European Commission Proposes New Rules on Financial Data Access and Use
Alerts
July 6, 2023

On June 28, 2023, the European Commission (EC) published a Proposal for a Regulation on Financial Data Access (FIDA). FIDA aims to create a framework through which data holders (e.g., banks, credit institutions) share the financial data they hold with other players in the finance industry (e.g., fintech companies). Customers of financial institutions will be able to control i) which data is shared, ii) with whom, iii) for what purpose, and iv) for how long. If adopted, FIDA will further liberalize financial data sharing in the EU.

Background

FIDA’s goal is to encourage innovative financial services and support a level playing field in the market. The EC hopes to achieve this goal through three pillars: i) granting individuals a right to control how their data is shared and subsequently used, ii) introducing an obligation for data holders to share data (subject to conditions), and iii) setting eligibility conditions for third parties who want to receive the data. FIDA’s scope and key provisions largely mirror requirements set to be introduced by the Data Act,[1] signaling an interplay between, and a complementary approach for, the two legal frameworks.

The EC’s FIDA proposal will now go through the standard EU legislative process. The European Parliament and the Council of the EU will examine the proposal and propose amendments. Negotiations will then occur among the EC, European Parliament, and Council of the EU to agree upon a final text. This process can take a few years.

Scope

FIDA extends to consumers and businesses that make use of financial products and services (referred to together as “customers”). FIDA provides a framework for the exchange of financial data between entities in the financial sector including, for instance, credit institutions, payment institutions, credit rating agencies, and financial information service providers. While not clearly defined in the text, some of the data types considered in scope could include, for instance, i) the account balance, ii) conditions or transaction details relating to mortgage credit agreements, iii) loans and any accounts other than those used to execute payment transactions (e.g., savings accounts), as well as iv) data used to assess the creditworthiness of business customers. However, FIDA will not apply to i) information relating to payment accounts used to execute payment transactions as regulated by the Payment Services Directive 2 (PSD2), ii) data collected as part of a creditworthiness assessment of a consumer, and iii) data related to the illness and health insurance of a consumer. Financial institutions that will make covered data available will be referred to as “data holders,” whereas those entities that will receive data under FIDA will be referred to as “data users.”

Key Provisions

  1. Customers’ right to access and direct the sharing of their customer data. Customers can request access to their own data “without undue delay, free of charge, continuously and in real-time” through a simple electronic request. In addition, they will be entitled to instruct data holders to share their customer data with third parties and set the conditions under which their data is shared. This is similar to the Data Act’s obligation on data holders to share data with third parties. Under FIDA, only licensed (“authorized”) data users will be eligible to receive customer data.
  2. Obligations on data holders. Data holders will be required to create infrastructure through which they will make customer data available to data users. This infrastructure will need to meet security standards to be determined by the European Banking Authority (EBA). The customer data must be made available in a specific format and only with the customer’s permission.
  3. Data use dashboard to allow customers to manage the sharing in real time. Data holders must create a “dashboard” that provides customers with an overview of with whom, how, why, and for how long their data is shared. Customers must further be able to enable and disable their permissions for each use in real time.
  4. Obligations on data users and restrictions on data use. Data users can only access customer data under the conditions set by the customer, and only process customer data that is personal data for the specific service requested by the customer (similar to the use restrictions under PSD2). The data must be deleted when no longer necessary for these purposes. FIDA expressly prohibits processing customer data for advertising purposes but allows processing for direct marketing (if the appropriate consent is obtained under the ePrivacy Directive).[2] It also prohibits sharing the data with other group entities, beyond the entity that is licensed as the data user. The EBA and the European Insurance and Occupational Pensions Authority (EIOPA) will, together with the European Data Protection Board (EDPB), draft guidelines on permitted data use.
  5. Conditions to participate in the data sharing framework. Access to customer data will be restricted to licensed (“authorized”) financial institutions. Financial information service providers must apply to a national authority to obtain authorization under FIDA. The license application must include details such as the type of access envisaged, a business plan with a forecast budget calculation that demonstrates the applicant has appropriate resources, a description of governance arrangements and internal control mechanisms, and details of security incident monitoring and handling policies and procedures.

Enforcement and Sanctions

EU Member States will be required to designate competent authorities charged with enforcing the rules. These authorities will have the power to impose sanctions and penalties for breaches of the law.

The sanctions are substantial and include:

  • a public statement about the violation;
  • an order to cease the conduct;
  • forfeit of the profits gained or losses avoided due to the violation;
  • temporary suspension of the authorization of a financial information service provider;
  • a potential 10-year ban from the financial industry for executives; and
  • monetary penalties of up to twice the profits gained or losses avoided, or up to two percent of the global turnover of the ultimate parent company (in case of a group of companies).

Conclusion

Once adopted, FIDA will significantly alter the regulatory landscape for companies operating in the financial sector in the EU. Companies should consider following the legislative process closely and reviewing the scope of FIDA and its new obligations to assess how they will be impacted. We will publish further alerts covering the next steps in the adoption of FIDA as they occur.

For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Nikolaos Theodorakis, or another member of the firm’s privacy and cybersecurity practice.

Laura Brodahl and Matthew Nuding contributed to the preparation of this Wilson Sonsini Alert.


[1] Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN.

[2] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058.

Contributors

  • Laura De Boel
  • Nikolaos Theodorakis
  • Laura Brodahl
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.