The EU’s proposed Financial Data Access Regulation (FiDA) seeks to ensure the EU’s financial sector is fit for purpose and adaptive to the digital transformation, and the risks and opportunities it presents. The proposed framework builds on the already existing ‘open banking’ access to customer data held by account-servicing payment service providers and takes a customer-centric approach by ensuring that all consumers and firms have effective control tools over their financial data.
The proposed regulation forms part of the Digital Finance Package which, apart from the proposed FiDA, proposes amendments to PSD2 as well as the establishment of a Payment Services Regulation. It also provides additional tools to ensure personal data protection in line with the GDPR and applies the general principles of business-to-business data sharing in line with the proposed Data Act.
FiDA establishes a framework governing access to and use of customer data in finance. Financial data access refers to the access to and processing of business-to-business and business-to-customer (including consumer) data upon customer request across a wide range of financial services.
The Regulation establishes the rules in line with which certain categories of customer data in finance may be accessed, shared, and used. It also establishes the requirements for the access, sharing, and use of data in finance, the respective rights and obligations of data users and data holders and the respective rights and obligations of Financial Information Service Providers (FISPs) in relation to the provision of information services as a regular occupation or business activity.
FISPs are data users that are authorised under FiDA to access customer data for the provision of financial information services. Customer data refers to personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of its normal course of business with customers, covering both data provided by a customer and data generated as a result of customer interaction with the financial institution.
FiDA places a number of obligations on data holders and governs the way these obligations are to be exercised. These include:
The processing of customer data that constitutes personal data is to be limited to what is necessary in relation to the purposes for which they are processed. Furthermore, the Regulation seeks to ensure that customers that refuse to grant permission to use sets of their data will not be refused access to financial products just because they refused to grant permission. Customers will also be provided with financial data access permission dashboards to ensure they can monitor their data permissions by being able to access an overview of their data permissions, grant new ones and withdraw permissions if necessary.
Within 18 months from the entry into force of the FiDA Regulation, data holders and data users are to become members of a financial data sharing scheme governing access to the customer data. The aim of such schemes is to bring together data holders, data users and consumer organisations; they should develop data and interface standards, set the coordination mechanisms for the operation of financial data access permission dashboards as well as a joint standardised contractual framework governing access to specific datasets, the rules on governance of these schemes, transparency requirements, compensation rules, liability, and dispute resolution.
Indeed, Article 10 of the Regulation sets the governance processes of such a scheme, including the rules on the contractual liability of its members and the mechanism to resolve disputes out-of-court. It also provides for the development of common standards for the sharing of data and the creation of technical interfaces to be used for the sharing of data. Such data-sharing schemes must be notified to the competent authorities and must benefit from a passport for operations across the EU; for transparency purposes, the schemes must be part of a register to be maintained by the EBA. The minimum arrangements for a financial data sharing scheme should also state that data holders must be entitled to compensation for making the data available to data users, according to the terms of the scheme they are both part of. Compensation in any case must be reasonable, based on a clear and transparent methodology previously agreed by the scheme members and should aim to reflect at least the costs incurred for making available a technical interface to share the data requested.
The Regulation also sets out the provisions on authorisation and operating conditions of FISPs. It sets out the requirements for an application for authorisation as a FISP, the appointment of a legal representative where the FISP does not have an establishment in the Union, the scope of the authorisation, their organisational requirements and the EU passport of FISPs. The EBA shall operate and maintain a register of FISPs and data sharing schemes; such register shall only hold anonymised data.
The Regulation is expected to enter into application 24 months after its entry into force, although certain provisions relating to financial data sharing schemes and the application for authorisation of FISPs shall enter into application 18 months after the Regulation’s entry into force.
For information or assistance relating to the EU Framework for Financial Data Access or matters relating to Financial Services please contact Dr Ian Gauci and Dr Cherise Abela Grech.