The European Commission’s new package on digital payments and financial data access (Part I): Financial Data Access

While the proposal on digital euro will leave wide discretionary powers to European Central Banks, National Banks and and Member States, the other draft legislative acts will be mostly decided at European level, falling within internal market shared competences of the European Union (Article 114TFUE), with a pivotal impact on companies and businesses active in the digital financial and smart payments services.

 

In this second article (2/2), we analyse the Commission’s proposal for a Regulation on Financial Data Access (FIDA) designed with the purpose to establish new rights and obligations for financial data and better enable data sharing between the financial sector and other ones. Among other things, the regulation would oblige customer data holders (e.g. financial institutions) to make this data available to data users (e.g. other financial institutions or fintech firms) by putting in place the required technical infrastructure and subject to customer permission. Enhancing open banking could force large, established banks to be more competitive with smaller and newer banks, ideally resulting in lower costs, better technology, and better customer service

​

Regulation on Financial Data Access will impact many more financial institutions and services providers than expected

 

After having enabled payments account data under the revised Payment Services Directive (PSD3) and the new Payment Services Regulation (look at the previous article in case you have missed it), the Commission aims at facilitating conditions and requirements for the right to access, share and use of financial data in the European single market. In the views of the Commission, this proposal could lead to more innovative financial products and services for users and it will stimulate competition in the financial sector for businesses.

 

FIDA in a nutshell

 

Firstly, the new proposal for a Regulation on Financial Data Access (FIDA) will give European customers and businesses a new access right for financial data held by their financial service providers (data holder), such as granting and withdrawing permissions for their data to be accessed by eligible third parties, as well as full control over who accesses their data and for what purpose. This could be translated into a possibility but no obligation for customers to share their data with data users (e.g. financial institutions or fintech firms).

 

Secondly, the proposed legislation will oblige data holders, such as financial institutions, make certain customer data also available to other financial institutions and financial information service providers (FISPs), always on the customer’s request. The access must be granted based on generally recognised standards (e.g., technical interfaces), while financial institutions must provide customers with clear dashboards to monitor and manage the permissions, they provide to data users. Further requirements to access financial data might be required for overseas firms, like designating a person based in the EU to act on their behalf and other conditions. 

 

The following financial institutions both as data holders and data users will be targeted by this regulation: credit institutions, payment institutions including account information service providers, electronic money institutions[1], crypto-assets issuers and crypto-asset service providers, investment and trading providers, alternative investment fund managers, insurance and reinsurance undertakings, credit rating agencies, crowdfunding service providers.

 

While very limited exemptions are foreseen, these financial institutions must also become members of one or more financial data sharing schemes in order to make data available, determining maximum compensation for making data available and setting contractual liability for data users. Additionally, data users will only have the possibility to read and view the contents of these data, but will not be able to initiate transactions on behalf of customers. Both aspects could affect the uptake and potential benefits of open finance. The Commission will also have the right to intervene where a scheme for a category of consumer data is not developed.

 

According to the FIDA Regulation, the processing of data should be restricted to the following main categories of customer data, but changes might occur during the negotiation phase between the European Parliament and the Council:

• Mortgage credit agreements, loans and accounts, including data on account balance

• Savings, investments in financial instruments

• Input data collected for MiFID suitability and appropriateness assessments

• Pension schemes and pan-European personal pension products

• Non-life insurance products other than sickness, health or medical insurance products

• Input data forming part of an application by a firm for a creditworthiness assessment[2]

 

Interplay with other key European legislations

 

The new regulation will necessarily have to deal with other pieces of legislation related to privacy, security and competition. First and foremost, access of personal data will be subject to what is strictly necessary in accordance with the GDPR rules when there is a valid legal basis for doing so. For whom already raised few concerns about potential broader mandatory data access rights and its unintended consequences the GDPR should ensure sufficient protection of financial personal data.

 

Regarding possible effects on cybersecurity, the Digital Operational Resilience Act Regulation (DORA)[3] might solve an important problem in the EU financial regulation and also in the FIDA Regulation. According to DORA, financial institutions have an obligation to follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. This should lay down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, putting an important safeguard to the access of financial data.

 

In terms of competition, the Digital Markets Act (DMA) will also require potential new gatekeepers of financial data to ensure contestability and fairness of data access and data portability.  In both cases, the GDPR will apply as well, but the DMA should extend effective and high-quality data portability also to non-personal financial data collected by a gatekeeper. Even though it is unlikely to designate a gatekeeper of financial data, national competition rules might apply at national level where private banking institutions or financial institutions may adopt anti-competitive behaviours.

 

Finally, Competent authorities will have the power to issue administrative penalties for breaches of FIDA obligations. The administrative penalties and sanctions under the Regulation are substantial as they include fines for both natural and legal persons.

 

[1] The distinction between E-money institutions and payment institutions is disappeared. According to the proposed legislation, there will only be payment institutions, which can be granted authorization to offer e-money services as well.

[2] Customer data on payment accounts will be included under the PSD3.

[3] It shall apply from 17 January 2025.