EU Financial Data Access (FiDA) Framework

Impact on companies in Switzerland and beyond

In June 2023 the European Commission issued a legislative proposal for a Framework for Financial Data Access (FiDA), which focuses on expanding access to customer data across a wide range of financial services.

Given the tight coupling of the finance and technology service industries between the EU and Switzerland, it is reasonable to expect that FiDA will affect a broad range of Swiss-based entities. This includes institutions serving EU customers directly and the service providers supporting them.

FiDA has not yet entered into force, but the effort required to comply with it may be substantial. In the following sections we examine the framework itself and consider its impact on companies in Switzerland.

Regulatory background

The FiDA framework is a further step towards implementing the EU’s digital finance strategy for building a more competitive and innovative European financial sector. This strategy, adopted in 2020, is designed to promote data-driven innovation in finance by establishing a common financial data space. It complements the open banking principles defined in the Second Payment Services Directive (PSD2), which has been in force since 2018.

The EU’s president, von der Leyen, confirmed in her 2022 State of the Union Letter that data access in financial services is among the key new initiatives for 2023 and beyond. The speech was followed by a report on open finance from an Expert Group on the European Financial Data Space, which discussed the key elements of an open finance system and assessed selected data sharing use cases.

At the time of this publication, FiDA remains at the proposal stage and the exact adoption date is not yet confirmed. In December 2024, the Council of the European Union issued a communication affirming its readiness to negotiate the final form of the legislation with the European Parliament. This represents the last significant step before the legislation comes into effect; however, it is difficult to predict how long the negotiations will take.

FiDA establishes an obligation for EU-based financial institutions to enable third-party access to customers’ data and sets the rules that govern it. The regulation is far-reaching and covers the majority of financial service providers, including (but not limited to):

  • Credit, payment and electronic money institutions
  • Investment firms (including managers of alternative investment funds)
  • Crypto-asset and asset-referenced token issuers or service providers
  • Insurance and reinsurance companies
  • Credit rating agencies
  • Occupational pension providers

However, with prior authorisation, non-financial firms will also be granted access, greatly increasing the number of players in the EU’s open data ecosystem.

Participating entities can assume either or both of the following roles:

  • Data holder – an entity that maintains (holds) and processes data provided by customers and data generated as a result of customer interaction.
  • Data user – any entity listed in FiDA that has lawful access to customer data following permission from a customer.

Key Provisions

The proposed framework contains the following key provisions:

  • Within 18 months of FiDA coming into force, data holders and data users shall become members of one or more Financial Data Sharing Schemes (FDSS). Members of such schemes will be required to develop data interfaces and structures to provide secure and effective data sharing.
  • Data holders will be allowed to claim compensation for making customer data available, but the maximum compensation levels shall be determined by the FDSS.
  • The regulation covers a broad range of data – at a high level, both data provided by customers and data generated as a result of interactions with customers. Almost any financial data associated with a customer will be within the scope for sharing.
  • Data holders will be required to provide customers with dashboards to monitor third-party access and manage permissions. Data should be made available in real-time.

On obtaining a customer’s consent, a financial institution (data holder) shall make data available to an authorised third party (data user) without undue delay, continuously, and in real time. The data shall be provided in a format based on generally recognised standards and in at least the same quality as is available to the data holder. Data holders and data users shall have interfaces and communication channels in place to enable data transfers and to allow data users to make efficient use of the data.

A simplified data access scenario is illustrated below:

Relevance for companies in Switzerland

FiDA will affect two broad categories of entities based in Switzerland: financial service providers with an EU presence, and the suppliers that support them.

Financial service providers with an EU presence (acting either as data holders or data users) are likely to be affected both by new compliance obligations and by increased competition resulting from improved data access for other firms.

Companies that decide to enter the EU market as data users shall appoint a legal representative in one of the EU member states and obtain authorisation as a Financial Information Service Provider, in line with the requirements on applications for authorisation set out in Article 12 of FiDA.

The impact on suppliers will depend largely on the type and extent of the services they provide. For example, service providers that work directly with customer data may need to develop new data storage and transmission functionalities to comply with the requirements of a particular data sharing scheme.

Compliance Challenges

Based on our experience with EU regulations, we have identified several specific areas where we anticipate that companies will face challenges, either when introducing new processes and controls or when evidencing existing arrangements in response to the regulatory changes introduced by FiDA:

Due to its EU-centric nature, FiDA applies only to services and data relating to customers based in the EU. It is therefore important to identify the data elements, support functions and processes that fall within the scope of the legislation. Including services, customer groups or support functions that are not relevant may result in unnecessary costs and increase the risk of violating non-EU data privacy regulations.

The EU General Data Protection Regulation (GDPR) applies when personal data of EU-based customers is shared and processed. FiDA does not introduce any new data privacy requirements; however, the GDPR is explicitly referred to in the regulation. Although companies based in Switzerland are typically well-versed in data privacy requirements, compliance with local laws does not necessarily equate to compliance with EU regulations. For instance, Switzerland’s Federal Act on Data Protection (FADP) is more lenient than the GDPR with regard to the legal basis for data processing, accountability, profiling and consent management. It is therefore crucial to identify compliance gaps, especially in view of the close link between FiDA and data privacy laws.

The importance of having robust governance arrangements is emphasised in FiDA (Articles 12, 14 and 15) with a particular focus on companies obtaining access to customer data. We see the following challenges when addressing regulatory corporate governance requirements:

  • It is essential to ensure that existing governance arrangements are suitable for addressing the requirements of any particular regulation. For FiDA compliance, sufficient attention should be given to data governance and management as well as to cyber security risks.
  • Organisations should be able to demonstrate the effectiveness of the governance arrangements and controls supporting their compliance obligations throughout the financial data processing and sharing pipeline.

FiDA does not explicitly address requirements for operational resilience, but it refers to another EU regulation – the Digital Operational Resilience Act (DORA). Service providers are required to comply with DORA and to provide evidence of compliance when applying for authorisation as a financial information service provider.

Implementing new data exchange interfaces and handling an increasing volume of processed data will introduce new cybersecurity risks for both data holders and data users. FiDA emphasises the importance of security for data transmission and storage; however, the regulation is not prescriptive about the technical solutions or controls that should be introduced. In particular, data holders are required to ensure secure communication in accordance with Article 5 of FiDA, while data users are required to have adequate technical measures in place to ensure data confidentiality in accordance with Article 6. Typically, we see the following areas where controls either need to be introduced or improved:

  • Data encryption (at rest and in transit)
  • Third party onboarding and secure authentication
  • Session management
  • Logging and monitoring

Article 12(2) of FiDA requires companies registering as financial information service providers to submit an overview of their outsourcing arrangements. Although the regulation is not prescriptive, Article 16(c) states that outsourcing of important operational functions must not impair internal control or the supervisor’s ability to monitor compliance. In an environment with a high degree of outsourcing, companies may face challenges in addressing compliance and evidencing end-to-end coverage, particularly when partners are unfamiliar with regulations outside Switzerland.

How can we help?

Deloitte in Switzerland offers a wide range of services that can help data holders and data users to prepare for FiDA, in particular:

  • Assessing the company’s services, customer base and support functions to define the scope boundaries for FiDA compliance.
  • Evaluating the current state and performing a gap assessment, focusing on risk management, data governance, incident management, and business continuity requirements.
  • Reviewing data governance to provide an assessment of readiness to participate in data sharing.
  • Reviewing outsourced activities to identify areas where activities critical to FiDA are managed by suppliers, and assessing the current third-party risk management process.
  • Preparing or reviewing business plans in accordance with FiDA Article 12(2).
  • Designing and implementing internal control mechanisms, automation solutions and risk management procedures needed for FiDA compliance.
  • Preparing and executing an internal audit plan, taking into consideration requirements of Article 12(2).