Understanding the FiDA Regulation and its impact on businesses

30 June 2025

As banks, insurance companies, and FinTechs adapt to an increasingly data-driven economy, a key challenge remains: how to ensure fair and secure access to this data while protecting consumer rights.

Against this backdrop, the European Commission proposed on 28 June 2023 to modernise access to financial data across the European Union. The draft Financial Data Access (FiDA) Regulation draws on EU Directive 2015/2366 on payment services, more commonly known as PSD2, and the principles of open finance. It aims to strengthen financial data sharing while giving consumers greater control over their information.

What is the FiDA Regulation? What are its objectives? How does it affect financial data sharing? This article explores the opportunities created by FiDA and the challenges it presents for data-holding organisations.

Background and objectives of the FiDA Regulation

As the volume of available data continues to grow and its role in the economy expands, the European Union is seeking to establish a framework that facilitates access to financial data and governs how it can be shared and used. Building on PSD2, FiDA aims to remove the long-standing structural barriers that hinder data sharing.

As Xavier Lefèvre, our Sales Director, explains: “With this new regulation, the European legislator is clearly seeking to break down personal data silos, making them accessible to all stakeholders regardless of the data holder. This philosophy, already reflected in the title of the GDPR (General Data Protection Regulation) and in the free movement of such data, is now being extended through legislation such as FiDA, which complements PSD2. FiDA aims to facilitate data sharing both between organisations within the same sector and across sectors, in line with the European data strategy.”

By addressing these challenges, FiDA serves not only as a regulatory instrument but also as a foundation for fostering innovation. FiDA aims to give consumers greater control over their data and enable businesses to develop innovative financial products and services tailored to users’ needs across the European market.

Implementation timeline for the FiDA Regulation

The FiDA Regulation is currently under discussion between the Council and the European Parliament and is expected to be adopted soon.

It will then be formally published, triggering a 24-month transition period. If negotiations proceed as expected, FiDA will apply from early 2027.

How the new FiDA Regulation works

In its initial version, FiDA governs how financial data is shared between two key groups:

  • Data holders: banks, insurers or other entities that collect and store customer data (transactions, savings and similar information). Under FiDA, these entities may share this data only when customers explicitly request it.
  • Data users: FinTechs or other companies that use this information to offer personalised financial services, such as budgeting tools or credit offers.

Customer consent lies at the heart of the framework and can be withdrawn at any time. Data holders are required to:

  • Share data in real time and securely, in line with granted permissions.
  • Provide a dashboard allowing customers to view and manage these permissions.

To protect consumers, data users must be authorised and supervised by a competent authority. They must register as financial information service providers (FISPs) to access customer data. Data holders may also require proportionate financial compensation in return for providing this access.

FiDA therefore introduces significant technical and operational changes that firms across the financial sector must prepare for.

“Data sharing in the financial sector faces three major challenges,” explains Xavier Lefèvre. “The first is technical: legacy IT systems are often siloed and were not designed for interoperability, making secure data sharing more complex. The second is security-related, ensuring that data users are genuinely who they claim to be, while building a trusted ecosystem around sensitive data. Finally, personal data adds a third layer of complexity. It involves a third party, the data subject, who must provide informed and transparent consent, adding regulatory and operational constraints to the data-sharing process.”

Which entities fall within the scope of the FiDA Regulation?

Although changes are expected before the Regulation is formally adopted, the preliminary version of FiDA already identifies the main categories of entities affected across the financial sector and related services.

  • Banking and monetary institutions:
    1. Credit institutions
    2. Payment institutions, including account information service providers and those exempted under PSD2 (Directive 2015/2366)
    3. Electronic money institutions, including those exempted under Directive 2009/110/EC
  • Financial market participants:
    1. Investment firms
    2. Alternative investment fund managers
    3. Management companies for undertakings for collective investment in transferable securities (UCITS)
  • Insurance and pensions sector:
    1. Insurance and reinsurance undertakings
    2. Insurance intermediaries, including ancillary intermediaries
    3. Occupational pension institutions
    4. Providers of Pan-European Personal Pension Products (PEPPs)
  • Specialised service providers:
    1. Crypto-asset service providers
    2. Asset-referenced token issuers
    3. Credit rating agencies
    4. Crowdfunding service providers
    5. Account information service providers (AISPs)

Which types of data are subject to the FiDA Regulation?

Article 2 of the FiDA Regulation outlines the scope of the data covered, which includes a wide range of information such as financial transactions, savings products, loans and investments.

  • Credit, loans and accounts: Data relating to mortgage credit agreements, personal loans and bank accounts (excluding payment accounts as defined under PSD2). This includes information on contractual terms, balances and transactions.
  • Savings and investments: Data relating to savings products, financial instruments, insurance-based investment products, crypto-assets, real estate assets and the economic benefits derived from these assets.
  • Pension rights: Data relating to occupational pension schemes and PEPPs.
  • Non-life insurance products: Information excluding health insurance products, but including data collected to assess customer needs.

Even before its formal adoption, FiDA already sets out significant changes that affected companies must begin preparing for in order to meet its future requirements.

What happens in the event of non-compliance?

Under FiDA, national authorities will be responsible for compliance supervision, with exact arrangements to be specified later.

Although the amounts and duration of sanctions have not yet been finalised, the draft regulation provides an indication of the consequences of non-compliance.

Financial penalties and periodic penalty payments

In cases of non-compliance with FiDA, financial penalties may be imposed. For companies, fines may reach €50,000 per infringement, capped at €500,000 per year.

Alternatively, a fine of up to 2% of total annual turnover may be imposed if this amount is higher. For private individuals, fines may reach up to €25,000 per infringement, with an annual cap of €250,000.

In addition to these fines, periodic penalty payments may be imposed to encourage prompt adoption and full compliance. These may reach up to 3% of average daily turnover for companies and up to €30,000 per day for individuals.

Suspension or withdrawal of authorisation

FiDA also establishes strict measures for serious or repeated violations, including the suspension or withdrawal of authorisation for non-compliant entities.

  • Temporary suspension of authorisation: Competent authorities may temporarily suspend a financial information service provider’s authorisation. This prevents the entity from carrying out any activity related to sharing or accessing financial data during the suspension period.
  • Temporary ban for directors: Where a serious infringement is established, members of the management body or any other individual found responsible for non-compliance may be banned from holding management positions in any financial information service provider.
  • Long-term ban for repeated infringements: In cases of repeated non-compliance, tougher sanctions may be imposed. Directors or other responsible individuals may be banned from holding management positions for at least ten years.

A proportionate supervision mechanism

While FiDA establishes a robust sanctions framework, it also introduces mechanisms to ensure that sanctions are applied in a fair and proportionate way.

When an infringement is identified, competent authorities must consider several factors before imposing sanctions. These include the nature, severity and duration of the infringement, as well as any corrective measures implemented by the company in question.

In addition, sanctioned companies have a right to challenge enforcement decisions. The Regulation guarantees a right of appeal before the European Commission or a competent judicial or administrative authority, providing an opportunity to review the facts or correct potential errors.

How can banking and financial institutions comply with FiDA?

The introduction of FiDA means that banking and financial institutions will need to adapt their practices to meet new obligations relating to sharing and using financial data.

Below are the key steps organisations should consider when preparing for FiDA.

Implement compliant technical infrastructure

Companies must update their business applications to ensure FiDA-compliant application programming interfaces (APIs). These APIs must guarantee interoperability, transparency and security in data sharing.

The objective is to enable smooth, controlled access to customer data for authorised users while avoiding discrimination in data sharing.

Provide access to permission dashboards

FiDA requires data holders to make dashboards available to customers. These tools must allow users to manage their data-access permissions, revoke authorisations and monitor how their information is shared.

Protect customer rights and ensure transparency

Entities subject to FiDA must review their policies and procedures to ensure full compliance with customer rights under the Regulation.

This includes enabling customers to withdraw consent at any time, limiting data use to the specified purposes and ensuring full transparency regarding data processing.

Establish monitoring and compliance mechanisms

Companies will need to put in place internal control systems to monitor compliance, identify issues quickly and address them effectively. This also involves designating individuals responsible for overseeing the integration of the new FiDA requirements.
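The preparation steps above (controlled API access, permission dashboards, revocable and purpose-limited consent, monitoring) can be made concrete in code. The following Python sketch is an added example, not code from the draft Regulation, LuxTrust or Fair&Smart: it models a data holder's consent registry that grants, revokes and checks purpose-limited permissions for registered FISPs, and logs every decision as a time-stamped, HMAC-signed evidence record so that later edits to the log are detectable. All class and method names, the FISP register ids and the sample values are constructed for illustration.

```python
import hashlib, hmac, json, time
from dataclasses import dataclass

@dataclass
class Permission:
    customer: str
    fisp: str            # data user, identified by a (hypothetical) FISP register id
    scopes: frozenset    # data categories the customer agreed to share
    purpose: str         # purpose the customer consented to
    expires_at: float
    revoked: bool = False

class ConsentRegistry:
    def __init__(self, evidence_key: bytes, registered_fisps: set):
        self._key = evidence_key          # key used to sign evidence records
        self._fisps = registered_fisps    # FISPs authorised by a competent authority
        self._perms = {}
        self.evidence = []                # signed, time-stamped decision log

    def grant(self, pid, customer, fisp, scopes, purpose, ttl_s, now=None):
        now = time.time() if now is None else now
        self._perms[pid] = Permission(customer, fisp, frozenset(scopes), purpose, now + ttl_s)
        self._record("grant", pid, fisp, None, True, now)

    def revoke(self, pid, now=None):
        # Withdrawal from the customer dashboard takes effect immediately
        now = time.time() if now is None else now
        self._perms[pid].revoked = True
        self._record("revoke", pid, self._perms[pid].fisp, None, True, now)

    def authorize(self, pid, fisp, scope, purpose, now=None):
        # Every condition must hold: live permission, registered FISP, scope and purpose match
        now = time.time() if now is None else now
        p = self._perms.get(pid)
        ok = (p is not None and not p.revoked and now < p.expires_at
              and fisp == p.fisp and fisp in self._fisps
              and scope in p.scopes and purpose == p.purpose)
        self._record("access", pid, fisp, scope, ok, now)
        return ok

    def _record(self, event, pid, fisp, scope, granted, ts):
        body = {"event": event, "permission": pid, "fisp": fisp,
                "scope": scope, "granted": granted, "ts": ts}
        self.evidence.append({"body": body, "sig": self._sign(body)})

    def _sign(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def verify_evidence(self):
        return all(hmac.compare_digest(e["sig"], self._sign(e["body"])) for e in self.evidence)
```

An auditor holding the evidence key can re-run `verify_evidence()` to confirm that no logged grant, revocation or access decision has been altered after the fact.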

 

Get ready for FiDA with Fair&Smart: streamlined consent management

With the entry into force of the FiDA Regulation, banking and financial institutions will need to adapt to strict requirements for managing financial data and consumer consent. Meeting these obligations requires the implementation of robust solutions capable of addressing both technical and operational challenges, while achieving the required level of compliance.

As a qualified eIDAS trust services provider, LuxTrust supports organisations in their compliance efforts with technical solutions tailored to their industry’s specific requirements.

Fair&Smart’s Right Consents platform collects, manages and updates user consent and preferences in real time. Fully compliant with both the GDPR and FiDA’s specific requirements, it provides a centralised and intuitive approach that strengthens transparency and builds user trust.

Our solution goes beyond simple consent collection, covering other types of authorisations, such as accepting terms and conditions of use or service. The platform generates time-stamped and signed evidence records with a high evidential value, providing solid guarantees for audits or regulatory inspections.

Unlike traditional approaches that rely on editable data entries, Fair&Smart provides robust, immutable evidence that meets regulatory authority requirements.

Contact our experts today to help you implement the FiDA Regulation. Optimise your customer data management and turn regulatory obligations into opportunities for your financial services.

Contact our experts today to learn more about our personal data management solutions.