The Committee on Economic and Monetary adopted the report by Michiel HOOGEVEEN (ECR, NL) on the proposal for a regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Subject matter
The proposed regulation establishes rules on the access, use and re-use of categories of customer data in financial services. The framework would be established for the access of customer data processed by financial institutions across the financial sector beyond payment account data. Based on owner’s permission, their data (including holdings of savings and investments in financial instruments and insurance-based investment products as well as data collected for the purposes of carrying out a suitability and appropriateness assessment) would be made available in order to develop and provide tailor-made and data-driven financial products and services.
Access to data
Ensuring customer control and trust is imperative to build a well-functioning and effective data access framework in the financial sector. Ensuring effective customers’ control over their data contributes to innovation as well as customer confidence and trust in using alternative service providers. As a result, effective control may help overcome customer reluctance to re-use their data.
The Union’s financial data economy remains fragmented, characterised by uneven data access, barriers, and high stakeholder reluctance to engage in unlocking and re-using data beyond payments accounts. Data required to conduct know-your-customer processes by financial firms, including SMEs, can be valuable when on-boarding new customers. Therefore, the access to and re-use of such data could significantly contribute to lowering barriers to switching providers and therefore result in increased competition and innovation for financial products and services to the benefit of customers.
Excluded data
Data related to sickness and health cover should be excluded from the scope, as well as confidential business data and undisclosed know-how. Members also decided that the large digital platforms designated as Gatekeepers pursuant to the Digital Markets Act should not be eligible to become financial information service providers (currently designated gatekeepers are Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft). These are platforms whose dominant online position makes it virtually impossible for business to reach end users if not through their gateways, and their exclusion aims to ensure that they could not circumvent the rules in case they owned or control data users.
Customer control over their data
Access to customer data in the scope of this regulation should be based on the explicit permission of the customer. Customers would decide how and by whom their financial data is used. The access should be based on customers’ explicit permission and data users would have to specify what they intend to make with them. The data could not be transferred to a third-party without permission. Moreover, a consent could be withdrawn at any time and free of charge.
Financial data access scheme governance and content
Customers should know what their rights are in case problems arise when data is accessed and who to approach to seek compensation. Financial data access scheme members, including data holders and data users, should therefore be required to agree on the contractual liability for data breaches, customer compensation when data is misused, including when it is transferred to a third party without the customer’s explicit permission, as well as how to resolve potential disputes between data holders and data users regarding liability. Those requirements should focus on establishing, as part of any contract, liability rules as well as clear obligations and rights to determine liability between the data holder and the data user.
Processing of personal data in the context of the new rules should be carried out in accordance with the exiting EU legislation.
Register
The European Banking Authority (EBA) should establish a register of authorised financial information service providers, as well as financial data access schemes agreed between data holders and data users. The register should be publicly available on EBA’s website, should be machine readable, and should allow for easy searching and accessing the information listed, free of charge.