On December 4, 2024, the Council of the European Union announced that it reached an agreement on the proposal for the Regulation on a framework for Financial Data Access (FIDA). This follows the European Commission's initial proposal for the FIDA Regulation in June 2023.

In particular, the FIDA Regulation provides harmonized rules on what data can and may be shared in financial services, facilitating the sharing of financial data beyond payments account data. The FIDA Regulation also seeks to ensure that the sharing of customer and technical data is standardized, reducing the costs of data sharing.

What is the scope of the FIDA Regulation?

The Council amended the scope of the FIDA Regulation to stipulate that personal and non-personal data included within its scope, should only refer to raw data that occurs as a result of the normal course of business between data holders and customers. Not confidential business data or trade secrets, nor data enriched by the data holder. The sharing of financial data should not facilitate the reverse engineering of data, or methods or techniques to unlawfully obtain business data and confidential trade secrets. For example, the FIDA Regulation specifies that personal data of uninvolved third parties who are data subjects other than the customer should be excluded from the scope of the FIDA Regulation.

In addition, the Council amended the FIDA Regulation to set a limitation period for the retention of data, since sharing data that is decades old may lead to significant costs for data holders.

How does the FIDA Regulation affect customer consent?

The Council further amended the FIDA Regulation in relation to customer data permissions. Data holders must not prompt customers to withdraw the permission given to a data user. Data holders are also prohibited from designing, organizing, or operating their permission dashboard interfaces in a manner that deceives, manipulates, or directs customer behavior towards permissions that are not in the best interest of the customer, or materially distort or impair the ability of customers to make free and informed decisions. Requests for customer data permission must be clear, objective, accurate, and easily understandable, and include the:

• name of the data user to which access will be granted;
• financial product or financial service to which access will or is intended to be granted;
• purpose of the permission;
• categories of data being shared;
• the period of validity of the permission; and
• information that the customer can view and withdraw the permission on the dashboard.

How does the FIDA Regulation affect third parties and gatekeepers?

Notably, the Council amended the FIDA Regulation to include provisions related to gatekeeping organizations under the Digital Markets Act (DMA). Specifically, the FIDA Regulation prohibits data users that are gatekeepers or data users that are owned or controlled by an entity designated as a gatekeeper under the DMA from combining customer data with other data relating to the customer that the designated gatekeeper may already collect, store, or otherwise process for purposes outside the FIDA Regulation.

Finally, regarding third-country financial information service providers (FISP), the FIDA Regulation now provides that third-country entities that want to become FISPs must have an established presence in an EU Member State. The FIDA Regulation cites the need to maintain a robust ICT-risk management framework for data users as a precondition for access to customer data and provision of financial information services.

You can read the press release here and the amended FIDA Regulation here.