Considerations on COM(2023)360 - Framework for Financial Data Access


dossier: COM(2023)360 - Framework for Financial Data Access
document: COM(2023)360
date: June 28, 2023
(1) A responsible data economy, which is driven by the generation and use of data, is an integral part of the Union internal market that can bring benefits to both Union citizens and the economy. Digital technologies relying on data are increasingly driving change in financial markets by producing new business models, products and ways for firms to engage with customers.

(2) Customers of financial institutions, both consumers and firms, should have effective control over their financial data and the opportunity to benefit from open, fair, and safe data-driven innovation in the financial sector. Those customers should be empowered to decide how and by whom their financial data is used and should have the option to grant firms access to their data for the purposes of obtaining financial and information services should they wish.

(3) The Union has a stated policy interest in enabling access of customers of financial institutions to their financial data. The Commission confirmed in its communication on a digital finance strategy and Communication on a capital markets union adopted in 2021 an intention to put in place a framework for financial data access to reap the benefits for customers of data sharing in the financial sector. Such benefits include the development and provision of data-driven financial products and financial services, made possible by the sharing of customer data.

(4) Within financial services, and as a result of the revised Directive (EU) 2015/2366 of the European Parliament and of the Council, the sharing of payments account data in the Union based on customer permission has begun to transform the way consumers and businesses use banking services. In order to build upon the measures in that Directive, a regulatory framework should be established for the sharing of customer data across the financial sector beyond payment account data. This should also be a building block for fully integrating the financial sector into the Commission’s strategy for data, which promotes data sharing across sectors.

(5) Ensuring customer control and trust is imperative to build a well-functioning and effective data sharing framework in the financial sector. Ensuring effective customers’ control over data sharing contributes to innovation as well as customer confidence and trust in data sharing. As a result, effective control helps overcome customer reluctance to share their data. Under the current Union framework, the data portability right of a data subject in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council is limited to personal data and can be relied upon only where it is technically feasible to port the data. Customer data and technical interfaces in the financial sector beyond payment accounts are not standardised, rendering data sharing more costly. Further, the financial institutions are only legally obliged to make the payment data of their customers available.

(6) The Union’s financial data economy therefore remains fragmented, characterised by uneven data sharing, barriers, and high stakeholder reluctance to engage in data sharing beyond payments accounts. Customers accordingly do not benefit from individualised, data-driven products and services that may fit their specific needs. The absence of personalised financial products limits the possibility to innovate, by offering more choice and financial products and services for interested consumers who could otherwise benefit from data-driven tools that can support them to make informed choices, compare offerings in a user-friendly manner, and switch to more advantageous products that match their preferences based on their data. The existing barriers to business data sharing are preventing firms, in particular SMEs, to benefit from better, convenient and automated financial services.

(7) Making data available by way of high-quality application programming interfaces is essential to facilitate seamless and effective access to data. Beyond the area of payment accounts, however, only a minority of financial institutions that are data holders indicate that they make data available through technical interfaces like application programming interfaces. As incentives to develop such innovative services are absent, market demand for data access remains limited.

(8) A dedicated and harmonised framework for access to financial data is therefore necessary at Union level to respond to the needs of the digital economy and to remove barriers to a well-functioning internal market for data. Specific rules are required to address these barriers to promote better access to customer data and hence make it possible for consumers and firms to realise the gains stemming from better financial products and services. Data-driven finance would facilitate industry transition from the traditional supply of standardised products to tailored solutions that are better suited to the customers’ specific needs, including improved customer facing interfaces that enhance competition, improve user experience and ensure financial services that are focused on the customer as the end user.

(9) The data included in the scope of this Regulation should demonstrate high value added for financial innovation as well as low financial exclusion risk for consumers. This Regulation should therefore not cover data related to the sickness and health insurance of a consumer in accordance with Directive 2009/138/EC of the European Parliament and of the Council as well as data on life insurance products of a consumer in accordance with Directive 2009/138/EC other than life insurance contracts covered by insurance-based investment products. This Regulation should also not cover data collected as part of a creditworthiness assessment of a consumer. The sharing of customer data in the scope of this Regulation should respect the protection of confidential business data and trade secrets.

(10) The sharing of the customer data in the scope of this Regulation should be based on the permission of the customer. The legal obligation on data holders to share customer data should be triggered once the customer has requested their data to be shared with a data user. This request can be submitted by a data user acting on behalf of the customer. Where the processing of personal data is involved, a data user should have a valid lawful basis for processing under Regulation (EU) 2016/679. The customers data can be processed for the agreed purposes in the context of the service provided. The processing of personal data must respect the principles of personal data protection, including lawfulness, fairness and transparency, purpose limitation and data minimisation. A customer has the right to withdraw the permission given to a data user. When data processing is necessary for the performance of a contract, a customer should be able to withdraw permissions according to the contractual obligations to which the data subject is party. When personal data processing is based on consent, a data subject has the right to withdraw his or her consent at any time, as provided for in Regulation (EU) 2016/679.

(11) Enabling customers to share their data on their current investments can encourage innovation in the provision of retail investment services. Primary data collection to complete a suitability and appropriateness assessment of a retail investor is time-intensive for a customer and constitutes a significant cost factor for advisors and distributors of investment, pension, and insurance-based investment products. The sharing of customer data on holdings of savings and investments in financial instruments including insurance-based investment products and data collected for the purposes of carrying out a suitability and appropriateness assessment can improve investment advice for consumers and has strong innovative potential, including in the development of personalised investment advice and investment management tools that can make retail investment advice more efficient. Such management tools are already being developed in the market and can develop more effectively in the context where a customer can share their investment-related data.

(12) Customer data on balance, conditions or transaction details related to mortgages, loans and savings can enable customers to gain a better overview of their deposits and better meet their savings needs based on credit data. This Regulation should cover customer data beyond payment accounts defined in Directive (EU) 2015/2366. Credit accounts covered by a credit line which cannot be used for the execution of payment transactions to third parties should be within the scope of this Regulation. It should therefore be understood that this Regulation covers the access to the balance, conditions or transaction details related to mortgage credit agreements, loans, and savings accounts as well as the types of accounts not falling within the scope of the Directive (EU) 2015/2366.

(13) The customer data included in the scope of this Regulation should include sustainability-related information that should enable customers to more easily access financial services that are aligned with their sustainability preferences and sustainable finance needs, in line with the Commission’s strategy for financing the transition to a sustainable economy. Access to data relating to sustainability which may be contained in balance or transaction details related to a mortgage, credit, loan and savings account, as well as access to customer data relating to sustainability held by investment firms, can contribute to facilitating access to data needed to access sustainable finance or make investments into the green transition. Moreover, customer data in the scope of this Regulation should include data which forms part of a creditworthiness assessment related to firms, including small and medium sized enterprises, and which can provide greater insight into the sustainability objectives of small firms. The inclusion of data used for the creditworthiness assessment related to firms should improve access to financing and streamline the application for loans. Such data should be limited to data on firms and should not infringe intellectual property rights.

(14) Customer data related to the provision of non-life insurance are essential to enable insurance products and services important to the needs of customer like the protection of homes, vehicles, and other property. At the same time, the collection of such data is often burdensome and costly and can act as a deterrent against seeking optimal insurance coverage by customers. To address this problem, it is therefore necessary to include such financial services within the scope of this Regulation. Customer data on insurance products within scope of this Regulation should include both insurance product information such as detail on an insurance coverage and data specific to the consumers’ insured assets which are collected for the purposes of a demands and needs test. The sharing of such data should allow for the development of personalised tools for customers, such as insurance dashboards that could help consumers better manage their risks. It could also help customers to obtain products that are better targeted to their demands and needs, including through more valuable advice. This can contribute to more optimal insurance coverage for customers and increased financial inclusion of otherwise underserved consumers, by offering new or increased coverage. Moreover, the sharing of insurance data can be beneficial for more efficient supply of insurance including, in particular, at the stages of product design, underwriting, contract execution, including claims management, and risk mitigation.

(15) The sharing of data on occupational and personal pension savings has strong innovative potential for consumers. Pension savers often lack sufficient knowledge about their pension rights, which is related to the fact that data on such rights are often dispersed across different data holders. The sharing of data related to occupational and personal pension savings should contribute to the development of pension tracking tools that provide savers with a comprehensive overview of their entitlements and retirement income both within specific Member States and cross-border in the Union. Data on pension rights concerns in particular accrued pension entitlements, projected levels of retirement benefits, risks and guarantees of members and beneficiaries of occupational pension schemes. Access to data related to occupational pensions is without prejudice to national social and labour law on the organisation of pension systems, including membership of schemes and the outcomes of collective bargaining agreements.

(16) Data which forms part of a creditworthiness assessment of a firm in the scope of this Regulation should consist of information which a firm provides to institutions and creditors as part of the loan application process or a request for a credit rating. This includes loan applications of micro, small, medium and large enterprises. It may include data collected by institutions and creditors as set out in Annex II of the European Banking Authority Guidelines on loan origination and monitoring. Such data may include financial statements and projections, information on financial liabilities and arrears in payment, evidence of ownership of the collateral, evidence of insurance of the collateral and information on guarantees. Additional data may be relevant if the purpose of the loan application relates to the purchase of commercial real estate or real estate development.

(17) As this Regulation is meant to oblige financial institutions to provide access to defined categories of data at the request of the customer when acting as data holders, and allow the sharing of data based on customer permission when financial institutions act as data users, it should provide a list of the financial institutions that may act as either a data holder, a data user or both. Financial institutions should therefore be understood to mean those entities that provide financial products and financial services or offer relevant information services to customers in the financial sector.

(18) Practices employed by data users to combine new and traditional customer data sources in the scope of this Regulation must be proportionate to ensure that they do not lead to financial exclusion risks for consumers. Practices that lead to a more sophisticated or comprehensive analysis of certain vulnerable segments of consumers, such as persons with a low income, may increase the risk of unfair conditions or differential pricing practices like the charging of differential premiums. The potential for exclusion is increased in the provision of products and services that are priced according to the profile of a consumer, notably in credit scoring and the assessment of creditworthiness of natural persons as well for products and services related to the risk assessment and pricing of natural persons in the case of life and health insurance. Given the risks, the use of data for these products and services should be subject to specific requirements to protect consumers and their fundamental rights.

(19) The data use perimeter thus established in this Regulation and in the accompanying guidelines (‘the guidelines’) to be developed by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) should provide a proportionate framework on how personal data related to a consumer that falls within the scope of this Regulation should be used. The data use perimeter ensures consistency between the scope of this Regulation, which excludes data that forms part of a creditworthiness assessment of a consumer as well as data related to life, health and sickness insurance of a consumer, and the scope of the guidelines, which set recommendations on how types of data originating from other areas of the financial sector that are in scope of this Regulation can be used to provide these products and services. The guidelines developed by the EBA should set out how other types of data that are in scope of this Regulation can be used to assess the credit score of a consumer. The guidelines developed by EIOPA should set out how data in scope of this Regulation can be used in products and services related to risk assessment and pricing in the case of life, health and sickness insurance products. The guidelines should be developed in a manner that is aligned to the needs of the consumer and proportionate to the provision of such products and services.

(20) EBA and EIOPA should closely cooperate with the European Data Protection Board when drafting the guidelines, which should build on existing recommendations on the use of consumer information in the area of consumer and mortgage credit, notably the rules on use of creditworthiness assessment under Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC, the European Banking Authority’s Guidelines on loan origination and monitoring, and the European Banking Authority guidelines on creditworthiness assessment developed under Directive 2014/17/EU, as well as guidelines provided by the European Data Protection Board on the processing of personal data.

(21) Customers must have effective control over their data and confidence in managing permissions they have granted in accordance with this Regulation. Data holders should therefore be required to provide customers with common and consistent financial data access permission dashboards. The permission dashboard should empower the customer to manage their permissions in an informed and impartial manner and give customers a strong measure of control over how their personal and non-personal data is used. It should not be designed in a way that would encourage or unduly influence the customer to grant or withdraw permissions. The permission dashboard should take into account, where appropriate, the accessibility requirements under Directive (EU) 2019/882 of the European Parliament and of the Council. When providing a permission dashboard, data holders could use a notified electronic identification and trust service, such as a European Digital Identity Wallet issued by a Member State as introduced by the proposal amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. Data holders may also rely on data intermediation service providers under Regulation (EU) 2022/868 of the European Parliament and of the Council, to provide permission dashboards that fulfil the requirements of this Regulation.

(22) The permission dashboard should display the permissions given by a customer, including when personal data are shared based on consent or are necessary for the performance of a contract. The permission dashboard should warn a customer in a standard way of the risk of possible contractual consequences of the withdrawal of a permission, but the customer should remain responsible for managing such risk. The permission dashboard should be used to manage existing permissions. Data holders should inform data users in real-time of any withdrawal of a permission. The permission dashboard should include a record of permissions that have been withdrawn or have expired for a period of up to two years to allow the customer to keep track of their permissions in an informed and impartial manner. Data users should inform data holders in real-time of new and re-established permissions granted by customers, including the duration of validity of the permission and a short summary of the purpose of the permission. The information provided on the permission dashboard is without prejudice to the information requirements under Regulation (EU) 2016/679.

(23) To ensure proportionality, certain financial institutions are out of the scope of this Regulation for reasons associated with their size or the services they provide, which would make it too difficult to comply with this regulation. These include institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total, as well as insurance intermediaries who are microenterprises or small or medium-sized enterprises. In addition, small or medium-sized enterprises acting as data holders that are within the scope of this Regulation should be allowed to establish an application programming interface jointly, reducing the costs for each of them. They can also avail themselves of external technology providers which run application programming interfaces in a pooled manner for financial institutions and may charge them only a low fixed usage fee and work largely on a pay-per-call basis.

(24) This Regulation introduces a new legal obligation on financial institutions acting as data holders to share defined categories of data at request of the customer. The obligation on data holders to share data at the request of the customer should be specified by making available generally recognised standards to also ensure that the data shared is of a sufficiently high quality. The data holder should make customer data available continuously for the purposes and under the conditions for which the customer has granted permission to a data user. Continuous access could consist of multiple requests to make customer data available to fulfil the service agreed with the customer. It could also consist of a one-off access to customer data. While the data holder is responsible for the interface to be available and for the interface to be of adequate quality, the interface may be provided not only by the data holder but also by another financial institution, an external IT provider, an industry association or a group of financial institutions, or by a public body in a member state. For institutions for occupational retirement provisions, the interface can be integrated into pension dashboards that cover a broader range of information, as long as it complies with the requirements of this Regulation.

(25) In order to enable the contractual and technical interaction necessary for implementing data access between multiple financial institutions, data holders and data users should be required to be part of financial data sharing schemes. These schemes should develop data and interface standards, joint standardised contractual frameworks governing access to specific datasets, and governance rules related to data sharing. In order to ensure that schemes function effectively, it is necessary to establish general principles for the governance of these schemes, including rules on inclusive governance and participation of data holders, data users and customers (to ensure balanced representation in schemes), transparency requirements, and a well-functioning appeal and review procedure (notably around the decision-making of schemes). Financial data sharing schemes must comply with Union rules in the area of consumer protection and data protection, privacy, and competition. The participants in such schemes are also encouraged to draw up codes of conduct similar to those prepared by controllers and processors under Article 40 of Regulation (EU) 2016/679. While such schemes may build upon existing market initiatives, the requirements set out in this Regulation should be specific to financial data sharing schemes or parts thereof which market participants use to fulfil their obligations under this Regulation after the date of application of these obligations.

(26) A financial data sharing scheme should consist of a collective contractual agreement between data holders and data users with the objective of promoting efficiency and technical innovation in financial data sharing to the benefit of customers. In line with Union rules on competition, a financial data sharing scheme should only impose on its members restrictions which are necessary to achieve its objectives and which are proportionate to those objectives. It should not afford its members the possibility of preventing, restricting or distorting competition in respect of a substantial part of the relevant market.

(27) In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of specifying the modalities and characteristics of a financial data sharing scheme in case a scheme is not developed by the data holders and the data users. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(28) Data holders and data users should be allowed to use existing market standards when developing common standards for mandatory data sharing.

(29) To ensure that data holders have an interest in providing high quality interfaces for making data available to data users, data holders should be able to request reasonable compensation from data users for putting in place application programming interfaces. Facilitating data access against compensation would ensure a fair distribution of the related costs between data holders and data users in the data value chain. In cases where the data user is an SME, proportionality for smaller market participants should be ensured by limiting compensation strictly to the costs incurred for facilitating data access. The model for determining the level of compensation should be defined as part of the financial data sharing schemes as provided in this Regulation.

(30) Customers should know what their rights are in case problems arise when data is shared and who to approach to seek compensation. Financial data sharing scheme members, including data holders and data users, should therefore be required to agree on the contractual liability for data breaches as well as how to resolve potential disputes between data holders and data users regarding liability. Those requirements should focus on establishing, as part of any contract, liability rules as well as clear obligations and rights to determine liability between the data holder and the data user. Liability issues related to the consumers as data subjects should be based on Regulation (EU) 2016/679, notably the right to compensation and liability under Article 82 of that Regulation.

(31) To promote consumer protection, enhance customer trust and ensure a level playing field, it is necessary to lay down rules on who is eligible to access customers’ data. Such rules should ensure that all data users are authorised and supervised by competent authorities. This would ensure that data can be accessed only by regulated financial institutions or by firms subject to a dedicated authorisation as financial information service providers (‘FISPs’) which is subject to this Regulation. Eligibility rules on FISPs are needed to safeguard financial stability, market integrity and consumer protection, as FISPs would provide financial products and services to customers in the Union and would access data held by financial institutions, the integrity of which is essential to preserve the financial institutions’ ability to continue providing financial services in a safe and sound manner. Such rules are also required to guarantee the proper supervision of FISPs by competent authorities in line with their mandate to safeguard financial stability and integrity in the Union, which would allow FISPs to provide throughout the Union the services for which they are authorised.

(32) Data users within the scope of this Regulation should be subject to the requirements of Regulation (EU) 2022/2554 of the European Parliament and of the Council and therefore be obliged to have strong cyber resilience standards in place to carry out their activities. This includes having comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Data users authorised and supervised as financial information service providers under this Regulation should follow the same approach and the same principle-based rules when addressing ICT risks taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. Financial information service providers should therefore be included in the scope of Regulation (EU) 2022/2554.

(33) In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, financial information service providers must be either legally incorporated in the Union or in case they are incorporated in a third country appoint a legal representative in the Union. An effective supervision by the competent authorities is necessary for the enforcement of requirements under this Regulation to ensure integrity and stability of the financial system and to protect consumers. The requirement of legal incorporation of financial information service providers in the Union or the appointment of a legal representative in the Union does not amount to data localisation since this Regulation does not entail any further requirement on data processing including storage to be undertaken in Union.

(34) A financial information service provider should be authorised in the jurisdiction of the Member State where its main establishment is located, that is, where the financial information service provider has its head office or registered office within which the principal functions and operational control are exercised. In respect of financial information service providers that do not have an establishment in the Union but require access to data in the Union and therefore fall within the scope of this Regulation, the Member State where those financial information service providers have appointed their legal representative should have jurisdiction, considering the function of legal representatives under this Regulation.

(35) To facilitate transparency regarding data access and financial information service providers, EBA should establish a register of financial information service providers authorised under this Regulation, as well as financial data sharing schemes agreed between data holders and data users.

(36) Competent authorities should be conferred with the powers necessary to supervise the way the compliance of the obligation on data holders to provide access to customer data established by this Regulation is exercised by market participants, as well as to supervise financial information service providers. Access to relevant data traffic records held by a telecommunications operator as well as the ability to seize relevant documents on premises are important and necessary powers to detect and prove the existence of breaches under this Regulation. Competent authorities should therefore have the power to require such records where they are relevant to an investigation, insofar as permitted under national law. Competent authorities should also cooperate with the supervisory authorities established under Regulation (EU) 2016/679 in the performance of their tasks and the exercise of their powers in accordance with that Regulation.

(37) Since financial institutions and financial information service providers can be established in different Member States and supervised by different competent authorities, the application of this Regulation should be facilitated by close cooperation among relevant competent authorities, through the mutual exchange of information and the provision of assistance in the context of the relevant supervisory activities.

(38) To ensure a level playing field in the area of sanctioning powers, Member States should be required to provide for effective, proportionate and dissuasive administrative sanctions, including periodic penalty payments, and administrative measures for the infringement of provisions of this Regulation. Those administrative sanctions, periodic penalty payments and administrative measures should meet certain minimum requirements, including the minimum powers that should be vested in competent authorities to be able to impose them, the criteria that competent authorities should consider when imposing them, and the obligation to publish and report. Member States should lay down specific rules and effective mechanisms regarding the application of periodic penalty payments.

(39) In addition to administrative sanctions and administrative measures, competent authorities should be empowered to impose periodic penalty payments on financial information service providers and on those members of their management body who are identified as responsible for an ongoing infringement or who are required to comply with an order from an investigating competent authority. Since the purpose of the periodic penalty payments is to compel natural or legal persons to comply with an order from the competent authority to act, for example to agree to be interviewed or to provide information, or to terminate an ongoing breach, the application of periodic penalty payments should not prevent competent authorities from imposing subsequent administrative sanctions for the same infringement. Unless otherwise provided for by Member States, periodic penalty payments should be calculated on a daily basis.

(40) Irrespective of their denomination under national law, forms of expedited enforcement procedure or settlement agreements are to be found in many Member States and are used as an alternative to formal proceedings leading to the imposition of sanctions. An expedited enforcement procedure usually starts after an investigation has been concluded and the decision to start proceedings leading to the imposition of sanctions has been taken. An expedited enforcement procedure is characterised by being shorter than a formal one, due to simplified procedural steps. Under a settlement agreement, the parties subject to the investigation by a competent authority usually agree to end that investigation early, in most cases by accepting liability for wrongdoing.

(41) While it does not appear appropriate to strive to harmonise at Union level such expedited enforcement procedures, which were introduced by many Member States, due to the varied legal approaches adopted at national level, it should be acknowledged that such methods allow competent authorities that can apply them to handle infringement cases in a speedier, less costly and overall more efficient way under certain circumstances, and should therefore be encouraged. However, Member States should not be obliged to introduce such enforcement methods in their legal framework, nor should competent authorities be compelled to use them if they do not deem it appropriate. Where Member States choose to empower their competent authorities to use such enforcement methods, they should notify the Commission of that decision and of the relevant measures regulating such powers.

(42) National competent authorities should be empowered by Member States to impose such administrative sanctions and administrative measures on financial information service providers and, where relevant, on other natural or legal persons to remedy the situation in the case of infringement. The range of sanctions and measures should be sufficiently broad to allow Member States and competent authorities to take account of the differences between financial information service providers as regards their size, characteristics and the nature of their business.

(43) The publication of an administrative penalty or measure for infringement of provisions of this Regulation can have a strong dissuasive effect against repetition of such infringement. Publication also informs other entities of the risks associated with the sanctioned financial information service provider before they enter into a business relationship, and assists competent authorities in other Member States in assessing the risks associated with a financial information service provider when it operates in their Member States on a cross-border basis. For those reasons, the publication of decisions on administrative penalties and administrative measures should be allowed as long as it concerns legal persons. In taking a decision whether to publish an administrative penalty or administrative measure, competent authorities should take into account the gravity of the infringement and the dissuasive effect that the publication is likely to produce. However, any such publication referring to natural persons may impinge on their rights stemming from the Charter of Fundamental Rights and the applicable Union data protection legislation in a disproportionate manner. Publication should occur in an anonymised way unless the competent authority deems it necessary to publish decisions containing personal data for the effective enforcement of this Regulation, including in the case of public statements or temporary bans. In such cases the competent authority should justify its decision.

(44) The exchange of information and the provision of assistance between competent authorities of the Member States is essential for the purposes of this Regulation. Consequently, cooperation between authorities should not be subject to unreasonably restrictive conditions.

(45) Cross-border access to data by information service providers should be allowed pursuant to the freedom to provide services or the freedom of establishment. A financial information service provider wishing to have access to data held by a data holder in another Member State should notify its intention to its competent authority, providing information on the type of data it wishes to access, the financial data sharing scheme of which it is a member and the Member States in which it intends to access the data.

(46) The objectives of this Regulation, namely giving effective control of data to the customer and addressing the lack of rights of access to customer data held by data holders, cannot be sufficiently achieved by the Member States given their cross-border nature but can rather be better achieved at Union level, by means of the creation of a framework through which a larger cross-border market with data access could be developed. The Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(47) The proposal for a Data Act [Regulation (EU) XX] establishes a horizontal framework for access to and use of data across the Union. This Regulation complements and specifies the rules laid down in the proposal for a Data Act [Regulation (EU) XX]. Therefore, those rules also apply to the sharing of data governed by this Regulation. This includes provisions on the conditions under which data holders make data available to data recipients, on compensation, on dispute settlement bodies to facilitate agreements between data sharing parties, on technical protection measures, on international access and transfer of data and on authorised use or disclosure of data.

(48) Regulation (EU) 2016/679 applies when personal data are processed. It provides for the rights of a data subject, including the right of access and the right to port personal data. This Regulation is without prejudice to the rights of a data subject provided under Regulation (EU) 2016/679, including the right of access and the right to data portability. This Regulation creates a legal obligation to share customer personal and non-personal data upon the customer's request and mandates the technical feasibility of access and sharing for all types of data within the scope of this Regulation. The granting of permission by a customer is without prejudice to the obligations of data users under Article 6 of Regulation (EU) 2016/679. Personal data that are made available and shared with a data user should only be processed for services provided by a data user where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, when applicable, where the requirements of Article 9 of that Regulation on the processing of special categories of data are met.

(49) This Regulation builds upon and complements the ‘open banking’ provisions under Directive (EU) 2015/2366 and is fully consistent with Regulation (EU) …/202.. of the European Parliament and of the Council on payment services and amending Regulation (EU) No 1093/2010 and Directive (EU) …/202.. of the European Parliament and of the Council on payment services and electronic money services amending Directives 2013/36/EU and 98/26/EC and repealing Directives 2015/2355/EU and 2009/110/EC. The initiative complements the already existing ‘open banking’ provisions under Directive (EU) 2015/2366 that regulate access to payment account data held by account servicing payment service providers. It builds on the lessons learned on ‘open banking’ as identified in the review of Directive 2015/2366/EU. This Regulation ensures coherence between financial data access and open banking where additional measures are necessary, including on permission dashboards, the legal obligations to grant direct access to customer data, and the requirement for data holders to put in place interfaces.

(50) This Regulation does not affect the provisions related to data access and data sharing in Union financial services legislation, namely the following: (i) the provisions on access to benchmarks and the access regime for exchange-traded derivatives between trading venues and Central Counterparties laid down in Regulation (EU) No 600/2014 of the European Parliament and of the Council; (ii) the rules on access of creditors to the database under Directive 2014/17/EU of the European Parliament and of the Council; (iii) the rules on access to securitisation repositories under Regulation (EU) 2017/2402 of the European Parliament and of the Council; (iv) the rules on the right to request from the insurer a claims history statement and on the access to central repositories to basic data necessary for the settlement of claims under Directive 2009/103/EC of the European Parliament and of the Council; (v) the right to access and transfer all necessary personal data to a new pan-European Personal Pension Product provider under Regulation (EU) 2019/1238 of the European Parliament and of the Council; and (vi) the provisions on outsourcing and reliance under Directive (EU) 2018/843 of the European Parliament and of the Council. Furthermore, this Regulation does not affect the application of EU or national rules of competition of the Treaty on the Functioning of the European Union and any secondary Union acts. This Regulation is also without prejudice to accessing, sharing and using data on a purely contractual basis without making use of the data access obligations established by this Regulation.

(51) As the sharing of data related to payment accounts is regulated under a different regime set out in Directive (EU) 2015/2366, it is deemed appropriate to set, in this Regulation, a review clause for the Commission to examine whether the introduction of the rules under this Regulation impacts the way AISPs access data and whether it would be appropriate to streamline the rules governing the sharing of data applicable to AISPs.

(52) Given that EBA, EIOPA and ESMA should be mandated to make use of their powers in relation to financial information service providers, it is necessary to ensure that they are able to exercise all of their powers and tasks in order to fulfil their objectives of protecting the public interest by contributing to the short, medium and long-term stability and effectiveness of the financial system, for the Union economy, its citizens and businesses, and to ensure that financial information service providers are covered by Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 of the European Parliament and of the Council. Those Regulations should therefore be amended accordingly.

(53) The date of application of this Regulation should be deferred by XX months in order to allow for the adoption of regulatory technical standards and delegated acts that are necessary to specify certain elements of this Regulation.

(54) The European Data Protection Supervisor was consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [……….]