From Open Banking to Open Finance:
EU framework for financial data access


In 2020, the European Commission (EC) identified the promotion of data-driven finance as one of the priorities in its Digital Finance Strategy and stated the intention to put forward a legislative proposal on an Open Finance framework. President von der Leyen confirmed in her 2022 State of the Union Letter of Intent that data access in financial services is among the key initiatives for 2023. The EU is a globally recognised pioneer in the field of Open Banking and the objective of this initiative was to maintain this lead in terms of innovation by moving forward with establishing an Open Finance framework. Indeed, international developments also underscored the need for action on Open Finance. Most (non-EU) OECD countries are planning or are in the process of discussing further development of their data sharing frameworks and/or their expansion to other sectors beyond payments as the next stage in the evolution of Open Banking-type data sharing arrangements, with gradual evolution towards an expanded set of data types and other sectors of the financial (and non-financial) market.

After opening up access to payment accounts data under the revised Payment Services Directive (PSD2), Open Banking in the EU has begun to transform the way consumers and businesses use banking services. Banks are now obliged to share payment account data with third-party service providers at the customer’s request. As a result, customers have gained access to new types of payment initiation and account information services. For example, these Open Banking requirements unlocked the possibility to combine data and apply machine learning techniques to gain better insights into payment patterns and derive some key performance indicators from bank data. The EC proposal on a framework for financial data access (FIDA) of 28 June 2023 is expected to continue this trend in the broader context of Open Finance, as follows.

The impact assessment work that preceded the adoption of this legislative proposal pointed to four distinct problems beyond payment accounts data. First, customers hesitate to share their data due to lack of trust. Second, customers cannot make their data available to data users because data holders are not legally obliged to enable access. Third, customer data and interfaces in the financial sector beyond payment accounts are not standardised, rendering data sharing more costly. Fourth, data holders lack incentives for implementing high-quality interfaces for data users.

The combined effect of these issues is that consumers do not benefit from individualised, data-driven products and services that may fit their specific needs better, whilst firms, in particular SMEs, are prevented from taking advantage of more convenient and automated financial services. Financial institutions themselves cannot take full advantage of digital transformation trends to deliver a better customer experience whilst becoming more efficient and competitive along the way, and third-party service providers acting as data users face lost business opportunities in data-driven innovation. At aggregate economy level, the consequence is an underdeveloped EU digital financial data market in which customers cannot make full use of data-driven products and services.

The FIDA proposal fits into the broader Data Strategy for Europe and builds upon the key principles for data access and processing set out in the relevant applicable initiatives, such as the Data Act and the Data Governance Act. Furthermore, the FIDA proposal is designed in full coherence and without prejudice to the EU General Data Protection Regulation (GDPR), which provides for general rules on the processing of personal data to ensure their protection and free movement. Giving consumers control over their personal data is one of the main objectives of the GDPR, which stipulates generally applicable requirements, including the requirement to ensure the security of data processing and the right to data portability. Thus, any legal obligation to disclose personal data must meet the requirements set by the GDPR.

The general objective of this proposal is to improve economic outcomes for financial services customers (consumers and businesses) and financial sector firms by promoting digital transformation and speeding up adoption of data-driven business models in the EU financial sector. This has two main components. First, customer trust in data sharing needs to be enhanced by giving both individual and business customers effective control over access to and use of their data. Second, effective access to customer data for third-party data users needs to be enabled to foster data-driven innovation and better financial products for consumers and businesses.

The proposal obliges financial institutions to grant access to customer data upon explicit request of a customer across selected areas of financial services (investments, insurance, pensions, mortgages and savings accounts), except for customer data where financial exclusion risks may outweigh the potential benefits, in particular as regards creditworthiness assessments of natural persons and life, sickness and health insurance. Payment account data remains subject to the Payment Services Directive 3 and Payment Services Regulation proposals. Both data holders and data users are obliged to join market-driven schemes to agree on the modalities for data sharing, including standardisation, liability rules and compensation levels.

The FIDA proposal is aimed at enabling machine-to-machine data access between customer data holders and data users. Today, much of the customer data in scope of the proposal can already be shared manually. But this is neither adequate nor useful in the digital age. To provide mobile applications with useful financial information, data users need these applications to be able to source customer data directly via APIs. Otherwise they will not work and customers will end up losing out.

The FIDA proposal also provides for many safeguards, as follows. Any data sharing relationship is subject to strict control by the customer, who must give their permission before any data is shared with data users. This applies in the case of both individual and business customers as well as both personal and non-personal data.

To facilitate customer control in practice, data holders have to provide customers with permission dashboards as part of their customer interfaces, enabling overview and management of data permissions.

These dashboards will enable a customer to see at any given time to whom and for what purpose permission was granted to access the customer’s data. The customer should be able to withdraw permissions or re-establish a permission withdrawn.

The proposal also creates an authorised financial information service provider (FISP) which, with the permission of a customer, will have lawful access to offer services to customers based on their data. These entities will be subject to authorisation and supervision rules similar to those for Account Information Service Providers under PSD2. To ensure responsible handling of data, only financial institutions and newly authorised FISPs will be able to access customer data and all are subject to the cybersecurity requirements under the Digital Operational Resilience Act.

To prevent financial exclusion, two European Supervisory Agencies will be mandated to develop guidelines on the processing of personal data in the scope of this proposal for products and services related to the credit score of a consumer (European Banking Authority) as well as to risk assessment and pricing of products in the case of life, health and sickness insurance (European Insurance and Occupational Pensions Authority).

To prevent anti-competitive behaviour by data holders, compensation levels are subject to the principles of the Data Act, which envisages that compensation must be reasonable and, in cases where the data user is a small or medium enterprise (SME), any compensation shall not exceed the costs directly attributable to the individual data request.

In general, FIDA has the potential to lead to better and more innovative financial services for consumers and businesses. It can also boost competition in the financial sector and lower costs for customers. For example, the proposal implies that small businesses could get a quicker reply on a loan application due to digitally sharing credit data with a bank. Consumers could gain easier access to financial advice or personalised insurance offers whilst retail investors could get a better overview of their personal finances including savings, investments, pensions, and beyond.

Overall, FIDA is expected to have beneficial effects in terms of digital transformation of the EU financial sector. For example, FIDA requires data holders to make customer data accessible to the customers themselves. The most efficient way to implement this requirement is through digital customer interfaces.

Furthermore, digital transformation of financial institutions that hold customer data would also be promoted by enabling their access and use of customer data held by other data holders. This has already happened as a result of PSD2 where banks are nowadays offering payment account data aggregation services to their customers that have payment accounts in several banks.

To conclude, the EC has high hopes for the beneficial effects of the FIDA proposal once it is adopted and enters into application.

Gundars OSTROVSKIS,

Team Leader Digital Finance, European Commission