FIDA (Financial Data Access): How do you stay compliant?

January 27, 2025
Financial Data Access (FIDA) is a new regulatory framework that is transforming access to financial data in Europe, coming into force this year.

What is FIDA?

On June 28, 2023, the European Commission presented Financial Data Access (FIDA), a new regulatory framework transforming access to financial data in Europe. This regulation significantly extends the scope of PSD2 by requiring the sharing of data beyond payment services alone.

FIDA now covers a broad spectrum of financial data: savings products, insurance contracts, investments and crypto-assets. This extension of the scope comes with specific obligations for financial institutions, in particular with regard to the provision of data and financial compensation.

This initiative is part of the European Union's digital finance strategy, in coordination with the Data Act. For financial institutions, it represents both a major compliance challenge and a strategic opportunity for development in the Open Finance ecosystem.

Who is affected by FIDA?

Financial Data Access (FIDA) is a regulation that extends financial data sharing obligations in Europe, going well beyond the current PSD2 framework.

Its field of application extends to:

  • Savings products
  • Insurance contracts
  • Investments
  • Crypto-assets

FIDA is part of the European digital finance strategy alongside the Data Act. It aims to strengthen innovation and competition in the financial sector while ensuring consumer protection.

Entities concerned and specificities

Traditional financial institutions:

  • Banks: all account data and transactions
  • Insurers: contract and claims data
  • Investment companies: portfolio positions and history

New actors:

  • Fintechs: mandatory API integration
  • Crypto-asset platforms: specific reporting
  • Payment service providers: real-time access

What are FIDA's obligations?

Customers should be able to access all of their personal data held by financial institutions:

  • This includes the information they provided (contact details, income, family situation...)
  • Also the data generated during their interactions (transaction history, communications...)
  • As well as the details of their contracts and financial products purchased

Customers can allow third parties to access their financial data:

  • This concerns most financial products: bank accounts, insurance, investments, cryptocurrencies
  • Only health and credit assessment data are excluded to avoid discrimination

A dashboard should allow customers to manage their authorizations:

  • They can choose exactly what data to share with each third party
  • Access can be revoked at any time

Secure sharing system:

  • Financial institutions should use standardized technical interfaces (APIs)
  • Strong authentication is mandatory, as for online payments (see PSD2/PSD3)
  • Data is encrypted during transfers
  • Technical specifications will be public to allow interoperability

Access monitoring:

  • All data accesses are monitored in real time
  • Each consultation or transfer is recorded
  • Alerts are generated in case of suspicious activity (multiple accesses, abnormal volumes)

Reporting requirements:

  • Institutions must report regularly to the authorities (EBA, EIOPA)
  • All security incidents should be documented
  • A register of authorized third parties must be kept up to date
  • Usage statistics should be produced regularly

Failure to comply with these obligations exposes the entities concerned to significant sanctions.

These include, without being exhaustive:

Financial sanctions:

  • Maximum 5% of global annual turnover for serious offences
  • Minimum 500,000 euros fine

Operational sanctions:

  • Suspension or forced cessation of activities
  • Withdrawal of FDSS approval
  • Prohibition from practicing

Financial Data Sharing Schemes (FDSS) are mandatory contractual frameworks introduced by FIDA to govern the sharing of financial data. These schemes bring together data holders, users, and consumer organizations, and define common rules for transparency, authorization management, remuneration, and accountability. Each financial actor must join at least one FDSS within 18 months of FIDA's entry into force.

Reputational sanctions:

  • Mandatory publication of sanctions (Name & Shame)
  • Reinforced surveillance

How do you stay compliant with FIDA regulations?

  1. Create a customer control space
  • Develop an interface that allows customers to track and manage their data sharing permissions
  • Set up simple options to activate/deactivate information sharing

  2. Optimize data protection
  • Establish robust security measures, such as encryption and strong authentication
  • Use data only under conditions accepted by the customer
  • Implement processes to delete data that is no longer needed

Next steps in setting up FIDA

  • Plenary vote in the European Parliament to confirm the mandate
  • Trilogue negotiations scheduled for the first quarter of 2025
  • Start of implementation in the third quarter of 2025

Financial firms need to start preparing now, as adapting to FIDA could result in significant costs and require significant changes in their systems and processes.
ShareID secures the financial data sharing required by FIDA thanks to its strong MFA 3.0 authentication and Zero Knowledge Proof technology. Our solutions do not store any data and use proprietary advanced encryption technology, allowing precise access control while guaranteeing regulatory compliance.
Do not hesitate to contact us for more information.


| Regulation | Key requirement | ShareID response | Result for you |
|---|---|---|---|
| PSD2 – Directive (EU) 2015/2366 + RTS SCA (EU 2018/389). Source PSD2: Directive (EU) 2015/2366 | Strong customer authentication (SCA) mandatory (Art. 97), with dynamic linking (Art. 5 RTS) and independence of factors (Art. 9 RTS). | Full IDV: identity document authentication + biometrics (liveness detection). MFA 3.0: strong identity-based re-authentication. (Full IDV + MFA 3.0) | Immediate SCA compliance; smooth user experience, reinforced security. |
| PSD3 / Payment Services Regulation (draft). Source RTS SCA: Delegated Regulation (EU) 2018/389. Entry into force expected in 2025/2026. | Articles 85–89: consolidation of SCA, accessibility rules, clarification of exemptions. | Full IDV: identity document authentication + biometrics (liveness detection). MFA 3.0: strong identity-based re-authentication. Solution already aligned with biometric journeys and exemptions. (MFA 3.0) | Anticipate future changes without a major overhaul. |
| DORA – Regulation (EU) 2022/2554. Source DORA: Regulation (EU) 2022/2554 | Strong authentication to protect critical systems and data (Art. 9(4)(d)); strict oversight of information and communication technology providers (Art. 28–30). | MFA 3.0: strong identity-based re-authentication. Integrable via SDK/API (iOS, Android, Web), full traceability. (MFA 3.0) | Critical information systems secured, compliance demonstrable to supervisors. |
| eIDAS (EU 910/2014) + implementation 2015/1502. Source eIDAS (2014): Regulation (EU) 910/2014 | Simple / substantial / high levels; multi-factor encouraged for the substantial and high levels. | Document authentication + biometrics (liveness detection). (Full IDV) | Evidential value close to an in-person check. |
| eIDAS 2 – Regulation (EU) 2024/1183. Source eIDAS 2: Regulation (EU) 2024/1183 | EUDI Wallets will have to operate at a high level of assurance, with selective sharing of attributes. | MFA 3.0: strong identity-based re-authentication. Integrable via SDK/API (iOS, Android, Web), full traceability. (MFA 3.0) | Smooth integration of the future European wallets. |
| MiCA – Regulation (EU) 2023/1114. Source MiCA: Regulation (EU) 2023/1114 | Crypto-asset service providers must apply KYC/AML obligations (Directive 2015/849); Art. 76 imposes enhanced CDD (strengthened customer due diligence) for certain platforms. | Document authentication + biometrics (liveness detection) = anti-deepfake and anti-spoofing. (Doc IDV or Full IDV) | Drastic reduction in fraud, crypto-AML compliance. |
| ETSI TS 119 461 (V2.1.1, 2025). Source ETSI TS 119 461: European standard | Remote identity verification: 5 steps (initiation → collection → validation → binding → result). Liveness and anti-spoofing mandatory for remote journeys. | Full enrollment: document authentication + biometrics (liveness detection). Algorithms trained on a database of genuine and fake documents from the Gendarmerie Nationale. (Full IDV) | Robust KYC enrollment, recognized evidential value. |
| FIDA – Financial Data Access (draft). Source FIDA (proposal): European Commission | Explicit, traceable and revocable consent via dashboards. | MFA 3.0: strong identity-based authentication at the time of consent + smooth re-authentication with a simple smile. (MFA 3.0) | Compliant, user-centric data access. |
| GDPR – Regulation (EU) 2016/679. Source GDPR: Regulation (EU) 2016/679 | | Data retention period at ShareID is configurable. No biometric storage: patented homomorphic hashes, ISO 27001. | Brand image, reduced regulatory/legal risk, increased trust from regulators and customers. |


