- INTRODUCING FiDA
Open Finance is said to help democratise the financial services industry. It will allow customers[1] to be more digitally mobile and monitor, manage or share their financial data as they wish with entities from various financial sectors. The first formal step towards Open Finance in the EU was taken in June 2023, when the EU Commission published a proposal[2] for a Financial Data Access Regulation ("FiDA" or "Proposal").
This initiative builds upon the foundation laid by Open Banking, introduced in 2018 through the Second Payment Services Directive (PSD2)[3], which allowed third-party payment service providers to access customers' payment accounts maintained by other institutions.
FiDA, as a centrepiece of the initiative for Open Finance in the EU, goes a step further and makes financial data accessible. It also incorporates new tools for data sharing, such as the permission dashboard and financial data sharing schemes.
- OBJECTIVES OF FiDA
FiDA aims to facilitate the development of innovative data-driven financial services and ensure customer confidence and trust in data sharing.[4] Therefore, FiDA aims to ensure that customers will be enabled to better control access to their financial data.[5] The basic tenet of FiDA is that the financial data must be shared among financial institutions if requested by the customer.[6] The request must comply with a valid legal basis as referred to in the General Data Protection Regulation (GDPR)[7] if personal data is to be shared.[8] Consequently, the customer can decide whether his or her financial data, and its intrinsic value, will be used by other financial institutions. After permission to access is granted to an individual institution, it may, for example, analyse the customers' needs and preferences to offer tailored products.[9] On the other hand, the financial institution that was requested by the customer to share the data (also referred to as the data holder) may under certain circumstances claim compensation from the other financial entity (also referred to as the data user) for making customer data available.[10] In summary, FiDA promises to deliver benefits for financial institutions and customers.[11]
- SCOPE OF FiDA
FiDA generally applies to financial institutions, that is, credit institutions, payment institutions, investment firms, e-money institutions, crowdfunding service providers and crypto-asset service providers.[12]
The Proposal allows access to and sharing of a broad set of financial data, including but not limited to customer data on mortgage credit agreements, loans, savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and related financial assets and pension rights.[13] Therefore, FiDA expands the access rights to financial data outside payments.[14] More sensitive information, such as data related to sickness and health insurance products, is excluded from FiDA.[15]
The data use perimeter[16] constitutes limits to the use of data covered by FiDA and shall provide a proportionate framework on how personal data related to a customer that falls within the scope of FiDA shall be used.[17]
Pursuant to Art. 7 of FiDA, the processing of customer data that constitutes personal data is only permitted to the extent necessary for the purposes for which it is processed. The current draft of FiDA does not specify what this means in practice. Further guidance on this will be provided by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA).
FiDA does not only apply to financial institutions but also to the newly introduced Financial Information Service Providers (FISPs). According to the current Proposal, FISPs are entities that have obtained an authorization from the competent authority to access customer data for the provision of financial information services.[18]
Unfortunately, the current Proposal contains neither more detailed information on FISPs nor a definition of financial information services. To our understanding, FISPs are non-financial entities which are authorised by competent authorities to access customer data within the meaning of FiDA. Therefore, FiDA, like DORA[19], will likely lead to a further regulation of non-financial entities. Additionally, Art. 35 FiDA amends DORA to the effect that DORA also applies to FISPs.
- NEW DATA SHARING TOOLS
Because customers may permit access to their financial data under FiDA, it introduces a permission dashboard in which customers' permissions will be managed in real time. Through the dashboard, customers can grant, withdraw, and re-establish permissions for data access.[20] The dashboard shall contain an overview of each ongoing data permission, including the name of the data user, the customer account, the financial product/service to which the access was granted, the purpose of the permission, the categories of data being shared, the period of validity of the permission and a record of permissions that have been withdrawn or have expired for a duration of two years.[21]
Another new development under FiDA is the introduction of a financial data sharing scheme (FDSS). FiDA currently only provides a high-level overview of the FDSS and leaves several practical questions unanswered. However, the Proposal sets out that entities within the scope of FiDA shall establish and join an FDSS within a specified timeframe and that the schemes shall develop data, interface and contractual standards.[22] The contractual framework shall inter alia stipulate how the data will be accessed or shared among the members, the governance rules and transparency requirements.[23] Further, the members shall agree on a maximum compensation for making the customer information available to another member when establishing the FDSS.[24] The maximum compensation must be reasonable, be based on an objective, transparent and non-discriminatory methodology and be based on comprehensive data collected from the market.[25]
The establishment of the FDSS promises to ensure fair data access between the members of the FDSS and to help maintain a level playing field among them. As FiDA leaves many of the decisions in relation to the concrete set-up of the scheme to the FDSS and their members, it remains to be seen whether this will be achieved in practice with FiDA.
- TIMELINE
Currently, FiDA is just in the proposal stage and is expected to be applicable only from 2027. Nevertheless, it is surely worth starting to prepare now, as FiDA sets out extensive technical requirements which would need diligent preparatory work. At the least, each market participant should examine the individual opportunities and challenges that FiDA may entail.
Authors: Timo Bühler, Carina Junker and Khrystyna Stetsyshyn.
[1] Under FiDA, customer means a natural or legal person who makes use of financial products (Art. 3 no. 2 FiDA).
[2] EU Commission, COM(2023) 360 final, 2023/0205(COD), Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for Financial Data Access ("FiDA").
[3] DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market.
[4] FiDA, recitals 2, 3 and 5.
[5] FiDA, Explanatory Memorandum, p. 1.
[6] Arts. 4, 5 FiDA; FiDA, recital 10.
[7] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
[8] FiDA, Explanatory Memorandum, p. 9.
[9] BNP Paribas: FiDA regulation: open finance in the EU (last visited on 28 January 2025); FiDA, Explanatory Memorandum, p. 2.
[10] Art. 5 para. 2 FiDA.
[11] BNP Paribas: FiDA regulation: open finance in the EU (last visited on 28 January 2025).
[12] Art. 2 para. 2 FiDA.
[13] Art. 2 para. 1 FiDA.
[14] Regarding Open Finance: BaFin, Open banking and open finance (last visited on 28 January 2025).
[15] Art. 2 para. 1 (e) FiDA; FiDA, recital 9.
[16] In Art. 7, FiDA introduces the idea of a data use perimeter, which shall establish rules on the use of personal data and shall constitute an additional safeguard. EBA and EIOPA shall develop guidelines in this regard.
[17] FiDA, recital 19.
[18] Art. 3 no. 7 FiDA.
[19] REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector ("DORA").
[20] FiDA, Explanatory Memorandum, p. 9; Art. 8 para. 2 FiDA.
[21] Art. 8 para. 2 FiDA.
[22] FiDA, Explanatory Memorandum, p. 9 et seq.
[23] FiDA, Explanatory Memorandum, p. 10.
[24] Art. 10 para. 1 (h) FiDA.
[25] Art. 10 para. 1 (h) FiDA.