On 28 June 2023, the European Commission published a proposal for a regulation on a framework for Financial Data Access (“FIDA”) for the access and use of customer data. As part of the EU Digital Finance Strategy, FIDA is expected to lead to better-quality, user-centric financial services and new data-driven business models in the financial sector. FIDA could also open new business opportunities in the fintech sector.
As the financial data space evolves, new interfaces, data-sharing methods, and other technologies may also bring new risks, particularly in cybersecurity. We recommend that stakeholders in the fintech sector consider their role, potential responsibilities, and opportunities in light of the upcoming regulations.
Ambitious Framework for Financial Customer Data Sharing
FIDA complements the existing financial data sharing legislation, such as the open banking provisions of PSD2 Directive 2015/2366 regulating access to payment account data, and goes far beyond them. FIDA also entails significant interplay with the horizontal framework for mandatory data sharing under the upcoming Data Act and the GDPR’s data protection rules.
Under FIDA, financial institutions (data holders) would be obliged to make available certain customer data to other financial institutions, authorised financial information service providers (“FISPs”) (data users) and to the customers, at the customer’s request.
Data holders should make the data available without undue delay, continuously, and in real time. Alongside this, the new framework focuses on customers’ trust in and control over their data, as well as on the technical and contractual means to carry out data sharing in a secure and efficient way. The data in question is personal and non-personal customer data, divided under FIDA into categories such as loans, savings, investments, crypto-assets, pensions, and non-life insurance products.
Some key features of FIDA in a nutshell
- Dashboard. Data holders should share customer data to data users only for the purposes for which the customer has granted permission. To manage permissions, data holders should provide the customers with real-time permission dashboards in the data holder’s user interface.
- Financial Information Services Providers. FISPs are entities other than financial institutions that wish to provide financial information services as data users. “Financial information services” are not defined in the proposal. FIDA sets forth the conditions for becoming a FISP, including authorisation and operational requirements. Becoming a FISP could be an option for fintech companies other than financial institutions to access customer data (for which the customer has granted permission).
- Compensation. A data holder may claim compensation from a data user for sharing the customer data if the data is shared in accordance with the rules of a Financial Data Sharing Scheme. For customers, the data should be made available free of charge.
- Financial Data Sharing Schemes. All data holders and data users should be members of at least one Financial Data Sharing Scheme (“FDSS”). The FDSSs are meant to develop common data and technical standards as well as contractual frameworks (including liability) governing access to specific datasets within the FDSS.
Status and Challenges
FIDA is ambitious, and open questions remain. Whereas PSD2 focused on payment account data, FIDA covers a wide range of customer data and financial institutions. The Open Finance Report of the Expert Group on European financial data space, which was used to develop FIDA, covered several use cases but still only scratches the surface compared to the scope of FIDA. Further, the European Data Protection Supervisor raised concerns regarding the broadness of the definition of customer data under FIDA in its Opinion 38/2023 of 22 August 2023. FIDA also provides that the sharing of customer data should respect the protection of confidential business data and trade secrets, but how this is to be implemented in practice is unclear. Businesses have also raised concerns regarding the investments required in technical infrastructure and compliance.
Next, FIDA is subject to review by the Council and the Parliament, where the Committee on Economic and Monetary Affairs (ECON) is responsible for the file. The open finance framework has been one of the EU’s legislative priorities for 2023 and 2024, and the work on FIDA is likely to continue after the 2024 Parliament elections.
Digital Operational Resilience for Open Finance
As the EU continues to advance its open finance framework, fintech innovations and products must align with robust financial regulation and operational risk management. This alignment supports sustainable technological development, which in turn fosters a secure financial environment, protects customers, and bolsters financial stability. Innovation and security need to be balanced, with technology and cybersecurity standards developed together rather than in isolation.
CER Directive 2022/2557 addresses the overall resilience of critical entities against physical and other non-cyber hazards, while NIS2 Directive 2022/2555 deepens the requirements on cybersecurity and cyber resilience across various critical sectors. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) then takes cybersecurity and operational resilience legislation to the sector-specific level, reflecting the cybersecurity challenges and risk profile characteristic of financial services. Understanding the distinctions between these instruments is essential when navigating the evolving regulatory landscape of fintech.
The widespread use of ICT services is reflected in intricate contractual arrangements. Prior to DORA, financial institutions frequently struggled to negotiate contracts aligned with their prudential standards and regulatory requirements. Enforcing certain rights specified in these agreements, such as access or audit rights, can also prove challenging. Furthermore, many contracts lack robust provisions for monitoring subcontracting, limiting the ability of financial entities to assess the associated risks. DORA, published in the Official Journal on 27 December 2022, introduced a comprehensive framework for enhancing the operational resilience of financial entities, explicitly addressing, inter alia, the aforementioned challenges and related third-party risks. The regulation lays down specific rules governing ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring. Notably, DORA acknowledges that ICT incidents and a lack of operational resilience can imperil the stability of the entire supply chain.
Applying from 17 January 2025, DORA is a response to the escalating cyber threats faced by the financial sector. It obliges financial entities to prepare for, respond to, and recover from ICT-related disruptions and threats. Ultimately, DORA marks a substantial step forward in EU financial regulation, establishing a harmonised and comprehensive framework for managing digital operational resilience, safeguarding the financial sector’s stability, and enhancing consumer protection. A key question in the efforts to establish a standardised open finance ecosystem is the practical interaction between DORA and FIDA; the FIDA proposal also amends DORA to bring FISPs within its scope in the future.
DORA and NIS2 represent crucial pillars in the evolving open finance framework, shaping the future of financial technology and cybersecurity standards.
As the cybersecurity regulations evolve and are implemented, organisations should stay informed and adapt their cybersecurity practices to meet the requirements of DORA and the regulatory technical standards developed jointly by the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority. In addition to DORA, companies operating in the financial sector or forming part of its critical supply chain should be able to demonstrate compliance with NIS2 and its national implementing instruments; where DORA applies, it takes precedence over NIS2 as the sector-specific act. Even if DORA does not apply, certain entities may be classified as essential or important entities under NIS2 and thus become subject to the obligations thereunder.
Practical Steps to Take:
- The EU is advancing its data regulations, including the open finance framework. Although FIDA is still at the proposal stage and changes may come, it is worth exploring how FIDA could change or create business models in fintech.
- DORA will apply from 17 January 2025, so preparations should be underway. To ensure compliance with DORA, it is recommended to carry out a gap assessment identifying the discrepancies between current practices and DORA’s requirements and to establish a plan to close those gaps. Third-party ICT agreements may also need to be amended as part of the process.
If you have any questions or wish to learn more about how to prepare for the upcoming regulations, we are happy to continue the discussion. Please see our contact details below.