On 28 June 2023, the European Commission proposed a new framework to regulate the sharing of customer data between financial services firms (the Regulation) (see the Commission's press release).
The Regulation was identified as an objective by the European Commission in its digital finance strategy in 2020. It was felt that customers could not effectively control access to and sharing of their financial data, thus preventing widespread access to data-driven financial services and financial products.
What is the aim of the Regulation?
The Regulation aims to allow customers to request that data holders share their data with a specified data user or to make it available to the customers themselves.
Who are these data holders and data users?
A data holder is a financial institution which collects, stores, and otherwise processes the data identified under the Regulation. A data user is an entity which, with the customer's permission, has lawful access to that data.
The following financial services firms will fall under the Regulation where they act as data holders or data users:
- Credit institutions;
- Payment institutions (including account information service providers and payment institutions exempted under the second Payment Services Directive);
- Electronic money institutions (including electronic money institutions exempted under the second Electronic Money Directive);
- Investment firms;
- Crypto-asset service providers;
- Issuers of asset-referenced tokens;
- Managers of alternative investment funds;
- Management companies of undertakings for collective investments in transferable securities;
- Insurance and reinsurance undertakings;
- Insurance intermediaries and ancillary insurance intermediaries;
- Institutions for occupational retirement provision;
- Credit rating agencies;
- Crowdfunding service providers;
- Pan-European pension product providers; and
- Financial information service providers.
Data holders and data users face new obligations regarding the treatment of customer data and its accessibility, such as:
- Data holders must make a customer's data available to the customer and/or to data users upon request;
- Data must be transmitted and processed with an appropriate level of security when it is made available; and
- When customer data is made available, the confidentiality of trade secrets and intellectual property rights must be respected.
Data holders will be expected to create a “permission dashboard” allowing customers to monitor and manage the permissions granted to data users.
Financial Data Sharing Schemes
Once the Regulation comes into force, data holders and data users must become members of financial data sharing schemes, which will govern access to customer data. Any data sharing must then be made per the rules of the sharing scheme.
Financial Information Service Providers (FISPs)
A FISP must be authorised by a member state’s competent authority, such as the Central Bank of Ireland, to access customer data. A FISP will be expected to appoint a legal representative to correspond with the competent authority if the FISP does not have an establishment within the EU.
As part of the new authorisation process, the Regulation creates criteria for examination by a competent authority when considering an authorisation application.
This authorisation process may be refined under the EBA's mandate, in cooperation with ESMA and EIOPA, to develop regulatory technical standards specifying the information required in an application.
Competent authorities will be granted powers to ensure compliance with the Regulation. This includes powers to require persons to provide necessary information and powers to conduct all necessary investigations. The investigation powers include requiring documents, interviews, entering relevant premises and requiring existing data traffic records.
Competent authorities will have the power to issue administrative penalties for breaches of the following articles:
- Articles 4, 5 and 6 (obligations on making data available to customers and data users, and obligations on data users on the receipt of customer data);
- Articles 7 and 8 (data use perimeters for the Regulation and financial data access permission dashboards);
- Articles 9 and 10 (financial data sharing scheme membership, governance and content);
- Articles 13 and 16 (requirements for legal representatives and organisational requirements for FISPs); and
- Article 28 (cross border access to data by FISPs).
The administrative penalties and sanctions under the Regulation are substantial as they include fines for both natural and legal persons. Member States have also been provided with latitude to provide for fines which exceed the maximums mentioned within the Regulation.
The Regulation is currently in an 8-week consultation process, due to end on 30 August 2023. After this consultation ends, the proposal will be presented to the European Parliament and the Council of the European Union for further debate.
If you wish to discuss any of the above, or if you have any queries regarding the treatment of data, please contact John O’Connor, Shane Kelleher or Louise McNabola, or your usual William Fry contact.
Contributed by Conor Forde