Data is central to the European Union's digital economy. Data sharing and access in the financial sector is expected to improve competition and consumer protection and connected devices can help businesses provide new products and services to customers. New technologies have allowed new providers to enter the market, for example 'open banking' and embedded finance services that securely share financial data between banks and fintech companies (as discussed here). As options grow, consumers need to be better protected through data-based fraud detection.
Against this background, the EU has put forward two proposals: the Data Act and the Financial Data Access Regulation (FIDA). The Data Act focuses on data sharing, especially in the context of connected products and services. Trilogues have been completed and the Regulation is expected to enter into force in autumn 2023. FIDA, on the other hand, is still in the consultation phase, which ends on 13 October 2023, and the legislative process is expected to end in spring 2024. It aims to create a framework for access to and use of customer data in the financial services sector. Both Regulations reflect the EU's ambition to ensure a regulated and secure flow of data that protects the rights of individuals while opening up new opportunities for businesses.
Here we provide a brief overview and comparison of the two Regulations.
The Data Act represents a decisive step forward in European data regulation. Recognising that data is at the heart of the digital economy, it is designed to regulate the flow of personal and non-personal data within the EU. A key objective of the Data Act is to facilitate data sharing, particularly in the context of connected devices and services. This includes granting rights of access to data and regulating the mechanisms under which data can be shared, be it B2C, B2B or B2G.
Another important aspect of the Data Act is the protection of trade secrets. During the negotiations on the legislation, there was an intense debate about how to protect trade secrets against data sharing requirements. The final agreement provides that companies can refuse to release certain data amounting to trade secrets in "exceptional circumstances" and "on a case-by-case basis".
The Data Act is also closely linked to other legislative initiatives, including the Digital Markets Act (DMA), the GDPR, the Free Flow of Non-Personal Data Regulation, the ePrivacy Directive and the Database Directive. While the DMA and the Data Act share common objectives, the Data Act goes a step further and focuses on the sharing and use of data. The Data Act is also intended to be a general piece of legislation, to be supplemented by more sector-specific regulations governing specific data domains, such as the financial data domain, which will be governed by the Financial Data Access Regulation.
The Financial Data Access Regulation (FIDA) is another important part of data space regulation. It operates as a sector-specific vertical framework that builds on the Data Act.
It sets out guidelines on what customer data can be accessed, including mortgages, loans, accounts, savings products, investments, pension products and non-life insurance products. However, further criteria should be added during the legislative process to define the scope of data and promote legal certainty. The current proposal contains many general provisions and undefined legal terms which will hopefully be clarified during the legislative process.
FIDA applies to financial institutions acting as data holders or data users; account information service providers can only act as data users. Financial information service providers seeking access to customer data for the provision of financial information services must be authorised by the competent authority of a Member State.
Unlike the Payment Services Directive 2 (PSD2), which focuses primarily on access to payment accounts, FIDA extends the scope to a wider range of financial products. This promotes the concept of open banking in the EU and allows for wider integration of financial services.
Data sharing is a key feature of FIDA. Both Account Information Service Providers (AISPs) and Financial Information Service Providers (FISPs) are entitled to receive data. The data holders are obliged to release their data as soon as a customer requests it. FISPs must meet certain criteria and obtain permission to access customer data. Customers can monitor their data permissions by accessing an overview of their data permissions, granting new permissions and withdrawing permissions if necessary.
In terms of access technology, data must be made available to customers and data users "without unreasonable delay, continuously and in real time". There are also alternative methods and fallback options for accessing data if the standard access is not available. An interesting feature of the draft Regulation is the introduction of permission dashboards: data holders will have to provide the customer with a permission dashboard to monitor and manage permissions. This may be refined in the legislative process, because financial data potentially includes data of a highly sensitive nature, as the European Data Protection Supervisor (EDPS) has pointed out. The EDPS also questioned whether profiling data should remain part of customer data. The EDPS suggests that data users should be obliged to clearly specify the specific types of customer data to which they wish to have access in each request. In addition, the final Regulation should prohibit the denial of financial services to customers who do not install and use the permission dashboard or otherwise enable data sharing by data holders with data users under the proposal. Although the EDPS's advice is not binding, it is expected that the European Parliament at least will take it into account when deciding its position on the proposal.
Another important aspect of FIDA is compensation and costs. Data holders may be compensated for making data available, with the exact terms and cost structures to be determined by each scheme. Financial Data Sharing Schemes (FDSS) are also introduced to facilitate data sharing between data holders and data users.
Finally, FIDA also addresses liability issues. Liability is governed by the schemes, i.e. where the data is inaccurate, the quality of the data is insufficient, the security of the data is compromised or the data is misused.
Both the Data Act and FIDA are key pieces of European data legislation with aligned aims but with different focuses and areas of application. While the Data Act focuses on data sharing in the context of connected products and services, FIDA focuses on the financial services sector. Some key differences between the Regulations include:
The move towards trusted financial data sharing stands to bring opportunities to businesses to provide new products and services, and benefits to the consumers receiving them, provided the legislation is clear and is coherently implemented in a way which builds trust.