Financial Data Access (FiDA)

From new financial products and innovative business models to personalised services: For years, the financial industry has been discussing the huge potential that lies dormant for companies and customers in sharing data across company and platform boundaries. Now Europe is getting serious about open finance. The keyword is FiDA and refers to the European Union's Financial Data Access Regulation.

The European Union's Financial Data Access Regulation (FiDA) represents a logical next step from open banking towards open finance, i.e. an open and transparent data landscape in the financial sector. The aim of FiDA is to facilitate access to financial data and improve interoperability between different financial service providers in order to promote the development of data-driven financial services and overall innovation and competition in the financial sector. With the current draft regulation (FiDA-VO-E), the EU is launching another legal act to implement the EU digital strategy following the EU Data Act, which will also apply in the EU from 2025.

With FiDA, so-called data holders - i.e. financial institutions, insurance companies, brokers and other service providers that fall under the definition of the draft regulation - are obliged to provide their customers with their data immediately, free of charge, continuously and in real time upon request.

Customers may also request that this data be made available by the data controller to so-called data users - e.g. other financial institutions, insurance companies or service providers authorised by a public authority as financial institutions or financial information service providers ("FISPs") - so that they can offer customers data-based innovative financial products and services. For this purpose, data controllers must provide a dashboard in which customers can view and manage their consent to data sharing. They are authorised to demand "cost-based compensation" from data users for sharing the data.

FiDA applies to a very broad range of customer data, including mortgage credit agreements, loans and accounts, savings, investments in financial instruments, insurance investment products (e.g. annuities), crypto assets, real estate and other related financial assets, property and casualty insurance or data collected for the assessment of creditworthiness as part of a credit application or credit check. The current draft excludes data in connection with health and life insurance policies.

If players fail to comply with their obligations, far-reaching sanctions are envisaged, including financial penalties of up to 2% of total turnover, a public announcement and suspension of authorisation as a financial services provider.

• Credit institutions
• Payment institutions
• Electronic money institutions
• Investment firms
• Providers of crypto services
• Alternative investment fund managers
• Insurance and reinsurance companies
• Insurance intermediaries
• rating agencies
• Financial information service providers
• Financial & insurance brokers

Data exchange between the various players is to take place on the basis of a Financial Data Sharing Scheme (FDSS), which defines the necessary standards and also regulates their operationalisation. This includes technical standards relating to data, interfaces, protocols, authentication and regulations on liability, dispute resolution, compensation and other processes. Taking into account the heterogeneity of the data concerned and the various players in the European area, it is to be expected that several FDSSs will emerge in parallel, which must, however, guarantee interoperability and secure data exchange. The European Union has delegated the task of defining the FDSS to the market participants. The first possible candidates for FDSS development are already emerging in the banking and insurance sectors.

According to the draft regulation, data owners and data users are obliged to join an FDSS within 18 months of it coming into force.

When implementing the requirements - especially in the context of the FDSS - it is important to take into account the other applicable legal requirements, such as the EU General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Payment Services Directive 3 (PSD 3) and the Payment Services Regulation (PSR), and to ensure that they are contractually complied with and included in internal documentation.

The introduction of FiDA presents both challenges and business opportunities in varying degrees, depending on the role that banks, insurance companies, asset managers and other financial service providers will play in the FiDA scheme, i.e. essentially whether a player will act as a data owner or data user (or both).

The main challenge for data owners is to adapt processes, data architecture, IT systems and data management within a very short implementation period in such a way that the FiDA requirements are met on time and compliance risks are avoided, particularly with regard to the required real-time provision of data. Many data owners will need to adapt, particularly in the areas of master data management, data quality, data governance and data platforms, in order to be able to provide the required data securely, efficiently and on time in the right quality and granularity. At the same time, data owners have the opportunity to utilise the potential of an improved data architecture in other ways and, not least, to offer innovative, data-based products themselves in the role of data user.

For data users, the FiDA Regulation offers extensive opportunities to develop and market new business areas and innovative products and services based on the data that is now available. In order to actually take advantage of these opportunities and realise further market potential and market share, data users must be able to use appropriate IT systems, processes and governance to record and process the data accordingly and to develop and offer attractive, data-based products with real added value for customers.

In addition to data owners and data users, other players such as industry associations and technology providers are also expected to become involved, for example as providers of a data exchange platform. The question for all stakeholders is whether and to what extent they should initially participate in the definition of an FDSS or join one or more of them.

Addressing the topic of FiDA in good time before the regulation comes into force will be decisive in determining whether you are a frontrunner in shaping the implementation of FiDA and thus the future of the financial sector and successfully realising business opportunities, or a laggard struggling with the timely adaptation of IT systems, the launch of new products and the threat of compliance risks.

According to the current draft regulation, banks, insurance companies and financial service providers must have joined an FDSS within 18 months of it coming into force and fulfil the FiDA requirements 24 months after it enters into force. It is also to be expected that competitors will already be entering the market with innovative, data-based products and services by this time.

Depending on which role(s) you will take on as a player in the FiDA scheme, it is advisable to address the following questions in an exploration phase at this stage:

KPMG offers customised advice for every phase of FiDA implementation, taking all relevant dimensions and perspectives into account. To achieve this, we rely on an interdisciplinary team that combines in-depth expertise in the financial services sector with competence in the areas of strategy and operations, regulatory, legal, IT solutions and data management.

In the current early FiDA exploration phase, KPMG supports you and your company in the following important short-term steps: