customer data available to a data user.

Permissions dashboard

Data holders must provide customers with a permissions dashboard to monitor and manage the permissions that a customer has granted to data users. The dashboard, among other things, provides an overview of permission granted to data users and allows customers to withdraw the permission.

Osborne Clarke comment

FiDA is currently in draft stage and subject to negotiations between the Commission, European Parliament and Council of the EU.

FIDA will start to apply 24 months after its entry into force, with the exception of the obligations relating to data sharing schemes and the authorisation requirement for FISPs, which will apply starting 18 months after FIDA enters into force.

FiDA brings opportunities to further develop open finance across the financial services industry, such as the launch of innovative products and services which are better tailored to the position of individual customers.

Financial institutions will, however, also face several challenges resulting from FiDA:

• Data sharing schemes have to be set up from scratch and financial institutions must join these schemes within 18 months after FiDA enters into force.
• API interfaces must be developed and implemented via which the broad scope of data can be shared real time
• Robust data management protocols must be implemented to safeguard privacy, security, and compliance.