FIDA (Financial Data Access): How do you stay compliant?

What is it FIDA?

On June 28, 2023, the European Commission presented Financial Data Access (FIDA), a new regulatory framework transforming access to financial data in Europe. This regulation significantly extends the scope of PSD2 by requiring the sharing of data beyond payment services alone.

IFAD now covers a broad spectrum of financial data: savings products, insurance contracts, investments and cryptoassets. This extension of the scope comes with specific obligations for financial institutions, in particular with regard to the provision of data and financial compensation.

This initiative is part of the European Union's digital finance strategy, in coordination with the Data Act. For financial institutions, it represents both a major compliance challenge and a strategic opportunity for development in the Open Finance ecosystem.

‍

Who is affected by FIDA?

Financial Data Access (FIDA) is a regulation that extends financial data sharing obligations in Europe, going well beyond the current PSD2 framework.

Its field of application extends to:

Savings products
Insurance contracts
Investments
Crypto-assets

‍

IFAD is part of the European digital finance strategy alongside the Data Act. It aims to strengthen innovation and competition in the financial sector while ensuring consumer protection.

‍

Entities concerned and specificities

‍

Traditional financial institutions:

Banks : all account data and transactions
Insurances : contract and claims data
Investment companies : portfolio positions and history

‍

New actors:

Fintechs : integration of APIs mandatory
Crypto-asset platforms : specific reporting
Payment service providers : real time access

‍

What are IFAD's obligations?

‍

Customers should be able to access all of their personal data held by financial institutions:

This includes the information they provided (contact details, income, family situation...)
Also the data generated during their interactions (transaction history, communications...)
As well as the details of their contracts and financial products purchased

‍

Customers can allow third parties to access their financial data:

This concerns most financial products: bank accounts, insurance, investments, cryptocurrencies
Only health and credit assessment data are excluded to avoid discrimination

‍

A dashboard should allow customers to manage their authorizations:

They can choose exactly what data to share with each third party
Access can be revoked at any time

‍

Secure sharing system:

Financial institutions should use standardized technical interfaces (APIs)
Strong authentication is mandatory, as for online payments (see DSP2/DSP3)
Data is encrypted during transfers
Technical specifications will be public to allow interoperability

‍

Access monitoring:

All data accesses are monitored in real time
Each consultation or transfer is recorded
Alerts are generated in case of suspicious activity (multiple accesses, abnormal volumes)

‍

Reporting requirements:

Institutions must report regularly to the authorities (ABE, EIOPA)
All security incidents should be documented
A register of authorized third parties must be kept up to date
Usage statistics should be produced regularly

‍

Failure to comply with these obligations exposes the entities concerned to significant sanctions.

Without being exhaustive, we find:

‍

Financial sanctions:

Maximum 5% of global annual turnover for serious offences
Minimum 500,000 euros fine

‍

Operational sanctions:

Suspension or forced cessation of activities
Withdrawal of FDSS approval
Prohibition to practice

‍

Financial Data Sharing Schemes (FDSS) are mandatory contractual frameworks introduced by FIDA to govern the sharing of financial data. These schemes bring together data holders, users, and consumer organizations, and define common rules for transparency, authorization management, remuneration, and accountability. Each financial actor must join at least one FDSS within 18 months of IFAD's entry into force.

‍

Reputational sanctions

Mandatory publication of sanctions (Name & Shame)
Reinforced surveillance

‍

How do you stay compliant with IFAD regulations?

‍

Create a customer control space

Develop an interface that allows customers to track and manage their data sharing permissions
Set up simple options to activate/deactivate information sharing

‍

Optimizing data protection

Establishing robust security measures: such as encryption and strong authentication
Use data only under conditions accepted by the customer
Implement processes to delete data that is no longer needed

‍

Next steps in setting up IFAD

Plenary vote in the European Parliament to confirm the mandate
Trilogue negotiations scheduled for the first quarter of 2025
Start of implementation in the third quarter of 2025

‍

Financial firms need to start preparing now, as adapting to IFAD could result in significant costs and require significant changes in their systems and processes.

ShareID secures the financial data sharing required by FIDA thanks to its strong MFA 3.0 authentication and Zero Knowledge Proof technology. Our solutions do not store any data and have proprietary advanced av encryption technology, the solution allows precise access control while guaranteeing regulatory compliance.