On 28 June 2023, the European Commission presented a proposal aimed at creating a framework for open financial services. There is already an established regulatory framework for data sharing linked to payment services in the form of the Second Payment Services Directive (“PSD2”). The new proposal is aimed at extending the regulations to include financial services in a broad sense through a new regulation (“FiDA”) and revising the regulatory framework for payment services through an updated Payment Services Directive (“PSD3”) and a new Payment Services Regulation (“PSR”). This article aims to analyse the Commission’s proposal regarding the extension of regulations on data sharing to include financial services other than payments and also to highlight the opportunities and challenges to which the proposal may give rise.
“Open financial services” means that a third-party provider is given the ability to access customers’ financial information through a range of technological access methods. The introduction of PSD2 regulated one such access method: so-called account servicing payment service providers are required to provide a specific interface (“API”) through which third-party providers can access financial data. For other financial services, there are no such requirements for what are referred to as “data holders”, which means that any data sharing takes place in a completely unregulated manner. In such situations, the data sharing is carried out solely by the third-party service provider with the customer’s consent and without the involvement of an account servicing payment service provider. The legal conditions for these unregulated methods are unclear, which is why the Commission’s proposal for a new framework has been welcomed by the Swedish Financial Supervisory Authority and the Swedish Government, among others.[1]
AREA OF APPLICABILITY
The FiDA applies to both data holders and data users. A “data holder” means a financial entity that collects, stores or otherwise processes financial information that is subject to the FiDA. A “data user” is a financial entity that has lawful access to that financial information with the customer’s consent. As a starting point, all types of financial entities (credit institutions, insurance companies, securities companies, etc.) are subject to the FiDA. However, the FiDA also introduces a new type of entity that is subject to a permit requirement: financial information service providers. Providers of financial information services are data users that hold no other permit to carry on financial activities, and the proposal is to make them subject to a new authorisation process under the FiDA. The nature of the activities carried on by a provider of that kind is likely to be similar to the activities carried on by registered providers of account information services under the PSD2.
The financial information to be subject to the FiDA under the proposal consists of:
- mortgage agreements, loans and accounts, excluding payment accounts (which will be regulated separately in the PSD3 and the PSR);
- savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as financial benefits relating to such assets;
- data collected in order to carry out fitness and suitability assessments in accordance with the Markets in Financial Instruments Directive (“MiFID”);
- pension rights in occupational pension plans and PEPP products;
- non-life insurance products, with the exception of sickness, accident or health insurance products; and
- data collected for creditworthiness assessments for corporate loan applications and credit ratings.
OBLIGATIONS OF DATA HOLDERS AND DATA USERS
Under the FiDA, data holders are required to make financial information available to a data user, with the customer’s consent, without undue delay, on an ongoing basis and in real time. The information must be made available in a standardised format and in a secure manner. It is also proposed that data holders be required to provide a consent panel for their customers. The panel must show, among other things, which consents the customer has given and to which data user, as well as the history of any consents that have been withdrawn or have expired. The customer must also be able to withdraw consent directly through the panel.
A number of obligations for the data user are proposed, relating primarily to the use of the information. Overarching principles in other EU legal frameworks must naturally be complied with, such as the principle that data may not be used in any way other than as expressly consented to by the customer, and that data must be used for the purpose for which it was collected. There are also requirements for technical, legal and organisational measures to be adopted in order to ensure that no unauthorised access occurs. When it comes to using data that falls within the scope of the FiDA in order to provide financial services that are not themselves subject to the FiDA, such as using the data as a basis for a creditworthiness assessment of a consumer, for a risk assessment, or in order to price life, accident and health insurance, it is proposed that the EBA and the EIOPA be granted a mandate to produce guidelines.
The obligations imposed on data holders in particular require technical systems to be in place in order to be able to handle large numbers of inquiries from different third-party providers for large amounts of data. The systems themselves must also comply with the requirements of the recently adopted Digital Operational Resilience Act (“DORA”). Significant investment will consequently be required in companies’ ICT systems. Even if account servicing payment service providers at least have some experience of using APIs in relation to sharing of financial information, the scope of applicability of the FiDA is significantly broader. However, the specific technology for data sharing is not regulated in the FiDA, but data holders and data users are both required to be members of one or more organisations for sharing financial data.
ORGANISATIONS FOR SHARING FINANCIAL INFORMATION
Organisations for sharing financial data involve a degree of mandatory self-regulation. In the FiDA, the framework is set up in the form of rules regarding the purpose of the organisation, i.e. to decide how data sharing in the financial sector should take place. Consequently, the FiDA sets out certain overall questions on the way in which the organisation functions that need to be subject to the organisation’s regulations, such as current voting rules, transparency criteria, mechanisms for change, common standards for technical interfaces, matters concerning liability and dispute resolution. The organisation must also develop a model for remuneration for data sharing.
Both data holders and data users will be required to join such an organisation and all stakeholders will thereby take part in determining the rules of the game for how sharing will work in specific terms based on the framework set out in the FiDA. Besides data holders and data users, customer organisations must also take part.
Should the industry fail to develop any data-sharing organisation of its own, the Commission is instead authorised to adopt a delegated act concerning common standards for interfaces, the remuneration model and questions concerning liability. In Sweden, it may be noted that financial entities are relatively accustomed to participating in joint industry initiatives aimed at establishing common rules of the game, which is why this requirement should not be seen as particularly burdensome but rather as a welcome contrast to the detailed decrees that are otherwise commonly issued.
PROVIDERS OF FINANCIAL INFORMATION SERVICES
There is a proposal whereby providers who intend to provide financial information should be subject to a requirement for a permit through the FiDA. “Providers who intend to provide financial information” must be understood to mean any company that intends to be a data user within the meaning of the FiDA. The purpose of subjecting any third-party provider that provides financial information, such as data users, to a permit requirement is to ensure that customer information is processed in a sound, secure manner. In the long run, secure processing of customer information is a prerequisite for the continuity of the financial system and the public’s confidence in it.
The permit application must set out how the provider complies with a series of different technical and operational requirements in accordance with regulations such as DORA, including policies on continuity, security, internal governance and dealing with incidents as well as a description of how ICT systems meet the requirement for resilience. In addition, providers of financial information must have appropriate liability insurance or start-up capital of at least EUR 50,000. It is proposed that the EBA be given a mandate to prepare technical standards to further specify the documentation to be submitted in the application, the supervisory authorities’ assessment criteria for granting permits and details of suitable liability insurance. For providers that are not established within the EU, there is also a requirement to appoint a legal representative within the Union to be responsible for contact with the supervisory authority. That representative may also be held liable for any shortcomings in the service provider’s compliance with the FiDA.
Compared to operating in an unregulated environment, the proposed requirements naturally risk appearing burdensome for providers of financial data services. Companies that are already established and companies already of a significant size may enjoy an advantage due to the more extensive requirements imposed in order to be able to provide the services in question. One natural consequence of that is that the barriers to entry become higher and more costly, which could in turn serve to discourage competition and innovation. As a result, there is a risk that the market for various ICT-related services will become increasingly concentrated. On the other hand, the new requirements for providers of financial information services form a natural part of the Commission’s expressed strategy to strengthen the digital resilience of the financial sector, which has been identified as one of the primary risks to both consumer protection and financial stability. There are also advantages deriving from the fact that the conditions for ICT providers are clearly regulated in advance since they thus provide predictable rules of the game for operators interested in entering the market.
THE PROCESS FROM THIS POINT ONWARDS
The proposal presented by the Commission will now be the subject of negotiations between the Parliament and the Council. There is no formal deadline for those negotiations and the timetable differs depending on the nature of the proposal. However, one starting point should be the fact that new legislation in financial regulation takes at least two years to finally be adopted. Once an adopted regulation has entered into force, a period of 24 months is proposed before most of the provisions begin to apply. On the other hand, it is proposed that the provisions regarding organisations for sharing financial information begin to apply as early as 18 months after the regulation has entered into force.
Lindahl is following the process with great interest. You are welcome to contact us if you have any questions about how the proposal will affect your business.
[1] See the Swedish Financial Supervisory Authority report entitled Användningen av öppna finansiella tjänster i Sverige [The use of open financial services in Sweden], Reg. no. 23–3846, and the Government’s factual memorandum 2022/23:FPM119 entitled Förordning om ett ramverk för tillgång till finansiella data [Regulation on a framework for access to financial data].