From new financial products and innovative business models to personalized services: For years, the financial industry has been talking about the huge potential of sharing data across company and platform boundaries. Now Europe is getting serious about open finance - and FiDA is set to create a uniform legal framework for this.
The European Union's Financial Data Access Regulation (FiDA) is intended to facilitate access to financial data and significantly change the exchange of data between financial institutions and insurance companies in Europe. The first draft of the regulation was fleshed out by the EU Council on December 2, 2024 and is now undergoing the further legislative process. FiDA represents the next step from open banking towards open finance.
What is FiDA and what are its objectives?
The EU regulation aims to improve data exchange in the financial sector and promote data-driven financial services. The aim is to strengthen interoperability between financial institutions, insurance companies and other relevant players.
FiDA represents a significant step towards an open and transparent financial landscape and promotes innovation and competition. As part of the EU digital strategy, FiDA completes the transition from open banking to open finance. The draft regulation (FiDA-VO-E) builds on the EU Data Act, which will enter into force in September 2025, and expands the legal framework for the secure and efficient exchange of data in the EU.
Who is affected by FiDA? Scope and requirements
The Financial Data Access Regulation affects a large number of players in the financial and insurance sector. Data holders such as insurance companies, banks and other service providers that fall under the definition of the regulation are obliged to provide their customers with their data immediately, free of charge, continuously and in real time upon request.
Customers also have the option of having this data passed on to data users upon request. These include other financial institutions, insurance companies or service providers that have been authorized by an authority as a financial institution or financial information service provider ("FISP"). These can then offer customers innovative financial products and services based on data.
To make this possible, data controllers must provide a dashboard on which customers can view and manage their consent to data sharing. Consent must be specific, earmarked for a specific purpose and limited in time, and revocation is generally free of charge. The focus here is on clarity and transparency for end customers.
Data owners can demand appropriate remuneration from data users for sharing data, which may also include an appropriate margin.
If an actor fails to meet its obligations, far-reaching sanctions are provided for, including financial restrictions of up to two percent of total turnover, a public announcement and suspension of the license as a financial services provider.
Data controller and data user according to Art. 2 para. 2 FiDA-VO-E can be, for example:
- Credit institutions
- Payment institutions
- E-money institutions
- Investment firms
- Providers of crypto services
- Managers of alternative investment funds
- Insurance and reinsurance companies
- Insurance intermediaries
- Rating agencies
- Financial information service providers
- Financial & insurance brokers
Financial Data Sharing Scheme (FDSS) as the basis for data exchange
A central element of FiDA is the Financial Data Sharing Scheme (FDSS). This defines technical standards, interfaces, protocols and authentication procedures for the secure exchange of data. It also regulates essential aspects such as liability, dispute resolution, compensation and other processes.
In view of the diversity of products and market participants in Europe, it is to be expected that several FDSSs will emerge in parallel. However, these must ensure interoperability and enable secure data exchange. The European Union has delegated the development of these data sharing models to the market participants. The first potential FDSS candidates are already emerging in the banking and insurance sectors.
However, when the EU Council fleshed out the draft in December 2024, it limited the number of permissible FDSSs: a financial data sharing scheme must represent at least 25 percent of the relevant clientele of a product in a geographical market. In addition, the three most important data holders must be reported to the supervisory authority.
When does FiDA come into force? Deadlines and important regulatory requirements
With the update of the draft regulation, the European Union has introduced a staggered timeline for the implementation of FiDA. While a uniform deadline was originally planned, a three-phase breakdown is now being introduced:
- 24 months overall deadline: customer data on consumer credit agreements, accounts, savings and car insurance must be made accessible. The deadline for the FDSS requirements is 18 months.
- 36 months overall deadline: This concerns customer data on consumer credit agreements for residential real estate, investments in financial instruments, crypto investments and pension products, including the Pan-European Personal Pension Products (PEPP). The FDSS requirements must be implemented within 30 months.
- 48 months overall deadline: An implementation deadline of 48 months applies to all other customer data, whereby the FDSS requirements must be implemented after 42 months.
In addition to FiDA, other legal requirements must be observed, including the EU General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR). Companies must take these regulations into account both contractually and in their internal documentation. In addition, liability regulations must be carefully mapped, particularly in the context of financial data sharing schemes.
Which data is affected?
FiDA covers a wide range of customer data, including:
- Loans and accounts
- Savings and investments
- Insurance products (e.g. pension insurance)
- Crypto assets
- Data on creditworthiness
Data in connection with health and life insurance is currently excluded.
FiDA compared to PSD2: What are the differences?
The FiDA regulation differs from the Payment Services Directive 2, which primarily concerns payment transactions. While PSD2 regulates access rights to payment data, FiDA extends access to a much broader range of financial data, including insurance data and crypto assets. However, both regulations promote the concept of open finance and enable financial institutions to develop innovative products through the secure exchange of customer data.
Challenges and opportunities for data owners and data users
FiDA creates new business opportunities and challenges - depending on whether insurers and financial service providers act as data owners, data users or both.
Challenges for data owners
Opportunities for data owners
Challenges for data users
Opportunities for data users
How can insurers and financial institutions prepare for FiDA?
Dealing with FiDA in good time will be crucial for financial institutions to actively shape its implementation as frontrunners and realize new business opportunities. Competitors are likely to enter the market early with innovative, data-based financial services.
However, even focusing solely on implementing the organizational, technical, legal and regulatory requirements for data owners and (future) data users requires an early start to preparations.
Depending on their respective role in the FiDA scheme, financial institutions should already be addressing these issues now:
… Data Owner
- What relevance does FiDA have for my organisation?
- What challenges and opportunities does FiDA offer?
- What data is relevant for the exchange?
- Is all the data digitised and can it be provided in the right quality, granularity, format, etc.?
- How will an FDSS definition be made and to what extent can I influence it?
- Is there a need for action in the area of IT systems and data management to ensure secure, efficient and first-class data provision?
- What does "cost-based compensation" for data provision to data users look like?
… Data User
- What relevance does FiDA have for my organisation?
- What new business models & products will FiDA enable in my business area?
- How will FDSS be defined and to what extent can I influence it?
- Is my product development set up accordingly?
- Does my company need permission to become active as a data user?
- Is there a need for action in the area of IT systems and data management in order to be able to securely record and process the data?
- How will I advertise consent requests and new products to my customers?
KPMG: End-to-end advice for successful FiDA implementation
KPMG offers customized advisory services for each phase of FiDA implementation to ensure that all relevant dimensions are considered. With an interdisciplinary team, KPMG combines in-depth expertise in financial services, strategy, operations, regulatory, legal, IT solutions and data management.
In the current early FiDA exploration phase, KPMG supports you and your company in the following steps:
KPMG advisory services in the FiDA exploration phase for ...
… Data Owner
- Building FiDA expertise (C-level & more)
- Positioning - relevance, opportunities and challenges of FiDA
- Clarification of FiDA role(s) and level of ambition
- Advice or support for an FDSS definition, if applicable
- Quick check / FiDA readiness assessment (technical, strategic, regulatory ...)
- Development of recommendations for action & roadmap
- Supporting the implementation of FiDA requirements (strategic, technical, regulatory, legal)
… Data User
- Building FiDA expertise (C-level & more)
- Positioning - relevance, opportunities and challenges of FiDA
- Market and competition analysis / benchmarking
- Ideation and design of new products & services
- Quick check / FiDA readiness assessment (technical, strategic, regulatory ...)
- Development of recommendations for action & roadmap
- Supporting the implementation of FiDA requirements (strategic, technical, regulatory, legal)
Contacts
Jens Siebert
Partner, Financial Services
KPMG AG Wirtschaftsprüfungsgesellschaft
Barbara Scheben
Partner, Audit, Regulatory Advisory, Head of Forensic, Head of Data Protection
KPMG AG Wirtschaftsprüfungsgesellschaft
Dr. Ulrich Keunecke*
Partner, Sector Head Legal FS Insurance, Sector Head Legal FS Asset Management
KPMG Law Rechtsanwaltsgesellschaft
* The legal services are provided by KPMG Law Rechtsanwaltsgesellschaft mbH.