My piece for Ogier Leman on the EU's proposed Open Finance Regulation is here.
As part of its review of the second Payment Services Directive (PSD2), the EU consulted on whether to expand the concept of 'account information services' to other types of online financial services. As a result, the EU is now proposing a financial data access regulation (Open Finance Regulation) that will give a wider range of financial services customers new ways to extract, use and share their account data independently of the service provider who holds their account. For instance, you could get an independent adviser to analyse all your finances - savings, pensions and mortgages/loans - in detail at any time, including creditworthiness data, rather than rely on periodic summaries from the primary service providers. As a regulation, it will be directly applicable in all Member States to ensure consistency, without needing to be 'transposed' under local law. Firms will have 2 years to prepare, although 'financial data sharing schemes' will have an earlier window in which to notify the local regulator of their activities. The Regulation is summarised below for information purposes; if you require advice on its application, please let us know.
Barriers to Data Access
Most financial service providers rely on knowing more than you about your use of their services, so they don't give you the same access to your data or convenient ways to share that data with advisers or other service providers. Without secure, standardised ways to share the data, customers either don't share it or can't work out how to, and any workaround is costly.
Consistent with other EU legislation
The Open Finance Regulation not only builds on 'open banking' under PSD2, but is consistent with data access and portability rights under GDPR, the Data Governance Act (improving interoperability between data platforms), the Digital Markets Act (tackling the power of gatekeeper platforms), the proposed Data Act (providing data access rights to Internet of Things (IoT) data for users and providers of related services), the EU retail investment strategy (providing safeguards in the use of retail investor data) and the Digital Operational Resilience Act (rules on cybersecurity and operational resilience in the financial sector).
Preferred Approach
The EU has chosen the following approach from a wide range of options considered by an experts group and other stakeholders. The Open Finance Regulation will:
- require data holders to provide customers with 'permission dashboards' to grant access to selected customer datasets;
- set eligibility rules on who can access customer data;
- empower European authorities to issue guidelines to protect consumers against unfair treatment or exclusion;
- require common standards for customer data and interfaces (APIs) for access to that data; and
- require agreement on compensation and contractual liability.
Cost/Benefit
The Regulation is considered to be a necessary transition that will pay off in the medium to long term. Big providers will lose some of their 'hold' over customers, while providing new entrants access to data that will promote more customer activity and help grow the overall financial services market.
A key example would be enabling you and your finance providers to figure out how to fund a sustainable lifestyle and retirement, make the decisions to meet your goals and obtain the relevant services to achieve them.
Creating standard ways to efficiently share data will enable less form filling for customers and better productivity for service providers.
The estimated total annual benefits from Open Finance for the EU economy range from €4.6bn to €12.4bn, including a direct impact on the financial data sector of €663m to €2bn. The overall estimated cost could be €2.2bn to €2.4bn initially, with ongoing annual costs of €147m to €465m.
Specific Features of the Open Finance Regulation
Scope
In this context 'customer data' means personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of its normal course of business, whether provided by a customer or generated as a result of customer interaction with the institution. So it includes access to, and processing of, business-to-business as well as business-to-consumer data, at the customer's request.
Certain categories of customer data may be accessed, shared, and used; with specific rights and obligations of defined data users/holders and authorised 'financial information service providers' (who provide information services as a regular occupation or business activity).
The specific sets of data relate to mortgages, savings, investments, pensions, credit information and so on; and the types of firms in scope are regulated financial institutions - as well as authorised financial information service providers - when acting as holders or users of those types of data.
A 'data holder' must make available the specified type of data to customers and their nominated 'data users' at the customer's request, in real time.
Where personal data is involved, the request must also align with a valid legal basis for that data holder to undertake the requested processing under the General Data Protection Regulation (GDPR).
Data users receiving data at the request of customers should only access the customer data made available to them, and only for the purposes and the conditions agreed with the customer.
The customer’s personalised security credentials must not be accessible to other parties, nor can the data be stored longer than necessary.
Responsible data use and security
The Regulation also guides firms on how they should use data for given use cases, and prohibits any discrimination or restriction in the access to services as a result of the use of the data.
Customers can't be refused access to financial products just because they refuse to grant permission to use their data.
Data holders must provide the customer with a 'permission dashboard' that meets certain criteria, allowing the customer to monitor, manage and withdraw the permissions they give to data users.
Creation and governance of financial data sharing schemes
Financial data schemes are those whose aim is to bring together data holders, data users and consumer organisations. A scheme should develop data and interface standards, 'coordination mechanisms' for the operation of permission dashboards and a standardised contractual framework governing access to specific datasets and rules on governance, transparency, compensation, liability, and dispute resolution.
Such data-sharing schemes must be notified to the local regulator, and will benefit from a passport for operations across the EU.
Data holders must be entitled to compensation for making the data available to data users, according to the terms of the scheme of which they are members.
Financial information service providers
Financial information providers must apply for authorisation and meet various operational requirements, appoint a legal representative and may passport their services throughout the EU/EEA.
The Regulation will apply 24 months after its entry into force, except that 'financial data sharing schemes' will be able to apply 6 months in advance, so that they are ready when the Regulation goes live.
This note summarises the Regulation for information purposes; if you require advice on its application, please let us know.