In recent years, the financial sector has witnessed a paradigm shift with the advent of digital technologies, leading to an increased call for transparency, accessibility, and consumer empowerment. Amidst this backdrop, the Financial Information Data Access (FIDA) proposal* emerges as a cornerstone, aiming to bridge the gap between financial institutions and consumers. This article delves into the ‘why’ behind FIDA and highlights the pivotal changes it brings to the table.
* Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554
The primary motivation behind FIDA is to foster a more transparent and consumer-centric financial ecosystem. With the proliferation of online banking and financial services, there’s a burgeoning need for a standardised framework that ensures secure and seamless data sharing between financial institutions, third-party providers and consumers.
FIDA applies to the following categories of customer data.
|In scope: article 2(1) FIDA|
|Data regarding: investments, crypto-assets, insurance, pensions, loans, mortgages and savings.||Individual and business customer data that financial institutions typically collect, store and process as part of their normal interaction with customers|
|Data transmitted by the customers themselves and transaction data arising from customers’ interactions with their financial service providers|
|Personal data that relates to identified or identifiable individuals and non-personal data that relates to business entities or financial product features|
|Outside of scope|
|Payment accounts (in scope of PSD2/PSD3); credit score of natural persons; life, sickness and health insurances|
The regulation applies to entities when acting as data holders or data users, as stated in article 2 FIDA.
|Two types of data users|
|Licensed financial institutions|
– Credit institutions
– E-money institutions
– Payment institutions, including account information service providers
– Crypto asset service providers
– Issuers of asset-referenced tokens
– Alternative investment fund managers
– Insurance companies / intermediaries
– Crowdfunding service providers
– Institutions for Occupational Retirement Provision
– Credit rating agencies
|Financial Information Service Providers (FISPs)|
|Entities authorized under the new framework to access customer data as they:|
– Are licensed in the EU (but no requirement to be established in the EU)
– Have a professional indemnity insurance or other comparable guarantee
– Meet the required organizational requirements
– Are covered by DORA
In the FIDA factsheet, the EC has identified the following as key elements of the FIDA framework:
Let’s take a closer look at these elements, the timelines, and then summarise the actions that can be taken at this point.
Empowering customers by granting them control over their financial data is pivotal. It ensures transparency and allows customers to decide who can access their data and for what purpose.
So, the customer decides who has data access (personal/non-personal data). The customer is defined as ‘a natural or a legal person who makes use of financial products and services’.
To ensure customer control, FIDA introduces further safeguards. These safeguards are:
As mentioned above, the customer must be provided with a permission dashboard to be able to manage and monitor their data. The aim is to give customers full control over who accesses their data and for what purpose.
The permission dashboard must meet the requirements of article 8 FIDA and must be an easy-to-access user interface: clear, accurate and understandable. The permission dashboard must give the customer:
As previously mentioned, data users are companies that have received permission from customers to lawfully access their customer data. Only licensed financial institutions and FISPs can be data users.
The FIDA objective is to regulate responsible access for data users where customers want to benefit from innovative products. This is done by:
The obligations of data users are mainly described in article 6 FIDA:
Customer data can be accessed by the customer and ‘data user(s)’.
Access is possible for purposes agreed with a customer for a specific product or service. However, there is a purpose limitation in place (see Title III, Responsible data use and permission dashboards, article 7), stating that the processing of customer data shall be limited to what is necessary for the purposes for which they are processed (Article 7.1).
The data that can be made available should be made available in a standardised way. This follows from article 5 FIDA which governs the obligations of data holders. This article states that:
Compensation for the data holder is only possible when data is shared under a financial data sharing scheme or, if no scheme is available, under the Commission delegated act (Article 5.2).
FIDA places high importance on security standards, ensuring that entities involved in data access and sharing have robust mechanisms in place to manage security incidents, ensure business continuity, protect against risks, and comply with regulatory obligations.
FIDA refers to DORA (The Digital Operational Resilience Act (Regulation (EU) 2022/2554)) for the security standards that have to be respected. Data users will be subject to the requirements of DORA and therefore be obliged to have strong cyber resilience standards in place to carry out their activities. This includes having comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents.
Title IV FIDA describes the requirements for Financial Data sharing Scheme(s). Article 10 FIDA outlines the governance, content, and structural elements of a financial data sharing scheme, detailing the membership, rules, and standards that such a scheme should adhere to. It emphasises fair and equal representation, transparency, and adherence to common data and technical standards.
Within 18 months from the entry into force of FIDA, data holders and data users must become members of a financial data sharing scheme governing access to the customer data in compliance with Article 10 FIDA. Data holders and data users may become members of more than one financial data sharing scheme. Any sharing of data shall be made in accordance with the rules and modalities of a financial data sharing scheme of which both the data user and the data holder are members.
Important elements from the Financial Data Sharing scheme are (see also article 11 of FIDA):
If financial data sharing schemes are not developed for one or more categories of customer data, a Commission Delegated Act will specify the modalities for making data available (Article 11).
Once published, the proposal will embark on a legislative journey, navigating through the EU Parliament and the EU Council of Ministers. A plausible duration for this legislative process is a minimum of two years, with an additional 18-24 months anticipated for the proposal to officially take effect. Consequently, the ratified proposal is expected to become binding towards the end of 2026.
It’s crucial for entities (data holders and data users) to begin preparations early, considering the requirements and obligations under FIDA. This may include technological, operational, and governance adjustments to comply with data access, sharing, and security provisions.
If you have any questions about FIDA or its implementation, please feel free to contact us.