Unveiling FIDA: A Leap Towards Financial Transparency and Consumer Empowerment

Date: October 31, 2023

In recent years, the financial sector has witnessed a paradigm shift with the advent of digital technologies, leading to an increased call for transparency, accessibility, and consumer empowerment. Amidst this backdrop, the Financial Information Data Access (FIDA) proposal* emerges as a cornerstone, aiming to bridge the gap between financial institutions and consumers. This article delves into the ‘why’ behind FIDA and highlights the pivotal changes it brings to the table.

* Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

Why FIDA?

The primary motivation behind FIDA is to foster a more transparent and consumer-centric financial ecosystem. With the proliferation of online banking and financial services, there’s a burgeoning need for a standardised framework that ensures secure and seamless data sharing between financial institutions, third-party providers and consumers.

What is the scope of FIDA?

FIDA applies to the following categories of customer data.

In scope (article 2(1) FIDA):

  • Data regarding: investments, crypto-assets, insurance, pensions, loans, mortgages and savings.
  • Individual and business customer data that financial institutions typically collect, store and process as part of their normal interaction with customers.
  • Data transmitted by the customers themselves and transaction data arising from customers’ interactions with their financial service providers.
  • Personal data that relates to identified or identifiable individuals and non-personal data that relates to business entities or financial product features.

Outside of scope:

  • Payment accounts (in scope of PSD2/PSD3)
  • Credit score of natural persons
  • Life, sickness and health insurances

The regulation applies to entities when acting as data holders or data users, as stated in article 2 FIDA. 

Data holders and data users

  • A data holder is a financial institution responsible for collecting, storing, and processing specific data (excluding account information service providers). A data holder provides a permission dashboard to the customer to monitor and manage the permissions the customer has granted to data users.
  • A data user is an entity that, upon receiving permission from a customer, has lawful access to customer data. These entities must be (1) licensed financial institutions or (2) ‘Financial Information Services Providers’ (FISPs). The latter is the newly introduced category of authorised service providers that are eligible to access and process customer data in the financial sector. FISPs will be subject to roughly the same requirements as account information service providers under the PSD regime.

Two types of data users

Licensed financial institutions. Examples:
– Credit institutions
– E-money institutions
– Payment institutions, including account information service providers
– Investment firms
– Crypto asset service providers
– Issuers of asset-referenced tokens
– Alternative investment fund manager
– Insurance companies / intermediaries
– Crowdfunding service providers
– Institutions for Occupational Retirement Provision
– Credit rating agencies

Financial Information Service Providers (FISPs). Entities authorized under the new framework to access customer data as they:
– Are licensed in the EU (but no requirement to be established in the EU)
– Have a professional indemnity insurance or other comparable guarantee
– Meet the required organizational requirements
– Are covered by DORA

Most important elements from FIDA

In the FIDA factsheet, the EC has identified the following as key elements of the FIDA framework:

  1. Explicit customer data access rights;
  2. New tools to manage customer permissions;
  3. New rules for data users to be supervised;
  4. Standardised data access;
  5. Security standards respected;
  6. Cooperation through financial data sharing.

Let’s take a closer look at these elements, the timelines, and then summarise the actions that can be taken at this point.

FIDA element 1: Explicit customer data access rights

Empowering customers by granting them control over their financial data is pivotal. It ensures transparency and allows customers to decide who can access their data and for what purpose.

So, the customer decides who has data access (personal/non-personal data). The customer is defined as ‘a natural or a legal person who makes use of financial products and services’. 

To ensure customer control, FIDA introduces further safeguards. These safeguards are:

  • An obligation on data holders to provide “permission dashboards” to enable customer control over how their data is used (Article 8).
  • An obligation on data users to respect data use perimeters to ensure strong consumer protection guardrails for activities that present higher exclusion risk (Article 8).
  • Ensuring responsible handling of data: only financial institutions and newly authorised “financial information service providers” (‘FISP’) can access customer data. These are all subject to DORA.

FIDA element 2: New tools to manage customer permissions 

As mentioned above, the customer must be provided with a permission dashboard to be able to manage and monitor their data. The aim is to give customers full control over who accesses their data and for what purpose.

The permission dashboard must meet the requirements of article 8 FIDA and must be an easy-to-access user interface: clear, accurate and understandable. The permission dashboard must give the customer:

  • Control: enable the customer to withdraw and re-establish permissions (Article 8.2).
  • Transparency: a detailed overview of ongoing permissions and their purpose, and a record of permissions (Article 8.2).
  • Usability: easy to find and use; “clear, accurate, understandable” (Article 8.3).
  • Real-time: Obligation on data holders/data users to keep dashboard accurate and up-to-date (Article 8.4) 

FIDA element 3: New rules for data users to be supervised

As previously mentioned, data users are companies that have received permission from customers to lawfully access their customer data. Only licensed financial institutions and FISPs can be data users.

The FIDA objective is to regulate responsible access for data users where customers want to benefit from innovative products. This is done by:

  • Promoting standardisation of customer data and technical interfaces;
  • Encouraging implementation of high-quality interfaces;
  • Relying on a contractual framework of financial data sharing schemes.

The obligations of data users are mainly described in article 6 FIDA:

  • Only access customer data for the purpose they have been granted permission;
  • Respect confidentiality, trade secrets and intellectual property rights;
  • Prevent the transfer of non-personal data when unlawful;
  • Ensure security of customer data & storage limitation – delete customer data when it is no longer necessary;
  • For groups of companies, data to be accessed only by the entity of the group that acts as the data user;
  • Authorisation and organizational requirements for FISPs (Article 12-16).

FIDA element 4: Standardised data access

Customer data can be accessed by the customer and ‘data user(s)’. 

Access is possible for purposes agreed with a customer for a specific product or service. However, there is a purpose limitation in place (see Title III, Responsible data use and permission dashboards, article 7): the processing of customer data shall be limited to what is necessary for the purposes for which they are processed (Article 7.1).

The data that can be made available should be made available in a standardised way. This follows from article 5 FIDA which governs the obligations of data holders. This article states that:

  • Data must be made available to data users when requested by a customer;
  • Data must be made available in a standardised way and in the same quality as is available to the data holder;
  • The data holder must communicate the data securely;
  • The data holder must provide the customer with a permission dashboard;
  • The data holder must respect confidentiality, trade secrets and intellectual property rights.

Compensation for the data holder is only possible when data is shared under a financial data sharing scheme or, if no scheme is available, under the Commission delegated act (Article 5.2).

FIDA element 5: Security standards respected

FIDA places high importance on security standards, ensuring that entities involved in data access and sharing have robust mechanisms in place to manage security incidents, ensure business continuity, protect against risks, and comply with regulatory obligations.

FIDA refers to DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) for the security standards that have to be respected. Data users will be subject to the requirements of DORA and therefore be obliged to have strong cyber resilience standards in place to carry out their activities. This includes having comprehensive capabilities to enable strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents.

FIDA element 6: Cooperation through financial data sharing

Title IV FIDA describes the requirements for financial data sharing scheme(s). Article 10 FIDA outlines the governance, content, and structural elements of a financial data sharing scheme, detailing the membership, rules, and standards that such a scheme should adhere to. It emphasises fair and equal representation, transparency, and adherence to common data and technical standards.

Within 18 months from the entry into force of FIDA, data holders and data users must become members of a financial data sharing scheme governing access to the customer data in compliance with Article 10 FIDA. Data holders and data users may become members of more than one financial data sharing scheme. Any sharing of data shall be made in accordance with the rules and modalities of a financial data sharing scheme of which both the data user and the data holder are members.

Important elements of the financial data sharing scheme are (see also article 11 of FIDA):

  • Market driven arrangement between data holders and data users;
  • Common standards for the data and technical interfaces;
  • Open to participation, fair, transparent rules;
  • Provide model to determine compensation;
  • Dispute resolution system;
  • Contractual liability.

If financial data sharing schemes are not developed for one or more categories of customer data, a Commission Delegated Act will specify the modalities for making data available (Article 11).

And now? What to do with FIDA?

Once published, the proposal will embark on a legislative journey, navigating through the EU Parliament and the EU Council of Ministers. A plausible duration for this legislative process is a minimum of two years, with an additional 18-24 months anticipated for the proposal to officially take effect. Consequently, the ratified proposal is expected to become binding towards the end of 2026.

It’s crucial for entities (data holders and data users) to begin preparations early, considering the requirements and obligations under FIDA. This may include technological, operational, and governance adjustments to comply with data access, sharing, and security provisions.
