Proposed Open Finance framework/FIDA: Bird & Bird’s initial thoughts

Introduction

One week ago, on 28 June 2023, i.e. on the same day that it published its PSD3 and Payment Services Regulation (PSR) proposals, the European Commission (EC) also published a proposal on Open Finance, i.e. access to more than “just” the payment accounts regulated today under PSD2 and, in the future, under PSD3 and the PSR.

More specifically, the EC published a proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access (FIDA). Like the PSD3 and PSR proposals, it is also available here.

As with PSD3 and the PSR, this is only the beginning of the EU legislative process in relation to FIDA. It isn’t clear how long this process will take, but it is possible that the proposal will not be adopted in final form until Q2 2025 at the earliest.

FIDA would then be published in the Official Journal of the EU, “enter into force” 20 days later, and “become applicable” (i.e. need to be complied with) 24 months after entry into force, with the exception of Articles 9 to 13 (on schemes, applications for authorisation as a Financial Information Service Provider (FISP) and legal representatives of FISPs), which would become applicable 18 months after the date of entry into force.

Background

FIDA is proposed against the background of the horizontal (i.e. cross-sectoral) EU approach to data sharing established by the proposed Regulation on harmonised rules on fair access to and use of data, i.e. the so-called proposal for a Data Act, which is currently in trilogue negotiations.

FIDA provides a legal framework for sharing customer data between various entities active in the financial services sector, and supplements the current provisions on sharing payment account data between Account Servicing Payment Service Providers (ASPSPs) and Account Information Service Providers (AISPs) under PSD2 (and under the PSR in the future). It will allow those entities to create new business models based on processing and analysing data on the financial condition of customers.

Contrary to some predictions, the provisions on account information services (currently regulated under PSD2, and in the future under the PSR) have not been incorporated into FIDA, but remain regulated by the PSR.

Addressees of the FIDA proposal

FIDA is addressed to the following institutions:

  • credit institutions,
  • payment institutions (PIs) including AISPs,
  • e-money institutions (EMIs),
  • investment firms,
  • crypto-assets service providers (CASPs),
  • issuers of asset-referenced tokens,
  • managers of alternative investment funds,
  • UCITS management companies (i.e. management companies of undertakings for collective investment in transferable securities),
  • insurance and reinsurance undertakings,
  • insurance intermediaries and ancillary insurance intermediaries,
  • institutions for occupational retirement provision,
  • credit rating agencies,
  • crowdfunding service providers,
  • pan-European Personal Pension Product providers,
  • as well as a new category of financial services providers called financial information service providers (FISPs). A FISP is an entity that acts as a data user under FIDA and does not provide any other financial service.

All the institutions above can act under FIDA as data users (i.e. entities receiving data on customers from data holders).

All can also act as data holders (i.e. institutions holding information on customers and required to make that information available to data users and to the customers), with the exception of AISPs and FISPs, which do not qualify as data holders and are therefore not required to make information available to data users and customers.

Obligations under the FIDA proposal

Under the FIDA proposal, a data holder is required to make certain data (listed below) available to:

  • the customer. The data needs to be made available to the customer without undue delay, free of charge, continuously and in real time;
  • upon request from the customer, a data user, without undue delay, continuously and in real time. This is not necessarily free of charge: the data holder may claim a “reasonable compensation” from the data user if the customer data is made available to the data user in accordance with the rules and modalities of a financial data sharing scheme (scheme).

In both cases the data holder makes customer data available upon request from a customer submitted by electronic means.

The customer data that should be made available to a data user include the following:

a. mortgage credit agreements, loans and accounts, except payment accounts (as defined in PSD2 and, in the future, in the PSR), including data on balance, conditions and transactions;
b. savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets, as well as the economic benefits derived from such assets, including data collected for the purposes of carrying out an assessment of suitability and appropriateness as defined in MiFID2;
c. pension rights in occupational pension schemes in accordance with Directive 2016/2341 or the Solvency II Directive;
d. pension rights on the provision of pan-European personal pension products, in accordance with Regulation (EU) 2019/1238;
e. non-life insurance products in accordance with the Solvency II Directive, with the exception of sickness and health insurance products, including data collected for the purposes of a demands and needs assessment in accordance with Article 20 of IDD, and data collected for the purposes of an appropriateness and suitability assessment in accordance with Article 30 of IDD;
f. data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.

However, FIDA does not specify the detailed scope of customer data that can be shared with a data user. For example, it is unknown at this stage what type of data on investments in financial instruments can be shared by an investment firm with a data user.

A data user is allowed to access customer data for the purposes and under the conditions for which the customer has granted its permission (i.e. conditions agreed with the customer), but it cannot process any customer data for purposes other than performing the service explicitly requested by the customer.

A data user is required to delete customer data when it is no longer necessary to store such data for the purposes agreed with a customer. Moreover, data users cannot process customer data for advertising purposes, except for direct marketing.

Comparison between PSD2 today, the PSR proposal and the FIDA proposal

We thought it would be helpful to compare some of the features of access to payment accounts under PSD2 today, access to payment accounts in the future under the PSR, and access to other types of information under the FIDA proposal. Therefore we have put together the below table that attempts to compare some of the aspects of the three regimes.

 

For each issue, the three regimes compared are: PSD2 and the RTS on SCA and CSC; the PSR proposal; and the FIDA proposal.

Issue: Who can “receive” data?

  • PSD2 and RTS on SCA and CSC: AISPs (with “explicit consent” from the PSU - Art. 67 PSD2).
  • PSR proposal: Same as PSD2 (with “permission” from the PSU - Art. 67 PSR).
  • FIDA proposal: “Data users”, i.e. all the entities listed in Article 2(2) FIDA, which includes AISPs but also a new category of entities created by FIDA called “financial information service providers” (FISPs), with “permission” from the customer. In addition, “The data holder shall, upon request from a customer submitted by electronic means, make the data listed in Article 2(1) available to the customer without undue delay, free of charge, continuously and in real-time” (Art. 4).

Issue: Who is required to make data available?

  • PSD2 and RTS on SCA and CSC: ASPSPs that maintain payment accounts that are accessible online (AISPs don’t have to make data available to others) (Art. 67(1) PSD2).
  • PSR proposal: Same as PSD2 (Art. 33(2) and 35(1) and (2) PSR).
  • FIDA proposal: “Data holders”, i.e. financial institutions, i.e. the entities listed in Art. 2(2)(a) to (n) except AISPs (i.e. AISPs aren’t required to make data available to data users or customers), as long as they collect, store and otherwise process the data listed in Article 2(1). A FISP doesn’t qualify as a “financial institution”, therefore doesn’t qualify as a “data holder”, and therefore isn’t required to make data available to “data users” or to the customer.

Issue: What data can be accessed?

  • PSD2 and RTS on SCA and CSC: “... the same information from designated payment accounts and associated payment transactions made available to the [PSU] when directly requesting access to the account information, provided that this information does not include sensitive payment data” (Art. 36(1)(a) RTS on SCA and CSC).
  • PSR proposal: “At least” the same as PSD2/RTS on SCA and CSC (Art. 37(2) PSR).
  • FIDA proposal: The categories of customer data listed in Art. 2(1) (e.g. mortgages, savings, investments, pension rights, non-life insurance, etc.).

Issue: How frequently?

  • PSD2 and RTS on SCA and CSC: “(a) whenever the payment service user is actively requesting such information; (b) where the payment service user does not actively request such information, no more than four times in a 24-hour period …” (Art. 36(5) RTS on SCA and CSC).
  • PSR proposal: “… whether or not the [PSU] is actively requesting such information” (Art. 41(2) PSR), i.e. seemingly no longer a limitation to four times in a 24-hour period where the PSU is not actively requesting the information?
  • FIDA proposal: “The customer data shall be made available to the data user without undue delay, continuously and in real-time.” (Art. 5(1)). It should also be made available to the customer “without undue delay, free of charge, continuously and in real-time” (Art. 4).

Issue: Need for an agreement with the third party?

  • PSD2 and RTS on SCA and CSC: No agreement required between ASPSP and AISP (but possible if the parties agree).
  • PSR proposal: Same as PSD2 - see Art. 34 PSR: “1. The provision of [AIS] and [PIS] shall not be conditioned by any party on the existence of a contractual relationship to that end between an [AISP] or a [PISP] and an [ASPSP]. 2. [ASPSPs] shall not charge [AISPs] or [PISPs] for access to payment accounts data as regulated under this Chapter.”
  • FIDA proposal: “… data holders and data users shall become members of a financial data sharing scheme governing access to the customer data in compliance with Article 10. 2. Data holders and data users may become members of more than one financial data sharing schemes. …” See Art. 10 FIDA for more details on schemes (e.g. members, rules, participation, transparency, common standards for the data and technical interfaces, reasonable compensation, contractual liability, dispute resolution system, notification to NCAs, etc.). In addition, “EBA shall develop, operate and maintain an electronic central register which contains the following information: … (c) the financial data sharing schemes agreed between data holders and data users.” (Art. 15(1)(c)).

Issue: Which technology/interface?

  • PSD2 and RTS on SCA and CSC: Dedicated interface (plus a contingency mechanism/fallback unless exempted) or a modified customer interface (MCI).
  • PSR proposal: At least one dedicated interface (unless the NCA allows the ASPSP (1) to grant access via an MCI or (2) not to grant access at all).
  • FIDA proposal: “(g) a financial data sharing scheme shall include the common standards for the data and the technical interfaces to allow customers to request data sharing in accordance with Article 5(1). The common standards for the data and technical interfaces that scheme members agree to use may be developed by scheme members or by other parties or bodies;” (Art. 10(1)(g)).

Issue: Quality levels?

  • PSD2 and RTS on SCA and CSC: Quality requirements for the interface are set out in the RTS on SCA and CSC, primarily Art. 30-33.
  • PSR proposal: Quality requirements largely copy-pasted from the RTS on SCA and CSC into Art. 35-37 PSR.
  • FIDA proposal: FIDA does not provide specific provisions on quality requirements for interfaces. The “financial data sharing scheme shall include the common standards for the data and the technical interfaces to allow customers to request data sharing in accordance with Article 5(1). The common standards for the data and technical interfaces that scheme members agree to use may be developed by scheme members or by other parties or bodies;” (Art. 10(1)(g)). Furthermore, “A financial data sharing scheme … shall be notified to the competent authority of establishment of the three most significant data holders which are members of that scheme at the time of establishment of the scheme. … the competent authority shall assess whether the financial data sharing scheme’s governance modalities and characteristics are in compliance with paragraph 1.”

Issue: Obstacles?

  • PSD2 and RTS on SCA and CSC: Art. 32(3) RTS on SCA and CSC and the EBA Opinion on obstacles. In particular see para. 43 of the EBA Opinion on obstacles: “Article 32(3) RTS explicitly mentions additional checks of the consent given by PSUs to AISPs/PISPs as a potential obstacle. The EBA clarified in paragraph 13 of the EBA Opinion on the implementation of the RTS (EBA-Op-2018-04) and the final report on the EBA Guidelines on the exemption from the contingency mechanism under Article 33(6) RTS (EBA/GL/2018/07) that it is the obligation of the PISP/AISP to ensure that it has obtained the PSU’s explicit consent in accordance with Article 66(2) of PSD2 and, respectively, Article 67(2)(a) of PSD2, and that the ASPSP should not check the consent given by the PSU to the PISP/AISP. This was also confirmed by the European Commission in its response to Q&A 4309.”
  • PSR proposal: Art. 44 PSR on obstacles, largely copy-pasting from the EBA Opinion on obstacles. In particular: “Prohibited obstacles shall include the following: … (c) requiring additional checks of the permission given by the payment service users to a payment initiation service provider or an account information services provider;”
  • FIDA proposal: FIDA does not provide for specific provisions on prohibited obstacles to data access. However, Art. 5(3)(c) provides: “When making data available pursuant to paragraph 1, the data holder shall: … (c) request data users to demonstrate that they have obtained the permission of the customer to access the customer data held by the data holder”. Interestingly, this seems contrary to the regime under PSD2 and the PSR described above, under which the ASPSP should not check the consent/permission given by the PSU to the AISP/PISP.

Issue: What if the interface is unavailable?

  • PSD2 and RTS on SCA and CSC: The ASPSP shall have in place contingency measures in case the dedicated interface is unavailable (Article 33 of the RTS on SCA and CSC). Art. 33(4): “As part of a contingency mechanism, [TPPs] shall be allowed to make use of the interfaces made available to the [PSUs] for the authentication and communication with their [ASPSP], until the dedicated interface is restored to the level of availability and performance provided for in Article 32.”
  • PSR proposal: See Art. 38 PSR: “[ASPSP] shall … offer … without delay an effective alternative solution … [If] the [ASPSP] has not offered a rapid and effective alternative solution referred to in paragraph 2, [TPPs] may request their competent authority … to allow them to use the interface that the [ASPSP] uses for authentication and communication with its users for payment account data access. … the competent authority may for a time-limited period … authorise all [TPPs] to access payment accounts data via an interface that the [ASPSP] uses for authentication and communication with its users. … As long as the competent authority has not taken a decision on the request, the requesting [TPP] may exceptionally access payment accounts data via an interface that the [ASPSP] uses for authentication and communication with its users. …”
  • FIDA proposal: FIDA does not provide for specific provisions on the unavailability of a data interface. Presumably this scenario will be addressed as part of the scheme rules?

Issue: Fee?

  • PSD2 and RTS on SCA and CSC: No agreement required, therefore no fee (unless the parties agree otherwise in an agreement).
  • PSR proposal: Same as PSD2.
  • FIDA proposal: “A data holder may claim compensation from a data user for making customer data available pursuant to paragraph 1 only if the customer data is made available to a data user in accordance with the rules and modalities of a financial data sharing scheme, as provided in Articles 9 and 10, or if it is made available pursuant to Article 11.” (Art. 5(2)). The methodology for calculating the amount of compensation will be determined by the financial data sharing scheme. Data has to be made available to the customer free of charge.

Issue: What can the third party do with the data?

  • PSD2 and RTS on SCA and CSC: “The [AISP] shall: … (f) not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.” (Art. 67(2)(f) PSD2).
  • PSR proposal: “The [AISP] shall not: … (b) use, access or store any data for purposes other than for performing the account information service permitted by the payment service user, in accordance with Regulation (EU) 2016/679.” (Art. 47(2) PSR).
  • FIDA proposal: “... for the purposes for which the customer has granted permission to the data user” (Art. 5(1)). “A data user shall only access customer data made available under Article 5(1) for the purposes and under the conditions for which the customer has granted its permission. A data user shall delete customer data when it is no longer necessary for the purposes for which the permission has been granted by a customer.” (Art. 6(2)). “... a data user shall: (a) not process any customer data for purposes other than for performing the service explicitly requested by the customer; … (e) not process customer data for advertising purposes, except for direct marketing in accordance with Union and national law;” (Art. 6(4)(a) and (e)). “The processing of customer data referred to in Article 2(1) of this Regulation that constitutes personal data shall be limited to what is necessary in relation to the purposes for which they are processed” (Art. 7(1)).

Issue: Permission dashboard?

  • PSD2 and RTS on SCA and CSC: No dashboard requirement.
  • PSR proposal: Article 43 PSR requires ASPSPs to provide the PSU with a “dashboard … to monitor and manage the permissions the [PSU] has given [to TPPs]”. In particular, the ASPSP and the TPP are required to “cooperate to make information available to the [PSU] via the dashboard in real-time”.
  • FIDA proposal: Almost identical obligations on data holders and data users in Art. 8 FIDA as in Art. 43 PSR. According to Art. 8(4) FIDA, “The data holder and the data user for which permission has been granted by a customer shall cooperate to make information available to the customer via the dashboard in real-time”.

Issue: NCA enforcement powers?

  • PSD2 and RTS on SCA and CSC: Other than the general supervisory powers carried out by NCAs (e.g. compliance with licensing requirements, measures in case of non-compliance and determining administrative penalties), there are no detailed NCA enforcement powers set out in PSD2.
  • PSR proposal: Under Article 48(2) PSR, NCAs shall take, without undue delay, any necessary actions (including sanctions) to preserve account access for AISPs and PISPs. Under Art. 48(3), NCAs must ensure that TPPs comply at all times with their obligations regarding the use of the data access interface. NCAs may request that ASPSPs provide them with data on access by the AISPs and PISPs they service (Art. 48(7) PSR). Likewise, NCAs may request AISPs and PISPs to provide data on their operations. Article 91 PSR lists the various powers that an NCA should have (e.g. require all necessary information, including from non-PSPs (e.g. TSPs, payment system operators); conduct all necessary investigations, including requesting documents, examining books, interviewing individuals, etc.; inspections at business premises; etc.). According to Article 45(d) PSR, NCAs may request from AISPs all data accessed from accounts (the AISP must log this data and keep it for a 3-year period). NCAs may also conclude an ongoing investigation through settlement agreements and create expedited enforcement procedures (Art. 96 PSR). NCAs may impose periodic penalty payments in case of an ongoing breach, until the infringement is terminated (Art. 98 PSR). Art. 100 PSR provides for a right of appeal against decisions and enforcement actions of NCAs under the PSR.
  • FIDA proposal: Very similar provisions to the PSR, in Art. 18 to 24 FIDA. NCAs are given the right to require all necessary information and conduct all necessary investigations, as in Art. 91 PSR. However, FIDA also grants NCAs the power to remove content, restrict access to online interfaces, order hosting services to remove, disable or restrict access, and order domain registries to delete domain names (Art. 18 FIDA). Similar to the PSR, Art. 19-21 FIDA lay down rules for settlements of ongoing investigations, expedited procedures, administrative procedures and penalties, as well as periodic penalty payments. Under Article 24 FIDA, entities and natural persons who are subject to an adverse decision have a right of appeal.

 

Co-authors:
Scott McInnes, Finance & Financial Regulation, Partner, Belgium.
Peter Paulikovics, Finance & Financial Regulation, Junior Legal Advisor, Belgium.
Julien Sad, Finance & Financial Regulation, Senior Associate, Belgium.
Marta Stanislawska, Finance & Financial Regulation, Counsel, Poland.
Melissa Daley, Finance & Financial Regulation, Knowledge Manager, London.
