The New EU Financial Data Access Framework
ON THIS PAGE
- What Is the Financial Data Access Framework?
- Eligible Entities Under the FIDA
- Timelines of the Financial Data Access Framework
- Data Access: Who Can Access Customer Data?
- Obligations of Data Holders under the FIDA
- Obligations of Data Users under the FIDA
- Scope of FIDA
- FIDA's Impact on the Financial and Insurance Sectors
- Conclusion
- Frequently Asked Questions
On 28 June 2024, the European Union (EU) proposed a Financial Data Access (FIDA) framework. The new regulation proposed EU-wide implications of open finance across the banking and insurance sectors and beyond. Nearly all financial services data will be within its scope.
FIDA will grant consumers and SMEs the right to authorize third parties (data users) to access their data held by financial institutions.
What Is the Financial Data Access Framework?
The Financial Data Access Framework (FIDA) is a regulatory initiative by the EU aimed at opening finance across the banking and insurance sectors and beyond to foster a more open, transparent, and interconnected financial ecosystem by mandating standardized access to financial data.
FIDA aims to enhance transparency, foster innovation, and promote competition within the banking and insurance sectors. It takes a customer-centric approach.
The framework builds on the already existing open banking system to customer data held by account-servicing payment service providers. Its scope is to ensure that all consumers and organizations have effective control over their financial data and provide additional tools to ensure personal data protection, as in the General Data Protection Regulation (GDPR).
There are two key differences compared with EU open banking rules. First, data holders will be able to ask for reasonable compensation for providing data to data users. Second, data users could only see the data of customers, but will not be able to make transactions on behalf of customers.
Data holders will need to provide the data directly to their customers, free of charge, continuously, and in real-time. This will require data holders to develop new IT systems and online interfaces to enable their customers to access their own data. It may already be standard practice for some types of institutions, but for others, it will require significant investment and IT updates.
Eligible Entities Under the FIDA
FIDA applies to Financial Information Service Providers (FISPs, that are financial data holders or data users) operating within the EU that meet specific criteria:
- Have more than 249 employees, and
- Over €50 million in revenue.
Financial Data Access Framework extends its impact beyond traditional financial institutions and insurance companies. FIDA encompasses the following data holders:
- Financial institutions
- Insurance companies
- Brokers
- Investment firms
- Crypto-asset service providers
- Managers of alternative investment funds
- Managing General Agents (MGAs)
- Credit institutions
- E-money institutions
- Payment institutions
- CASPs
- Issuers of ARTs
- Management companies / AIFMs
- IORPs
- CRAs
- PEPP providers
- Other intermediaries.
The above-mentioned data holders are required to provide the same level of data access to customers as larger institutions.
CookieScript Consent Management Platform (CMP) helps many companies to comply with present privacy laws like the GDPR. In 2024, CookieScript CMP was nominated the best CMP on G2, a peer-review website. We are excited to provide our services for compliance with FIDA to financial data holders and data users as well.
Timelines of the Financial Data Access Framework
The publication of the FIDA proposals marks the beginning of EU legislative negotiations, which will not be easy. Provisions relating to FDSS and authorization requirements for FISPs will apply 18 months after FIDA becomes effective. All other requirements will enter into force after 24 months.
The proposed implementation timelines for FIDA are ambitious and, thus, could be delayed. It is expected that the EU will finalize FIDA in 2025 or later. Thus, all requirements of FIDA are expected to come enter into force no earlier than in 2027.
The proposed implementation approach and timelines for FIDA are very ambitious, requiring implementing many requirements right away. Open finance strategies adopted or contemplated by other leading jurisdictions prefer a phased implementation. For example, the UK's Financial Conduct Authority (FCA) has announced it will require a phased implementation.
There is much work to be done in the preparation for FIDA. It is important to be FIDA-ready now.
Data Access: Who Can Access Customer Data?
Customers’ financial data held by the data holder, could be accessed by:
- Customers. Customers can directly request access to their data held by a financial institution
- Data users. Licensed financial institutions and financial information service providers (FISPs) can also request access to customer data.
Note, that customer data access must satisfy the purpose limitation requirement: “Personal data shall be limited to what is necessary for which they are processed” (Article 7.1). FISPs should only process personal data for necessary and specified purposes.
Obligations of Data Holders under the FIDA
Under the Financial Data Access Framework, data holders have the following responsibilities:
- Standardized APIs. One of the key elements of FIDA is the establishment of standardized APIs for data sharing. This will make data available in a standardized way and of the same quality to the data holder across different platforms and institutions.
- Data availability to customers. Data holders must make data available to data users when requested by a customer.
- Data security and privacy. FIDA places a strong emphasis on the security and privacy of shared data, like GDPR to protect consumer information.
- Confidentiality. Data holders and data users must respect confidentiality, trade secrets, and intellectual property rights
- Compliance requirements. Data holders and data users must adhere to specific compliance requirements under FIDA, including technical standards, reporting obligations, and consumer rights protection.
Obligations of Data Users under the FIDA
Under the Financial Data Access Framework, data users have the following responsibilities:
- Data security and storage limitation. Data users must implement adequate security means to protect customer data. They must delete customer data when it is no longer necessary.
- Confidentiality. Data holders and data users must respect confidentiality, trade secrets, and intellectual property rights
- Compliance requirements. Data holders and data users must adhere to specific compliance requirements under FIDA, including technical standards, reporting obligations, and consumer rights protection.
- User consent. Data users can only access customer data for the purpose they have been granted permission.
- Authorization and organizational requirements for FISPs. Financial Information Service Providers (FISPs) must get authorized and comply with the organizational requirements for FISPs to be authorized as data users. Only then they can access customer data from data holders.
Scope of FIDA
The scope of FIDA is to give EU consumers with more control over their data and to require data holders to share customer data upon request. Essentially, FIDA will provide:
- Customer control over their data. FIDA will oblige data holders to share customer data upon request.
- Transparency. FIDA will set clear rules on how customer data could be used and shared among financial institutions.
- Granular customer consent. FIDA aims to empower customers with the ability to grant, manage, and withdraw consent for data sharing.
- Enhanced security. FIDA encourages the implementation of high-quality interfaces and strict security measures for the protection of financial data.
- Standardization. FIDA promotes standardization of customer data and technical interfaces.
- Promoting competition. By providing equal rights and responsibilities to all players in the field, FIDA encourages innovation and competition among financial institutions and fintech firms.
FIDA's Impact on the Financial and Insurance Sectors
For organizations in the banking and insurance industries, the impact of FIDA will be profound:
- Regulatory compliance. FIDA will require financial institutions and insurance companies to comply with unified data access and sharing standards.
- Operational transformation. Financial institutions must changes in IT infrastructure to support real-time data access, API standards, and consent management.
- New business opportunities. FIDA will open new possibilities for product innovation and customer engagement, allowing data holders or data users to offer more personalized and efficient services.
- Competitive possibilities. The framework gives opportunities to new entrants in the financial or insurance sectors, leveling the playing field between established players and new startups.
- Consumer-centric approach. With a focus on consumer rights and access to data, FIDA encourages a more customer-centric approach in the design and delivery of financial services. This presents an opportunity to strengthen trust and transparency with customers.
Conclusion
In summary, FIDA represents a significant shift in the financial and insurance sectors in the field of data privacy. The regulation will affect many organizations. The need to prepare for compliance with FIDA is not just a regulatory requirement but also an opportunity to stay competitive. Organizations could benefit from the opportunities presented by this new open data environment. Monetization of API presents a unique chance for data holders to balance compliance costs and create new revenue streams.
In 2024, CookieScript Consent Management Platform (CMP) was nominated as the best CMP on G2, a peer-review website for compliance with the GDPR and other privacy laws. We are excited to provide our services for compliance with FIDA to financial information service providers as well.
Frequently Asked Questions
What is the Financial Data Access Framework?
The Financial Data Access Framework (FIDA) is a regulatory initiative by the EU aimed at opening finance across the banking and insurance sectors and beyond to foster a more open, transparent, and interconnected financial ecosystem by mandating standardized access to financial data. It takes a customer-centric approach and aims to enhance transparency, foster innovation, and promote competition the within banking and insurance sectors.
Who must comply with the Financial Data Access Framework?
FIDA applies to financial service providers (data holders and data users) operating within the EU that meet specific criteria: have more than 249 employees, and over €50 million in revenue. It encompasses many organizations like financial institutions, insurance companies, brokers, investment firms, credit institutions, e-money institutions, payment institutions, etc. CookieScript Consent Management Platform (CMP) offers solutions for compliance with FIDA.
When is FIDA is expected to come into force?
The proposed implementation of the Financial Data Access Framework (FIDA) is expected to be finalized in 2025 or later, which is very ambitious. All requirements for Financial Information Service Providers (FISPs) will enter into force after 24 months. Thus, all requirements of FIDA are expected to come into force in 2027 or later.
What is an example of financial data in data privacy?
Examples of financial information include credit card numbers, credit information, credit rating data by third-party credit analysis firms, and other related information.