Summary
- The following abridged policy brief was produced by CCI earlier this month.
- It is meant to help members dissect critical policy elements or proposals.
The European Commission’s proposed framework for Financial Data Access consists of thirty-six articles organized into eight titles. It concerns the access, sharing, and use of specific categories of customer data in financial services and provides mandates and guidelines for data holders, users, service providers, and competent authorities.
Key Features of the Proposal
Title I – Subject Matter, Scope & Definitions: Title I defines the scope of the regulation as concerning the access, sharing, and use of financial customer data, encompassing a wide range of areas such as mortgage credits and creditworthiness evaluations, with obligations on entities from credit institutions to crypto-asset service providers. This title also provides specific definitions for terms like ‘customer’ and ‘data holder’, and mandates lawful access to data following customer consent, with the understanding that these obligations do not replace existing legal directives unless explicitly stated.
Title II – Data Access: Title II outlines the obligations of data holders and users towards customer data, stressing real-time availability, data security, customer consent, and disclosure of intended purposes for data use. It also involves guidelines for customer data management, service provider authorization, consent withdrawal, confidentiality, and limitations on non-personal data access, marketing, and intra-company data sharing.
Title III – Responsible Data Use & Permission Dashboards: Title III specifies rules for data use and the establishment of permission dashboards, including required data minimization and non-discrimination in financial sectors under Article 7, while mandating the EBA and EIOPA to create implementation guidelines with the European Data Protection Board’s involvement. Article 8 of this title creates a duty for data holders to provide interactive dashboards for customers to manage data permissions, requiring detailed information, record-keeping, easy accessibility, and real-time collaboration to keep the dashboard current and users informed of changes.
Title IV – Financial Data Sharing Schemes: Title IV outlines Financial Data Sharing Schemes, detailing membership, governance, and content requirements as well as contingency measures. Specific articles mandate data holders and users to enroll within 18 months of enactment, establish guidelines for diverse membership and uniform rule application, prescribe reporting requirements, and authorize the Commission to supplement the Regulation with a delegated act if a scheme is absent.
Title V – Eligibility for Data Access and Organization: Title V outlines financial service providers’ criteria for customer data access, mandating comprehensive applications, professional indemnity insurance, technical standards, obligations for non-EU-based providers, and specific conditions for authorization. Articles 15 and 16 further require the European Banking Authority to maintain a public register of anonymized data about authorized providers and their schemes, and enumerate organizational requirements to ensure regulatory compliance, continuity, risk management, and security response.
Title VI – Competent Authorities & Supervision Framework: Title VI provides a framework for the responsibilities of competent authorities in Member States, outlining duty execution, cooperation, information gathering, investigation, enforcement, power delegation, and the imposition of administrative penalties while ensuring confidentiality. It also elaborates on the right of appeal, the disclosure of decisions and their appeals, cooperation and information exchange amongst competent authorities, resolution of disagreements, and necessary collaboration with the European Banking Authority.
Title VII – Cross-Border Access to Data: Title VII provides clarity on the principles and procedures that guide cross-border access to customer data by financial information service providers and financial institutions. Article 28 forms the core of this title, proposing that these entities should have access to data as defined in Article 2(1), in compliance with the freedom to provide services and the freedom of establishment principles. The Article also sets out notification and procedural guidelines for these entities when seeking to access data in a member state other than their home state, fostering cooperation between the home and host state authorities. Prompt reporting to the home state’s authorities is mandated in cases of significant changes to the information provided or added outsourcing activities. Article 29 emphasizes that any restrictive measures or penalties imposed by competent authorities under Title VI or Title VII need to be adequately justified and communicated to the affected financial information service provider.
Title VIII – Final Provisions: Title VIII of the proposal empowers the Commission to adopt delegated acts and requires the Commission to review specific aspects of the Regulation. Additionally, it includes amendments to the regulations establishing the ESAs and financial information service providers, as well as an amendment to the Digital Operational Resilience Act Regulation. The Regulation is set to enter into application 24 months after its entry into force, except for Title IV, which enters into application 18 months later.