FIDA Regulation: A Glimpse into the Open Finance World

Introduction

In 2018, the Second Payment Services Directive (PSD2) reshaped the payment services landscape in the EU by introducing a concept of open banking. With the aim of increasing competition in the payments sector, PSD2 created a framework for consent-based sharing and use of payment account data by service providers other than traditional banks and payment institutions by introducing two new types of authorized entities, payment initiation and account information service providers. This opened the door for new market entrants, such as innovative FinTech companies, that for the first time got access to valuable customer payment account data and a chance to enter into (by then) heavily bank dominated payments market. By building on the lessons learned from open banking, on 28 June 2023, the EU Commission has unveiled its proposal that shall create the very first regulatory framework on open finance, in the form of a Regulation on financial data access (FIDA Regulation). The proposal is developed in line with the main principles on protection of personal data anchored in the EU General Data Protection Regulation (GDPR) as well as the main pillars of the forthcoming framework on B2B data sharing established under the Data Act proposal, that is still finding its way through the EU legislative making process.

Open Finance (in layman’s terms)

Whenever you as a customer decide to go for a new financial product or a service, the very first step you need make is to fill out the application form and provide a financial institution (be it a bank, investment firm, mortgage provider etc.) with key information about yourself. Based on this information, financial institutions are first conducting customer onboarding (know your customer “KYC”, suitability assessment etc.) and subsequently, use valuable data that they obtain in the course of the customers’ lifecycle to create individual customers’ profiles, that help them to provide their service in a better and more personalized way.

However, once you decide to switch a financial service provider you need to go through the entire process again: from the application form to customer onboarding, hoping to get access to more personalised service and product offering at some point in the future (usually after being a customer for a significant period of time).

Now imagine a world in which when you decide to switch a financial service provider, besides taking your money, you can take with you something at least as valuable – your data. Based on this data, the entire onboarding process can be done much faster and a new financial service provider can be in a position to use this data about you and your customer behaviour to provide you with a service that is more tailored to your individual needs. Same as in the case of open banking, this exchange of customers’ financial information in open finance world will be made possible by the use of application programming interfaces (APIs), which are in a nutshell, computer programs that enable different IT systems to communicate and share information between each other.

This is the very aim that the EU Commission is looking to achieve with the proposed FIDA Regulation - to create a framework for controlled and consent-based sharing of financial data in which customers have effective control over their financial data and the opportunity to benefit from open, fair, and safe data-driven innovation in the financial sector.

Who are the addressees of the new rules?

The proposed FIDA Regulation has a very broad scope of application and will enable consent-based sharing of financial data between all of the following entities that operate in the financial services sector:

• credit institutions,
• payment institutions including account information service providers (AISPs),
• e-money institutions,
• investment firms,
• crypto-assets service providers (CASPs) and issuers of asset-referenced tokens as defined under the new Markets in Crypto-Assets (MiCA) Regulation;
• Alternative investment fund managers (AIFMs);
• UCITS management companies;
• insurance and reinsurance undertakings;
• insurance intermediaries and ancillary insurance intermediaries;
• institutions for occupational retirement provision;
• credit rating agencies;
• crowdfunding service providers;
• pan-European Personal Pension Product providers.

In addition to the above mentioned, the new framework will introduce a new type of authorised entities, the so-called financial information service providers (FISPs), that will be allowed to have access to customers’ data for the sole purpose of providing financial information service. More on FISPs and the newly developed authorization framework for them is contained below.

What types of data are in the scope of the proposed framework?

The proposed FIDA Regulation, broadens the scope of data that will be eligible for consent-based sharing, which now goes way beyond already covered payment account data under the PSD2 framework, and covers financial data related to any of the following:

• Mortgage credit agreements, loans, and accounts (except payment account related data that is already regulated under PSD2).
• Savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as economic benefits derived from such assets including data processed as part of suitability and appropriateness assessments under MiFID II;
• Pension rights in occupational pension schemes within the scope of Institutions for Occupational Retirement Provision II and Solvency II;
• Non-life insurance products (e.g. car insurance);
• Creditworthiness assessments of companies (where data is collected as part of a loan application process or based on a request for a credit rating).

It is noteworthy that financial data that is within the scope of the proposed framework will not cover particularly sensitive customers’ data such as data related to customers’ creditworthiness as well as data related to sickness and health insurance products.

Obligations on financial institutions

The proposed framework differentiates between data holders – financial entities that collect, store and otherwise processes in scope customers’ data and data users – entities that, following the permission of a customer, have lawful access to customer data. All in-scope financial institutions, except AISPs and FISPs, will generally be able to act both as data holders and data users.

Upon customers’ request, institutions that act as data holders will be obliged to make customers’ data available to them without undue delay and free of charge. The same obligation will apply where request for data access is sent by a data user that acts based on customers consent, however in this case institutions acting as data holders will be able to charge some compensation for this service.

Data users processing customers’ data based on the proposed framework will be required to process customers’ data solely for the purpose for which the customer’s consent was granted and will be obliged to delete them in the case of withdrawal of customers’ consent.

Within 18 months from the entry into force of the proposed Regulation, data holders and data users will be required to become members of one or more financial data sharing schemes whose main aim will be to (among other) to foster development of common data sharing and industry recognized interface standards as well as a joint standardised contractual framework governing access to specific datasets.

Authorisation regime for FISPs

The proposed Regulation creates new authorisation framework for FISPs that will, prior to commencing with their activities in the EU, be required to obtain authorization from their national competent authorities (“NCAs” such as BaFin or the Central Bank of Ireland). FISPs will be required either to be incorporated in the EU or to have legal representative that will be responsible for communication with the NCAs.

While the proposed Regulation contains some key threshold requirements that prospective FISPs will need to meet for the purposes of authorisation, the European Supervisory Authorities are mandated to develop regulatory technical standards that will define authorization requirements in more detail.

Once authorised, FISPs will be able to operate across the EU Single Market based on the EU passport in a similar way like financial institutions regulated under other key pieces of the EU financial regulation (e.g. MiFID II investment firms, payment institutions etc.)

Outlook

It goes without saying that the proposed framework and Commission’s efforts to create the very first regulatory framework on open finance is a very welcome development that can make the EU the very first jurisdiction globally where the heartbeats of the new fully data driven financial services industry will be felt. Further, it is highly likely that this will be another piece of EU regulation that will produce the commonly known “Brussels effect” by influencing other jurisdictions around the globe to develop their own regulatory frameworks on open finance based on it.

The proposed Regulation yet needs to find its way through the EU legislative making process that will most likely be additionally prolonged by the forthcoming EU elections that are due next spring. With that in mind, it is unlikely that the new framework will become operational before the end of 2024 / beginning of 2025.

Nonetheless, due to the complexity of the proposed framework, primarily from an operational and technical standpoint, financial institutions should use this time wisely and will need to start preparing for the implementation well in advance.

Over the coming period, we will closely follow the upcoming developments as the proposed Regulation goes through the EU legislative making process. Should you have any questions or want to have more detailed consultation about the proposal, feel free to reach out to us.