Hostname: page-component-586b7cd67f-dsjbd Total loading time: 0 Render date: 2024-11-23T20:07:54.473Z Has data issue: false hasContentIssue false

Data Access and Automated Decision-Making in European Financial Law

Published online by Cambridge University Press:  08 October 2024

Felix Pflücke*
Affiliation:
University of Luxembourg, Luxembourg, Luxembourg and Somerville College, University of Oxford, Oxford, UK
Rights & Permissions [Opens in a new window]

Abstract

This article examines the regulatory landscape of financial data access within the European Union, emphasising the implications and effectiveness of recent legislative initiatives. It provides an in-depth analysis of the Financial Data Access Regulation (FIDA) proposal and its relationship with existing laws, focusing on the possibilities for data access and utilisation in the context of Open Finance. The discussion evaluates the regulatory framework for automated decision-making (ADM) in European financial law, highlighting its strengths and identifying areas for improvement. By exploring the intersections of tech resilience, financial regulation, and data protection, the article aims to clarify the practical implications of current and proposed rules, emphasising effective practices and areas needing further legislative attention.

Type
Articles
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2024. Published by Cambridge University Press

I. Introduction

In an era characterised by rapid technological advancements and an ever-expanding digital landscape, the intersection of regulating financial data access and automated decision-making (ADM) in European Financial Law has emerged as a critical focal point for legal scholars, policymakers, and industry stakeholders alike. The profound impact of data-driven decision-making on the financial services sector necessitates a nuanced understanding of the regulatory framework governing data access and ADM within the European Union. This article explores this intricate landscape comprehensively, particularly emphasising the implications and effectiveness of recent critical legislative initiatives.

The financial industry has undergone a transformative evolution in recent years, driven by advancements in technology and data analytics, leading to increased datafication.Footnote 1 Financial institutions increasingly rely on vast datasets to streamline operations, enhance risk management, and personalise customer services and products. As these data-driven practices become more prevalent, the need for a robust regulatory framework governing financial data access, utilisation, and protection has become paramount. Recognising the challenges and opportunities of digital transformation, the European Union has introduced the Financial Data Access Regulation (FIDA) proposal to tackle crucial issues surrounding data sharing and interoperability within the EU’s financial sector.Footnote 2

The proposal for the Financial Data Access Regulation framework expands upon the foundation laid by the Open Banking frameworkFootnote 3 initiated under the Payment Services Directive 2 (PSD2).Footnote 4 PSD2 focused on facilitating the sharing of payment account data with customer consent, which will be replaced by the PSD3Footnote 5 and Payment Services Regulation (PSR),Footnote 6 broadening the scope in light of the comprehensive Open Finance framework.Footnote 7 Part of the Open Finance framework is the FIDA proposal, which includes amendments to existing regulations such as (EU) No 1093/2010,Footnote 8 (EU) No 1094/2010,Footnote 9 and (EU) No 1095/2010,Footnote 10 which respectively established the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority, alongside Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which aims to tackle ICT related incidents and covers most financial actors, including those covered by FIDA.Footnote 11 The initiatives under Open Finance address tech resilience, financial regulation, and data protection, and will play a decisive role in shaping the trajectory of EU financial law.

The FIDA proposal includes various financial data beyond mere payment accounts, encompassing insurance, savings accounts, loans, investments, and pension products.Footnote 12 Under the FIDA proposal, clear rights and obligations would be established, allowing customers to share their data with authorised data users.Footnote 13 Importantly, customers retain full control over access to their data, dictating its usage and purpose, with standardisation of data and technical interfaces ensuring interoperability.Footnote 14 A pivotal component of FIDA is the designation of financial information service providers (FISP) as authorised data users,Footnote 15 akin to account information service providers (AISP) under PSD2.Footnote 16 Furthermore, the proposed amendments would impact existing laws, including those governing European financial authorities and digital operational resilience within the sector,Footnote 17 marking a significant legislative evolution towards a more regulated financial data ecosystem. Against the backdrop of the FIDA proposal, this article delves into the broader European legal landscape, scrutinises the interplay between the FIDA proposal and related existing and proposed laws, and assesses the role of ADM.

The present Article proceeds as follows. Section II introduces the proposed Financial Data Access Regulation framework, delving into the legislative proposal by the European Commission aimed at addressing challenges in the EU financial sector and fostering a harmonised European response regarding data access. It discusses the empowerment of customers through control over their financial data, the operational framework for data access, sharing, and use, and the supervision framework with competent authorities ensuring compliance and risk management. Section III explores financial data access and automated decision-making, starting with an introduction to ADM in European Financial Law, highlighting its evolution and intersections with the FIDA proposal. It discusses the challenges and implications of integrating ADM into financial data access, emphasising the need to balance innovation with consumer rights and business interests. Section IV addresses stakeholders’ critiques on the FIDA proposal and provides policy recommendations for improvement. Finally, Section V provides concluding remarks and an outlook.

II. The Proposed Financial Data Access Regulation Framework

The proposed Financial Data Access Regulation framework is a legislative proposal introduced by the European Commission to address emerging challenges in the EU financial sector and provide a harmonised European response to them. The FIDA proposal is part of the European Commission’s wider European Finance StrategyFootnote 18 and European Data Strategy,Footnote 19 based on the foundations of the Data Governance Act,Footnote 20 the Digital Markets Act,Footnote 21 and the Data Act.Footnote 22 The Commission hopes that the FIDA proposal fosters greater innovation in financial products and services, thereby enhancing the array of options available to consumers.Footnote 23 Additionally, they anticipate that it increases competition within the financial sector, promoting a more dynamic and responsive marketplace.Footnote 24 According to the European Commission, the FIDA proposal aims to achieve these goals by establishing a framework that facilitates data-driven finance by enabling efficient access and sharing of financial data while ensuring high privacy, security, safety, and ethical standards.Footnote 25 The legislative proposal for the FIDA framework is thus driven by the European Commission’s commitment to fostering a data-driven economy. The proposal seeks to empower customers by providing better control over access to their financial data with the objective of enhancing economic outcomes for financial services customers and firms, allowing for personalised, data-powered products and services and creating new business opportunities for data-driven third-party service providers.Footnote 26 The legislative intent is also to strike a balance between facilitating the flow and wide use of data in the financial sector while preserving robust standards for privacy, security, and risk management.Footnote 27 The proposal has cleared the first reading stage in the Council, with the potential for minor adjustments as it progresses through the legislative process.Footnote 28

The proposed FIDA framework ultimately concerns accessing, sharing, and using customers’ financial data, including natural or legal persons.Footnote 29 Its scope is narrowed down to particular categories of customer data in Article 2, including mortgage credit agreementsFootnote 30 and non-life insurance products.Footnote 31 The FIDA proposal would also apply to other institutions that act as data holders or users, including e.g. credit institutionsFootnote 32 and crypto-asset service providers.Footnote 33

Concerning data access, the data holder must make specific data available to the customer upon the customer’s request.Footnote 34 This includes continuously providing the data without undue delay, free of charge, and in real-time.Footnote 35 The data holder must make customer data available to a data user based on the customer’s permission.Footnote 36 Compensation may be claimed by the data holder from a data user only under specific conditions, such as compliance with financial data sharing scheme rules or other specified circumstances.Footnote 37 Additionally, when making data available, the data holder must ensure the use of recognised standards,Footnote 38 communicate securely with the data user,Footnote 39 verify customer permissions,Footnote 40 provide a permission dashboard to the customer,Footnote 41 and respect confidentiality and intellectual property rights.Footnote 42 The FIDA proposal outlines further obligations on data users. Data users can access customer data if they are authorised as a financial institution or financial information service provider by a competent authority.Footnote 43 Data users can only access customer data for the specified purposes and conditions granted by the customer, and they must delete it when no longer necessary.Footnote 44 Further to that, the FIDA proposal grants customers the right to withdraw their permission, especially in contractual obligations.Footnote 45

Another duty is that data users must process customer data only for the explicitly requested service,Footnote 46 implement security measures,Footnote 47 respect confidentiality and intellectual property rights,Footnote 48 prevent unlawful transfer or access to non-personal customer data,Footnote 49 and refrain from processing customer data for advertising purposes unless allowed by EU and national law.Footnote 50 If data users are part of a group of companies, customer data is limited to the entity acting as the data user within the group.Footnote 51 Further responsible data use is ensured by the data use perimeterFootnote 52 and the Financial Data Access permission dashboards.Footnote 53 The FIDA proposal would thus significantly open data access while protecting the relevant interests of data customers, holders, and users. Customers would have a variety of choices to customise their experience in the dashboard:

‘A permission dashboard shall:

  1. a) provide the customer with an overview of each ongoing permission given to data users, including:

    1. (i) the name of the data user to which access has been granted

    2. (ii) the customer account, financial product or financial service to which access has been granted;

    3. (iii) the purpose of the permission;

    4. (iv) the categories of data being shared;

    5. (v) the period of validity of the permission

  2. b) allow the customer to withdraw a permission given to a data user;

  3. c) allow the customer to re-establish any permission withdrawn;

  4. d) include a record of perm’Footnote 54

To facilitate data sharing, the FIDA proposal would establish financial data sharing schemes. It outlines that within 18 months of the FIDA proposal’s entry into force, data holders and users must become members of one or multiple financial data-sharing schemes.Footnote 55 The proposal also outlines how such schemes should look like, namely it must include members representing a significant market share with fair and equal representation in decision-making processes as well as customer and consumer associations.Footnote 56 Several provisions in Article 10 govern the exact procedural and substantive rules that govern such schemes, including dispute resolution.Footnote 57 The Commission might intervene on the absence of a financial data sharing scheme for specific categories of customer data listed in Article 2(1) of the FIDA proposal.Footnote 58

The FIDA proposal also outlines eligibility requirements for data access and organisation. Article 12 of the proposed FIDA proposal outlines the process for financial information service providers to obtain authorisation to access customer data, requiring them to submit a detailed set of documents and hold professional indemnity insurance. The proposal also covers the granting and potential withdrawal of authorisations, considering compliance, conditions for third-country providers, and the role of competent authorities in overseeing outsourcing arrangements.Footnote 59 To facilitate this, Article 15 outlines the establishment of a central register by the European Banking Authority, containing information on authorised providers, their intentions, and financial data-sharing schemes.Footnote 60 It outlines organisational requirements for financial information service providers, including policies for compliance, continuity, and risk management.Footnote 61 The framework would thus allow for cross-border access to data by financial information service providers.Footnote 62

Finally, the proposed FIDA framework establishes a sophisticated supervision framework. It establishes competent authorities in Member States responsible for ensuring compliance with the Regulation, with the obligation to notify the Commission of these authorities and ensure they possess necessary powers and resources.Footnote 63 Several investigatory powers would be transferred to the competent authorities, including the ability to require information, conduct investigations, and take various measures to address breaches.Footnote 64 Articles 19 and 20 allow for settlement agreements, expedited enforcement procedures, and the imposition of administrative penalties, respectively, with detailed provisions on the types and levels of penalties.Footnote 65 The FIDA proposal would safeguard fundamental rights by granting the right of appeal against decisions of competent authorities.Footnote 66 In addition, while the proposed FIDA framework would foster cooperation and information exchange between competent authorities,Footnote 67 they must ensure data protection.Footnote 68

The proposed FIDA framework would notably harmonise and propel data access within the EU, facilitating the personalisation of current financial products and services and potentially fostering the emergence of new ones. It is poised to emerge as a cornerstone initiative in Open Finance, promoting decentralised control over data rather than centralisation. Some scholars have generally characterised Open Finance as antitrust, arguing that data-centric enterprises leverage their large datasets and tend to monopolise market share.Footnote 69 The FIDA proposal could thus serve as a potential remedy to address such tendencies, offering a path towards greater competition. Another noteworthy aspect of FIDA is its focus on the intersection of tech resilience – connected to DORA – financial regulation, and data protection, which is crucial for ensuring a robust, secure, and compliant financial ecosystem in the EU.

III. Financial Data Access, Data Protection, and Automated Decision-Making

Automated decision-making, utilised by data users, holders, and supervising authorities, is rapidly advancing within the context of European financial law. As generative AI technologies advance, ADM increasingly utilises software to support or replace human decision-making processes, leveraging the abundance of data available in the technology age. This is especially used in European financial law, where the 2008 financial crisis resulted in further data reporting requirements, for instance, to monitor compliance,Footnote 70 mostly in real-time.Footnote 71 This section delves into the intricate relationship between the FIDA proposal, data protection, and automated decision-making, examining its implications and regulatory elements.

The Data Protection Directive of 1995 contained some of the first rules on ADM, prohibiting the use of solely automated decision-making in individual cases without human involvement.Footnote 72 The right to data protection is a fundamental human right protected by Article 8(1) of the European Convention on Human Rights, Article 8(1) of the EU Charter of Fundamental Rights, and Article 16(1) of the Treaty on the Functioning of the European Union.Footnote 73 It is thus no surprise that the GDPR took on the restrictive approach in the Data Protection Directive.Footnote 74 However, the GDPR outlines exceptions in Article 22:

  1. a) ‘is necessary for entering into, or performance of, a contract between the data subject and a data controller;

  2. b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

  3. c) is based on the data subject’s explicit consent.’

Decisions by the EU and national data protection authorities suggest that the prohibition applies to very few circumstances.Footnote 75 Nevertheless, the GDPR duties apply to private and public bodies,Footnote 76 including data holders, users, and supervising authorities under the FIDA proposal.Footnote 77 The Court of Justice also clarified that calculating a credit score constitutes an automated individual decision under Article 22(1) of the GDPR.Footnote 78

Additionally, the GDPR introduced other duties, including an obligation to ensure data protection through the design of technology, so-called privacy by design.Footnote 79 The FIDA proposal requires such a design feature, for instance, in the permission dashboard.Footnote 80 The GDPR sets forth stringent requirements for data processing, including provisions related to automated decision-making and profiling (Aarticle 22). Financial institutions must ensure that their automated decision-making processes comply with the principles of fairness, transparency, and accountability enshrined in the GDPR.Footnote 81 Moreover, individuals have rights under the GDPR to access, rectify, and object to automated decisions that significantly affect them.Footnote 82 The AI Act will further restrict the use of certain ADM mechanisms that deploy “high risk” AI systems.Footnote 83 Profiling AI systems are always considered “high risk,”Footnote 84 and it is thus inevitable that AI systems need a number of safeguards like transparency and audits.Footnote 85

If customers choose to share their data with data holders and users by granting permission in the dashboard, their data will be utilised for personalised products and services. The Commission highlights several use cases, such as personalised investment advice and automated creditworthiness assessments for SMEs.Footnote 86 Financial institutions may deploy ADM to assess the needs and opportunities of customers, leveraging data analytics and machine learning algorithms to gain deeper insights into customer behaviour to personalise marketing, services, and products or identify risks like fraud.Footnote 87 Furthermore, as pointed out in the previous section, the FIDA proposal does not apply to all kind of data but it is limited to an exhaustive list of industries and products.Footnote 88 It also provides customers with a choice on whether and how much data they want to share, including the option to withdraw it.Footnote 89 In any case, data holders and users must ensure that they do not use the data contrary to Article 9(1) of the GDPR, dealing with processing sensitive information like ethnic origin or religious beliefs, which could be deduced from transaction activities, and lead to unwanted consequences like price discrimination.Footnote 90 Customers also have a right to be informed under Articles 13 and 14 of the GDPR and to receive information about the existence ADM under Article 15 of the GDPR, which includes profiling.Footnote 91

The FIDA proposal also requires an automated transmission of data to regulators. Article 15 establishes a central register by the European Banking Authority containing information on authorised providers and their intentions. The provision for establishing such a register implies the need for computerised systems to manage and maintain this information efficiently. Furthermore, Title VI of the FIDA proposal pertains to the supervision and enforcement framework of the FIDA proposal, including the powers of competent authorities to investigate breaches and impose penalties. The investigatory powers granted to competent authorities will most likely involve scrutiny of automated decision-making processes to ensure compliance of data holders and users with the FIDA regulation.Footnote 92 Both maintaining the register and ensuring compliance of supervised entities must align with the GDPR. Regarding the data of natural persons, EU regulators must also ensure they comply with the EDPR.Footnote 93

In summary, the integration of automated decision-making into financial data access marks a substantial advancement in European financial law. While it presents opportunities for efficiency and innovation, it also introduces intricate challenges related to data protection, fairness, and accountability. Regulatory interventions like the FIDA proposal are pivotal in overseeing the implementation of automated systems, safeguarding consumer rights, and industry interests. Looking ahead, it is imperative for policymakers, regulators, and industry stakeholders to collaborate continuously in evolving the framework within the swiftly changing technological terrain.

IV. Policy Considerations

The FIDA proposal ambitiously addresses the intersections of tech resilience, financial regulation, and data protection. While the FIDA proposal offers benefits to customers and financial firms, it also presents several shortcomings. For instance, the European Economic and Social Committee (EESC), the European Commission’s Regulatory Scrutiny Board, and BEUC have already highlighted various contentious points within the FIDA proposal.

The primary and foremost critique directed at the FIDA proposal revolves around its inadequate evidential support and integration of consumer protection theories.Footnote 94 The Commission’s call for evidence garnered minimal engagement, receiving a mere seventy-nine responses.Footnote 95 While the majority of these responses were from citizens (fifty-seven), contributions also stemmed from trade associations (fourteen), businesses (three), consumer organisations (one), unions (one), and other entities (three). Geographically, the bulk of the responses originated from Slovakia (twenty-four), Germany (twenty-two), and Belgium (eight). According to the impact assessment, citizen responses generally conveyed a negative sentiment towards Open Finance and those from businesses exhibited a more positive outlook. The public consultation attracted slightly more feedback with fifty-five citizens and thirty-seven professional responses.Footnote 96 Citizens highlighted their concerns about privacy and data protection. Professionals were more optimistic in the consultation, highlighting the benefits of innovation and competition for customers. The Commission’s cost/benefit analysis is positive, although it is difficult to quantify the estimated impact.Footnote 97

The European Commission’s Regulatory Scrutiny Board also expressed criticism regarding the impact assessment.Footnote 98 They contended that the assessment places excessive reliance on stakeholder feedback, urging for the inclusion of insights from initiatives in different jurisdictions. Additionally, the European Commission’s Regulatory Scrutiny Board highlighted the ambiguity surrounding the existence of customer demand for new financial services and products, emphasising the absence of concrete examples of innovation. The European Commission should thus conduct further research on the potential impact of the FIDA proposal.

Another concern relates to data protection. While data minimisation in accordance with the GDPR appears to be adhered to,Footnote 99 some actors point out that more could be done. BEUC, a consumer organisation, emphasises the importance of including only financially relevant data and excluding profiling activities, as both could lead to a high risk of exclusion.Footnote 100 Furthermore, BEUC suggests that data perimeters should be binding and cover additional areas such as retail banking and insurance products, which also pose a high risk of exclusion.Footnote 101 The European Economic and Social Committee (EESC) also proposes refinements concerning data minimisationFootnote 102 and raises further considerations. Regarding customer data categories, the EESC notes a persistent risk of “misuse and illegitimate interference.”Footnote 103 Consequently, the EESC recommends proper training for staff,Footnote 104 additional bans on the use of personal data within the FIDA proposal,Footnote 105 and ensuring that data holders refrain from restrictive practices concerning the dashboards that provide customers with consent and transparency.Footnote 106 The sentiment regarding dashboards is also emphasised by BEUC, which underscores the importance of ensuring easy accessibility to dashboards.Footnote 107 Moreover, BEUC emphasises that dashboard design and the information presented must comply with data protection and consumer law rules.Footnote 108 The European Commission’s Regulatory Scrutiny Board further highlighted that it is unclear how the FIDA proposal would protect vulnerable customers and ensure customers are not pressured into data sharing.Footnote 109 The intricate nature of utilising ADM AI mechanisms necessitates experience requirements, which the FIDA proposal should mandate for both data holders and users.Footnote 110

In addition to the previous concerns, the European Economic and Social Committee suggests that there might be an imbalance in the regulatory environment between heavily regulated financial institutions and other participants in the market.Footnote 111 This is also debated by BEUC.Footnote 112 On the one hand, BEUC emphasises the potential benefits of the proposal’s introduction of Financial Information Service Providers (FISPs), which could offer tailored and innovative solutions to consumers, enhancing competition and consumer outcomes in Open Finance. One the other hand, BEUC cautions against the risks associated with financial data sharing, particularly the possibility of exploitation by powerful companies. They advocate for clear delineation of the role of FISPs and propose that entities designated as gatekeepers under the Digital Markets Act should be barred from accessing data under Open Finance to mitigate these risks. The impact assessment, and potentially the FIDA proposal, should consider this power imbalance and aim to rectify it.

There are also deficiencies concerning supervision and enforcement within the proposed framework. Specifically, the European Economic and Social Committee emphasises the necessity for the European Banking Authority and the European Insurance and Occupational Pensions Authority to receive a clear mandate for developing guidelines regarding the processing of consumer data. These guidelines would pertain to various financial products and services, including credit level assessment and risk evaluation for consumers, as well as life, health, and sickness insurance products.Footnote 113 Regarding the enforcement of consumer rights, the FIDA proposal would allow individuals to seek compensation when their rights are violated,Footnote 114 and entities found responsible for such violations could face administrative penalties imposed by the Competent Authority.Footnote 115 One criticism highlighted by BEUC is that it should be incorporated into the Annex of the Representative Actions Directive.Footnote 116 The legislators should take these concerns seriously and carefully assess whether to take them on board during the legislative process.

BEUC further emphasises that data users, data holders, consumer organisations, and consumer associations must collaborate to establish data sharing schemes, where the content and governance will be determined by scheme members themselves.Footnote 117 While BEUC appreciates the inclusion of consumer representation, they urge policymakers to ensure a balanced representation, emphasising that consumer presence should not merely serve to legitimise financial data sharing schemes. They thus argue that customer organisations and consumer associations should be granted full voting rights within these schemes. Additionally, the European Commission’s Regulatory Scrutiny Board recommends that the FIDA proposal report provides a clearer description of the intended compensation measures, including the governance model and the methodology for calculating “reasonable compensation.”Footnote 118 Furthermore, it should address how compensation measures will not impede innovative open finance services and how the risk of anticompetitive effects resulting from data reuse will be mitigated.

Another point to consider is the time to implement the measure.Footnote 119 The EESC highlighted that the 18-month period for technical features should be prolonged by another six months.Footnote 120 Industry associations, like the Association of the Luxembourg Fund Industry, equally pointed out that the anticipated timeframe is unrealistic.Footnote 121 The Commission should thus assess whether this timeline is realistic and feasible.

The critique of the FIDA proposal is warranted, particularly due to the absence of evidence or consumer theories in the impact assessment. The FIDA proposal must heed all the outlined concerns as certain aspects necessitate additional refinement for it to succeed, ensuring a delicate balance between innovation and consumer protection, particularly regarding automated decision-making. Overall, the FIDA proposal took some principles proposed by the academic community into account, without directly listing them in the impact assessments.Footnote 122 The concentration of power by digital platforms will potentially be remedied by FIDA, serving as antitrust and strengthening consumer choice. However, as previously mentioned, the European Commission should have initiated a broader public discourse and justified its legislative choices with scientific evidence. It is hoped that the European Commission will employ an evidence-based approach when assessing the ex-post impact of FIDA on the financial industry and consumer protection.Footnote 123

V. Conclusion

This article has scrutinised the intricate landscape surrounding financial data access and automated decision-making in the European Union, focusing on the proposed Financial Data Access Regulation. It has highlighted the critical necessity of regulating financial data access and ADM within the EU’s legal framework, especially in a digital era marked by a rapid influx of financial data. The FIDA proposal signifies a significant stride towards tackling these challenges, aiming to balance innovation with consumer rights and business interests.

As pointed out, a noteworthy aspect of FIDA is its focus on the intersection of tech resilience – connected to DORA – financial regulation, and data protection. A key consideration regarding the FIDA proposal is thus whether it aligns more closely with the trajectory of EU financial law or primarily serves as a specialised form of data protection regulation. It seems that FIDA attempts to satisfy both perspectives without fully committing to either domain. While it is an ambitious endeavour with potential antitrust effects on digital finance platforms, mere transparency in data processing does not automatically lead to enhanced consumer protection.

Moving forward, it is imperative for the European Commission to conduct further research on the potential impacts of the FIDA proposal and to mandate experience requirements for both data holders and users engaging in such ADM systems. Additionally, there is a pressing need to address power imbalances, particularly concerning entities designated as gatekeepers under the Digital Markets Act, to ensure fair access to data under Open Finance. It is essential for legislators to take these concerns into account and integrate them into the legislative process, while also assessing the feasibility of proposed timelines. Ultimately, the FIDA proposal has the potential to fortify the FinTech sector, amplify consumer choice, and foster healthy competition. It could be seen as an antitrust measure, decentralising data access and reducing centralisation, thereby promoting a more balanced financial ecosystem. However, it is crucial to remember that the contents of the FIDA proposal are subject to potential revisions and adjustments throughout the ongoing legislative process.

Acknowledgments

The author would like to thank Herwig C. H. Hofmann, Dirk A. Zetzsche, and two anonymous reviewers. All errors remain my sole responsibility. The author is also extremely grateful for funding support by the NORFACE Joint Research programme on Democratic Governance in Turbulent Ages and co-funded by AEI, AKA, DFG, FNR, and the European Commission through Horizon 2020 under the Grant Agreement No 822166. This research was also funded in part by the Luxembourg National Research Fund (FNR), grant reference NCER22/IS/16570468/NCER-FT.

References

1 See, for example, Ross P. Buckley, Douglas W. Arner, and Dirk A. Zetzsche, FinTech: Finance, Technology and Regulation (Cambridge University Press 2024) Part I; Dirk Zetzsche, Douglas Arner, Ross Buckley, and Rolf H. Weber, “The Evolution and Future of Data-Driven Finance in the EU” (2020) 57(2) Common Market Law Review 331–336.

2 Proposal for a Regulation of 26 June 2023 on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 COM (2023) 360 final (FIDA proposal).

3 See, for example, Božina Beroš, and Marta Gabriella Gimigliano (eds), The Payment Services Directive II: A Commentary (Edward Elgar 2021) ch 1.

4 Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC OJ L 337/35 (PSD2).

5 Proposal for a Directive of 28 June 2023 on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC COM(2023) 366 final (PSD3).

6 Proposal for a Regulation of 28 June 2023 on payment services in the internal market and amending Regulation (EU) No 1093/2010 COM(2023) 367 final (PSR).

7 European Commission, “Digital Finance Strategy for the EU” COM(2020) 591 final Section 4.3.

8 Regulation (EU) No 1093/2010 of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC OJ L 331/12.

9 Regulation (EU) No 1094/2010 of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC OJ L 331/48.

10 Regulation (EU) No 1095/2010 of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC OJ L 331/84.

11 Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 OJ L 333/1. Art 2(1) lists all entities covered by the DORA Regulation; Art 2(3) and (4) provides a number of exceptions. The Regulation deals with ICT risk management (Chapter II), ICT-related incident management, classification and reporting (Chapter III), digital operational resilience testing (Chapter IV), managing of ICT third-party risk (Chapter V), and information-sharing arrangements (Chapter VI). For a detailed analysis, see, eg, Jannik Woxholth and Dirk A. Zetzsche, “DORA on DEFI” (SSRN, 23 June 2024) https://doi.org/10.2139/ssrn.4874057.

12 Art 2 of the FIDA Proposal 2023.

13 Title II of the FIDA Proposal 2023.

14 Title III of the FIDA Proposal 2023.

15 Title V of the FIDA Proposal 2023.

16 Art 67 of PSD2. Buckley, Arner, and Zetzsche (n 1, CUP) 34–35.

17 Title VIII of the FIDA Proposal 2023.

18 European Commission, “Communication on a Digital Finance Strategy for the EU” COM(2020) 591 final.

19 European Commission, “A European Strategy for Data” COM(2020) 66 final.

20 Regulation (EU) 2022/868 of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) OJ L152/1.

21 Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) OJ L265/1.

22 Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) OJ L71/1.

23 European Commission, “Modernising payment services and opening financial services data: new opportunities for consumers and businesses” (European Commission, 28 June 2023) <https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3543> accessed 10 December 2023.

24 Ibid.

25 Section 1 (“Reasons for and objectives of the proposal”) of the FIDA Proposal 2023.

26 Ibid.

27 Ibid.

28 EUR-Lex, “Procedure 2023/0205/COD” (EUR-Lex, 2024) <https://eur-lex.europa.eu/legal-content/EN/HIS/?uri=CELEX:52023PC0360> accessed 10 December 2023.

29 Art 1 and Art 3(2) of the FIDA Proposal 2023.

30 Art 2(1)(a) of the FIDA Proposal 2023.

31 Art 2(1)(e) of the FIDA Proposal 2023.

32 Art 2(2)(a) of the FIDA Proposal 2023.

33 Art 2(2)(e) of the FIDA Proposal 2023. However, limits are provided in Arts 2(3) and (4).

34 Art 4 of the FIDA Proposal 2023.

35 Ibid.

36 Art 5(1) of the FIDA Proposal 2023.

37 Art 5(2) of the FIDA Proposal 2023.

38 Art 5(3)(a) of the FIDA Proposal 2023.

39 Art 5(3)(b) of the FIDA Proposal 2023.

40 Art 5(3)(c) of the FIDA Proposal 2023.

41 Art 5(3)(d) of the FIDA Proposal 2023.

42 Art 5(3)(e) of the FIDA Proposal 2023.

43 Art 6(1) of the FIDA Proposal 2023.

44 Art 6(2) of the FIDA Proposal 2023.

45 Art 6(3) of the FIDA Proposal 2023.

46 Art 6(4)(a) of the FIDA Proposal 2023.

47 Art 6(4)(c)) of the FIDA Proposal 2023.

48 Art 6(4)(b) of the FIDA Proposal 2023.

49 Art 6(4)(d) of the FIDA Proposal 2023.

50 Art 6(4)(e) of the FIDA Proposal 2023.

51 Art 6(4)(f) of the FIDA Proposal 2023.

52 Art 7 of the FIDA Proposal 2023.

53 Art 8 of the FIDA Proposal 2023.

54 Art 8(2) of the FIDA Proposal 2023.

55 Art 9 of the FIDA Proposal 2023.

56 Art 10(1)(a) of the FIDA Proposal 2023.

57 Art 10(1)(j) of the FIDA Proposal 2023.

58 Art 11 of the FIDA Proposal 2023.

59 Art 14 of the FIDA Proposal 2023.

60 Art 15 of the FIDA Proposal 2023.

61 Art 16 of the FIDA Proposal 2023.

62 Art 28 of the FIDA Proposal 2023.

63 Art 17 of the FIDA Proposal 2023.

64 Art 18 of the FIDA Proposal 2023.

65 Additionally, Art 21 introduces periodic penalty payments, Art 22 outlines circumstances considered for penalties, and Art 23 enforces professional secrecy.

66 Art 24 of the FIDA Proposal 2023. All cases would be published on the website of competent authorities, creating a wealth of case law and guidance (Art 25). In cases of disagreements between competent authorities, Art 27 allows referral to the EBA for resolution.

67 Art 26 of the FIDA Proposal 2023.

68 Art 26(5) of the FIDA Proposal 2023.

69 Dirk A. Zetzsche, Douglas W. Arner, and Ross P. Buckley, “Decentralized Finance” (2020) 6(2) Journal of Financial Regulation 197–198. Zetzsche, Birdthistle, Arner, and Buckley outline several policy considerations regarding digital finance platforms in their article “Digital Finance Platforms: Toward a New Regulatory Paradigm” (2020) 23(1) University of Pennsylvania Journal of Business Law 325ff. Their considerations range from a hand-off approach to “test and learn” to a more interventionist approach that digital finance platforms could be viewed as public utilities and regulated accordingly, which were partly taken on board by the European Supervisory Authorities.

70 Buckley, Arner, and Zetzsche (n 1, Cambridge University Press) 44–46, 49–50, 145–146.

71 See, eg, Herwig C.H. Hofmann, Dirk A. Zetzsche, and Felix Pflücke, “The Changing Nature of ‘Regulation by Information’: Towards Real-Time Regulation?” (2023) 28(6) European Law Journal 172.

72 Art 15 of Directive (EC) 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L181. Francesca Palmiotto, “When Is a Decision Automated? A Taxonomy for a Fundamental Rights Analysis” (2024) 25(1) German Law Journal 4. A detailed overview on Article 22 and its exception is provided in Herwig C. H. Hofmann, “Automated Decision-Making (ADM) in EU Public Law” in Hofmann and Pflücke (eds), Governance of Automated Decision-Making and EU Law (Oxford University Press 2024, in print) 28ff.

73 Buckley, Arner, and Zetzsche (n 1, Cambridge University Press) 152–153.

74 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) OJ L119/1.

75 Hofmann in Hofmann and Pflücke (n 72) 28–29. There is also consent and necessity in light of the FIDA proposal (Articles 6(1)(a) and (b) of the GDPR)

76 Liane Huttner, La décision de l’algorithme: Étude de droit privé sur les relations entre l’humain et la machine (Thèse pour l’obtention du titre de Docteur en droit de l’Université Paris 1 Panthéon-Sorbonne, 2022) 31.

77 Recitals 5, 10, 20, 22, 25, 30, 48 and Arts 5, 7(4), 10(1)(i), 12(2) of the FIDA proposal 2023.

78 Case C-634/21 OQ v Land Hessen and SCHUFA Holding AG (as intervener) [2023] para 73. See, eg, Liane Huttner, ‘Décisions automatisées : le réveil d’un géant endormi ?’ (2024) 2 Revue Communication Commerce électronique 7.

79 Art 25 of the GDPR; Buckley, Arner, and Zetzsche (n 1, Cambridge University Press) 154.

80 Title 3 of the FIDA Proposal 2023.

81 Art 5 of the GDPR.

82 22(3) of the GDPR.

83 Proposal for a regulation of 21 April 2021 laying down harmonised rules on artificial intelligence (artificial intelligence act) and amending certain union legislative acts COM(2021) 206 final (AI Act). For a detailed analysis of the final AI Act, see the contribution of Oriol Mir in the present special issue.

84 Art 6(2) and Annex III of the AI Act proposal 2021. Palmiotto (n 72) 13.

85 European Data Protection Supervisor, “Tech Dispatch: Explainable Artificial Intelligence” (EDPS, 2023) <https://www.edps.europa.eu/system/files/2023-11/23-11-16_techdispatch_xai_en.pdf> accessed 20 January 2024. See, eg, Buckley, Arner, and Zetzsche (n 1, Cambridge University Press) chapter 7.

86 Pages 6 and 13 of the preparatory work of the FIDA proposal 23.

88 Title 1 of the FIDA Proposal 2023.

89 Title 3 of the FIDA Proposal 2023.

90 This issue has been discussed in light of PSD2, see European Data Protection Board, “Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR: Version 2.0” (EDPB 15 December 2020) section 5.1; Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP251rev.01, 15. See also Recital 18 of the FIDA proposal 2023.

91 Ibid (EDPB) section 6.5; Ibid (WPG) 16-17.

92 For an overview on datafication of finance in the EU, especially data-driven reporting and supervision, Zetzsche, Arner, Buckley, and Weber (n 1, CMLR) 338–339, 356–357.

93 Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC OJ L295/39 (EDPR).

94 See the impact assessment report: European Commission, “Impact Assessment Report Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554” SWD(2023) 224 final.

95 Ibid Annex 2(2).

96 Ibid Annex 2(3).

97 Ibid Annex 3.

98 European Commission Regulatory Scrutiny Board, “Open Finance Framework: Opinion” SEC(2023) 255 11220/23 ADD3.

99 See the previous section of this paper.

100 BEUC, “Access to Consumers’ Financial Data: BEUC position paper on the proposed Financial Data Access Regulation” (BEUC, 31 October 2023) BEUC-X-2023-137, Scope. Potential risks of data control in intragroup dependencies were also highlighted in the joint report by the European Supervisory Authorities and the European Securities and Markets Authority, “Joint-ESA Report on 2023 stocktaking of BigTech direct financial services provision in the EU” (ESA and ESMA, 1 February 2024) <https://www.esma.europa.eu/sites/default/files/2024-02/JC_2024_02_Joint_ESAs_Report_on_2023_stocktaking_of_BigTech_direct_financial_services_provision.pdf> accessed 17 June 2024, 11ff.

101 BEUC (n 100) Data paramenters

102 Opinion of the European Economic and Social Committee on (a) Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (COM(2023) 360 final – 2023/0205 (COD)) (b) Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC (COM(2023) 366 final – 2023/0209 (COD)) and (c) Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 (COM(2023) 367 final – 2023/0210 (COD)), OJ C/2024/1594 (hereafter EESC Opinion) para 3.3.5.

103 EESC Opinion (n 102) para 3.3.6.

104 EESC Opinion (n 102) para 3.3.5.

105 EESC Opinion (n 102) para 3.3.8.

106 EESC Opinion (n 102) paras 3.3.10 and 3.3.11.

107 BEUC (n 100) Permission Dashboard and Alignment with EU Data Protection & Consumer Law.

108 Ibid.

109 European Commission Regulatory Scrutiny Board Opinion (n 98) paras (B) 2 and (C) 3.

110 For a general argument in favour of experience requirements regarding AI in financial law, see Buckley, Arner, and Zetzsche (n 1) 104–105.

111 EESC Opinion (n) para 3.3.6.

112 BEUC (n 100) Data Users.

113 EESC Opinion (n 102) para 3.3.7

114 Recital 30 of the FIDA Proposal 2023.

115 Arts 20–22 of the FIDA Proposal 2023.

116 BEUC (n 100) Enforcement

117 BEUC (n 100) Financial Data Sharing Schemes.

118 European Commission Regulatory Scrutiny Board Opinion (n 98) para (C) 4.

119 Art 36 of the FIDA Proposal 2023.

120 EESC Opinion (n 102) para 3.3.12.

121 Association of the Luxembourg Fund Industry, “ALFI’s response to the EU Commission’s ‘have your say’ on the proposal for a regulation on a framework for Financial Data Access” (Association of the Luxembourg Fund Industry, 27 October 2024) <https://www.alfi.lu/getmedia/403b7ced-4416-49fb-a910-912b15f7c44f/2023-10-27-alfi-response-to-ec-have-your-say-on-fida.pdf> Section VI.

122 See, eg, Zetzsche, Birdthistle, Arner, and Buckley (n 69). Most of the authors of the previous article proposed in 2018 that data delivery should be a regulated activity, noting that only some countries had implemented such regulations: Dirk A. Zetzsche, Ross P. Buckley, Douglas W. Arner, and Janos N. Barberis “From Fintech to Techfin: The Regulatory Challenges of Data-Driven Finance” (2018) New York University Journal of Law and Business https://doi.org/10.2139/ssrn.2959925 26ff.

123 For an examination of the rules and status quo of evidence-based regulation in EU law, see, eg, Felix Pflücke, Compliance with European Consumer Law (Oxford University Press 2024) ch 2.