On 28 June 2023, the European Commission put forward a Legislative Proposal for a Framework for Financial Data Access. This framework aims to establish transparent rights and obligations for managing customer data sharing in the financial sector, extending beyond payment accounts. In essence, it seeks to foster greater innovation in financial products and services for users, while also promoting healthy competition within the financial sector.
The proposed Framework Regulation builds on the ideas laid down in PSD2, the GDPR, and the (draft) Data Act, that customers should be able to instruct their service providers (Data Holders) to share certain customer data to other companies (Data Users).
These Data Users can leverage the obtained data to provide services to the customer. This enables a customer, for example, to instruct their bank to provide data on savings and loans to a financial advisor, which then permits that advisor to provide the customer with more tailored and efficient advice. Depending on the service offered by the Data User, this can be a one-time data sharing or more regular, real-time sharing.
The Framework Regulation is relatively short. The details will need to be worked out in schemes (comparable to the SEPA schemes established by the EPC), to which Data Holders and Data Users are obliged to adhere.
An important caveat is that the Framework Regulation only applies to financial institutions. This means that, for example, a telco (as Data User) can get access to customer data held by a bank, but the bank cannot get information from the telco regarding, for instance, a subscription or how the client in question uses their telephone.
The EC has identified various categories of customer data that will become subject to a data sharing right, namely:
Mortgage credit agreements, loans and accounts, except payment accounts, including data regarding balances, conditions, and transactions;
Savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets, and the economic benefits derived from such assets;
Data collected for the purposes of carrying out an assessment of suitability and appropriateness under the MiFID;
Pension rights in occupational pension schemes and PEPPs;
Non-life insurance products, with the exception of sickness, health, or medical insurance products;
Data that is collected as part of a loan application process or a credit rating request and that is used to evaluate the creditworthiness of a company.
Only financial institutions can access the data without the need to obtain a separate authorisation. These are banks, insurers, (exempted) payment institutions including AISPs, investment firms, crypto asset service providers (as of MiCA), fund managers, insurance intermediaries, crowdfunding service providers, and pension funds. Financial institutions that are regulated under local laws (i.e. not EU law) do not fall under the scope of the Framework Regulation. In the Netherlands, these include, for example, consumer credit providers and consumer credit intermediaries.
Non-financial institutions will need to obtain authorisation from their home-state supervisor which enables them to do business across the EU (a passport regime). Such parties are referred to as Financial Information Service Providers (FISPs). The requirements for authorisation are comparable to those of an account information service provider under PSD2.
It is currently unclear whether a service model in which one party obtains customer data and forwards it (with customer permission) to another party for use in that party's service is allowed if the other party has no licence (the licence-as-a-service model).
BigTechs can also use the possibilities under the Framework Regulation to enrich their data sets. A rule comparable to the one in the draft Data Act prohibiting Big Tech from obtaining more data is not included.
The only explicit rule in the Framework Regulation about how the data is to be shared is the following: ‘Upon request from a customer submitted by electronic means, make available to a data user the customer data for the purposes for which the customer has granted permission to the data user. The customer data shall be made available to the data user without undue delay, continuously and in real-time.’
Apart from this, market parties need to work out the details in a scheme. The Framework Regulation says that a ‘financial data sharing scheme shall include the common standards for the data and the technical interfaces to allow consumers to request data sharing. The common standards for the data and technical interfaces that scheme members agree to use may be developed by scheme members or by other parties or bodies.’
The Framework Regulation requires schemes to be set up. The following governance requirements shall be applicable to such schemes:
Data Holders and Data Users should be equally represented, and customer and consumer organisations should also join the scheme.
All Scheme members shall be treated equally and fairly.
A scheme shall be open to participation by all stakeholders.
A scheme shall not impose any controls or additional conditions for the sharing of data other than those provided in this Regulation or other EU law.
Schemes shall be notified to the supervisor, who will evaluate whether the scheme meets the requirements of the Framework Regulation.
It is not entirely clear what needs to happen when no scheme is successfully set up, but our understanding is that Data Holders still need to make the data available to Data Users, and that they then cannot charge for this data.
Data Users will not get the data free of charge. The Framework Regulation substantially deviates from PSD2 (and the proposal for PSD3) where banks are required to make payment data available to AISPs free of charge. The idea is that, to ensure that Data Holders have sufficient economic incentives to provide high-quality interfaces for making data available to Data Users, Data Holders should be able to request reasonable compensation from the Data Users for putting the required APIs in place. Nevertheless, Data Holders cannot charge excessive fees.
The compensation for Data Holders needs to be worked out in the scheme rules based on the following principles:
It should be limited to reasonable compensation directly related to making the data available to the Data User – and which is attributable to the request;
It should be based on an objective, transparent, and non-discriminatory methodology agreed by the scheme members;
It should be based on comprehensive market data collected from data users and data holders on each of the cost elements to be considered, clearly identified in line with the model;
It should be periodically reviewed and monitored to take account of the technological progress;
It should be devised to gear compensation towards the lowest levels prevalent on the market;
It should be limited to the requests for customer data subject to the Framework Regulation or proportionate to the related datasets in the case of combined data requests.
More favourable principles apply when the Data User is an SME.
The sharing of payment account data will, in the short and medium term, continue to be regulated by PSD2 (and PSD3). No substantial changes have been suggested in PSD3; the changes are mainly clarifications in line with the existing EBA Guidance and Q&As.
Banks will still need to make information on the payment account available for free.
AISPs still need a specific license for this.
The sharing of data implies a significant privacy angle. The Framework Regulation refers to this in three ways:
At various points, it reiterates that all data sharing should be done in compliance with the GDPR.
It mandates that Data Holders must provide customers with a permission dashboard, allowing them to monitor and manage the permissions granted to Data Users. This ensures that customers have clear visibility over which Data Users are accessing their data and for what specific purposes. More importantly, customers also have the convenience of easily stopping data sharing within the Data Holder's environment, without needing to directly contact the Data User. However, it should be noted that terminating data sharing during an ongoing service with a Data User may have contractual implications and potential consequences.
The EBA and EIOPA in cooperation with the EDPB will define Guidelines on the data perimeter for:
Next to his role as counsel at Kennedy Van der Laan, Van Praag is a professor of financial technology and law at the Erasmus University Rotterdam, where he researches topics like big data, Open Finance, and the payments industry (PSD2). As director of the FinTech course, he lectures on topics such as the law of payments, the utilisation of big data, blockchain and crypto assets, digital services, and crowdfunding.
Emanuel is not only academically grounded, but he also understands the financial industry inside out. He was an in-house lawyer at a variety of financial institutions for many years. He understands how financial markets and financial institutions operate.
Emanuel has written well over 35 articles on various topics in books and magazines. In 2020 he published a book on PSD2 and Open Banking. His most recent article (in 2023) deals with data use in the financial industry (Open Finance).