United Kingdom | Publication | April 2025
In June 2023, the European Commission (EC) published a proposal for a Financial Data Access Regulation (FiDA)1 . FiDA is part of a broader initiative by the EC to modernise the EU’s financial sector to ensure that it is fit for the digital age. At FiDA’s core is data – those who hold it, those who use it and the customer. The problem that FiDA seeks to resolve is that customers in the EU financial sector currently cannot efficiently control access and sharing of their data beyond payment accounts. As such FiDA complements the existing ‘open banking’ provisions under the revised Payment Services Directive (PSD 2)2 that regulates access to payment account data held by account servicing payment service providers. It does this by establishing rules for the access, sharing, and use of a broader set of financial services data.
When presenting FiDA the EC argued that its benefits were considerable. For example, the EC predicted that the total annual benefits for the EU economy produced by enhanced access to and sharing of data in the EU financial sector ranged between EUR 4.6 billion and EUR 12.4 billion. The overall estimated cost of the proposal, were, however, significant, with the EC estimating that they could be up to a range of EUR 2.2 billion to EUR 2.4 billion in one-off costs and between EUR 147 million to EUR 465 million in recurring annual costs.
The starting point is that FiDA is a draft Regulation and, when finalised, will be legally binding in Member States. Unlike a Directive Member States will not be free to decide how to implement the legislation into their own national laws. In addition, it will come into effect in Member States on the same date. The EC’s draft of FiDA has the Regulation applying 24 months after its entry into force albeit certain provisions3 apply earlier, from 18 months.
FiDA, as proposed by the EC, has nine Titles and a brief summary of the key provisions is as follows. Similar to other pieces of EU legislation Title 1 sets out the subject matter, scope and definitions. In Article 1 FiDA establishes the rules in line with which certain categories of customer data in finance may be accessed, shared, and used. It also establishes rules concerning the authorisation and operation of financial information service providers (FISPs).
Article 2 is key as it sets the scope of FiDA to certain exhaustively described sets of data and lists the firms to which it applies. FiDA applies to the following categories of customer data on:
When acting as data holders or data users the following entities are in scope of FiDA:
Article 3 sets out definitions including the critical ones regarding ’data holder‘, ’data user‘, ’financial information service provider‘. A data holder is defined as a financial institution other than an account information service provider4 that collects, stores and otherwise processes the data listed above. A data user is any of the entities listed above who, following permission of a customer5 has lawful access to the data listed above. A financial information service provider is defined as a data user that is authorised (see below) to access the customer data listed above for the provision of financial information services.
Title 2 deals with data access and begins by setting out a legal obligation in Article 4. This obligation is placed on data holders who must make available to customers the data within scope of FiDA. The data holder must do this without undue delay, free of charge, continuously and in real-time. Article 5 provides the customer with the right to request that the data holder shares this data with a data user. Where personal data is concerned, the request must comply with a valid legal basis as referred to in the General Data Protection Regulation (GDPR) that allows for the processing of personal data. Article 6 imposes certain obligations on data users receiving data at the request of customers. There should only be access to the customer data made available under Article 5 and this data should be used only for the purposes and the conditions agreed with the customer. The customer’s personalised security credentials should not be accessible to other parties and the data should not be stored for longer than what is necessary.
Title III covers responsible data use and permission dashboards. Article 7 deals with a data use perimeter and in particular processing customer data which constitutes personal data shall be limited to what is necessary in relation to the purposes for which they are processed. The European Supervisory Authorities are to develop guidelines on this point for products and services relating to credit scores and certain insurance products. Article 8 establishes the financial data access permission dashboards to ensure that customers can monitor their data permissions by being able to access an overview of their data permissions, grant new ones and withdraw permissions if necessary.
Title IV sets the requirements for the creation and governance of financial data sharing schemes whose aim is to bring together data holders, data users and consumer organisations. Article 9 provides that the data falling within the scope of FiDA must be made available only to members of a financial data-sharing scheme, rendering the existence and membership to such schemes mandatory. Article 10 builds on this by setting the governance processes of such a scheme and provides for the development of common standards for the sharing of data and the creation of technical interfaces to be used for the sharing of data. Where a financial data sharing scheme is not developed for one or more categories of customer data, Article 11 provides for an EC empowerment to adopt a delegated act.
Title V sets out the provisions on authorisation and operating conditions of FISPs. Among other things Article 15 provides for the establishment of a register of FISPs and data sharing schemes to be held by the European Banking Authority and Article 16 provides for the organisational requirements of FISPs.
Titles VI and VII cover Member State competent authorities (NCAs) in the sense that Title VI (Articles 17 to 27) provides details on the powers of NCAs including administrative penalties that they may impose (Article 20) and Title VII deals with cross border access to data.
Title VIII contains certain provisions providing for the adoption of delegated acts and an obligation for the EC to review certain aspects of FiDA. It also includes an amendment to the Digital Operational Resilience Act and states that FiDA enters into application 24 months after its entry into force, except for Title IV which enters into application 18 months after FiDA’s entry into force.
Having set out the basics of FiDA, we briefly review the positions of the Council and the European Parliament (EP). Last summer the EP’s Committee on Economic and Monetary Affairs (ECON) published its report on FiDA. The next step in the process is for the EP to hold a vote on the proposal although at the time of writing this had not yet taken place. One of the more interesting amendments that ECON put forward in its report was to extend quite significantly the date of application by extending it from 24 months and 18 months as mentioned above to 32 months and 30 months respectively. In addition, ECON further added that the date of application for data holders and data users be 38 months and 36 months. With these proposals the ECON is clearly concerned about FiDA-readiness.
Other amendments put forward by ECON include changes to the scope set out in Article 2. For instance, ECON expressly includes credit card accounts and provides further details on savings being term deposits, structured deposits, and savings accounts. In terms of pensions rights, data related to sickness and health is specifically excluded and a provision inserted that will bring within scope “non-sensitive categories of data used by data holders to meet know-your customer requirements for business customers”. In terms of definitions, perhaps the key addition is that of a financial information service6 .
ECON also made certain amendments to FiDA’s provisions concerning financial data access schemes. This included adding a timetable whereby members of such schemes would agree on the general rules within 12 months of FiDA entering into force, within 26 months members are to agree on common standards and a model to determine compensation and within 30 months members to ensure that all elements of the scheme are fully operational.
Another key change from the ECON is that FISPs are not to use their authorisation to conduct activities regulated by existing EU sector-specific legislation, for example they should not be authorised to provide financial advice regulated under the revised Markets in Financial Services Directive.
ECON’s report also covered so-called ‘gate-keeper access’. The EC’s draft did not cover this issue meaning that in the absence of other restrictions related to financial data, big technological companies could access open finance data by obtaining authorisation as a FISP. A new Article 18a prohibits designated gatekeepers7 from obtaining such authorisation and gives NCAs certain powers to ensure that gatekeepers do not circumvent this provision through entities owned or controlled by them. In addition, a new Article 6(4b) provides that data users that are owned or controlled by an undertaking that has been designated as a gatekeeper are prohibited from combining customer data referred to in Article 2 FiDA with other data relating to the customer that the designated gatekeeper may already collect, store, or otherwise possess for purposes outside the Regulation.
On 4 December 2024, the Council adopted its FiDA General Approach to enter trilogues. The Council largely supported the EC’s initial proposals and sought to clarify its scope by defining what specific data sets, products or sectors, the new rules should cover and apply to, as well as a timeframe for the data sharing obligations to kick-in. On the latter point the Council’s amendments to Article 36 (entry into force and application) are detailed and set out when FiDA will apply to each piece of customer data listed in Article 2.
While trilogues were set to begin in March 2025, leaked versions of the EC’s 2025 work programme included FiDA in the list of proposals to be withdrawn. The reason that was circulated in the media for the withdrawal were concerns about placing significant burdens and complexity on EU financial institutions amid the deregulation agenda of the United States. However, when the official 2025 EC work programme was published there appeared to be a U-turn in the sense that FiDA was listed under the heading of pending proposals, meaning negotiations will continue, preventing the file from being abandoned.
FiDA has raised a number of concerns in the market, and these can be briefly summarised as follows:
The United Kingdom does not currently have a legislative equivalent to FiDA but has sufficiently built on its ‘Open Banking’ initiative so that it is now referred to as ‘Open Finance’. In its new five year strategy the Financial Conduct Authority (FCA) has recently committed to publishing a roadmap for the rollout of Open Finance within a year. The FCA expects the “regulatory foundations” for the first Open Finance scheme to be in place by the end of 2027 and will prioritise small business lending. In its five-year strategy, the FCA also reiterated its commitment to prioritising the development of account-to-account payments, “so people have more choice about how they pay”, and to make variable recurring payments “a reality”.
At the time of writing the Data (Use and Access) Bill is also making its way through the UK Parliament. The Bill is designed to enhance the secure and effective use of data in the UK by laying the groundwork for initiatives like Open Finance. It does this in several ways including establishing clear standards for data sharing and robust oversight mechanisms to ensure that organisations handling sensitive data comply with legal and ethical standards.
Although FiDA is still undergoing review in the EU legislative process there are some practical steps that firms can take now. For example, a high-level assessment can be undertaken so that a firm can get a better understanding of how the draft legislation impacts it from an operational and technological perspective particularly as regards data management and customer consent.
Monitoring FiDA’s progression will also be key. This will include regularly checking the European Parliament’s and Council’s websites for updates. Using EUR-Lex, the official database for EU law, would also be useful as would regular engagement with industry associations and advocacy groups that have a particular interest in FiDA.
Publication
In For Women Scotland Ltd v The Scottish Ministers, the Supreme Court unanimously held that the definitions of “man”, “woman” and “sex” in the Equality Act 2010 refer to a person’s biological sex.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2025