Background
FIDA introduces Open Finance framework building on the concept of Open Banking and refers to the sharing, access and reuse of personal and non-personal data for purposes of providing a wide range of financial services. The idea is that the sharing of data can promote innovative financial products and services for the benefit of consumers and companies. Amongst others, Open Finance may lead to more personalized financial products and better tailored services for comparing financial products. However, customers remain in charge as they need to give permission before their data may be shared and can withdraw this permission at will.
Data and entities in scope
The scope proposed in FIDA encompasses a wide range of financial products data. This concerns data on (a) mortgage credit agreements, loans and accounts (with exception of payment accounts regulated under PSD2), (b) numerous financial assets such as savings, investments in financial instruments and crypto-assets (the number of financial assets listed is non-exhaustive), (c) pension rights in occupational pension schemes, (d) pension rights in pan-European personal pension products, (e) non-life insurance products (some exceptions apply), and (f) creditworthiness data related to companies (including SME’s). The financial assets named under FIDA represent a non-exhaustive list of potential data, indicating the aim of FIDA to be a ‘catch-all’ regulation concerning data sharing in the financial sector.
The dynamic between the entities collecting and requesting data included in the scope of FIDA is captured by the terms data holder and data user. FIDA contains a list of parties that make customer-related data available in their role as data holder. These are: credit institutions, investment firms, crypto-assets service providers and payment institutions (including account information service providers and payment institutions exempted under PSD2). Central counterparties, central securities depositories and benchmark providers are not included in the scope of FIDA.
Financial Institutions that can apply as data holder, may also retrieve data in the role of data user, without having a separate license thereto. In addition, there are two parties that retrieve data (as data user) but do not act as a data holder. These are the Account Information Service Providers (AISP), within the meaning of PSD2, and FISPs, as newly introduced by FIDA. The logic behind this is that FISPs and AISPs do not produce financial data themselves and only use it for the benefit of their customers.
The entities named under 2(3) FIDA all have their basis in European legislation. Some financial entities only hold licenses or registrations under national legislation (as is the case in the Netherlands). For these ‘national-licensed entities’ Member States could gold-plate the scope in their respective jurisdictions, encompassing these entities in addition to those covered in FIDA itself.
The entities exempted under article 2(3)(a-e) under the Digital Operational Resilience Act (DORA) are also exempted under FIDA and fall outside of its scope.
Financial Information Service Provider (FISP)
An FISP is a data user authorised to access the customer data listed in FIDA for the provision of financial information services. The FISP requires a license under FIDA, which is similar to the license for an AISP under PSD2. For authorisation as an FISP, the aspiring FISP must provide a programme of operations, business plan for the first three financial years, description of governance arrangements, internal control mechanisms including cybersecurity mechanisms aligned with DORA, complaints procedures, and security policy including policy how to protect its customers against identified risks in security assessments. In this regard, article 35 FIDA amends DORA to the effect that DORA also applies to FISPs. FISPs therefore must comply with DORA, specifically regarding technical security and data protection, which includes the software and ICT systems used by the FISP and the companies to which it outsources its operations.
Unlike the AISP, an FISP does not necessarily have to be established in the EU, it is sufficient for the FISP to have a legal representative in one of the EU Member States.
Permission from customers, trade secrets and intellectual property rights
As the EU aims to foster a comprehensive financial data space through FIDA, the proposal aims to facilitate data access, sharing, and processing while maintaining a balance between advancing business models and protecting individual data rights, trade secrets and intellectual property rights. FISPs, operating as data users, require permission from customers to access and use their data. The FISP only accesses and uses the data for purposes and under the conditions explicitly agreed to by the customer, with the ability to withdraw given permission(s) at any time. Notably, the proposal addresses various financial data domains, encompassing, inter alia, B2C data handled by financial institutions, yet excludes sensitive areas like creditworthiness assessments of natural persons and life, sickness, and health insurance due to their sensitivity and potential risks of financial exclusion.
In addition, data holders and data users must respect the confidentiality and be in control of trade secrets and intellectual property rights. Data holders and data users should ensure to always be in control of the relevant data and ensure that trade secrets and intellectual property rights are respected.
Once it no longer is necessary to access customer data, the FISP should delete the data. Under FIDA, there is no clear time frame when and if an FISP has to reaffirm permission for data usage, unlike the AISP, which has to do so every 180 days. The inclusion of 'permission dashboards' further empowers customers, allowing them to manage permissions in real-time and receive warnings about associated risks. In that respect, the data holder should provide the client with an overview of all open permissions to provide data. This permission dashboard should also include a functionality that allows the client to revoke a permission, which stops the data sharing. The data holder will maintain records of permissions withdrawn or expired for two years.
Data protection & privacy
Furthermore, FIDA explicitly states its applicability alongside the General Data Protection Regulation (GDPR), underscoring the need for compliance with GDPR's stringent requirements, including establishing a legal basis for sharing personal data. This parallel framework ensures that data holders and data users handling customer financial data under FIDA must adhere to GDPR provisions, preventing any compromise in data protection standards. Additionally, to further shield consumers from potential data misuse and breaches, data holders and data users will both be bound by the rules of the DORA.
Despite these provisions, the European Data Protection Supervisor (EDPS) highlighted certain risks in its assessment of FIDA's impact on data protection rights. While acknowledging alignment with GDPR principles, the EDPS underscored the need for clearer definitions within FIDA, particularly distinguishing 'permission' from 'explicit consent' as defined in GDPR. In addition, the EDPS raised concerns regarding the broad scope of 'customer data,' potentially encompassing highly sensitive personal information and special category data protected under GDPR.
Schemes
Data holders and data users both have an obligation to join a ‘Financial Data Sharing Scheme’ within 18 months from entry into force of FIDA. Such a scheme is a system of agreements, which is particularly common in payment markets. A well-known scheme in the Netherlands is iDEAL. Under this scheme, banks, where payment accounts are held and the collecting payment service providers, such as Buckaroo or Mollie, regulate how customers can make a payment via iDEAL. In schemes agreements are made on transparency, permission dashboards, remuneration of data holders (for the provision of data) and liability of data holders. An important component is the maximum compensation that a data holder is entitled to charge for making data available through an appropriate technical interface for data sharing with data users.
The scheme should be set up and managed by data holders and data users representing a significant proportion of the market of the product or service concerned. Additionally, relevant customer organisations and consumer associations must be included in the schemes.
If no scheme is developed for one of the categories of data listed under FIDA, the European Commission may adopt a delegated act to develop standardised formats for the data and technical interfaces, remuneration standards for data holders and liability of the data holders and data users involved in making customer data available.
Concluding remarks
The FIDA is the next regulatory step in a financial sector which is digitalizing at a high pace. It seeks to standardise the data sharing protocols in line with the open banking norms introduced under PSD2 and continued under the new Payment Services Regulation. However, the FIDA does not act in isolation. The usage of costumer data may have implications for privacy obligations under the GDPR and qualification as an FISP under FIDA triggers digital operational resilience requirements under DORA. Furthermore, there are several gold-plating opportunities within FIDA, which may lead to differing national implementations across the EU. Financial entities are therefore well advised to follow both European and national developments concerning implementation of FIDA.
As the development of FIDA is in its early stages, there is no timeline available, and the content of the proposal is still subject to change.
Contact
If you wish to receive further information or need further guidance concerning Open Finance, feel free to reach out to our financial regulatory team or Loyens & Loeff advisor.