The European Commission’s new package on digital payments and financial data access (Part I): Financial Data Access
- September 2023
On the 28th of June, the European Commission has rolled-out an ambitious set of legislative proposals in financial data and digital payments sector:
While the proposal on digital euro will leave wide discretionary powers to European Central Banks, National Banks and and Member States, the other draft legislative acts will be mostly decided at European level, falling within internal market shared competences of the European Union (Article 114TFUE), with a pivotal impact on companies and businesses active in the digital financial and smart payments services.
In this second article (2/2), we analyse the Commission’s proposal for a Regulation on Financial Data Access (FIDA) designed with the purpose to establish new rights and obligations for financial data and better enable data sharing between the financial sector and other ones. Among other things, the regulation would oblige customer data holders (e.g. financial institutions) to make this data available to data users (e.g. other financial institutions or fintech firms) by putting in place the required technical infrastructure and subject to customer permission. Enhancing open banking could force large, established banks to be more competitive with smaller and newer banks, ideally resulting in lower costs, better technology, and better customer service
Regulation on Financial Data Access will impact many more financial institutions and services providers than expected
After having enabled payments account data under the revised Payment Services Directive (PSD3) and the new Payment Services Regulation (look at the previous article in case you have missed it), the Commission aims at facilitating conditions and requirements for the right to access, share and use of financial data in the European single market. In the views of the Commission, this proposal could lead to more innovative financial products and services for users and it will stimulate competition in the financial sector for businesses.
FIDA in a nutshell
Firstly, the new proposal for a Regulation on Financial Data Access (FIDA) will give European customers and businesses a new access right for financial data held by their financial service providers (data holder), such as granting and withdrawing permissions for their data to be accessed by eligible third parties, as well as full control over who accesses their data and for what purpose. This could be translated into a possibility but no obligation for customers to share their data with data users (e.g. financial institutions or fintech firms).
Secondly, the proposed legislation will oblige data holders, such as financial institutions, make certain customer data also available to other financial institutions and financial information service providers (FISPs), always on the customer’s request. The access must be granted based on generally recognised standards (e.g., technical interfaces), while financial institutions must provide customers with clear dashboards to monitor and manage the permissions, they provide to data users. Further requirements to access financial data might be required for overseas firms, like designating a person based in the EU to act on their behalf and other conditions.
The following financial institutions both as data holders and data users will be targeted by this regulation: credit institutions, payment institutions including account information service providers, electronic money institutions, crypto-assets issuers and crypto-asset service providers, investment and trading providers, alternative investment fund managers, insurance and reinsurance undertakings, credit rating agencies, crowdfunding service providers.
While very limited exemptions are foreseen, these financial institutions must also become members of one or more financial data sharing schemes in order to make data available, determining maximum compensation for making data available and setting contractual liability for data users. Additionally, data users will only have the possibility to read and view the contents of these data, but will not be able to initiate transactions on behalf of customers. Both aspects could affect the uptake and potential benefits of open finance. The Commission will also have the right to intervene where a scheme for a category of consumer data is not developed.
According to the FIDA Regulation, the processing of data should be restricted to the following main categories of customer data, but changes might occur during the negotiation phase between the European Parliament and the Council:
Mortgage credit agreements, loans and accounts, including data on account balance
Savings, investments in financial instruments
Input data collected for MiFID suitability and appropriateness assessments
Pension schemes and pan-European personal pension products
Non-life insurance products other than sickness, health or medical insurance products
Input data forming part of an application by a firm for a creditworthiness assessment
Interplay with other key European legislations
The new regulation will necessarily have to deal with other pieces of legislation related to privacy, security and competition. First and foremost, access of personal data will be subject to what is strictly necessary in accordance with the GDPR rules when there is a valid legal basis for doing so. For whom already raised few concerns about potential broader mandatory data access rights and its unintended consequences the GDPR should ensure sufficient protection of financial personal data.
Regarding possible effects on cybersecurity, the Digital Operational Resilience Act Regulation (DORA) might solve an important problem in the EU financial regulation and also in the FIDA Regulation. According to DORA, financial institutions have an obligation to follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. This should lay down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, putting an important safeguard to the access of financial data.
In terms of competition, the Digital Markets Act (DMA) will also require potential new gatekeepers of financial data to ensure contestability and fairness of data access and data portability. In both cases, the GDPR will apply as well, but the DMA should extend effective and high-quality data portability also to non-personal financial data collected by a gatekeeper. Even though it is unlikely to designate a gatekeeper of financial data, national competition rules might apply at national level where private banking institutions or financial institutions may adopt anti-competitive behaviours.
Finally, Competent authorities will have the power to issue administrative penalties for breaches of FIDA obligations. The administrative penalties and sanctions under the Regulation are substantial as they include fines for both natural and legal persons.
 The distinction between E-money institutions and payment institutions is disappeared. According to the proposed legislation, there will only be payment institutions, which can be granted authorization to offer e-money services as well.
 Customer data on payment accounts will be included under the PSD3.
 It shall apply from 17 January 2025.
As the other proposals, the FIDA Regulation will be debated during two different parliamentary terms making particularly difficult at this stage to foresee potential outcome from the political negotiations. The FIDA Regulation will be directly applicable in Member States when the Council and the European Parliament will agree upon and adopt a final text. A final version of the FIDA regulation is likely to be agreed around the end of 2024 / early 2025, then it would take up to 24 months to be applicable after its entry into force.
The fintech sector, currently representing a small 2% share of global financial services revenue, is estimated to reach $1.5 trillion in annual revenue by 2030, reaching the 25% of the total banking valuations. With the FIDA Regulation, European opening banking and digital financial services will certainly have an opportunity to scale up and grow in the upcoming years. Furthermore, established banks will have to do things in new ways that they are not currently set up to handle and spend money to adopt new technology. However, banks can take advantage of new technologies to strengthen customer relationships and customer retention by better helping customers to manage their finances instead of simply facilitating transactions. Consumers will then benefit from improved personal finance management and advice. SMEs would also be able to access a wider range of financial services and products, such as more competitive loans resulting from their creditworthiness data being more easily accessible.
A call for feedback on these three pieces of legislation is open until the end of October. Lighthouse will take a deep-dive in these proposals on payment services and closely follow the legislative process. If you have any questions about the potential impact of financial data and payment services package on the digital payments sector or interest in advocating your position with European policymakers our team is ready to help you!
As a public affairs firm based in Paris and Brussels, Lighthouse Europe supports its clients in the analysis of European mechanisms as well as National and European political priorities, particularly in the digital and environmental sectors. The EC package will create new opportunities for innovative digital companies and start-ups active in the financial and payment services sector and beyond. Lighthouse Europe seeks to bring valuable and diverse voices to the attention of regulators from more than 10 years. If you want a better understanding of the European regulatory framework in relation to your activity and make your voice to be heard, please do not hesitate to contact us: email@example.com.
By Filippo Guidi