On June 28, 2023, the European Commission (EC) published a Proposal for a Regulation on Financial Data Access (FIDA). FIDA aims to create a framework through which data holders (e.g., banks, credit institutions) share the financial data they hold with other players in the finance industry (e.g., fintech companies). Customers of financial institutions will be able to control i) which data is shared, ii) with whom, iii) for what purpose, and iv) for how long. If adopted, FIDA will further liberalize financial data sharing in the EU.
Background
FIDA’s goal is to encourage innovative financial services and support a level playing field in the market. The EC hopes to achieve this goal through three pillars: i) granting individuals a right to control how their data is shared and subsequently used, ii) introducing an obligation for data holders to share data (subject to conditions), and iii) setting eligibility conditions for third parties who want to receive the data. FIDA’s scope and key provisions largely mirror requirements set to be introduced by the Data Act,[1] signaling an interplay between and complementary approach for the two legal frameworks.
The EC’s FIDA proposal will now go through the standard EU legislative process. The European Parliament and the Council of the EU will examine the proposal and propose amendments. Negotiations will then occur among the EC, European Parliament, and Council of the EU to agree upon a final text. This process can take a few years.
Scope
FIDA extends to consumers and businesses that make use of financial products and services (referred to together as “customers”). FIDA provides a framework for the exchange of financial data between entities in the financial sector including, for instance, credit institutions, payment institutions, credit rating agencies, and financial information service providers. While not clearly defined in the text, some of the data types considered in scope could include, for instance, i) the account balance, ii) conditions or transaction details relating to mortgage credit agreements, iii) loans and any accounts other than those used to execute payment transactions (e.g., savings accounts), as well as iv) data used to assess the creditworthiness of business customers. However, FIDA will not apply to i) information relating to payment accounts used to execute payment transactions as regulated by the Payment Services Directive 2 (PSD2), ii) data collected as part of a creditworthiness assessment of a consumer, and iii) data related to the illness and health insurance of a consumer. Financial institutions that will make covered data available will be referred to as “data holders,” whereas those entities that will receive data under FIDA will be referred to as “data users.”
Key Provisions
Enforcement and Sanctions
EU Member States will be required to designate competent authorities charged with enforcing the rules. These authorities will have the power to impose sanctions and penalties for breaches of the law.
The sanctions are substantial and include:
Conclusion
Once adopted, FIDA will significantly alter the regulatory landscape for companies operating in the financial sector in the EU. Companies should consider following the legislative process closely and reviewing the scope of FIDA and its new obligations to assess how they will be impacted. We will publish further alerts covering the next steps in the adoption of FIDA as they occur.
For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Nikolaos Theodorakis, or another member of the firm’s privacy and cybersecurity practice.
Laura Brodahl and Matthew Nuding contributed to the preparation of this Wilson Sonsini Alert.
[1] Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN.
[2] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058.