
Understanding FIDA: The new regulation explained

What is FIDA?

The Financial Data Access regulation (FIDA) is a new regulatory framework operating within the broader context of financial services, which aims to use open finance to promote better and broader access to individual and business customer data across a wide range of financial services.

FIDA is about empowering consumers by giving them control and transparency over their financial data. FIDA facilitates consumer access to their personal financial data across networks. FIDA will empower all consumers because it will establish a digital framework that allows them to better understand their financial situation, enabling them to make informed decisions.

What are the current data sharing issues that FIDA aims to resolve?

FIDA seeks to address the challenge of accessing and reusing consumer data to promote better access to financial information and unlock opportunities for consumers to benefit from better financial products and services.

Consumers are willing to share their data when they receive good services in return. However, currently they hesitate to do so due to lack of trust. This is because:

  • There are no rules and tools to manage data-sharing permissions.
  • Consumers feel that they are not able to control how their data is being used.
  • They are concerned about cybersecurity risks and the protection of their data and privacy when sharing information.
  • At the same time, the current lack of authorisation and supervision of the activity of the data users creates risks for customers, underscoring the need for enhanced oversight and regulation in this area.

The absence of standardisation in both the type of data and the technical infrastructure increases the cost of data-sharing, leading to significant divergence between data types.

 

Broad scope to ensure efficiency

It is imperative that the Regulation encompasses a broad spectrum of customer data from the outset so that customers across all categories of financial services can benefit from digital advancements. However, according to ECON’s report, data related to sickness and health cover would be excluded from the scope. By excluding life products in practice, ECON’s report will deprive users of useful and innovative services by limiting their choice of services. Today, GDPR provides clear restrictions and requires explicit permissions on the processing of the sensitive data included in these categories of insurance, which will be enough to protect consumers if they decide to share these types of insurance policies.

Timeline, scope, and requirements.

On April 18, 2024, the ECON Committee of the European Parliament approved its FIDA report, acknowledging and incorporating many positive elements of the Commission’s proposal. The ECON report expands access to financial data beyond payment accounts, enabling customers to authorize its use for tailored financial products. This framework supports small enterprises by reducing barriers to entry, fostering competition, and encouraging innovation. Customers maintain control over their data, requiring explicit consent for its use and holding parties strictly liable for breaches. Data access will use high-quality technical interfaces, with reasonable compensation for data holders, and the European Banking Authority will oversee authorized providers and access schemes.

The timeline for FIDA implementation will likely unfold in several phases. Initially, the regulatory authorities will work on drafting guidelines, followed by consultations with stakeholders, and then enforcing compliance deadlines. Financial institutions and data intermediaries will need to upgrade their systems to meet the requirements outlined in FIDA.

As for the scope, FIDA applies to a wide range of entities within the financial ecosystem, including banks, payment service providers, insurance companies, and fintech startups. They will be required to implement robust data access controls, ensuring compliance with the regulation. Additionally, businesses will need to prove that customer consent has been explicitly obtained and that data sharing occurs within the bounds of the law.

Compliance requirements will include the development of APIs, the encryption of shared data, and secure customer consent management systems. FIDA will also enforce stringent data retention, monitoring, and reporting processes to enhance accountability and transparency across the board.

Which types of data and entities will be included in the regulation?

The scope of the FIDA proposal covers specific categories of customer data related to mortgage credit agreements, investments, pension rights, non-life insurance products (excluding sickness/health insurance), and data forming part of a firm’s creditworthiness assessment. The scope also includes the entities that fall in the scope of the Regulation, whether they function as data holders or data users, including various financial institutions, crypto-asset service providers, and insurance intermediaries.

It is apparent that the scope tries to cover a very broad range of categories and entities, excluding only data related to life, health and sickness insurance.

The definitions have been kept broad and inclusive. The definition for ‘customer data’ is of particular importance, as this may define what kind of data should be collected, affecting the implementation of the rest of the articles of the proposal. Customer data is articulated as “personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business with customers which covers both data provided by a customer and data generated as a result of customer interaction with the financial institution”.

The broad scope paves the way for equal and unrestricted access to customer data belonging to EU citizens, fostering an environment of data sharing without limitations or discrimination. The broad definition of customer data fosters innovation, whether it be for known use cases, or ones yet to be discovered. As a result of a wide scope of data sharing, innovations will be unlocked across many financial categories. This type of data sharing should cover all aspects of a citizen’s financial life, with the exclusion of life, sickness, and health insurance products.

The current proposal also leaves open the possibility of incorporating these vital insurance products (life, sickness, and health) within the FIDA framework in the future, once it’s proven that data sharing is safe for the average European citizen.

In terms of entities, FIDA will impact both incumbents and emerging players in the financial space. These include insurance and reinsurance companies, insurance brokers, pension providers, investment firms, third-party payment processors and fund managers, credit and payment institutions, credit rating agencies, and crypto firms.

FIDA data schemes.

Financial Data Sharing Schemes essentially refer to the coalition of data holders/users that need to determine how financial data sharing should work between themselves, for a specific scope of data/accounts. While FIDA lays the foundation for financial data sharing within the articles on Scope and Definitions, FIDA does not provide many of the details related to how this should actually be done in practice, leaving many of those decisions up to the schemes and their participants (data holders and users).

As deployers of practical use cases, we know that data sharing is difficult. Period. It requires that different parties agree on common standards, formats, and protocols, among many other things. This can be even more difficult when large financial institutions (i.e. data holders) are required to get together and decide how things should be done; each institution is powerful and set in its ways. This is a big ask for FIDA to place on data holders, and for this to be successful several things should be added to schemes: strong and independent governance, a fair balance of power between all members, clear procedures and defined processes, and strong deadlines, all determined by the central body asking for data sharing to occur. Without this added structure, it may be difficult for data holders to know where to begin.


How can schemes work in practice?

First, let's establish that the majority of complexity within data sharing typically has to do with setting common data standards for data holders to agree to and abide by. Two approaches can be taken to solve this:

Data Holders do the work: In this approach, which is currently proposed within FIDA, all data holders get together in a scheme and decide how to structure the data they need to share. Typically in these scenarios, the use case is very clear, the participants required to standardize the data are well defined, and there is a well-defined governance structure in place to help the parties come to compromises. In this scenario, the data holders are essentially doing all of the hard work, and data users then have a very easy job in accessing/using the data made available by data holders. Historical precedent shows that this effort takes many years. For example, an industry-wide standardization effort by the EMA and its IDMP program has taken 10+ years, even though it was supported by pre-defined ISO standards. This is a good example of powerful data holders dragging their feet on a standardization effort which was meant to last 3-5 years.

Data Users do the work: This scenario is the flipside of scenario 1; data schemes are optionally formed. Data holders have one basic responsibility: to make the data available in whatever format they have, and on whatever real-time interface they prefer (e.g. MyPages, customer App, API, etc.), as long as data users can access it. Data users are then responsible for taking the data from each data holder and finding a way to standardize it so it works for their use case. The data users spend the effort in this scenario.

 

Are long term data holder driven schemes possible in the future?

Short answer: Absolutely. At Insurely, we see a future where data holders form schemes, probably for specific use cases, which results in the data holders providing high-quality APIs in a common data format. These will most likely occur for the most popular use cases, and in situations where there is a clear incentive to do so. For example, if data holders are also primary data users for a certain use case, then they could drive market costs down significantly by making a scheme API available with standardized data. The data standardization costs/efforts would then not be needed by the data users, as the data they get will already be standardized. These are much more realistic grounds for data holders to stand on when deciding how much a service should cost, versus just guessing, as would be seen in scenario 1.

What is the FIDA permission dashboard?

The FIDA Permission Dashboard is one of the most important tools mandated by the regulation. It is a user-centric interface that allows individuals to manage their data-sharing permissions across different financial institutions and third-party providers.

Through this dashboard, consumers can view which companies have access to their data, revoke access at any time, and even set limits on how long their data can be shared. This puts the control squarely in the hands of the consumer, enhancing trust in digital financial services. Moreover, the dashboard will help to track data usage and ensure compliance, making it easier for consumers to safeguard their personal information.

 

What is a permission dashboard?

Each data holder will be responsible for developing and operating consumer permission dashboards to help their customers manage the data they have chosen to share. For example, the dashboards should allow a customer to get an overview of whom they have shared data with and which data points were shared, and should also allow them to revoke the data receiver’s access to that data.

Frequently asked questions.