Faculty of law blogs / UNIVERSITY OF OXFORD

Investor Data Sharing in the EU: Enhancing Investor Protection and Capital Market Integration

Author(s):

Veerle Colaert
Professor of Financial Law, KU Leuven University
Florence De Houwer
PhD researcher at KU Leuven University

The distribution of financial products typically relies on investor profiling. Depending on the product or service they provide, investment firms, insurance distributors, pan-European Personal Pension Product providers (PEPP providers) and distributors, crypto-asset service providers (CASPs) and crowdfunding service providers (CSPs) are subject to different types of know-your-customer requirements, such as suitability assessments, appropriateness assessments, demands and needs analyses, and entry knowledge tests. To assess whether a financial product or service fits customers’ investor profiles, financial institutions collect and analyse vast amounts of personal and non-personal customer data. Even though the type and volume of investor data needed for investor profile assessments varies widely between different kinds of institutions and services, an efficient exchange of investor data across financial institutions could bring significant benefits for both financial institutions and investors.

Therefore, the European Commission intends to establish an Open Finance Framework as part of its Digital Finance Strategy. Building upon the principles of ‘Open Banking’, the proposal for a Financial Data Access (FiDA) Regulation seeks to expand customer data sharing beyond payment account data to encompass a much broader range of investor-related information. It aims to establish a comprehensive framework governing the access to, sharing of, and use of such data by data holders and users across the financial sector. In parallel, the Commission put forward a Retail Investment Strategy Directive (‘RIS Directive’) designed to strengthen investor protection in EU capital markets. Amongst other things, it would require investment and insurance firms conducting suitability or appropriateness assessments to provide retail investors, upon request, with a ‘standardised retail investor information report’. The report would contain all data collected for the purposes of the relevant assessment and aims to facilitate more efficient data sharing.

In our recent contribution, we have examined how the implementation of both proposals would affect investor profile assessments across various types of financial institutions. We found that the standardised retail investor information report is intended to lower financial institutions’ costs associated with investor profile assessments, streamline the onboarding of new clients and ultimately facilitate investors’ ability to switch between financial services and institutions. More investor mobility, in turn, can increase competition among financial institutions, incentivising them to develop more data-driven, innovative, and personalised financial products for investors. Combined with the RIS Directive’s other reforms aimed at improving retail investor protection and the FiDA Regulation’s comprehensive data protection framework, the Commission hopes investors will, over time, get access to investment products that are better tailored to their needs. This would, in turn, help increase investors’ trust in the well-functioning of EU capital markets, enhance retail investor participation and thereby contribute to the realisation of the Capital Markets Union and the Savings and Investments Union.

Our research showed, however, that the proposed FiDA Regulation and RIS Directive contain important shortcomings which may hinder the realisation of these objectives. First, they do not harmonise data collection practices. The proposed RIS Directive’s retail investor information report would only standardise the format wherein the collected retail investor information is presented to the investor. Financial institutions, however, rely on very different processes and questionnaires to collect customer information. These divergences impact the categorisation of information (and the terminology used for that purpose), as well as the completeness and level of detail of customer data collected by different financial institutions. This may undermine the cost- and time-cutting benefits of data sharing and the intended increased efficiency of the customer onboarding process: even if data are exchanged, firms may still need to repeat onboarding procedures for new clients. 

To ensure an efficient Open Finance framework, some standardisation of the data collection processes for the purpose of suitability, appropriateness and demands and needs analyses is required. We have argued that a common cross-sectoral template for investor profile assessments, inspired by the European MiFID Template (EMT) for product governance purposes, could remedy this. The template would not aim to create one standardised questionnaire, but instead provide standardised terminology, definitions and subcategories (eg to express the ‘knowledge and experience’ of an investor, the European MiFID Template has introduced definitions of a ‘basic investor’, an ‘informed investor’ and an ‘advanced investor’). A similar template for investor profile assessments could significantly improve the exchange of financial customer data between different institutions, without halting the continuous finetuning of questionnaires by individual financial institutions (which may lead to a race to the top), without creating systemic risks which could result from a standardised questionnaire used by the entire market, and leaving ample room for financial institutions to create questionnaires apt to their product offer and client base. To maximise potential benefits, the common template would have to be used across all investment products (including insurance-based investment products, crowdfunding products and crypto-assets), while categories and terminology should adequately take into account differences between different types of products and services. 

Unfortunately, the proposed FiDA Regulation insufficiently considers this need for cross-sectoral consistency. This is illustrated by the proposal’s definition of ‘customer data’, defined as data collected, stored and processed by financial institutions in the normal course of business with their customers. While the definition expressly refers to data collected for carrying out suitability, appropriateness, and demands and needs analyses under MiFID II and IDD, it does not include similar references to data collected for investor profile assessments under the PEPP Regulation, ECSPR, and MiCAR. This is especially unfortunate as PEPP providers, CSPs, and CASPs are expressly listed in the proposal as potential data users and holders. The Council has proposed an amendment to the definition, introducing an explicit reference to data collected for the purpose of investor profile assessments under MiCAR and the ECSPR. Regrettably, the amendment does not include a similar clarification for investor profile assessments under the PEPP Regulation. 

Likewise, the proposed RIS Directive only partially levels the cross-sectoral playing field. First, the ‘standardised retail investor information report’ applies solely to data collected for suitability and appropriateness analyses under MiFID II and IDD. No similar report is introduced for profile assessments conducted by PEPP providers, CASPs and CSPs. Second, even though the Level 1 text concerning the report would be the same for investment and insurance services, both ESMA and EIOPA are mandated to develop Level 2 regulatory technical standards on the report’s content and format, without being required to develop a cross-sectoral format or even coordinate the Level 2 texts.

Furthermore, the proposed FiDA Regulation does not establish a harmonised liability regime for inaccurate, low-quality, compromised or misused data. Instead, it requires that the liability and responsibility of financial institutions be determined contractually by the financial data sharing schemes in which they participate. This approach will not only result in diverging liability rules across different schemes, but also create uncertainty as to whether supervisory authorities will accept such arrangements to shield members from administrative sanctions if investor profile assessments based on flawed data resulted in unsuitable transactions. To create legal certainty for data users who use shared data for their investor profile assessments, we have therefore argued that a harmonised liability allocation regime for flawed data should be established in the FiDA Regulation, as has been done in other regulatory frameworks (eg art 26 MiFID II).

Finally, the proposed FiDA Regulation would allow data users to use customer data for direct marketing purposes. We find this difficult to reconcile with the GDPR’s principle of data minimisation. Moreover, it may undermine the objectives of the open finance project, since many customers may resist data sharing if their data can be used for direct marketing. In our view, the Council’s position, requiring customers’ prior consent for direct marketing, provides an essential safeguard to maintain investors’ trust in the Open Finance framework and is a precondition for its success.  

We conclude that although open finance has the potential to improve the efficiency of the customer onboarding process, the proposed FiDA Regulation contains various shortcomings which may hinder this outcome. We have proposed targeted amendments in order to achieve a secure, efficient, and cross-sectoral EU Open Finance framework. 

Veerle Colaert is a full professor of financial law at KU Leuven University and co-director of the KU Leuven Jan Ronse Institute for Company and Financial Law.

Florence De Houwer is a PhD researcher at KU Leuven University.