Legal provisions of COM(2023)360 - Framework for Financial Data Access

dossier COM(2023)360 - Framework for Financial Data Access.
document COM(2023)360
date June 28, 2023


TITLE I
Subject Matter, Scope, and Definitions

Article 1
Subject matter

This Regulation establishes rules on the access, sharing and use of certain categories of customer data in financial services.

This Regulation also establishes rules concerning the authorisation and operation of financial information service providers.

Article 2
Scope

1. This Regulation applies to the following categories of customer data on:

(a) mortgage credit agreements, loans and accounts, except payment accounts as defined in the Payment Services Directive (EU) 2015/2366, including data on balance, conditions and transactions;

(b) savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets; including data collected for the purposes of carrying out an assessment of suitability and appropriateness in accordance with Article 25 of Directive 2014/65/EU of the European Parliament and of the Council;

(c) pension rights in occupational pension schemes, in accordance with Directive 2009/138/EC and Directive (EU) 2016/2341 of the European Parliament and of the Council;

(d) pension rights on the provision of pan-European personal pension products, in accordance with Regulation (EU) 2019/1238;

(e) non-life insurance products in accordance with Directive 2009/138/EC, with the exception of sickness and health insurance products; including data collected for the purposes of a demands and needs assessment in accordance with Article 20 of Directive (EU) 2016/97 of the European Parliament and Council, and data collected for the purposes of an appropriateness and suitability assessment in accordance with Article 30 of Directive (EU) 2016/97.

(f) data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.

2. This Regulation applies to the following entities when acting as data holders or data users:

(a) credit institutions;

(b) payment institutions, including account information service providers and payment institutions exempted pursuant to Directive (EU) 2015/2366;

(c) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC of the European Parliament and of the Council;

(d) investment firms;

(e) crypto-asset service providers;

(f) issuers of asset-referenced tokens;

(g) managers of alternative investment funds;

(h) management companies of undertakings for collective investment in transferable securities;

(i) insurance and reinsurance undertakings;

(j) insurance intermediaries and ancillary insurance intermediaries;

(k) institutions for occupational retirement provision;

(l) credit rating agencies;

(m) crowdfunding service providers;

(n) PEPP providers;

(o) financial information service providers.

3. This Regulation shall not apply to the entities referred to in Article 2(3), points (a) to (e), of Regulation (EU) 2022/2554.

4. This Regulation does not affect the application of other Union legal acts regarding access to and sharing of customer data referred to in paragraph 1, unless specifically provided for in this Regulation.

Article 3
Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘consumer’ means a natural person who is acting for purposes other than his or her trade, business or profession;

(2) ‘customer’ means a natural or a legal person who makes use of financial products and services;

(3) ‘customer data’ means personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business with customers which covers both data provided by a customer and data generated as a result of customer interaction with the financial institution;

(4) ‘competent authority’ means the authority designated by each Member State in accordance with Article 17 and for financial institutions it means any of the competent authorities listed in Article 46 of Regulation (EU) 2022/2554;

(5) ‘data holder’ means a financial institution other than an account information service provider that collects, stores and otherwise processes the data listed in Article 2(1);

(6) ‘data user’ means any of the entities listed in Article 2(2) who, following the permission of a customer, has lawful access to customer data listed in Article 2(1);

(7) ‘financial information service provider’ means a data user that is authorised under Article 14 to access the customer data listed in Article 2(1) for the provision of financial information services;

(8) ‘financial institution’ means the entities listed in Article 2(2) points (a) to (n), who are either data holders, data users or both for the purposes of this Regulation.

(9) ‘investment account’ means any register managed by an investment firm, credit institution or an insurance broker about the current holdings in financial instruments or insurance-based investment products of their client, including past transactions and other data points relating to lifecycle events of that instrument;

(10) ‘non-personal data’ means data other than personal data as defined in Article 4(1) of Regulation (EU) 2016/679;

(11) ‘personal data’ means personal data as defined in Article 4(1) of Regulation 2016/679;

(12) ‘credit institution’ means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council;

(13) ‘investment firm’ means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU;

(14) ‘crypto asset service provider’ means a crypto asset service provider as referred to in Article 3(1), point (15) of Regulation (EU) 2023/1114 of the European Parliament and of the Council;

(15) ‘issuer of asset referenced tokens’ means an issuer of asset referenced tokens authorised under Article 21 of Regulation (EU) 2023/1114;

(16) ‘payment institution’ means a payment institution as defined in Article 4(4), of Directive (EU) 2015/2366;

(17) ‘account information service provider’ means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;

(18) ‘electronic money institution’ means an electronic money institution as defined in Article 2(1), of Directive 2009/110/EC;

(19) ‘electronic money institution exempted pursuant to Directive 2009/110/EC’ means an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC;

(20) ‘manager of alternative investment funds’ means a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU of the European Parliament and of the Council;

(21) ‘management company of undertakings for collective investment in transferable securities’ means a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC of the European Parliament and of the Council;

(22) ‘insurance undertaking’ means an insurance undertaking as defined in Article 13(1) of Directive 2009/138/EC;

(23) ‘reinsurance undertaking’ means a reinsurance undertaking as defined in Article 13(4) of Directive 2009/138/EC;

(24) ‘insurance intermediary’ means an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council;

(25) ‘ancillary insurance intermediary’ means an ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97;

(26) ‘institution for occupational retirement provision’ means an institution for occupational retirement provision as defined in Article 6(1), of Directive (EU) 2016/2341;

(27) ‘credit rating agency’ means a credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009 of the European Parliament and of the Council;

(28) ‘PEPP provider’ means a PEPP provider as defined in Article 2, point (15) of Regulation (EU) 2019/1238 of the European Parliament and of the Council;

(29) ‘legal representative’ means a natural person domiciled in the Union or a legal person with its registered office in the Union, and which, expressly designated by a financial information service provider established in a third country, acts on behalf of such financial information service provider vis-à-vis the authorities, clients, bodies and counterparties to the financial information service provider in the Union with regard to the financial information service provider’s obligations under this Regulation;

TITLE II
Data Access

Article 4
Obligation to make available data to the customer

The data holder shall, upon request from a customer submitted by electronic means, make the data listed in Article 2(1) available to the customer without undue delay, free of charge, continuously and in real-time.

Article 5
Obligations on a data holder to make customer data available to a data user

1. The data holder shall, upon request from a customer submitted by electronic means, make available to a data user the customer data listed in Article 2(1) for the purposes for which the customer has granted permission to the data user. The customer data shall be made available to the data user without undue delay, continuously and in real-time.

2. A data holder may claim compensation from a data user for making customer data available pursuant to paragraph 1 only if the customer data is made available to a data user in accordance with the rules and modalities of a financial data sharing scheme, as provided in Articles 9 and 10, or if it is made available pursuant to Article 11.

3. When making data available pursuant to paragraph 1, the data holder shall:

(a) make customer data available to the data user in a format based on generally recognised standards and at least in the same quality available to the data holder;

(b) communicate securely with the data user by ensuring an appropriate level of security for the processing and transmission of customer data;

(c) request data users to demonstrate that they have obtained the permission of the customer to access the customer data held by the data holder;

(d) provide the customer with a permission dashboard to monitor and manage permissions in accordance with Article 8.

(e) respect the confidentiality of trade secrets and intellectual property rights when customer data is accessed in accordance with Article 5(1).

Article 6
Obligations on a data user receiving customer data

1. A data user shall only be eligible to access customer data pursuant to Article 5(1) if that data user is subject to prior authorisation by a competent authority as a financial institution or is a financial information service provider pursuant to Article 14.

2. A data user shall only access customer data made available under Article 5(1) for the purposes and under the conditions for which the customer has granted its permission. A data user shall delete customer data when it is no longer necessary for the purposes for which the permission has been granted by a customer.

3. A customer may withdraw the permission it has granted to a data user. When processing is necessary for the performance of a contract, a customer may withdraw the permission it has granted to make customer data available to a data user according to the contractual obligations to which it is subject.

4. To ensure the effective management of customer data, a data user shall:

(a) not process any customer data for purposes other than for performing the service explicitly requested by the customer;

(b) respect the confidentiality of trade secrets and intellectual property rights when customer data is accessed in accordance with Article 5(1);

(c) put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal customer data that is unlawful under Union law or the national law of a Member State;

(d) take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal customer data;

(e) not process customer data for advertising purposes, except for direct marketing in accordance with Union and national law;

(f) where the data user is part of a group of companies, customer data listed in Article 2(1) shall only be accessed and processed by the entity of the group that acts as a data user.

TITLE III
Responsible Data Use and permission dashboards

Article 7
Data use perimeter

1. The processing of customer data referred to in Article 2(1) of this Regulation that constitutes personal data shall be limited to what is necessary in relation to the purposes for which they are processed.

2. In accordance with Article 16 of Regulation (EU) No 1093/2010, the European Banking Authority (EBA) shall develop guidelines on the implementation of paragraph 1 of this Article for products and services related to the credit score of the consumer.

3. In accordance with Article 16 of Regulation (EU) No 1094/2010, the European Insurance and Occupational Pensions Authority (EIOPA) shall develop guidelines on the implementation of paragraph 1 of this Article for products and services related to risk assessment and pricing of a consumer in the case of life, health and sickness insurance products.

4. When preparing the guidelines referred to in paragraphs 2 and 3 of this Article, EIOPA and EBA shall closely cooperate with the European Data Protection Board established by Regulation (EU) 2016/679.

Article 8
Financial Data Access permission dashboards

1. A data holder shall provide the customer with a permission dashboard to monitor and manage the permissions a customer has provided to data users.

2. A permission dashboard shall:

(a) provide the customer with an overview of each ongoing permission given to data users, including:

(i) the name of the data user to which access has been granted;

(ii) the customer account, financial product or financial service to which access has been granted;

(iii) the purpose of the permission;

(iv) the categories of data being shared;

(v) the period of validity of the permission;

(b) allow the customer to withdraw a permission given to a data user;

(c) allow the customer to re-establish any permission withdrawn;

(d) include a record of permissions that have been withdrawn or have expired for a duration of two years.

3. The data holder shall ensure that the permission dashboard is easy to find in its user interface and that information displayed on the dashboard is clear, accurate and easily understandable for the customer.

4. The data holder and the data user for which permission has been granted by a customer shall cooperate to make information available to the customer via the dashboard in real-time. To fulfil the obligations in paragraph 2 points (a), (b), (c) and (d) of this Article:

(a) The data holder shall inform the data user of changes made to a permission concerning that data user made by a customer via the dashboard.

(b) A data user shall inform the data holder of a new permission granted by a customer regarding customer data held by that data holder, including:

(i) the purpose of the permission granted by the customer;

(ii) the period of validity of the permission;

(iii) the categories of data concerned.

TITLE IV
Financial Data Sharing Schemes

Article 9
Financial data sharing scheme membership

1. Within 18 months from the entry into force of this Regulation, data holders and data users shall become members of a financial data sharing scheme governing access to the customer data in compliance with Article 10.

2. Data holders and data users may become members of more than one financial data sharing scheme.

Any sharing of data shall be made in accordance with the rules and modalities of a financial data sharing scheme of which both the data user and the data holder are members.

Article 10
Financial data sharing scheme governance and content

1. A financial data sharing scheme shall include the following elements:

(a) the members of a financial data sharing scheme shall include:

(i) data holders and data users representing a significant proportion of the market of the product or service concerned, with each side having fair and equal representation in the internal decision-making processes of the scheme as well as equal weight in any voting procedures; where a member is both a data holder and data user, its membership shall be counted equally towards both sides;

(ii) customer organisations and consumer associations.

(b) the rules applicable to the financial data sharing scheme members shall apply equally to all the members and there shall be no unjustified favourable or differentiated treatment between members;

(c) the membership rules of a financial data sharing scheme shall ensure that the scheme is open to participation by any data holder and data user based on objective criteria and that all members shall be treated in a fair and equal manner;

(d) a financial data sharing scheme shall not impose any controls or additional conditions for the sharing of data other than those provided in this Regulation or under other applicable Union law;

(e) a financial data sharing scheme shall include a mechanism through which its rules can be amended, following an impact analysis and the agreement of the majority of each community of data holders and data users respectively;

(f) a financial data sharing scheme shall include rules on transparency and where necessary, reporting to its members;

(g) a financial data sharing scheme shall include the common standards for the data and the technical interfaces to allow customers to request data sharing in accordance with Article 5(1). The common standards for the data and technical interfaces that scheme members agree to use may be developed by scheme members or by other parties or bodies;

(h) a financial data sharing scheme shall establish a model to determine the maximum compensation that a data holder is entitled to charge for making data available through an appropriate technical interface for data sharing with data users in line with the common standards developed under point (g). The model shall be based on the following principles:

(i) it should be limited to reasonable compensation directly related to making the data available to the data user and which is attributable to the request;

(ii) it should be based on an objective, transparent and non-discriminatory methodology agreed by the scheme members;

(iii) it should be based on comprehensive market data collected from data users and data holders on each of the cost elements to be considered, clearly identified in line with the model;

(iv) it should be periodically reviewed and monitored to take account of technological progress;

(v) it should be devised to gear compensation towards the lowest levels prevalent on the market; and

(vi) it should be limited to the requests for customer data under Article 2(1) or proportionate to the related datasets in the scope of that Article in the case of combined data requests.

Where the data user is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC of 6 May 2003, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request.

(i) a financial data sharing scheme shall determine the contractual liability of its members, including in case the data is inaccurate, or of inadequate quality, or data security is compromised or the data are misused. In case of personal data, the liability provisions of the financial data sharing scheme shall be in accordance with the provisions in Regulation (EU) 2016/679;

(j) a financial data sharing scheme shall provide for an independent, impartial, transparent and effective dispute resolution system to resolve disputes among scheme members and membership issues, in accordance with the quality requirements laid down by Directive 2013/11/EU of the European Parliament and of the Council.

2. Membership in financial data sharing schemes shall remain open to new members on the same terms and conditions as those for existing members at any time.

3. A data holder shall communicate to the competent authority of the Member State of its establishment the financial data sharing schemes it is part of, within one month of joining a scheme.

4. A financial data sharing scheme set up in accordance with this Article shall be notified to the competent authority of establishment of the three most significant data holders which are members of that scheme at the time of establishment of the scheme. Where the three most significant data holders are established in different Member States, or where there is more than one competent authority in the Member State of establishment of the three most significant data holders, the scheme shall be notified to all of these authorities which shall agree among themselves which authority shall carry out the assessment referred to in paragraph 6.

5. The notification in accordance with paragraph 4 shall take place within 1 month of setting up the financial data sharing scheme and shall include its governance modalities and characteristics in accordance with paragraph 1.

6. Within 1 month of receipt of the notification pursuant to paragraph 4, the competent authority shall assess whether the financial data sharing scheme’s governance modalities and characteristics are in compliance with paragraph 1. When assessing the compliance of the financial data sharing scheme with paragraph 1, the competent authority may consult other competent authorities.

Upon completion of its assessment, the competent authority shall inform EBA of a notified financial data sharing scheme that satisfies the provisions of paragraph 1. A scheme notified to EBA in accordance with this paragraph shall be recognised in all the Member States for the purpose of accessing data pursuant to Article 5(1) and shall not require further notification in any other Member State.


Article 11
Empowerment for Delegated Act in the event of absence of a financial data sharing scheme

In the event that a financial data sharing scheme is not developed for one or more categories of customer data listed in Article 2(1) and there is no realistic prospect of such a scheme being set up within a reasonable amount of time, the Commission is empowered to adopt a delegated act in accordance with Article 30 to supplement this Regulation by specifying the following modalities under which a data holder shall make available customer data pursuant to Article 5(1) for that category of data:

(a) common standards for the data and, where appropriate, the technical interfaces to allow customers to request data sharing under Article 5(1);

(b) a model to determine the maximum compensation that a data holder is entitled to charge for making data available;

(c) the liability of the entities involved in making the customer data available.


TITLE V
Eligibility for Data Access and Organisation

Article 12
Application for authorisation of financial information service providers

1. A financial information service provider shall be eligible to access customer data under Article 5(1) if it is authorised by the competent authority of a Member State.

2. A financial information service provider shall submit an application for authorisation to the competent authority of the Member State of establishment of its registered office, together with the following:

(a) a programme of operations setting out in particular the type of access to data envisaged;

(b) a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

(c) a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, as well as arrangements for the use of ICT services in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;

(d) a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations laid down in Chapter III of Regulation (EU) 2022/2554;

(e) a description of business continuity arrangements including a clear identification of the critical operations, effective ICT business continuity policy and plans and ICT response and recovery plans, and a procedure to regularly test and review the adequacy and efficiency of such plans in accordance with Regulation (EU) 2022/2554;

(f) a security policy document, including a detailed risk assessment in relation to its operations and a description of security control and mitigation measures taken to adequately protect its customers against the risks identified, including fraud;

(g) a description of the applicant’s structural organisation, as well as a description of outsourcing arrangements;

(h) the identity of directors and persons responsible for the management of the applicant and, where relevant, persons responsible for the management of the data access activities of the applicant, as well as evidence that they are of good repute and possess appropriate knowledge and experience to access data as determined in this Regulation;

(i) the applicant’s legal status and articles of association;

(j) the address of the applicant’s head office;

(k) where applicable, the written agreement between the financial information service provider and the legal representative evidencing the appointment, the extent of liability and the tasks to be carried out by the legal representative in accordance with Article 13.

For the purposes of the first subparagraph, points (c), (d) and (g) the applicant shall provide a description of its audit arrangements and the organizational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its customers and to ensure continuity and reliability in the performance of its activities.

The security control and mitigation measures referred to in the first subparagraph, point (f), shall indicate how the applicant will ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations.

3. Financial information service providers shall hold a professional indemnity insurance covering the territories in which they access data, or some other comparable guarantee, and shall ensure the following:

(a) an ability to cover their liability resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of data;

(b) an ability to cover the value of any excess, threshold or deductible from the insurance or comparable guarantee;

(c) monitoring of the coverage of the insurance or comparable guarantee on an ongoing basis.

As an alternative to holding a professional indemnity insurance or other comparable guarantee as required in the first sub-paragraph, the undertaking as referred in the previous subparagraph shall hold initial capital of EUR 50 000, which can be replaced by a professional indemnity insurance or other comparable guarantee after it commences its activity as financial information service provider, without undue delay.

4. EBA in cooperation with ESMA and EIOPA shall, after consulting all relevant stakeholders, develop draft regulatory technical standards specifying:

(a) the information to be provided to the competent authority in the application for the authorisation of financial information service providers, including the requirements laid down in paragraph 1, points (a) to (l);

(b) a common assessment methodology for granting authorisation as a financial information service provider, under this Regulation;

(c) what is a comparable guarantee, as referred in paragraph 2, which should be interchangeable with a professional indemnity insurance;

(d) the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraph 2.

In developing these regulatory technical standards, EBA shall take account of the following:

(a) the risk profile of the undertaking;

(b) whether the undertaking provides other types of services or is engaged in other business;

(c) the size of the activity;

(d) the specific characteristics of comparable guarantees and the criteria for their implementation.

EBA shall submit those draft regulatory technical standards referred to in the first subparagraph to the Commission by [OP please insert the date = 9 months after entry into force of this Regulation].

Power is conferred to the Commission to adopt the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation 1093/2015.

In accordance with Article 10 of Regulation (EU) 1093/2010, EBA shall review and if appropriate, update these regulatory technical standards.

Article 13
Legal representatives

1. Financial information service providers that do not have an establishment in the Union but that require access to financial data in the Union shall designate, in writing, a legal or natural person as their legal representative in one of the Member States from where the financial information service provider intends to access financial data.

2. Financial information service providers shall mandate their legal representatives to be addressed in addition to or instead of the financial information service provider by the competent authorities on all issues necessary for the receipt of, compliance with and enforcement of this Regulation. Financial information service providers shall provide their legal representative with the necessary powers and resources to enable them to cooperate with the competent authorities and ensure compliance with their decisions.

3. The designated legal representative may be held liable for non-compliance with obligations under this Regulation, without prejudice to the liability and legal actions that could be initiated against the financial information service provider.

4. Financial information service providers shall notify the name, address, the electronic mail address and telephone number of their legal representative to the competent authority in the Member State where that legal representative resides or is established. They shall ensure that that information is up to date.

5. The designation of a legal representative within the Union pursuant to paragraph 1 shall not constitute an establishment in the Union.

Article 14
Granting and withdrawal of authorisation of financial information service providers

1. The competent authority shall grant an authorisation if the information and evidence accompanying the application complies with the requirements laid down in Article 11(1) and (2). Before granting an authorisation, the competent authority may, where relevant, consult other relevant public authorities.

2. The competent authority shall authorise a third country financial information service provider provided that all the following conditions are met:

(a) the third country financial information service provider has complied with all conditions laid down in Articles 12 and 16;

(b) the third country financial information service provider has designated a legal representative pursuant to Article 13;

(c) where the third country financial information service provider is subject to supervision, the competent authority shall seek to put in place an appropriate cooperation arrangement with the relevant competent authority of the third country where the financial information service provider is established, to ensure an efficient exchange of information;

(d) the third country where the financial information service provider is established is not listed as a non-cooperative jurisdiction for tax purposes under the relevant Union policy or as a high-risk third-country jurisdiction that presents deficiencies in accordance with Commission Delegated Regulation (EU) 2016/1675.

3. The competent authority shall grant an authorisation only if, taking into account the need to ensure the sound and prudent management of a financial information service provider, the financial information service provider has robust governance arrangements for its information service business. This includes a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective procedures to identify, manage, monitor and report the risks to which it is or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures. Those arrangements, procedures and mechanisms shall be comprehensive and proportionate to the nature, scale and complexity of the information services provided by the financial information service provider.

4. The competent authority shall grant an authorisation only if the laws, regulations or administrative provisions governing one or more natural or legal persons with which the financial information service provider has close links, or difficulties involved in the enforcement of those laws, regulations or administrative provisions, do not prevent the effective exercise of its supervisory functions.

5. The competent authority shall grant an authorisation only if it is satisfied that any outsourcing arrangements will not render the financial information service provider a letterbox entity or that they are not undertaken as a means to circumvent the provisions of this Regulation.

6. Within 3 months of receipt of an application or, if the application is incomplete, of all of the information required for the decision, the competent authority shall inform the applicant whether the authorisation is granted or refused. The competent authority shall give reasons where it refuses an authorisation.

7. The competent authority may withdraw an authorisation issued to a financial information service provider only if the provider:

(a) does not make use of the authorisation within 12 months, expressly renounces the authorisation or has ceased to engage in business for more than 6 months;

(b) has obtained the authorisation through false statements or any other irregular means;

(c) no longer meets the conditions for granting the authorisation or fails to inform the competent authority on major developments in this respect;

(d) would constitute a risk to consumer protection and the security of data.

The competent authority shall give reasons for any withdrawal of an authorisation and shall inform those concerned accordingly. The competent authority shall make public the withdrawal of an authorisation, in an anonymised version.

Article 15
Register

1. EBA shall develop, operate and maintain an electronic central register which contains the following information:

(a) the authorised financial information service providers.

(b) the financial information service providers that have notified their intention to access data in a Member State other than their home Member State.

(c) the financial data sharing schemes agreed between data holders and data users.

2. The register referred to in paragraph 1 shall only contain anonymised data.

3. The register shall be publicly available on EBA’s website and shall allow for easy searching and accessing the information listed.

4. EBA shall enter in the register referred to in paragraph 1 any withdrawal of authorisation of financial information service providers or termination of a financial data sharing scheme.

5. The competent authorities of Member States shall communicate without delay to EBA the information necessary to fulfil its tasks pursuant to paragraphs 1 and 3. Competent authorities shall be responsible for the accuracy of the information specified in paragraphs 1 and 3 and for keeping that information up to date. They shall, where technically possible, transmit this information to EBA in an automated way.

Article 16
Organisational requirements for financial information service providers

A financial information service provider shall comply with the following organisational requirements:

(a) it shall establish policies and procedures sufficient to ensure its compliance, including its managers and employees, with its obligations under this Regulation;

(b) it shall take reasonable steps to ensure continuity and regularity in the performance of its activities. To that end the financial information service provider shall employ appropriate and proportionate systems, resources and procedures to ensure the continuity of its critical operations, have in place contingency plans and a procedure to test and review regularly the adequacy and efficiency of such plans;

(c) when relying on a third party for the performance of functions which are critical for the provision of continuous and satisfactory service to customers and the performance of activities on a continuous and satisfactory basis, that it takes reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to impair materially the quality of its internal control and the ability of the supervisor to monitor the financial information service provider’s compliance with all obligations;

(d) it shall have sound governance, administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment and management, and effective control and safeguard arrangements for information processing systems;

(e) its directors and persons responsible for its management as well as the persons responsible for the management of the data access activities of the financial information service provider are of good repute and possess appropriate knowledge, skills and experience, both individually and collectively, to perform their duties;

(f) it shall establish and maintain effective and transparent procedures for the prompt, fair and consistent monitoring, handling and follow up of a security incident and security related customer complaints, including a reporting mechanism which takes account of the notification obligations laid down in Chapter III of Regulation (EU) 2022/2554;

TITLE VI
Competent authorities and Supervision Framework

Article 17
Competent authorities

1. Member States shall designate the competent authorities responsible for carrying out the functions and duties provided for in this Regulation. Member States shall notify those competent authorities to the Commission.

2. Member States shall ensure that the competent authorities designated under paragraph 1 possess all the powers necessary for the performance of their duties.

Member States shall ensure that those competent authorities have the necessary resources, notably in terms of dedicated staff, in order to comply with their tasks as per the obligations under this Regulation.

3. Member States who have appointed within their jurisdiction more than one competent authority for matters covered by this Regulation shall ensure that those authorities cooperate closely so that they can discharge their respective duties effectively.

4. For financial institutions, compliance with this Regulation shall be ensured by the competent authorities specified in Article 46 of Regulation (EU) 2022/2554 in accordance with the powers granted by the respective legal acts listed in that Article, and by this Regulation.

Article 18
Powers of competent authorities

1. Competent authorities shall have all the investigatory powers necessary for the exercise of their functions. Those powers shall include:

(a) the power to require any natural or legal persons to provide all information that is necessary in order to carry out the tasks of the competent authorities, including information to be provided at recurrent intervals and in specified formats for supervisory and related statistical purposes;

(b) the power to conduct all necessary investigations of any person referred to in point (a) established or located in the Member State concerned where necessary to carry out the tasks of the competent authorities, including the power to:

(i) require the submission of documents;

(ii) examine the data in any form, including the books and records of the persons referred to in point (a) and take copies or extracts from such documents;

(iii) obtain written or oral explanations from any person referred to in point (a) or their representatives or staff, and, if necessary, to summon and question any such person with a view to obtaining information;

(iv) interview any other natural person who agrees to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;

(v) subject to other conditions set out in Union law or in national law, the power to conduct necessary inspections at the premises of the legal persons and at sites other than the private residence of natural persons referred to in point (a), as well as of any other legal person included in consolidated supervision where a competent authority is the consolidating supervisor, subject to prior notification of the competent authorities concerned.

(vi) to enter the premises of natural and legal persons, in line with national law, in order to seize documents and data in any form where a reasonable suspicion exists that documents or data relating to the subject matter of the inspection or investigation may be necessary and relevant to prove a case of breach of provisions of this Regulation;

(vii) to require, insofar as permitted by national law, existing data traffic records held by a telecommunications operator, where there is a reasonable suspicion of a breach and where such records may be relevant to the investigation of a breach of this Regulation;

(viii) to request the freezing or sequestration of assets, or both;

(ix) to refer matters for criminal investigation;

(c) in the absence of other available means to bring about the cessation or the prevention of any breach of this Regulation and in order to avoid the risk of serious harm to the interests of consumers, competent authorities shall be entitled to take any of the following measures, including by requesting a third party or other public authority to implement them:

(i) to remove content or to restrict access to an online interface or to order that a warning is explicitly displayed to customers when they access an online interface;

(ii) to order a hosting service provider to remove, disable or restrict access to an online interface;

(iii) to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to record such deletion.

The implementation of this paragraph and the exercise of powers set out therein shall be proportionate and comply with Union and national law, including with applicable procedural safeguards and with the principles of the Charter of Fundamental Rights of the European Union. The investigation and enforcement measures adopted pursuant to this Regulation shall be appropriate to the nature and the overall actual or potential harm of the infringement.

2. Competent authorities shall exercise their powers to investigate potential breaches of this Regulation, and impose administrative penalties and other administrative measures provided for in this Regulation, in any of the following ways:

(a) directly;

(b) in collaboration with other authorities;

(c) by delegating powers to other authorities or bodies;

(d) by having recourse to the competent judicial authorities of a Member State.

Where competent authorities exercise their powers by delegating to other authorities or bodies in accordance with point (c), the delegation of power shall specify the delegated tasks, the conditions under which they are to be carried out, and the conditions under which the delegated powers may be revoked. The authorities or bodies to which the powers are delegated shall be organised in such a manner that conflicts of interest are avoided. Competent authorities shall oversee the activity of the authorities or bodies to which the powers are delegated.

3. In the exercise of their investigatory and sanctioning powers, including in cross border cases, competent authorities shall cooperate effectively with each other and with the authorities from any sector concerned as applicable to each case and in accordance with national and Union law, to ensure the exchange of information and the mutual assistance necessary for the effective enforcement of administrative sanctions and administrative measures.

Article 19
Settlement agreements and expedited enforcement procedures

1. Without prejudice to Article 20, Member States may lay down rules enabling their competent authorities to close an investigation concerning an alleged breach of this Regulation, following a settlement agreement in order to put an end to the alleged breach and its consequences before formal sanctioning proceedings are started.

2. Member States may lay down rules enabling their competent authorities to close an investigation concerning an established breach through an expedited enforcement procedure in order to achieve a swift adoption of a decision aiming at imposing an administrative sanction or administrative measure.

The empowerment of competent authorities to settle or open expedited enforcement procedures does not affect the obligations upon Member States under Article 20.

3. Where Member States lay down the rules referred to in paragraph 1, they shall notify the Commission of the relevant laws, regulations and administrative provisions regulating the exercise of powers referred to in that paragraph and shall notify it of any subsequent amendments affecting those rules.

Article 20
Administrative penalties and other administrative measures

1. Without prejudice to the supervisory and investigative powers of competent authorities listed in Article 18, Member States shall, in accordance with national law, provide for competent authorities to have the power to take appropriate administrative penalties and to take other administrative measures in relation to the following infringements:

(a) infringements of Articles 4, 5 and 6;

(b) infringements of Articles 7 and 8;

(c) infringements of Articles 9 and 10;

(d) infringements of Articles 13 and 16;

(e) infringements of Article 28.

2. Member States may decide not to lay down rules on administrative sanctions and administrative measures applicable to breaches of this Regulation which are subject to sanctions under national criminal law. In such a case, Member States shall notify the Commission of the relevant criminal law provisions and any subsequent amendments thereto.

3. Member States shall, in accordance with national law, ensure that competent authorities have the power to impose the following administrative penalties and other administrative measures in relation to the infringements referred to in paragraph 1:

(a) a public statement indicating the natural or legal person responsible and the nature of the infringement;

(b) an order requiring the natural or legal person responsible to cease the conduct constituting the infringement and to desist from a repetition of that conduct;

(c) the disgorgement of the profits gained or losses avoided due to the infringement insofar as they can be determined;

(d) a temporary suspension of the authorisation of a financial information service provider;

(e) a maximum administrative fine of at least twice the amount of the profits gained or losses avoided because of the infringement where those can be determined, even if such fine exceeds the maximum amounts set out in this paragraph, point (f), as regards natural persons, or in paragraph 4 as regards legal persons;

(f) in the case of a natural person, maximum administrative fines of up to EUR 25 000 per infringement and up to a total of EUR 250 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation].

(g) a temporary ban of any member of the management body of the financial information service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in financial information service providers;

(h) in the event of a repeated infringement of the articles referred to in paragraph 1, a ban of at least 10 years for any member of the management body of a financial information service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in a financial information service provider.

4. Member States shall, in accordance with national law, ensure that competent authorities have the power to impose, in relation to the infringements referred to in paragraph 1 committed by legal persons, maximum administrative fines of:

(a) up to EUR 50 000 per infringement and up to a total of EUR 500 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation];

(b) 2% of the total annual turnover of the legal person according to the last available financial statements approved by the management body;

Where the legal person referred to in the first subparagraph is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial statements in accordance with Article 22 of Directive 2013/34/EU of the European Parliament and of the Council, the relevant total annual turnover shall be the net turnover or the revenue to be determined in accordance with the relevant accounting standards, according to the consolidated financial statements of the ultimate parent undertaking available for the latest balance sheet date, for which the members of the administrative, management and supervisory body of the ultimate undertaking have responsibility.

5. Member States may empower competent authorities to impose other types of administrative penalties and other administrative measures in addition to those referred to in paragraphs 3 and 4 and may provide for higher amounts of administrative pecuniary fines than those laid down in those paragraphs.

Member States shall notify to the Commission the level of such higher penalties, and any subsequent amendments thereto.


Article 21
Periodic penalty payments

1. Competent authorities shall be entitled to impose periodic penalty payments on legal or natural persons for an ongoing failure to comply with any decision, order, interim measure, request, obligation or other administrative measure adopted in accordance with this Regulation.

A periodic penalty payment referred to in the first subparagraph shall be effective and proportionate and shall consist of a daily amount to be paid until compliance is restored. They shall be imposed for a period not exceeding 6 months from the date indicated in the decision imposing the periodic penalty payments.

Competent authorities shall be entitled to impose the following periodic penalty payments which may be adjusted depending on the seriousness of the breach and the needs of the sector:

(a) 3% of the average daily turnover in the case of a legal person;

(b) EUR 30 000 in the case of a natural person.

2. The average daily turnover referred to in paragraph 1, third subparagraph, point (a), shall be the total annual turnover, divided by 365.

3. Member States may provide for higher amounts of periodic penalty payments than those laid down in paragraph 1, third subparagraph.

Article 22
Circumstances to be considered when determining administrative penalties and other administrative measures

1. Competent authorities, when determining the type and level of administrative penalties or other administrative measure, shall take into account all relevant circumstances in order to ensure that such sanctions or measures are effective and proportionate. Those circumstances shall include, where appropriate:

(a) the gravity and the duration of the breach;

(b) the degree of responsibility of the legal or natural person responsible for the breach;

(c) the financial strength of the legal or natural person responsible for the breach, as indicated, among other things, by the total annual turnover of the legal person, or the annual income of the natural person responsible for the breach;

(d) the level of profits gained or losses avoided by the legal or natural person responsible for the breach, if such profits or losses can be determined;

(e) the losses for third parties caused by the breach, if such losses can be determined;

(f) the disadvantage resulting to the legal or natural person responsible for the breach from the duplication of criminal and administrative proceedings and penalties for the same conduct;

(g) the impact of the breach on the interests of customers;

(h) any actual or potential systemic negative consequences of the breach;

(i) the complicity or organised participation of more than one legal or natural person in the breach;

(j) previous breaches committed by the legal or natural person responsible for the breach;

(k) the level of cooperation of the legal or natural person, responsible for the breach, with the competent authority;

(l) any remedial action or measure undertaken by the legal or natural person responsible for the breach to prevent its repetition.

2. Competent authorities that use settlement agreements or expedited enforcement procedures pursuant to Article 19 shall adapt the relevant administrative penalties and other administrative measures provided for in Article 20 to the case concerned to ensure the proportionality thereof, in particular by considering the circumstances listed in paragraph 1.

Article 23
Professional secrecy

1. All persons who work or who have worked for the competent authorities, as well as experts acting on behalf of the competent authorities, are bound by the obligation of professional secrecy.

2. The information exchanged in accordance with Article 26 shall be subject to the obligation of professional secrecy by both the sharing and recipient authority to ensure the protection of individual and business rights.

Article 24
Right of appeal

1. Decisions taken by the competent authorities pursuant to this Regulation, may be contested before the courts.

2. Paragraph 1 shall apply also in respect of a failure to act.

Article 25
Publication of decisions of competent authorities

1. Competent authorities shall publish on their website all decisions imposing an administrative penalty or administrative measure on legal and natural persons, for breaches of this Regulation, and where applicable, all settlement agreements. The publication shall include a short description of the breach, the administrative penalty or other administrative measure imposed, or, where applicable, a statement about the settlement agreement. The identity of the natural person subject to the decision imposing an administrative penalty or administrative measure shall not be published.

Competent authorities shall publish the decision and the statement referred to in paragraph 1 immediately after the legal or natural person subject to the decision has been notified of that decision or the settlement agreement has been signed.

2. By derogation from paragraph 1, where the publication of the identity or other personal data of the natural person is deemed necessary by the national competent authority to protect the stability of the financial markets or, to ensure the effective enforcement of this Regulation, including in the case of public statements referred to in Article 20(3) point (a), or temporary bans referred to in Article 20(3) point (g), the national competent authority may publish also the identity of the persons or personal data, provided that it justifies such a decision and that the publication is limited to the personal data that is strictly necessary to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation.

3. Where the decision imposing an administrative penalty or other administrative measure is subject to appeal before the relevant judicial or other authority, competent authorities shall also publish on their official website, without delay, information on the appeal and any subsequent information on the outcome of such an appeal insofar as it concerns legal persons. Where the appealed decision concerns natural persons and the derogation under paragraph 2 is not applied, competent authorities shall publish information on the appeal only in an anonymised version.

4. Competent authorities shall ensure that any publication made in accordance with this Article remains on their official website for a period of at least 5 years. Personal data contained in the publication shall be kept on the official website of the competent authority only if an annual review shows the continued need to publish that data to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation, and in any event for no longer than 5 years.

Article 26
Cooperation and exchange of information between competent authorities

1. Competent authorities shall cooperate with each other and with other relevant competent authorities designated under Union or national law applicable to financial institutions for the purposes of this Regulation carrying out the duties of the competent authorities.

2. The exchange of information between competent authorities and the competent authorities of other Member States responsible for the authorisation and supervision of financial information service providers shall be allowed for the purposes of carrying out their duties under this Regulation.

3. Competent authorities exchanging information with other competent authorities under this Regulation may indicate at the time of communication that such information must not be disclosed without their express agreement, in which case such information may be exchanged solely for the purposes for which those authorities gave their agreement.

4. The competent authority shall not transmit information shared by other competent authorities to other bodies or natural or legal persons without the express agreement of the competent authorities which disclosed it and solely for the purposes for which those authorities gave their agreement, except in duly justified circumstances. In this last case, the contact point shall immediately inform the contact point that sent the information.

5. Where obligations under this Regulation concern the processing of personal data, competent authorities shall cooperate with the supervisory authorities established pursuant to Regulation (EU) 2016/679.

Article 27
Settlement of disagreements between competent authorities

1. Where a competent authority of a Member State considers that, in a particular matter, cross-border cooperation with competent authorities of another Member State as referred to in Articles 28 or 29 of this Regulation does not comply with the relevant conditions set out in those provisions, it may refer the matter to EBA and may request its assistance in accordance with Article 19 of Regulation (EU) No 1093/2010.

2. Where EBA has been requested to provide assistance pursuant to paragraph 1, it shall take a decision under Article 19(3) of Regulation (EU) No 1093/2010 without undue delay. EBA may also, on its own initiative, assist the competent authorities in reaching an agreement in accordance with Article 19(1), second subparagraph of that Regulation. In either case, the competent authorities involved shall defer their decisions pending resolution of the disagreement pursuant to Article 19 of Regulation (EU) No 1093/2010.

TITLE VII
Cross Border access to data

Article 28
Cross-border access to data by financial information service providers

1. Financial information service providers and financial institutions shall be allowed to have access to the data listed in Article 2(1) of Union customers held by data holders established in the Union, pursuant to the freedom to provide services or the freedom of establishment.

2. A financial information service provider wishing to have access to the data listed in Article 2(1) of this Regulation for the first time in a Member State other than its home Member State, in the exercise of the right of establishment or the freedom to provide services, shall communicate the following information to the competent authorities in its home Member State:

(a) the name, the address and, where applicable, the authorisation number of the financial information service provider;

(b) the Member State(s) in which it intends to have access to the data listed in Article 2(1);

(c) the type of data it wishes to have access to;

(d) the financial data sharing schemes of which it is a member.

Where the financial information service provider intends to outsource operational functions of data access to other entities in the host Member State, it shall inform the competent authorities of its home Member State accordingly.

3. Within 1 month of receipt of all of the information referred to in paragraph 1 the competent authorities of the home Member State shall send it to the competent authorities of the host Member State.

4. The financial information service provider shall communicate to the competent authorities of the home Member State without undue delay any relevant change regarding the information communicated in accordance with paragraph 1, including additional entities to which activities are outsourced in the host Member States in which it operates. The procedure provided for under paragraphs 2 and 3 shall apply.

Article 29
Reasons and communication

Any measure taken by the competent authorities pursuant to Article 18 or Article 28 involving penalties or restrictions on the exercise of the freedom to provide services or the freedom of establishment shall be properly justified and communicated to the financial information service provider concerned.

TITLE VIII
Final provisions

Article 30
Exercise of delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt the delegated act referred to in Article 11, shall be conferred on the Commission for a period of XX months from … [OP please insert: date of entry into force of this Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the XX-month period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of powers referred to in Article 11 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Article 11 shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months on the initiative of the European Parliament or of the Council.

Article 31
Evaluation of this Regulation and report on access to financial data

1. By [OP please insert the date = 4 years after the date of entry into application of this Regulation], the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee. That evaluation shall assess, in particular:

(a) other categories or sets of data to be made accessible;

(b) the exclusion from the scope of certain categories of data and entities;

(c) changes in contractual practices of data holders and data users and the operation of financial data sharing schemes;

(d) the inclusion of other types of entities to those entities granted the right of access to data;

(e) the impact of compensation on the ability of data users to participate in financial data sharing schemes and access data from data holders.

2. By [OP please insert the date = 4 years after the date of entry into force of this Regulation], the Commission shall submit a report to the European Parliament and the Council assessing the conditions for access to financial data applicable to account information service providers under this Regulation and under Directive (EU) 2015/2366. The report can be accompanied, if deemed appropriate, by a legislative proposal.

Article 32
Amendment to Regulation (EU) No 1093/2010

In Article 1(2) of Regulation (EU) No 1093/2010, the first subparagraph is replaced by the following:

‘The Authority shall act within the powers conferred by this Regulation and within the scope of Directive 2002/87/EC, Directive 2008/48/EC*, Directive 2009/110/EC, Regulation (EU) No 575/2013**, Directive 2013/36/EU***, Directive 2014/49/EU****, Directive 2014/92/EU*****, Directive (EU) 2015/2366******, Regulation (EU) 2023/1114 (*******), Regulation (EU) 2024/…/EU (********) of the European Parliament and of the Council and, to the extent that those acts apply to credit and financial institutions and the competent authorities that supervise them, within the relevant parts of Directive 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority. The Authority shall also act in accordance with Council Regulation (EU) No 1024/2013*********.

* Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66).

** Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

*** Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

**** Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes (OJ L 173, 12.6.2014, p. 149).

***** Directive 2014/92/EU of the European Parliament and of the Council of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (OJ L 257, 28.8.2014, p. 214).

****** Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

******* Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40).

******** Regulation (EU) 2024/… of the European Parliament and of the Council of … on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) 1095/2010 and (EU) 2022/2554 and Directive (EU) 2019/1937 (OJ L ..., ...., p.).

********* Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).’

Article 33
Amendment to Regulation (EU) No 1094/2010

In Article 1(2) of Regulation (EU) No 1094/2010, the first subparagraph is replaced by the following:

‘The Authority shall act within the powers conferred by this Regulation and within the scope of Regulation (EU) 2024/…/EU (*), of Directive 2009/138/EC with the exception of Title IV thereof, of Directive 2002/87/EC, Directive (EU) 2016/97 (**) and Directive (EU) 2016/2341 (***) of the European Parliament and of the Council, and, to the extent that those acts apply to financial information services providers, insurance undertakings, reinsurance undertakings, institutions for occupational retirement provision and insurance intermediaries, within the relevant parts of Directive 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority.’

* Regulation (EU) 2024/… of the European Parliament and of the Council of … on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010, (EU) 1094/2010 and (EU) 2022/2554 and Directive (EU) 2019/1937 (OJ L …, ...., p.).

** Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2.2.2016, p. 19).

*** Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs) (OJ L 354, 23.12.2016, p. 37).

Article 34
Amendment to Regulation (EU) No 1095/2010

In Article 1(2) of Regulation (EU) No 1095/2010, the first subparagraph is replaced by the following:

‘The Authority shall act within the powers conferred by this Regulation and within the scope of Directives 97/9/EC, 98/26/EC, 2001/34/EC, 2002/47/EC, 2004/109/EC, 2009/65/EC, Directive 2011/61/EU of the European Parliament and of the Council*, Regulation (EC) No 1060/2009 and Directive 2014/65/EU of the European Parliament and of the Council**, Regulation (EU) 2017/1129 of the European Parliament and of the Council***, Regulation (EU) 2023/1114 of the European Parliament and of the Council****, Regulation (EU) 2024/… of the European Parliament and of the Council***** and to the extent that those acts apply to firms providing investment services or to collective investment undertakings marketing their units or shares, issuers or offerors of crypto-assets, persons seeking admission to trading or crypto-asset service providers, financial information service providers and the competent authorities that supervise them, within the relevant parts of Directives 2002/87/EC and 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority.

___________

* Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (OJ L 174, 1.7.2011, p. 1).

** Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

*** Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC (OJ L 168, 30.6.2017, p. 12).

**** Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40).’

***** Regulation (EU) 2024/… of the European Parliament and of the Council of … on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) 1094/2010, (EU) 1095/2010 and (EU) 2022/2554 and Directive (EU) 2019/1937 (OJ L ..., ...., p.).

Article 35
Amendment to Regulation (EU) 2022/2554

Article 2(1) of Regulation (EU) 2022/2554 is amended as follows:

(1) In point (u), the punctuation mark “.” is replaced by “;”

(2) the following point (v) is added:

“(v) financial information service providers.”

Article 36
Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from [OP please insert the date = 24 months after the date of entry into force of this Regulation]. However, Articles 9 to 13 shall apply from [OP please insert the date = 18 months after the date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.