6 May 2025

FiDA Proposal Transforming Open Banking To Open Finance

ELVINGER HOSS PRUSSEN, société anonyme


In June 2023, the EU Commission introduced a regulation proposal on a framework for Financial Data Access[1] (“FiDA”) intending to establish, amongst other things, rules concerning the access, sharing and use of certain categories of customer data in financial services and concerning the authorisation and operation of a new category of service providers, namely financial data service providers. FiDA is currently under trilogue negotiations between the EU co-legislators and its adoption is expected in 2025 (as part of the digital finance strategy objectives).

This is a pivotal development in the EU's drive towards a more integrated and innovative financial ecosystem. Indeed, FiDA aims to introduce a framework for open finance by opening the access of financial institutions to each other's customer data. This expands the principles of open banking to a broader range of financial services but also establishes new legal concepts, entities and operational schemes that will reshape financial services.

1. Key takeaways of the FiDA framework 

Building on the concept of open banking and the legal framework introduced by PSD2[2], the proposed framework extends beyond the payment industry.

1.1. In scope entities

FiDA will apply to a broad range of financial institutions (“In Scope Entities”). Its scope captures the following entities:

  • Credit institutions, 
  • Payment institutions and electronic money institutions, 
  • Investment firms, 
  • Crypto-asset service providers and issuers of asset-referenced tokens, 
  • Managers of alternative investment funds and management companies,
  • Insurance and reinsurance, insurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement provision,
  • Crowdfunding service providers,
  • Credit rating agencies,
  • Pan-European Personal Pension Product (PEPP) providers, and
  • Financial information service providers.

1.2. Data sharing obligations

While PSD2 established the legal framework for sharing data specific to payment accounts, FiDA broadens the scope of data-sharing obligations to encompass a wider array of financial institutions (see above) and related customer data. FiDA establishes the rights and obligations of financial institutions involved in data-sharing processes. Thus, In Scope Entities will be obliged, upon customer request, to share data obtained while providing their services to other entities. The concerned customer data listed in Article 2(1) of FiDA includes, amongst other things, credit agreements and accounts (excluding payment accounts regulated by PSD2), savings and investment products, crypto-assets, pension or non-life insurance products (“Customer Data”). It should be noted that FiDA specifically excludes from its scope data relating to sickness and health insurance products.

The data-sharing mechanism established by FiDA introduces two new legal concepts:

  • Data holder, which is a financial institution other than an account information service provider that collects, stores and otherwise processes the data listed in Article 2(1) of FiDA.
  • Data user, which is any of the In Scope Entities which, following the permission of a customer, has a lawful right to access data listed in Article 2(1) of FiDA.

It is paramount to note that data sharing between data holder and data user will only be possible upon the customers' request and consent (for sharing personal data). Indeed, customers can authorise third-party data users to access their financial data held by other financial service providers, enabling more personalised and integrated financial services.

It should be emphasised that financial institutions have the obligation, upon the customer's request, to make the Customer Data available to the customer without undue delay, free of charge, continuously and in real time. While the same principles govern the sharing of customer data by the data holder to the data user, there is an exception where the data holder is permitted to charge the data user for providing Customer Data. It is worth mentioning that the charged fee must align with the standards and the maximum compensation set by the financial data sharing schemes. FiDA outlines the principles that the data-sharing model should adhere to. 

1.3. Enhanced consumer rights 

Since customers will gain more control over their financial data, this will lead to increased transparency. The implementation of FiDA will also require robust mechanisms for obtaining and managing permissions. In this context, FiDA introduces a standardised mechanism ensuring that customers provide explicit, informed and revocable permission for data sharing via the FiDA permission dashboard. 

It is to be noted that where personal data is processed, the General Data Protection Regulation[3] (GDPR) will also apply. Therefore, FiDA will be applied without prejudice to the rights and obligations of customers under other applicable regulations.

Furthermore, financial institutions will be required to implement secure and interoperable systems for sharing Customer Data with data users. This may necessitate updating IT infrastructure and compliance protocols, and implementing secure application programming interfaces (APIs) for data access. Therefore, to ensure compliance with data-sharing standards, In Scope Entities will have to join new financial data sharing schemes, and authorisation will be required for unregulated entities wishing to access such financial data. As a result, a new type of regulated entity and new schemes will emerge from FiDA.

1.4. New types of entities and schemes 

FiDA also outlines the requirements for obtaining authorisation from a competent authority to become a financial information service provider (“FISP”), which grants permission to act as data users and eventually become data holders. Indeed, while entities already operating as supervised financial institutions do not require further authorisation[4] to use or share financial data, others seeking access to customer data will need a licence from a competent authority. FISPs will form a new category of regulated financial institutions authorised to access and process customer data, thereby playing a pivotal role in leveraging open finance opportunities.

In addition, FiDA establishes financial data sharing schemes (“FDSS”) to manage access to Customer Data. Those schemes are designed to facilitate, secure and standardise data-sharing processes between data holders and data users, who, along with customer organisations and consumer associations, will be members of such schemes.

The EBA will establish a register including information on authorised FISPs and FDSSs as agreed among its members and notified to the competent authority.

2. Next steps

In Scope Entities should evaluate the impact of FiDA on their operations, focusing on: 

  • Determining their role as data holders or data users;
  • Reviewing and updating current data-sharing capabilities and IT systems for secure and interoperable data sharing;
  • Updating customer permission processes and training teams on new compliance requirements. 

Following negotiations between the EU Council and the EU Parliament, and depending on the final text adopted, FiDA provisions should apply between 18 and 48 months after its entry into force. 

Footnotes

1. Proposal for a regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554.

2. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.

3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

4. It is to be noted, however, that the Council's negotiating mandate provides for a prior notification to the competent authority of the supervised financial institutions' intention to operate as a data user. The notification shall include a short description of the programme of activities of the financial institution as a data user.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
