Home Knowledge Sharing is Caring: The Financial Data Access Regulation

Sharing is Caring: The Financial Data Access Regulation

July 14, 2023
Sharing is Caring: The Financial Data Access Regulation
Partner
John O’Connor
Partner
Shane Kelleher
Louise McNabola
Partner
Louise McNabola

On 28 June 2023, the European Commission proposed a new framework to regulate the sharing of customer data between financial services firms (the Regulation) (see press release here).

Background

The Regulation was identified as an objective by the European Commission in its digital finance strategy in 2020. It was felt that customers could not effectively control access to and sharing of their financial data, thus preventing widespread access to data-driven financial services and financial products.

What is the aim of the Regulation?

The Regulation aims to allow customers to request that data holders share their data with a specified data user or to make it available to the customers themselves.

Who are these data holders and data users?

A data holder is a financial institution which collects, stores, and otherwise processes the data identified under the Regulation. A data user is an entity acting under the consumer’s permission with lawful data access.

The following financial services firms will fall under the Regulation where they act as data holders or data users:

  • Credit institutions;
  • Payment institutions (including account information services providers and payment institutions exempted under the second Payments Services Directive);
  • Electronic money institutions (including electronic money institutions exempted under the second Electronic Money Directive);
  • Investment firms;
  • Crypto-asset service providers;
  • Issuers of asset-referenced tokens;
  • Managers of alternative investment funds;
  • Management companies of undertakings for collective investments in transferable securities;
  • Insurance and reinsurance undertakings;
  • Insurance intermediaries and ancillary insurance intermediaries;
  • Institutions for occupational retirement provision;
  • Credit rating agencies;
  • Crowdfunding service providers;
  • Pan-European pension product providers; and
  • Financial information service providers.

New Obligations

Data holders and data users face new obligations regarding the treatment of customer data and its accessibility, such as:

  • Data holders must be able to make a customer’s data available to the customer and/or data users upon request;
  • Using an appropriate level of security for transmission and processing of the data when making it available; and
  • When making the customer data available, respect the confidentiality of trade secrets and IP rights.

Data holders will be expected to create a “permission dashboard” allowing customers to monitor and manage the permissions granted to data users.

Financial Data Sharing Schemes

Once the Regulation comes into force, data holders and data users must become members of financial data sharing schemes, which will govern access to customer data. Any data sharing must then be made per the rules of the sharing scheme.

Financial Information Service Provides (FISPs)

A FISP must be authorised by a member state’s competent authority, such as the Central Bank of Ireland, to access customer data. A FISP will be expected to appoint a legal representative to correspond with the competent authority if the FISP does not have an establishment within the EU.

As part of the new authorisation process, the Regulation creates criteria for examination by a competent authority when considering an authorisation application.

This authorisation process may be refined under the EBA’s mandate, in cooperation with ESMA and EIOPA, to develop regulatory technical standards for the information required.

Supervision Framework

Competent authorities will be granted powers to ensure compliance with the Regulation. This includes powers to require persons to provide necessary information and powers to conduct all necessary investigations. The investigation powers include requiring documents, interviews, entering relevant premises and requiring existing data traffic records.

Competent authorities will have the power to issue administrative penalties for breaches of the following articles;

  • Articles 4, 5 and 6 (obligations on making data available to customers and data users, and obligations on data users on the receipt of customer data);
  • Articles 7 and 8 (data use perimeters for the Regulation and financial data access permission dashboards);
  • Articles 9 and 10 (financial data sharing scheme membership, governance and content);
  • Articles 13 and 16 (requirements for legal representatives and organisational requirements for FISPs); and
  • Article 28 (cross border access to data by FISPs).

The administrative penalties and sanctions under the Regulation are substantial as they include fines for both natural and legal persons. Member States have also been provided with latitude to provide for fines which exceed the maximums mentioned within the Regulation.

Next Steps

The Regulation is currently in an 8-week consultation process, due to end on 30 August 2023. After this consultation ends, the proposal will be presented to the European Parliament and European Council for further debate.

If you wish to discuss any of the above, or if you have any queries regarding the treatment of data, please contact John O’Connor, Shane Kelleher or Louise McNabola, or your usual William Fry contact.

 

Contributed by Conor Forde

Recommended Insights

See all
Article and Insights
11
Apr 2024
Stricter Rules for the GDPR’s One-Stop-Shop?
The EDPB, in its new opinion, looks at the criteria to be fulfilled for a controll...
WF_author_blank
Partner
John O’Connor
Article and Insights
9
Apr 2024
Central Bank Updates Approach to Authorising Payment Institutions / E-Money Institutions
We look at updates to the Central Bank's approach to authorising Payment and E-Mon...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
8
Apr 2024
Minimum PI cover required for Insurance Intermediaries to Increase
The European Commission adopted a delegated regulation, increasing the base amount...
WF_author_blank
Partner
Eoin Caulfield
Article and Insights
12
Mar 2024
Food, Beverage & Agribusiness Podcast – Data Protection & Cyber Security
In this episode Laura considers how these issues have become an increasingly criti...
WF_author_blank
Associate
Laura Casey
Article and Insights
8
Mar 2024
Payments and E-Money Sector – Central Bank Event and Report
We look at key supervisory priorities for the payments and e-money sector based on...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
26
Jan 2024
Data Protection Day: Expectations for 2024 & 2023 Look Back
William Fry is celebrating the Council of Europe’s annual Data Protection Day toda...
WF_author_blank
Partner
Leo Moore
Article and Insights
21
Dec 2023
Administrative Sanctions Procedure Guidelines Now in Force
13 Dec 2023, the CBI published consolidated Guidelines relating to the enhanced Ad...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
21
Nov 2023
DSARs: Motive and a Coordinated Action
DSARs: motive is not a relevant factor to Europe's highest court and regulators wi...
WF_author_blank
Partner
David Cullen
Article and Insights
5
Oct 2023
How critical is critical? – ESAs publish technical advice on critical service provider designation under DORA
In response to the European Commission's call to action in December 2022, the Euro...
WF_author_blank
Partner
John O’Connor
Article and Insights
8
Sep 2023
AdTech Update: CJEU Landmark Data Protection Ruling for Online and Behavioural Advertising
The CJEU has handed down a landmark ruling that clarifies what legal bases control...
WF_author_blank
Partner
Leo Moore
prev
next
See all