The Financial Data Access (FiDA) Regulation

What is the Financial Data Access (FiDA) Regulation?

On 28 June 2023, the European Commission published a Proposal for a regulation on a framework for Financial Data Access.

According to Article 1 (subject matter), this Regulation establishes rules on the access, sharing and use of certain categories of customer data in financial services. This Regulation also establishes rules concerning the authorisation and operation of financial information service providers.

The European Union’s financial data economy is fragmented, characterised by uneven data sharing, barriers, and high stakeholder reluctance to engage in data sharing beyond payments accounts.

Customers do not benefit from individualised, data-driven products and services that may fit their specific needs. The absence of personalised financial products limits the possibility to innovate, by offering more choice and financial products and services for interested consumers who could otherwise benefit from data-driven tools that can support them to make informed choices, compare offerings in a user-friendly manner, and switch to more advantageous products that match their preferences based on their data. The existing barriers to business data sharing are preventing firms, in particular SMEs, from benefiting from better, convenient and automated financial services.

A dedicated and harmonised framework for access to financial data is necessary at Union level to respond to the needs of the digital economy and to remove barriers to a well-functioning internal market for data.

The Financial Data Access (FiDA) Regulation introduces new legal obligations on financial institutions acting as data holders, to share defined categories of data.

According to Article 2 (scope):

1. This Regulation applies to the following categories of customer data on:

(a) mortgage credit agreements, loans and accounts, except payment accounts, including data on balance, conditions and transactions;

(b) savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets;

(c) pension rights in occupational pension schemes;

(d) pension rights on the provision of pan-European personal pension products;

(e) non-life insurance products, with the exception of sickness and health insurance products;

(f) data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.

2. This Regulation applies to the following entities when acting as data holders or data users:

(a) credit institutions;

(b) payment institutions;

(c) electronic money institutions;

(d) investment firms;

(e) crypto-asset service providers;

(f) issuers of asset-referenced tokens;

(g) managers of alternative investment funds;

(h) management companies of undertakings for collective investment in transferable securities;

(i) insurance and reinsurance undertakings;

(j) insurance intermediaries and ancillary insurance intermediaries;

(k) institutions for occupational retirement provision;

(l) credit rating agencies;

(m) crowdfunding service providers;

(n) PEPP providers;

(o) financial information service providers.

How is the Financial Data Access (FiDA) affecting financial information service providers that do not have an establishment in the Union?

According to Article 13 (Legal representatives):

1. Financial information service providers that do not have an establishment in the Union but that require access to financial data in the Union shall designate, in writing, a legal or natural person as their legal representative in one of the Member States from where the financial information service provider intends to access financial data.

2. Financial information service providers shall mandate their legal representatives to be addressed in addition to or instead of the financial information service provider by the competent authorities on all issues necessary for the receipt of, compliance with and enforcement of this Regulation. Financial information service providers shall provide their legal representative with the necessary powers and resources to enable them to cooperate with the competent authorities and ensure compliance with their decisions.

3. The designated legal representative may be held liable for non-compliance with obligations under this Regulation, without prejudice to the liability and legal actions that could be initiated against the financial information service provider.

4. Financial information service providers shall notify the name, address, the electronic mail address and telephone number of their legal representative to the competent authority in the Member State where that legal representative resides or is established. They shall ensure that that information is up to date.

5. The designation of a legal representative within the Union pursuant to paragraph 1 shall not constitute an establishment in the Union.

The Financial Data Access (FiDA), the General Data Protection Regulation (GDPR), and other EU legal acts

This proposal for the Financial Data Access (FiDA) Regulation respects the General Data Protection Regulation (GDPR), which sets the general rules on the processing of personal data related to a data subject and ensures the protection of personal data as well as the free movement of personal data.

The FiDA proposal is a sectoral building block that fits into the broader European strategy for data and enables data sharing within the financial sector and with other sectors. It is based upon the key principles for data access and processing set out in the Commission’s cross-sectoral initiatives.

The Data Governance Act focuses on increasing trust in data sharing and improving seamless interconnection (‘interoperability’) between data spaces and creating a framework for data intermediation service providers.

Another cross-sectoral initiative is the Digital Markets Act, which establishes a number of data-related obligations to tackle the power of gatekeeper platforms and ensure contestability in the digital markets by, for example, allowing financial institutions on behalf of their customers or when using gatekeeper core platform services to access data held by gatekeepers.

Yet another cross-sectoral initiative is the Data Act that establishes new data access rights for the Internet of Things (IoT) data – i.e. the data that products obtain, generate or collect concerning their performance, use or environment – for both product users and providers of related services. It also establishes generally applicable obligations for data holders, which are required to make data available to data recipients under EU law or national legislation adopted in line with EU law.

The FiDA proposal complements the EU retail investment strategy. It will support its objective to improve the functioning of the retail investor protection framework by providing safeguards in the use of retail investor data in financial services. Moreover, it ensures compliance with the rules on cybersecurity and operational resilience in the financial sector, as set out in the Digital Operational Resilience Act (DORA).
