On 28 June 2023, the European Commission published a proposal for a regulation on a framework for Financial Data Access (“FIDA”) for the access and use of customer data. As part of the EU Digital Finance Strategy, FIDA is expected to lead to better-quality, user-centric financial services and new data-driven business models in the financial sector. As the financial data space evolves, the emergence of novel interfaces, data sharing methods, and other innovative technologies may also bring forth new risks, particularly in the realm of cybersecurity. We recommend that stakeholders in the financial sector consider their role and potential responsibilities and opportunities in light of the upcoming regulations.
Ambitious framework for financial customer data sharing
FIDA complements the existing financial data sharing legislation, such as the open banking provisions of PSD2 Directive 2015/2366 regulating access to payments account data, and goes far beyond them. FIDA also entails significant interplay with the horizontal framework for mandatory data sharing under the upcoming Data Act and the GDPR’s data protection rules.
Under FIDA, financial institutions (data holders) would be obliged to make available certain customer data to other financial institutions, authorised financial information service providers (“FISPs”) (data users) and to the customers, at the customer’s request.
Data holders should make the data available without undue delay, continuously, and in real-time. To achieve this, the new framework focuses on customers’ trust and control over their data, as well as on the technical and contractual means to carry out data sharing in a secure and efficient way. The data in question is personal and non-personal customer data divided into categories under FIDA, such as loans, savings, investments, crypto-assets, pensions, and non-life insurance products.
Some key features of FIDA in a nutshell
FIDA is ambitious and open questions remain. Whereas PSD2 focused on payments account data, FIDA covers a wide range of customer data and financial institutions. The Open Finance Report of the Expert Group on European financial data space, which was used to develop FIDA, covered several use cases but still only scratches the surface compared to the scope of FIDA. Further, the European Data Protection Supervisor has raised concerns regarding the broadness of the definition of customer data under FIDA in its Opinion 38/2023 of 22 August 2023. FIDA also sets forth that the sharing of customer data should respect the protection of confidential business data and trade secrets, but the practical implementation of this is unclear. Moreover, FIDA seems to be based on the assumption that financial data sharing schemes (“FDSSs”) could be built on existing market initiatives, thus requiring extensive co-operation on the market. However, the Commission also has the authority to create frameworks for FDSSs if needed.
FIDA’s application periods are rather optimistic. The provisions concerning FDSSs and authorisation requirements for FISPs would apply 18 months after FIDA enters into force, whereas other requirements would apply after 24 months.
Next, FIDA is subject to review in the Council and the Parliament, where the Committee on Economic and Monetary Affairs (ECON) is responsible for the file. The open finance framework has been one of the EU’s legislative priorities for 2023 and 2024, but currently it seems unlikely that the proposal will be finalized prior to the 2024 Parliament elections.
Digital operational resilience for open finance
As the EU continues to advance its open finance framework, it is imperative to ensure that innovative technologies and products align with robust financial regulation and operational risk management. This alignment is crucial to nurturing sustainable technological development, which, in turn, fosters a secure financial environment, prioritizes customer protection, and bolsters financial stability. In an era of rapid technological advancement, it is essential to strike a balance between innovation and security, so that technology and cybersecurity standards develop together rather than in isolation.
While CER Directive 2022/2557 concerns overall digital and physical resilience, NIS2 Directive 2022/2555 plays a pivotal role in deepening the evaluation of cybersecurity and resilience across various critical sectors, whereas the Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) leads the cybersecurity and operational resilience legislation to the sector-specific level considering the cybersecurity challenges and risk profile characteristic of financial services. It is essential to understand the distinctions between these legislative instruments while navigating the evolving regulatory landscape of fintech.
The widespread utilization of ICT services is evident through intricate contractual arrangements. Prior to DORA, financial institutions frequently encountered challenges in negotiating contracts aligned with their prudential standards and regulatory requirements. Enforcing certain rights, such as the access or audit rights specified in these agreements, can also prove challenging. Furthermore, many contracts lack robust provisions for effectively monitoring subcontracting, limiting the ability of financial entities to assess the associated risks. DORA, adopted on 27 December 2022, introduced a comprehensive framework for enhancing the operational resilience of financial entities, explicitly addressing, inter alia, the aforementioned challenges and related third-party risks. The regulation mandates specific rules governing ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring. Notably, DORA acknowledges that ICT incidents and a lack of operational resilience can imperil the stability of the entire supply chain.
Taking effect on 17 January 2025, DORA is a response to the escalating cyber threats faced by the financial sector. It obliges financial entities to prepare for, respond to, and recover from various ICT-related disruptions and threats. Ultimately, DORA marks a substantial leap forward in EU financial regulation, establishing a harmonized and comprehensive framework for managing digital operational resilience, safeguarding the financial sector’s stability, and enhancing consumer protection. A key question in the efforts to establish a standardized open finance ecosystem is the practical interaction between DORA and FIDA, which also expands the scope of DORA to cover FISPs in the future.
DORA and NIS2 represent crucial pillars in the evolving open finance framework, shaping the future of financial technology and cybersecurity standards.
As the cybersecurity regulations evolve and are implemented, organizations should stay informed and adapt their cybersecurity practices to meet the requirements of DORA and the technical standards issued by the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority. In addition to DORA, companies operating in the financial sector or forming part of its critical supply chain should be able to demonstrate compliance with NIS2 and the national instruments implementing it. Even if DORA does not apply, certain entities may be deemed critical entities under NIS2 and thus become subject to the obligations thereunder.