Faculty of law blogs / UNIVERSITY OF OXFORD

The EU Open Finance Proposal: Opening the Gates to Financial Services Data

Author(s)

Eugerta Muçi
PhD Candidate at Erasmus University Rotterdam

On 28 June 2023, the European Commission published the proposal for a Regulation on a Framework for Financial Data Access (FIDA). The FIDA proposal, or the Open Finance framework, is noteworthy for opening market access to customer financial services data across a range of domains. This blogpost argues that the Open Finance framework will do so largely to the benefit of European non-financial companies and international financial and non-financial companies, creating an unjustified competitive disadvantage for existing EU financial players.

The FIDA proposal aims to enhance data availability and use, as well as innovation, in the financial sector. Its distinctive feature is that it obliges a wide range of financial institutions (in their capacity as data holders) from banking, insurance, investments, pensions and other domains to make customer financial data available to data users, upon customer request and in return for compensation (subject to conditions, ie membership in financial data sharing schemes). The firms that can access this data (data users) are not only the same financial institutions that act as data holders but also Account Information Service Providers (AISPs, from the Second Payment Services Directive (PSD2)) and Financial Information Service Providers (FISPs). So, the same financial institution that has to make customer data available will also be able to use financial data. AISPs and FISPs are the only entities that act solely as data users, precisely because their business model is based on consuming other firms’ data. The FISP is an authorisation introduced in the FIDA and granted by the competent regulator (an AISP-like authorisation) that gives the authorised firm the right to access FIDA data.

The FISP can potentially become a gateway to financial services data in a way that is competitively disadvantageous for incumbent financial institutions in the EU, and in some cases can threaten competition in the financial industry. Three aspects are important in this regard: eligibility to access financial data by EU non-financial firms, by foreign firms (financial or not) and by Big Tech companies (gatekeepers) through obtaining an FISP authorisation.

Data access by non-financial firms

The first aspect relates to making financial data available to companies from other sectors, such as telecommunication, health, mobility, etc. For example, e-commerce platforms can access retailers’ financial data based on the FIDA, but there is no similar law obliging e-commerce platforms to make retailers’ e-commerce platform data available to financial service providers, unless they conclude contracts for this purpose on a case-by-case basis. This situation leads to an uneven playing field because e-commerce platforms are increasingly integrating lending in their business by partnering with certain financial institutions. Making e-commerce platform data available would, however, be desirable as it could be used to improve the credit scoring of small retail companies, resulting in more efficient underwriting by all financial service providers. For some other strategic sectors, the EU Data Strategy has envisaged the establishment of common data spaces, but it is not clear when they will materialise and hence when data sharing reciprocity will take place. A possible solution to address this imbalance could be to oblige companies from other sectors to also share their customer data should they want to access financial services data.

Data access by foreign financial and non-financial firms

The second group of companies that the FISP will open financial data to are foreign firms. Per Article 13 of the FIDA proposal, a foreign FISP established outside the EU can access data in the Union by appointing a legal representative in a Member State. In other words, the legal representative provision enables foreign financial or non-financial companies from anywhere in the world to access European customers’ financial data. A couple of issues arise. First, it is uncertain how the supervision of foreign FISPs will be carried out because they conduct their business operations outside the EU, unlike the EU FISPs or other financial institutions subject to FIDA. The foreign FISP has no office in the EU where the supervisor can inspect their business. The FIDA legal representative regime is a much lighter regime compared to other third country market access regimes like licensing. This is more problematic when customers’ financial data are sensitive. If we were to compare the FISP with their PSD2 counterpart, ie AISPs, the latter are subject to a stricter regime, since they are payment institutions and need to be established in the EU. Second, it is puzzling what financial services business models foreign FISPs can build on the EU data they will access. Given they do not have an establishment in the EU, their regulated business opportunities are limited. But what a foreign FISP can do is build a business model that is not regulated, eg SME lending, which in many EU member states is not regulated or falls outside the scope of financial services. Naturally, the creativity of firms accessing data is hard to predict. In any case, it is difficult to see how trustworthiness is ensured in the Open Finance ecosystem when the FIDA proposal sets a lower bar for participation for some entities compared to others and lacks the justifications for it.

Generally speaking, with no need for establishment in the EU and without supervision comparable to that of other FIDA subjects, the Open Finance proposal has made it relatively easy for foreign firms to enter the EU financial market on an arguably more advantageous footing than existing players.

Data access by Big Tech firms

Lastly, large technological companies (Big Tech) labelled as ‘gatekeepers’ under the Digital Markets Act (DMA) can access financial services data. Unlike in the above scenarios, Big Techs do have to share their platform data free of charge with other firms, so reciprocity is not a problem. But Big Techs are so powerful that any additional data field they can obtain could add to their dominant position. The DMA recognised the fact that some Big Techs have a dominant position in the European digital services market, which may lead to difficulties for new players to compete. Therefore, certain Big Techs (gatekeepers) are obliged to share their platform data for free, to enable other market actors to compete. The same logic is present in the Data Act proposal where gatekeepers are restricted from accessing Internet of Things (IoT) data, as opposed to non-gatekeepers who do get this right. The idea here is that more data would reinforce the dominance of the gatekeepers. A year after the DMA’s enactment, the FIDA proposal enables gatekeepers’ access to financial data. Why should gatekeepers not get access to IoT data but get access to financial data? Referring to the FIDA recitals and the accompanying impact assessment, its rationale is to enhance data availability and use. However, it is unclear why access is allowed for FIDA data and not allowed for IoT data, considering that gatekeepers are not all active in these markets. The underlying risk of Big Tech dominating the financial markets is real. If Big Techs were to access all of their customers’ insurance, banking, investment, etc. data, they would be able to build the same algorithms and models that financial institutions have and combine these with their other data.

As a result, instead of increasing data use and enhancing competition, the FIDA proposal bears the risk of shifting market power from one group of firms (incumbent financial institutions) to the other (Big Techs), possibly resulting in a less competitive ecosystem. There could potentially be financial stability implications and hence regulatory intervention, but currently the digital services sector is not as heavily regulated as the financial one, leading to fewer safeguards for customers and financial stability.

Conclusion

It is clear that financial data holds insights on customer behaviour that can add value to other products and services. However, it is not clear how the current draft of the FIDA proposal will increase value in a safe and controlled manner for the economy and customers. In light of the above, a couple of recommendations can be made. The first is to introduce a right for financial institutions to access non-financial data if they make data available to FISP firms from other sectors. The second is to at least add safeguards to Article 13 of the FIDA proposal. The third is to reconsider Big Tech’s access to FIDA data.

Eugerta Muçi is a PhD Candidate on Open Finance at Erasmus University Rotterdam and a fellow of the International Center for Financial Law & Governance (ICFG).
