The European Union (EU) is moving forward with establishing Open Finance following the proposal for a framework for financial data access (‘FIDA Proposal’) published in June 2023.1 Currently, significant changes are being discussed by the EU legislative bodies (EU Parliament and EU Council of Ministers). This article brings attention to some key discussion points in order to reflect on how the final framework may look. Final clarity as to the text is expected in Q3 or Q4 2025, and from that moment onwards, financial institutions have 30-32 months to implement the requirements.2
The FIDA Proposal introduces an access right to a broad range of financial data (banking, insurance, investments, pensions, crypto, and more). The three actors of the ecosystem are data holders (entities who currently hold customer data), data users (entities interested in accessing customer data to offer services and products), and customers (whose permission is the enabling key to data access).
The Proposal presupposes the standardisation of various financial data and respective data points for them to be made available via technical interfaces. If we are talking about mortgage data, this would mean name, address, credit score, and so on. While some data are already highly standardised, some other types of data, such as demands and needs assessments for insurance products, still need to be. Not all financial firms across the European Union (‘EU’) enjoy the same level of standardisation or digitisation of data in their financial sectors. This means that the implementation costs of FIDA are higher for some types of data than for others. Hence, it is being discussed that the FIDA Proposal should be implemented in three phases based on the criterion of ‘FIDA-readiness’ of data in scope.3 ‘FIDA readiness’ is defined from the degree of (i) standardisation and (ii) digitisation/digital availability of a certain product or service. The approach would start with the standardised data, available in a machine-readable format and digitised. In other words, it will not require much effort for data holders to make this data available, and ideally, they would build upon the experience with the Second Payment Services Directive (‘PSD2’). Such data could be, for example, data on savings and loan accounts. The second phase would include data that are not fully standardised and complex. These data are mostly digitised but not continuously available to customers, such as motor insurance or investments in financial instruments. The third phase would entail complex and heterogeneous data with much less standardisation, such as occupational pension data. The discussion revolves around which financial product or service data belongs in which phase.
The FIDA Proposal mandates data holders and data users to establish schemes with the underlying idea that such collective contracts will contribute towards the standardisation of technical interfaces for data access. An important discussion point in this respect relates to whether data access can also take place outside schemes and, if yes, can data holders get paid for it. The answer is not clear from the current text. On the one hand, since scheme articles (9-12) become applicable before the rest (Article 36), it can be argued that schemes are needed for the making available of data. On the other hand, Article 2(4b) clearly states that FIDA is without prejudice to data access and use based on a purely contractual basis. This means data holders and data users can contract outside schemes for the data in the FIDA’s scope. ‘Purely contractual basis’ means that parties can also agree to compensation for data access. But are data holders allowed to obtain compensation for data access outside schemes? Article 5(2) states that data holders can claim compensation only if data are made available in accordance with the rules of a scheme. But if contracts are allowed, then compensation should be possible. So, can data holders get paid for data access outside schemes? It is unclear. If compensation is not possible, then data holders can refuse access to outside schemes (unless the request is based on GDPR data portability, Article 20) and redirect interested data users to join schemes in order to get access. Big data users, however, such as bigtech, could be able to negotiate data access for free outside schemes using their market power to the detriment of data holders. If data holders can get paid for data access to outside schemes, it would be more interesting for small data users to join schemes as they can achieve a better price thanks to collective bargaining. Big data users, in this case, would be able to negotiate a lower price due to market power. In any case, these questions should be clarified at the legislative level for the sake of legal certainty in the market. This discussion is essential because implementing schemes is one of the means to achieve standardisation in the market and protect the weaker parties in negotiating the price for data access through collective bargaining. Hence, for practical reasons, it favours the mentioned aims of the proposal to allow access to customer data only following the rules and modalities of a financial data access scheme.
One of the first changes to the initial Commission’s proposal was to exclude gatekeepers from access to FIDA data. The initial proposal did not mention them; thus, in the absence of other restrictions related to financial data, it meant that big technological companies like Google, Amazon, or Meta (Facebook) were free to access Open Finance data by obtaining the newly introduced authorisation of the financial information service provider (‘FISP’).4 The ECON Committee proposes to prohibit designated gatekeepers from obtaining the FISP licence and thus, access Open Finance data and to give specific powers to supervisory authorities to ensure that gatekeepers do not circumvent this provision through entities owned or controlled by them (Article 18a). This amendment seems to align with the Digital Markets Act5 and the Data Act (Article 5(3)), which limits gatekeepers’ access to new sources of data that would reinforce their market position. It would also maintain a level playing field with financial incumbents who do not enjoy the advantages of comparable vast customer databases.6 However, bigtechs that act as data holders, because they have an existing financial institution licence (for example, a bank or insurance firm), can still access FIDA data. In this case, they cannot combine the FIDA data with their other customer data (Article 6(4a)). In addition, access through a non-FIDA-related contractual basis with financial institutions remains untouched (Article 2(4b)). So, gatekeepers can contract separately with a bank and access the customer data they wish against compensation. They just may not use the FIDA access right.
The definition of the financial information service (‘FIS’), initially not present in the Commission’s draft, has been the topic of another main discussion. This newly introduced service and its provider are inspired by the account information service providers (‘AISP’) of PSD2 Open Banking. The unclarity regards the FISP-as-a-Service,7 which entails an authorised Open Finance firm that makes available customer data accessed under the FIDA proposal to a non-Open Finance firm against a fee. AISP-as-a-Service, a similar business model with payment account data, is popular under the PSD28 and is now provided for in the definition of the account information service, in the PSD2’s review (PSR/PSD3).9 The difference between the definitions of financial information service and account information service might serve as an indication that FISP-as-a-Service will not be allowed. On the other hand, Article 6(4)(aa) prohibits data users from transferring customer data to a third party without the customer’s explicit permission, indicating that transfer is possible, but safeguards must be complied with. There is merit in this discussion because, in some cases, it might not be interesting for a firm to go through the costs of obtaining FISP authorisation and joining financial data access schemes in order to access FIDA data. The aim is to avoid compliance and data access costs for the non-Open Finance firm. For example, an auditing firm that accesses PSD2 data might be interested in also accessing FIDA data to provide some of its services.10 Should they get a FISP authorisation, or can they use the FISP-as-a-Service business model to get the data they want without the hassle of being regulated and supervised under FIDA? We think that regardless of the outcome, legal clarity must be ensured, and hence, customer protection as well.
Some Member States have been increasingly concerned about the consequences of Open Finance data access on customers, especially the risk of financial exclusion and customer profiling.11 For example, a bank could give a certain credit score and automatically decline credit to people with a lower income. Therefore, suggestions have been made to exclude data on climate and natural disasters and limit the accessibility to customer data not older than five years. Counterarguments mention that climate and natural disasters are valuable data for insurers of such events for accurate pricing, and the five-year-old limit cannot be a one-size-fits-all approach as some data are inherently more long-term. One example is mortgage data. The FIDA Proposal also contains several financial exclusion safeguards to be respected by data users. Data perimeters and powers on the European Supervisory Authorities to draft standards on how FIDA data can or cannot be used to safeguard customer protection are among them (Article 7). Looking at the broader EU legislation, consumer profiling is regulated by the General Data Protection Regulation (‘GDPR’) in Article 22, which will be fully applicable to the future Open Finance ecosystem.12 However, the GDPR applies only to natural persons, so customer profiling remains an unaddressed risk for legal persons such as small and medium enterprises (‘SMEs’) unless these are so closely related to their owner that profiling these SMEs in practice means profiling the owner himself. In this sense, there is merit in the FIDA Proposal to include safeguards to prevent profiling of such vulnerable categories of customers but also maintain the balance to facilitate innovation and competition.
A second debated issue is whether to partly exclude occupational pension data.13 This is a hot topic for several reasons. Those who support its exclusion argue similarly to why life, health, and sickness insurance are excluded from the FIDA scope. Occupational pension data, especially when it concerns the payout of disability pensions, reveals information about one’s health and, therefore, would endanger financial exclusion, and discrimination and diminish the risk-sharing principle of insurance as this data would be an indirect method for insurance firms to provide life, health, and sickness insurance.14 The second reason for exclusion is that customers do not choose the provider or its features as that is decided by the employer.15 Therefore, since customers (employees) cannot switch to another occupational pension provider, there is a lack of added value, and Open Finance access would not really contribute to more competitive alternatives. However, on the other hand, the European Insurance and Occupational Pensions Authority (‘EIOPA’) is responsible for developing draft regulatory technical standards (per the latest draft version voted in the ECON)16 to prevent the misuse of FIDA data in the pricing of life and health insurance. Additionally, although the employee cannot switch the occupational pension provider, occupational pension data holds a lot of information about the customer that can be used to offer other products, such as investment advice. Information about one’s salary and potential retirement income could be very helpful when evaluating a person’s financial situation. Therefore, this data remains a valuable source of information that, if excluded, would inhibit the benefits that FIDA data access promises to bring.
Despite different viewpoints on the modalities of EU Open Finance, there seems to be no discussion challenging the underlying idea: financial institutions making their customer data available based on customer permission. It is safe to say that it is a matter of time before Open Finance is implemented in the EU internal market. Starting from the moment of adoption (expected around Q3 or Q4 2025), market players have 30-32 months to implement Open Finance. In light of this, they should be mindful of the degree of standardisation and digitisation of their customer data as determinants of the FIDA implementation costs. It is clear that all financial players, especially insurance providers, must pay attention to the financial exclusion safeguards, and bigtechs can always enter the financial services market through private contracts with financial institutions. What remains unclear is if data users can access FIDA data outside schemes and, if that is the case, whether they should pay for it and whether a market player can access customer data without authorisation through another authorised data user.
This editorial piece was first published in The Paypers' Open Finance Report 2024, the latest comprehensive market overview and analysis focusing on the key players and products within the Open Banking and Open Finance ecosystem. Download the full report to discover more insightful content.
1European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554’ (COM(2023) 360 final 2023/0205(COD), 28 June 2023) <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0360> accessed 27 September 2024. 2As of writing, the proposal is waiting for a vote in the European Parliament after obtaining the vote in the responsible committee (Committee on Economic and Monetary Affairs (‘ECON Committee’)) <www.europarl.europa.eu/doceo/document/A-9-2024-0183_EN.html> accessed 27 September 2024. Several meetings have taken place in the Council of Ministers as well. See for the Council’s approach (January-June 2024), Council of the EU, ‘Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 - Progress report’ (10949/24, 14 June 2024) <https://data.consilium.europa.eu/doc/document/ST-10949-2024-INIT/en/pdf> accessed 27 September 2024. 3Ibid in the Council’s Progress Report. 4The designated gatekeepers are Alphabet Inc. (Google), Amazon.com Inc., Apple Inc., ByteDance Ltd. (TikTok), Meta Platforms, Inc. (Byte) (Facebook), Microsoft Corporation Inc. and Booking, at European Commission, ‘Digital Markets Act (DMA): Gatekeepers’ <https://digital-markets-act.ec.europa.eu/gatekeepers_en> accessed 27 September 2024. 5Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) OJ L 265/1, 12.10.2022. 6Eugerta Muçi, ‘The EU Open Finance Proposal: Opening the Gates to Financial Services Data’ (Oxford Business Law Blog, 15 December 2023) <https://blogs.law.ox.ac.uk/oblb/blog-post/2023/12/eu-open-finance-proposal-opening-gates-financial-services-data> accessed 27 September 2024. 7Article 3(6a) FIDA Proposal ‘‘financial information service’ means the online service provided by a data user of collecting and consolidating customer data to customers and does not include the provision of services regulated under existing Union financial services legislation and reserved for financial institutions authorised under Union law’. 8European Banking Authority, ‘Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2)’ (EBA/Op/2022/06, 23 June 2022) <www.eba.europa.eu/sites/default/files/document_library/Publications/Opinions/2022/Opinion%20od%20PSD2%20review%20%28EBA-Op-2022-06%29/1036016/EBA%27s%20response%20to%20the%20Call%20for%20advice%20on%20the%20review%20of%20PSD2.pdf> accessed 27 September 2024. 9Article 3(21) PSR ‘‘account information service’ means an online service of collecting, either directly or through a technical service provider, and consolidating information held on one or more payment accounts of a payment service user with one or several account servicing payment service providers’ at European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010’ (COM(2023) 367 final 2023/0210(COD), 28 June 2023) <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0367> accessed 27 September 2024. 10Thomson Reuters, ‘Open Banking’ at <https://tax.thomsonreuters.co.uk/products/open-banking/> accessed 27 September 2024. 11French Delegation to the Council of the European Union, ‘French Non-Paper, FIDA: How to Tackle the Risk of De-Mutualization’ (WK 6757/2024 ADD 1, 8 May 2024) <https://pensionseurope.eu/wp-content/uploads/FR-non-paper-FiDA.16.04.pdf> accessed 27 September 2024. 12Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1 04.05.2016 <https://eur-lex.europa.eu/eli/reg/2016/679/oj> accessed 27 September 2024. 13Ibid. 14PensionsEurope, ‘PensionsEurope Position Paper on the European Commission’s Proposal for a Framework for Financial Data Access’ (Position Paper, October 2023) <https://pensionseurope.eu/wp-content/uploads/PensionsEurope-position-paper-on-FIDA-ECs-proposal-October-2023_0.pdf> accessed 27 September 2024. 15Pensioen Federatie, ‘Dutch Pension Funds: How to Make Pension Fund Members and Beneficiaries Benefit from the Financial Data Access Regulation’ (Position Paper, 25 September 2023) <www.pensioenfederatie.nl/stream/fida-position-paper-dutch-pension-funds.pdf> accessed 27 September 2024. 16<www.europarl.europa.eu/doceo/document/A-9-2024-0183_EN.html> accessed 27 September 2024.
As an Attorney-at-law at Kennedy Van der Laan, Emanuel van Praag helps leading financial institutions navigate the complex and dynamic regulatory landscape. With over 15 years of experience in the financial industry, he has in-depth knowledge and practical insights into the legal and business challenges facing the sector, especially in the areas of Big Data, Open Finance, Payments (PSD2), Investment Services (MiFID II, AIFMD) and Cryptoassets. Emanuel combines legal practice with academic research and teaching as a Professor of Financial Technology and Law at Erasmus School of Law. He publishes articles and books on the impact of emerging technologies on the financial sector and the law. He wrote a leading textbook on PSD2 and Open Finance. Kennedy Van der Laan is a full-service Dutch law firm with more than 120 lawyers, serving market leaders since 1992, with specialist legal knowledge in the areas of FinTech, Payments, IP, Privacy and Employment Law.
Kennedy Van der Laan was established in 1992, and since then has been driven by the ambition to serve as top-level attorneys and improve the world. With over 120 lawyers KVdL is a full-service law firm. KVdL’s FinTech and payments practice is highly regarded.
As a third year PhD Candidate at Erasmus University Rotterdam, Erasmus School of Law, Eugerta Muçi researches how a safe and competitive infrastructure for Open Finance can be built in the EU. Eugerta has graduated summa cum laude from KU Leuven and the University of Zürich with a Double Degree Master in Law in European and Financial Law. She has various publishments on Open Finance and Open Banking (PSD2). Besides her PhD, she consults a global consultancy firm on financial law matters, specifically Open Finance. Eugerta is also a Member of the Albanian Bar Association. Erasmus University Rotterdam is a highly ranked international research university founded in 1913. Erasmus School of Law offers high-quality legal and criminological education and researches law from economic and social perspectives.
Erasmus University Rotterdam was founded in 1913 and is a highly ranked, international research university, based in the dynamic and diverse city of Rotterdam, the Netherlands. Erasmus School of Law offers high-quality legal and criminological education and researches law from economic and social perspectives.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now