As part of the Retail Payment Strategy, the EU Commission has published the Financial Data Access and Payments Package, which was released on 28 June 2023. The EU package includes the proposals for PSD3 & PSR (Payments) and FiDA (Financial Data Access Regulation). We have already provided an initial classification of the FiDA in our podcast, The importance of the Financial Data Access Regulation | ALLES LEGAL FinTech-Recht kompakt and the subsequent article One-way street FiDA – why well-intentioned is not well done (published 19 April 2024). In this article, we will take a closer look at the individual provisions of the draft regulation.
FiDA Background
The EU Commission has published a draft “Regulation on a framework for access to financial data”. In doing so, it is pursuing one of its objectives declared on 24 September 2020 as part of the Digital Finance Strategy: promoting business-to-business data sharing in the EU financial sector and beyond (open finance). The draft is intended to establish uniform rules across the EU for access, sharing (via interfaces to be set up for this purpose) and the use of certain categories of customer data in financial services.
(R)Evolution: From Open Banking to Open Finance
PSD2 established the framework for the use of technical interfaces to retrieve and exchange payment account data (open banking).
However, PSD2 only covers payment account data, but not data relating to non-payment accounts, such as savings accounts, pure deposit accounts (e.g. call money accounts), pure credit and credit card billing accounts or mere custody accounts.
In addition to payment account data, FiDA is now also intended to enable the exchange of (other) financial data (e.g. custody account or insurance data) (Open Finance).
What (financial) data is covered by FiDA?
FiDA covers customer data (a) belonging to certain categories (b).
(a) Customer data
Customer data within the meaning of Art. 3 No. 3 FiDA is personal and non-personal data that is collected, stored and otherwise processed by a financial institution in the course of its normal business activities with customers and includes both data transmitted by customers and data generated as a result of the customer’s interaction with the financial institution.
(b) Categories
In accordance with Art. 2 (1) FiDA, customer data of the following categories is covered:
- Mortgage loan agreements, loans and accounts (excluding payment accounts within the meaning of PSD2), including data on balances, conditions and transactions;
- Savings, investments in financial instruments, insurance investment products, crypto assets, real estate and other related financial assets as well as the economic benefits of these assets (including data collected to assess suitability and appropriateness as defined in Art. 25 of the Financial Markets Directive);
- Pension entitlements from occupational pension schemes or from pan-European private pension products;
- Non-life insurance products (excluding health insurance products; including data collected to determine the wishes and needs of customers and data collected to assess suitability and reliability within the meaning of the EU Insurance Distribution Directive) → Non-life and health insurance data
- Data collected to assess the creditworthiness of a company as part of a credit application procedure or when applying for a credit assessment → Not credit assessment data of natural persons
Who falls within the FiDA scope?
The entities listed in Art. 2 para. 2 a) to o) FiDA, i.e.
- Financial institutions within the meaning of Art. 3 No. 8 FiDA (e.g. credit institutions, payment and e-money institutions, investment firms or (re)insurance undertakings)
and
- Financial information service providers within the meaning of Art. 3 No. 7 FiDA (a new category introduced by FiDA).
However, FiDA applies for these entities only when acting as data holders or data users.
Art. 2 para. 3 FiDA provides for exemptions and refers in this respect to Art. 2 para. 3 DORA. The exemptions basically only apply to micro, small and medium-sized enterprises (SMEs).
Actors involved in the “FiDA triangle”
The central players in the FiDA regulatory regime are
- the customer
- the data holder and
- the data user.
(Source: Annerton Rechtsanwaltsgesellschaft mbH)
Art. 3 FiDA defines the actors as follows:
- “Customer” is a natural or legal person who makes use of financial products and services (Art. 3 No. 2 FiDA)
- “Data holder” is a financial institution that is not an account information service provider and collects, stores and otherwise processes customer data (within the meaning of Art. 2 para. 1 FiDA).
- “Data users” are the entities listed in Art. 2 para. 2 FiDA (i.e. financial institutions and financial information service providers) that have lawful access to the customer data listed in Art. 2 para. 1 FiDA with the customer’s consent.
Side note:
- “Financial institution” within the meaning of Art. 3 No. 8 FiDA are the entities listed in Art. 2 para. 2 a) to n) that are either data holders or data users or both for the purposes of the FiDA.
The entities listed in Art. 2 Para. 2 a) to n) are:
(Source: Annerton Rechtsanwaltsgesellschaft)
- “Financial information service provider” within the meaning of Art. 3 No. 7 FiDA is a data user who is authorised to access the customer data listed in Art. 2 para. 1 for the purpose of providing financial information services in accordance with Art. 14 FiDA.
Rights and obligations in the FiDA triangle?
Firstly, the obligations of the data holder towards the customer are stated in Art. 4 FiDA. Upon the customer’s electronically transmitted request, the data holder must make the customer data (as defined in Art. 2 (1)) available to the customer
- without undue delay,
- free of charge,
- continuously, and
- in real time.
In addition, the data holder is obliged to provide the customer data (as defined in Art. 2 para. 1) to the data user at the customer’s electronically transmitted request, Art. 5 para. 1 FiDA. In return, the data holder is entitled to demand remuneration from the data user for providing the customer data to the data user, Art. 5 para. 2 FiDA. The customer data is made available to the data user
- without undue delay,
- continuously, and
- in real time.
Art. 6 FiDA regulates in detail the obligations of the data user in relation to the receipt of customer data. Accordingly, a data user is only authorised to access customer data if it
- has previously been authorised as a financial institution or financial information service provider, and
- has obtained the customer’s consent. Customer data may only be accessed for the purposes and under the conditions to which the customer has consented.
Requirements for the provision of data
According to Art. 5 (3) FiDA, the data holder must
- provide the data user with customer data in a format based on generally recognised standards and at least in the quality in which it is available to the data holder;
- ensure secure communication with the data user by ensuring an appropriate level of security in the processing and transmission of customer data;
- protect the confidentiality of business secrets and intellectual property rights when accessing customer data;
- provide the customer with a dashboard for monitoring and managing access authorisations (Art. 8 FiDA);
- require data users to provide proof (usually authorisation via dashboard) that the customer has consented to access to the data holder’s customer data.
Provision of dashboards
The data holder shall provide the customer with a dashboard for monitoring and managing access authorisations (Art. 8 para. 1 FiDA). This must provide the customer with an overview of all active access authorisations that have been granted to data users. It must also contain certain information (including the name of the data user, customer account, purpose and duration of consent, etc.).
The customer must have the option of revoking a granted access authorisation and re-granting a revoked access authorisation. The dashboard must also contain a list of access authorisations that have been revoked or expired in the past two years.
The data holder must also ensure that the dashboard is easy to find in its user interface and that the information contained in the dashboard is clear, accurate and easy for the customer to understand (Art. 8 (3) FiDA).
To ensure that the information is also available to the customer in real-time, FiDA provides for close cooperation between the data holder and the data user (see Art. 8 para. 4 FiDA). Mutual notification obligations are provided for, according to which the data holder and data user must inform each other about dashboard-relevant incidents, such as when the customer makes changes to the dashboard or grants new access authorisations.
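As an added illustration (not code from the article, and not a specification from any FiDA scheme), the following Python sketch models the dashboard requirements of Art. 8 described above together with the purpose-bound access check of Art. 6: an overview of active authorisations with the data user, account, purpose and duration; revocation and re-granting; a list of authorisations revoked or expired in the past two years; and notifications the data holder relays to the data user when the customer changes the dashboard. All class and field names, the notification format and the 730-day window are assumptions made for the example; the sample permissions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Assumption: "the past two years" modelled as a fixed 730-day window.
HISTORY_WINDOW = timedelta(days=730)


@dataclass
class Permission:
    """One access authorisation shown on the dashboard (field names assumed)."""
    permission_id: str
    data_user: str              # name of the data user
    account: str                # customer account the authorisation covers
    purposes: FrozenSet[str]    # purposes the customer consented to
    granted_at: datetime
    expires_at: datetime        # end of the consent duration
    revoked_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        if self.revoked_at is not None and self.revoked_at <= now:
            return "revoked"
        if self.expires_at <= now:
            return "expired"
        return "active"

    def ended_at(self) -> datetime:
        """Moment the authorisation stopped being usable (revocation or expiry)."""
        if self.revoked_at is not None and self.revoked_at < self.expires_at:
            return self.revoked_at
        return self.expires_at


class PermissionDashboard:
    """Data holder's per-customer view of access authorisations (Art. 8)."""

    def __init__(self) -> None:
        self._permissions: Dict[str, Permission] = {}
        # Art. 8(4): dashboard-relevant events relayed to the affected data user.
        self.notifications: List[str] = []

    def grant(self, p: Permission) -> None:
        if p.permission_id in self._permissions:
            raise ValueError("duplicate permission id")
        self._permissions[p.permission_id] = p
        self.notifications.append(f"granted:{p.permission_id}:{p.data_user}")

    def revoke(self, permission_id: str, now: datetime) -> None:
        p = self._permissions[permission_id]
        if p.status(now) != "active":
            raise ValueError("only an active authorisation can be revoked")
        p.revoked_at = now
        self.notifications.append(f"revoked:{permission_id}:{p.data_user}")

    def regrant(self, permission_id: str, now: datetime, duration: timedelta) -> None:
        """Re-grant a revoked authorisation with a fresh consent duration."""
        p = self._permissions[permission_id]
        if p.status(now) != "revoked":
            raise ValueError("only a revoked authorisation can be re-granted")
        p.revoked_at, p.granted_at, p.expires_at = None, now, now + duration
        self.notifications.append(f"regranted:{permission_id}:{p.data_user}")

    def active(self, now: datetime) -> List[Permission]:
        return [p for p in self._permissions.values() if p.status(now) == "active"]

    def history(self, now: datetime) -> List[Permission]:
        """Authorisations revoked or expired within the past two years."""
        return [p for p in self._permissions.values()
                if p.status(now) != "active" and now - p.ended_at() <= HISTORY_WINDOW]

    def check_access(self, data_user: str, account: str, purpose: str, now: datetime) -> bool:
        """Art. 6: access only for the purposes the customer consented to, while active."""
        return any(p.data_user == data_user and p.account == account and purpose in p.purposes
                   for p in self.active(now))


def demo() -> dict:
    """Constructed walk-through with two sample authorisations; returns checkable values."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    db = PermissionDashboard()
    db.grant(Permission("p1", "BudgetApp GmbH", "ACC-1", frozenset({"budgeting"}),
                        t0, t0 + timedelta(days=90)))
    db.grant(Permission("p2", "InsurCompare SA", "ACC-1", frozenset({"insurance_comparison"}),
                        t0, t0 + timedelta(days=30)))
    t1 = t0 + timedelta(days=10)
    ok_purpose = db.check_access("BudgetApp GmbH", "ACC-1", "budgeting", t1)
    wrong_purpose = db.check_access("BudgetApp GmbH", "ACC-1", "credit_scoring", t1)
    db.revoke("p1", t1)
    after_revoke = db.check_access("BudgetApp GmbH", "ACC-1", "budgeting", t1 + timedelta(seconds=1))
    t2 = t0 + timedelta(days=60)            # p2 has expired by now, p1 was revoked
    history_day60 = sorted(p.permission_id for p in db.history(t2))
    db.regrant("p1", t2, timedelta(days=90))
    active_day60 = sorted(p.permission_id for p in db.active(t2))
    t3 = t0 + timedelta(days=800)           # p2's expiry has left the two-year window
    history_day800 = sorted(p.permission_id for p in db.history(t3))
    return {"ok_purpose": ok_purpose, "wrong_purpose": wrong_purpose,
            "after_revoke": after_revoke, "history_day60": history_day60,
            "active_day60": active_day60, "history_day800": history_day800,
            "notification_count": len(db.notifications)}


if __name__ == "__main__":
    print(demo())
```

The access check deliberately consults only currently active authorisations and requires the requested purpose to be among those consented to, which is the data-holder-side enforcement of the Art. 6 limitation; the two-year history is derived from the end timestamp rather than kept in a separate store, so a revoked-then-re-granted authorisation reappears as active without losing its earlier record.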
FiDA Schemes
The so-called Financial Data Sharing Scheme (FDSS) regulates the contractual framework for access to customer data for various financial products and services.
Members of an FDSS (scheme) are
- data holders and data users covering a significant share of the market for the product or service in question, and
- consumer organisations and associations.
Data holders and data users must be members of one scheme (Art. 9 para. 1); data holders and data users may also be members of several schemes (Art. 9 para. 2).
The central task of the members of an FDSS is to develop common standards for customer data and interfaces (APIs) for the exchange of data between data holders and data users (Art. 10 (1) g) FiDA). In addition, the schemes should include provisions on appropriate remuneration for data holders for the provision of data (in particular for formatting, data transmission and storage) (Art. 10 (1) h) FiDA). In the absence of a corresponding provision in a scheme, the right to remuneration does not apply (Art. 5 para. 2 FiDA). Regulations on the allocation of liability between data users and data holders (in coherence with the liability provisions of the GDPR) should also be included (Art. 10 para. 1 i) FiDA).
Timeline?
According to Art. 9 para. 1 FiDA, data holders and data users are obliged to become members of a scheme, i.e. a system for the exchange of financial data, within 18 months of the FiDA coming into force.
And when the timeline is up?
If a scheme is not developed for one or more categories of customer data and there is no realistic prospect of setting up such a system within a reasonable period of time, the so-called “fallback mechanism” applies in accordance with Art. 11 FiDA.
According to the “fallback mechanism”, the Commission is then authorised to supplement the FiDA requirements (in particular Art. 5 para. 1 FiDA) with the following modalities via a delegated act:
- common standards for data and, where applicable, technical interfaces that enable customers to commission data exchange in accordance with Article 5(1);
- a model for determining the maximum remuneration that a data holder can demand for the provision of data;
- the liability of the companies involved in the provision of customer data.
New category: Financial information service providers
Access to customer data is only possible by authorised bodies, i.e. in addition to financial institutions, these can also be the financial information service providers newly created by the FiDA. In this regard, FiDA contains detailed provisions on
- the authorisation procedure (Art. 12, 14),
- the obligation to register financial information service providers (Art. 15),
- as well as the organisational requirements for financial information service providers (Art. 16).
The application for authorisation must be submitted to the competent authority of the Member State in which the financial information service provider is established. Art. 12 para. 2 FiDA contains an overview of the information that must be attached to an application for authorisation.
Financial information service providers – without EU branch
Financial information service providers without an establishment in the EU who wish to obtain access to customer data must designate in writing a legal representative (legal entity or natural person) in one of the Member States in which access to the financial data is desired (Art. 13 para. 1 FiDA) and observe the additional provisions in Art. 13 para. 2 to 5 FiDA.
Financial information service provider – from a third country
A financial information service provider from a third country receives a licence to provide financial information services if
- the requirements of Art. 12 (admission requirements) and Art. 16 (organisational requirements) are met;
- a legal representative (Art. 13) has been appointed;
- and the third country in which the applicant is established is not a high-risk third country in accordance with Delegated Regulation (EU) 2016/1675.
Authorisation is only granted if, among other things,
- effective procedures and structures for identifying, managing, monitoring and reporting the risks to which it is exposed can be ensured,
- the supervisory authority is satisfied that outsourcing arrangements do not result in the financial information service provider becoming a letterbox entity and are not used as a means of circumventing the provisions of this Regulation, and
- the exercise of supervisory rights is possible without restriction.
Passporting
Art. 28 FiDA provides for a so-called passporting regime for financial information service providers and financial institutions. Under the freedom to provide services or the freedom of establishment (“branch”), financial information service providers and financial institutions can obtain access to customer data in the EU that is held by data holders established in the EU. Financial information service providers are therefore entitled to access data from data holders throughout the EU (Art. 28 (1) FiDA).
What will happen next?
The current version of the FiDA is a draft by the EU Commission, which still has to go through the legislative process. The final version therefore remains to be seen. It will then apply in the member states 24 months after it comes into force. It is not yet possible to predict when the FiDA will come into force. One thing is already certain: The FiDA regulation will probably not come into force this year…
Conclusion
From open banking to open finance: this brings the EU legislator much closer to its goal of promoting data-based financial products and services. The FiDA proposal will therefore open up the flow of financial data and promote innovation and competition in order to be able to offer users of financial services customised products. However, this will only succeed if appropriate financial data sharing schemes are set up (in good time) (keyword: fallback mechanism). The FiDA draft poses organisational challenges for all companies involved, which will entail considerable set-up and compliance costs in relation to data standardisation, among other things. Financial institutions should therefore take the FiDA draft as an opportunity to consider the establishment of schemes at an early stage.