On 2 December 2024, the Council of the European Union published its mandate for negotiations on a regulation governing the legal framework for access to financial data. This opens negotiations with the EU Parliament. But what exactly is at stake?
1. Background
In 2020, the Digital Finance Strategy for the EU was introduced with the main objective of creating a European Financial Data Space. In addition to the revision and modernisation of the Payment Services Directive and the introduction of a new regulation (more information on PSD III and PSR can be found in our newsletter from summer 2024), FiDAR (= Financial Data Access Regulation) is intended to make a significant contribution to achieving this goal. It was proposed by the European Commission on 28 June 2023.
2. Goals
Some of the objectives of FiDAR are:
improved data exchange between financial service providers, resulting in more innovative and highly personalised financial products and services,
increased competition in the financial sector,
better access to finance for consumers and small and medium-sized enterprises (SMEs) and
better protection of customer privacy through high security standards.
These goals are to be achieved through harmonised rules on which data may be exchanged in the financial sector and how, and by promoting transparency and comparability.
3. Scope of application
The scope of FiDAR includes both personal and non-personal data collected by financial institutions in the normal course of business. Examples of product categories for which data should be made available are:
Mortgages, loans and specific accounts
Savings, investments, crypto-assets, real estate and insurance investment products
Data for assessing the creditworthiness of companies
Non-life insurance products (in accordance with Directive 2009/138/EC), with the exception of health insurance products
Claims in connection with occupational pension schemes
FiDAR is intended to extend the principle of 'open banking' established in PSD II to 'open finance' by enabling the exchange of not only payment account data, but also financial data.
The FiDAR draft distinguishes between the following parties involved in data exchange:
Customer (= natural or legal person using financial services),
Data holder (= financial institution, e.g. credit institution or insurance company) and
Data user (= organisation that receives access to the customer's data with the customer's permission).
The preconditions for accessing and using the data are that
the data user is authorised as a financial information service provider within the meaning of Art. 3 No. 7 FiDAR (= data user who provides financial information services and is authorised to access customer data for this purpose) and
the customer gives their consent.
In particular, the provisions of the General Data Protection Regulation (GDPR) and the PSD must be complied with.
The obligation of data holders to provide a digital dashboard containing an overview of all data access and a simple cancellation function is intended to strengthen consumer protection.
4. Rights and obligations
Customers have the right to disclose their data to data users, but there is no obligation to do so.
Anyone who holds customer data (e.g. financial institutions) is obliged to make this data available to data users. The necessary technical infrastructure must be created and the customer's consent must be obtained.
Customers have complete control over who accesses their data and for what purpose.
Data users and data holders must be members of a system that processes customer data and the necessary technical interfaces.
There are liability regulations and dispute resolution mechanisms in the event of data breaches.
Data users are obliged to remunerate data holders appropriately (smaller companies only have to compensate for the costs).
5. Implementation
Once the Council has reached an agreement, negotiations take place with the European Parliament to discuss the final version of the regulation. If an agreement is reached, the two institutions must formally adopt the legislation, after which it is published in the Official Journal of the EU and comes into force 20 days later.
According to the FiDAR draft, financial service providers have 24 months from the date of entry into force to implement the requirements. Within 18 months, they must at least join a ‘Financial Data Sharing Scheme’, in which technical standards and harmonised rules are to be agreed.
6. Conclusion