At a time in which citizens struggle to efficiently control access and sharing of their data, the European Commission (“Commission”) decided to release, on 28 June, its long-awaited proposal to set out a comprehensive framework for financial data access (“FIDA”).
The proposal should be seen in the context of the Commission’s aspirations to strengthen new and technology-driven business models belonging to the “data economy.” The financial sector's strong focus on customer data and its informative value makes financial institutions a particularly suitable starting point for data sharing with other businesses. Notwithstanding the existing lack of clear rules on data-sharing, the perceived lack of access of customers to “their” data and of a standardised transfer format and interfaces is considered to hamper the growth of these business models.
Against this backdrop, the FIDA proposal, which was part of a broader package including legislative initiatives to review the current payments legislation and to establish a digital euro, will be a game-changer for accessing, sharing and processing financial data.
A glimpse into the new FIDA framework
Building on the lessons learnt from “open banking”, the Commission considered it necessary to establish a framework for access to individual and customer data across a wide range of financial services - beyond payment account data, which open banking targeted. This clear framework will be the basis for consumers and firms to be able to benefit from more tailored financial products and services.
It comes as no surprise that these new rules will have certain implications for financial institutions and fintech firms that collect, store and process customer data, as well as for customers. In this blog post, we set out how businesses and citizens will be impacted by this proposal, which contributes to putting in place a European financial data space, focusing on the scope, the main obligations for market players and the interlinkages with other pieces of EU legislation.
Which data is under the scope of FIDA?
After having assessed the key components of an open finance ecosystem, the Expert Group on the Financial Data Space considered that the proposal should cover B2C and B2B data that financial institutions collect, store and process as part of their normal interaction with customers, namely:
- data transmitted by the customers themselves and transaction data arising from customers’ interactions with their financial service providers;
- both personal data that relates to identified or identifiable individuals and non-personal data that relates to business entities or financial product features;
- specific types of customer data such as loans, savings, investments, occupational and personal pensions and non-life insurance; and
- input data collected for the purposes of (i) creditworthiness assessment of firms and (ii) carrying out an assessment of suitability and appropriateness of investments.
However, the proposal does not cover creditworthiness assessments of natural persons and life, sickness and health insurance since the legislator has considered that, in these cases, customer data is particularly sensitive, and the risks of financial exclusion may outweigh the potential benefits. It is worth flagging that EBA and EIOPA are expected to issue guidelines on the use of customer data from other sources for the purposes of these two use cases which are so far excluded from the scope.
Obligations on data holders and data users
Protecting customers’ data comes with the introduction of several obligations applying to those financial institutions which hold customer data (“data holders”) and those financial institutions which will have permission from customers to access that customer’s data (“data users”). “Financial institutions” is defined broadly and encompasses nearly all types of institutions regulated under European financial services legislation.
For instance, this proposal establishes that data holders would need to make this data available to the customer, upon request submitted electronically, without undue delay, free of charge, continuously and in real-time. Further, data holders must make customer data available to a data user upon a customer request, but only for the purposes for which the customer has granted permission.
Data users should only use data for the purposes and conditions agreed with the customer and should not store data for a longer period than required. The customer’s personalised security credentials should not be accessible to other parties.
Interestingly, data holders and data users must become members of a financial data sharing scheme according to which they will agree on contractual terms for sharing data that shall be completely standardised. Financial data sharing schemes will aim to bring together data holders, data users and consumer organisations, with a view to developing, among other things, data and interface standards, joint standardised contractual frameworks governing access to specific datasets and governance rules related to data sharing.
Interplay with other pieces of legislation
This piece of legislation fits in the broader European data strategy by ensuring full compliance with GDPR and focusing on customer consent for personal data. In addition, the proposal also builds upon the general principles of B2B data sharing established under the Data Act proposal, which was recently agreed at political level by co-legislators. In fact, the concept of data sharing schemes introduced by the Data Act is picked up in this proposal.
Furthermore, this proposal is fully consistent with the recently published proposals on PSR and PSD (on which, see our blog post) as well as with key principles for data access and processing established by the Data Governance Act and the Digital Markets Act.
Outlook and remaining challenges
The Commission’s proposal still needs to pass through the EU legislative process, and it will be subject to discussion and further amendments by Members of the European Parliament (“MEPs”) and Member States in the Council of the EU. In the meantime, the Commission has already published its regular 8-week call for feedback on the adopted proposal, which runs until the end of the summer. The main goal of this consultation is to present the key takeaways from the input given by impacted stakeholders to MEPs and Member States in the Council of the EU, with the aim of feeding into the legislative debate.
It is very early to predict what the most controversial issues will be during upcoming discussions, but we expect co-legislators to prioritise what types of data will be in scope, consumer protection measures, broad mandatory data access rights and ensuring a level playing field among market participants.
While discussions will not kick off until September, we expect the Commission to present the proposals to co-legislators, and MEPs to appoint the negotiating teams for this proposal, in the coming weeks. In terms of timing, according to the Commission’s proposal, the provisions dealing with financial data sharing schemes and eligibility for data access are expected to apply 18 months after the entry into force of FIDA, with the rest of the provisions applying 24 months after entry into force.