Imagine a world where you can ask ex-vendors to delete all the information they hold on you, and where you can see exactly who has a copy of your personal financial information. That is exactly what FIDA is designed to achieve. When it comes into force in 2025, European data holders and data users will be required to step up their data security and better recognize consumer rights. Discover what FIDA requires, how your business might need to adapt to comply, and how Trustpair can support those changes in your business.
Learn more about the upcoming PSD3 regulation in our white paper about Instant Payments in the EU.
FIDA regulation: what is it?
FIDA stands for Framework for Financial Data Access, and has been announced as part of a wider package of EU regulation known as PSD3. The framework aims to expand on previous open banking principles (brought in through PSD2 regulations) and create a wider scope for the sharing of personal data between approved financial institutions and third parties.
It’ll set the rules for responsible data use, eligibility for becoming an approved institution, and data sharing schemes.
FIDA will likely lead to more innovation in financial services, with more integrations and capabilities, increasing competition in the industry. Announced in June 2023 by the European Commission, FIDA is currently in the proposal stage and won’t apply until 18-24 months after this date.
What is the objective of FIDA?
The primary objective of PSD3, including FIDA, is to create a single market for data collection, sharing, and storage across the EU. It’ll support institutions by creating a guide to appropriate and inappropriate access and use of customer data.
PSD3’s goals are to:
- Boost digital transformation in the financial industry through data-driven growth
- Develop innovative and competitive products in the financial space by increasing the access of designated third parties
- Empower customers to control the access and sharing of their personal data
Specifically, FIDA aims to empower customers to take control over their data and improve general rights to information. Account providers and payment initiators will have to comply, from insurance firms to digital credit card providers. FIDA should also harmonize cross-border collaboration, since the regulatory proposal includes bringing in minimum standards for data transfer.
FIDA regulation: what is its scope?
The regulation includes, but is not limited to, the following types of personal financial data:
- Mortgage products, credit agreements, and loans (including current balance, remaining payable, lending conditions, and previous transactions)
- Investments, including crypto, real estate, and insurance-based investments
- Pension services
- Data forming part of a creditworthiness assessment
Data requirements
Under FIDA, customers will each be provided with their own financial data access permission dashboard. For example, customers using financial comparison sites to compare credit cards will see which third parties their information has been shared with, and which creditors have performed soft credit ‘pre-approval’ checks.
This will empower consumers to know which open finance partners hold their data and to regain control if they want to stop sharing personal data with certain institutions.
Market participants will have to meet common standards for holding customer data and dashboard interfaces, making it easy for customers to compare services and providers. The regulation states that APIs will be the driving force behind integration and standardization, which will likely be a success thanks to their widespread adoption after PSD2.
These dashboards will also grant the European Supervisory Authorities (ESAs) better insights, enabling the boards to issue guidelines on protecting customers against unfair treatment or exclusion.
Data holders
Data holders are defined as firms that collect, store, and otherwise process personal customer data.
One of the most important aspects of the European Commission’s FIDA is that upon a customer request, data holders must make the relevant data available without delay, free of charge, continuously, and in real-time. This means that data holders require a governance compliance solution that not only stores data safely but also ensures it’s accessible across large-scale information collection.
When making data available, the data holder must:
- Use generally recognized standards of data formats
- Communicate securely by appropriately processing and transmitting information
- Ensure data users are qualified and approved to access information
- Provide customers with a permission dashboard
- Respect confidentiality when accessing customer data
Data users
Data users are defined as any entity that, after consent and permission from the customer, has lawful access to their data. For example, a lender accessing your data to assess your borrowing eligibility is a data user.
Data users must be authorized by competent authorities, and can only access data based on the conditions the customer provides. The scope also includes entities being legally obligated to delete the data once it’s no longer required.
Customers have the right to withdraw their permission at any time, which is supported through the previously mentioned dashboard. Moreover, data users are obliged to put adequate technical measures in place to prevent unlawful transfer of, or access to, personal data.
Outside of the EU
FIDA will apply to organizations outside of the EU that are:
- Sharing or receiving personal data from an EU data holder or user
- Dealing with data from customers based in the EU
It’s therefore best to think about compliance with FIDA and the wider PSD3 regulation if you’re a foreign company operating in EU jurisdictions, or working with European partners or customers.
How does data sharing work with FIDA?
Under FIDA, data holders and data users are obligated to join a financial data-sharing scheme within 18 months of the regulation’s entry into force. These schemes will exist to standardize data exchange through technical APIs and ensure that customers have full access to the data collected on them.
Furthermore, each scheme will publish rules on transparency and reporting for its members. This means that when customers do permit new organizations to access their financial data, the information should be as secure as possible, maintaining its integrity.
Whether you’re based in the EU or not, it’s important to prioritize data security and keep customers, and partners, happy. Proper data sharing principles are also key for protecting against risk, and promoting operational resilience.
In a broader sense under PSD3, companies need to be confident that their data is both up-to-date and accurate. Trustpair’s ongoing vendor data monitoring can clean and enrich your data seamlessly, restoring payment data integrity and automatically blocking fraudulent information. Ask for a comprehensive database screening to add a bulletproof layer of data protection.
Here’s a quick summary of the FIDA regulation
The FIDA regulation will form part of the wider PSD3 European guidelines for data collection and sharing between approved organizations. It increases the rights of consumers and sets minimum standards for data presentation and security. We recommend applying the highest-grade data security measures to protect data, such as Trustpair’s continuous database monitoring.