Financial data is one of the most sensitive and vulnerable forms of personal data. Broadly, it pertains to any information related to bank accounts, purchase history, credit records, and details of an organization’s assets and liabilities. Because financial data plays a critical role in both personal life and economic outcomes, it is a prime target for security breaches such as cyberattacks, identity theft, and fraud. Thus, when financial data is compromised, the results can be damaging to any consumer or organization.
The European Union’s (EU) General Data Protection Regulation, or GDPR, offers the most stringent, comprehensive, and standardized framework for protecting all forms of personal data, including financial data. Along with the current GDPR requirements, the European Commission has developed its Framework for Financial Data Access (FiDA). In short, the framework proposes a consumer-centric “open finance” solution designed to facilitate secure access to financial data, protect consumers’ personal data, promote competition, ensure compliance with broader GDPR requirements, and maintain organizational transparency.
This article explores developments within financial data protection law, how financial data is regulated in Italy, the evolution of open finance under FiDA, and the changes the sector may undergo in the future.
History of Financial Data Protection
Payment Service Directive 1
Since the 2000s, Europe has undergone a series of transformations related to the protection of financial data. Beginning in 2007, the European Commission adopted the first Payment Service Directive (PSD1). The directive standardized the rules and authorizations for processing and securing financial data, but did not differentiate between types of transactions. The directive applies to banks and non-bank payment service providers (PSPs) processing any financial data in the EU. These institutions obtain authorization by maintaining “robust governance arrangements…and a certain amount of capital,” according to the EU. In short, the PSD1 holds data processors accountable for protecting financial data in two key ways.
- Requires organizations to communicate financial information related to fees, complaint procedures, and charges payable before a payment service is provided
- Ensures organizations provide adequate information to the consumer about the payment amount, transaction fees, commission, and the reference of the payment transaction after the transaction has occurred
Revised Payment Service Directive
By 2015, Europe introduced a Revised Payment Services Directive (PSD2) to update and enhance the financial data regulations outlined in PSD1. The PSD2 outlines stronger data protections, consumer authentication solutions, definitions related to the types of transactions, and enforcement mechanisms. In particular, the directive seeks to satisfy four key objectives.
- Increase the efficiency and unification of the European payment market by building upon the PSD1
- Continue to accommodate new entrants into the market to support healthy competition
- Make payments safer and more secure to mitigate the risk and severity of data breaches
- Create more protections for both individual consumers and organizations handling financial data
Further, PSD2 sought to encourage open finance practices in the EU and, thus, opened the European payment services market to third-party providers under three types of transactions.
- Payment initiation services
- Account information services
- Issuing credit card payment instruments
Financial Data Protection Under GDPR
By 2016, the EU passed the GDPR, which outlines the most far-reaching, comprehensive protections for personal data across Europe. Under GDPR Article 4(1), financial data qualifies as personal data because information such as bank account details or credit records can be linked to “[an] identified or identifiable natural person.”
The GDPR is a strongly consumer-focused regulation. It prioritizes individuals’ access to their personal data and holds organizations accountable for maintaining and protecting consumer data. More specifically, under GDPR Article 25, financial organizations are required to implement adequate technical and organizational measures to safeguard consumer financial data “by design and default.” Additionally, the Accountability Principle under GDPR Articles 5(2) and 24 requires that organizations demonstrate compliance with the regulation.
Additionally, when financial data is processed by banks, non-bank PSPs, or other financial institutions, the processing must be completed under at least one of the following legal bases outlined in the GDPR Article 6.
- Consent: The individual gives permission for a specific purpose (e.g., for personalized marketing)
- Contractual performance: The processing is necessary to complete a contractual obligation
- Legal obligation: The processing is necessary to comply with the law (e.g., anti-money laundering)
- Vital interest: The processing protects consumer well-being
- Public interest: The processing is necessary and carried out for the public well-being
- Legitimate interest: The organization has a legitimate interest in processing data, except when that interest conflicts with fundamental consumer data protection rights or the data subject is a child
What A Third Directive Could Look Like
Later, in June 2023, the European Commission proposed an initial revision of PSD2 to integrate and grow the payment services market even further. The initial revision consists of two components that would fall under a newly developed FiDA.
- Third Payment Services Directive (PSD3) would address legal inconsistencies in licensing and enforcement mechanisms
- Payment Services Regulation (PSR) would address data security needs, consumer authentication developments, and organizational obligations (for banking and non-banking PSPs)
Although PSD3 is still in draft form, it will likely initiate changes in several areas of financial data protection law in Europe.
- Increase consumer protection and transaction security to address cybersecurity risks and fraud occurrences more comprehensively. This can include mandatory bank account number checks, refund guidelines for fraud, and increasing consumer accessibility to their transaction history
- Encourage open finance practices to further improve transparency and build upon the banking network established in PSD2
- Support cross-border and cross-currency transactions by presenting consumers with clear and updated foreign exchange rates and settlement times
- Preemptively address future market developments by outlining a legal framework for financial data sharing, processing, authorization, and access among bank and non-bank PSPs
- Continue to increase competition within open finance by bolstering regulations around financial application programming interfaces (APIs), developing additional monitoring practices, and increasing transparency among open finance providers and banking and non-banking PSPs
An Introduction to Open Finance
Open finance refers to “the sharing, access and reuse of personal and non-personal [financial] data,” to promote innovation and strengthen protections for both consumers and organizations, according to the EU’s 2022 report on open finance. To achieve this aim, the EU specifies five goals for adopting open finance practices.
- Enhancing customer experience through personalized products
- Promoting financial inclusion and access for underserved populations
- Ensuring consumer control over data sharing
- Enabling innovation through artificial intelligence (AI) and machine learning
- Supporting a cross-sectoral data economy
As mentioned, PSD2 laid the foundation for open finance practices when it opened up the European payment services market to third-party providers. The EU suggests that such an open finance model can be fully achieved by strengthening data protection, building consumer confidence, maintaining transparency in data sharing practices, increasing organizations’ and consumers’ access to financial data, and prioritizing user control in data usage practices. It is also vital to take preemptive measures, which include addressing the risks associated with transactions, financial exclusion, and data processing operations.
Although the EU does not endorse one particular open finance model, it specifies several possibilities and key considerations for a future setup.
- Contractual schemes: A market-driven approach that specifies voluntary data-sharing methods based on a contractual agreement. Keeping data sharing voluntary would show where demand is highest and promote innovation through increased market competition.
- Mandatory framework: A consumer protection-driven approach that outlines a specific, standardized set of legal requirements to make specific financial data available.
Both of these open finance frameworks can be feasible and beneficial. However, the optimal choice largely depends on data flow between stakeholders in the financial services market. Thus, the EU should consider the future of PSD3 and open finance practices based on several conditions.
- The actor who initiates data sharing or processing activities
- The legal basis used for data processing (e.g., consent, contract, consumer interest)
- The conditions under which data sharing occurs
- The method by which data is processed and shared, including existing data security measures that impact this operation
- How the open finance model would coexist with current GDPR requirements
Framework for Financial Data Access (FiDA)
Although PSD2 remains a significant development in financial data law, its scope was limited to payment and bank account information. This limited scope could not cover developments within the complex, fast-growing, and rapidly evolving payment and financial services market. In fact, between 2017 and 2021, the value of electronic payments in Europe grew from 184.2 trillion to 240 trillion euros. Additionally, this market growth enabled organizations to develop advanced financial technology (Fintech) innovations.
By June 2023, the European Commission introduced FiDA to expand financial data sharing regulations across the broader industry. The framework aims to extend regulations over financial data to savings, insurance, investments, mortgages, pensions, and other financial tools. In doing so, the EU hopes to strengthen data protection requirements, raise transparency among data processors, standardize data sharing practices, and address recent developments within the market. Several key elements of this plan include:
- Adopt a consumer-centric approach that gives individual consumers greater access to and control over their financial data and focuses on developing trust with consumers
- Require mandatory data sharing, which would make organizations report the data they receive when consumer consent is given
- Standardize financial APIs to ensure interoperability, efficiency, and security
- Remain aligned with GDPR to uphold the regulation’s strict compliance surrounding transparency, security, and data subject rights
Italy’s Regulatory Landscape
Italy follows EU regulations, including GDPR and FiDA. These regulations, along with Italy’s national data protection framework, are administered and enforced by the Italian Data Protection Authority, known as Garante Privacy. When it comes to financial data protection, Garante Privacy works with financial institutions and data controllers, such as the Bank of Italy and CONSOB, to monitor adherence to current laws. Garante Privacy leads in protecting all forms of data throughout Italy. Some of its key responsibilities within the financial sector include:
- Fintech and AI guidance: Ensuring transparent, fair, and compliant practices under new and developing fintech innovations. In the past, the agency has issued guidance on fintech, banking surveillance, biometric data, and AI matters.
- Cybersecurity emphasis: Holding organizations accountable for reliably protecting consumer financial data and taking appropriate measures to mitigate security risks and data breaches
- Compliance: Garante Privacy has both investigative and enforcement power. It conducts investigations and sanctions financial organizations that fail to comply with GDPR, mishandle data, or do not receive the proper consumer consent.
- European Data Protection Board (EDPB): Garante Privacy actively participates in the EDPB. Briefly, the EDPB issues standardized guidelines to promote a clear and consistent understanding of data protection law across Europe
- Data retention requirements in Italy: According to Article 5(1)(e) of the GDPR, personal data should be retained “for no longer than is necessary” to support the public interest, scientific research, and statistical analysis. More specifically, Italy’s data retention requirement is 10 years to meet accounting and tax obligations; however, this may also limit Italy’s ability to meet all requests to relinquish or delete data
When it comes to implementing an open finance model, the EU’s 2022 report on open finance does not favor one approach over another. Instead, it suggests that a model be flexible and adaptable to national legal differences, including those in tax, social welfare, and pension financial systems. For countries like Italy, this entails detailed coordination between national data protection authorities (e.g., Garante Privacy) and the broader EU representatives.
Future Directions and Challenges in Financial Data Protection Law
Although the GDPR and FiDA offer some of the world’s strongest protections for financial data, several challenges and likely changes still surround the processing of that data.
- Consent Fatigue: According to GDPR Article 7, consent for data processing must be freely given, specific, informed, and clearly distinguishable. However, consumers may be uninformed about the financial service industry, unsure of how their data is being used, or experience “consent fatigue” after completing numerous data usage requests. Additionally, complex legal jargon can make it difficult for an ordinary consumer to give meaningful, well-informed consent. This disconnection between consumers’ and data processors’ understanding can lead to reduced transparency and hazy consent in the financial services market, contrary to the goals of open finance.
- Third-party provider risks: PSD2 first opened the European payment services market to third-party organizations. Allowing more external organizations to access data may increase the risk of a data breach occurring by one of those entities.
- Artificial intelligence: Although AI can improve efficiency and cut costs in the financial sector, it may also be untrustworthy with confidential financial information. Thus, in order for AI to work effectively, organizations’ AI policies must be highly transparent, include some form of human oversight, mitigate biases and stereotypes, and remain consistent with GDPR and FiDA practices.
Conclusion
Financial data is one of the most sensitive and critical forms of data. Since this form of data reveals personally identifiable information, it is also highly susceptible to data breaches. In order to fully protect consumers and organizations, the EU has adopted a set of procedures known as the Framework for Financial Data Access, or FiDA. FiDA is especially important because it outlines the way to integrate an “open finance” model in the European financial services market.
If adopted correctly, an open finance model has several long-term benefits. Such advantages include creating a personalized customer experience, promoting financial inclusion among all consumers, supporting individual consumers’ control over their personal financial data, enabling innovation through AI and other automated banking services, and supporting a cross-sectoral and international data economy.
At A.L. Assistenza Legale, we host a team of lawyers who are expertly trained in data protection law in Italy and abroad. If you have any questions about the current FiDA framework, data protection law, or future considerations your organization should make, please feel free to contact us!