Earlier, the European Commission unveiled its findings on the evaluation of the Second Payment Services Directive (PSD2), which hinted at an upcoming revision of this framework. On 28 June 2023, these revisions were formally proposed. The package contains three instruments: a new Directive, which will become known as PSD3; a Payment Services Regulation, addressing the issue of financial data access – also known as Open Banking – and the issues of transaction authorization and customer authentication; and a Regulation concerning financial data access (FIDA). In this blogpost, we provide an initial overview of the Financial Data Access Regulation.
While the PSD2 provided customers the ability to have their traditional financial data providers – generally banks – share their financial data with third party service providers – such as account information service providers (AISPs) – this data sharing is limited to payment accounts as defined under the payment services framework. This has become known as Open Banking.
Given that financial data is much broader than just the data related to payment accounts, it was decided that a more harmonized approach was needed to provide customers and data users a clear set of rules for access to and use of financial data, other than payment account data. Therefore, the Financial Data Access Regulation is being proposed to:
Concretely, access to payment accounts remains regulated under the payment services framework, as discussed in our previous blogpost.
In terms of data, the Financial Data Access Regulation covers:
The broad scope of data also means that the Regulation is not just addressed to credit institutions and payment institutions, but also to investment firms, crypto-asset service providers, insurance and reinsurance undertakings, etc.
The entities holding the data – collectively the ‘data holders’ – and the recipients of the data – ‘data users’ – must become members of at least one financial data sharing scheme. Such schemes set out the rules applicable to the data sharing, the common standards and technical interfaces, and compensation. It is up to data holders and users to develop these schemes. In the absence of a scheme for one of the data types covered here, the Commission can adopt one by means of a delegated act.
All data holders must make the data electronically available to their customers at their request, without undue delay, free of charge, continuously and in real-time.
The same idea applies when data is requested by a data user, upon request from a customer. In such a case, data must be communicated securely and be in a generally recognized format. Additionally, customers must be provided access to a permission dashboard to monitor and manage their data permissions. The Regulation provides minimum requirements for such dashboards, such as the possibility to withdraw permissions.
Data users may only access this data after being authorized – either as a financial institution or a financial information service provider – and only for the purposes for which the customer has granted permission.
The Regulation sets out the requirements for receiving an authorization as a financial information service provider in the home Member State, which are very much in line with the requirements for payment institutions. The organizational requirements – for instance concerning governance and outsourcing of important operational functions – also closely mirror those for payment institutions.
If a financial information service provider does not have an establishment in the EU, it must designate a legal representative in the EU. Such a representative may be held liable for non-compliance with obligations under the Regulation.
The EBA will maintain a register of authorized financial information service providers.
In order to ensure the effective use of financial data access across the EU, the Regulation also specifies rules for cross-border provision of financial information services on the basis of the freedom of establishment and the freedom to provide services.
As under the well-known concept of payment services passporting, financial information service providers can notify their intention to provide their services on a cross-border basis.
The Financial Data Access Regulation is intended to kick the notion of Open Banking up a notch. By listing a much broader field of data than just payment accounts, and by addressing a wide range of financial entities, the Regulation effectively aims to move the bar from ‘Open Banking’ to ‘Open Finance’. This will require many entities in the financial sector to start preparing for their compliance with financial data access requests under this framework. The experiences with Open Banking under PSD2 have taught us that this is not an easy exercise. Additionally, new players aiming to enter the financial data market will need to prepare for their financial information service provider authorization applications.
If you have more questions on PSD3 and payment services, please contact Timelex.