Draft regulation on a framework for Financial Data Access (FiDAR)

Draft Regulation of the European Parliament and of the Council on a framework for Financial Data Access, dated 28.06.2023.

FiDAR aims to create a framework for financial data access at the European level. Under it, customer data in financial services can be shared with other financial institutions or financial information service providers (FISPs).

Scope

FiDAR applies to the data of customers (natural or legal persons that use financial products and services) regarding:

  • mortgage credit agreements, loans and accounts, except payment accounts as defined in PSD2, including data on balance, conditions and transactions
  • savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets, as well as the economic benefits derived from such assets, including data collected for the purposes of carrying out an assessment of suitability and appropriateness
  • pension rights in occupational pension schemes
  • pension rights on the provision of pan-European personal pension products
  • non-life insurance products, with the exception of sickness and health insurance products, including data collected for the purposes of a demands and needs assessment, as well as for an appropriateness and suitability assessment

Personal scope

The regulation covers broadly defined financial institutions that may act as a holder or user of customer data. FiDAR applies to:

  • credit institutions
  • payment institutions, including account information service providers and payment institutions exempted under PSD2 (e.g., MIPs)
  • electronic money institutions, including electronic money institutions exempt in accordance with PSD2
  • investment firms
  • crypto-asset service providers
  • issuers of asset-referenced tokens
  • managers of alternative investment funds
  • management companies of undertakings for collective investment in transferable securities
  • insurance and reinsurance undertakings
  • insurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • crowdfunding service providers
  • PEPP providers
  • financial information service providers (FISPs)

Entities that are excluded from the scope of the DORA regulation (including insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are micro, small or medium-sized enterprises) are not covered by FiDAR.

Access to data

Obligation to make available data to the customer

The data holder is obliged to make the data covered by FiDAR available to the customer upon the customer’s request submitted by electronic means. Access shall be provided immediately, free of charge, continuously and in real time.

Obligations of the data holder

The data may be shared not only with the customer itself, but also with the data user (i.e., another financial entity or financial information service provider (FISP)). The rules for sharing data in this regard are analogous to those for sharing data with the customer, except that the data is shared only for the purposes for which the customer has authorized the user. Where data sharing is carried out as part of a financial data sharing scheme, the data holder may demand compensation from the user. As part of the data sharing, the data holder:

  • makes customer data available to the data user safely, in a format based on generally recognised standards and at least in the same quality available to the data holder
  • communicates with the data user ensuring an adequate level of security for the processing and transmission of customer data
  • requests data users to demonstrate that they have obtained the customer’s permission to access the data
  • provides the customer with a permission dashboard to monitor and manage permissions
  • respects the confidentiality of trade secrets and intellectual property rights

Obligations of the data user

Customer data may only be shared with an institution subject to authorization by the competent authority as a financial institution or as a financial information service provider (FISP). The data shall be accessed by the user only for the purposes and under the conditions for which the customer in question has granted authorization. The user of the data is obliged to delete it when it is no longer needed for these purposes. The permission previously granted by the customer may be revoked by the customer. In addition, in order to ensure effective management of customer data, the data user:

  • shall not process any customer data for purposes other than the performance of a service expressly requested by the customer
  • respects the confidentiality of trade secrets and intellectual property rights
  • puts in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal customer data that is unlawful under Union law or the national law of a Member State
  • takes necessary measures to ensure an adequate level of security for the storage, processing and transfer of non-personal customer data
  • does not process customer data for advertising purposes, except for direct marketing in accordance with Union and national law
  • where the data user is part of a group of companies, the customer data shall only be accessible to and processed by the group entity that acts as the data user

Permission dashboards

Under FiDAR, the data holder is required to provide the customer with a Financial Data Access permission dashboard. The dashboard shall have the following functionality:

  • providing the customer with an overview of all current permissions granted to data users (name of data user, customer account, financial product or service, purpose of granting permission, category of data accessed, duration of permission)
  • allowing the customer to withdraw a permission given to a data user
  • allowing the customer to re-establish any permission withdrawn 
  • including a register of authorizations that have been withdrawn or expired, for a duration of two years 

The dashboard shall be easy to find in the user interface, and the information displayed there is to be clear, accurate and understandable to the customer.

FiDAR requires the data holder and user to work together to make information available to the customer through the dashboard in real time. To this end: 

  • the data holder informs the data user of changes made by the customer via the dashboard to the authorization relating to that data user 
  • the data user informs the data holder of a new permission granted by the customer regarding customer data held by that data holder, indicating the purpose of the permission granted by the customer, the duration of the permission, the categories of data concerned

Financial data sharing schemes

Participation in the financial data sharing scheme

FiDAR introduces the concept of a financial data sharing scheme and requires data holders and users to become participants in at least one such scheme (while not precluding an entity from being a participant in multiple schemes) within 18 months of FiDAR coming into force. Sharing of data between participants in the scheme is carried out according to the rules of the scheme.

Data sharing scheme

FiDAR anticipates that:

  • participants in the scheme consist of data holders and data users that represent a significant portion of the market for the product or service in question, as well as customer associations and consumer organizations
  • the rules applicable to participants in the scheme apply equally to all participants and unjustified preferential or differential treatment of participants is not permitted
  • the rules and regulations of participation in the scheme ensure that the scheme is open to participation by any data holder and user, based on objective criteria, and that all participants are treated fairly and equally
  • the scheme does not impose any controls or additional conditions on data sharing other than those provided for in FiDAR or other applicable EU legislation
  • the scheme includes a mechanism to amend its rules and regulations after an impact analysis and the consent of a majority in both groups – data holders and users, respectively
  • the scheme includes rules on transparency and, where applicable, reporting to participants
  • the scheme includes common standards for data and technical interfaces to allow customers to make requests for data (standards may be developed by scheme participants or others)
  • the scheme shall define the contractual liability of participants, including in the case of inaccurate data, inadequate quality or breaches of data security, or misuse of data
  • the scheme will provide for an independent, impartial, transparent and effective mechanism for resolving disputes between scheme participants and issues related to participation

The data sharing scheme shall be notified to the competent authority for the place of residence of the three most significant data holders who are participants in the scheme at the time of its establishment. If the three most significant data holders are based in different countries, or if there is more than one competent authority in the country where they are based, the scheme shall be notified to all of these authorities, who shall agree among themselves which authority will carry out the assessment of the scheme’s compliance with FiDAR requirements. The notification shall be made within one month of the establishment of the scheme and shall include the rules for managing the scheme and its characteristics. 

Accession of new participants to financial data sharing schemes is possible at any time under the terms and conditions of current participants. Within one month of joining the scheme, the data holder shall notify the competent authority of the financial data sharing schemes in which it participates.

In the absence of the establishment of a data sharing scheme, the Commission is authorized to adopt a delegated act to specify under what conditions data sharing is to take place. 

Compensation for sharing data

According to FiDAR, the financial data sharing scheme will also establish a model for determining the maximum compensation that a data holder is entitled to charge for sharing data through the relevant technical interface. The model is to be based on the following principles:

  • should be limited to reasonable compensation
  • should be based on an objective, transparent and non-discriminatory methodology agreed upon by scheme participants
  • should be based on comprehensive market data collected from users and data holders on each of the cost elements considered
  • should be periodically reviewed and monitored to account for technological advances
  • should be devised to gear compensation towards the lowest levels prevalent on the market
  • should be limited to customer data requests or, in the case of combined data requests, proportionate to the related data sets covered by this article

Financial information service provider

FiDAR introduces a new type of authorization – the financial information service provider (FISP) authorisation. This provider under FiDAR can act as both a data holder and a data user. The application for FISP authorization must be submitted with, among other things:

  • a programme of operations setting out in particular the type of access to data envisaged
  • a business plan including a budget forecast for the first three fiscal years
  • a description of the management rules and internal control mechanisms, including administrative, risk management and accounting procedures, as well as arrangements for the use of ICT services in accordance with DORA
  • a description of the procedure put in place to monitor security incidents and customer complaints regarding security, and the handling and follow-up of such incidents and complaints, including the mechanism for reporting such incidents
  • a description of business continuity arrangements 

FISPs are required to hold professional indemnity insurance (or a comparable guarantee) covering the territories in which they access data. An alternative to having insurance is to hold initial capital of EUR 50000.
