Financial Information Service Providers (FISP)

What is a Financial Information Service Provider (FISP) in the Financial Data Access (FiDA) Regulation?

The Financial Data Access (FiDA) Regulation introduces a new category of authorised Financial Information Service Providers (FISP), to ensure that only trusted and secure providers are eligible to access and process customer data in the financial sector. Consumers will be protected with strong security safeguards against possible data misuse and data breaches as both data holders and data users will be bound by the rules of the Digital Operational Resilience Act (DORA).

According to recital 31 in the preamble of the proposed Financial Data Access (FiDA) Regulation, to promote consumer protection, enhance customer trust and ensure a level playing field, it is necessary to lay down rules on who is eligible to access customers' data.

Such rules should ensure that all data users are authorised and supervised by competent authorities. This would ensure that data can be accessed only by regulated financial institutions or by firms subject to a dedicated authorisation as financial information service providers (FISPs).

Eligibility rules on FISPs are needed to safeguard financial stability, market integrity and consumer protection. FISPs would provide financial products and services to customers in the Union and would access data held by financial institutions, and the integrity of that data is essential to preserve the financial institutions' ability to continue providing financial services in a safe and sound manner.

Such rules are also required to guarantee the proper supervision of FISPs by competent authorities in line with their mandate to safeguard financial stability and integrity in the Union, which would allow FISPs to provide throughout the Union the services for which they are authorised.

Data users are subject to the requirements of the Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554, and are obliged to have strong cyber resilience standards in place to carry out their activities.

This includes having comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents.

Data users authorised and supervised as financial information service providers under the Financial Data Access (FiDA) Regulation must follow the same approach and the same principle-based rules when addressing ICT risks, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. Financial information service providers will be included in the scope of the Digital Operational Resilience Act (DORA) Regulation.

Understanding the role of non-EU Financial Information Service Providers (FISP)

In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, financial information service providers must either be legally incorporated in the Union or, where they are incorporated in a third country, appoint a legal representative in the Union.

Effective supervision by the competent authorities is necessary for the enforcement of requirements under this Regulation, to ensure the integrity and stability of the financial system and to protect consumers.

The requirement of legal incorporation of financial information service providers in the Union, or of the appointment of a legal representative in the Union, does not amount to data localisation, since this Regulation does not entail any further requirement that data processing, including storage, be undertaken in the Union.

A financial information service provider should be authorised in the jurisdiction of the Member State where its main establishment is located, that is, where the financial information service provider has its head office or registered office within which the principal functions and operational control are exercised.

In respect of financial information service providers that do not have an establishment in the Union but require access to data in the Union and therefore fall within the scope of this Regulation, the Member State where those financial information service providers have appointed their legal representative should have jurisdiction, considering the function of legal representatives under this Regulation.

To facilitate transparency regarding data access and financial information service providers, the European Banking Authority will establish a register of financial information service providers authorised under this Regulation, as well as financial data sharing schemes agreed between data holders and data users.

More about Financial Information Service Providers (FISP)

According to Article 12 (Application for authorisation of financial information service providers), in the proposal for the Financial Data Access (FiDA) Regulation:

1. A financial information service provider shall be eligible to access customer data if it is authorised by the competent authority of a Member State.

2. A financial information service provider shall submit an application for authorisation to the competent authority of the Member State of establishment of its registered office, together with the following:

(a) a programme of operations setting out in particular the type of access to data envisaged;

(b) a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

(c) a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, as well as arrangements for the use of ICT services in accordance with the Digital Operational Resilience Act (DORA), which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;

(d) a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations laid down in Chapter III of the Digital Operational Resilience Act (DORA);

(e) a description of business continuity arrangements including a clear identification of the critical operations, effective ICT business continuity policy and plans and ICT response and recovery plans, and a procedure to regularly test and review the adequacy and efficiency of such plans in accordance with the Digital Operational Resilience Act (DORA);

(f) a security policy document, including a detailed risk assessment in relation to its operations and a description of security control and mitigation measures taken to adequately protect its customers against the risks identified, including fraud;

(g) a description of the applicant’s structural organisation, as well as a description of outsourcing arrangements;

(h) the identity of directors and persons responsible for the management of the applicant and, where relevant, persons responsible for the management of the data access activities of the applicant, as well as evidence that they are of good repute and possess appropriate knowledge and experience to access data as determined in this Regulation;

(i) the applicant’s legal status and articles of association;

(j) the address of the applicant’s head office;

(k) where applicable, the written agreement between the financial information service provider and the legal representative evidencing the appointment, the extent of liability and the tasks to be carried out by the legal representative.

For the purposes of the first subparagraph, points (c), (d) and (g), the applicant shall provide a description of its audit arrangements and the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its customers and to ensure continuity and reliability in the performance of its activities.

The security control and mitigation measures referred to in the first subparagraph, point (f), shall indicate how the applicant will ensure a high level of digital operational resilience in accordance with Chapter II of the Digital Operational Resilience Act (DORA), in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations.

3. Financial information service providers shall hold a professional indemnity insurance covering the territories in which they access data, or some other comparable guarantee, and shall ensure the following:

(a) an ability to cover their liability resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of data;

(b) an ability to cover the value of any excess, threshold or deductible from the insurance or comparable guarantee;

(c) monitoring of the coverage of the insurance or comparable guarantee on an ongoing basis.

As an alternative to holding a professional indemnity insurance or other comparable guarantee as required in the first subparagraph, the undertaking referred to in that subparagraph shall hold initial capital of EUR 50 000, which can be replaced by a professional indemnity insurance or other comparable guarantee, without undue delay, after it commences its activity as a financial information service provider.
