
Open Finance – a framework for financial data access (FIDA)

On 28 June 2023, the European Commission published the draft regulation on Financial Data Access (FIDA or FIDAR) as part of the EU’s Financial Data Access and Payments Package, which gave birth to the EU’s Open Finance vision.

The essence of Open Finance is the transition of financial data from internal assets to regulated customer-owned assets, bringing multidimensional risks and opportunities.

In the beginning, the expectation was that the final version of FIDA could be released by the end of 2024 or early 2025. However, this has not happened. On the contrary, news spread in February 2025 that the FIDA proposal would be withdrawn. This turned out to be “fake news”. In April 2025, the European financial press circulated reports that interinstitutional negotiations (the so-called trilogue) had already started.

Accordingly, it is a perfect moment to take stock of the FIDA project as it stands. In this post, we provide an overview of the planned regulation, the differences in the current positions of the legislative bodies and the expected further timeline.

Introduction

The Payment Services Directive 2 (PSD2) laid the foundation for Open Banking. It paved the way to share customers’ payment account data, with mixed success. With FIDA, the EU plans to elevate this concept to all kinds of financial data (so-called Open Finance). It is part of the European Commission’s digital strategy and Financial Data Access and Payments Package, based on the following two main legislative pillars:

(i) Payment Services Regulation (PSR) & Payment Services Directive 3 (PSD3).

(ii) Financial Data Access Regulation (FIDA) – facilitating the sharing of a wider range of financial data between financial institutions and third-party providers.

FIDA aims to establish a foundation for an innovative and competitive Open Finance environment. Furthermore, this initiative should be fully compatible with the EU's data security, digital resilience and ethical standards, fostering trust in Open Finance.

Please note that this post does not provide a comprehensive list of all FIDA provisions but only covers the most important ones.

Included and excluded data

Whereas the sharing of financial data from payment accounts stays part of the PSD2 and in the future of PSR/PSD3, the legal framework for sharing a wider range of customers’ financial data will be determined by FIDA.

FIDA applies to both personal and non-personal data, meaning it covers information that directly identifies individuals as well as broader financial data. It also applies to any data collected, stored or processed by financial institutions in the normal course of their business. This includes both data provided directly by customers, such as when they open an account, and data generated through customer interactions, regardless of whether the information is shared by the customer or derived from their activities.

In its proposal, the Commission excluded data related to sickness / health insurance and insurance-based investment products as well as data collected in the context of a creditworthiness assessment of a consumer from the scope of FIDA. The Council also wants to grant Member States the option to include customer data on pension rights in occupational pension schemes. In order to protect data holders, the Council also proposes restricting the scope of relevant personal and non-personal customer financial data to raw data that occurs in the normal course of business between data holders and customers. According to the Council, it shall not include confidential business data or trade secrets, nor data enriched internally by the data holder.

Main roles in Open Finance: Data holder, data user and customer

Basically, FIDA sets the framework for three parties in the Open Finance data exchange process: data holder, data user and customer. If a customer consents to financial data access, the data holder is obliged to provide financial data – under regulated circumstances – to data users. Data users can then process customers’ financial data and create business models that customize products based on the financial conditions of the customer.

Data holders and data users can be any existing financial institution, for example credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, alternative investment fund managers, UCITS management companies, (re)insurance undertakings, etc. However, Account Information Service Providers (AISPs) can only act as data users.

Additionally, FIDA introduces a new provider named Financial Information Service Provider (FISP) which can only act as a data user. The logic behind this is that FISPs do not produce financial data. Therefore, they cannot provide any such data to third parties but can receive and use them. FISPs need to get licensed by the competent authority and will be supervised accordingly. The application for authorization has to include a program of operations, a business plan, a description of governance arrangements and control mechanisms including cybersecurity and operational outsourcing aligned with the Digital Operational Resilience Act (DORA), just to name a few. Fine-tuning of licensing requirements for FISPs will later be done via a respective delegated act.

Third-country FISPs and gatekeepers

According to the Commission’s draft regulation, companies seated outside the Union would be able to access the EU market as FISPs, which would open the possibility for companies from third countries to obtain financial information about consumers seated in the Union. To get licensed, they would need to meet all FISP requirements and appoint a legal representative in the EU who is liable for compliance with FIDA’s requirements. However, in their positions, both the Parliament and the Council eliminated the possibility for third-country entities to get a license as FISP.

Furthermore, particularly the sharing of financial data with so-called Big Techs raised concerns during the legislative process, as it could conflict with other recent regulations regarding gatekeepers, such as the Digital Markets Act (DMA). Such gatekeepers could combine existing consumer data with financial data and might gain a vast competitive advantage over traditional European financial institutions. Ultimately, this could harm consumer protection in the Union. Therefore, the Parliament wants to prohibit gatekeepers from becoming or establishing FISPs within the EU, whereas the Council prefers to allow them based on restrictive license procedures. If an eligible data user is a gatekeeper itself, e.g. a credit institution, or is controlled by a gatekeeper, e.g. a credit institution that is owned by a gatekeeper, the positions of Parliament and Council are similar. Both require a specific additional assessment by the competent national authority, differing only regarding the extent of further involvement of EU bodies such as the ESAs. This assessment shall evaluate network effects, data-driven advantages as well as organisational compliance with the FIDA requirements. Lastly, Parliament and Council agree that data users that are gatekeepers or entities owned by gatekeepers should not be allowed to transfer data to other group companies and must not combine received financial data with other customer data that the gatekeeper may already possess.

Rules on rights and obligations in data sharing

The rules governing the conduct of data holders and data users when sharing customers’ data follow a customer-centered approach and focus on efficiency, security and confidentiality.

Following FIDA’s triangular concept, the obligations of data holders have two directions, one towards the customer and another vis-à-vis data users. The data holder’s obligation to share data must be in accordance with and determined by the customer’s electronically transmitted request.

Upon a customer's request, the data holder must provide the customer with their own financial data without undue delay, continuously, in real time and free of charge. If the customer requires it, the data holder is also obliged to provide the customer’s financial data to third data users without undue delay, continuously and in real time. However, in this case, the data holder may request reasonable compensation from the data user. The data transfer is compensated only if the data was provided according to a so-called Financial Data Sharing Scheme (FDSS). Such schemes have to be established once FIDA is in force. In the absence of an eligible scheme, the data must be provided according to modalities to be regulated by a respective delegated act to be prepared by EBA and issued by the European Commission.

Furthermore, the data holder must

  • provide the data user with customer data in a format based on generally recognized standards without reducing data quality,
  • ensure appropriate security levels in both data processing and transmission,
  • safeguard business secrets and intellectual property rights when accessing customer data and
  • require data users to provide proof of the customer’s consent.

On the other hand, the data usage of data users is also limited by the customer's consent and subject to strict rules ensuring data security and a customer-centric approach. In relation to data holders, data users must prove that the customer has given them permission to access specific data. Data processing must be standardized and aligned with the quality standards provided by data holders. At all times, sensitive data such as trade secrets, intellectual property, and other confidential information must be kept confidential. Furthermore, in relation to customers, data users are obliged to restrict their data usage to services requested by the customer (e.g., financial advice). The data purpose also impacts data storage, as data users are obliged to delete the respective financial data when it is no longer necessary for the authorized purpose. The data may not be used for direct marketing unless explicitly permitted under applicable direct marketing law.

When it comes to comparing the roles of data holders and data users under FIDA, while some regulatory requirements are the same, their compliance impact can differ significantly depending on the role.

Financial institutions subject to FIDA have a mandatory role as data holders. Since many compliance requirements for data holders also apply to data users, financial institutions can strategically leverage their regulatory investments by additionally embracing the role of data users. While this broadens their compliance responsibilities and adds regulatory risk, it also creates opportunities for innovative, data-driven business models, new revenue streams, and operational synergies in compliance. Generally, this dual role puts them in a favorable position to better adapt to the evolving regulatory landscape and reduces the risk of future regulatory breaches.

Permission Dashboard

To empower customers with easy management of their data-sharing consents, FIDA requires that data holders provide a user-friendly permission dashboard for managing and monitoring access authorizations.

This dashboard, already part of the PSD3/PSR proposal limited to payment accounts, serves as a centralized tool that allows customers to view all active access permissions granted to data users, including details such as the data user's name, the purpose of access, and the duration of consent.

Customers must be able to revoke or reauthorize access at any time. Mandatory real-time updates of the dashboard require close cooperation between data holders and data users. This shall ensure that customers receive instant updates when access permissions are modified, with mutual notification obligations between stakeholders to keep information up to date.

The specific challenge of real-time consent transparency is that potential technical problems with consent updates can cause violations of various regulatory provisions (e.g. both GDPR and FIDA). Additionally, under certain circumstances, this could also result in a financial institution’s liability towards customers.

Financial Data Sharing Schemes (FDSS)

An efficient data transfer between data holders and data users shall be ensured by the so-called Financial Data Sharing Schemes (FDSS).

The goal is to set standards on contracting and sharing data which operate through standardized industry-recognized interfaces (APIs). An FDSS should also include reasonable compensation in favor of data holders for providing data and associated services like data formatting, transmission and storage. If there is no compensation rule in the respective FDSS, the right to compensation does not apply. Additionally, an FDSS shall contain provisions on contractual liability, for example if data is inaccurate or misused, does not meet the quality standard, or data security is compromised. In the case of personal data, liability regulations must be coherent with the General Data Protection Regulation (GDPR).

The FDSSs are to be developed and defined by their members, including data holders and data users, who cover a significant share of the market, as well as customer organisations and consumer associations. Data holders and data users must be members of at least one FDSS but may also be members of several FDSSs.

According to the European Commission, data holders and data users shall become members of an FDSS no later than 18 months after FIDA’s entry into force. In the absence of an appropriate FDSS for a particular data category, the “fallback mechanism” comes into effect. This means that the Commission shall provide rules through a delegated act on common standards and technical interfaces, determining the maximum compensation for data provision and regulating the liability of the parties involved.

Further timeline

In the so-called trilogue negotiations, Parliament and Council are currently negotiating the final version of FIDA. The general expectation is that this could be concluded by the end of 2025 with a final political agreement. As soon as such an agreement is reached, both the Parliament and the Council have to adopt the final FIDA version in their plenary meetings. Afterwards, it needs to be translated into all official EU languages and published in the Official Journal. On the 20th day following publication, FIDA will enter into force.

It remains to be seen when FIDA will be applicable, though. While the Commission proposed that FIDA should apply 24 months after entering into force, the Parliament suggests within 38 months and the Council within 48 months, however proposing a gradual application. For the time being, assuming FIDA will be published in the first half of 2026, we roughly estimate FIDA will be applicable from the first half of 2029 or 2030.

Nevertheless, the world is facing very dynamic times with rapid political changes at the moment. It remains to be seen how this will affect the duration of the trilogue negotiations, as well as the date of applicability of FIDA. Since timelines and details are still evolving, flexibility is key for FIDA preparations. Financial institutions should plan for multiple scenarios by mapping regulatory risks early and focusing on high-impact areas, building a flexible foundation to be able to quickly adjust once the rules are finalized.

How can we help you?

With our comprehensive know-how in regulatory risk management, we are happy to support you in the early preparation for the new requirements of the FIDA Regulation.

Contact persons: Bernd Fletzberger & Sanijel Ficulovic
