Key takeaways
- The European payments sector has experienced significant changes and currently offers wide choice and healthy competition among providers and solutions, indicating a well-functioning market.
- Payments Europe welcomes the European Commission’s Financial Data Access (FIDA) proposal, which is expected to enhance products and services development, improve customer experience, and create more effective financial solutions.
- Open Finance faces important challenges, including those related to regulatory, compliance, and security issues, and comes with a fundamental need for user education. To move the market in the right direction, FIDA should aim to strike a balance between regulating and incentivising Open Finance.
- To ensure clarity for stakeholders and increased efficiency, coherence with existing regulations is crucial. This includes alignment with GDPR, the Data Act, and the Payment Services Regulation (PSR).
- As the text introduces new concepts and roles, clear terminology is essential, particularly for the definition of terms such as customer data, data holder, financial information services, and data sharing obligations for regulated entities.
- To ensure competition is preserved, customer experience is improved, and innovation is fostered, the interplay between data sharing requirements for Financial Information Service Providers and the Payment Services Directive’s framework for Account Information Service Providers (AISPs) should be clarified.
- Moreover, cross-sector data sharing schemes should be incentivized to ensure a level-playing field for stakeholders towards the objective of establishing an open data economy.
- Finally, to allow the industry to develop schemes, the implementation deadline for data sharing schemes should be extended to allow for sufficient development, testing, and implementation time.
The European payments sector has gone through great changes in the past years. Today, there is wide choice and competition between providers and solutions, which illustrates that the market is functioning well.
Open Finance is the next step in this evolution towards a more vibrant payments sector and dynamic financial services ecosystem. The Financial Data Access proposal (FIDA) could be a key enabler of that evolution. Payments Europe believes Open Finance will boost the development of financial information products and services in Europe, triggering an overall improvement of customers’ experience and access to tailored financial solutions. With intermediary businesses streamlined access to their customers’ data, personalization of services and customer experience will improve, and more effective financial solutions will be created. However, with all its potential benefits, the transition to Open Finance is not without challenges. Regulatory and compliance issues, security concerns, and the need for user financial education are some of the hurdles that must be overcome. Moreover, the fast pace of innovation in the digitalisation of financial services means that the regulatory framework needs to be future proof in order to ensure customer protection while fostering innovation.
It is fundamental to ensure that FIDA finds the right balance between rules and incentives to allow the market to target investments an address customer demand. Payments Europe would like to highlight the below items, which require specific attention from both the regulator and the industry to ensure that the benefits of FIDA can materialise.
The importance of coherence between new and existing regulation
Payments Europe wants to highlight the importance of ensuring that FIDA is coherent and aligned with the European acquis. A coherent legal framework is fundamental to ensure legal clarity, fairness, and, in this case, also appropriate data protection.
As the efficiency of FIDA depends on effectively enabling data access and data use, the proposal must be completely aligned with the GDPR framework, ensuring legal clarity for businesses and customers, and avoiding any barrier to the free flow of data and their protection:
- First, the current definition of customer data includes both personal and non-personal data. Under GDPR terminology, non-personal data can be understood as ‘anonymized’ data. This risks bringing into scope data that are not meant to be covered by FIDA. Therefore, we suggest further clarifying that ‘non-personal’ data in the text refers to data related to legal entities that is not personal data.
- Second, the provision to limit intra-group data sharing should be amended to reflect the operational practices of data flows between company groups. We suggest either removing this prohibition or aligning the definition with the robust controls already existing under GDPR.
Coherence with the EU Data Act will also be fundamental. The Act plays a fundamental role, as it establishes both the overarching framework for horizontal data sharing and the crucial regulation governing compensation for data access within the scope of FIDA. In line with the Data Act, FIDA must allow data holders to develop commercial compensation models that enable at least cost recovery. To align with the Act, FIDA should also envisage a “reasonable compensation model” that allows for the possibility of compensation including a margin. This will provide a future-proof framework and allow for flexibility regarding the development of new financial products. This will also provide the right incentives for industry participation and fast development of the open finance ecosystem.
It is also of great importance that FIDA is aligned with the content of Payment Services Regulation (PSR). This pertains mainly to permissions dashboard requirements, as the framework designed by PSR empowers customers to manage their data access permissions in a user-friendly way and would allow the industry to develop and deliver these dashboards within the shortest possible delay. This would also be helped by ensuring data holders and users are able to manage and provide permission information and instructions via standard financial service APIs or equivalent secure technology.
The importance of clear terminology
The definition of “customer data”
As Payments Europe is committed to ensuring the highest standards of protection are guaranteed by data users, we highlight the importance of the definition of “customer data” within FIDA to exclude data derived or inferred from data provided by a customer as a result of profiling. In particular, the term “generated by the customer” would benefit from being further refined, notably as it relates to the provisions of Article 5(3)(e) on the respect of the confidentiality of trade secrets and intellectual property rights.
Additionally, we highlight the importance of clarifying what the term “non-personal data” is intended to cover under FIDA. A broad interpretation of the term ‘non-personal data’ could be understood as covering anonymized data, which could potentially hinder innovation in financial services and essential customer services. We would suggest clarifying that non-personal data under FIDA means data related to legal entities. We believe that explicitly covering this type of legal entities data alongside personal data in the definition of customer data will better align with the regulation’s intended policy objectives.
The definition of “data holder” and its relationship to data
Further clarity would also be welcome as to whether “data holders” are only those who own or manage the customer account where the data originates from. Based on the current proposal, any company lawfully accessing data could de facto become a data holder and be subject to the related obligations under FIDA.
Indicating that ownership or management of the data in a customer account is a prerequisite to become a data holder would provide the industry with the necessary clarity and ensure customer data is always used in accordance with the high standards of data protection that European customers expect. To that extent, Payments Europe recommends that only new “transactional data” created by a user through the provision of a service or product covered under the scope of FIDA would make such user a data holder.
On data sharing requirements for regulated entities
The proposal should also clearly define data sharing obligations for Account Information Service Providers (AISPs) offering more than AIS as compared with AISPs offering only AIS. Both categories should be able to access all types of customer data under FIDA, to maximise the benefits they can offer to customers.
Under the current terms of the proposal, it is unclear how the regulator is planning to level the playing field for all actors to ensure competition can keep thriving and deliver the best results for customers. In addition, the text should clarify that data holders can share customer data with entities that are not data users under FIDA, based on voluntary agreements.
The importance of cross-sector data sharing schemes
Open Finance needs to respond to concrete customer needs. To ensure this is the case, the regulator should identify specific use cases from the get-go and tailor the proposal around those. Principles for data sharing and technical interoperability should be outlined, but the industry should be allowed to have the ownership to determine the technical specifications for their functioning. To deliver the best customer experience within the shortest possible timeframe, schemes should allow for data sharing across different sectors, to guarantee better and faster implementation prevent the emergence of siloes and foster cross-sectoral innovation.
Timeline
Moreover, to ensure the successful uptake of financial data sharing schemes, sufficient time should be granted to reflect the complexity of the process to develop, test, and implement them in a way that would meet customers’ expectations in term of usability and safety and allow for different industries to align. An extension of the 18-month implementation deadline would provide the industry with the necessary time to do so. In this regard, we propose that the implementation period for FDSS aligns with the standard 24-month period foreseen for the rest of the regulation.