Posted: 11 Jul. 2023

The new EU Financial Data Access framework: opening up data across financial services

At a glance

  • The EU proposed a new Financial Data Access (FIDA) framework on 28 June. FIDA is a flagship initiative of the EU Digital Finance strategy and forms the legislative backbone for the EU-wide implementation of open finance.
  • FIDA will grant consumers and SMEs the right to authorise third parties – or data users – to access their data held by financial institutions – or data holders. Nearly all financial services data will be within its scope. Firms can play a dual role – data holder and data user.
  • There are two key differences compared with EU open banking rules. First, data holders will be able to ask for reasonable compensation for making data accessible to data users. Second, data users will have "read access", but will not be able to initiate transactions on behalf of customers. Both could affect the uptake and potential benefits of open finance.
  • Data holders and users will have to join one or more Financial Data Sharing Schemes, which will govern data access in line with FIDA and other EU rules. However, the proposal lacks clarity about their establishment, and the broad scope of FIDA raises questions about their effectiveness. Both regulators and industry should heed the lessons from open banking, and work to avoid implementation delays and market fragmentation.
  • The proposed implementation timeline for FIDA is extremely ambitious, with all requirements becoming applicable 24 months after its entry into force. A more staggered approach focusing on key use cases could be more effective and realistic. It would also allow for greater consumer trust in, and demand for, open finance to grow.

 

Overview 

On 28 June, the European Commission unveiled its legislative proposal for a new Financial Data Access (FIDA) framework. Once finalised, FIDA will expand the Open Banking data-sharing obligations, which currently apply only to payments accounts data, to nearly all financial services (FS) data. It will be the legislative backbone of open finance in the EU. 

A cornerstone of the EU Digital Finance strategy, FIDA builds on and complements other key cross-sector digital markets initiatives – in particular the Data Act[1]. Collectively, these policies aim to foster data-driven innovation and a competitive digital ecosystem that benefits both consumers and businesses across sectors, including FS.

Yet, the EU-wide implementation of open finance is now certain. In this article, we analyse the key elements of the proposal and offer our initial reaction, drawing from our Open Banking implementation experience. As described in "open finance: preparing for success", the opportunities and challenges of open finance will require extensive strategic, operational, and technological transformations. Therefore, firms should start contemplating how their strategies, business models, and operations may need to evolve in response to FIDA. 

Scope and definitions

FIDA will give consumers and SMEs the right to authorise third parties – or data users – to access and use their financial data. This mirrors the Open Banking data-sharing provisions under PSD2. However, while PSD2 only applies to payments accounts, FIDA will cover almost all customer data held by financial institutions – or data holders. 

The scope of customer data includes information related to mortgages, loans, savings, investments, crypto-assets, pensions, and non-life insurance products[2]. It includes both data supplied by the customer and data stemming from customer interactions. It also covers data related to the terms and conditions for specific products and services. However, customer data that could directly increase the risk of financial exclusion is out of scope. This includes data on sickness, health and life insurance, or data collected as part of assessments of consumers’ creditworthiness.

The roles of data holder and data user are not mutually exclusive. For example, an investment manager may be required to share customer data with data users at the request of a customer. But that same investment manager could be authorised by its customers to receive data from other data holders, e.g., mortgage or pension providers, to improve its offerings. 

However, unlike in PSD2, data users will not be able to initiate transactions on the customer’s behalf, such as opening, switching, or closing accounts. This may limit the benefits of some potential use cases, e.g., mortgage or savings accounts comparison and switching services. Even so, data users that are also authorised under PSD2 can still initiate payments with the customer’s consent.

Data holders

Data holders will have to make customer data available to a data user upon their customers’ request. They should provide the data securely without “undue delay, continuously, and in real-time” and in a format based on 'generally recognised standards'.

There are no details as to what these standards might be. Instead, data holders and users will have to jointly develop them as part of Financial Data Sharing Schemes (FDSS)[3], as we discuss in more detail below. Data holders will also need to provide their customers with a permission dashboard to enable them to monitor, renew and withdraw permissions for data users easily.

There is one other provision that has received less attention so far, but that could have substantial cost implications. Data holders will also need to make the data available directly to their customers, also free of charge, continuously, and in real-time (mirroring similar provisions in the Data Act). This seems to imply that they will need to develop online interfaces to enable their customers to access their own data. This may already be standard practice for some types of accounts, such as mortgages. But for others, such as general insurance or pensions, it may require significant investment and change programmes for many firms.

Right to reasonable compensation and interaction with EU Data Act

One of the major differences between FIDA and PSD2 open banking rules is that data holders will have the right to ask for reasonable compensation from data users. 

Here, there is an important interplay between FIDA and the EU Data Act, although the details are not entirely clear at this stage. The EU Data Act establishes a cross-sectoral governance framework for legally mandated data sharing. This includes rules on determining fair compensation levels, e.g., what data production costs data holders can consider. FIDA will enhance the Data Act where necessary. For example, it already establishes that compensation for data holders should link directly to the cost of making data accessible to a data user. It also calls for an objective, transparent, non-discriminatory methodology, geared towards the market's lowest levels. 

Data users

Data users will need to be authorised by an EU National Competent Authority (NCA) either as a financial institution or as a financial information services provider (FISP). Similar to open banking, data users can only access the data with their customers’ permission, and only for the purposes and under the conditions specifically agreed by the customers.

One provision appears to address, at least partially, the lack of data-sharing reciprocity between FS firms and non-financial conglomerates, including digital platforms. This is a concern that has been flagged before by FS incumbents, and even by some policymakers[4]. But under FIDA, if a data user is part of a larger group, only the entity authorised as a data user will be able to access and use the customer data. However, it is unclear for now how this measure will interface with other laws, including GDPR, which govern data sharing and consumer data portability rights.

Measures to mitigate the risk of financial exclusion

One of the risks of open finance is that data users may combine customer data to create more accurate consumer profiles, potentially increasing the risk of financial exclusion. In response, the Commission will require the European Banking Authority (EBA) and the European Insurance and Occupational Pension Authority (EIOPA) to develop guidelines to introduce appropriate consumer safeguards. The guidelines will outline how data users can use FIDA data to calculate credit scores, and risk assessments and pricing related to life, health, and sickness insurance products. 

Financial Data Sharing Schemes: role and unanswered questions

Data holders and users will be required to join one or more Financial Data Sharing Schemes (FDSS). The schemes will be responsible for governing access to customer data in compliance with FIDA, and other applicable EU rules – e.g., data protection and the Data Act. FDSS will have to develop common standards for data sharing and interface requests, set member contractual liabilities, and provide effective dispute resolution mechanisms.

Schemes will also establish the model to determine the maximum compensation data holders may charge users. This may prove to be a challenging task, as highlighted by a recent flagship industry-led report on the future of Open Banking in the UK. All stakeholders agreed that any future funding model for open finance needs to be sustainable, fair and equitable. However, there was no consensus as to how to achieve this in practice. Without proactive involvement from regulators, it may lead to delays in the development of open finance use cases and potentially frequent disputes. 

In some ways, FDSS resembles the UK's Open Banking Implementation Entity (OBIE)[5]. Yet, there are crucial differences and unanswered questions that in our view will raise important implementation challenges.

First, the Commission does not task any specific regulators or industry bodies with setting up the schemes. The Commission even acknowledges that an FDSS may not be developed for certain customer data categories. Given the vast variety of data in scope, we think this may be a real possibility. If no FDSS seems likely to emerge, the Commission will step in directly to establish compensation limits, common standards, and liability frameworks.

Second, the emergence of several FDSS also presents significant challenges. As the EBA pointed out, the lack of a single EU-wide Application Programming Interface (API) standard has been a major hurdle in unlocking the value of Open Banking. It creates significant obstacles for data users, as they must dedicate considerable resources to developing and maintaining connections to different APIs.

Considering that the categories of customer data covered by FIDA are far more extensive and less standardised than payments data, preventing fragmentation becomes even more crucial. Industry can play a significant role in avoiding excessive fragmentation. But a further degree of regulatory intervention may nevertheless be required. 

What does all this mean for data-rich FS firms?

Opening up non-payments data is now a question of “when” rather than “if”. This has two key strategic implications. Firstly, data-rich firms must decide what role they want to play in this new ecosystem. Competition from outside FS may result in new players with more sophisticated data-mining capabilities wanting to own the customer relationship.

Secondly, the data and technology lift in terms of making the data available for sharing externally, and the related development of APIs, is likely to require significant resources. Firms should reflect on their IT and data transformation programmes to determine how best to future-proof, to the extent possible, any current design thinking or implementation. Future capabilities to mine the data, such as advanced data analytics, AI and machine learning capabilities to offer tailored products, may also be a consideration.

Timelines and final considerations

The publication of the FIDA proposals marks the beginning of EU legislative negotiations, which we anticipate will be complex and drawn out. According to the Commission’s own assessment[6], different types of firms hold significantly divergent views on how data-sharing in FS should be governed. The upcoming EU Parliament’s election in June 2024 will further slow progress. Therefore, it is unlikely the EU will finalise FIDA before 2025.

The proposed implementation timelines for FIDA are ambitious, to say the least. Provisions relating to FDSS and authorisation requirements for FISPs will apply 18 months after FIDA enters into force. All other requirements will start to apply after 24 months. 

The 'big bang' approach proposed by the Commission starkly differs from the open finance strategies adopted or contemplated by other leading jurisdictions. For instance, the UK's Financial Conduct Authority (FCA) has already confirmed it will favour a phased implementation, beginning with use cases that offer the best cost-benefit balance. Similarly, Australia is rolling out its Consumer Data Right in stages. A more incremental approach would be both pragmatic and effective given the technical complexities and the significant costs of implementing FIDA in one go. The mere task of standardising and digitising data across all relevant categories will be colossal for many firms. A staggered approach prioritising key use cases could also foster consumer engagement, thereby building trust and demand for more open finance services.

________________________________________________________________________________________

References:

[1] The Data Act was politically agreed between the European Parliament and the Council of the EU on 27 June.

[2] Payments data will continue to be governed by PSD2.

[3] A FISP is a provider that lets you see information from all your selected accounts in one place and can analyse your data but does not otherwise undertake any other regulated financial activities.

[4] https://www.bis.org/publ/work970.pdf

[5] https://www.openbanking.org.uk/about-us/

[6] See “Stakeholder consultations” in the Explanatory Memorandum of the FIDA proposal.

Authors

Valeria Gallo

Senior Manager

Valeria is a Senior Manager in the EMEA Centre for Regulatory Strategy. Her focus is on regulatory initiatives related to payments and FinTech. Valeria joined Deloitte in early 2012 from a global strategy consulting firm where she was the Business Operations Manager for the European financial services practice.

Suchitra Nair

Partner

Suchitra is a Partner in the EMEA Centre for Regulatory Strategy and helps our clients to navigate the regulatory landscape around technological innovation. She sits on the UK Fintech Executive and leads our thought leadership on topics such as digitisation, cryptoassets, AI, regulatory sandboxes, Suptech, payment innovation and the future of regulation. She recently completed a secondment at the Bank of England, supervising digital challenger banks. Suchitra is a member of various industry working groups on innovation in financial services and has regularly featured in the Top 150 Women in Fintech Powerlist (Innovate Finance). She is a qualified Chartered Accountant and has previously worked in Deloitte’s Audit, Corporate Finance and Risk Advisory teams, where she led large-scale regulatory change projects.

Steven Bailey

Director

Steven is a Director leading Payments for Digital Transformation, Analytics and Control. He is co-leader of the Deloitte EMEA Payments Group. He has eighteen years’ experience in technology risk with Deloitte and thirteen years’ experience in the payments sector. During his career at Deloitte he has led major process, technology and regulatory reviews across banks, payment service providers, global payment networks, payment schemes and various other financial services institutions.