New regulatory package on payment services – FIDA
13/07/2023
Read also our previous blogs in this series!
Earlier, the European Commission unveiled its findings on the evaluation of the Second Payment Services Directive (PSD2), which hinted at an upcoming revision of this framework. On 28 June 2023, these revisions were formally proposed. The package contains a new Directive, which will become known as the PSD3, a Payment Services Regulation, addressing the issue of financial data access – also known as Open Banking – and the issues of transaction authorization and customer authentication, and a Regulation concerning financial data access (FIDA). In this blogpost, we provide an initial overview of the Financial Data Access Regulation.
Expanding Open Banking
While the PSD2 provided customers the ability to have their traditional financial data providers – generally banks – share their financial data with third party service providers – such as account information service providers (AISPs) – this data sharing is limited to payment accounts as defined under the payment services framework. This has become known as Open Banking.
Given that financial data is much broader than just the data related to payment accounts, it was decided that a more harmonized approach was needed to provide customers and data users a clear set of rules for access to and use of financial data, other than payment account data. Therefore, the Financial Data Access Regulation is being proposed to:
- Require the implementation of financial data access permission dashboards. These will give customers more control over their data sharing.
- Mandate data users’ access to select customer financial data, subject to permission from that customer.
- Require the development of common standards for customer financial data and interfaces.
- Require the implementation of application programming interfaces (APIs) according to the common standards.
Larger scope of data and entities
Concretely, access to payment accounts remains regulated under the payment services framework, as discussed in our previous blogpost.
In terms of data, the Financial Data Access Regulation covers:
- mortgage credit agreements, loans and accounts – other than payment accounts;
- savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets;
- pension rights in occupational pension schemes;
- pension rights on the provision of pan-European personal pension products;
- non-life insurance products, with the exception of sickness and health insurance products; and
- data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.
The broad scope of data also means that the Regulation is not just addressed to credit institutions and payment institutions, but also to investment firms, crypto-asset service providers, insurance and reinsurance undertakings, etc.
The entities holding the data – collectively the ‘data holders’ – and the recipients of the data – ‘data users’ – must become member of at least one financial data sharing scheme. Such schemes set out the rules applicable to the data sharing, the common standards and technical interfaces, and compensation. It is up to data holders and users to develop these schemes. In the absence of a scheme for one of the data types covered here, the Commission can adopt one by means of delegated act.
Data access to customers and data users
All data holders must make the data electronically available to their customers at their request, without undue delay, free of charge, continuously and in real-time.
The same idea applies when data is requested by a data user, upon request from a customer. In such case, data must be communicated securely and be in a generally recognized format. Additionally, customers must be provided access to a permission dashboard to monitor and manage their data permissions. The Regulation provides minimum requirements for such dashboards, such as the possibility to withdraw permissions.
Data users receiving access to this data may only do so after being authorized – either as a financial institution or a financial information service provider – and only for the purposes to which the customer has granted permission.
Financial information service providers
The Regulation sets out the requirements for receiving an authorization as financial information service provider in the home Member State, which are very much in line with the requirements for payment institutions. Also organizational requirements – for instance concerning governance and outsourcing of important operational functions – closely mirror those for payment institutions.
If a financial information service provider does not have an establishment in the EU, they must designate a legal representative in the EU. Such representative may be held liable for the non-compliance with obligations under the Regulation.
The EBA will maintain a register of authorized financial information service providers.
Cross-border data access
In order to ensure the effective use of financial data access across the EU, the Regulation also specifies rules for cross-border provision of financial information services on the basis of the freedom of establishment and the freedom to provide services.
As under the well-known concept of payment services passporting, financial information service providers can notify their intention to provide their services on a cross-border basis.
Conclusion
The Financial Data Access Regulation is intended to kick the notion of Open Banking up a notch. By listing a much broader field of data than just payment accounts, and by addressing a wide range of financial entities, the Regulation effectively aims to move the bar from ‘Open Banking’ to ‘Open Finance’. This will require many entities in the financial sector to start preparing for their compliance with financial data access requests under this framework. The experiences with Open Banking under PSD2 have taught us that this is not an easy exercise. Additionally, new players aiming to enter the financial data market will need to prepare for their financial information service provider authorization applications.
If you have more questions on PSD3 and payment services, please contact Timelex.
