REPORT on the proposal for a regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

30.4.2024 - (COM(2023)0360 – C9‑0215/2023 – 2023/0205(COD)) - ***I

Committee on Economic and Monetary Affairs
Rapporteur: Michiel Hoogeveen

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

(COM(2023)0360 – C9‑0215/2023 – 2023/0205(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

– having regard to the Commission proposal to Parliament and the Council (COM(2023)0360),

– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0215/2023),

– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

– having regard to the opinion of the European Economic and Social Committee of 14 December 2023[1],

– having regard to Rule 59 of its Rules of Procedure,

– having regard to the report of the Committee on Economic and Monetary Affairs (A9-0183/2024),

1. Adopts its position at first reading hereinafter set out;

2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Amendment  1

AMENDMENTS BY THE EUROPEAN PARLIAMENT[*]

to the Commission proposal

---------------------------------------------------------


Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee[2],

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) A responsible data economy, which is driven by the generation and use of data, is an integral part of the Union internal market that can bring benefits to both Union citizens and the economy. Digital technologies relying on data are increasingly driving change in financial markets by innovating and producing new business models, products and ways for firms to engage with customers.

(2) Customers of financial institutions, both consumers and firms, should have effective control over their financial data and the opportunity to benefit from open, fair, and safe data-driven innovation in the financial sector. Those customers should be empowered to decide how and by whom their financial data is used and should have the option to grant firms secure access to their data for the purposes of obtaining financial and information services should they wish. The unlocking and re-use of customer data, based on permission by the customer, would enable customers to benefit from access to a wider range of financial services and products from across the internal market, which, in turn, would lead to the availability of more competitive, customer-focused and cheaper financial services and products.

(3) The Union has a stated policy interest in enabling access of customers of financial institutions to their financial data. The Commission confirmed in its communication on a digital finance strategy and Communication on a capital markets union adopted in 2021 an intention to put in place a framework for financial data access to reap the benefits for customers of unlocking their data ▌ in the financial sector. Such benefits include the development and provision by the financial sector of data-driven financial products and financial services, made possible by the re-use of customer data. By creating synergies with data from other relevant sectors and enabling financial institutions to develop and provide tailor-made and data-driven financial products and services, the innovative potential of such financial products and financial services could be further enhanced to the benefit of customers and the overall data economy.

(4) Within financial services, and as a result of the revised Directive (EU) 2015/2366 of the European Parliament and of the Council[3], the access of payments account data in the Union based on customer permission has begun to transform the way consumers and businesses use banking services. In order to build upon the measures in that Directive, a regulatory framework should be established for the access of customer data processed by financial institutions across the financial sector which goes beyond payment account data. This should also be a building block for fully integrating the financial sector into the Commission’s strategy for data[4] which promotes data access across sectors. 

(5) Ensuring customer control and trust is imperative to build a well-functioning and effective data access framework in the financial sector. Ensuring effective customers’ control over their data ▌ contributes to innovation as well as customer confidence and trust in using alternative service providers. As a result, effective control may help overcome customer reluctance to re-use their data. Under the current Union framework, the data portability right of a data subject in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council[5] is limited to personal data and can be relied upon only where it is technically feasible to port the data. Customer data and technical interfaces in the financial sector beyond payment accounts are not standardised, rendering data access more costly. Further, the financial institutions are only legally obliged to make the payment data of their customers available.

(6) The Union’s financial data economy therefore remains fragmented, characterised by uneven data access, barriers, and high stakeholder reluctance to engage in unlocking and re-using data ▌ beyond payments accounts. Customers accordingly do not benefit from individualised, data-driven products and services that may fit their specific needs. The absence of personalised financial products limits the possibility to innovate, by offering more choice and financial products and services for interested consumers who could otherwise benefit from data-driven tools that can support them to make informed choices, compare offerings in a user-friendly manner, and switch to more advantageous products that match their preferences based on their data. The existing barriers to business data re-use are preventing firms, in particular small and medium-sized enterprises (SMEs), from benefitting from better, convenient and automated financial services.

(7) Making data available by way of high-quality technical interfaces like application programming interfaces is essential to facilitate seamless and effective access to data. Beyond the area of payment accounts, however, only a minority of financial institutions that are data holders indicate that they make data available through technical interfaces like application programming interfaces. As incentives to develop such innovative services are absent, market demand for data access remains limited. To foster efficient data access, data holders and data users are able to make use of existing application programming interfaces and common standards under Directive (EU) 2015/2366 and Commission Delegated Regulation (EU) 2018/389[6] where such interfaces and standards comply with this Regulation.

(8) A dedicated and harmonised framework for access to financial data is therefore desirable at Union level to respond to the needs of the digital economy and to remove barriers to a well-functioning internal market for data. Specific rules are required to address these barriers to promote better access to customer data and hence make it possible for consumers and firms to realise the gains stemming from better financial products and services. Data-driven finance could facilitate industry transition from the traditional supply of standardised products to tailored solutions that are better suited to the customers’ specific needs, including improved customer facing interfaces that enhance competition, improve user experience and ensure financial services that are focused on the customer as the end user.

(9) The data included in the scope of this Regulation should demonstrate high value added for financial innovation as well as low financial exclusion risk for consumers. This Regulation should therefore not cover data related to the sickness and health insurance of a consumer in accordance with Directive 2009/138/EC of the European Parliament and of the Council[7] as well as data on life insurance products of a consumer in accordance with Directive 2009/138/EC other than life insurance contracts covered by insurance-based investment products. This Regulation should not cover data related to sickness and health cover of a member or beneficiary in accordance with Directive (EU) 2016/2341 of the European Parliament and of the Council[8]. This Regulation should also not cover data collected as part of a creditworthiness assessment of a consumer. The access and use of customer data in the scope of this Regulation should respect the protection of confidential business data of both the customer and the data holder. This Regulation should therefore not cover trade secrets within the meaning of Directive (EU) 2016/943 of the European Parliament and of the Council[9], including but not limited to mathematical and methodological approaches. This Regulation should not cover data derived from confidential business data of the data holder or data that is generated by a financial institution by way of significantly enriching the customer data in scope of this Regulation, such as data that is the outcome of the use of proprietary algorithms.

(9a) Data users should comply with existing Union rules and guidelines when customer data is accessed under this Regulation for the purpose of providing the customer with a financial service or product. This includes the rules applicable to carrying out consumer creditworthiness assessments as laid down in Directive (EU) 2023/2225 of the European Parliament and of the Council[10] and Directive 2014/17/EU of the European Parliament and of the Council[11], and the duty of firms to act in the best interest of the customer when providing investment services in accordance with Directive 2014/65/EU of the European Parliament and of the Council[12] or offering insurance products in accordance with Directive (EU) 2016/97 of the European Parliament and of the Council[13].

(10) Access to ▌customer data in the scope of this Regulation should be based on the explicit permission of the customer. Such permission should not solely be based on a “tick-the-box” approach or the use of generalising phrases. In seeking the explicit permission of the customer for the use of his or her data, data users should specify the purpose of the use of the data, subject to the customer’s consent. The legal obligation on data holders to enable access to customer data should be triggered once the customer has explicitly requested their data to be made accessible to a data user. Where permission has explicitly been granted, this request can be submitted by a data user acting on behalf of the customer. This Regulation sets out rules on gatekeepers designated pursuant to Article 3 of Regulation (EU) 2022/1925. Those rules should apply to data users owned or controlled by gatekeepers to ensure that gatekeepers do not circumvent those rules. Gatekeepers should not be eligible to become financial information service providers. A data user that is owned or controlled by a gatekeeper should be subject to a special assessment by the national competent authority of its registered office to ensure its eligibility under this Regulation. Where a data user is part of a group of companies in which one or more entities in the group has been designated as a gatekeeper, customer data should be accessed only by the entity of the group that acts as a data user. The data user should therefore not grant access to customer data under this Regulation to the gatekeeper that owns or controls it. Gatekeepers should not engage in behaviour that would undermine the effectiveness of the prohibitions and obligations laid down in this Regulation. The limitation on gatekeepers would not exclude them from the market or prevent them from offering their services, as voluntary agreements between gatekeepers and the data holders remain unaffected.
Where the processing of personal data is involved, a data user should rely on one of the valid lawful bases for processing under Article 6(1)(a) or (b) of Regulation (EU) 2016/679. The customers’ data can be processed only for the agreed purposes in the context of the service provided. Under this Regulation, those purposes should be strictly limited to the provision of financial products, financial services or financial information services. The processing of personal data must respect the principles of personal data protection, including lawfulness, fairness and transparency, purpose limitation and data minimisation. A customer has the right to withdraw the permission given to a data user at any time. For example, when data processing is necessary for the performance of a contract, a customer should be able to withdraw permissions according to the contractual obligations to which the data subject is party. Similarly, when personal data processing is based on consent, a data subject should be able to withdraw his or her consent at any time and free of charge, as provided for in Regulation (EU) 2016/679. It should not be possible for the data user to transfer customer data to a third party, or even to another entity within the same group, without such explicit permission.

(11) Enabling customers to unlock and re-use their data on their current investments can encourage innovation in the provision of retail investment services. Primary data collection to complete a suitability and appropriateness assessment of a retail investor is time-intensive for a customer and constitutes a significant cost factor for advisors and distributors of investment, some types of pension, and insurance-based investment products. The re-use of customer data on holdings of savings and investments in financial instruments including insurance-based investment products and data collected for the purposes of carrying out a suitability and appropriateness assessment can improve investment advice for consumers and has strong innovative potential, including in the development of personalised investment advice and investment management tools that can make retail investment advice more efficient. Such management tools are already being developed in the market and can develop more effectively in the context where a customer can re-use their investment-related data.

(12) Customer data on balance, conditions or transaction details related to mortgages, loans and savings can enable customers to gain a better overview of their deposits and better meet their savings needs based on credit data. This Regulation should cover customer data beyond payment accounts defined in Directive (EU) 2015/2366. Credit accounts covered by a credit line which cannot be used for the execution of payment transactions to third parties should be within the scope of this Regulation. This Regulation does not cover payment account data that are covered by Regulation (EU) [.../...] of the European Parliament and of the Council[14].

(12a) To ensure the right of investment firms, insurance undertakings and insurance intermediaries to protect undisclosed know-how and business information when distributing investment products, the scope of the obligation to share data under this Regulation should be limited to relevant data that has been collected from the customer by the financial institution in order to comply with the regulatory obligation to perform a suitability and appropriateness assessment in accordance with Article 25 of Directive 2014/65/EU and Article 30 of Directive (EU) 2016/97. This is limited to data collected from the customer by the financial institution for the purposes of assessing the customer’s knowledge and experience, financial situation, and investment objectives, as provided for in those provisions. This does not include the result of the suitability or appropriateness assessment itself made by the financial institution on the basis of the data collected from the customer, the suitability report given to a customer, or any analysis or preparatory work for the purposes of such report, which should be excluded from the scope of this Regulation.

(13) The customer data included in the scope of this Regulation should include available information on sustainability-related preferences, where applicable, that should enable customers to more easily access financial services that are aligned with their sustainability preferences and sustainable finance needs, in line with the Commission’s strategy for financing the transition to a sustainable economy[15]. Access to data relating to sustainability which may be contained in balance or transaction details related to a mortgage, credit, loan and savings account, insurance-based investment products, as well as access to customer data relating to sustainability held by investment firms, such as a customer’s initial sustainability preferences, can contribute to facilitating access to data needed to access sustainable finance or make investments into the green transition. Moreover, customer data in the scope of this Regulation should include data which forms part of a creditworthiness assessment related to firms, including small and medium sized enterprises, and which can provide greater insight into the sustainability objectives of small firms. The inclusion of data used for the creditworthiness assessment related to firms should improve access to financing and streamline the application for loans. Such data should be limited to data on firms and should not infringe intellectual property rights. Sustainability preferences should include sustainability preferences of a customer collected by insurance intermediaries distributing insurance-based investment products as defined in Article 2(4) of Commission Delegated Regulation (EU) 2021/1257[16], and sustainability preferences collected by investment firms as defined in Article 2(7) of Commission Delegated Regulation (EU) 2017/565[17].

(14) Customer data related to the provision of non-life insurance are essential to enable insurance products and services important to the needs of customer like the protection of homes, vehicles, and other property. At the same time, the collection of such data is often burdensome and costly and can act as a deterrent against seeking optimal insurance coverage by customers. To address this problem, it is therefore necessary to include such financial services within the scope of this Regulation. Customer data on insurance products within scope of this Regulation should include both insurance product information such as detail on an insurance coverage and data specific to the consumers’ insured assets which are collected for the purposes of a demands and needs test. The access to and re-use of such data should allow for the development of personalised tools for customers, such as insurance dashboards that could help consumers better manage their risks. It could also help customers to obtain products that are better targeted to their demands and needs, including through more valuable advice. This can contribute to more optimal insurance coverage for customers and increased financial inclusion of otherwise underserved consumers, by offering new or increased coverage. Moreover, the unlocking and re-use of insurance data can be beneficial for more efficient supply of insurance including, in particular, at the stages of product design, underwriting, contract execution, including claims management, and risk mitigation.

(15) Access to data on occupational and personal pension savings can create added value for consumers that are members or beneficiaries of occupational pension schemes. Especially in the absence of national pension tracking systems, pension savers often lack sufficient knowledge about their pension rights, which is related to the fact that data on such rights are often dispersed across different data holders. The access to and re-use of data related to occupational and personal pension savings should contribute to the development of pension tracking tools that provide savers with a comprehensive overview of their entitlements and retirement income both within specific Member States and cross-border in the Union or to the alignment of such access and re-use in terms of content and data formats with existing pension tracking systems that include entitlements from public and occupational pension schemes and in some cases also personal schemes. Alignment is also desirable with regard to emerging forms of data exchange between national pension tracking systems, in particular the European Tracking System. Data on pension rights concerns in particular accrued pension entitlements, projected levels of retirement benefits, risks and guarantees of members and beneficiaries of occupational pension schemes. Access to data related to occupational pensions is without prejudice to national social and labour law on the organisation of pension systems, including membership of schemes and the outcomes of collective bargaining agreements. To avoid duplicative data management costs, data holders that contribute to existing national pension tracking schemes should be permitted to use existing technical interfaces and common standards that have already been developed as part of these schemes in order to fulfil the obligations under this Regulation.

(16) Data which forms part of a creditworthiness assessment of a firm in the scope of this Regulation should consist of information which a firm provides to institutions and creditors as part of the loan application process ▌. This includes loan applications of micro, small, medium and large enterprises. It may include data collected by institutions and creditors as set out in Annex II of the European Banking Authority Guidelines on loan origination and monitoring[18]. Such data may include financial statements and projections, information on financial liabilities and arrears in payment, evidence of ownership of the collateral, evidence of insurance of the collateral and information on guarantees. Additional data may be relevant if the purpose of the loan application relates to the purchase of commercial real estate or real estate development.

(16a) Data required to conduct know-your-customer processes by financial firms, including SMEs, can be valuable when on-boarding new customers. Therefore, the access to and re-use of such data could significantly contribute to lowering barriers to switching providers and therefore result in increased competition and innovation for financial products and services to the benefit of customers.

(17) As this Regulation is meant to oblige financial institutions to provide access to defined categories of data at the expressed request of the customer when acting as data holders, and allow the access to and re-use of data based on customer explicit permission when financial institutions act as data users, it should provide a list of the financial institutions that may act as either a data holder, a data user or both. Financial institutions should therefore be understood to mean those entities that provide financial products and financial services or offer relevant information services to customers in the financial sector. A data user that is a financial information service provider should not become a data holder by virtue of accessing or otherwise receiving customer data from a data holder.

(18) Practices employed by data users to combine new and traditional customer data sources in the scope of this Regulation must be in the best interest of the customer and proportionate to ensure that they do not lead to financial exclusion risks for consumers. Practices that lead to a more sophisticated or comprehensive analysis of certain vulnerable segments of consumers, such as persons with a low income, may increase the risk of unfair conditions or differential pricing practices like the charging of differential premiums. The potential for exclusion is increased in the provision of products and services that are priced according to the profile of a consumer, notably in credit scoring and the assessment of creditworthiness of natural persons as well as for products and services related to the risk assessment and pricing of natural persons in the case of life and health insurance. Given the risks, the use and re-use of data for these products and services should be subject to specific requirements to protect consumers and their fundamental rights.

(19) The data use perimeter thus established in this Regulation and in the accompanying regulatory technical standards and guidelines ▌to be developed by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) should provide a proportionate framework on how personal data related to a consumer that falls within the scope of this Regulation should be used. The data use perimeter ensures consistency between the scope of this Regulation, which excludes data that forms part of a creditworthiness assessment of a consumer as well as data related to life, health and sickness insurance of a consumer, and the scope of the regulatory technical standards and guidelines, which set recommendations on how types of data originating from other areas of the financial sector that are in scope of this Regulation can be used to provide these products and services. The regulatory technical standards and guidelines developed by ▌ EBA should set out how other types of data that are in scope of this Regulation can be used to assess the credit score of a consumer. The regulatory technical standards and guidelines developed by EIOPA should set out how data in scope of this Regulation can be used in products and services related to risk assessment and pricing in the case of life, health and sickness insurance products. The regulatory technical standards and guidelines should be developed in a manner that is aligned to the needs of the consumer and proportionate to the provision of such products and services.

(20) EBA and EIOPA should closely cooperate with the European Data Protection Board when drafting the guidelines, which should build on existing recommendations on the use of consumer information in the area of consumer and mortgage credit, notably the rules on use of creditworthiness assessment under Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC, the European Banking Authority’s Guidelines on loan origination and monitoring, and the European Banking Authority guidelines on creditworthiness assessment developed under Directive 2014/17/EU, as well as guidelines provided by the European Data Protection Board on the processing of personal data.

(21) Customers must have effective control over their data and confidence in managing permissions they have granted in accordance with this Regulation. Data holders should therefore be required to provide customers with common and consistent financial data access permission dashboards. The permission dashboard should empower the customer to manage their permissions in an informed and impartial manner and give customers a strong measure of control over how their personal and non-personal data is used. It should not be designed in a way that would encourage or unduly influence the customer to grant or withdraw permissions. For example, the procedure to withdraw permission should not be made more difficult than the procedure to give permission for access to data. The data user should be responsible for the accuracy of the data provided to the data holder to fulfil its requirements with regards to the display of new permissions granted by the customer on the permission dashboard. The permission dashboard should take into account, where appropriate, the accessibility requirements under Directive (EU) 2019/882 of the European Parliament and of the Council[19]. When providing a permission dashboard, data holders could use a notified electronic identification and trust service, such as a European Digital Identity Wallet issued by a Member State as introduced by the proposal amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity[20]. Data holders may also rely on data intermediation service providers under Regulation (EU) 2022/868 of the European Parliament and of the Council[21], to provide permission dashboards that fulfil the requirements of this Regulation.

(22) The permission dashboard should display the permissions given by a customer, including when personal data are accessed based on consent or are necessary for the performance of a contract. The permission dashboard should warn a customer in a standard way of the risk of possible contractual consequences of the withdrawal of a permission, but should not encourage or influence a customer to grant access in a way that materially distorts or impairs their ability to make a free and informed decision, as the customer should remain responsible for managing such risk. To allow consumers to effectively stay in control of their data, the deployment of dark patterns and pre-ticked boxes in dashboards should be prohibited for the purpose of providing permissions to enable data access. The permission dashboard should be used to manage existing permissions. Data holders should inform data users in real-time of any withdrawal of a permission. The permission dashboard should include a record of permissions that have been withdrawn or have expired for a period of up to two years to allow the customer to keep track of their permissions in an informed and impartial manner. Data users should inform data holders in real-time of new and re-established permissions granted by customers, including the duration of validity of the permission and a short summary of the purpose of the permission. The information provided on the permission dashboard is without prejudice to the ▌requirements under Regulation (EU) 2016/679, in particular the information requirements. The permission dashboard may be combined with the permission dashboard established under Regulation ... [the Payment Services Regulation].

(23) To ensure proportionality, certain financial institutions are out of the scope of this Regulation for reasons associated with their size or the services they provide, which would make it too difficult to comply with this regulation. These include institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total, as well as insurance intermediaries who are microenterprises or small or medium-sized enterprises. In addition, small or medium-sized enterprises acting as data holders that are within the scope of this Regulation should be allowed to establish an application programming interface jointly, reducing the costs for each of them. They can also avail themselves of external technology providers which run application programming interfaces in a pooled manner for financial institutions and may charge them only a low fixed usage fee and work largely on a pay-per-call basis. This Regulation should not apply to small enterprises until after ... [12 months from the date of application of this Regulation]. Small enterprises may at their own initiative choose to apply this Regulation before the deadline of the entry into force of this obligation. This could be important to ensure proportionate involvement of smaller enterprises in the development of financial data access schemes.

(24) This Regulation introduces a new legal obligation on financial institutions acting as data holders to provide data users with access to defined categories of data at the request of the customer. The obligation on data holders to provide access to data at the expressed request of the customer should be specified by making available generally recognised standards to also ensure that the data accessed is of a sufficiently high quality. The data holder should make customer data available only for the purposes and under the conditions for which the customer has explicitly granted permission to a data user for a specific service clearly identified by the customer, where relevant and technically feasible continuously and in real-time. Continuous access should be strictly limited to the purposes for which the customer has granted permission. It could consist of multiple requests to make customer data available to fulfil the service agreed with the customer. It could also consist of a one-off access to customer data. Real-time access should not oblige a data holder to instantly update an account, policy or contract of a customer. The obligation of a data holder to make customer data available in real-time concerns the rate of access at which data should be transmitted to a customer or a data user. Customer data should be made available in the state that it is held by the data holder at the time access is requested by a data user. Real-time access, for instance, is without prejudice to constraints in the payroll declaration and the cyclicity of pension administration processing time. While the data holder is responsible for the interface to be available and for the interface to be of adequate quality, the interface may be provided not only by the data holder but also by another financial institution, an external IT provider, an industry association or a group of financial institutions, or by a public body in a Member State.
For institutions for occupational retirement provisions, the interface can be integrated into pension dashboards or existing pension tracking services that cover a broader range of information, as long as it complies with the requirements of this Regulation.

(25) In order to enable the contractual and technical interaction necessary for implementing data access between multiple financial institutions, data holders and data users should be required to be part of financial data access schemes. These schemes should develop data and interface standards, joint standardised contractual frameworks governing access to specific datasets, and governance rules related to data access and re-use. In order to ensure that schemes function effectively across the internal market, it is necessary to establish general principles for the governance of these schemes, including rules on inclusive governance and participation of data holders, data users and customers (to ensure balanced representation in schemes), transparency requirements, and a well-functioning appeal and review procedure (notably around the decision-making of schemes). Financial data access schemes must comply with Union rules in the area of consumer protection and data protection, privacy, and competition. The participants in such schemes are also encouraged to draw up codes of conduct in accordance with Article 40 of Regulation (EU) 2016/679. While such schemes may build upon existing market initiatives, the requirements set out in this Regulation should be specific to financial data access schemes or parts thereof which market participants use to fulfil their obligations under this Regulation after the date of application of these obligations.

(26) A financial data access scheme should consist of a collective contractual agreement between data holders and data users with the objective of promoting efficiency and technical innovation in financial data access to the benefit of customers. In line with Union rules on competition, a financial data access scheme should only impose on its members restrictions which are necessary to achieve its objectives and which are proportionate to those objectives. It should not afford its members the possibility of preventing, restricting or distorting competition in respect of a substantial part of the relevant market. In the setting up of financial data access schemes, all parties to the schemes should be involved. The Commission and competent authorities should also be available for consultation by those setting up the schemes, and be ready to offer advice on best practice and examples of other schemes set up during the period running up to the application of this Regulation. A financial data access scheme that is developed by scheme members established in the same Member State should be notified to the competent authority of the Member State of establishment. In accordance with the obligations of this Regulation, financial data access schemes that are national in composition should remain open to participation of new members on the same terms and conditions as those for existing members. Where the membership of such a financial data access scheme changes due to the addition of data holders and data users that are established in another Member State, the scheme should be notified to the European Banking Authority established by Regulation (EU) No 1093/2010[22] (EBA), the European Insurance and Occupational Pensions Authority established by Regulation (EU) No 1094/2010[23] (EIOPA) and the European Securities and Markets Authority established by Regulation (EU) No 1095/2010[24], of the European Parliament and of the Council (together referred to as the ‘ESAs’).
However, where changes to the membership of a financial data access scheme result in all members being established in the same Member State, the scheme should be notified to the competent authority of that Member State. All changes should be notified to the electronic central register maintained by EBA.

(27) In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of specifying the modalities and characteristics of a financial data access scheme in case a scheme is not completely developed by the data holders and the data users. Before adopting such a delegated act, the Commission should consult the European Data Protection Board and all relevant stakeholders and submit a report to the European Parliament and the Council setting out any grounds for intervention. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making[25]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(28) Data holders and data users should be allowed to use existing market standards and infrastructures for technical interfaces like application programming interfaces when developing common standards for mandatory data access. The European Data Innovation Board should issue guidelines to ensure Union-wide interoperable data standards related to customer data in the scope of this Regulation.

(29) To ensure that data holders have an interest in investing in and providing high quality interfaces for making data available to data users, while at the same time avoiding excessive burdens on access to and the use of data which make data access no longer commercially viable, data holders should be able to request reasonable compensation from data users for costs incurred in providing access to the data, including the costs related to putting in place and maintaining application programming interfaces. Facilitating data access against compensation would ensure a fair distribution of the related costs between data holders and data users in the data value chain. In cases where the data user is an SME, proportionality for smaller market participants should be ensured by limiting compensation strictly to the costs incurred for facilitating data access, while ensuring that there are sufficient incentives to foster market adoption and effective competition. The model for determining the level of compensation should be defined as part of the financial data access schemes as provided in this Regulation. The model should take into account levels of compensation prevalent in the market, including in market-led initiatives. In accordance with Regulation (EU) 2023/2854 of the European Parliament and of the Council[26], the Commission should adopt guidelines on the calculation of reasonable compensation.

(30) Customers should know what their rights are in case problems arise when data is accessed and who to approach to seek compensation. Financial data access scheme members, including data holders and data users, should therefore be required to agree on the contractual liability for data breaches, customer compensation when data is misused, including when it is transferred to a third party without the customer’s explicit permission, as well as how to resolve potential disputes between data holders and data users regarding liability. Those requirements should focus on establishing, as part of any contract, liability rules as well as clear obligations and rights to determine liability between the data holder and the data user. Liability issues related to the consumers as data subjects should be based on Regulation (EU) 2016/679, notably the right to compensation and liability under Article 82 of that Regulation.

(31) To promote consumer protection, enhance customer trust and ensure a level playing field, it is necessary to lay down rules on who is eligible to access customers’ data. Such rules should ensure that all data users are authorised and supervised by competent authorities. This would ensure that data can be accessed only by regulated financial institutions or by firms subject to a dedicated authorisation as financial information service providers (‘FISPs’) which is subject to this Regulation. Eligibility rules on FISPs are needed to safeguard financial stability, market integrity and consumer protection, as FISPs would provide financial information services to customers in the Union and would access data held by financial institutions, the integrity of which is essential to preserve the financial institutions’ ability to continue providing financial services in a safe, sound and secure manner. Such rules are also required to guarantee the proper supervision of FISPs by competent authorities in line with their mandate to safeguard financial stability and integrity in the Union, which would allow FISPs to provide throughout the Union the financial information services for which they are authorised. FISPs should not use their licence as financial information service providers to conduct activities regulated by existing sector-specific legislation. For example, they should not be authorised to provide financial advice regulated under Directive 2014/65/EU or carry out insurance distribution activities regulated under Directive (EU) 2016/97.

(32) Data users within the scope of this Regulation should be subject to the requirements of Regulation (EU) 2022/2554 of the European Parliament and of the Council[27] and therefore be obliged to have strong cyber resilience standards in place to carry out their activities. This includes having comprehensive capabilities to enable a strong and effective information and communication technology (ICT) risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Data users authorised and supervised as financial information service providers under this Regulation should follow the same approach and the same principle-based rules when addressing ICT risks taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. Financial information service providers should therefore be included in the scope of Regulation (EU) 2022/2554.

(33) In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, financial information service providers must be ▌legally incorporated in the Union▌. An effective supervision by the competent authorities is necessary for the enforcement of requirements under this Regulation to ensure integrity and stability of the financial system and to protect consumers. ▌

(34) A financial information service provider should be authorised in the jurisdiction of the Member State where its main establishment is located, that is, where the financial information service provider has its head office or registered office within which the principal functions and operational control are exercised. ▌

(35) To facilitate transparency regarding data access and financial information service providers, EBA should establish a register of financial information service providers authorised under this Regulation, as well as financial data ▌ access schemes agreed between data holders and data users.

(36) Competent authorities should be conferred with the powers necessary to supervise the way in which market participants comply with the obligation on data holders to provide access to customer data established by this Regulation, as well as to supervise financial information service providers. Access to relevant data traffic records held by a telecommunications operator as well as the ability to seize relevant documents on premises are important and necessary powers to detect and prove the existence of breaches under this Regulation. Competent authorities should therefore have the power to require such records where they are relevant to an investigation, insofar as permitted under national law. Competent authorities should also cooperate with the supervisory authorities established under Regulation (EU) 2016/679 in the performance of their tasks and the exercise of their powers in accordance with that Regulation.

(37) Since financial institutions and financial information service providers can be established in different Member States and supervised by different competent authorities, the application of this Regulation should be facilitated by close cooperation among relevant competent authorities, through the mutual exchange of information and the provision of assistance in the context of the relevant supervisory activities.

(38) To ensure a level playing field in the area of sanctioning powers, Member States should be required to provide for effective, proportionate and dissuasive administrative sanctions, including periodic penalty payments, and administrative measures for the infringement of provisions of this Regulation. Those administrative sanctions, periodic penalty payments and administrative measures should meet certain minimum requirements, including the minimum powers that should be vested on competent authorities to be able to impose them, the criteria that competent authorities should consider when imposing them, and the obligation to publish and report. Member States should lay down specific rules and effective mechanisms regarding the application of periodic penalty payments.

(39) In addition to administrative sanctions and administrative measures, competent authorities should be empowered to impose periodic penalty payments on financial information services providers and on those members of their management body who are identified as responsible for an ongoing infringement or who are required to comply with an order from an investigating competent authority. Since the purpose of the periodic penalty payments is to compel natural or legal persons to comply with an order from the competent authority to act, for example to accept to be interviewed or to provide information, or to terminate an ongoing breach, the application of periodic penalty payments should not prevent competent authorities from imposing subsequent administrative sanctions for the same infringement. Unless otherwise provided for by Member States, periodic penalty payments should be calculated on a daily basis.

(40) Irrespective of their denomination under national law, forms of expedited enforcement procedure or settlement agreements are to be found in many Member States and are used as an alternative to formal proceedings leading to imposing sanctions. An expedited enforcement procedure usually starts after an investigation has been concluded and the decision to start proceedings leading to imposing sanctions has been taken. An expedited enforcement procedure is characterised by being shorter than a formal one, due to simplified procedural steps. Under a settlement agreement usually the parties subject to the investigation by a competent authority agree to end that investigation early, in most cases by accepting liability for wrongdoing.

(41) While it does not appear appropriate to strive to harmonise at Union level such expedited enforcement procedures, which were introduced by many Member States, due to the varied legal approaches adopted at national level, it should be acknowledged that such methods allow competent authorities that can apply them, to handle infringement cases in a speedier, less costly and overall efficient way under certain circumstances, and should therefore be encouraged. However, Member States should not be obliged to introduce such enforcement methods in their legal framework nor should competent authorities be compelled to use them if they do not deem it appropriate. Where Member States choose to empower their competent authorities to use such enforcement methods, they should notify the Commission of such decision and of the relevant measures regulating such powers.

(42) National competent authorities should be empowered by Member States to impose such administrative sanctions and administrative measures to financial information service providers and other natural or legal persons where relevant to remedy the situation in the case of infringement. The range of sanctions and measures should be sufficiently broad to allow Member States and competent authorities to take account of the differences between financial information service providers, as regards their size, characteristics and the nature of their business.

(43) The publication of an administrative penalty or measure for infringement of provisions of this Regulation can have a strong dissuasive effect against repetition of such infringement. Publication also informs other entities of the risks associated with the sanctioned financial information service provider before entering into a business relationship and assists competent authorities in other Member States in relation to the risks associated with a financial information service provider when it operates in their Member States on a cross-border basis. For those reasons, the publication of decisions on administrative penalties and administrative measures should be allowed as long as it concerns legal persons. In taking a decision whether to publish an administrative penalty or administrative measure, competent authorities should take into account the gravity of the infringement and the dissuasive effect that the publication is likely to produce. However, any such publication referring to natural persons may impinge on their rights stemming from the Charter of Fundamental Rights and the applicable Union data protection legislation in a disproportionate manner. Publication should occur in an anonymised way unless the competent authority deems it necessary to publish decisions containing personal data for the effective enforcement of this Regulation, including in the case of public statements or temporary bans. In such cases the competent authority should justify its decision.

(44) The exchange of information and the provision of assistance between competent authorities of the Member States is essential for the purposes of this Regulation. Consequently, cooperation between authorities should not be subject to unreasonable restrictive conditions.

(45) The cross-border access to data by information service providers should be allowed pursuant to the freedom to provide services or the freedom of establishment. A financial information service provider wishing to have access to data held by a data holder in another Member State, should notify its intention to its competent authority, providing information on the type of data it wishes to access, the financial data access scheme of which it is a member and the Member States in which it intends to access the data.

(46) The objectives of this Regulation, namely giving effective control of data to the customer and addressing the lack of rights of access to customer data held by data holders, cannot be sufficiently achieved by the Member States given their cross-border nature but can rather be better achieved at Union level, by means of the creation of a framework through which a larger cross-border market with data access could be developed. The Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(47) Regulation (EU) 2023/2854 (Data Act) ▌establishes a horizontal framework for access to and use of data across the Union. This Regulation complements and specifies the rules laid down in Regulation (EU) 2023/2854. Therefore those rules also apply to the access of data governed by this Regulation. This includes provisions on the conditions under which data holders make data available to data recipients, on compensation, dispute settlement bodies to facilitate agreements between data access parties, technical protection measures, international access and transfer of data and on authorised use or disclosure of data.

(48) Processing of personal data in the context of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, as well as, where applicable, with Directive 2002/58/EC of the European Parliament and of the Council[28]. Regulation (EU) 2016/679 provides for the rights of a data subject, including the right of access and right to port personal data. This Regulation is without prejudice to the rights of a data subject provided under Regulation (EU) 2016/679, including the right of access and right to data portability. This Regulation creates a legal obligation to provide access to and enable re-use of customer personal and non-personal data upon customer’s request and mandates the technical feasibility of access ▌for all types of data within the scope of this Regulation. The granting of permission by a customer is without prejudice to the obligations of data users under Article 6 of Regulation (EU) 2016/679; notably, permission should not be construed as consent or as necessity for the performance of a contract. Personal data that are made available to a data user should only be processed for services provided by a data user where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, when applicable, where the requirements of Article 9 of that Regulation on the processing of special categories of data are met. In the case of mixed datasets, where personal and non-personal data are inextricably linked, the protections in Union data protection legislation and in this Regulation concerning personal data should be fully applicable.

(49) This Regulation builds upon and complements the ‘open banking’ provisions under Directive (EU) 2015/2366 and is fully consistent with Regulation (EU) …/202.. of the European Parliament and of the Council on payment services and amending Regulation (EU) No 1093/2010[29] and Directive (EU) …/202.. of the European Parliament and of the Council on payment services and electronic money services amending Directives 2013/36/EU and 98/26/EC and repealing Directives 2015/2355/EU and 2009/110/EC[30]. The initiative complements the already existing ‘open banking’ provisions under Directive (EU) 2015/2366 that regulate access to payment account data held by account servicing payment service providers. It builds on the lessons learned on ‘open banking’ as identified in the review of Directive 2015/2366/EU.[31] This Regulation ensures coherence between financial data access and open banking where additional measures are necessary, including on permission dashboards, the legal obligations to grant direct access to customer data, and the requirement for data holders to put in place interfaces.

(50) This Regulation does not affect the provisions related to data access ▌in Union financial services legislation, namely the following: (i) the provisions on access to benchmarks and the access regime for exchange-traded derivatives between trading venues and Central Counterparties laid down in Regulation (EU) No 600/2014 of the European Parliament and of the Council[32]; (ii) the rules on access of creditors to the database under Directive 2014/17/EU of the European Parliament and of the Council[33]; (iii) the rules on access to securitisation repositories under Regulation (EU) 2017/2402 of the European Parliament and of the Council[34]; (iv) the rules on the right to request from the insurer a claims history statement and on the access to central repositories to basic data necessary for the settlement of claims under Directive 2009/103/EC of the European Parliament and of the Council[35]; (v) the right to access and transfer all necessary personal data to a new pan-European Personal Pension Product provider under Regulation (EU) 2019/1238 of the European Parliament and of the Council[36]; and (vi) the provisions on outsourcing and reliance under Directive (EU) 2018/843 of the European Parliament and of the Council[37]. Furthermore, this Regulation does not affect the application of EU or national rules of competition of the Treaty on the Functioning of the European Union and any secondary Union acts. This Regulation is also without prejudice to accessing ▌and using data without making use of the data access obligations established by this Regulation on a purely contractual basis.

(51) As the access to data related to payment accounts is regulated under a different regime set out in Directive (EU) 2015/2366, it is deemed appropriate to set, in this Regulation, a review clause for the Commission to examine whether the introduction of the rules under this Regulation impacts the way AISPs access data and whether it would be appropriate to streamline the rules governing the access of data applicable to AISPs.

(52) Given that the ESAs should govern all objectives of this Regulation and be mandated to make use of their powers in relation to financial information service providers, it is necessary to ensure that they are able to exercise all of their powers and tasks in order to fulfil their objectives of protecting the public interest by contributing to the short, medium and long-term stability and effectiveness of the financial system, for the Union economy, its citizens and businesses and to ensure that financial information service providers are covered by Regulations (EU) No 1093/2010 ▌, (EU) No 1094/2010 and (EU) No 1095/2010 of the European Parliament and of the Council. Those Regulations should therefore be amended accordingly.

(53) The date of application of this Regulation should be deferred by [32] months in order to allow for the adoption of regulatory technical standards and delegated acts that are necessary to specify certain elements of this Regulation.

(54) The European Data Protection Supervisor was consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 of the European Parliament and of the Council[38] and delivered an opinion on 22 August 2023,

HAVE ADOPTED THIS REGULATION:

TITLE I
Subject Matter, Scope, and Definitions

Article 1
Subject matter

This Regulation establishes rules on the access, ▌use and re-use of ▌categories of customer data in financial services referred to in Article 2(1) of this Regulation.


This Regulation also establishes rules concerning the authorisation and operation of financial information service providers.


This Regulation is without prejudice to Regulations (EU) 2016/679 and (EU) 2018/1725 and to Directive 93/13/EEC of the European Parliament and of the Council[39], Directive 2002/58/EC, Directive (EU) 2019/2161 of the European Parliament of the Council[40], and Directive 2011/83/EU of the European Parliament and of the Council[41].


This Regulation is also without prejudice to Directives 2014/17/EU, 2014/65/EU, (EU) 2016/97 and (EU) 2023/2225.

Article 2
Scope

1. This Regulation applies to the following categories of customer data, which are derived from financial services provided within the Union:

(a) mortgage credit agreements as defined in Directive 2014/17/EU, credit agreements, and accounts, including credit card accounts, except payment accounts as defined in the Payment Services Directive (EU) 2015/2366 and technical accounts, including data on balance, conditions and transactions;

(b) savings comprising term deposits, structured deposits, and savings accounts, investments in financial instruments, in accordance with Section C of Annex I to Directive 2014/65/EU and excluding derivative transactions used for risk management purposes, insurance-based investment products, crypto-assets as defined in Article 3(1), point (5), of Regulation (EU) 2023/1114 of the European Parliament and of the Council[42], real estate and other related financial assets as well as the economic benefits derived from such assets; including data collected for the purposes of carrying out an assessment of suitability and appropriateness in accordance with Article 25 of Directive 2014/65/EU of the European Parliament and of the Council[43];

(c) pension rights in occupational pension schemes, in accordance with Directive 2009/138/EC and Directive (EU) 2016/2341 of the European Parliament and of the Council[44] that are accessible for all interested consumers, with the exception of data related to sickness and health cover of a member or beneficiary;

(d) pension rights on the provision of pan-European personal pension products, in accordance with Regulation (EU) 2019/1238;

(e) non-life insurance products in accordance with Directive 2009/138/EC, with the exception of sickness and health insurance products; including data collected for the purposes of a demands and needs assessment in accordance with Article 20 of Directive (EU) 2016/97 of the European Parliament and Council[45], and data collected for the purposes of an appropriateness and suitability assessment in accordance with Article 30 of Directive (EU) 2016/97;

(f) data which forms part of a creditworthiness assessment of a firm which is collected as part of a credit agreement application process ▌. Data collected as part of a creditworthiness assessment of consumers shall be excluded;

(fa) non-sensitive categories of data used by data holders to meet know-your-customer requirements for business customers.

2. This Regulation applies to the following entities when acting as data holders or data users:

(a) credit institutions;

(b) payment institutions ▌;

(c) electronic money institutions ▌;

(d) investment firms;

(e) crypto-asset service providers;

(f) issuers of asset-referenced tokens;

(g) managers of alternative investment funds;

(h) management companies of undertakings for collective investment in transferable securities;

(i) insurance ▌ undertakings;

(j) insurance intermediaries and ancillary insurance intermediaries;

(k) institutions for occupational retirement provision (IORP) that are accessible for all interested consumers, excluding small IORP as referred to in Article 5 of Directive (EU) 2016/2341;

(m) crowdfunding service providers, which are not consumer lending platforms;

(n) PEPP providers;

(o) financial information service providers;

(oa) operators of payment schemes.

3. This Regulation applies to small enterprises as defined in Commission Recommendation 2003/361/EC[46] from ...[12 months from the date of application of this Regulation] and shall not apply to the entities referred to in Article 2(3), points (a) to (e), of Regulation (EU) 2022/2554, the small and non‐interconnected investment firms referred to in Article 12 of Regulation (EU) 2019/2033 of the European Parliament and of the Council[47], or the entities referred to in Article 2(5), points (4) to (23), of Directive (EU) [2024/...] of the European Parliament and of the Council[48].

3a. By way of derogation from paragraph 3, this Regulation applies to the entities referred to in Article 2(3), point (e), of Regulation (EU) 2022/2554 if they so wish, provided that they prove their compliance with the relevant provisions of that Regulation.

3b. This Regulation does not apply to special categories of data referred to in Article 9(1) of Regulation (EU) 2016/679 unless the requirements referred to in Article 9(2) of that Regulation are met.

4. This Regulation does not affect the application of other Union legal acts regarding access to and re-use of customer data referred to in paragraph 1, unless specifically provided for in this Regulation.

4a. This Regulation is without prejudice to Union and national law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment, which shall apply to personal data processed in connection with the rights and obligations laid down herein, in particular Directive 2002/58/EC, including the powers and competences of supervisory authorities and the rights of data subjects. Insofar as users are data subjects, the legal obligation laid down in Chapter II of this Regulation is without prejudice to the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679.

4b. This Regulation is without prejudice to accessing and using data on a purely contractual basis without making use of the data access obligations established by this Regulation.

Article 3
Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘consumer’ means a consumer as defined in Article 2, point (1), of Directive 2011/83/EU of the European Parliament and of the Council;

(2) ‘customer’ means a natural person resident in the Union or a legal person established in the Union who is a consumer or a micro, small or medium-sized enterprise that is party to or has applied to an agreement for the use of financial products and services;

(3) ‘customer data’ means personal and non-personal data in digital form that is collected, stored and managed by a financial institution as part of its normal course of business in connection with a relationship between a customer and the financial institution as the data holder for the provision of such services, which covers both data provided by a customer and transaction data related to a customer held by a financial institution and which excludes data created as a result of profiling as defined in Article 4(4) of Regulation (EU) 2016/679 and trade secrets as defined in Article 2, point (1), of Directive (EU) 2016/943;

(4) ‘competent authority’ means the authority designated by each Member State in accordance with Article 17 ▌;

(5) ‘data holder’ means a financial institution▌ that collects and stores one or more categories of data listed in Article 2(1) ;

(6) ‘data user’ means any of the entities listed in Article 2(2) who, following the permission of a customer, has lawful access to customer data listed in Article 2(1);

(6a) ‘financial information service’ means the online service provided by a data user of collecting and consolidating customer data to customers and does not include the provision of services regulated under existing Union financial services legislation and reserved for financial institutions authorised under Union law;

(7) ‘financial information service provider’ means an entity providing a financial information service that is established in the Union and authorised under Article 14 to access the customer data listed in Article 2(1) for the provision of financial information services;

(8) ‘financial institution’ means the entities listed in Article 2(2), points (a) to (n), who are either data holders, data users or both for the purposes of this Regulation;

(10) ‘non-personal data’ means data other than personal data ▌;

(11) ‘personal data’ means personal data as defined in Article 4(1) of Regulation 2016/679;

(12) ‘credit institution’ means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council[49];

(13) ‘investment firm’ means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU;

(14) ‘crypto asset service provider’ means a crypto asset service provider as referred to in Article 3(1), point (15), of Regulation (EU) 2023/1114 of the European Parliament and of the Council[50];

(15) ‘issuer of asset referenced tokens’ means an issuer of asset referenced tokens authorised under Article 21 of Regulation (EU) 2023/1114;

(16) ‘payment institution’ means a payment institution as defined in Article 4(4), of Directive (EU) 2015/2366;

(17) ‘account information service provider’ means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;

(18) ‘electronic money institution’ means an electronic money institution as defined in Article 2(1), of Directive 2009/110/EC;

(19) ‘electronic money institution exempted pursuant to Directive 2009/110/EC’ means an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC;

(20) ‘manager of alternative investment funds’ means a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU of the European Parliament and of the Council[51];

(21) ‘management company of undertakings for collective investment in transferable securities’ means a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC of the European Parliament and of the Council[52];

(22) ‘insurance undertaking’ means an insurance undertaking as defined in Article 13(1) of Directive 2009/138/EC;

(23) ‘reinsurance undertaking’ means a reinsurance undertaking as defined in Article 13(4) of Directive 2009/138/EC;

(24) ‘insurance intermediary’ means an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council[53];

(25) ‘ancillary insurance intermediary’ means an ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97;

(26) ‘institution for occupational retirement provision’ means an institution for occupational retirement provision as defined in Article 6(1), of Directive (EU) 2016/2341;

(27a) ‘credit agreement’ means credit agreement as defined in Article 3, point (4), of Directive (EU) 2021/2167 of the European Parliament and of the Council[54];

(28) ‘PEPP provider’ means a PEPP provider as defined in Article 2, point (15), of Regulation (EU) 2019/1238 of the European Parliament and of the Council;

(28a) ‘crowdfunding service provider’ means a crowdfunding service provider as defined in Article 2(1), point (e), of Regulation (EU) 2020/1503 of the European Parliament and of the Council[55];

(28b) ‘trade secret’ means trade secret as defined in Article 2(1), point (1), of Directive (EU) 2016/943;

(29a) ‘permission’ means the clear and unambiguous authorisation to a data user to access customer data, provided by customers themselves, based on which a data holder is required to make the requested data available for the specified purpose.

(29b) ‘small and medium-sized enterprise’ means a small and medium-sized enterprise as defined in Article 4(1), point (13), of Directive 2014/65/EU;

(29c) ‘legal entity identifier’ means a unique alphanumeric reference code based on the ISO 17442 standard assigned to a legal entity;
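The definition in point (29c) only names the standard. An ISO 17442 code is 20 characters: an 18-character uppercase alphanumeric body followed by two check digits computed with ISO 7064 MOD 97-10 (the same scheme as IBAN check digits), so a data holder or data user can at least reject a malformed or mistyped identifier before relying on it. The following is an added example, not part of the legislative text or of any official GLEIF tooling; the function names are this example's own, and the sample code below is one LEI value used here only as test input. Passing the check only proves the string is well-formed; whether the identifier is actually issued and active has to be confirmed against the Global LEI Index.

```python
import re

# ISO 17442 layout: 18 alphanumeric characters plus two numeric check digits.
LEI_RE = re.compile(r"[0-9A-Z]{18}[0-9]{2}")


def _iso7064_mod97(s: str) -> int:
    """ISO 7064 MOD 97-10 residue of an alphanumeric string.

    Digits keep their value, letters A..Z are replaced by 10..35 (two digits each),
    and the resulting decimal number is reduced modulo 97 incrementally so that
    even long strings never need big-integer arithmetic.
    """
    total = 0
    for ch in s:
        v = int(ch, 36)                      # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
        total = (total * (100 if v >= 10 else 10) + v) % 97
    return total


def lei_check_digits(body18: str) -> str:
    """Compute the two check digits for an 18-character LEI body."""
    body18 = body18.strip().upper()
    if not re.fullmatch(r"[0-9A-Z]{18}", body18):
        raise ValueError("LEI body must be exactly 18 alphanumeric characters")
    # Append '00', take the residue, and subtract from 98 (ISO 7064 MOD 97-10).
    return f"{98 - _iso7064_mod97(body18 + '00'):02d}"


def validate_lei(lei: str) -> bool:
    """Return True if the string is a structurally valid ISO 17442 LEI.

    This is a syntax and checksum test only. It does not tell you whether the
    LEI has been issued, to whom, or whether its registration is still current.
    """
    lei = lei.strip().upper()
    if not LEI_RE.fullmatch(lei):
        return False
    # The generator above never produces 00, 01 or 99, so reject them even though
    # '99' can satisfy the residue test by coincidence.
    if lei[18:] in ("00", "01", "99"):
        return False
    return _iso7064_mod97(lei) == 1


if __name__ == "__main__":
    # Sample LEI value used as test input (a constructed example for this page).
    sample = "506700GE1G29325QX363"
    print(sample, validate_lei(sample), lei_check_digits(sample[:18]))
```

Because the residue is computed modulo a prime, any single-character error and any adjacent transposition changes the residue, which is why the last two assertions in the test below fail as they should.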

TITLE II
Data Access

Article 4
Obligation on a data holder to make ▌ data available to the customer

The data holder shall, upon request from a customer submitted through a dedicated online or mobile customer interface make the data listed in Article 2(1) available to the customer via that customer interface in an easily readable format reflecting the state in which those data are readily available to the data holder at the time that access is requested by a customer, without undue delay, free of charge, continuously and in real-time.

Article 5
Obligations on a data holder to make customer data available to a data user

1. The data holder shall, upon explicit request from a customer to do so submitted through a dedicated online or mobile customer interface, make available to a data user that acts on behalf of the customer the customer data listed in Article 2(1) only for the purposes relating to the specific service for which the customer has given explicit permission for the use of their data▌. The customer data shall be made available to the data user without undue delay, continuously and in real-time.

2. A data holder may claim compensation from a data user for making customer data available pursuant to paragraph 1 only if the customer data is made available to a data user in accordance with the rules and modalities of a financial data access scheme, as provided in Articles 9 and 10, or if it is made available pursuant to Article 11.

3. When making data available pursuant to paragraph 1, the data holder shall:

(a) make customer data available to the data user in a format based on generally recognised standards and at least in the same quality available to the data holder;

(b) communicate securely with the data user by ensuring an appropriate level of security for the processing and transmission of customer data;

(ba) where personal data is processed, request data users to demonstrate that they have a valid legal basis pursuant to Article 6(1), point (a) or (b), of Regulation (EU) 2016/679;

(c) request data users to demonstrate that they have obtained the permission of the customer to access the customer data held by the data holder;

(d) provide the customer with a permission dashboard to monitor and manage permissions in accordance with Article 8.

(e) protect the confidentiality of trade secrets and intellectual property rights of a data holder.

Article 6
Obligations on a data user receiving customer data

1. A data user shall only be eligible to access customer data pursuant to Article 5(1) if that data user is▌ a financial institution or▌ a legal person that has been authorised as financial information service provider pursuant to Article 14.

1a. Consumers shall not be prevented from accessing a financial product by a data user solely because they did not give permission to their data being accessed in the manner set out in Article 5(1). For the purpose of implementing this paragraph, the burden of proof shall be on the data user to show that permission was given.

2. A data user shall only request and access any type of customer data made available under Article 5(1) that is adequate, relevant and necessary for the purposes and under the conditions for which the customer has granted its permission. Those data shall relate only to the specific service for which the customer has given its explicit permission. A data user shall delete that customer data, including all backups, without undue delay when it is no longer necessary for the purposes for which the permission has been granted by a customer.

2a. A data user shall ensure that any data access request to a customer provides the customer with fair, transparent and adequate information that is easily understandable for the customer of the financial product or service, including on the specific types of customer data to which the data user seeks access.

2b. A data user shall ensure that any data access request to a customer is not designed in a way that would encourage or unduly influence the customer to grant access, in a way that is not in the best interests of the customer, or in a way that materially distorts or impairs the ability of the customer to make free and informed decisions.

2c. The ESAs may jointly develop draft regulatory technical standards on the implementation of this Article for specific practices, including pre-ticked boxes and behavioural nudges. When preparing those draft regulatory technical standards, the ESAs shall formally consult the European Data Protection Board established by Regulation (EU) 2016/679.

3. A customer shall be able to withdraw the permission it has granted to a data user at any time and, where data access is based on consent in accordance with Regulation (EU) 2016/679, free of charge. When processing is necessary for the performance of a contract, a customer may withdraw the permission it has granted to make customer data available to a data user according to the contractual obligations to which it is subject.

4. To ensure the effective management of▌ data, a data user shall:

(-a) identify itself and securely communicate with the data holder when accessing customer data;

(a) not process any customer data for purposes other than for performing the service explicitly requested by the customer in the best interest of the customer;

(aa) not transfer customer data to any third party, including in an outsourcing scheme, without the customer’s explicit permission;

(b) protect the confidentiality of trade secrets and intellectual property rights of a data holder when customer data is made available in accordance with Article 5(1);

(ba) respect the data protection rights of consumers and the level of protection guaranteed by Regulation (EU) 2016/679;

(c) put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to▌ customer data that is unlawful under Union law or the national law of a Member State;

(d) take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of ▌customer data;

(e) only contact customers for direct marketing purposes subject to their prior consent or with offers for products or services similar to the ones for which they have accessed customer data and under the conditions provided by Article 13(2) of Directive 2002/58/EC;

(f) where the data user is part of a group of companies, or one of the entities of the group has been designated as a gatekeeper under Article 3 of Regulation (EU) 2022/1925, customer data listed in Article 2(1) shall only be made available to and processed by the entity of the group that acts as a data user.

4a. Personal data under this Regulation shall be processed in the Union unless the conditions laid down in Chapter V of Regulation (EU) 2016/679 are complied with.

4b. Data users that are owned or controlled by an undertaking that has been designated as a gatekeeper under Article 3 of Regulation (EU) 2022/1925 shall be prohibited from combining customer data referred to in Article 2(1) of this Regulation with other data relating to the customer that the designated gatekeeper may already collect, store, or otherwise possess for purposes outside this Regulation.

TITLE III
Responsible Data Use and permission dashboards

Article 7
Data use perimeter

1. The processing of customer data referred to in Article 2(1) of this Regulation ▌ shall be limited to what is necessary in relation to the purposes for which they are processed. Customers that refuse to grant permission to access their data shall not be refused access to financial products solely for this reason.

1a. The ESAs shall develop draft regulatory technical standards for the implementation of paragraph 1 of this Article for products and services related to the credit score of the consumer.

The ESAs shall submit those draft regulatory technical standards to the Commission by ... [12 months from the date of entry into force of this Regulation].

Power is delegated to the Commission to supplement this Regulation by adopting regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

2. In accordance with Article 16 of Regulation (EU) No 1093/2010, the European Banking Authority (EBA) shall develop guidelines on the implementation of paragraph 1 of this Article for products and services related to the credit score of the consumer, mortgage credit agreements, accounts including credit card accounts, and investment products. When doing so, EBA shall duly take into account the relevant provisions of Directive (EU) 2023/2225, including subsequent implementing legislation and guidelines.

3. The European Insurance and Occupational Pensions Authority (EIOPA) shall develop draft regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to risk assessment and pricing of a consumer in the case of life, health, motor, home and sickness insurance products. To avoid certain consumers becoming unable to access insurance due to overly granular risk assessments, these regulatory technical standards shall include provisions on how data may be used to avoid excessive granularity that undermines the ‘risk sharing’ principle of insurance.

EIOPA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by ... [XX].

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

3a. For the purpose of paragraph 3, regulatory technical standards should address how the ‘right to be forgotten’ of survivors of cancer or other chronic diseases and mental conditions shall be applicable in relation to non-credit related insurance policies, including life and health insurance.

4. When preparing the draft regulatory technical standards and guidelines referred to in paragraphs 2 and 3 of this Article, EIOPA and EBA shall closely cooperate with and shall formally consult the European Data Protection Board established by Regulation (EU) 2016/679.

4a. The ESAs shall develop guidelines on the processing of customer data referred to in Article 2(1), point (fa), of this Regulation that constitutes non-sensitive data.

4b. Additional human and financial resources shall be provided to the ESAs for the fulfilment of their tasks under this Regulation.

4c. The ESAs shall undertake regular comprehensive reviews of data users' compliance with the provisions set out in this Article. Those reviews shall include a thorough and documented assessment of the data processed by data users in the provision of financial services for the purposes of ensuring that the data processed is in line with the data use perimeter rules as set out in this Article.

Article 8
Financial Data Access permission dashboards

1. A data holder shall provide the customer with a permission dashboard, integrated into its user interface, to monitor and manage the permissions a customer has provided to data users.

2. The permission dashboard as referred to in paragraph 1 shall:

(a) provide the customer, at any time and in a format that is easy to understand, to the extent that the information is in the possession of the data holder, with an overview of each ongoing permission given to each data user, including:

(i) the name of the data user to which access has been granted;

(ii) the customer account, financial product or financial service to which access has been granted;

(iii) the purpose of the permission;

(iv) the categories of data to which access has been granted;

(v) the period of validity of the permission;

(vi) the dates on which the data was accessed.

(b) allow the customer, at any time and free of charge, to withdraw a permission given to a data user;

(ca) allow the customer to opt out from data access with third parties in a general way for all present and future data access permission requests;

(d) include a record of permissions that have been withdrawn or that have expired for a duration of two years.

(da) be consistent with the Regulation (EU) [..../....] [Payment Services Regulation] dashboards and allow data holders to manage data permissions pursuant to this Regulation and the Payment Services Regulation through a single dashboard upon the request of the user.

2a. The ESAs shall jointly, in close cooperation with the European Data Protection Board established by Regulation (EU) 2016/679, develop guidelines specifying the categories of data referred to in paragraph 2 so that data are easily understandable for customers. Those guidelines shall ensure that the dashboard is designed in a way that does not:

(a) encourage or unduly influence the customer to grant or withdraw permissions, including through the use of dark patterns or pre-ticked boxes;

(b) deceive or manipulate the customer, or otherwise materially distorts or impairs the ability of the customer to make free and informed decisions;

(c) make the procedure to withdraw permission more difficult than the procedure to grant access.

2b. Where, pursuant to paragraph 2, point (b), a customer decides to withdraw data access, the data user concerned shall:

(a) cease using the data;

(b) withdraw the data; and

(c) without undue delay, erase all data received as a result of the data access permission granted by the customer.

3. The data holder shall ensure:

(a) that the permission dashboard is easy to find in its user interface and that it complies with Union data protection and consumer legislative frameworks, in particular Regulation (EU) 2016/679, Council Directive 92/13/EEC[56] and Directives 2011/83/EU and (EU) 2019/2161; and

(b) that the information displayed on the dashboard is clear, neutral, accurate and easily understandable for the customer and that it is exclusively limited to information provided by the relevant data user.

4. The data holder and the data user for which permission has been granted by a customer shall cooperate to make information available to the customer via the dashboard in real-time. For the purposes of paragraph 2▌:

(a) the data holder shall inform the data user, in real time, of changes made to a permission, including withdrawal, concerning that data user made by a customer via the dashboard.

(b) a data user shall inform the data holder, in real time, of a new permission granted by a customer regarding customer data held by that data holder, including:

(i) the purpose of the permission granted by the customer, in a clear and comprehensible manner for the user;

(ii) the period of validity of the permission;

(iii) the categories of data concerned.

(iiia) the legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the exception under Article 9(2) of that Regulation that the data user intends to rely on to access personal data contained in the customer data.

(ba) A data user shall be responsible for the accuracy of the data provided to the data holder.

4a. For the purpose of this Article, more than one data holder may, collectively, provide a single permission dashboard to customers, provided that such a single permission dashboard fulfils the requirements set out in paragraphs 1 to 4.
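Article 8 reads as a functional specification: each permission carries a fixed set of attributes (points (2)(a)(i) to (vi) and (4)(b)(iiia)), withdrawal must be possible at any time and must be relayed to the data user in real time (points (2)(b) and (4)(a)), a general opt-out must block present and future requests (point (2)(ca)), and withdrawn or expired permissions must stay on record for two years (point (2)(d)). The following is an added illustration of how the data-holder side of such a dashboard can be modelled; it is not part of the legislative text and not any implementation referred to by the Regulation. The class and field names are this example's own, the customer scenario inside example_run() is constructed, and two readings are assumptions flagged in the comments: that the general opt-out also withdraws permissions that are currently ongoing, and that the two-year retention clock starts on the day the permission ended.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Art. 8(2)(d): withdrawn or expired permissions remain on record for two years.
# Assumption: the clock starts on the day the permission ended.
RETENTION = timedelta(days=2 * 365)
# Art. 5(3)(ba): only GDPR Art. 6(1)(a) consent or Art. 6(1)(b) contract are accepted.
ACCEPTED_LEGAL_BASES = ("Art. 6(1)(a)", "Art. 6(1)(b)")


@dataclass
class Permission:
    """One permission as reported by the data user under Art. 8(4)(b)."""
    data_user: str                # Art. 8(2)(a)(i)
    account: str                  # (ii) account, product or service concerned
    purpose: str                  # (iii)
    categories: Tuple[str, ...]   # (iv)
    valid_from: date              # (v) period of validity
    valid_until: date
    legal_basis: str              # Art. 8(4)(b)(iiia)
    access_dates: List[date] = field(default_factory=list)  # (vi)
    withdrawn_on: Optional[date] = None

    def status(self, today: date) -> str:
        if self.withdrawn_on is not None:
            return "withdrawn"
        if today > self.valid_until:
            return "expired"
        return "ongoing"

    def ended_on(self, today: date) -> Optional[date]:
        """Day the permission stopped being ongoing, or None while it still is."""
        if self.withdrawn_on is not None:
            return self.withdrawn_on
        if today > self.valid_until:
            return self.valid_until
        return None


class PermissionDashboard:
    """Data-holder side of one customer's Art. 8 dashboard (hypothetical model)."""

    def __init__(self) -> None:
        self._perms: Dict[int, Permission] = {}
        self._next_id = 1
        self.general_opt_out = False            # Art. 8(2)(ca)
        # Messages owed to data users under Art. 8(4)(a): (data user, id, event).
        self.outbound: List[Tuple[str, int, str]] = []

    def register(self, perm: Permission) -> Optional[int]:
        """Art. 8(4)(b): record a new permission reported by a data user."""
        if self.general_opt_out:
            return None                         # every future request is refused
        if perm.legal_basis not in ACCEPTED_LEGAL_BASES:
            raise ValueError("Art. 5(3)(ba): legal basis must be GDPR Art. 6(1)(a) or (b)")
        if perm.valid_until < perm.valid_from:
            raise ValueError("validity period ends before it starts")
        pid = self._next_id
        self._next_id += 1
        self._perms[pid] = perm
        return pid

    def record_access(self, pid: int, today: date) -> bool:
        """Log an access date (Art. 8(2)(a)(vi)); refuse unless the permission is ongoing."""
        perm = self._perms.get(pid)
        if perm is None or perm.status(today) != "ongoing":
            return False
        perm.access_dates.append(today)
        return True

    def withdraw(self, pid: int, today: date) -> bool:
        """Art. 8(2)(b): withdraw at any time; Art. 8(4)(a): notify the data user."""
        perm = self._perms.get(pid)
        if perm is None or perm.status(today) != "ongoing":
            return False
        perm.withdrawn_on = today
        self.outbound.append((perm.data_user, pid, "withdrawn"))
        return True

    def opt_out(self, today: date) -> None:
        """Art. 8(2)(ca) general opt-out. Assumption: withdraws all ongoing permissions
        (the 'present' requests) as well as blocking every future registration."""
        self.general_opt_out = True
        for pid in list(self._perms):
            self.withdraw(pid, today)

    def overview(self, today: date) -> List[Tuple[int, Permission]]:
        """Art. 8(2)(a): ongoing permissions only."""
        return [(pid, p) for pid, p in self._perms.items() if p.status(today) == "ongoing"]

    def history(self, today: date) -> List[Tuple[int, Permission]]:
        """Art. 8(2)(d): withdrawn or expired permissions, dropped two years after they ended."""
        for pid, p in list(self._perms.items()):
            ended = p.ended_on(today)
            if ended is not None and today - ended > RETENTION:
                del self._perms[pid]
        return [(pid, p) for pid, p in self._perms.items() if p.status(today) != "ongoing"]


def example_run() -> Dict[str, object]:
    """Constructed scenario: three permissions, one withdrawal, one expiry, one opt-out."""
    d = PermissionDashboard()
    out: Dict[str, object] = {}
    p = Permission("Budget-App Ltd", "current account ***1234", "budgeting",
                   ("balances", "transactions"), date(2025, 1, 1), date(2025, 12, 31), "Art. 6(1)(a)")
    pid = d.register(p)
    out["access_ok"] = d.record_access(pid, date(2025, 3, 1))
    out["ongoing_before"] = [i for i, _ in d.overview(date(2025, 3, 1))]
    out["withdraw_ok"] = d.withdraw(pid, date(2025, 3, 2))
    out["access_after_withdrawal"] = d.record_access(pid, date(2025, 3, 3))
    q = Permission("Insurer SA", "motor policy", "pricing", ("claims",),
                   date(2025, 1, 1), date(2025, 3, 31), "Art. 6(1)(b)")
    d.register(q)
    out["expired_status"] = q.status(date(2025, 4, 1))
    r = Permission("Lender NV", "mortgage application", "creditworthiness", ("income",),
                   date(2025, 1, 1), date(2026, 12, 31), "Art. 6(1)(b)")
    d.register(r)
    d.opt_out(date(2025, 4, 2))             # p already withdrawn, q expired, r ongoing
    out["opt_out_withdrew_r"] = r.withdrawn_on == date(2025, 4, 2)
    out["register_after_opt_out"] = d.register(p)
    out["notified"] = list(d.outbound)
    out["history_within_2y"] = [i for i, _ in d.history(date(2027, 3, 2))]
    out["history_after_2y"] = [i for i, _ in d.history(date(2027, 3, 3))]
    try:
        PermissionDashboard().register(Permission("X", "acct", "ads", ("balances",),
                                                  date(2025, 1, 1), date(2025, 2, 1), "Art. 6(1)(f)"))
        out["bad_basis_rejected"] = False
    except ValueError:
        out["bad_basis_rejected"] = True
    return out
```

The two points worth noting for a practitioner are that the holder refuses to log an access against anything but an ongoing permission (so a data user that keeps calling after withdrawal is visible in the holder's own records) and that a request on a legal basis other than GDPR Article 6(1)(a) or (b) is rejected at registration rather than recorded and acted on.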

TITLE IV
Financial Data Access Schemes

Article 9
Financial data access scheme membership

1. By ... [30 months from the date of entry into force of this Regulation], data holders and data users shall become members of a financial data access scheme governing access to the customer data in accordance with Article 10.

1a. The implementation of a financial data access scheme shall be structured as follows:

(a) by ... [12 months from the date of entry into force of this Regulation], members shall agree on the general rules applicable to a financial data access scheme in accordance with Article 10(1), points (a) to (f), and Article 10(1), points (i) to (j) (‘development phase’);

(b) by ... [26 months from the date of entry into force of this Regulation], members shall agree on common standards and a model to determine compensation in accordance with the requirements laid down in Article 10(1), points (g) and (h). Members shall also notify a financial data access scheme in accordance with Article 10(4) (‘implementation phase’);

(c) by ... [30 months from the date of entry into force of this Regulation], members shall ensure that all elements of a financial data access scheme are fully operational (‘operationalisation phase’).

2. Data holders and data users may become members of one or more▌ financial data access schemes.

Any access of data shall be▌ granted in accordance with the rules and arrangements of a financial data access scheme of which both the data user and the data holder are members.

Article 10
Financial data access scheme governance and content

1. A financial data access scheme shall include the following elements:

(a) the members of a financial data access scheme shall include:

(i) data holders and data users representing a significant proportion of the market of the product or service concerned, with each side having fair▌ representation in the internal decision-making processes of the scheme as well as every member having equal weight within their side in any voting procedures; where a member is both a data holder and data user, its membership shall be counted equally towards both sides;

(ii) customer organisations and consumer associations with expertise in financial services.

(b) the rules applicable to the financial data access scheme members shall apply equally to all the members and there shall be no unjustified favourable or differentiated treatment between members;

(c) the membership rules of a financial data access scheme shall ensure that the scheme is open to participation by any data holder and data user based on objective criteria and that all members shall be treated in a fair and equal manner;

(d) a financial data access scheme shall not impose any controls or additional conditions for the access or re-use of data other than those provided in this Regulation or under other applicable Union law;

(e) a financial data access scheme shall include a mechanism through which its rules can be amended, following an impact analysis and the agreement of the majority of each community of data holders and data users respectively;

(f) a financial data access scheme shall include rules on transparency and where necessary, reporting to its members;

(g) a financial data access scheme shall include the common standards for the data and the technical interfaces to allow customers to request data access in accordance with Article 5(1). The common standards for the data and technical interfaces that scheme members agree to use shall draw on existing international or industry-recognised standards or may be developed by scheme members or by other parties or bodies;

(ga) a financial data access scheme shall include the minimum technical and organisational measures that financial data access scheme members shall implement to ensure an appropriate level of security for exchanged data, including security measures to prevent and mitigate the risk of fraud;

(h) a financial data access scheme shall establish a model to determine the maximum compensation that a data holder is entitled to charge the data user for making data available through an appropriate technical interface for enabling the data users to access data in line with the common standards developed under point (g).

The model shall be based on the following principles:

(i) it should be limited to reasonable and proportionate compensation▌ related to the costs incurred in making the data available to the data user and which is attributable to the request and agreements to award any compensation shall ensure that the scheme members take into account in particular the costs necessary for the formatting of data, dissemination via electronic means and storage, and investments in the collection and production of data, where applicable, taking into account whether other parties contributed to obtaining, generating, or collecting the data in question, as well as the volume, format and nature of the data;

(ii) it should be based on an objective, transparent and non-discriminatory methodology agreed by the scheme members and may include a margin;

(iii) it should be based on comprehensive market data collected from data users and data holders on each of the cost elements to be considered, clearly identified in line with the model;

(iv) it should be periodically reviewed and monitored to take account of technological progress;

(v) it should be devised to gear compensation towards the lower levels prevalent on the market, while ensuring that there are sufficient incentives to foster market adoption and effective competition;

(vi) it should be limited to the requests for customer data under Article 2(1) or proportionate to the related datasets in the scope of that Article in the case of combined data requests.

(ha) taking into account the level of compensation in the market, in particular regarding the developments in the calculation, the ESAs, on the basis of their respective competences, shall publicly report to the Commission on a yearly basis on the evolution of compensation fees. The Commission may adopt a delegated act in accordance with Article 30 to address market failures using proportionate and appropriate tools. The ESAs shall consult data holders and data users upon the drafting of those reports.

Where the data user is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC of 6 May 2003[57], any compensation agreed shall not exceed the costs directly related to making the data available to the data user and which are attributable to the request.

The guidelines adopted by the Commission on the calculation of reasonable compensation in accordance with Article 9(5) of the Regulation (EU) 2023/2854 shall also apply to this Regulation;

(i) a financial data access scheme shall determine the contractual liability of its members, including in case the data is inaccurate, or of inadequate quality, or data security is compromised or the data are misused. In case of personal data, the liability provisions of the financial data access scheme shall be in accordance with the provisions in Regulation (EU) 2016/679;

(ia) a financial data access scheme shall provide for a mechanism of financial compensation to customers for any loss of data, damage or fraud suffered by these customers;

(j) a financial data access scheme shall provide for an independent, impartial, transparent and effective dispute resolution system to resolve disputes among scheme members and membership issues, in accordance with the quality requirements laid down by Directive 2013/11/EU of the European Parliament and of the Council[58].

2. Membership in financial data access schemes shall remain open to new members on the same terms and conditions as those for existing members at any time.

3. A data holder shall communicate to the competent authority of the Member State of its establishment the financial data access schemes it is part of, within one month of joining a scheme. The competent authority of the Member State shall communicate this notification to the ESAs as applicable, based on their respective competences.

4. A financial data access scheme set up in accordance with this Article shall be notified directly to the ESAs, which, based on their respective competences, shall carry out the assessment referred to in paragraph 6. Where a financial data access scheme set up in accordance with this Article is developed by scheme members which are established in the same Member State, the financial data access scheme shall be notified to the competent authority of the Member State of establishment, which shall carry out the assessment referred to in paragraph 6.

Where the membership of a financial data access scheme changes due to the addition of data holders and data users that are established in another Member State, the scheme shall be notified to the ESA concerned. However, where changes to the membership of a financial data access scheme result in all members being established in the same Member State, the scheme shall be notified to the competent authority of that Member State. All changes shall be notified to the register referred to in Article 15. The relevant ESA or the competent authority to which the change has been notified may in that case proceed to a new assessment as referred to in paragraph 6.

5. The notification in accordance with paragraph 4 shall take place within 1 month of setting up the financial data access scheme and shall include its governance modalities and characteristics in accordance with paragraph 1.

6. Within 1 month of receipt of the notification pursuant to paragraph 4 of this Article, the ESA concerned and, where appropriate, the competent authority referred to in paragraph 4 of this Article, shall assess whether the financial data access scheme’s governance modalities and characteristics are in compliance with paragraph 1. When assessing the compliance of the financial data access scheme with paragraph 1 of this Article, the ESA concerned shall consult the supervisory authorities established pursuant to Regulation (EU) 2016/679 and the other ESAs. Where the competent authority referred to in paragraph 4 of this Article is assessing compliance of the financial data access scheme with paragraph 1, it shall consult the supervisory authorities established pursuant to Regulation (EU) 2016/679 and the relevant ESAs based on their respective competences.

Upon completion of this assessment, the ESA concerned and, where appropriate, the competent authority referred to in paragraph 4, shall inform the members of a financial data access scheme whether the scheme fulfils the requirements set out in paragraph 1. After a positive assessment, a scheme notified in accordance with this paragraph shall be recognised in all the Member States for the purpose of accessing data pursuant to Article 5(1) and shall be made available on the register defined in Article 15.

6. The ESAs shall undertake regular comprehensive reviews of data access schemes’ governance arrangements set out in Article 10(1). Those reviews shall include a thorough and documented assessment whether the schemes’ arrangements are appropriate and credible for the purposes of ensuring the responsible treatment of customer data.

Article 11
Delegated act in the absence of a financial data access scheme

-1. Where a financial data access scheme is not developed or implemented within the relevant time-frame as referred to in Article 9, members of a prospective financial data access scheme shall work with the relevant competent authorities to develop or implement the scheme, taking account of experiences across the market and the need to ensure the standardisation of schemes.

1. In the event that a financial data access scheme is not completely developed or implemented in accordance with Article 9(1a) for one or more categories of customer data listed in Article 2(1) and there is no realistic prospect of such a scheme being completed within a reasonable amount of time, the Commission is empowered to adopt a delegated act in accordance with Article 30 to supplement this Regulation by specifying the following arrangements under which a data holder shall make available customer data pursuant to Article 5(1) for that category of data:

(a) common standards for the data and, where appropriate, the technical interfaces to allow customers to request data to be made available under Article 5(1);

(b) a model to determine the maximum compensation that a data holder is entitled to charge for making data available;

(c) the liability of the entities involved in making the customer data available.

1a. The Commission shall, before adopting the delegated act pursuant to paragraph 1, consult the European Data Protection Board and all relevant stakeholders and submit a report to the European Parliament and the Council setting out any grounds for intervention by the Commission. The report shall take account of any existing work towards a scheme already undertaken by the industry and shall describe the arrangements for making available customer data as referred to in paragraph 1.

1b. When developing the draft delegated act for the purpose of paragraph 1, point (a), of this Article the Commission shall consult the European Data Protection Supervisor pursuant to Article 42(1) of Regulation (EU) 2018/1725.

TITLE V
Eligibility for Data Access and Organisation

Article 12
Application for authorisation of financial information service providers

1. A legal person shall be eligible to access customer data under Article 5(1) for the provision of financial information services if it is authorised by the competent authority of a Member State.

2. A legal person that intends to provide financial information services shall apply to the competent authority of the Member State of establishment of its registered office for authorisation as a financial information service provider. It shall submit the application for authorisation together with the following:

(a) a programme of operations setting out in particular the type of access to data and financial information services envisaged;

(b) a business plan including, where applicable, a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

(c) a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, as well as arrangements for the use of ICT services in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;

(d) a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations laid down in Chapter III of Regulation (EU) 2022/2554;

(e) a description of business continuity arrangements including a clear identification of the critical operations, effective ICT business continuity policy and plans and ICT response and recovery plans, and a procedure to regularly test and review the adequacy and efficiency of such plans in accordance with Chapter II of Regulation (EU) 2022/2554;

(f) a security policy document, including a detailed risk assessment in relation to its operations and a description of security control and mitigation measures taken to adequately protect its customers against the risks identified, including fraud;

(g) a description of the applicant’s structural organisation, as well as a description of outsourcing arrangements;

(h) the identity of directors and persons responsible for the management of the applicant and, where relevant, persons responsible for the management of the data access activities of the applicant, as well as evidence that they are of good repute and possess appropriate knowledge and experience to access data as determined in this Regulation;

(i) the applicant’s legal status and articles of association;

(j) the address of the applicant’s head office and, where available, the legal entity identifier (LEI);

(k) where applicable, the written agreement between the financial information service provider and the legal representative evidencing the appointment, the extent of liability and the tasks to be carried out by the legal representative in accordance with Article 13.

For the purposes of the first subparagraph, points (c), (d) and (g) the applicant shall provide a description of its audit arrangements and the organizational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its customers and to ensure continuity and reliability in the performance of its activities.

The security control and mitigation measures referred to in the first subparagraph, point (f), shall indicate how the applicant will ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations.

3. Financial information service providers shall hold a professional indemnity insurance or other comparable guarantee covering the territories in which they offer financial information services, and shall ensure the following:

(a) an ability to cover their liability resulting from professional negligence, non-authorised or fraudulent access to or non-authorised or fraudulent use of data;

(b) an ability to cover the value of any excess, threshold or deductible from the insurance or comparable guarantee;

(c) monitoring of the coverage of the insurance or comparable guarantee on an ongoing basis.

As an alternative to holding a professional indemnity insurance or other comparable guarantee as required in the first subparagraph, the undertaking as referred to in the previous subparagraph shall hold initial capital of EUR 50 000, which shall, without undue delay, be replaced by a professional indemnity insurance or other comparable guarantee on liability after it commences its activity as financial information service provider.

3a. Financial information service providers authorised in accordance with Article 14 shall at all times meet the conditions for their authorisation.

4. EBA in cooperation with ESMA and EIOPA shall, after consulting all relevant stakeholders, develop draft regulatory technical standards specifying:

(a) the information to be provided to the competent authority in the application for the authorisation of financial information service providers, including the requirements laid down in paragraph 2, points (a) to (k);

(b) a common assessment methodology for granting authorisation as a financial information service provider, under this Regulation;

(c) what constitutes a comparable guarantee, as referred to in paragraph 3, which should be interchangeable with a professional indemnity insurance;

(d) the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraph 3.

In developing these draft regulatory technical standards, EBA shall take account of the following:

(a) the risk profile of the undertaking;

(b) whether the undertaking provides other types of services or is engaged in other business;

(c) the size of the activity;

(d) the specific characteristics of comparable guarantees and the criteria for their implementation.

EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by [OP please insert the date = 9 months after entry into force of this Regulation].

Power is conferred to the Commission to adopt the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update these regulatory technical standards.

4a. A registered account information service provider as defined in Directive (EU) 2015/2366 may only access data under Article 5(1) if it has been authorised as a financial information service provider.

4b. This Article shall not apply to an undertaking providing core platform services for which one or more of such services has been designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925, or to any entity that is owned or controlled by such an undertaking.

Article 14
Granting and withdrawal of authorisation of financial information service providers

1. The competent authority shall grant an authorisation if the information and evidence accompanying the application comply with the requirements laid down in Article 12(1), (2) and (3) and if the competent authority’s overall assessment, having scrutinised the application, is favourable. Before granting an authorisation, the competent authority shall consult other relevant public authorities, in particular the supervisory authorities established pursuant to Regulation (EU) 2016/679.

3. The competent authority shall grant an authorisation only if, taking into account the need to ensure the sound and prudent management of a financial information service provider, the financial information service provider has robust governance arrangements for its information service business. This includes a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective procedures to identify, manage, monitor and report the risks to which it is or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures. Those arrangements, procedures and mechanisms shall be comprehensive and proportionate to the nature, scale and complexity of the information services provided by the financial information service provider.

4. The competent authority shall grant an authorisation only if the laws, regulations or administrative provisions governing one or more natural or legal persons with which the financial information service provider has close links, or difficulties involved in the enforcement of those laws, regulations or administrative provisions, do not prevent the effective exercise of its supervisory functions.

5. The competent authority shall grant an authorisation only if it is satisfied that any outsourcing arrangements will not render the financial information service provider a letterbox entity or that they are not undertaken as a means to circumvent the provisions of this Regulation.

6. Within 2 months of receipt of a complete application, the competent authority shall inform the applicant whether the authorisation is granted or refused. The competent authority shall present to the applicant a detailed report on the grounds of its decision where it refuses an authorisation.

7. The competent authority may withdraw an authorisation issued to a financial information service provider only if the provider:

(a) does not make use of the authorisation within 12 months, requests the competent authority to withdraw the authorisation or has ceased to engage in business for more than 6 months;

(b) has obtained the authorisation through false statements or any other irregular means;

(c) no longer meets the conditions for granting the authorisation or fails to inform the competent authority on major developments in this respect; or

(ca) has breached its obligations under Union data protection law according to a supervisory authority established pursuant to Regulation (EU) 2016/679;

(d) would constitute a risk to consumer protection or the security of data.

The competent authority shall give reasons for any withdrawal of an authorisation and shall inform those concerned accordingly. The competent authority shall make public the withdrawal of an authorisation.

7a. The ESAs or the competent authority of any host Member State may at any time request the competent authority of the home Member State to examine whether the financial information service provider still complies with the conditions under which the authorisation was granted, when there are grounds to suspect that this may no longer be the case.

Article 15
Register

1. EBA shall develop, operate and maintain an electronic central register which contains the following information:

(a) the authorised financial information service providers, including the name, the address and, where applicable, the authorisation number, and a description of the financial information services offered;

(b) the financial information service providers that have notified their intention to access data in a Member State other than their home Member State;

(c) the financial data access schemes agreed between data holders and data users;

(ca) the information listed in Article 28(2).

3. The register shall be publicly available on EBA’s website, shall be machine readable, and shall allow for easy searching and accessing of the information listed, free of charge.

4. EBA shall enter in the register referred to in paragraph 1 any withdrawal of authorisation of financial information service providers or termination of a financial data access scheme.

5. The competent authorities of the Member States shall communicate without delay, and where possible in an automated way, to EBA the information necessary to fulfil its tasks pursuant to paragraphs 1 and 4. Competent authorities shall be responsible for the accuracy of the information specified in paragraphs 1 and 3 and for keeping that information up to date. They shall, where technically possible, transmit this information to EBA in an automated way.

Article 16
Organisational requirements for financial information service providers

A financial information service provider shall comply with the following organisational requirements:

(a) it shall establish policies and procedures sufficient to ensure its compliance, including that of its managers and employees, with its obligations under this Regulation;

(b) it shall take reasonable steps to ensure continuity and regularity in the performance of its activities. To that end the financial information service provider shall employ appropriate and proportionate systems, human and technical resources and procedures to ensure the continuity of its critical operations, have in place contingency plans and a procedure to test and review regularly the adequacy and efficiency of such plans;

(c) when relying on a third party for the performance of functions which are critical for the provision of continuous and satisfactory service to customers and the performance of activities on a continuous and satisfactory basis, it shall take reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to impair materially the quality of its internal control and the ability of the competent authority to monitor the financial information service provider’s compliance with all obligations;

(d) it shall have sound governance, administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment and management, and effective control and safeguard arrangements for information processing systems;

(e) its directors and persons responsible for its management as well as the persons responsible for the management of the financial information service activities of the financial information service provider are of good repute and possess appropriate knowledge, skills and experience, both individually and collectively, to perform their duties including in relation to the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations;

(f) it shall establish and maintain effective and transparent procedures to ensure the confidentiality, availability and integrity of data in the event of a security incident and for the prompt, fair and consistent monitoring, handling and follow up of a security incident and security related customer complaints, including a reporting mechanism which takes account of the notification obligations laid down in Chapter III of Regulation (EU) 2022/2554.

TITLE VI
Competent authorities and Supervision Framework

Article 17
Competent authorities

1. Member States shall designate the competent authorities responsible for carrying out the functions and duties provided for in this Regulation, including the supervision of financial data access schemes and compliance of financial information services providers with this Regulation. Member States shall notify those competent authorities to the Commission.

2. Member States shall ensure that the competent authorities designated under paragraph 1 possess all the powers necessary for the performance of their duties.

Member States shall ensure that those competent authorities have the necessary human and technical resources, notably in terms of dedicated staff, in order to comply with their tasks as per the obligations under this Regulation.

3. Member States which have appointed within their jurisdiction more than one competent authority for matters covered by this Regulation shall ensure that those authorities cooperate closely so that they can discharge their respective duties effectively.

4. For financial institutions, compliance with this Regulation shall be ensured by the competent authorities specified in Article 46 of Regulation (EU) 2022/2554 in accordance with the powers granted by the respective legal acts listed in that Article, and by this Regulation.

Article 18
Powers of competent authorities

1. Competent authorities shall have all the investigatory powers necessary for the exercise of their functions. Those powers shall include:

(a) the power to require any natural or legal persons to provide all information that is necessary in order to carry out the tasks of the competent authorities, including information to be provided at recurrent intervals and in specified formats for supervisory and related statistical purposes;

(b) the power to conduct all necessary investigations of any person referred to in point (a) established or located in the Member State concerned where necessary to carry out the tasks of the competent authorities, including the power to:

(i) require the submission of documents;

(ii) examine the data in any form, including the books and records of the persons referred to in point (a) and take copies or extracts from such documents;

(iii) obtain written or oral explanations from any person referred to in point (a) or their representatives or staff, and, if necessary, to summon and question any such person with a view to obtaining information;

(iv) interview any other natural person who agrees to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;

(v) subject to other conditions set out in Union law or in national law, the power to conduct necessary inspections at the premises of the legal persons and at sites other than the private residence of natural persons referred to in point (a), as well as of any other legal person included in consolidated supervision where a competent authority is the consolidating supervisor, subject to prior notification of the competent authorities concerned;

(vi) to enter the premises of natural and legal persons, in line with national law, in order to seize documents and data in any form where a reasonable suspicion exists that documents or data relating to the subject matter of the inspection or investigation may be necessary and relevant to prove a case of breach of provisions of this Regulation;

(vii) to require, insofar as permitted by national law, existing data traffic records held by a telecommunications operator, where there is a reasonable suspicion of a breach and where such records may be relevant to the investigation of a breach of this Regulation;

(viii) to request the freezing or sequestration of assets, or both, in accordance with relevant national law;

(ix) to refer matters for criminal investigation;

(c) in the absence of other available means to bring about the cessation or the prevention of any breach of this Regulation and in order to avoid the risk of serious harm to the interests of consumers, competent authorities shall be entitled to take any of the following measures, including by requesting a third party or other public authority to implement them:

(i) to remove content or to restrict access to an online interface or to order that a warning is explicitly displayed to customers when they access an online interface;

(ii) to order a hosting service provider to remove, disable or restrict access to an online interface;

(iii) where appropriate, to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to register it.

The implementation of this paragraph and the exercise of powers set out therein shall be proportionate and comply with Union and national law, including with applicable procedural safeguards and with the principles of the Charter of Fundamental Rights of the European Union. The investigation and enforcement measures adopted pursuant to this Regulation shall be appropriate to the nature and the overall actual or potential harm of the infringement.

2. Competent authorities shall exercise their powers to investigate potential breaches of this Regulation, and impose administrative penalties and other administrative measures provided for in this Regulation, in any of the following ways:

(a) directly;

(b) in collaboration with other authorities;

(c) by delegating powers to other authorities or bodies;

(d) by having recourse to the competent judicial authorities of a Member State.

Where competent authorities exercise their powers by delegating to other authorities or bodies in accordance with point (c), the delegation of power shall specify the delegated tasks, the conditions under which they are to be carried out, and the conditions under which the delegated powers may be revoked. The authorities or bodies to which the powers are delegated shall be organised in such a manner that conflicts of interest are avoided. Competent authorities shall oversee the activity of the authorities or bodies to which the powers are delegated.

3. In the exercise of their investigatory and sanctioning powers, including in cross border cases, competent authorities shall cooperate effectively with each other, with the supervisory authorities established pursuant to Regulation (EU) 2016/679, and with the authorities from any sector concerned as applicable to each case and in accordance with national and Union law, to ensure the exchange of information and the mutual assistance necessary for the effective enforcement of administrative sanctions and administrative measures.

Article 18a
Specific powers of competent authorities

1. By ... [12 months from the date of entry into force of this Regulation], an entity listed in Article 2(2), points (a) to (n) which is owned or controlled by an undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925 shall be subject to a specific assessment by the competent authority of its registered office.

2. The specific assessment shall consist of the following information:

(a) a programme of operations submitted by the entity referred to in paragraph 1 which sets out the functioning, services and activities performed as a data user, including the type of access to customer data and the size of the activity in terms of the number of customers reached;

(b) an assessment of the network effects and data driven advantages of the entity, in particular in relation to that undertaking’s access to, and collection of, customer data or analytics capabilities;

(c) evidence that the entity has in place sufficient safeguards to demonstrate compliance with the requirements in Articles 5 to 8, including Article 6(4), point (f).

3. As soon as the competent authority considers the assessment to be complete, it shall send a copy of that assessment to the ESA concerned, depending on whether the entity referred to in paragraph 1 of this Article is authorised pursuant to one of the Union acts referred to in Article 2(1) of Regulation (EU) No 1093/2010, Article 2(1) of Regulation (EU) No 1094/2010 or Article 2(1) of Regulation (EU) No 1095/2010.

4. The ESA concerned pursuant to paragraph 3 of this Article shall provide the competent authority with a binding opinion on the assessment conducted within 30 calendar days of receiving the copy of that assessment. Before issuing a binding opinion, the ESA concerned shall consult the competent authorities of the other Member States and the European Data Protection Board and shall take the utmost account of their views when issuing its opinion.

5. The competent authority shall conclude its assessment once the requirements laid down in paragraphs 2 and 4 of this Article are met. The competent authority shall inform the entity referred to in paragraph 1 of the conclusion of its assessment.

If the assessment conducted by the competent authority concludes that the entity fulfils the requirements in paragraph 2 of this Article, the assessment shall be declared complete by the competent authority and the entity referred to in paragraph 1 of this Article shall be confirmed as an eligible entity pursuant to Article 2(2) of this Regulation.

If the assessment conducted by the competent authority concludes that there are significant deficiencies, the competent authority may request that the entity introduce measures to address those deficiencies. If measures are not taken, the competent authority may determine that the entity is excluded from the scope of this Regulation pursuant to Article 2(2).

6. The competent authority may decide to conduct a new assessment if the entity referred to in paragraph 1 no longer meets the conditions of the assessment or fails to inform the competent authority on major developments in this respect.

Article 19
Settlement agreements and expedited enforcement procedures

1. Without prejudice to Article 20, Member States may lay down rules enabling their competent authorities to close an investigation or formal sanctioning proceeding concerning an alleged breach of this Regulation, following a settlement agreement in order to put an end to the alleged breach and its consequences before formal sanctioning proceedings are started or to close formal sanctioning proceedings by way of settlement.

2. Member States may lay down rules enabling their competent authorities to close an investigation concerning an established breach through an expedited enforcement procedure in order to achieve a swift adoption of a decision aiming at imposing an administrative sanction or administrative measure.

The empowerment of competent authorities to settle or to open expedited enforcement procedures does not affect the obligations upon Member States under Article 20.

3. Where Member States lay down the rules referred to in paragraph 1, they shall notify the Commission of the relevant laws, regulations and administrative provisions regulating the exercise of powers referred to in that paragraph and shall notify it of any subsequent amendments affecting those rules.

Article 20
Administrative penalties and other administrative measures

1. Without prejudice to the supervisory and investigative powers of competent authorities listed in Article 18, Member States shall, in accordance with national law, provide for competent authorities to have the power to take appropriate administrative penalties and to take other administrative measures in relation to the following infringements:

(a) infringements of Articles 4, 5 and 6;

(b) infringements of Articles 7 and 8;

(c) infringements of Articles 9 and 10;

(d) infringements of Articles 12, 13 and 16;

(e) infringements of Article 28.

2. Member States may decide not to lay down rules on administrative sanctions and administrative measures applicable to breaches of this Regulation which are subject to sanctions under national criminal law. In such a case, Member States shall notify the Commission of the relevant criminal law provisions and any subsequent amendments thereto.

3. Member States shall, in accordance with national law, ensure that competent authorities have the power to impose the following administrative penalties and other administrative measures in relation to the infringements referred to in paragraph 1:

(a) a public statement indicating the natural or legal person responsible and the nature of the infringement;

(b) an order requiring the natural or legal person responsible to cease the conduct constituting the infringement and to desist from a repetition of that conduct;

(c) the disgorgement of the profits gained or losses avoided due to the infringement insofar as they can be determined;

(d) a temporary suspension of the authorisation of a financial information service provider;

(e) a maximum administrative fine of at least twice the amount of the profits gained or losses avoided because of the infringement where those can be determined, even if such fine exceeds the maximum amounts set out in this paragraph, point (f), as regards natural persons, or in paragraph 4 as regards legal persons;

(f) in the case of a natural person, maximum administrative fines of up to EUR 35 000 per infringement and up to a total of EUR 350 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation];

(g) a temporary ban of any member of the management body of the financial information service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in financial information service providers;

(h) in the event of a repeated infringement of the articles referred to in paragraph 1, a ban of at least 10 years for any member of the management body of a financial information service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in a financial information service provider.

4. Member States shall, in accordance with national law, ensure that competent authorities have the power to impose, in relation to the infringements referred to in paragraph 1 committed by legal persons, maximum administrative fines of:

(a) up to EUR 160 000 per infringement and up to a total of EUR 1 600 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation];

(b)  4,5% of the total annual turnover of the legal person of the preceding financial year, according to the last available financial statements approved by the management body;

Where the legal person referred to in the first subparagraph is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial statements in accordance with Article 22 of Directive 2013/34/EU of the European Parliament and of the Council[59], the relevant total annual turnover shall be the net turnover or the revenue to be determined in accordance with the relevant accounting standards, according to the consolidated financial statements of the ultimate parent undertaking available for the latest balance sheet date, for which the members of the administrative, management and supervisory body of the ultimate undertaking have responsibility.

5. Member States may empower competent authorities to impose other types of administrative penalties and other administrative measures in addition to those referred to in paragraphs 3 and 4 and may provide for higher amounts of administrative pecuniary fines than those laid down in those paragraphs.

Member States shall notify to the Commission the level of such higher penalties, and any subsequent amendments thereto.


Article 21
Periodic penalty payments

1. Competent authorities shall be entitled to impose periodic penalty payments on legal or natural persons for an ongoing failure to comply with any decision, order, interim measure, request, obligation or other administrative measure adopted in accordance with this Regulation.

A periodic penalty payment referred to in the first subparagraph shall be effective and proportionate and shall consist of a daily amount to be paid until compliance is restored. It shall be imposed for a period not exceeding 6 months from the date indicated in the decision imposing the periodic penalty payment.

Competent authorities shall be entitled to impose the following periodic penalty payments which may be adjusted depending on the seriousness of the breach and the needs of the sector:

(a) 3% of the average daily turnover in the case of a legal person;

(b) EUR 30 000 in the case of a natural person.

2. The average daily turnover referred to in paragraph 1, third subparagraph, point (a), shall be the total annual turnover, divided by 365.

3. Member States may provide for higher amounts of periodic penalty payments than those laid down in paragraph 1, third subparagraph.

Article 22
Circumstances to be considered when determining administrative penalties and other administrative measures

1. Competent authorities, when determining the type and level of administrative penalties or other administrative measure, shall take into account all relevant circumstances in order to ensure that such sanctions or measures are effective and proportionate. Those circumstances shall include, where appropriate:

(a) the nature, gravity and the duration of the breach taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the degree of responsibility of the legal or natural person responsible for the breach;

(c) the financial strength of the legal or natural person responsible for the breach, as indicated, among other things, by the total annual turnover of the legal person, or the annual income of the natural person responsible for the breach;

(d) the level of profits gained or losses avoided by the legal or natural person responsible for the breach, if such profits or losses can be determined;

(e) the losses for third parties caused by the breach, if such losses can be determined;

(f) the disadvantage resulting to the legal or natural person responsible for the breach from the duplication of criminal and administrative proceedings and penalties for the same conduct;

(fa) the categories of personal data affected by the infringement;

(g) the impact of the breach on the interests of customers;

(h) any actual or potential systemic negative consequences of the breach;

(i) the complicity or organised participation of more than one legal or natural person in the breach;

(j) previous breaches committed by the legal or natural person responsible for the breach;

(k) the level of cooperation of the legal or natural person, responsible for the breach, with the competent authority;

(ka) the manner in which the infringement became known to the competent authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(l) any remedial action or measure undertaken by the legal or natural person responsible for the breach to prevent its repetition.

2. Competent authorities that use settlement agreements or expedited enforcement procedures pursuant to Article 19 shall adapt the relevant administrative penalties and other administrative measures provided for in Article 20 to the case concerned to ensure the proportionality thereof, in particular by considering the circumstances listed in paragraph 1.

Article 23
Professional secrecy

1. All persons who work or who have worked for the competent authorities, as well as experts acting on behalf of the competent authorities, are bound by the obligation of professional secrecy.

2. The information exchanged in accordance with Article 26 shall be subject to the obligation of professional secrecy by both the sharing and recipient authority to ensure the protection of individual and business rights.

Article 24
Right of appeal

1. Decisions taken by the competent authorities pursuant to this Regulation, may be contested before the courts.

2. Paragraph 1 shall apply also in respect of a failure to act.

Article 25
Publication of decisions of competent authorities

1. Competent authorities shall publish on their website all decisions imposing an administrative penalty or administrative measure on legal and natural persons for breaches of this Regulation and, where applicable, all settlement agreements. The publication shall include a short description of the breach, the administrative penalty or other administrative measure imposed or, where applicable, a statement about the settlement agreement. The identity of the natural person subject to the decision imposing an administrative penalty or administrative measure shall not be published.

Competent authorities shall publish the decision and the statement referred to in paragraph 1 immediately after the legal or natural person subject to the decision has been notified of that decision or the settlement agreement has been signed.

2. By derogation from paragraph 1, where the publication of the identity or other personal data of the natural person is deemed necessary by the national competent authority to protect the stability of the financial markets or, to ensure the effective enforcement of this Regulation, including in the case of public statements referred to in Article 20(3) point (a), or temporary bans referred to in Article 20(3) point (g), the national competent authority may publish also the identity of the persons or personal data, provided that it justifies such a decision and that the publication is limited to the personal data that is strictly necessary to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation.

3. Where the decision imposing an administrative penalty or other administrative measure is subject to appeal before the relevant judicial or other authority, competent authorities shall also publish on their official website, without delay, information on the appeal and any subsequent information on the outcome of such an appeal insofar as it concerns legal persons. Where the appealed decision concerns natural persons and the derogation under paragraph 2 is not applied, competent authorities shall publish information on the appeal only in an anonymised version.

4. Competent authorities shall ensure that any publication made in accordance with this Article remains on their official website for a period of at least 5 years. Personal data contained in the publication shall be kept on the official website of the competent authority only if an annual review shows the continued need to publish that data to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation, and in any event for no longer than 5 years.

Article 26
Cooperation and exchange of information between competent authorities

1. Competent authorities shall cooperate with each other and with other relevant competent authorities designated under Union or national law applicable to financial institutions for the purposes of carrying out the duties of the competent authorities under this Regulation.

2. The exchange of information between competent authorities and the competent authorities of other Member States responsible for the authorisation and supervision of financial information service providers shall be allowed for the purposes of carrying out their duties under this Regulation.

3. Competent authorities exchanging information with other competent authorities under this Regulation may indicate at the time of communication that such information must not be disclosed without their express agreement, in which case such information may be exchanged solely for the purposes for which those authorities gave their agreement.

4. The competent authority shall not transmit information shared by other competent authorities to other bodies or natural or legal persons without the express agreement of the competent authorities which disclosed it and solely for the purposes for which those authorities gave their agreement, except in duly justified circumstances. In this last case, the contact point shall immediately inform the contact point that sent the information.

5. Where obligations under this Regulation concern the processing of personal data, competent authorities shall cooperate with the supervisory authorities established pursuant to Regulation (EU) 2016/679.

Article 27
Settlement of disagreements between competent authorities

1. Where a competent authority of a Member State considers that, in a particular matter, cross-border cooperation with competent authorities of another Member State as referred to in Articles 28 or 29 of this Regulation does not comply with the relevant conditions set out in those provisions, it may refer the matter to EBA and may request its assistance in accordance with Article 19 of Regulation (EU) No 1093/2010.

2. Where EBA has been requested to provide assistance pursuant to paragraph 1, it shall take a decision under Article 19(3) of Regulation (EU) No 1093/2010 without undue delay. EBA may also, on its own initiative, assist the competent authorities in reaching an agreement in accordance with Article 19(1), second subparagraph of that Regulation. In either case, the competent authorities involved shall defer their decisions pending resolution of the disagreement pursuant to Article 19 of Regulation (EU) No 1093/2010.

TITLE VII
Cross Border access to data

Article 28
Cross-border access to data by financial information service providers

1. Financial information service providers and financial institutions shall be allowed to have access to the data listed in Article 2(1) of Union customers held by data holders established in the Union, pursuant to the freedom to provide services or the freedom of establishment.

2. A financial information service provider wishing to have access to the data listed in Article 2(1) of this Regulation for the first time in a Member State other than its home Member State, in the exercise of the right of establishment or the freedom to provide services, shall communicate the following information to the competent authorities in its home Member State:

(a) the name, the address and, where applicable, the authorisation number and the LEI of the financial information service provider;

(b) the Member State(s) in which it intends to have access to the data listed in Article 2(1);

(c) the type of data it wishes to have access to;

(d) the financial data access schemes of which it is a member. 

Where the financial information service provider intends to outsource operational functions of data access to other entities in the host Member State, it shall inform the competent authorities of its home Member State accordingly.

3. Within 1 month of receipt of all of the information referred to in paragraph 2, the competent authorities of the home Member State shall send it to the competent authorities of the host Member State.

4. The financial information service provider shall communicate to the competent authorities of the home Member State without undue delay any relevant change regarding the information communicated in accordance with paragraph 2, including additional entities to which activities are outsourced in the host Member States in which it operates. The procedure provided for under paragraphs 2 and 3 shall apply.

4a. Where the competent authority of a host Member State has reasonable grounds for believing that a financial information service provider acting within its territory under the freedom to provide services or the freedom of establishment infringes the provisions of this Regulation as regards its use of the data of customers located within the host Member State, the competent authority of such host Member State shall have the power to temporarily suspend transmission of data of those customers from data holders to that financial information service provider, until the competent authority of the home Member State has taken the necessary measures to bring the infringements to an end.

Article 29
Reasons and communication

Any measure taken by the competent authorities pursuant to Article 18 or Article 28 involving penalties or restrictions on the exercise of the freedom to provide services or the freedom of establishment shall be properly justified and communicated to the financial information service provider concerned.

TITLE VIII

Final provisions

Article 30
Exercise of delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt the delegated act referred to in Article 10(1), point (ha) and Article 11, shall be conferred on the Commission for a period of XX months from … [OP please insert: date of entry into force of this Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the XX-month period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of powers referred to in Article 10(1), point (ha) and Article 11, may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult stakeholders and experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Article 10(1), point (ha) or Article 11, shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months on the initiative of the European Parliament or of the Council.

Article 31
Evaluation of this Regulation and report on access to financial data

-1. By ... [one year from the date of entry into application of this Regulation], and every year thereafter, the ESAs shall present a joint annual public report to the European Parliament, the Council and the Commission on the application of this Regulation.

The report referred to in the first subparagraph shall contain at least the following:

(a) a description of developments in the activities of financial information service providers;

(b) an appraisal of whether any changes are needed to the measures set out in this Regulation to ensure the protection of customers and to foster the development of innovative services.

1. By ... [OP please insert the date = 48 months from the date of entry into force of this Regulation], the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee. That evaluation shall assess, in particular:

(a) other categories or sets of data to be made accessible;

(b) the exclusion from the scope of certain categories of data and entities;

(c) changes in contractual practices of data holders and data users and the operation of financial data access schemes;

(d) the inclusion of other types of entities on the list of data holders and data users set up under this Regulation, including the inclusion of certain categories of entities on a voluntary basis;

(e) the impact of compensation on the ability of data users to participate in financial data access schemes and access data from data holders;

(ea) the impact of the Regulation on financial inclusion and simplicity of financial product and services;

(eb)  the adequacy of the administrative penalties and measures;

(ec) the implementation costs of the Regulation;

(ed) the impact of the Regulation on sustainable finance;

(ee) the activities under this Regulation of any undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925 to evaluate whether additional measures, including the exclusion of such designated entities, are required. The competent authorities of Member States shall provide any relevant information they have that the Commission may require for the purposes of drawing up the assessment to this effect.

2. By ... [OP please insert the date = 48 months from the date of entry into force of this Regulation], the Commission shall submit a report to the European Parliament and the Council assessing the conditions for access to financial data applicable to account information service providers under this Regulation and under Directive (EU) 2015/2366. The report can be accompanied, if deemed appropriate, by a legislative proposal.

Article 32
Amendment to Regulation (EU) No 1093/2010

In Article 1(2) of Regulation (EU) No 1093/2010, the first subparagraph is replaced by the following:

‘The Authority shall act within the powers conferred by this Regulation and within the scope of Directive 2002/87/EC, Directive 2008/48/EC*, Directive 2009/110/EC, Regulation (EU) No 575/2013**, Directive 2013/36/EU***, Directive 2014/49/EU****, Directive 2014/92/EU*****, Directive (EU) 2015/2366******, Regulation (EU) 2023/1114 (*******), Regulation (EU) 2024/…/EU (********) of the European Parliament and of the Council and, to the extent that those acts apply to credit and financial institutions and the competent authorities that supervise them, within the relevant parts of Directive 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority. The Authority shall also act in accordance with Council Regulation (EU) No 1024/2013*********.

* Directive 2008/48/EC Of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66).

** Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

*** Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

**** Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes (OJ L 173, 12.6.2014, p. 149).

***** Directive 2014/92/EU of the European Parliament and of the Council of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (OJ L 257, 28.8.2014, p. 214).

****** Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

******* Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40).

******** Regulation (EU) 2024/… of the European Parliament and of the Council of … on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) 1095/2010 and (EU) 2022/2554 and Directive (EU) 2019/1937 (OJ L ..., ...., p.).

********* Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).’

Article 33
Amendment to Regulation (EU) No 1094/2010

In Article 1(2) of Regulation (EU) No 1094/2010, the first subparagraph is replaced by the following:

‘The Authority shall act within the powers conferred by this Regulation and within the scope of Regulation (EU) 2024/…/EU (*), of Directive 2009/138/EC with the exception of Title IV thereof, of Directive 2002/87/EC, Directive (EU) 2016/97 (**) and Directive (EU) 2016/2341 (***) of the European Parliament and of the Council, and, to the extent that those acts apply to financial information services providers, insurance undertakings, reinsurance undertakings, institutions for occupational retirement provision and insurance intermediaries, within the relevant parts of Directive 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority.’

* Regulation (EU) 2024/… of the European Parliament and of the Council of … on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 and Directive (EU) 2019/1937 (OJ L …, ...., p.).

** Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2.2.2016, p. 19).

*** Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs) (OJ L 354, 23.12.2016, p. 37).

Article 34
Amendment to Regulation (EU) No 1095/2010

In Article 1(2) of Regulation (EU) No 1095/2010, the first subparagraph is replaced by the following:

‘The Authority shall act within the powers conferred by this Regulation and within the scope of Directives 97/9/EC, 98/26/EC, 2001/34/EC, 2002/47/EC, 2004/109/EC, 2009/65/EC, Directive 2011/61/EU of the European Parliament and of the Council*, Regulation (EC) No 1060/2009 and Directive 2014/65/EU of the European Parliament and of the Council**, Regulation (EU) 2017/1129 of the European Parliament and of the Council***, Regulation (EU) 2023/1114 of the European Parliament and of the Council**** and Regulation (EU) 2024/… of the European Parliament and of the Council*****, and, to the extent that those acts apply to firms providing investment services or to collective investment undertakings marketing their units or shares, issuers or offerors of crypto-assets, persons seeking admission to trading or crypto-asset service providers, financial information service providers and the competent authorities that supervise them, within the relevant parts of Directives 2002/87/EC and 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority.

___________

* Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (OJ L 174, 1.7.2011, p. 1).

** Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

*** Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC (OJ L 168, 30.6.2017, p. 12).

**** Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40).

***** Regulation (EU) 2024/… of the European Parliament and of the Council of … on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) 1094/2010, (EU) 1095/2010 and (EU) 2022/2554 and Directive (EU) 2019/1937 (OJ L ..., ...., p.).’

Article 35
Amendment to Regulation (EU) 2022/2554

Article 2(1) of Regulation (EU) 2022/2554 is amended as follows:

(1) in point (u), the punctuation mark “.” is replaced by “;”;

(2) the following point (v) is added:

‘(v) financial information service providers.’

Article 36
Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from [OP please insert the date = 32 months from the date of entry into force of this Regulation]. However, Articles 9 to 13 shall apply from [OP please insert the date = 30 months from the date of entry into force of this Regulation].

This Regulation shall apply to entities when acting as data holders or data users as referred to in Article 2(2) from ...[38 months from the date of entry into force of this Regulation]. However, Articles 9 to 13 shall apply to those entities from ...[36 months from the date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at …,

For the European Parliament
The President

For the Council
The President


ANNEX: ENTITIES OR PERSONS FROM WHOM THE RAPPORTEUR HAS RECEIVED INPUT

Pursuant to Article 8 of Annex I to the Rules of Procedure, the rapporteur declares that he has received input from the following entities or persons in the preparation of the report, until the adoption thereof in committee:

Entity and/or person

American Chamber of Commerce to the European Union (AmCham)

American Express

Association for Financial Markets in Europe (AFME)

Assuralia

Autorité des Marchés Financiers (AMF)

Better Finance

Bureau européen des unions de consommateurs (BEUC)

Council of European National Top-Level Domain Registries (CENTR)

European Association of Co-operative Banks (EACB)

European Association of Credit Rating Agencies (EACRA)

European Association of Paritarian Institutions (AEIP)

European Banking Federation (EBF)

European Digital Payments Industry Alliance (EDPIA)

European Fund and Asset Management Association (EFAMA)

European Third Party Providers Association (ETTPA)

Febelfin

Federation of Business Information Services (FEBIS)

Finance Watch

Financial Services and Markets Authority (FSMA)

French Banking Federation (FBF)

German Banking Industry Committee (GBIC)

German Insurance Association (GDV)

Global Legal Entity Identifier Foundation (GLEIF)

Hogan Lovells

Insurance Europe

Insurely

Klarna

Mastercard

Pensions Europe

PensioPlus

S&P Global

Sigedis

Nederlands Verbond van Verzekeraars

Nederlandse Vereniging van Banken

Nederlandse Pensioenfederatie

Visa


The list above is drawn up under the exclusive responsibility of the rapporteur.


PROCEDURE – COMMITTEE RESPONSIBLE

Title: Framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

References: COM(2023)0360 – C9-0215/2023 – 2023/0205(COD)

Date submitted to Parliament: 29.6.2023

Committee responsible (date announced in plenary): ECON (19.10.2023)

Committees asked for opinions (date announced in plenary): LIBE (19.10.2023)

Not delivering opinions (date of decision): LIBE (24.10.2023)

Rapporteurs (date appointed): Michiel Hoogeveen (19.7.2023)

Discussed in committee: 22.2.2024

Date adopted: 18.4.2024

Result of final vote: +: 43 / –: 1 / 0: 5

Members present for the final vote: Rasmus Andresen, Anna-Michelle Asimakopoulou, Marek Belka, Isabel Benjumea Benjumea, Gilles Boyer, Engin Eroglu, Markus Ferber, Jonás Fernández, Frances Fitzgerald, Enikő Győri, Michiel Hoogeveen, Stasys Jakeliūnas, France Jamet, Othmar Karas, Ondřej Kovařík, Georgios Kyrtsos, Pedro Marques, Luděk Niedermayer, Dimitrios Papadimoulis, Sirpa Pietikäinen, Antonio Maria Rinaldi, Dorien Rookmaker, Alfred Sant, Joachim Schuster, Aušra Seibutytė, Pedro Silva Pereira, Paul Tang, Irene Tinagli, Inese Vaidere, Johan Van Overtveldt

Substitutes present for the final vote: Fabio Massimo Castaldo, Eider Gardiazabal Rubial, Michael Kauch, Margarida Marques, Ville Niinistö, Johan Nissinen, Henk Jan Ormel, Erik Poulsen, Laurence Sailliet

Substitutes under Rule 209(7) present for the final vote: Attila Ara-Kovács, Vladimír Bilčík, Karolin Braunsberger-Reinhold, Andreas Glück, Moritz Körner, Vânia NETO, Inma Rodríguez-Piñero, Maria Veronica Rossi, Domènec Ruiz Devesa, Javier Zarzalejos

Date tabled: 30.4.2024


FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

43 +
ECR: Michiel Hoogeveen, Johan Nissinen, Johan Van Overtveldt
NI: Enikő Győri
PPE: Anna-Michelle Asimakopoulou, Isabel Benjumea Benjumea, Vladimír Bilčík, Karolin Braunsberger-Reinhold, Markus Ferber, Frances Fitzgerald, Othmar Karas, Vânia NETO, Luděk Niedermayer, Henk Jan Ormel, Sirpa Pietikäinen, Laurence Sailliet, Aušra Seibutytė, Inese Vaidere, Javier Zarzalejos
Renew: Gilles Boyer, Engin Eroglu, Andreas Glück, Michael Kauch, Moritz Körner, Georgios Kyrtsos, Erik Poulsen
S&D: Attila Ara-Kovács, Marek Belka, Jonás Fernández, Eider Gardiazabal Rubial, Margarida Marques, Pedro Marques, Inma Rodríguez-Piñero, Domènec Ruiz Devesa, Alfred Sant, Joachim Schuster, Pedro Silva Pereira, Paul Tang, Irene Tinagli
The Left: Dimitrios Papadimoulis
Verts/ALE: Rasmus Andresen, Stasys Jakeliūnas, Ville Niinistö

1 -
ID: France Jamet

5 0
ECR: Dorien Rookmaker
ID: Antonio Maria Rinaldi, Maria Veronica Rossi
Renew: Fabio Massimo Castaldo, Ondřej Kovařík

Key to symbols:
+ : in favour
- : against
0 : abstention

Last updated: 13 May 2024