Duty to share customer data to be extended to most of the financial sector
The Open Finance Regulation (FIDA)
On 28 June 2023, the European Commission issued a proposal for a regulation on a framework for Financial Data Access (the FIDA Regulation). This regulation builds on the "open banking" model established in the payment services sector, where institutions holding accounts (primarily banks) have been required, since the implementation of the Second Payment Services Directive (PSD2), to grant third parties direct IT access to transaction data from customers' payment accounts.
In the FIDA Regulation, the European Commission proposes extending this data-sharing obligation to include most of the financial sector and data points, far beyond just payment account transaction data. In the market, this broader scope is commonly referred to as "open finance", and it is intended to provide European consumers and businesses with more personalised and enhanced financial services.
This expansion of data-sharing requirements will have a substantial impact on various financial sectors, including brokers, investment service providers, insurance and pension companies, mortgage credit institutions, and AIF and UCITS managers - sectors that were not previously covered by "open banking" rules. Also, financial institutions will face significant changes under the FIDA Regulation, as they will be required to provide access to a far wider array of customer data than the limited transaction data they currently share under the "open banking" framework.
In addition to building on experiences from PSD2, the FIDA Regulation introduces notable changes from the existing "open banking" rules. Most significantly, data owners will, to a limited extent, be allowed to receive compensation for the data they share. Furthermore, data access will be governed by a contractual relationship between data owners and third parties through "financial data sharing schemes."
Webinar about the new open finance rules
In the following, Plesner's payment services and fintech specialists outline the most significant issues in the FIDA Regulation.
In a webinar on 21 September 2023, we will look at the details of the proposal for the new rules.
Scope
In the proposal, the European Commission suggests that the FIDA Regulation should apply to almost all types of financial institutions, including banks, mortgage credit institutions, insurance and pension companies, payment and e-money institutions, brokers, AIF and UCITS managers, credit rating agencies, providers of crypto-asset services, and crowdfunding platforms.
The proposals also extend the rules to customer data related to a wide range of financial products, including:
- Loans and accounts (excluding payment accounts, which are covered by the "open banking" rules), including information on balances, terms, and transactions.
- Savings and investments, crypto-assets, real estate, and other financial assets, including data about the customer's financial circumstances and data collected for suitability and appropriateness assessments.
- Occupational pension schemes and pan-European personal pension products.
- Non-life insurance products, with certain exceptions.
- Data collected during a loan application or creditworthiness assessment of companies.
In all cases, "customer data" encompasses both information directly provided by the customer and data generated through the financial undertaking's interaction with the customer.
Third parties (FISPs)
The FIDA Regulation introduces a new category of regulated service providers, "Financial Information Service Providers" (FISPs), similar to the account information service providers under the "open banking" framework. At the heart of the FIDA Regulation is the requirement for financial institutions to make customer data available to authorised FISPs and other financial institutions within the scope of the regulation.
Danish FISPs will need to obtain authorisation from the Danish Supervisory Authority under rules similar to those already in place for account information service providers. The regulation establishes a passporting scheme between EU member states, allowing authorised FISPs to operate across borders, similar to other financial regulation. A key innovation compared to the Second Payment Services Directive (PSD2) is that the FIDA Regulation allows non-EU (third country) undertakings to become authorised as FISPs, provided that they appoint a responsible representative within the EU.
Additionally, financial institutions required to share customer data under the FIDA Regulation are also entitled to access other financial institutions' customer data without needing separate authorisation as a FISP.
Financial data sharing schemes
The FIDA Regulation introduces a major shift from the "open banking" rules applied to payment accounts. It establishes that FISPs must have an existing customer relationship with the financial institution from which they seek data. Additionally, financial institutions may charge FISPs for providing access to customer data within certain limits.
The regulation requires the creation of so-called "financial data sharing schemes", which will outline the rights and obligations of FISPs and financial institutions. These schemes are essentially agreements governing key aspects, such as:
- Technical specifications and common standards for APIs or other IT access used to share data.
- Financial compensation from FISPs to financial institutions for data sharing.
- Liability rules in cases of incorrect or non-compliant data, data security breaches, or data misuse.
Both data owners and data users participating in a scheme must represent a significant portion of the market for the relevant product or service. Additionally, consumer and customer organisations must be included in these schemes. The Regulation requires financial undertakings and FISPs to join one or more schemes covering the data they manage within 18 months of the Regulation coming into force.
While the schemes mark a ground-breaking step in European financial regulation, their practical implementation is expected to face several significant challenges, including:
- The FIDA Regulation does not clarify who will oversee the development of these schemes – whether it will be supervisory authorities, trade organizations, or another body. However, the regulation allows the European Commission to establish a scheme through delegated regulation if no scheme is developed for a particular data category and there is no reasonable prospect of one being created.
- The requirement for typically competing undertakings to agree on prices and conditions for data-sharing services – including access to specific data and their presentation – may give rise to substantial competition law issues.
- In terms of achieving a level playing field across the EU and delivering better and more affordable financial products for consumers, success will primarily depend on the market participants only having to consider a limited number of schemes that cover large parts of the EU. However, given the above challenges, there is a risk of fragmentation of the schemes, which could result in multiple national schemes. In such a scenario, market participants might be required to join up to 27 different schemes across various product areas.
The further process
Considering the time it took to finalise similar initiatives such as PSD2 and the MiCA Regulation, there is a risk that the current proposal may not be adopted before the European Parliament elections in June 2024.
If this happens, the proposals will need to be reintroduced, which could only occur after the newly elected European Parliament is in session and a new European Commission is appointed. In 2019, the interval between the European Parliament elections and the appointment of the current European Commission was six months. Based on this, a conservative estimate suggests that the FIDA Regulation may not take effect until the second half of 2025, with the majority of its provisions potentially becoming applicable in the second half of 2027.