Xenia Kalogirou of Elias Neocleous & Co discusses the rise of the concept of Open Finance as incorporated in the Framework for Financial Data Access

I) Overview

On 28 June 2023, the European Commission (EC) published a set of legislative proposals on payment services; on the much anticipated introduction of a digital euro; and on the sharing of financial data. These proposals aim to modernise the financial sector, align with the ongoing digital transformation, cultivate data-driven innovation and promote a competitive digital ecosystem. Simultaneously, they also seek to safeguard consumers' interests, ensure fair competition, and bolster security and trust.

Apart from the third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), the legislative proposals included a Framework for Financial Data Access (FiDA), also commonly referred to as the Open Finance Framework (OFF). FiDA is a flagship initiative of the EU Digital Finance Strategy, built upon the concept of customers giving permission to share their data. The concept was nurtured under the second Payment Services Directive (PSD2) through the 'Open Banking' framework and is now incorporated in FiDA.

While the current PSD2 has enabled customers to allow Payment Service Providers (PSPs) to access their payment account data for payment initiation and account information services, FiDA goes further and extends the 'Open Banking' concept by introducing 'Open Finance'. Under this broader perspective, customers will be able to exercise control over their data across all facets of financial services. This is expected to result in the introduction of new types of services, business models and operations that leverage technology and external data sources.

II) Scope

In-scope customer data:

The scope of customer data (Customer Data) under FiDA includes:

  1. mortgage credit agreements, loans and all other accounts which are not yet covered by PSD2 including balance, conditions and transaction details;
  2. creditworthiness assessments performed during a loan application process or a request for a credit rating;
  3. savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets;
  4. suitability and appropriateness assessment data under Markets in Financial Instruments Directive 2014/65/EU (MiFID) and Insurance Distribution Directive (EU) 2016/97 (IDD);
  5. non-life insurance products, with the exception of sickness and health insurance products;
  6. pension rights in occupational pension schemes and pan-European personal pension products.

In-scope entities:

FiDA applies to the following entities, with only limited exclusions, when acting as data holders or data users (DA Institutions):

  1. Credit institutions
  2. Payment institutions, including account information service providers (AISP) and exempted payment institutions under PSD2
  3. Electronic money institutions, including exempted e-money institutions
  4. MiFID investment firms
  5. MiCA crypto-asset service providers
  6. Issuers of asset-referenced tokens
  7. Alternative investment fund managers (AIFMs)
  8. UCITS management companies
  9. Insurance and reinsurance undertakings
  10. Insurance intermediaries and ancillary insurance intermediaries
  11. Institutions for occupational retirement provision
  12. Credit rating agencies
  13. Crowdfunding service providers
  14. PEPP providers
  15. Financial information service providers (FISPs)

III) Data Holders

Data holders are the financial institutions listed in points 1 to 14 above (Financial Institutions, i.e. all in-scope entities other than FISPs), excluding AISPs, that collect, store and otherwise process Customer Data. They must make such data available to the customer on request, or to a data user (i.e. another Financial Institution or an authorised FISP) at the customer's request. This access must be granted based on generally recognised standards.

Data holders must provide customers with a permission dashboard to monitor and manage the permissions they provide to data users. The dashboard must provide the customer with an overview of each ongoing permission given to data users such as the name of the data user, the customer account, the purpose of the permission, the categories of data being shared and the period of validity of permission. In addition, the dashboard must allow the customer to withdraw and re-establish permissions given to data users and include a relevant record of withdrawn or expired permissions. Finally, the dashboard must be "easy to find" in its user interface and provide clear, accurate and easily understandable information.

The processing of Customer Data that constitutes personal data must be limited to what is necessary and for retention periods in accordance with the General Data Protection Regulation 2016/679 (GDPR).

IV) Data Users and FISP Authorisation

Data users are any of the DA Institutions which, following the permission of a customer, have lawful access to Customer Data. This means that only Financial Institutions and authorised FISPs are eligible for data access.

The regulation describes the authorisation process for FISPs. FISPs must either be established in an EU Member State or designate a legal representative in the EU. This means that overseas firms that require access to Customer Data in the EU must have a written agreement designating a person based in the EU to act on their behalf.

Similar to Open Banking, data users can only access the data with their customers' permission, and only for the purposes and under the conditions specifically agreed to by the customers.

For the purposes of effective management of Customer Data, a data user shall:

  1. not process any Customer Data for purposes other than performing the service explicitly requested by the customer;
  2. respect the confidentiality of trade secrets and intellectual property rights;
  3. put in place adequate technical, legal and organisational measures to prevent unlawful transfer of, or access to, non-personal Customer Data;
  4. take the necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal Customer Data;
  5. not process Customer Data for advertising purposes, except for direct marketing;
  6. where the data user is part of a group of companies, ensure that Customer Data is accessed and processed only by the entity of the group that acts as the data user.
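The permission dashboard required of data holders in section III and the purpose-limited access described in this section are, from an engineering standpoint, one access-control problem: a permission record carrying the dashboard's elements (data user, account, purpose, data categories, validity period), a withdraw/re-establish lifecycle that keeps an audit record, and an authorisation decision that refuses any request outside the agreed purpose and categories. The following is an added illustration written for this article, not code from the FiDA proposal or from any data holder; the class and identifier names (PermissionDashboard, perm-NNNN), the fixed clock and the sample data user "BudgetApp" and account "ACC-001" are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed fixed clock so the example is deterministic (assumption, not from FiDA).
NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)


class State(str, Enum):
    ACTIVE = "active"
    WITHDRAWN = "withdrawn"
    EXPIRED = "expired"


@dataclass
class Permission:
    """One permission, carrying every element the dashboard must display."""
    permission_id: str
    data_user: str                # name of the data user
    customer_account: str         # customer account concerned
    purpose: str                  # purpose the customer agreed to
    categories: FrozenSet[str]    # categories of Customer Data being shared
    valid_from: datetime
    valid_until: datetime         # end of the period of validity
    withdrawn_at: Optional[datetime] = None

    def state(self, now: datetime) -> State:
        # Withdrawal is checked before expiry so the record shows why access ended.
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return State.WITHDRAWN
        if now >= self.valid_until:
            return State.EXPIRED
        return State.ACTIVE


class PermissionDashboard:
    """Data holder's permission registry: overview, withdraw, re-establish, audit record."""

    def __init__(self) -> None:
        self._perms: Dict[str, Permission] = {}
        self._seq = 0

    def grant(self, data_user: str, customer_account: str, purpose: str,
              categories, now: datetime, validity_days: int) -> str:
        self._seq += 1
        pid = f"perm-{self._seq:04d}"   # identifier scheme is an assumption
        self._perms[pid] = Permission(pid, data_user, customer_account, purpose,
                                      frozenset(categories), now, now + validity_days * DAY)
        return pid

    def withdraw(self, pid: str, now: datetime) -> None:
        perm = self._perms[pid]
        if perm.state(now) is not State.ACTIVE:
            raise ValueError(f"{pid} is already {perm.state(now).value}")
        perm.withdrawn_at = now  # kept on record rather than deleted

    def re_establish(self, pid: str, now: datetime, validity_days: int) -> str:
        """Re-establish a withdrawn permission as a new entry; the withdrawn one stays on record."""
        old = self._perms[pid]
        if old.state(now) is not State.WITHDRAWN:
            raise ValueError(f"{pid} is {old.state(now).value}; only withdrawn permissions can be re-established")
        return self.grant(old.data_user, old.customer_account, old.purpose,
                          old.categories, now, validity_days)

    def overview(self, now: datetime) -> List[Permission]:
        """What the customer sees: every ongoing (active) permission."""
        return [p for p in self._perms.values() if p.state(now) is State.ACTIVE]

    def record(self, now: datetime) -> List[Tuple[str, State]]:
        """The dashboard's record of withdrawn or expired permissions."""
        return [(p.permission_id, p.state(now))
                for p in self._perms.values() if p.state(now) is not State.ACTIVE]

    def authorise(self, data_user: str, customer_account: str, purpose: str,
                  categories, now: datetime) -> Tuple[bool, str]:
        """Decide a data user's request: only an active permission for this data user and
        account, whose purpose matches and whose categories cover the request, allows it."""
        wanted = frozenset(categories)
        reason = "no active permission for this data user and account"
        for p in self.overview(now):
            if p.data_user != data_user or p.customer_account != customer_account:
                continue
            if p.purpose != purpose:
                reason = f"purpose '{purpose}' not covered by {p.permission_id}"
                continue
            missing = wanted - p.categories
            if missing:
                reason = f"categories {sorted(missing)} not covered by {p.permission_id}"
                continue
            return True, p.permission_id
        return False, reason


if __name__ == "__main__":
    dash = PermissionDashboard()
    pid = dash.grant("BudgetApp", "ACC-001", "budgeting", {"loans", "savings"}, NOW, 90)
    print(dash.authorise("BudgetApp", "ACC-001", "budgeting", {"loans"}, NOW))
    print(dash.authorise("BudgetApp", "ACC-001", "advertising", {"loans"}, NOW))
    dash.withdraw(pid, NOW + DAY)
    print(dash.record(NOW + DAY))
```

Two design choices are deliberate: a withdrawal is recorded rather than deleted, so the dashboard's "record of withdrawn or expired permissions" falls out of the same data, and re-establishing a permission creates a new entry instead of reviving the old one, so the history of what the customer granted and revoked is never rewritten. Authenticating the calling data user and tying the permission to evidence of the customer's consent are outside the example and would be needed in any real implementation.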

V) Financial Data Sharing Schemes

Data holders and data users will be required to join one or more Financial Data Sharing Schemes (FDSS), which will govern access to Customer Data in line with FiDA and other EU rules.

In addition, those schemes will be mandated to develop common standards for both data and technical interfaces to facilitate customer requests for data sharing.

Unlike the PSD2 open banking rules, the FDSS introduces an important element: the establishment of a model to determine the maximum compensation that a data holder is entitled to charge. This compensation pertains to making data available through an appropriate technical interface for sharing with data users in accordance with the common standards.

Schemes must also set the contractual liability of their members and establish a dispute resolution regime to resolve disputes among scheme members and membership issues.

The European Commission is tasked with setting rules to cover the event that a FDSS is not developed for a category of customer data. In this case, delegated acts would specify the common standards for the data and the technical interfaces allowing customers to request data sharing, the model for determining the maximum compensation that a data holder is entitled to charge for making the data available, and the liability of the entities involved.

VI) Industry's Position

In recent years, while some financial institutions opted to merely comply with PSD2, others seized the opportunity to generate additional value for their customers by providing access to financial products and services other than payments using application programming interfaces (APIs).

For instance, there are financial institutions developing APIs that allow their "clients across all segments to integrate them in their preferred applications and internal processes to improve financial decision-making and efficiency, but also in consumer applications to offer seamless experiences to their clients and generate new revenue streams for the business" (see The Paypers, Open Finance Report 2023, ING, The Open Banking Ecosystem in Action).

Other use cases include the formation of partnerships between banks and data aggregators, as well as the emergence of consortiums with the aim to standardise the data exchange protocols.

Consultancy firms have also developed various models to help financial institutions assess their Open Finance maturity. These models aim to highlight both strengths and weaknesses in capabilities, providing insights for exploring new income streams via Open Finance-related APIs. Additionally, they assist in ensuring compliance with FiDA requirements.

Due to this evolving landscape, we are witnessing the emergence of advanced payment options like Buy Now, Pay Later and payment request APIs. Concurrently, new services such as comprehensive financial management, improved personalised services and e-invoicing for insurance, telecommunication and utility bills are unlocking and delivering added value to consumers.

The continuous growth of Open Finance is largely inevitable. However, the velocity of that growth in individual countries depends on the extent that Open Finance is tailored to specific market considerations.

VII) Implementation of FiDA

The provisions of FiDA will apply 24 months after FiDA enters into force, except for those relating to the FDSS and the authorisation requirements for FISPs, which will apply 6 months earlier. The timeline laid down by the European Commission is very ambitious. Establishing data-sharing agreements, developing data-sharing schemes and the relevant standards, developing the governance structures of schemes, etc., will likely take significantly longer, as demonstrated by the implementation of the PSD2 framework.

In order to ensure successful implementation across the financial sector, a more incremental approach would be both realistic and effective, taking into consideration the technical complexities, the number of players involved and the significant cost of implementing FiDA.

The proposals of the European Commission will be reviewed by the European Parliament and the Council. The Committee on Economic and Monetary Affairs (ECON) was appointed as the lead committee to deal with the FiDA proposal. On 13 December 2023, ECON published a draft report on FiDA proposing certain amendments related to the enhancement of customer trust, the promotion of innovation and the improvement of interoperability and supervision. This report constitutes only a starting point for ECON's work on FiDA. Assuming that the texts are agreed upon by the end of 2024 or early 2025, the new regime is anticipated to take effect in 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.