On 28 June 2023, the European Commission put forward a Legislative Proposal for a Framework for Financial Data Access. This framework aims to establish transparent rights and obligations for managing customer data sharing in the financial sector, extending beyond payment accounts. In essence, it seeks to foster greater innovation in financial products and services for users, while also promoting healthy competition within the financial sector.

1. What is it about?

The proposed Framework Regulation builds on the ideas laid down in PSD2, the GDPR, and the (draft) Data Act: customers should be able to instruct their service providers (Data Holders) to share certain customer data with other companies (Data Users).

These Data Users can leverage the obtained data to provide services to the customer. This enables a customer, for example, to instruct their bank to provide data on savings and loans to a financial advisor, which then permits that advisor to give the customer more tailored and efficient advice. Depending on the service offered by the Data User, this can be a one-time data sharing or more regular and real-time sharing.

The Framework Regulation is relatively short. The details will need to be worked out in schemes (comparable to the SEPA schemes established by the EPC), to which Data Holders and Data Users are obliged to adhere.

An important caveat is that the Framework Regulation only applies to financial institutions. This means that, for example, a telco (as Data User) can get access to customer data held by a bank, but the bank cannot get information from the telco regarding, for instance, a subscription or how that client uses their telephone.

2. Which data is to be made available?

The EC has identified various categories of customer data that will become subject to a data sharing right, namely:

Mortgage credit agreements, loans and accounts, except payment accounts, including data regarding balances, conditions, and transactions;

Savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets, and the economic benefits derived from such assets;

Data collected for the purposes of carrying out an assessment of suitability and appropriateness under the MiFID;

Pension rights in occupational pension schemes and PEPPs;

Non-life insurance products, with the exception of sickness, health, or medical insurance products;

Data that is collected as part of a loan application process or a credit rating request and that is used to evaluate the creditworthiness of a company.

The key takeaway for Data Holders: Data Holders will need to make these data sets available to Data Users.

The key takeaway for Data Users: Data Users can build their use cases on these data sets.

3. Who can obtain the data?

Only financial institutions can access the data without the need to obtain a separate authorisation. These are banks, insurers, (exempted) payment institutions including AISPs, investment firms, crypto-asset service providers (as of MiCA), fund managers, insurance intermediaries, crowdfunding service providers, and pension funds. Financial institutions that are regulated only under local laws (i.e. not EU law) do not fall within the scope of the Framework Regulation. In the Netherlands, these include, for example, consumer credit providers and consumer credit intermediaries.

Non-financial institutions will need to obtain authorisation from their home-state supervisor which enables them to do business across the EU (a passport regime). Such parties are referred to as Financial Information Service Providers (FISPs). The requirements for authorisation are comparable to those of an account information service provider under PSD2.

It is currently unclear whether a service model in which one party obtains customer data and forwards it (with customer permission) to another party, which uses it for its own service, is allowed if that other party has no licence (the licence-as-a-service model).

Also, BigTechs can use the possibilities under the Framework Regulation to enrich their data sets. A rule comparable to the one in the draft Data Act prohibiting BigTech from obtaining more data is not included.

The key takeaway for Data Holders: There is no rule prohibiting BigTech from obtaining data relating to customers.

The key takeaway for Data Users: In most cases, no separate authorisation will be required for obtaining data under the Framework Regulation.

4. Data sharing in practice (much is still unknown)

The only explicit rule in the Framework Regulation about how the data is to be shared is the following: ‘Upon request from a customer submitted by electronic means, make available to a data user the customer data for the purposes for which the customer has granted permission to the data user. The customer data shall be made available to the data user without undue delay, continuously and in real-time.’

Apart from this, market parties need to work out the details in a scheme. The Framework Regulation says that: a ‘financial data sharing scheme shall include the common standards for the data and the technical interfaces to allow consumers to request data sharing. The common standards for the data and technical interfaces that scheme members agree to use may be developed by scheme members or by other parties or bodies.’

The key takeaway for Data Holders: It is clear that data needs to be made available without undue delay, continuously and in real-time, but the technical details still need to be worked out.

The key takeaway for TPPs: Technical details on how to obtain the data will be worked out.

5. Schemes, their governance and their accessibility must be set up

The Framework Regulation requires schemes to be set up. The following governance requirements shall be applicable to such schemes:

Data Holders and Data Users should be equally represented, and customer and consumer organisations should also join the scheme.

All Scheme members shall be treated equally and fairly.

A scheme shall be open to participation by all stakeholders.

A scheme shall not impose any controls or additional conditions for the sharing of data other than those provided in this Regulation or other EU law.

Schemes shall be notified to the supervisor, who will evaluate whether the scheme meets the requirements of the Framework Regulation.

It is not entirely clear what needs to happen when no scheme is successfully set up. Our understanding is that Data Holders then still need to make the data available to Data Users, but cannot charge for it.

The key takeaway for Data Holders: Join schemes.

The key takeaway for TPPs: Join schemes.

6. Data Users will not get the data for free

Data Users will not get the data free of charge. The Framework Regulation substantially deviates from PSD2 (and the proposal for PSD3) where banks are required to make payment data available to AISPs free of charge. The idea is that, to ensure that Data Holders have sufficient economic incentives to provide high-quality interfaces for making data available to Data Users, Data Holders should be able to request reasonable compensation from the Data Users for putting the required APIs in place. Nevertheless, Data Holders cannot charge excessive fees.

The compensation for Data Holders needs to be worked out in the scheme rules based on the following principles:

It should be limited to reasonable compensation directly related to making the data available to the Data User – and which is attributable to the request;

It should be based on an objective, transparent, and non-discriminatory methodology agreed by the scheme members;

It should be based on comprehensive market data collected from data users and data holders on each of the cost elements to be considered, clearly identified in line with the model;

It should be periodically reviewed and monitored to take account of the technological progress;

It should be devised to gear compensation towards the lowest levels prevalent on the market;

It should be limited to the requests for customer data subject to the Framework Regulation or proportionate to the related datasets in the case of combined data requests.

More favourable principles apply when the Data User is an SME.

The key takeaway for Data Holders: Data Holders can build a business model around attractive APIs for which they can charge the Data Users.

The key takeaway for TPPs: Data Users cannot obtain the data free of charge; instead, they will be required to pay for accessing it, for example through a per-API-call fee.

7. Relation with PSD2 and payment account data

The sharing of payment account data will, in the short and medium term, continue to be regulated by PSD2 (and PSD3). No substantial changes have been suggested in PSD3. The changes are mainly clarifications in line with the existing EBA Guidance and Q&As.

Banks will still need to make information on the payment account available for free.

AISPs still need a specific license for this.

The EC does envisage that eventually AISPs could be regulated exclusively by the Framework Regulation and be subject to similar data sharing rules. They would then become FISPs and have the same obligations and rights as other FISPs. The EC will need to evaluate the expediency of this 4 years after the entry into force of the Framework Regulation.

The key takeaway for Data Holders: Banks will still need to make payment data available for free based on the PSD2 rules.

The key takeaway for AISPs: In the short and medium term, current business operations will continue as usual. However, in the long run, there is a possibility that AISPs (Account Information Service Providers) may be required to pay for data, depending on the evaluation conducted by the European Commission.

Some privacy considerations

The sharing of data implies a significant privacy angle. The Framework Regulation refers to this in three ways:

At various points, it reiterates that all data sharing should be done in compliance with the GDPR.

It mandates that Data Holders must provide customers with a permission dashboard, allowing them to monitor and manage the permissions granted to Data Users. This ensures that customers have clear visibility over which Data Users are accessing their data and for what specific purposes. More importantly, customers can easily stop data sharing within the Data Holder's environment, without needing to contact the Data User directly. However, it should be noted that terminating data sharing during an ongoing service with a Data User may have contractual implications and potential consequences.

The EBA and EIOPA, in cooperation with the EDPB, will define Guidelines on the data perimeter for:

It is not entirely clear what the legal implications of such a data perimeter will be. However, it appears that if a Data User obtains data within the defined perimeter, they can readily justify the necessity and legitimacy of accessing that data in accordance with the GDPR. Conversely, if data falls outside the data perimeter, it becomes challenging to justify the continued need for accessing such data.

The key takeaway for Data Holders: Arrange for permission dashboards.

The key takeaway for AISPs: Monitor the data perimeter to evaluate which data is acceptable for the use case.

Next steps

The proposal for a Framework Regulation has been opened for a 6-week consultation period. Following this, it will undergo the legislative process involving the EU Parliament and the EU Council of Ministers. Realistically, the entire process is expected to take at least two years, with an additional 18 months for the proposal to come into effect. Consequently, if the proposal is accepted, it would become binding by the end of 2026.
