2023/0205/COD: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

In view of the EU Commission’s focus on facilitating data access and sharing in the financial sector to promote innovation and provide customers with better financial products and services, the Commission (EC) has now published a proposed new data access regulation, the so-called Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554.
According to the EC, the proposed regulation would establish a framework that enhances „trust, clarifies rules, and standardizes financial data access (FIDA) and sharing processes“, thereby mitigating shortcomings such as:
– customers‘ limited control over the access and sharing of their data beyond payment accounts, which hinders the availability of data-driven financial services and products;
– the absence or unclear rules governing data sharing between data holders (financial institutions) and data users (firms providing innovative services), which fosters mistrust among consumers; or
– the lack of data and infrastructure standardization, which raises complexity and the costs for sharing data between data holders and users.
The new regulation is the last one of the so-called „Single Currency Package“ and includes rules regarding the access, sharing, and use of specific categories of customer data in the finance sector. It outlines the rights and obligations of both data users and data holders and introduces a new category of firms called „financial information service providers“ which will be engaged in providing financial information services based on the data provided by data holders.
#### The new regulation thereby sets out the following key provisions:
(1) Scope of customer data: In-scope data – that is data that can or could be shared between data holders and users – include, among others, data relating to mortgage credit agreements, loans and accounts (excluding payment accounts defined in the PSD2), savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate, related financial assets, pension rights, certain non-life insurance products, and data that forms part of a creditworthiness assessment for loan applications or credit ratings.
(2) Scope of firms that would be considered data holders and users and thus be subject to the new regulation: The regulation would apply to various entities acting as data holders or data users, such as credit institutions, account information service providers (AISPs), payment institutions (PIs) exempt under the PSD2, investment firms, crypto-asset service providers (CASPs), issuers of asset-referenced tokens, alternative investment fund managers (AIFMs), insurance and reinsurance undertakings, institutions for occupational retirement provision, crowdfunding service providers, financial information service providers, and several others.
(3) Data access and sharing provisions: The new regulation would provide that data holders make in-scope data (see point (1)) available to customers „without undue delay, free of charge, continuously, and in real-time“ upon a customer’s request, which must be submitted electronically. The customer also has the right to request that the data holder shares this data with a data user.
(4) Obligations of data users: Data users including the new financial information service providers (FISP) would have to be authorized in order to obtain, maintain, and process data furnished by data holders. Additionally, any data user must have been granted authorization for the use of the data by the customers whose data is affected.
(5) Creation of new data access dashboards: To enable customers to monitor their data permissions, the regulation includes provisions for the creation of financial data access permission dashboards. These dashboards would allow customers to access an overview of their data permissions, grant new permissions, and withdraw permissions when necessary.
(6) Mandatory membership in and creation of „financial data sharing schemes“: Data users and holders would be required to become members of the beforementioned „financial data sharing schemes“ in order to share ANY data. These schemes would be designed to facilitate collaboration among data holders, data users, and consumer organizations to establish data and interface standards, define coordination mechanisms for operating financial data access dashboards, and establish a standardized contractual framework for accessing specific datasets. Corresponding rules for the establishment of the schemes, including governance requirements, are outlined in the proposed new regulation.