The EU has been working for many years to create regulations on a single market for data (both personal and nonpersonal) across Europe. In 2020, the European data strategy and the digital finance strategy were launched, and efforts have continued to establish standards for data collection, management, and circulation.

In this context, the proposal for a Regulation of the European Parliament and Council on a framework for access to financial data called Financial Data Access (FIDA) was introduced, complementing the Data Act that came into force on January 11, 2024. In this article, we’ll examine the FIDA framework: what it is, its aims, how data sharing works, and FIDA’s potential impact on the financial services industry.

What’s in this article?

• What is Financial Data Access (FIDA)?
  
• Objectives
  
• Scope of application
  
• Data sharing
  
• Financial information service providers
  
• Timeline for implementation
  
• Potential impact on the financial services industry
  

What is Financial Data Access (FIDA)?

On June 28, 2023, the European Commission proposed the Financial Data Access (FIDA) regulation to improve access to and sharing of financial data within the EU. The FIDA framework is part of a broader EU strategy to create an open finance system, allowing user data to be shared among banks, insurance companies, investment services, and other financial entities. It builds on the open banking rules from the revised Payment Services Directive (PSD2)—the Directive aimed at making payment services safer and more convenient for member countries—and its successor, PSD3.

FIDA is part of the European data strategy—launched by the European Commission—which, according to the Commission communication of February 19, 2020, aims to “create a single European data space—a genuine single market for data, open to data from across the world—where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimizing the human carbon and environmental footprint.”

It’s important to note that, according to the regulation, “Financial data access refers to the access to and processing of business-to-business and business-to-customer (including consumer) data upon customer request across a wide range of financial services” within the European financial market.

Objectives

The financial sector has historically faced challenges in sharing customer data. Data users—such as companies seeking access to customer information—have often had difficulty obtaining data from the financial institutions that collect, store, and process this information. Data access has never been properly regulated and has often been unmonitored. In addition, the technical interfaces used to access data were vulnerable to cyber threats, raising concerns about the security of customer data.

This situation restricts access to financial data and poses significant challenges for new entrants and smaller, innovative service providers, who struggle to offer customized products that meet customers’ needs. As a result, those seeking financial products and services may end up paying higher fees without getting the experience they expect.

The FIDA framework aims to operate on two levels:

• First, to enhance data sharing among financial services operators, enabling the development of financial products that better meet customer needs.
  
• Second, to ensure greater protection of customer privacy by requiring high standards of security and confidentiality from operators, and by ensuring that data is used only with the user’s consent.
  

The European Commission’s proposal aligns with the General Data Protection Regulation (GDPR), which sets general rules for processing personal data and ensures both the protection and free movement of personal data. Additionally, consumers will be safeguarded against misuse and data breaches, as both data owners and users must adhere to the regulations of the Digital Operational Resilience Act (DORA), effective from January 16, 2023.

Scope of application

The proposal requires data related to the following product categories be made accessible:

• Mortgages, loans, and accounts (except payment accounts referred to in PSD2).
  
• Savings, investments in financial instruments, insurance-based investment products (IBIPs), crypto assets, real estate, and other financial assets—along with the economic benefits from these assets, including data gathered for suitability and appropriateness assessments.
  
• Retirement products.
  
• Non-life-insurance products as per Directive 2009/138/EC, excluding health and health risk coverage, including information gathered for the “demands and needs test” and the assessment of the insurance product’s appropriateness and suitability.
  
• Data used to assess a company’s credit, provided that it is collected during a loan or rating application.
  

Data sharing

Before diving into the specifics of data sharing, here is a brief glossary to clarify the main actors involved in financial data sharing under the FIDA regulation:

• Customer: An individual or legal entity that uses financial products and services
  
• Data holder: A financial institution (excluding account information service providers) that collects, stores, and processes the data mentioned in Article 2(1)
  
• Data user: One of the entities (referred to in Article 2(2))—which, with a customer’s authorization—has legitimate access to customer data
  

According to the proposal, data sharing will take place through Financial Data Sharing Schemes (FDSS). These are framework agreements established by data holders, data users, and representative customer and consumer organizations to self-regulate the management of data access among FDSS members.
The proposal also outlines the obligations of data holders and data users when accessing customers’ financial data.

Obligations of data holders

The data holder must make all requested data available to the customer electronically without undue delay, free of charge, on an ongoing basis and in real time.

The data holder must also make the customer’s data available to a data user. For this purpose, the data controller must:

• Make the customer’s data available to the user in a standardized way and at least of the same quality as the data available to the data holder
  
• Ensure secure communication with the data user by maintaining a suitable level of security when processing and transmitting customer data
  
• Ensure that data users prove they have the customer’s permission to access the customer’s data held by the data owner
  
• Provide the customer with an authorization management dashboard so they can easily monitor, renew, and revoke data users’ authorizations
  
• Respect the confidentiality of trade secrets and intellectual property rights when accessing customer data
  

Obligations of data users

In turn, a data user who receives customer data must:

• Process customer data only for the specific purposes related to the service that the customer has explicitly requested
  
• Respect the confidentiality of trade secrets and intellectual property rights when accessing customer data
  
• Implement the necessary measures to ensure an adequate level of security for storing, processing, and transmitting nonpersonal data
  
• Not use customer data for advertising purposes, except for direct marketing that complies with EU and national laws
  

Financial information service providers

FIDA introduces a new category of financial information service providers (FISPs) who can access customer data if they are authorized by the competent authority of a member state to provide financial information services.

FISPs that operate outside the European financial market but need to access financial data within the EU can do so without establishing a company or branch in the EU. However, they must appoint in writing a natural or legal person as their legal representative in one of the member states from which the FISP intends to access the financial data.

Timelines for implementation

FIDA will take effect 24 months after it becomes law, except for the provisions on FDSS and the authorization requirements for FISPs, which will take effect 18 months after the regulation becomes law.

Potential impact on the financial services industry

The implementation of FIDA, which aims to promote open finance, will undoubtedly have an impact on the financial services sector. It will create significant opportunities for companies to offer financial services that are more personalized and tailored to customers’ needs.

Here are some potential impacts that the implementation of the FIDA framework might have on the financial services industry:

• Increased range of financial products and services
  The financial data shared under FIDA will enable third-party developers, fintech startups, and others to create new financial, investment, and insurance products and services. This could lead to an increase in innovative product offerings and an improvement in the quality of services provided to customers.

• More personalized services
  Access to financial data could also lead to more user-centric and personalized services, increasing customer satisfaction.

• Increased competition
  The access to financial data facilitated by FIDA will allow new entrants (i.e., third parties) to compete with traditional financial institutions, which could result in lower costs for products offered to customers. This is intended to promote fair and impartial competition.

• Data protection concerns
  The open sharing of financial data introduced by the FIDA framework raises significant security and privacy concerns. Operators will need to implement effective IT security measures and comply with current data protection regulations to prevent data breaches and maintain customer trust.