EUROPEAN COMMISSION

Brussels, 28.6.2023

SWD(2023) 224 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

Proposal for a

Regulation of the European Parliament and of the Council

on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

{COM(2023) 360 final} - {SEC(2023) 255 final} - {SWD(2023) 230 final}

Table of Contents

1.Introduction

1.1.Economic context

1.2.Political context

1.3.Legal context

2.Problem definition

2.1.Problem to be addressed by this initiative

2.2.Problem drivers

2.3.Consequences

2.4.How likely is the problem to persist without further action?

2.5.Problem tree

3.Why should the EU act?

3.1.Legal basis

3.2.Subsidiarity: necessity of EU action

3.3.Subsidiarity: added value of EU action

4.Objectives: What is to be achieved?

4.1.General objectives

4.2.Specific objectives

5.What are the available policy options?

5.1.Baseline

5.2.Description of the policy options

5.2.1    Enhance customer trust in data sharing (specific objective A)    

5.2.2    Oblige data holders to share customer data with data users (specific objective B)    

5.2.3    Promote standardisation of customer data and interfaces (specific objective C)    

5.2.4    Promote implementation of high-quality interfaces for customer data sharing (specific objective D)    

5.3.Options discarded at an early stage

5.4.Analysis of the impact of policy options

5.4.1.    Enhance customer trust in data sharing (specific objective A)    

5.4.2.    Oblige data holders to share customer data with data users (specific objective B)    

5.4.3.    Promote standardisation of customer data and interfaces (specific objective C)    

5.4.4.    Promote implementation of high-quality interfaces for customer data sharing (specific objective D)    

6.Preferred option

6.1.Preferred policy option bundle

6.2.Overall impact of the preferred option bundle

6.3.Application of the “one in one out” approach and REFIT

7.How will actual impacts be monitored and evaluated?

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

2.Organisation and timing

3.Consultation of the RSB

4.Evidence, sources and quality

Annex 2: Stakeholder consultation

Annex 3: Who is affected and how?

Annex 4: Analytical methods

Annex 5: Scope of Consumer Data under Policy Option B.2 (access to selected data sets)

Annex 6: Coherence of preferred option bundle with other relevant legal frameworks and initiatives

Annex 7: Examples of use cases

Annex 8: Assessment of how SMEs are likely to be affected

Annex 9: Market-driven open finance initiatives

GLOSSARY

1.Introduction

This Impact Assessment accompanies the legislative proposal for a framework regulating access to and use of customer data in finance (‘open finance’). Open finance refers to the access to and processing of business-to-business and business-to-customer (including consumer) data upon customer request across a wide range of financial services, except payment accounts (‘open banking’) data that is covered by the revised Payment Services Directive (PSD2). The open finance initiative takes a customer-centric approach and aims to ensure that all consumers and firms have effective control over their financial data, notably by strengthening personal data protection in line with the General Data Protection Regulation (GDPR) and applying the general principles of business-to-business data sharing in line with the Data Act proposal . The initiative also aims to promote data-enabled financial products and services by expanding pools of quality data and putting in place clearer governance structures for their processing. This will improve economic outcomes for those customers who wish to share their data and ensure that they have the opportunity to benefit from open, fair, and safe data-driven innovation in the financial sector. Overall, this initiative contributes to the implementation of the European strategy for data in the financial sector. 

This initiative covers customer data that financial institutions typically collect, store and process as part of their normal interaction with customers. These data include both personal and business entity data transmitted by the customers themselves (transmitted data). It also includes personal and non-personal transaction data arising from customers’ interactions with their financial service providers (transaction data).

1.1.Economic context

Data-driven innovation is the result of effective use of data, in combination with data analytics (software), which generates information of social and economic value. It can help boost productivity and improve or foster new products, processes, organisational methods and markets. Access to data is thus crucial for competition and innovation in the digital economy 2 .Firms have become increasingly reliant on data, information and knowledge to remain productive and retain their competitive edge. Where the value of secondary data reuse for the society as a whole is larger than the private value of primary data use, access to and sharing of data can maximise the value of data across organisations, sectors and economies 3 .

The data economy, which is driven by the production and use of data, has substantial growth potential 4 . In 2021, the overall size of the EU data market where digital data are exchanged as products or services marked a considerable annual increase of 4.9% to reach EUR 63.6 billion 5 . The impacts of these positive trends on the economy as a whole are captured by the value of the data economy, which has been estimated to have reached €443 billion in 2021 representing 3.6% of GDP. In 2030, the EU data economy is expected to reach the EUR 1 trillion threshold, growing as the share of GDP to 5.9%. Similarly, the number of data supplier and data user companies (i,e firms that produce and deliver data-related products, services and technologies as their main activity or that generate, collect and analyse digital data intensively) has increased along with the data market in the past few years. Data is also a critical resource for new entrants, such as start-ups and SMEs, in particular, with low initial capital 6 .

Among different sectors, financial services are the biggest user of data in the EU and data-driven firms in finance stand to benefit substantially from increased data sharing 7 . Every digital interaction in finance creates data, which can be made operable and useful to other parties. This importance of data will further increase with the growing use of emerging models, concepts or technologies that rely on data, notably artificial intelligence (AI). The use of AI applications in the EU financial sector continues to grow and it is expected to have particularly important and potentially disruptive impacts on financial services in the coming years. 8  In fact, 10% of all the start-ups and scale-ups included in the EU data landscape database 9 of some 3,000 key data companies active in the area of big data are financial technology (fintech) firms.

Within financial services, and as a result of PSD2, open banking in the EU has begun to transform the way consumers and businesses use banking services (see Box in section 1.3 for an overview of the evaluation of PSD2). Open finance is expected to continue this trend in the general context of the open economy. Some estimates suggest the potential boost that open financial data could provide in the range of 1-1.5% of EU GDP in 2030, with 55% of the value accruing to customers and 45% to the industry 10 .

1.2.Political context

As stated by President von der Leyen in her Political Guidelines 11 , and set out in the Communication ‘Shaping Europe’s digital future’ 12 , it is crucial that Europe can reap all the benefits of the digital age and strengthens its industry and innovation capacity, within safe and ethical boundaries. The European strategy for data 13 sets out the vision of creating a single market for data that will ensure Europe’s global competitiveness and enable smaller EU players to scale up. Data is also critical to achieving the European Green Deal  objectives, such as supporting the circular economy, reducing waste as well as adapting to and combating climate change. 

In 2020, the Commission identified the promotion of data-driven finance as one of the priorities in its Digital Finance Strategy  and stated its intention to put forward a legislative proposal on an open finance framework. The CMU Communication adopted in 2021 confirmed the Commission’s ambition to accelerate its work on open finance and announced the establishment of the Expert Group on the European Financial Data Space to provide input on a first set of use cases related to open finance. Most recently, President von der Leyen confirmed in her 2022 State of the Union Letter of Intent  that data access in financial services is among the key new initiatives for 2023. It will build on the PSD2, which enabled the sharing of payment accounts data, and enable sharing of a broader set of financial services data.

The legislators recognise the benefits of further data sharing in finance. In its own initiative report on Digital Finance , the European Parliament “underlined the importance of open banking in improving the quality of payment services by the inclusion of new market participants that provide increased operational and price efficiency to the consumer; points out that a transition from open banking to open finance, i.e. the inclusion of financial services other than payments, is a strategic priority which has the potential to improve efficiency, reduce concentration risks and enhance financial inclusion.” 14

The ECOFIN Council concluded that “open finance may bring additional impetus to innovation and that it should therefore be duly taken into consideration, while ensuring a level playing field and an adequate level of consumer protection, and taking into account the lessons learnt from PSD2, the potential impacts on the business models of financial intermediaries and the potential risks involved (e.g. privacy-related risks) 15 .

International developments also underscore the need for action on open finance. Third countries have already taken or are currently exploring steps to move from open banking to open finance. Most (non-EU) OECD countries are planning or are in the process of discussing further development of their data sharing frameworks and/or their expansion to other sectors beyond payments as the next stage in the evolution of open banking-type data sharing arrangements, with gradual evolution towards an expanded set of data types and other sectors of the financial (and non-financial) market 16 . This trend is reflected in regulatory developments in Australia, Singapore, and the United Kingdom. 17  The EU is a globally recognised pioneer in the field of open banking and the objective of this initiative is to maintain this lead in terms of innovation by moving forward with establishing an open finance framework.

1.3.Legal context

This initiative is a response to the commitment set out in the EU Digital Finance Strategy to put in place a European financial data space. It complements already tabled legislative proposals on (1) the European Single Access Point (ESAP) 18 , and (2) the strategy on supervisory data 19 .

This initiative builds upon the already existing ‘open banking’ provisions under PSD2, that regulate access to and processing of customer data held by account servicing payment service providers (ASPSPs – banks). Based on the review clause in Article 108 of PSD2, and as announced in the Retail payments strategy of 24 September 2020 20 , an evaluation of PSD2 has been carried out and a legislative proposal to modify the PSD2 (“PSD3”) is being proposed in parallel to this initiative (see dedicated PSD3 impact assessment). The two initiatives remain separate because the PSD3 proposal covers customer data relating to payment accounts only, which are not covered by the open finance initiative. Furthermore, policy measures required to improve an already existing system of data sharing under PSD2 differ from those needed to build a new regulatory system for other parts of the financial sector. At the same time, this initiative builds on the lessons learned on ‘open banking’ as identified in the review of PSD2 (as summarised in Box 1, based on the PSD2 evaluation report), and is fully consistent with the PSD3 proposal, as set out in the analysis of options in section 5.  

This initiative also contributes to the EU strategy for retail investors by supporting its objective to improve the functioning of the retail investor protection framework 21 . Moreover, it will ensure compliance with the applicable rules on cybersecurity and operational resilience in the financial sector, as set out in the Digital Operational Resilience Act  which entered into force on 16 January 2023 22 .

Generally applicable legislation

The open finance framework is designed in full coherence 23 and without prejudice to the GDPR, which provides for general rules on the processing of personal data to ensure their protection and free movement. 24 Any legal obligation to disclose personal data must meet the requirements set by the GDPR. Giving consumers control over their personal data is one of the main objectives of the GDPR 25 , which stipulates generally applicable requirements, including the requirement to ensure the security of data processing 26 and the right to data portability 27 . However, the latter is subject to practical limitations as set out in this impact assessment, which have led the Commission to propose a general framework for additional data access rights in the Data Act, and the same approach is taken in this initiative.  

This financial sector initiative fits into the broader Data Strategy for Europe and builds upon the key principles for data access and processing set out in the following generally applicable initiatives:

·The Data Governance Act  (entered into force on 23 June 2022) is focused on increasing trust in data sharing and improving interoperability between data spaces. It also creates a framework for data intermediation service providers with a secure processing environment where companies or individuals can share data. 

·The Digital Markets Act  (entered into force on 1 November 2022) establishes new data-sharing requirements to tackle the market power of gatekeeper platforms and level the playing field in digital markets. Gatekeeper platforms will have to ensure real time access to data provided or generated on the platform by business users and consumers.

·The Data Act proposal (23 February 2022) 28  establishes new data access rights as regards the Internet of Things (IoT) data for both product users and providers of related services subject to user permission. For business-to-business data sharing across the economy, the Data Act proposal regulates unfair contractual terms in relation to data sharing (Chapter IV). It also establishes generally applicable obligations for those data holders, which are legally obliged to make data available to data recipients under Union law or national legislation implementing Union law (Chapter III). However, no such obligations to make data available exist currently in the financial sector beyond payment accounts data. 

·The Free Flow of Non-Personal Data Regulation ensures that non-personal data can
be stored, processed and transferred anywhere in the EU. It also addresses the problem of ‘vendor lock-in’ at the level of providers of data processing services, by introducing self-regulatory codes of conduct to facilitate switching data between cloud services.

·The ePrivacy rules on the processing of data in the electronic communication sector are contained in Directive 2002/58/EC. These rules protect the confidentiality of communications as well as any (personal and non-personal) data stored in and accessed from terminal equipment.

·The Open Data Directive sets out minimum rules governing the reuse of data held by
the public sector and of publicly funded research data.

·The proposed Framework for a European Digital Identity that amends Regulation (EU) No 910/2014 will enable citizens and businesses in the EU to access public and private services online in a secure manner, including in the financial sector. 29  

Specific rights and obligations on data access and processing have also been regulated to various degrees in other economic sectors, not related to financial services. An overview of these initiatives, as well as a detailed description of the coherence of this initiative with the GDPR, PSD3 and the broader EU regulation for data sharing are summarised in Annex 6 (coherence of preferred policy option bundle with other relevant legal frameworks).

Lastly, the EU is bound by its international trade commitments in cross-border data flows. 30  

2.Problem definition

2.1Problem to be addressed by this initiative

The main problem is that EU financial sector customers do not have effective control over their data in order to access data-driven services beyond payments. As a result, the supply of data-driven services also remains limited. Figure 1 depicts the impeded customer data flow in the financial sector beyond payments.

Figure 1. Problems in the current data flow process in the financial sector beyond payments

Source: DG FISMA

The relevant stakeholders include:

·Customers (consumers or firms) who may want to give data users access to their data held by financial institutions to obtain personalised products and services;

·Financial institutions acting as data holders of customer data; and

·Third-party providers (other financial institutions or fintech firms) acting as data users who access customer data held by data holders based on customer request for the purposes of providing financial products and/or financial information services 31 .

Customers must be entitled to decide how and by whom their financial data is used: they may either want to limit third-party access to their data for principled reasons, or they may wish to grant firms access to their data for the purposes of obtaining financial and information services. Access to consumers’ and firms’ financial data would enable data users (financial institutions and fintech firms) to provide tailored financial products and services that better suit customers’ needs (see Box 2 in section 2.3 and Annex 7 for an overview of potential benefits and use cases). However, data users today only have limited access to such data. Therefore, those that wish to use customer data to provide new services find it difficult to do so. As a result, customers that wish to tap these potential opportunities are not able to benefit from a broader offering of more tailored services and products. At the same time, the activity of data users today is neither authorised nor supervised beyond payment accounts data, creating risks for customers.

A set of inter-related problems explain the limited access to data. First, in the absence of rules and tools to manage data sharing permissions, customers do not trust that potential risks of sharing data are addressed, so they are often reluctant to share their data. Second, even where they want to share data, the rules governing such sharing are either absent or unclear. As a result, data holders are not always obliged to enable data users’ access to their data. Third, data sharing is made more costly as both the data itself and the technical infrastructure upon which it would rely are not standardised and hence differ significantly. Addressing these problems is furthermore made more difficult by market participants’ (i.e. data holders’ and data users’) diverging interests. This initiative aims to address these problems in order to promote better access to consumers’ and firms’ financial data and hence make it possible for consumers and firms to realise the gains stemming from better financial products and services.

2.2Problem drivers

The above challenges are caused by the following problem drivers:

·Problem driver 1 – Customers hesitate to share their data due to lack of trust

Trust plays an essential role in data access, sharing and re-use across organisations, sectors and countries. It can be abused or erode over time and restoring it can be challenging. Data sharing comes with several risks to retail and business customers, such as those of breaches of confidentiality or privacy and the violation of other legitimate private interests. Evidence confirms that risks of confidentiality breach, for instance, have led data subjects to be more reluctant to share their data, including providing personal data, and in some cases to use digital services at all 32 . 

Several factors lead to low consumer confidence in data sharing in the financial sector. First, customers feel that they are not able to control how their data is being used. Lack of control over data is perceived as a major issue for both organisations and individuals. Some SMEs, for instance, have not only refrained from engaging in data sharing, but have even avoided using certain digital technologies such as cloud computing out of concerns of losing control over their data 33 . Even where individuals and organisations agree on and consent to specific terms for data sharing and data re-use, including the purposes for which the data should be re-used, there remains a significant level of risk that a third party may intentionally or unintentionally use the data differently 34 . Most of the citizens who participated in the public consultation believe that their data is shared by a financial or third-party service provider for reasons beyond what they have agreed to (58%). 35  This indicates lack of trust in data sharing. A recent market survey indicates that although many customers referred to using one of more finance-apps (80%), 61% said they never use ‘open banking’ products and services, largely due to data sharing concerns (57%) 36 . In addition to perceived data sharing concerns, a lack of enforcement of consumer rights also leads to low levels of trust. According to a recent Eurobarometer survey, almost one in two Europeans reported not to have filed a complaint when they suffered from a breach of their rights in the financial sector 37 . Indeed, from a consumer’s perspective, it may also not always be clear to whom they can address a complaint if something goes wrong when sharing data. 38   

A large majority of respondents to the targeted consultation on open finance believe that customers need more effective means to maintain control over their data, and that digital identity solutions, such as European Digital Identity Wallets, (78%) as well as privacy dashboards such as consent management dashboards (71%) would strengthen the ability of customers to control how their data is shared and used. 39 However, while personal information management dashboards are being tested by some data holders in the financial sector 40 , the scope of these tools is restricted to consumers only and do not cover businesses, and their rollout is often limited to specific forms of consumer-permissioned access to personal data.

These findings are consistent with the experience in the payment sector: the PSD2 review shows that a lack of consumer understanding and concerns regarding data protection have led to limited data sharing. 41  Consumers have found it difficult to understand and manage permissions to access data. This has contributed to low trust. While PSD2 provides for a legal obligation to share payment data following customers’ request, national data protection authorities 42 , consumer organisations 43 , and more recently the European Data Protection Board (EDPB) 44 have criticised the variations in the definition of ‘explicit consent’ as defined in PSD2 and the GDPR 45 . This has led to different interpretation of PSD2 requirements to share payment data amongst stakeholders 46 .

Second, customers worry about cybersecurity risks as well as how to protect their data and privacy when sharing data. Enhanced access and sharing typically requires opening information systems so that data can be accessed and shared. This may further expose parts of an organisation to cybersecurity threats that can lead to incidents that disrupt the availability, integrity or confidentiality of data and information systems on which economic and social activities rely. Personal data breaches are less frequently experienced compared to other types of cybersecurity incidents. However, evidence suggests that their impact is increasing drastically as large-scale data breaches become more frequent with the collection, processing and sharing of large volumes of personal data 47 . The risks of enhanced access and sharing go beyond digital security and personal data breaches. They include most notably risks of violating contractual and socially agreed terms of data re-use, and thus risks of acting against the reasonable expectations of users. This is true with respect to individuals (data subjects), their consent and their privacy expectations, but also with respect to organisations and their contractual agreements with third parties and the protection of their commercial interests. In the case of organisations, these risks can negatively affect incentives to invest and innovate 48 .

The vast majority of individuals responding to the public consultation believe there are security and/or privacy risks in giving service providers access to their data 49 . Moreover, studies suggest that consumers value their privacy and are aware of how this can be compromised in today’s technological environment 50 . Consumers are concerned by the risks to the integrity of their personal data when transacting online. In a 2020 Eurobarometer survey on cybersecurity, citizens reported their top two concerns to be the misuse of personal data, and the security of online payments 51 . They have concerns about how their personal data can be unlawfully accessed and used and are aware of the risks posed by cybercrime (e.g. data misuse, financial crime/fraud) 52 . 

Concerns about data security are a significant barrier to consumer engagement 53 . All stakeholders need to ensure that the data-sharing environment is safe in order to build trust in the ecosystem. According to the GDPR, service providers must take adequate security measures when handling personal data 54 . However, ensuring that the security framework is state of the art, resilient and futureproof in a data sharing context clearly involves additional business costs for firms. 

Third, many consumers consider financial data to be particularly sensitive and their use may lead to potential financial exclusion risks. A recent survey conducted by the Dutch National Bank shows that consumers are concerned with how their personal data is used. Consumers believe that financial data – data related to debts, payments, income, wealth – is more sensitive than data related to social contacts or personal preferences 55 . Inappropriate use of financial information could lead to unfair bias or prejudice that is harmful for the consumer. Some consumers could be excluded from a market as a result, whilst those who may choose not to participate in data sharing may end up paying a higher price for services 56 . Consumer associations participating in the Commission’s Expert Group pointed to several types of financial exclusion risks related to increased data sharing in the absence of proper safeguards 57 . This includes, amongst others, the risks that more granular risk selection may pose for vulnerable consumers with a higher risk profile. Moreover, there is a risk that consumers who do not decide to share their data may not get access to all the services and products offered. The risk-pooling nature of some sectors, such as insurance provision, could also be at stake, potentially resulting in higher prices for many.

·Problem driver 2 – Customers cannot make their data available to data users because data holders are not legally obliged to enable access

The main cause of the incentive problems of data access and sharing can be attributed to a positive externality issue: data access and sharing may benefit others more than it may benefit the data holder who may not be able to privatise all the benefits from data reuse. Thus, data holders may lack incentives to share their customer data, especially if the costs are perceived to be higher than the expected private benefits. There is a high risk that data access and sharing will not occur where firms cannot recuperate a sufficient level of return on their data-related investments, for instance, through revenues from granting data access against fees 58 . 

A majority of consumers who participated to the public consultation on open finance believe that data holders should make their data available to other financial or third-party providers if consumers have given their permission to do so (59%) 59 . However, a lack of a clear legal obligation on data holders to enable access to data means that customers (consumers and firms) who wish to share their data with data users like third party providers face a number of legal and technical barriers to do so beyond payments accounts regulated under PSD2.

The ability of third-party service providers acting as data users to access data based on consumer request under the data portability right set out in Article 20 GDPR is difficult to exercise in practice. Only 7% of financial firms that replied to the targeted consultation relied on a data subject’s data portability right under Article 20 GDPR in the financial sector: one third replied that they rarely do, and 29% do not 60 . This suggests that there are obstacles undermining the use of Article 20 GDPR in the financial sector. First, the right for data subjects to port data does not explicitly entitle them to do so on a continuous or real-time basis. Second, data portability is preconditioned on it being ‘technically feasible’. However, the absence of technical interfaces enabling direct access of third-party providers to data holders renders this right moot 61 . Furthermore, even where such interfaces exist, the lack of their standardisation impedes interoperability and increases the cost of using ported data. Third, the scope of the data portability right under Article 20 GDPR is limited to the personal data that is processed under the lawful grounds of processing of consent and for the performance of a contract, which excludes categories of data processed on other relevant lawful grounds under Article 6(1) GDPR 62 . Finally, no equivalent provision exists for non-personal data that is relevant for business customers, such as SMEs. As a result, the data portability right in accordance with the GDPR may not cover all needs of customers in the financial sector (other important factors include the absence of standardised ways for sharing data and the absence of clear rules on liability in case of data misuse which are addressed in problem drivers 3 and 4). 

Another avenue for third-party providers acting as data users to get access to customer data is to conclude a contract with data holders. However, data users have in many cases been unable to obtain access to customer data on a contractual/commercial basis due to unequal bargaining power. The latter applies to direct competitors and same-sector downstream providers, as well as SMEs and start-ups acting as data users. Firms that act as data users in a weaker position in the value chain do not have sufficient bargaining power to obtain access to certain data from data holders, whether for free or at a cost. This results in a difficult situation for companies whose business model depends on data held by third parties. 63   Furthermore, identifying which data to share and defining the exact scope and conditions for access and re-use is perceived as a major challenge by data holders, as inappropriate sharing of data can lead to significant costs, including fines due to privacy violations. The targeted consultation indicates that most firms using customer data (88.6%) have experienced difficulties in accessing data held by financial firms 64 . Two thirds of the firms using customer data held by financial firms had practical experience with ad hoc contracts to ensure data access – but indicated that the cost of concluding an ad hoc contract for data access was very high 65 . 

A third avenue for accessing customer data is to rely on interfaces provided by data holders to customers (e.g. online banking application). However, this avenue also faces important limitations. Third party providers acting as data users have been developing their IT solutions in such a way as to use these interfaces as the access point to customer data. This solution was also common practice in the area of payments before the introduction of a legal obligation to grant access to payments account data under the requirements of PSD2 66 . However, such solutions are not efficient and raise concerns about their security. They tend to break down each time the customer facing interface on the side of the financial service provider is modified. According to some data holders, the fact that third party service providers are using customer facing interfaces also has a significant negative cost implication for them, since many data holders have fixed service contracts with IT suppliers that involve high fees in case of substantial increase of customer interface usage. Lastly, some data holders maintain that third-party access via customer facing interfaces poses challenges for their security systems, as it may be difficult to distinguish access authorised by customers from unauthorised access 67 .

·Problem driver 3 – Customer data and interfaces in the financial sector beyond payment accounts are not standardised, rendering data sharing more costly

One of the most frequently cited barriers to data sharing and reuse is the lack of common standards. Inconsistent data formats are impediments to the creation of data sets, since variations in measurement and collection practices make it hard to compare and aggregate data. This is detrimental both for building data samples of robust statistical power and for data reuse across systems (i.e. interoperability) 68 . Clearly, the information that can be extracted from data depends on their quality, which can be enhanced through standardisation. Data quality typically depends on the intended use of the data: good quality for certain applications can be poor quality for others. Thus, data quality needs to be viewed as a multi-faceted concept, which is why data quality standards need to take into account the specific context of data use 69 . Furthermore, poor data quality may not only affect the ability and cost of reusing data, but also prevent stakeholders from participating in data-sharing arrangements in the first place 70 . 

The results of the targeted consultation on open finance strongly indicate that a lack of standardisation is an obstacle to data sharing in finance: 65% of active respondents 71 argue that a lack of standardisation hinders their ability to offer data-driven services 72 . A significant number of active respondents to the targeted consultation highlighted key reasons preventing the sharing and portability of user data to be fully effective in the financial sector. This includes the absence of standards ensuring data interoperability (52%), and the absence of standardised APIs (49%) 73 . 

Indeed, very little exists in the market today in terms of recognised standardisation of customer data and interfaces in the financial sector beyond payments. 74 While standards in the payment sector and some related activities have started to emerge 75 , no commonly recognised standards exist at this stage for the sharing of insurance, pension, and investment data as market participants often structure their data differently. 76 For example, data relating to investment advice and SME lending are not standardised across the market (see Annex 7). When it comes to API interface standardisation, the financial sector is not widely using standardised high-quality APIs beyond payments. Different standards and specifications are used for the same data and for different datasets, as opposed to fully standardised APIs. Certain data may be accessible and downloadable at a specific point in time, but this is not executed on a real-time basis.

With regard to common contractual frameworks which can be readily used for data access, little in terms of commonly agreed standardisation exists in the market today beyond payments 77 . The targeted consultation on open finance suggests that a clear majority of data holders (65%) and data users (69%) believe that standardisation of data could usefully be complemented by such contractual schemes.

However, data, interface and contract standardisation are needed to achieve interoperability, which is a crucial prerequisite for data sharing to take place effectively. Members of the Expert Group on European Financial Data Space suggested unanimously that there is a need for a higher level of standardisation for specific core data fields to increase interoperability 78 . The absence of standardisation of APIs has also been identified as an important element for the imperfect functioning of Open Banking under PSD2 79 . The more firms use data, the more technical barriers and lack of interoperability issues present important obstacles for access to and reuse of data 80 . They are also one of the most important drivers of costs for data users, especially for SMEs. Merging different datasets and making them interoperable is one of the most resource-intensive activities for data users and datasets are rarely interoperable by default even within the same value chain. This results in a need to multiply the efforts when a company wishes to integrate different datasets 81 . Interoperability is a crucial technical enabler for data sharing, as well as one of the highest categories of costs to be borne for developing new financial products and services. 

·Problem driver 4 - Data holders lack incentives for implementing high-quality interfaces for data users 

Making data available by way of high-quality application programming interfaces (APIs) is essential to facilitate seamless access to data 82 . Indeed, where data is not made available via high quality technical interfaces, each data user would have to spend significant time and investment to enhance the data quality before being able to aggregate and merge them with other data sets. The functionality of individual APIs may also differ, complicating this process even further.

Beyond the area of payments, only a minority of financial institutions that are data holders indicate that they make data available through technical interfaces like APIs 83 . At the same time, the majority of data holders expect new innovative products and services to be developed if more customer data were available through APIs 84 . Indeed establishing technical interfaces like APIs entails upfront costs (see Annex 3), and recovery of these costs from data users is subject to a coordination problem, as follows. On the one hand, if data supply is limited due to only a few financial institutions establishing interfaces to make customer data available, data users are unlikely to invest in developing new use cases. This is especially the case if a use case relies on data made available by several financial institutions (e.g. use case improving retail investment advice, as set out in Annex 7). On the other hand, absent development of such innovative services, market demand for data access will remain limited, and financial institutions acting as data holders which establish interfaces will not be able to recover the cost for setting up these interfaces.

Even where data holders are required to make customer data available, like under PSD2, in absence of sufficient business incentives, data holders may opt for the minimum effort to comply. Data holders may also be unwilling to grant access to actual or potential competitors for competition reasons. PSD2 experience shows that data holders in the financial sector (ASPSPs) might have lacked sufficient incentives to develop high-quality APIs 85 . There are several reasons for this. In addition to issues related to standardisation (problem driver 3), the evaluation of PSD2 indicates that many data holders believe that the investments for building infrastructure without compensation are disproportionate 86 , while uneven implementation and enforcement may have played a role, together with the competition considerations mentioned above. At the same time, 75% of respondents to the targeted consultation on open finance agreed that data holders should be entitled to compensation for putting in place the infrastructure. The results of the targeted consultation indicate that the majority of data users and data intermediaries are more concerned about a lack of incentives to ensure high quality data and interfaces than about the additional costs which a compensation would cause for them 87 .  

Concerns related to the application of liability rules also hold back the development of high-quality APIs, both with respect to liability rules that protect consumers and liability rules between market participants (data users and data holders). While there are general rules on liability to protect consumers 88 , the complexity inherent to increased data sharing means there is uncertainty about the application of liability rules to determine who is liable in case of fault (e.g. if shared data is incomplete, or if shared data is disclosed without permission). Data sharing may make financial service value chains longer as it may involve more data users, making it more complex for data holders and data users to determine liability and for consumers to seek redress. Complexity also stems from the fact that consumers have an increasing number of parallel contractual relations with multiple data holders and users 89 . In the financial sector, this means that data sharing exposes data holders and data users to financially very significant liability risks in case of fault, and uncertainty about liability risks can have a significant chilling effect for their willingness to engage in data sharing. The same applies to data subjects for whom data breaches may cause significant financial losses, if  they face unclarity and difficult judicial proceedings to recover those losses. Indeed, a majority of the respondents (55%) to the targeted consultation agree that it is necessary to clarify who is liable in order to ensure a high quality of customer data that is shared in open finance 90 . With regard to the application of liability amongst market participants, data holders stress the risk of data sharing in the absence of full clarity on liability, given the potential increase in data misuse, financial crime and fraud when data is shared, which may undermine customers’ trust in the bank and reputational losses 91 . Moreover, market participants in the Expert Group on the European Financial Data Space agree that a clear liability framework is required to ensure accountability and legal certainty in open finance 92 .

2.3Consequences

The limited access to customer data caused by these problems has a number of consequences.

First, consumers do not benefit from individualised, data-driven products and services that may fit their specific needs. According to OECD 93 , enhanced data access and sharing is a key means for improving transparency and empowering consumers. Open data initiatives in the financial sector demonstrate how data can be used to help people transact, save, borrow, lend and invest their money. By increasing transparency in the financial sector, this initiative can empower consumers so they become able to better compare existing offerings, which can contribute to a higher level of competition in the market. Certain segments of retail financial services display low levels of switching which suggests that consumers, in some cases, have either little inclination or choice to seek alternative financial products and services. According to a recent Eurobarometer report, only 29% of respondents have changed provider for at least one of their financial products or services in the past five years 94 . At the same time, there is evidence for growing demand for an EU open finance framework from end-users. A majority (57%) of respondents to the targeted consultation believe that increased data sharing and reuse can help consumers access offers more easily and connect them with financial products suited to their preferences and tailored to their financial profile 95 . This is why market-driven initiatives are already developing beyond open banking (see Annex 9).

In addition to fostering competition, customer data sharing may also act as a stimulus for innovation and the creation of new products and services, or the expansion of existing markets. The absence of personalised financial products limits the possibility to offer more choice and financial products and services for interested consumers who could otherwise benefit from data-driven tools that can support them to make informed choices, compare offerings in a user-friendly manner, and switch to more advantageous products that match their preferences and financial profile based on their data. Indeed, 70 % of respondents to the public consultation mention one or further innovative financial products which would stand to benefit retail customers. This is evident for example in the area of investment advice, where personalisation could help match investments to the sustainability preferences of clients (see example of use case in Annex 7): six in ten Europeans (62%) find it important that their savings and investments do not fund economic activities that have a negative climate impact. Nevertheless, only one in three consumers (34%) today know whether their private savings are invested into sustainable economic activities 96 . 

25 out of 34 OECD countries surveyed have reported active use cases resulting from data sharing frameworks in their jurisdictions involving innovative business models, such as credit scoring applications, debt management tools, wealth management applications, alternative payment services, product comparison, account verification and balance checks by third parties. For example, in Australia, a variety of use cases include providers using consumer and product data, with consent, to get a deeper understanding of the consumers’ financial situation and help them reduce their debt faster. Other reported active use cases in Australia include services that help smooth and expedite the application for and switching of loans by transferring and prefilling data used by brokers and/or lenders. Further use cases are emerging to help consumers calculate their carbon footprint and suggest alterative ‘greener’ purchasing options 97 .

Second, the existing barriers to business data sharing are preventing firms, in particular SMEs, to benefit from better, convenient and automated financial services. The above issues concerning consumers equally apply to business customers of financial firms. Innovative B2B solutions can contribute to enhancing access to credit or more broadly better financial management of SMEs (see examples of use cases in Annex 7). This was a potential highlighted by many respondents to the targeted consultation. 98  Box 2 provides an overview of potential benefits from open finance to both SMEs and consumers.

Third, financial institutions themselves cannot take full advantage of digital transformation trends to deliver a better customer experience whilst becoming more efficient and competitive along the way. Some 1,200 banks are already active as data users under PSD2 and the vast majority of them are expected to extend their activity into other types of customer data beyond payment accounts that they hold as part of their activity as providers or distributors of the relevant financial services and products. Data is an essential resource for growth: the results from the targeted consultation indicate strongly that financial firms see data sharing and reuse as a key source of innovation of financial services and products. 99  Digital technologies rely on data, which is increasingly driving change in financial markets, producing new business models, products and ways for firms to engage with their customers 100 . It is as important to ensure that data is able to flow freely across the EU single market in a safe and secure manner, as is the case for the free movement of capital and labour. More effective access to datasets by market participants would help facilitate the development of new data-driven services.

Fourth, third-party service providers acting as data users face lost business opportunities in data-driven innovation. This is the flipside of customers not benefitting from data-driven products and services. Most end users do not directly use raw data, but rather rely on data users that access such raw data to extract and present the embedded information in more user-friendly ways, sometimes enriched through additional inferred data. These data users typically provide added-value services including advanced data analytics services. While businesses tend to use so-called data brokers, consumers often access added-value information services via apps. Overall, this leads to new demand for added-value services and thus to new business opportunities for new and old data users, including data brokers and app developers, but also for some incumbents. Established open finance firms that entered the market following the introduction of PSD2 have already confirmed their interest to expand into new data sets. The most significant impact of open finance data sharing arrangements is the emergence of new entrants as well as FinTech firms with new business models. For example, more than 400 non-bank providers are estimated to have been created since the introduction of the PSD2 in the EU. Another possible impact involves greater and closer cooperation between banks and FinTech firms as observed in Japan 101 .

At aggregate economy level, the consequence is an underdeveloped EU digital financial data market in which customers cannot make full use of data-driven products and services. The EU financial data economy remains fragmented, characterised by uneven data sharing, barriers, and high stakeholder reluctance to engage in data sharing. This initiative is expected to deliver an overall stronger level of innovation and competitiveness of the European financial sector based on evidence from data sharing frameworks in OECD countries that have been producing positive impacts on customers and financial services, fostering innovation, increasing competition, lowering costs, and delivering better customer experiences 102 . Open Finance is expected by OECD countries to stimulate competition by de-monopolising data and improving information availability, while also encouraging the emergence of cheaper and better financial products for consumers.

2.4How likely is the problem to persist without further action?

The baseline scenario where the Commission takes no action is described in detail in section 5.1. This section provides a short summary of the essential consequences.

The current EU legislative framework does not allow to address all the challenges described in sections 2.1 and 2.2 above. Currently, the sharing of customer data in the financial sector has its basis in two legal frameworks: PSD2, with respect to payment accounts data of both retail and business customers, as well as Article 20 of the GDPR which grants the data subject the right to receive and port personal data held by financial service providers. However, access rights to customer data under PSD2 are limited to payment account data. The GDPR, in turn, is limited to personal data and gives a data subject the right to data portability only where it is technically feasible (see also the impact assessment accompanying the Data Act). Current legislation has shown limited effectiveness in allaying customer concerns over a perceived lack of control over their financial data and in facilitating the sharing and reuse of data in a highly interoperable manner. Once agreed, the Data Act proposal would apply. However, the obligations under Chapter III of the Data Act proposal, concerning mandatory business-to-business data sharing, would not apply in the financial sector beyond payment accounts, as they only apply to data holders legally obliged to make data available under other Union law or national legislation implementing Union law.

In the absence of EU action, the following situation will accordingly persist: 

Customers will continue to have limited control over their financial data when they chose to share it in the financial sector. Lack of market coordination would impede the emergence of private solutions to this problem. This will mean that issues related to low trust and lack of control, including due to ‘consent’ fatigue or a lack of clarity over liability, will persist. 103

Bilateral contracts between individual data holders and data users will continue to be the main vehicle for sharing and accessing data. Contractual barriers will be solved on a case-by-case basis, thus leading to dispersed approaches towards similar legal concepts across the single market and to the persistence of unequal bargaining power between parties. Businesses will continue to take a case-by-case approach to liability through their contractual arrangements. Technical barriers may be addressed at the industry and sectoral level, but at different speeds. Without a clear data sharing regime, innovators will have less opportunity to create new services that could provide more choice and better access to financial services and products.

Data sharing and reuse will remain limited in absence of a coordinated approach, including as regards standardisation. Due to a lack of standardisation, data users will continue to struggle accessing financial information in an interoperable and timely manner. Private initiatives on standardisation and schemes are unlikely to address the issue at a structural level for the financial sector as a whole. While some private initiatives may enable broader data sharing 104 , it is unlikely that these initiatives will reach the scale required to create an ecosystem between data holders and data users 105 . The main problem is related to coordination and incentives. Whilst contractual schemes on payment accounts data have gradually emerged, this has been a very slow and painstaking process conditioned by the need to implement PSD2. Against this background, it is unlikely that schemes would emerge by themselves across a much wider range of financial products and services in the absence of a regulatory impetus. Only 19.5% of respondents to the open finance targeted consultation agreed that without regulatory intervention, contractual challenges linked to open finance to be resolved within the next 3-5 years by the market itself. 106  Given the lack of adequate incentives for interoperability and financial data exchanges, the EU financial data market will continue to face issues such as vendor lock-in situations, as there will be no common interoperability requirements in finance to make market entry and switching easier. This may prevent a level playing field.

Overall, the EU financial data market would as a result remain underdeveloped, with more expensive services and less digital finance innovation.

From a global perspective, and a perspective of strategic autonomy, no further action implies there is a risk that the EU could lag behind as other jurisdictions move from open banking to open finance and develop their regulatory frameworks to enable greater data-driven innovation in financial markets.

2.5Problem tree

Figure 2: Problem drivers and consequences in the context of open finance

Source: DG FISMA

3.Why should the EU act?

3.1Legal basis

The Treaty on the Functioning of the European Union (TFEU) confers to the European institutions the competence to lay down appropriate provisions for the approximation of laws of the Member States, that have as their objective the establishment and functioning of the internal market (Article 114 TFEU). This encompasses the power to enact legislation at EU level to approximate requirements on the increasingly important use of data for financial institutions and for their supervisors, as financial institutions active across borders would otherwise face diverging national requirements, rendering cross-border activity more costly. Creating uniform rules for data sharing in the financial sector will contribute to the functioning of the internal market by ensuring a harmonised regulatory framework on financial data governance, in line with the European strategy for data.

3.2Subsidiarity: necessity of EU action

The data economy is an integral part of the EU internal market. Data flows form an intrinsic part of digital activities, and they mirror existing supply chains and collaborations. Any initiative aiming to organize such data flows must address the whole EU single market. As data holders are generally licensed financial institutions subject to EU supervision, action at EU level is needed to set uniform conditions and preserve a level playing field among financial institutions in order to safeguard market integrity, consumer protection and financial stability. Furthermore, the high level of integration within the EU financial sector – governed by broad and detailed set of rules largely set out in directly applicable regulations and supervisory arrangements that to a high degree is centralised at EU level – together with the significant cross-border activity of financial institutions, and the depth and breadth of digitalisation calls particularly for action at EU level in the financial sector.

The problems described in this impact assessment are common for all EU Member States. Legislation in the area of financial services is a shared competence between the EU and its Member States. The problem cannot be solved by Member States acting alone, given that the holders and potential users of customer data in finance often operate across several Member States in the internal market for financial services. Therefore, a single customer may have data held by financial institutions in different Member States, and to enhance trust and allow the integrated use of this data all these financial institutions would need to be subject to the same framework and the same technical standards. Individual national initiatives would result in overlapping requirements and disproportionately high compliance costs for firms without providing most of the benefits due to a lack of interoperable standards, which are fragmented along national lines.

It also is necessary for this initiative to take the form of a regulation directly applicable in all Member States (and not a directive), in order to ensure uniform rules across Member States concerning access to financial services customer data, as well as by whom and under which conditions access may occur.

3.3Subsidiarity: added value of EU action

To increase the use of data and leverage its potential in finance, individual action by Member States would be suboptimal and clearly insufficient. EU action is deemed necessary to provide a comprehensive way to access and use data in the single market for financial services. Action at EU level would bring more advantages and greater value than action taken separately at national level. It would provide common rules on the access of customer data across the EU financial sector and would therefore eliminate the need for Member States to individually improve rules, standards and expectations regarding access to personal and non-personal data in the financial sector. It will also improve financial products and services and create opportunities for consumers and firms to obtain better targeted advice and personalised services across the single market.

Not taking action at EU level would be a missed opportunity to reap the full benefits of the
single market, as it would result in the proliferation of piecemeal and uncoordinated approaches at national level, which would further fragment the single market for digital financial services. It would slow down the digital transformation of EU financial institutions, many of which operate across many Member States. Faced with differences in the accessibility and quality of financial data, it would be much more challenging for them to develop digital products and services both for operational and economic reasons. Developing a product for a market of 450 million people greatly benefits from the economies of scale and scope that characterise digital data. Consequently, a need to develop separate products for each national market would either result in more expensive products or less products brought to the market altogether. Such an outcome would disproportionally affect the smaller Member States. The same logic applies to innovative start-ups and new market entrants that would benefit from a single regulatory framework across the EU.

In accordance with the principle of proportionality, the proposed rules will not go beyond
what is necessary to achieve the objectives set out in below. The initiative
will cover only the aspects that Member States cannot achieve on their own and where the
administrative burden and costs are commensurate with the specific and general objectives to
be achieved. Proportionality will be carefully designed in terms of scope and intensity and
using qualitative and quantitative assessment criteria to ensure that the new rules will have a wide material scope. None of the options analysed in this impact
assessment goes beyond what is necessary to achieve the objectives set in the following
section. EU action is therefore justified on both grounds of subsidiarity and of proportionality.

4.Objectives: What is to be achieved?

4.1General objectives

The general objective of this initiative is to promote digital transformation and speed up adoption of data-driven business models in the EU financial sector to improve economic outcomes for financial services customers (consumers and businesses) and financial sector firms. Once achieved, consumers would be able to access individualised, data-driven products and services that may better fit their specific needs. Corporates, notably SMEs, would enjoy wider access to financial products and services. Financial institutions would be able to take full advantage of digital transformation trends, whilst third-party service providers would enjoy new business opportunities in data-driven innovation.

4.2Specific objectives

The specific objectives of this initiative are twofold.

First, to enhance customer trust in data sharing in the financial sector (specific objective A, problem driver 1). The initiative aims to ensure a secure data-sharing framework that empowers customers by giving them meaningful and effective control over their data, providing additional safeguards in line with data protection rules and rules on digital operational resilience, as well as ensuring that the use of this data by the industry is beneficial to them.

Second, to enable effective access to customer data for data users in the financial sector, decomposed into three distinct objectives, as follows:

·Oblige data holders to share customer data with data users (specific objective B, problem driver 2): as explained in section 2.3, customers of financial service providers can only ensure that third-party providers obtain access to their payment accounts data under PSD2. Although GDPR also gives consumers the right to share their personal data held by any financial service provider directly with third-party providers, this only covers personal data and does not entail a right to allow for electronic access, which is necessary if customers want their data to be used for digital services.

·Promote standardisation of customer data and interfaces (specific objective C, problem driver 3): enabling customer data aggregation and sharing at scale in the financial sector would require that both customer data and their sharing interfaces are standardised. Furthermore, in the interest of the broader EU data policy, these standards should, to the extent appropriate, be compatible with those used in other sectoral data spaces of the economy to safeguard interoperability and enable cross-sectoral use cases.

·Promote implementation of high-quality interfaces for customer data sharing (specific objective D, problem driver 4): it aims to ensure that data holders implement the standards developed under the specific objective C and have sufficient economic incentives to provide high quality interfaces, distributing the related costs between data holders and data users in the data value chain. Moreover, as data reuse involves risks, such as data misuse, financial crime or fraud, it must be ensured that the liability in case of data misuse, financial crime or fraud is clear and predictable and liability risks do not act as a disincentive for data holders to make data available.

5.What are the available policy options?

5.1Baseline

If the Commission did not propose this initiative, the cross-sectoral rules (both existing and proposed) set out in section 1.3 above would apply to data sharing in finance beyond payments.

In a ‘no action scenario’ in the financial sector, it is therefore expected that:

A lack of effective control over data sharing would continue to limit consumer confidence and trust in the secure sharing of their data. This includes the absence of control tools in the financial sector that enable consumers to monitor and manage the use of their personal data. Some financial institutions may continue to provide customers with dedicated tools to comprehensively manage permissions for data access they have given (market-driven consent management dashboards), and data intermediation service providers under the Data Governance Act may provide an additional market offer for such functions. But these will depend on the voluntary initiative of market participants and will therefore not be offered to all customers, and are not necessarily based on common standards, leading to less clarity for consumers.

Outside the scope of the PSD2, there would be no effective and comprehensive obligation for data holders to make data available to third party providers, and the possibility for these firms to offer innovative financial products and services to customers based on effective access to customer data held by financial services providers would remain limited.

·Concerning non-personal customer data, making data available to third-party service providers would remain voluntary based on bilateral contracts.

·Concerning personal customer data, the GDPR right to portability of personal data with third parties would apply, subject to the limitations set out above that will continue to impede its effectiveness for the purposes of data access in financial services (see section 2.2).

·The obligations established by the Data Act proposal (Chapter III - Articles 8 to 12) for data holders in business-to-business data sharing would not apply, as they would only apply to data holders legally required to make data available, which is not the case for the data considered under this initiative 107 . There would be no legal obligation in the Data Act requiring data holders to share data with data users if their customer so requests. Thus, data access in finance beyond payments would remain largely contractual, and contractual barriers would continue to be tackled on a case-by-case basis, preventing sufficient scaling up of third-party access to customer data in the financial sector. 

·Chapter IV of the Data Act proposal would introduce an unfairness test for contractual terms concerning the access to and use of data unilaterally imposed on a micro, small or medium-sized enterprise. Article 34 of the Data Act proposal may be used by the Commission to develop certain model contractual terms. Nevertheless, even with the use of such terms individual contracts will have to be negotiated for every data access.

Without an obligation to make data available, data holders would likely continue to share customer data in limited circumstances beyond a data subject’s right to port their personal data under Article 20 GDPR. As a result, customers would be unlikely to benefit significantly from individualised, data-driven financial products and services that may fit their specific needs.

When it comes to standardisation of data and interfaces as well as schemes, there has so far been little progress in terms of market driven efforts in areas outside payments (see Annex 9 for an overview). While some ongoing initiatives go beyond payments (Berlin Group’s open finance work), others (SPAA API access scheme) face challenges to expand into the broader financial sector. The consultation replies show that while most stakeholders expect some progress on standardisation, consumers and third-party providers with the highest interest in open access expect limited progress in terms of adoption of market driven standards. The Data Governance Act, including Art 12 (d) and (i), the European Data Innovation Board established under DGA Art 30, and the Data Spaces Support Centre will play an active role, but would have benefited from additional dedicated standardisation efforts specific to the financial sector.

Implementation of customer data access interfaces (APIs) with a high quality would continue to be rare. Neither the GDPR nor the Data Act proposal would make such interfaces mandatory for the financial sector, and absent regulation no data holder is ready to make the first move. Even if APIs were available, the quality of data that could be accessed would also vary substantially across data holders due to the absence of any common data standards, rendering the services based on such access by third-party service providers too costly and thus unfeasible. In the framework of the DGA, data intermediaries could mitigate this elevated cost of individual connections across data holders by offering a single access point for third-party service providers. However, the lack of common data standards may constitute a real challenge even for data intermediaries. In any case, structuring data sharing through data intermediaries may imply higher cost for access to the data.

However, the DMA would improve the level-playing field between gatekeeper platforms and financial services providers who, based on customer request, would be able to access relevant customer data held by these large technology providers in order to offer new financial services to businesses and consumers.

5.2Description of the policy options

Policy options have been chosen based on the Commission Expert Group on the European Financial Data Space and on stakeholder feedback. As presented in section 5.4 (see Figure 3), the policy options are organised by specific objective. They are depicted below and described in detail in the subsequent sections.

5.2.1Enhance customer trust in data sharing (specific objective A)

Privacy and other legitimate commercial and non-commercial interests need to be protected, otherwise incentives to contribute data and to invest in data-driven innovation may be undermined, in addition to the risks of direct and indirect harm to right holders, including data subjects. In open finance, a particular challenge is when customers have relationships with multiple firms (data holders; data users), which can make it cumbersome to track and revoke the respective permissions granted. A first policy option would therefore be to require market participants (i.e. data holders, data users and data intermediaries) to provide customers with common and consistent open finance permission dashboards to manage customer permissions for data sharing 108 (Option A.1). Open finance permission dashboards give customers a holistic overview of permissions granted and ensure a strong measure of control over personal and non-personal data in open finance. In this respect, the dashboards allow customers to track permissions by providing them with an overview of the validity period and purpose of the permissions they have granted a data user of each data relationship. In addition, open finance dashboards provide customers with an interface through which to manage and, if appropriate, withdraw permissions with respect for each separate data relationship of the customer.  

Thus, dashboards would be available for all customers and cover both personal and non-personal customer data. Open finance dashboards would have to be implemented by both data holders and data users, with separate dashboards as one solution. For example, the dashboard on the data holder side would provide a specific customer with an overview of all permissions granted to data users with respect to data of that customer held by a particular data holder, whilst the dashboard on the data user side would provide a specific customer with an overview of all data holders, from which a particular data user is sourcing that customer’s data., Another alternative could be an eIDAS-notified solution, such as the proposed European Digital Identity Wallets to be issued by Member States 109 . In this case, open finance dashboards would be managed by customers through the common interface provided by the European Digital Identity Wallet which can provide a customer with control over their data permissions. In turn, data holders and data users would be able to rely on the wallet to check and verify customer permissions. Data holders and data users could also use data intermediation services providers under the Data Governance Act to put in place the dashboards 110 . Option A.1 would involve binding rules established in the legislation that set out a common approach to their development and implementation. This would ensure consistent implementation irrespective of the specific solution chosen.

A second policy option would be to require market participants to provide common and consistent open finance permission dashboards for customers (like Option A.1), and in addition set eligibility rules on who can access customer data under the open finance framework (Option A.2). These eligibility rules would be the same as the requirements existing already today for Account Information Service Providers (AISPs) under PSD2 111 . This would ensure that data can be accessed only by already regulated financial institutions or by firms subject to a dedicated ‘financial information service providers’ (FISPs) license which are subject to regulation covering their conduct, governance and organisation, and would be subject to DORA and have high cyber resilience standards in place 112 .

A third policy option would be to include the safeguards on data sharing set out in Options A.1 and A.2 (open finance permission dashboards, eligibility rules), and complement them with personal data use perimeters, an additional safeguard against unlawful use of the accessed data, in line with the GDPR (Option A.3). For financial services that have an important inclusion and societal dimension (e.g. the use of consumer data related to occupational pensions) or where exclusion risks are higher for consumers as a result of granular risk assessments (e.g. the use of consumer data related to insurance policies), these perimeters would detail specific categories of personal data in scope of this initiative (see specific objective B) that financial institutions may use when providing services to consumers to guard against consumers being pressured into sharing data against their will  113 . If a customer refuses to provide personal data outside these categories, this should not be a reason for the financial institution to refuse to offer services to the customer. This would ensure that even consumers who want to refuse broad permissions for data access would still have access to these services, further limiting the risk of their financial exclusion. Whilst already present in some areas of financial sector legislation, notably in guidelines which detail how consumer information can be used in the Mortgage Credit Directive (MCD) 114 , at present most pieces of legislation do not define such personal data use perimeters. Personal data use perimeters could be set by empowering the European Supervisory Authorities either to issue guidelines or binding rules. 

Concerning stakeholder views, the Commission Expert Group outlined both benefits and challenges setting eligibility rules (Option A.2 and Option A.3), and stakeholders were mixed in their views on the issue, with consumer associations and data holders like financial institutions generally in favour, while data users like third party providers urged caution 115 .  With regards to open finance permission dashboards (Option A.1), data holders and consumer associations express general support for the introduction of control management tools that strengthen the ability of customers to grant track and withdraw permissions. 116 Data users, on the other hand, caution that dashboards need to be designed in a way that does not complicate to data sharing. 117 Stakeholders’ views vary the most on the issue of personal data use perimeters (Option A.3). While consumer protection organisations support personal data use perimeters and argue they could protect vulnerable consumers against data misuse, market participants are concerned that personal data perimeters may fail to serve the purpose of offering innovative services to customers and limit opportunity to promote financial inclusion 118 . Neither data holders nor data users support binding rules on personal data use perimeters. Data users argue that binding rules on personal data use perimeters may affect their business prospects by restricting the space to innovate and devise their own data-driven methodology in line with the GDPR. 119  Data holders are of the view that binding rules on personal data use perimeters would be technically complex to implement, whereas the GDPR grants flexibility to adjust the processing of personal data for each new purpose 120 . 

5.2.2Oblige data holders to share customer data with data users (specific objective B)

The options under this objective would introduce a clear legal obligation on data holders to make customer data available to data users on a mandatory basis, subject to customer request. Introducing a legal obligation on data holders in the financial sector to make available categories of customer data would effectively grant ‘mandatory access’ for data users based on customer agreement. There are three options which differ based on the scope of data required to be made available.

A first option would be to introduce a legal obligation only for credit institutions in their capacity as data holders (which are already required to make available payment accounts data under the PSD2), to make available all customer data also from business lines other than payment accounts, including data on savings accounts, loans, and mortgages (Option B.1). Under this option, other financial firms like insurers, pension providers and investment firms would not be required to make data available.

A second option would be to introduce a legal obligation to make data available for all data holders across the financial sector (including banking, insurance, private and occupational pensions, investment) to ensure comprehensive coverage 121 , but only with respect to selected data sets which are particularly relevant for the provision of targeted retail financial products with low financial exclusion risk and for facilitating SME access to finance (Option B.2). For example, life insurance and non-life insurance related to medical and health coverage would be excluded from the scope of this option 122 , as would data related to consumer creditworthiness assessment (CWA) 123 . The exact scope of Option B.2 would be specified in the legislation as summarised in Table 1 and would cover data sets for which there is a clear use case that benefits consumers and firms (see Annex 5 for a detailed analysis of the scope of Option B.2), such as:

·Data on consumers’ holdings of savings accounts, securities accounts, loans, insurance-related and investment-related insurance products, occupational and personal pensions that are all necessary for the retail investment strategy to have a holistic overview of the consumer’s saving situation, in order to develop improved investment advice and investment management tools; and

·Data necessary to provide creditworthiness assessments of SMEs.

Introducing access rights to CWA-related data related to firms could have advantages for customers seeking finance:

-improve their access to financing, including by improving access to funding for SMEs rejected from a bank loan as well as streamlining the assessment of applications for loans.

-reduce capital costs by creating competition among investors; and

-reduce the risk of disruption in financing by diversifying funding sources for SMEs.

Currently, primary data collection from SMEs during a loan application process is costly and may not deliver all the relevant data. Only a small minority of respondents to the targeted consultation believe that there is sufficient SME data accessible today (8%). Moreover, only 28.6% of active respondents to the targeted consultation believe that data required for SME creditworthiness assessment is readily available from a technical perspective. Indeed, the majority of active respondents (71%) believe that the required data for SME creditworthiness assessments are not sufficiently standardised either by market operators, or via existing regulation.

Table 1. Scope of customer data under Option B.2

Source: DG FISMA

The update of accessible data sets would be possible subject to further legislative action and accompanying impact assessment, since the scope of the open finance initiative would be subject to a review cause (see Annex 5). Given the sensitivity and importance of accessible data sets, this can only be decided by the co-legislators.

The third and most complete option would be the introduction of mandatory data access to all customer data sets held by financial institutions across the entire financial sector (Option B.3). It would give the fullest effect to the principle that customers must be in control of their data. However, Option B3 would only include data relating to activities recognised as financial services in EU legislation. For example, the management of public pensions (“pillar 1 pensions”) – even if funded – does not constitute a financial service and would therefore not be covered. In a similar vein, public health insurance would not be covered by this option either. Sharing of customer data would be subject to customer request, meaning mandatory access would only be triggered once the customer has requested his or her data to be shared with a data user, as with Options B.1-2. 124  Interoperability with the Internet of Things data access rights under the Data Act proposal and with data spaces in other economic sectors would be ensured based on the right of customers to share their data with third-party service providers. This means that any cross-sectoral sharing of customer data will always put customers in control of their data and require their permission for access.

Stakeholders are split in their views concerning any new data access rights: most incumbent financial institutions (data holders) do not support the introduction of new mandatory access (which may partially be explained by the fact that providing access to data users who are (potential) competitors is not on their commercial interest) 125 . On the contrary, many customers and third-party providers (data users) argue in favour of such access rights. 126  

5.2.3Promote standardisation of customer data and interfaces (specific objective C)

Options C.1 to C.3 address the need to promote the development of standards (as opposed to their implementation dealt with by Options D.1 to D.4). A first option would involve a requirement for market participants to jointly develop common standards for customer data and interfaces as part of schemes, for those data sets that are subject to mandatory data sharing under the specific objective B (Option C.1). However, Option C.1 would neither define common standards in the legislation nor set a single standard (meaning that several different standards might develop as a result) 127 .

This option would require market participants to be part of a contractual scheme, which is managed based on a multi-stakeholder approach. Supporting the creation of communities of stakeholders (data users, data holders and third parties) around data sharing and re-use is considered a major success factor for building trust as there is no guarantee that data would be re-used effectively even when made available through open access. Effective data reuse requires technical measures, such as the development and maintenance of APIs, and active community engagement, which can help allocate responsibilities and define the acceptable risk levels 128 . 

Schemes for data sharing would bring together data holders and data users but also representatives of data subjects (e.g. consumer organisations). 129 Schemes would have the task to develop data and interface standards, as well as a joint standardised contractual framework governing access to specific datasets, and establish governance rules related to data sharing. The open finance framework would establish general principles for the governance of these schemes, including rules on inclusive governance and participation of data holders, data users and data subjects (to ensure balanced representation in schemes), transparency requirements, and a well-functioning appeal and review procedure (notably around the decision-making of schemes). Where competitors are involved, there is a risk that data partnerships and the use of trusted third parties could lead to implicit collusion between businesses, i.e. agreements that would limit open competition, which is why all schemes would have to comply with competition law.

A second option could be to follow the PSD2 approach and define in the legislative act basic principles for customer data and interfaces, but would not require market participants to be part of a scheme, leaving it up to them if they want to develop detailed standards on the basis of these principles (Option C.2).

A third, more comprehensive policy option would be a single EU-wide standard for data and interfaces. Hence, on the basis of a proposal from the Commission, the co-legislators could empower ESAs to develop a single EU-wide standard for data and interfaces covering customer data sets that are subject to mandatory access (Option C.3).

Stakeholders widely supported further standardisation as well as the use of schemes. Among the different options, the Commission expert group recommended consensually to ask market participants to draw up standards (Options C.1 and C.2) as opposed to public standards, because of the need for flexibility in light of rapid market developments. 130  

5.2.4Promote implementation of high-quality interfaces for customer data sharing (specific objective D)

While Options C.1 to C.3 promote the development of common standards and schemes, Options D.1 to D.3 address the need to ensure that financial institutions actually implement these standards and make available the necessary interfaces.

As a first option, data holders could be required to put in place APIs implementing the common standards for data and interfaces developed under the specific objective C and make them available to data users without a contract and without being able to receive any compensation from data users for using these interfaces (Option D.1), following the PSD2 approach, and enforced by public authorities. Option D.1 would include certain mitigating measures for SMEs, in particular giving them flexibility in achieving its objective by making use of APIs developed and run by third parties (see Annex 8).

As a second option, data holders could be required to put in place APIs implementing the common standards developed under the specific objective C, and make it available to data users based on a contract and in exchange for an explicit right to receive reasonable compensation from data users for making data available, in line with Article 9 of the Data Act proposal 131 (Option D.2) that introduced the general principle of compensation to data holders legally obliged to make data available in the context of business-to-business data sharing. Data users would have to pay compensation for these costs when accessing data. Such compensation would merely aim to refinance the implementation of high-quality APIs and should by no means be interpreted as a price for the customer data, which clearly does not belong to the data holders 132 . This implementation cost would normally arise fully upfront and data holders would only be able to recuperate it from data users over a longer period of time. This is why it would seem justified not to limit the compensation level strictly at the cost incurred, but to allow for a small margin to also cover the cost of the initial financing. Smaller data holders may also choose to make data available through an external API provided by a third party on a “pay as you go” basis, over time. In this case, the initial cost would be financed by the API provider, which would then charge the data holder in accordance with the intensity of API use by data users and the margin included in the compensation to data holders would serve the same purpose, as the initial financing cost would be factored in in the price that the API provider would charge the data holder. In cases where the data user is an SME, however, which would represent the vast majority of data access relationships (see Annex 8), Option D.2 would limit compensation strictly to the costs incurred for making data available, in line with Article 9(2) of the Data Act proposal. In addition, Option D.2 would include the same mitigating measures for SMEs as Option D.1.

A third policy option under this objective would be topping up Option D.2 with an additional requirement for market participants to agree on contractual liability for data breaches (Option D.3). These requirements and would focus on establishing, as part of any construct, liability rules as well as clear obligations and rights to determine liability between the data holder and the data user. Liability issues related to the consumers as data subjects would be based on the GDPR, notably the right to compensation and liability under Article 82 of the GDPR.

Concerning stakeholder views, the Commission expert group recommended consensually data holders be compensated for the cost of making data available 133 , while views in the public consultation were rather split with only a slight majority of individual respondents to the open public consultation (55%) opposing it 134 and a slight majority of active professional respondents (52%) expressing support 135 . The support to compensation in the targeted consultation was more pronounced, with 75% of (predominantly business 136 ) respondents speaking out in favour, citing level-playing field and data quality issues 137 . However, 14% of respondents believe that there should be no compensation, arguing that it would restrict innovation to the detriment of end-users and negatively affect smaller players and market competition. The Commission expert group also consensually supported providing a clear framework for liability in open finance. In the targeted consultation, stakeholders were also supportive: 55% of respondents were in favour, of which 31% supported uniform liability principles across the financial sector whilst the remaining 24% argued in favour of liability principles that are tailored to the specific types of financial services.

5.3Options discarded at an early stage

Although a small majority of data holders argue in favour of voluntary measures 138 by way of recommendations or calls on stakeholders through Communications, voluntary measures would not be able to credibly ensure the achievement of the specific objectives in view of the lack of any enforcement mechanisms and the general reluctance of data holders to enable access of data users to customer data observed so far 139 .

Voluntary measures would in particular consist of Commission encouragement for stakeholders to put in place open finance dashboards (alternative to binding Option A.1), to facilitate data access (alternative to Options B.1 to B.3), to develop standards and schemes (alternative to Options C.1 to C.3) and to promote the implementation of common interfaces (alternative to Options D.1 to D.3).

Encouraging market participants to provide common and consistent open finance dashboards is unlikely to result in the uniform implementation of dashboards across financial institutions. As the decision to provide open finance dashboards would remain at the discretion of market participants, the lack of market coordination would mean that a voluntary measure would result in operational and technical discrepancies in how dashboards are provided to customers. Moreover, a voluntary measure would mean there would be no guarantee that open finance dashboards would be available to all customers of open finance. Interpreted collectively, its voluntary nature would hamper customer confidence in open finance.

Furthermore, merely encouraging data holders to grant data users access to customer data, encouraging data holders and data users to develop common standards for customer data and interfaces and encouraging data holders to put in place APIs implementing these standards would give rise to a coordination problem as follows. Some data holders may unilaterally provide access, resulting in the former being negatively affected due to their inability to access data as opposed to its competitors. Such risk would lower the incentives for all data holders to make data directly available. Furthermore, if data users could access data from only a handful of data holders, the opportunities to offer additional services beyond what data holders could do would be limited, reducing the potential for innovative products, especially when they require access to data held by different providers servicing a single customer, such as tools to facilitate investment advice or insurance, pension or investment dashboards. Absent any regulatory intervention market participants are unlikely to set up schemes and develop common standards. Even if some market participants may favour common standards, it could seem attractive to “freeride” by relying on others to develop them. The more market participants seek to withhold their engagement, the less probable it is that common standards are developed. According to the targeted consultation, very few respondents (including among respondents which identified themselves as data users and consumers) would expect such schemes to develop. 140  

Finally, voluntary measures could not ensure implementation of standardised data formats, interfaces, and contracts by market participants. Without a way to ensure that most data holders establish APIs, there is a clear coordination problem both for cost and competition reasons. If data holder A is the only one to put in place an API, all other data holders would be able to access the customer data it holds without this data holder enjoying reciprocity with other data holders. Furthermore, data holder A will have invested a substantial amount of money to achieve this competitive disadvantage. Data holders may also not be interested in providing access to competitors or competing services. The possibility to charge data users for accessing the APIs is unlikely to solve this coordination and market issue on its own. It may even result in effective market foreclosure in case the compensation levels would be set so high that they would effectively price data users out of the market. This would have a negative economic impact on data users and their customers alike, putting a break on innovation and slowing down digitalisation in the financial sector, and therefore not reach the objective of enabling effective data access.

5.4Analysis of the impact of policy options

On the basis of the above, Figure 3 schematically presents the policy options with the potential to achieve the specific policy objectives. These are further assessed in the following sections.

Figure 3: Objectives and policy options of open finance

Source: DG FISMA

5.4.1Enhance customer trust in data sharing (specific objective A)

The policy option to require data holders and data users to provide common and consistent open finance permission dashboards (Option A.1) would affect both data holders and data users, which would need to provide such tools and assume the associated cost of their development. Option A.1 would have a positive impact on customers and their trust in data sharing, since customers have transparency and control in terms of which market participants are accessing their data, when and for what purpose. Customers would also be able to manage their permissions, including by revoking them where appropriate 141 . In line with the data protection principles of purpose limitation and data minimisation, the open finance dashboard would act as an additional safeguard to ensure that customer data is not shared or made available under different conditions beyond what is agreed by the customer. As the open finance dashboard under Option A.1 would be obligatory, it would be available for all customers of open finance, thus adding to customer trust.

Data holders would need to develop and provide such dashboards when making customer data available to data users who would, in turn, need to integrate them in their applications. The total annual cost of these dashboards is estimated between EUR 65 million and EUR 259 million (see Annex 3). The expected benefit is substantial in terms of boosting confidence and ensuring convenience for the customer in data sharing. The overall economic impact of this option would be positive: greater customer control over their data can be expected to lead to more confidence in managing these access rights and thereby to more data sharing transactions, which would facilitate the use of innovative financial services. Basing open finance dashboards on the European Digital Identity would also provide a strong level of cybersecurity 142 . The social impact of this measure can be expected to be positive: those customers that agree to data sharing would be able to access data-driven services and products, whereas the situation of those that do not would not change. Whilst such permission dashboards are not explicitly required by existing EU legislation, Option A.1 is coherent with the position taken in PSD3 143 as well as responds to long-standing consumer organisation requests.

Option A.2 would require data holders and data users to provide common and consistent open finance permission dashboards for customers and add eligibility rules on who can access customer data under the open finance framework. Setting eligibility rules for access to customer data would ensure more coherence with the existing regulatory framework, as there are similar authorisation requirements for Account Information Service Providers (AISPs) under PSD2. It would also ensure all firms accessing customer data have basic governance and customer protection structures in place, are subject to cyber and digital operational resilience requirements under DORA and are supervised by financial supervisors.

The expected benefit of setting eligibility rules would be to ensure a high level of security and data protection when customer data is accessed, which in turn safeguards the operational integrity of financial institutions which are holding these data sets, thereby ensuring the proper prudential functioning of the financial system. While Option A.1 would be effective in ensuring that there is full clarity at all times about the permissions given by the data subject, Option A.2 would in addition address concerns that data users may not handle the permissioned data in a safe and responsible manner.

The PSD2 evaluation draws an overall positive conclusion on the requirements for AISPs 144 . The eligibility requirement would involve administrative burden for data users applying and acting as licensed Financial Information Service Providers (FISPs) in the form of prior authorisation and ongoing supervision 145 . The total cost for 350 FISPs 146 adds up to some EUR 22 million in one-off expenses to obtain a license, and EUR 2.24 million in annual expenses for supervision and insurance (see Annex 3). The magnitude of these costs may be seen as fully proportionate in view of the sensitive nature of financial data that would be accessed. A FISP license as part of the eligibility rules would promote level playing field as an important safeguard to ensure that all firms accessing data are subject to regulation and supervision. The eligibility rules would be implemented and justified in compliance with the EU international trade commitments.

Option A.3 would require data holders and data users to provide common and consistent open finance dashboards for customers, set eligibility rules on who can access customer data under the open finance framework, and empower the European Supervisory Authorities (ESAs) to set personal data use perimeters either through guidelines or binding rules. The policy choice on the latter would depend on whether the scope of this initiative excludes high-risk data sets with disproportional unintended effects or potential lack of understanding by consumers as to the consequences of making such data available, giving rise to financial exclusion risks. In case it does not (as in Options B.1 and B.3), binding rules may be necessary, whereas a guideline-based approach would be sufficient in case it does (as in Option B.2).

Compared to Option A.2, Option A.3 would therefore have the benefit of also addressing any risks that excessive data use – even if permissioned and secure – could lead to financial exclusion of vulnerable groups. As regards financial information services that directly depend on customer data sourcing from data holders, access to customer data is indispensable to enable such services. Thus, customers would not be able to use these services unless they agree to share their data. This is not considered problematic, however, in view of these type of services not being relevant from financial inclusion point of view 147 .

The economic impact of personal data use perimeters would depend in part on whether personal data user perimeters would be implemented in the form of binding or non-binding measures. Binding measures which would exclude the use of any additional data under any circumstances could restrict financial innovation significantly even where a consumer explicitly requests it, while non-binding guidance would limit such risks 148 . Option A.3 does not give rise to any additional direct costs for market participants compared to Option A.2. Credit institutions already now have to consider what data to use under GDPR and need to regularly update their considerations. Guidelines on personal data use perimeters would only make this clearer. The associated costs for the ESAs would have to be internalised in their existing operational budgets. The expected benefit derived from personal data use perimeters is not quantifiable but can be expected to be substantial as it can boost consumer confidence in terms of how their personal data is used to offer financial products and services, a view supported by consumer protection organisations 149 .

In view of the above, issuing guidelines on personal data use perimeters would be the preferred approach in achieving efficiency and coherence with other policy objectives. Guidelines have been effective in specifying data requirements to be used in financial products and services 150 , whilst their non-binding nature would provide the market with a flexible framework in which to use and combine data sets in scope an innovative manner and offer such services to customers. A guideline-based approach would also follow existing regulatory practice: in the area of mortgage credit, the European Banking Authority Guidelines on loan origination and monitoring detail how consumer information may be used based on the Mortgage Credit Directive (MCD). Thus, Option A.3 would ensure the strongest coherence with the existing regulatory framework.

The impact of options A.1 to A.3 on SMEs is linked to their representation in the main three stakeholder groups (customers, data holders, and data users), which is very high 151 . As customers, SMEs would benefit from the empowerment implied by these options, and this would have a positive impact on security and trust in data sharing. This should enable them to access more innovative services, which may lower their financing costs and contribute to their competitiveness (see Annex 7 for the use case on SME financing). As data holders or data users, SMEs would face the cost of providing open finance dashboards. As data users, SMEs would also face the cost of licensing to become eligible to access customer data. However, there is no evidence from PSD2 implementation that such cost has served as an obstacle for SMEs to become licensed as AISPs. 152 . In view of the overwhelming number of SMEs among customers, it can be expected that the overall impact of these policy options on them would be positive.

These policy options will have an impact on fundamental rights of consumers, notably Articles 7 and 8 on the right to respect for private life and the right to the protection of personal data enshrined in the Charter of Fundamental Rights of the European Union. The policy options under this specific objective would enhance customer trust in data sharing and act as strong safeguards against potential adverse consequences on the fundamental rights to data protection and privacy. The introduction of data processing control tools, notably open finance dashboards (Options A.1-A.3) and personal data use perimeters (Option A.3), would strengthen the framework of sharing personal data based on the lawful grounds for processing under Article 6(1) of the GDPR, notably when personal data is processed based on consent or necessary for the performance of a contract. These control tools would also contribute to the obligation of data controllers to demonstrate compliance with the GDPR in light of the principle of accountability under its Article 5(2). Open finance dashboards (Options A.1-A.3) could also tackle customer issues specific to the lawful grounds for processing based on consent, notably ‘consent fatigue’. In addition, introducing licensed ‘financial information service providers’ (Options A.2-A.3) would ensure that only trusted and secure providers are eligible to access and process customer data in the financial sector. These policy options would determine the respective roles and responsibilities of the relevant entities to ensure that personal data processing in regard to the activities of open finance comply with applicable the GDPR.

The comparison of policy options under this objective are summarised in Table 2 below. Overall option A.3 is the preferred option.

Table 2. Comparison of policy options to enhance customer trust in data sharing

Note: Effectiveness is assessed in terms of the achievement of the corresponding specific objective (+ for low; ++ for medium; +++ for high). Efficiency is assessed in terms of the associated costs (- for low costs/high efficiency; -- for medium costs/efficiency; --- for high costs/low efficiency). Coherence is assessed with respect to the existing EU legislative framework on data sharing (+ for basic; ++ for advanced; +++ for strong).

5.4.2Oblige data holders to share customer data with data users (specific objective B)

The policy options under this objective include mandatory data access rights for all banking data (Option B.1), for selected customer data sets across the financial sector (Option B.2) or for all customer data sets across the financial sector (Option B.3). Mandatory data access rights would target data holders and impact both customers and data users. Options B.1-B.3 would ensure that additional data are made available by all holders of the customer data covered by such mandatory data access rights. All options would be coherent with the PSD2, as they do not cover payment accounts data. Given that policy options B.1-B.3 create rules that legally oblige data holders to make data available, this initiative would activate the obligations for data holders as set out in Chapter III of the Data Act proposal (in particular, as regards compensation, dispute settlement, and technical protection measures) with respect to customer data in the financial sector beyond payment accounts, which would further facilitate data sharing. Despite seemingly similar levels of coherence with the existing regulatory framework, Option B.1 would exhibit only basic coherence, as it would arbitrarily exclude from the scope of this initiative large chunks of customer data sets covering many types of financial services outside banking, which is contrary to the wider objectives of the EU data strategy. Whilst Option B.3 may seem to offer the highest level of coherence due to its universal coverage, Option B.2 is actually most coherent precisely because it excludes the most sensitive customer data sets for consumer protection reasons.

The impact on customers and data users would be positive for all options: customers would be able to share additional data in exchange for improved services, whereas data users would be able to launch new business models. Based on the results of the targeted consultation, the boxes in Annex 7 illustrate three potential use cases – SME financing, investment advice and insurance dashboards – where access to data under Option B.2 would bring clear benefits to consumers and firms 153 . Options A.1-A.3 assessed in section 5.4.1 above would limit any potential negative effects of mandatory data access rights on customers. Access to data required for SME creditworthiness assessments could facilitate SME financing. The framework would develop a type of a referral scheme for SMEs through an API-based infrastructure based on standardised data. The open finance proposal would be proportionate, in that it could help SMEs rejected from a bank loan to seek alternative access to finance. The degree of positive impact on customers and data users is the key difference between the three options and would depend on the amount of data sets with a high innovative potential which would be covered: Option B.3 would imply the highest positive impact as it covers all data. Options B.1 and B.2 would be more consistent with PSD2 154 as they would specify certain data which would have to be made available. Option B.1 would have the most limited positive impact. For example, it would not enable use cases on investment advice such as the one set out in Annex 7 as the data necessary for it would not be covered. Option B.2 would have a relatively strong positive impact as it would cover the key data sets with high innovative potential (see Annex 5).

New data access rights would create opportunities for all market participants, but the scale at which these opportunities arise would depend on whether these access rights are also being taken advantage of by data holders. The latter is a matter of existing capacities and skills, and business decisions on whether to engage in such activities. For example, inclusion of CWA-related data of SMEs would have a positive impact for SMEs as data holders, as innovative services would increase their efficiency whilst data standardisation would offer new business opportunities. Mitigating measures will support SMEs as data holders (see Annex 8). The PSD2 experience shows that regulatory focus on data access and processing encourages financial firms to think how they can develop data-driven business models, either themselves or by buying external expertise. The immediate impact on data holders would be negative though due to additional costs arising from the need to put in place APIs to make data available. Under Option B.1, this negative impact would only affect credit institutions and would also be more limited (only about 10-20% compared to the impact under Option B.2), since economies of scope with existing payment data access rights under the PSD2 could be expected. Under Option B.3, this impact would be higher compared to Option B.2 mainly due to the need to standardise and implement common standards for the additional customer data sets covered 155 . As regards level-playing field, the Digital Markets Act would ensure reciprocity in terms of data access between financial sector firms and large technology companies. To make it effective, the data access right under this initiative would not become operational before the corresponding data access right under the Digital Markets Act does.

The social impact on consumers of these policy options would vary. Compared to the other options, Option B.2, which consists of a targeted scope of data sets that have high added value for consumers and low financial exclusion risks, would serve as the first line of defence against privacy and financial exclusion risks. In other words, the most sensitive types of customer data would be excluded from the scope of this initiative outright. The policy measures described in Option A.3 would further guard against potential privacy and financial exclusion risks within the defined scope of this initiative. Simultaneously, the scope of this initiative would ensure a positive impact for consumers in the form of more competition, easier access to finance, and improved customer experience via automation (see Annex 5) due to the inclusion of data sets with high added value.

The social impact of Option B.1 and Option B.3 is uncertain, as an approach creating a general access right for all data in banking (B.1) or in finance (B.3) could lead to risks of financial exclusion in instances where financial products are individually priced according to a customer’s risk profile (e.g. in case of financial products related to access to credit, or health or medical insurance). Whilst the broad scope of Option B.3 may allow for the development of more innovative products, it also carries the highest risk of financial exclusion or discrimination based on a consumer risk profile. Notably, it would cover datasets that present the highest risk to consumers, such as those used in life and health insurance, as well as credit risk assessment. As further detailed in Annex 5, the underlying risks for these data sets are higher than potential benefits. Safeguards under Option A.3, notably personal data use perimeters, would mitigate financial exclusion risks related to how data can be used to provide financial products and services under Options B.1 and B.3. Overall, however, the social impact on customers of Option B.2 would be more favourable than that of Option B.1 and B.3.

The environmental impact of these options would also vary. Only Options B.2 and B.3 would, as part of investment data also cover data on sustainability indicators (see also use case in Annex 7) which would allow customers to have simpler access to financial services aligned with their sustainability preferences, in line with the Commission’s broader sustainable finance agenda. In terms of the environmental impact from more intensive use of data centres, Options B.1-B.3 are not expected to be very significant as this initiative is predominantly about opening up access to data that is already stored in a digital format. To the extent that making this data available via APIs will undoubtedly increase data traffic, the scope of these options will have a marginal impact on the level of data centre use. Thus, Option B.2 would involve a slightly higher intensity of use than Option B.1, whilst Option B.3 would involve the highest intensity of use.

There will be an impact of these policy options on the fundamental rights of consumers, notably Article 7 and 8 of the EU Charter on Fundamental Rights. The policy options B.1-B.3 establish access rights in the financial sector, which will contribute to increased sharing of data, including personal data, at customers’ request. As a result, the GDPR will apply in full when personal data is processed. The impact to fundamental rights will be mitigated by only obliging data sharing subject to the request of the customer in line with the GDPR. In addition, consumers will be protected against possible data misuse and data breaches as the policy options introduce strong security safeguards in line with the requirements under the GDPR. Additional policy options assessed as part of the specific objective to enhance customer trust, including personal data use perimeters (Option A.3), will act as a further safeguard.

As described above, the broad scope of Option B.3 carries the risk of financial exclusion, unfair bias or discrimination based on a consumer’s risk profile with regard to datasets that present the highest risk to consumers, such as those used in case of life and health insurance, as well as credit risk assessment. The same would apply to Option B.1, as the distinction by subsector (banking data in scope – other financial data out of scope) would mean that some data which is potentially sensitive to financial exclusion risks (for example data relevant to personal creditworthiness assessments for loans or mortgages) would be covered. Contrary to that, Option B.2 would scope out the data sets which have a higher potential of financial exclusion, and would therefore create the least risks to negatively impact on fundamental rights (see Annex 5 for more detail).

The impact of these options on SMEs would reflect their high representation among the various stakeholder groups. SMEs would clearly benefit in their capacity as customers of financial service providers. One pertinent example with a positive impact on SME financing is presented in Box 1 in Annex 7, which would be covered and enabled under all three policy options B.1-B.3, as the necessary data would be in scope in each of these options. They would equally benefit in the role of data users since many fintech firms are SMEs, whereas they would benefit less in their capacity as data holders provided they do not simultaneously act as data users. Overall, the more these options would result in additional data being made available, the more competitiveness of SMEs in their role as customers would improve.

The comparison of policy options under this objective are summarised in Table 3 below. Overall option B.2 is the preferred option.

Table 3. Comparison of policy options to oblige data holders to share customer data with data users

Note: Effectiveness is assessed in terms of the achievement of the corresponding specific objective (+ for low; ++ for medium; +++ for high). Efficiency is assessed in terms of the associated costs (- for low costs/high efficiency; -- for medium costs/efficiency; --- for high costs/low efficiency). Coherence is assessed with respect to the existing EU legislative framework on data sharing (+ for basic; ++ for advanced; +++ for strong).

5.4.3Promote standardisation of customer data and interfaces (specific objective C)

Option C.1 requires market participants to adhere to a scheme with the aim of developing common data and interface standards with respect to data sets subject to mandatory access under the specific objective B.

Standardisation of customer data and data access interfaces can lower the cost of data sharing, thereby facilitating direct connections between data holders and data users. In order to ensure advanced coherence with the existing regulatory framework, standardisation would take into account the work related to the European Data Innovation Board (EDIB) and the Data Spaces Support Centre (DSSC) 156 . When standards are developed as part of open schemes based on a multi-stakeholder approach, the positive impact is reinforced by consistent governance and a contractual framework for data sharing. A scheme would complement standardised data and interfaces by way of a framework governing the relations of the multitude of data holders and data users. The tool of schemes has already been tried and tested in the financial sector as a result of private initiative (see Annex 9) and it would complement the tool of standard contractual clauses which the Commission may establish under Article 34 of the Data Act proposal. Schemes would also play an important role in monitoring implementation of the common standards under the specific objective D. To ensure that they do not exhibit anticompetitive features, contractual schemes would be subject to Article 101 TFEU and would also need to comply with Chapters III and IV of the Data Act proposal, including the prohibition of unfair terms. To complement the Data Act, schemes would have the additional benefit of providing a full contractual framework for data access not requiring the conclusion of specific contracts between individual members of the scheme.

Option C.1 would affect all three stakeholder groups (data holders, data users, data subjects). The direct cost of standardisation schemes would be related to their management costs 157 , whereas the benefits would stem from the promotion of data sharing and its coherence. The direct annual management cost of schemes is estimated at EUR 5 million. In view of the fact that schemes would involve both data holders and data users, the management cost would be split accordingly among them 158 . The potential benefits for data users (and by extension – customers) would be comparable to a share of potential profits from data intermediation activity. In other words, if the data interfaces (APIs) would be standardised, data users could set up individual connections to each data holder themselves. The economic impact of common data formats is going to be directly proportionate to the volume of customer data sharing, since the aggregate cost of standardisation will be fixed whilst the benefits will vary with the volume of data shared. Customers would be positively affected by data standardisation since it would enable new innovative and/or lower priced services. Option C.1 is likely to affect the market structure of data sharing and the ensuing value distribution. As argued above, in absence of standards, some value will be captured by intermediaries who will set up individual connections to data holders and provide single API access to data users, whereas in the opposite case more of it is likely to flow to the data users who may themselves prefer to set up individual connections to data holders and thereby avoid paying intermediaries for single API access.

Option C.2 would only set in the legislation the basic principles of common standards for customer data and interfaces with respect to data that are subject to mandatory access under the specific objective B, but not require the development of standards, in line with the approach used under PSD2. Compared to Option C.1 this option may be less effective: the evaluation of PSD2 shows that without a legal requirement to develop standards, market participants are still likely to do so over time. However, this process would be very long and uncoordinated, at least initially. The initial absence of standards may increase implementation costs, as market participants may need to adjust to emerging standards at a later stage. Efficiency may also be harmed by excessive proliferation of competing standards as a result of parallel activity. Although the impact of this inefficiency cannot be precisely quantified, it would inevitably lead to some cost duplication. At the same time, Option C.2 demonstrates strong coherence with the existing regulatory frameworks, as PSD2 standards have been developed in exactly the same way, with no changes envisaged as part of the PSD3 initiative.

Empowering the European Supervisory Authorities to develop a single EU-wide standard for customer data and interfaces for the entire financial sector concerning data that are subject to mandatory access under the specific objective B (Option C.3) would have the advantage of ensuring a single standard applied by all data holders. However, the drawback of Option C.3 would be that technical developments for data and interfaces in the financial sector advance very quickly and a single standard imposed by public bodies may lag behind the latest technological achievements. It may also be challenging for public authorities to update standards in a timely manner. Furthermore, it is less likely that a single standard satisfies all of the rather diverse demands of data users in different parts of the financial sector. Lower ownership of these standards by the market participants could in turn complicate their implementation. Development of a single standard for the entire financial sector would also be more complex and, hence, more costly. As in the case of Option C.2, it is not possible to precisely quantify this standardisation approach. However, it could be argued that Option C.3 would be the costliest to implement compared to Options C.1 and C.2, since it would require much more substantial modifications to the data holders’ existing IT systems. Finally, as regards coherence, such a centralised approach to standardisation of customer data and interfaces has not been taken in the past, resulting in only basic coherence with the current regulatory framework.

For these same reasons PSD2 and the PSD3 initiative also do not follow option C.3 159 .

The impact of these options on SMEs would reflect their high representation in the three stakeholder groups. Given their substantial share in the customers and data users group, it can be expected that SMEs would rather benefit from these options. For example, innovative services would increase their efficiency whilst data standardisation would offer new business opportunities to SMEs in their capacity as data users.

Fundamental rights of consumers would be impacted, as data standardisation could lead to greater interoperability between market participants and, as a result, to increased data sharing within the financial sector. The GDPR would therefore apply in full when personal data is processed. The impact to fundamental rights will also be mitigated by only obliging data sharing subject to the request of the customer in line with the GDPR. The introduction of personal data use perimeters (Option A.3) and open finance permission dashboards (Options A.1-A.3) would act as further safeguards. Greater data standardisation would contribute to the fundamental right to conduct business in accordance with Article 16 of the Charter of Fundamental Rights.

The social and environmental impacts of these options are similar to the ones described in section 5.4.3. In particular options ensuring a higher degree of standardisation (Options C.1-C.3) would also cover sustainability related data and would therefore have a limited potentially positive social and environmental impact.

The comparison of policy options under this objective are summarised in Table 4 below. Overall Option C.1 is the preferred option.

Table 4. Comparison of policy options to promote standardisation of customer data and interfaces

Note: Effectiveness is assessed in terms of the achievement of the corresponding specific objective (+ for low; ++ for medium; +++ for high). Efficiency is assessed in terms of the associated costs (- for low costs/high efficiency; -- for medium costs/efficiency; --- for high costs/low efficiency). Coherence is assessed with respect to the existing EU legislative framework on data sharing (+ for basic; ++ for advanced; +++ for strong).

5.4.4Promote implementation of high-quality interfaces for customer data sharing (specific objective D)

The policy option to require data holders to put in place free APIs which data users can access without a contractual relationship with data holders implementing common standards on customer data and interfaces (Option D.1) would closely mirror the current one under PSD2 and would thus show advanced coherence with the existing regulatory framework, as well as full consistency with PSD3 160 . In terms of benefits, Option D.1 would allow overcoming the coordination problem mentioned in section 5.2.4 and maximising the opportunities for customers and data users, including data holders themselves. In terms of costs, implementation of the standards developed under the specific objective C concerning data sets that are subject to mandatory access under the specific objective B constitute the bulk of the costs associated with this initiative and would affect all data holders. The total one-off cost of putting in place APIs implementing the common standards for data and interfaces developed under the specific objective C is estimated for data sets in scope: under Option B.1 is estimated in the range of EUR 220 million to 440 million; under Option B.2 in the maximum 161 range of EUR 2.2 billion to EUR 2.4 billion; and under Option B.3, in the maximum range of EUR 2.3 billion to EUR 2.7 billion. In addition, running an API involves recurring monthly costs for API hosting, maintenance and management. This aggregate annual cost is estimated for data sets in scope: under Option B.1, at some EUR 50 million; under Option B.2 in the range of EUR 70 million to EUR 194 million; and under Option B.3 in the range of EUR 70 million to EUR 195 million, depending on the number of monthly API calls (see Annex 3). Both the one-off cost and this recurring cost would have to be borne by the data holders under Option D.1.

The impact of Option D.1 on customers would depend on the extent to which they make use of products and services provided by data users. Customers who request services from data users would benefit from more innovative products based on high quality APIs. However, data holders may eventually pass on the associated costs to their own customers. As regards data users, free access to data would make their services more competitive and would facilitate market entry of new companies than in a scenario with compensation. It should be noted once again though that data users may also include data holders, which introduces additional dynamic. Those data holders that are successful in their capacity as data users would be able to offset at least some part of the cost from putting in place APIs with the additional revenue from new services in their capacity as a data user. Ultimately, some may even manage to cancel out this cost entirely. In sum, the free access model would have the most pronounced negative impact on those data holders that are not active as data users 162 .

As experience from the PSD2 shows, however, the effectiveness of Option D.1 would depend on effective enforcement by public authorities 163 , since there would be no contractual relationship between data holder and data user, and hardly any economic incentive for data holders to put in place high quality interfaces, also in absence of any compensation mechanism for putting in place such an infrastructure. Option D.1 would therefore require significant enforcement resources by public authorities, as confirmed by the experience from PSD2. While payments supervisors have already invested significant resources for implementation of PSD2 164 , building an open finance framework based on these approaches would require banking, investment, insurance and pensions supervisors to set up fully new supervisory arrangements.

The policy option of requiring data holders to put in place APIs implementing the common standards against compensation based on a contract between data holder and data user (Option D.2) would create benefits, in a similar way to Option D.1. While the cost of putting in place APIs would be the same as in Option D.1, in addition, Option D.2 would also have the effect of shifting this cost on the data users and, indirectly 165 , on their customers who will also be the ultimate beneficiaries of innovative services provided based on these data. However, data users would not have to fully compensate these costs upfront on first access – that could indeed pose a threat to data sharing activity taking off – but costs would be allocated gradually to all data users over a specific reference period based on the applicable accounting rules 166 . There is an inherent trade-off here: data holders have no interest in making an effort to develop high-quality APIs unless it is economically reasonable, whereas data users are not interested in using APIs that do not offer them the minimum level of functionalities required for the purposes of the business model they wish to pursue. Thus, both sides of the market need to meet halfway for it to work: as a minimum, data holders need to be compensated for the cost of putting in place APIs for them to have satisfactory quality in view of the needs of data users. At the same time, these costs will be outweighed by the benefits for data users and customers 167 .

The risk that compensation may have a foreclosure effect would be mitigated by applying the principles of the Data Act proposal, which foresees that compensation must be reasonable 168  and, in cases where the data user is an SME, any compensation shall not exceed the costs directly attributable to the individual data request. Furthermore, the governance rules of schemes would aim to ensure that any anticompetitive behaviour is excluded ex ante. For example, data holders and data users would have equal rights and say in the decision-making process of schemes. Schemes would also have to remain open to any new members at any point in time based on the same rules that apply to existing members. Finally, competition authorities would retain full responsibility for enforcing EU competition law ex post. Overall, this initiative is expected to create pressure on firms to compete on innovation and costs to the benefit of consumers. Weak market offers would be pushed out of the market and competition would remain high due to the permanently open access to customer data and the resulting lower barriers to market entry.

As regards data holders, compensation would relieve them of their costs, depending on data users’ willingness to pay, and provide them with clear incentives to make the necessary investment to ensure the APIs they have to set up are in line with the developed standards and of sufficiently high quality, since only data users for whom the data is of sufficient quality would be willing to pay compensation. Implementation of Option D.2 may still pose challenges as regards the exact methodology for calculating reasonable compensation. Indeed, without further concrete rules and mechanisms, data holders and data users may need to litigate about what compensation level is reasonable, leading to a risk of delaying and foreclosing data access significantly. Option D.2 would however address this, by indicating specific criteria, in particular relating to the cost of making data available 169 and the framing of the reasonable compensation under the Data Act. This would provide data users with a genuine opportunity to set up a business case to provide their services. Moreover, specific methodologies would be developed as part of the schemes, subject to applicable competition law.

Option D.2, which unlike Option D.1 is based on a contractual data sharing model based on the Data Act, would also ensure a resource efficient enforcement avoiding the need for significant additional enforcement resources from financial supervisors: contracts between data holders and data users would be enforced via dispute settlement mechanisms established by the Data Act. Contracts could be concluded based on standard contractual clauses established under the Data Act. If combined with Option C.1 above, collective contractual schemes would establish joint contractual frameworks and avoid the need to conclude multiple bilateral contracts.

In terms of coherence, Option D.2 differs from the PSD2 approach and from the preferred option under PSD3, which does not allow charging for access to data covered by it, and which proposes to strengthen public powers to ensure effective enforcement 170 . This divergence may however be justified due to the fact that APIs and public enforcement structures are already in place under PSD2, while under this initiative APIs will in many instances still have to be developed, entailing significant additional investment in order to achieve the need to ensure high quality data sharing. Furthermore, the principle of compensation to data holders for making data available is fully consistent with the Data Act proposal, ensuring strong coherence with the future regulatory framework.

Option D.3, which builds on Option D.2 above by requiring that market participants agree on detailed arrangements for contractual liability for data breaches as part of schemes, would contribute further to a supportive environment for implementing effective data sharing infrastructures, as such arrangements would provide clarity and predictability on liability risks for the specific use cases and circumstances of data sharing in the financial sector. These arrangements could be most appropriately implemented in the context of contractual scheme membership (scheme costs already quantified under Option C.1). Option D.3 would therefore be the most effective one in achieving the specific objective D while not entailing higher costs than Option D.2. In terms of coherence with the regulatory framework, Option D.3 would largely be similar to Option D.2, albeit showing marginally stronger coherence.

The impact of these options on SMEs per stakeholder group would be as follows. As data users, SMEs may benefit in monetary terms under the free API option (Option D.1) in which the full cost is allocated to data holders. At the same time, they may not obtain access to high-quality APIs, limiting their business opportunities. While costs are allocated to data users under Option D.2 and D.3, proportionality for SMEs would be ensured, as data holders would be obliged to cap compensation at cost for SMEs acting as data users, in line with Article 9(2) of the Data Act proposal. In their capacity as customers, the overall impact on SMEs would depend on the extent they request to make use of products and services provided by data users. Compared to Option D.1, customers would benefit from more innovative products based on higher quality APIs under Option D.2 and D.3. SMEs in a capacity of data holders would be affected by the costs relating to APIs under Option D.2 and D.3 and would primarily benefit if they also act as data users. However mitigating measures under Option D.2 and D.3 would ensure that SMEs acting as data holders are not disproportionately affected by implementation costs. Option D.2 and D.3 enable SMEs acting as data holders to seek compensation for making data available. In specific cases, both options would also allow SMEs to rely on APIs developed by larger entities or to establish joint APIs in a pooled manner with other SMEs. Issues around proportionality and costs related to the preferred scope are elaborated on in Annex 8.

Fundamental rights of consumers will be affected, as the requirement to implement APIs for data sharing under Options D.1-D.3 would contribute to increased sharing of data at customers’ request, including personal data. However, the GDPR will apply in full when personal data is processed. The introduction of personal data use perimeters (Option A.3) and open finance dashboards (Options A.1-A.3) will act as further safeguards. Compensation (Options D.2 and D.3) would not have a direct impact on fundamental rights, since it represents cost shifting between data holders and data users. Under both Options D.2 and D.3, compensation is strictly limited to the provision of infrastructure between data holders and data users and customer data per se, in particular personal data, would not be traded, since access to such data is subject to customer request. Clear liability and dispute resolution rules under Option D.3 would create a more predictable environment for consumers who agree to share their data, and liability rules under Article 82 GDPR would also apply to provisions on contractual liability (Option D.3).

The social and environmental impacts of these options are similar to the ones described in section 5.4.3. In particular, options ensuring more effective access rights (Options D.1-D.3) would also cover sustainability related data and would therefore have a limited potentially positive social and environmental impact.

The comparison of policy options under this objective are summarised in Table 5 below. Overall, Option D.3 is selected as the preferred option.

Table 5. Comparison of policy options to promote implementation of high-quality interfaces for customer data sharing

Note: Effectiveness is assessed in terms of the achievement of the corresponding specific objective (+ for low; ++ for medium; +++ for high). Efficiency is assessed in terms of the associated costs (- for low costs/high efficiency; -- for medium costs/efficiency; --- for high costs/low efficiency). Coherence is assessed with respect to the existing EU legislative framework on data sharing (+ for basic; ++ for advanced; +++ for strong).

6.Preferred option

As a result of the above impact analysis of policy options, the preferred options under each specific objective are compiled into a preferred option bundle that is considered most effective, efficient and coherent in achieving the general objective of this initiative. The preferred option bundle is described and analysed below.

6.1Preferred policy option bundle

Summarising the above analysis of policy options, the preferred option involves an EU Regulation that establishes an open finance framework with the following characteristics:

·Require market participants to provide customers with open finance permission dashboards, set eligibility rules on access to customer data and empower ESAs to issue guidelines on personal data use perimeters (Option A.3)

·Mandate access for data users to selected customer data sets across the financial sector (Option B.2)

·Require market participants to develop common standards for customer data and interfaces concerning data that are subject to mandatory access under the specific objective B, as part of schemes (Option C.1)

·Require data holders to put in place APIs against compensation, implementing the common standards for customer data and interfaces developed as part of schemes under the specific objective C and require scheme members to agree on contractual liability (Option D.3)

The preferred policy bundle builds upon and complements the ‘open banking’ provisions under PSD2 and is fully consistent with the PSD3 proposal 171 .

6.2Overall impact of the preferred option bundle

Given the limited data availability and the nature of the open finance initiative, it is inherently difficult to make quantitative predictions about its benefits at the whole economy level. Likewise, it is equally challenging to disentangle the effects of each policy measure from the potential aggregate impact. Whilst the costs of each policy option are already challenging to estimate, its isolated benefits are even more difficult to gauge. Though it may be possible to develop a theoretical model, too many assumptions which cannot be fully substantiated would have to be made, rendering the outcome in terms of quantification unreliable 172 . This is why a qualitative assessment of benefits for the individual measures was mainly used. An attempt was made to provide a macroeconomic assessment of the potential benefits of the open finance initiative based on a macro-level study aimed at quantifying the benefits of enhanced data sharing in the EU financial sector. However, the aim of this study was not to quantify the benefits of the open finance initiative explicitly, as presented and discussed in this impact assessment. Thus, the range of figures presented below should be taken as an illustration of the potential benefits rather than a dedicated estimate. The proposed methodology for the quantitative assessment of the benefits of the open finance initiative is laid out in detail in Annex 4. Whilst this methodology could theoretically lead to an overestimation of benefits of this initiative, a backward-looking comparison of this macroeconomic assesment covering the entire financial sector (including banking, investments, insurance and pensions) with the estimated annual benefits of the PSD2 open banking provisions from increased market access for third-party providers of EUR 1.6 billion 173  (for payments alone and based on a different methodological approach) confirms its general relevance. According to the macroeconomic assessment, the total annual impact on the EU economy produced by enhanced access to and sharing of data in the EU financial sector ranges between EUR 4.6 billion and EUR 12.4 billion, including the direct impact on the EU financial data economy in the range of EUR 663 million to EUR 2 billion per year 174 . 

Furthermore, Annex 7 provides microeconomic assessments of the estimated benefits of three specific use cases which will be enabled by this initiative. Based on the estimates provided, the benefits of the SME financing use case could be as high as EUR 2 billion in annual SME funding, whilst the investment advice use case has the potential of delivering annual savings of EUR 160 million by halving the time needed for carrying out the suitability and appropriateness testing of new clients. As explained in Box 2 of Annex 7 though, in addition and beyond these savings it is expected that the investment advice use case would generate much higher benefits for customers in terms of improved investment outcomes which are however difficult to quantify. Faster suitability and appropriateness testing would also facilitate switching and lower frictional costs thus increasing competition. It should be stressed that these are only two illustrative use cases to complement the macroeconomic analysis, and a more important number of such use cases can expected to be built, and additional benefits to be reaped from them.

As a result of this initiative, customers would benefit from wider choice of innovative services. Data holders would be obliged to put in place APIs, but would upgrade their IT infrastructure as a result and also obtain access to customer data held by other financial service providers. Data users would obtain effective access to customer data held by financial service providers where permitted by customers, enhancing business opportunities in innovative data-driven services.

The overall estimated cost of the preferred option bundle is in the maximum range of EUR 2.2 billion to EUR 2.4 billion in one-off costs and between EUR 147 million to EUR 465 million in recurring annual costs. These costs can be broken down by stakeholder group, as follows. The total annual cost of open finance permission dashboards and schemes for data holders is estimated in the range of EUR 57 million to EUR 217 million. In addition, they would have to pre-fund the one-off cost of putting in place APIs, which is estimated in the range of EUR 2.2 billion to EUR 2.4 billion, involving 17,745 data holders. This one-off cost would be amortised over time via the compensation mechanism from 3,838 data users envisaged under Option D.3. In addition to amortising this cost over time, data users would bear an annual recurring cost for API maintenance, permission dashboards, supervision, professional indemnity insurance and scheme membership in the range of EUR 90 million to EUR 248 million. A subset of data users, financial information service providers would also face a one-off licensing cost of EUR 22 million.

Figure 4 depicts the overall impact of the preferred option bundle on the customer data flow in the financial sector beyond payment accounts. This Figure should be compared to the current situation depicted in Figure 1 in section 2.1 on problem definition.

Figure 4. Customer data flow after implementation of the preferred option bundle

Source: DG FISMA

After implementation of the preferred option bundle, customers would enjoy more transparency and effective control over their data sharing relationships due to open finance permission dashboards, leading to more confidence in managing data users’ access to their data and thereby to more data sharing transactions, which would in turn facilitate customer access to innovative and/or lower priced financial services whilst the risk of financial exclusion for consumers would be limited through respect of guidelines on personal data use perimeters. The eligibility rules would contribute to a high level of customer data protection when data is accessed, whilst the use of standardised APIs would further strengthen security. The ultimate effect of compensation on individual customers would depend on the extent to which they use financial and information services provided by data holders and data users, since it has the effect of merely shifting the cost from data holders to data users. Data-driven services would also enhance financial literacy by helping consumers and firms make effective use of financial services that meet their specific needs (see use cases in Annex 7).

Obliging data holders to enable data users’ access to key customer data sets with high innovative potential and low financial exclusion risks through standardised high-quality APIs would boost data-driven innovation, enabling new use cases and revenue streams for data users. Standardisation of customer data and interfaces would promote data sharing through greater interoperability, with more value likely flowing to the data users who may enjoy cheaper data intermediation services of single API access or may even prefer to set up individual connections to data holders themselves. The reasonable compensation to data holders and the cost of open finance dashboards would fall entirely on data users and would need to be integrated into their pricing strategy related to the new services enabled by their access to new customer data sets. Eligibility rules for access to customer data would ensure that all data users are licensed and supervised by financial supervisors. This would require them to have basic governance and customer protection structures in place, and to be subject to cyber and digital operational resilience requirements under DORA. Thus, eligibility rules would also indirectly safeguard the reputation of data holders.

Reasonable compensation would incentivise data holders to make the necessary investment to ensure the APIs they have to set up are in line with common standards and of sufficiently high quality to meet the specific needs of data users. As the cost of putting in place APIs would be shifted to data users over time, the positive impact on data holders would depend on the extent to which they would be ready to act also as data users themselves. Those data holders that would not also act as data users would have no benefits from implementing high-quality APIs. However, the ultimate impact on such pure data holders would still be neutral over time, as they would be able to recoup their investment costs through the reasonable compensation mechanism.

Mandatory adherence of market participants (data users and data holders) to standardisation schemes would promote data sharing in a consistent manner. Scheme membership would increase the chance of agreeing on standards that are well suited for both sides of the market whilst at the same time avoiding a disproportionate cost. It would also promote implementation by fostering agreement on rules and modalities for data sharing as part of the scheme, including as regards the compensation levels for customer data access, while limiting the need for enforcement resources by public authorities. Overall, this initiative would strengthen international competitiveness of EU firms by enabling them to build on the achievements in the area of open banking where the EU has been at the forefront of putting in place a dedicated regulatory framework for access to payment accounts data. Many jurisdictions have followed in the footsteps of EU regulators and are extending data sharing in the financial sector beyond payment accounts (see Section 2.3). This initiative will allow the EU to continue leading the way globally in terms of a balanced regulatory framework for data sharing in the financial sector.

The impact on SMEs would reflect their high representation in the three main stakeholder groups: customers, data users and data holders. In their capacity as data holders, SMEs would have to implement high-quality APIs at the average cost of EUR 7,000 per IORP (on the assumption of joint APIs covering many IORPs) and EUR 100,000 per investment firm. Furthermore, mitigating measures in the latter case would also allow investment firms to rely on third-party APIs or to establish joint APIs in a pooled manner with other SMEs (see Annex 8). This cost would be amortised over time by data users through the compensation mechanism. In their capacity as data users, SMEs would face the total compensation cost for high-quality APIs of some EUR 600,000 per data user, which would most likely be collected on a “pay per API call” basis over an extended period of time. In addition, SMEs would face an annual API maintenance cost of EUR 34,400, which may add some EUR 0.021 to the cost of an API call. FISPs would also need to prepare their application and obtain a licence, which is altogether estimated at EUR 63,000. They would also be liable to spend some EUR 6,400 per year on a supervisory fee and professional indemnity insurance. As there are more SMEs among the customer group, however, it is expected that this initiative would have an overall positive effect on SMEs as a result of the new use cases enabled by the additional customer data that would become available, such as the SME financing use case presented in Box 1 in Annex 7. Furthermore, .

The expected overall economic impact of open finance policy is improved access to better-quality services, improving the overall price-quality relationship. Open finance would result in more user-centric services: personalised services could benefit consumers seeking investment advice, and automated creditworthiness assessment can be expected to help facilitate access to finance for SMEs (see Annex 5). For these positive impacts to materialise, however, it is important to ensure that data reuse does not lead to anti-competitive behaviour and collusion, especially given the requirement for mandatory adherence to contractual schemes, and that data holders, in particular, do not foreclose competitors through high fees for accessing data. The expected impact on the wider economy is positive due to more efficient service provision as a result of more effective competition.

The preferred option bundle will impact fundamental rights, notably Article 7 and 8 of the Charter of Fundamental Rights. The introduction of data access rights in specific areas of the financial sector - alongside greater interoperability due to data standardisation - will increase the sharing of data, including personal data, in the financial sector. Open finance will therefore be designed in full compliance with the GDPR when personal data is processed. Some specific elements of this initiative will reinforce and give additional practical effect to the GDPR: open finance dashboards and personal data use perimeters (see Section 5.4) will strengthen the means of data subjects to control and manage their data use in line with their rights under Articles 16-21 GDPR. To be effective, these customer tools will need to be operational from the start of the application of the open finance framework. In addition, scoping out high-risk data sets, such as data related to life and medical insurance, will act as a safeguard to limit the impact on fundamental rights (see Annex 5). The open finance framework would put the existing data sharing relationships into a secure and responsible framework that facilitates compliance with the GDPR with respect to personal data.

Given the above, the preferred policy bundle can be expected to have an overall positive social impact provided that the associated risks highlighted in the problem definition section are kept in check. Sharing of customer data would be controlled as it is subject to customer request - mandatory access would only be triggered once the customer has requested his or her data to be shared. More detailed data sharing can open up access to finance to previously excluded users. It can facilitate targeted savings and pensions by facilitating a comprehensive overview of private and occupational pension entitlements as well as other savings for retirement. On the other hand, more data use can, in specific cases, lead to a risk of higher cost or even further exclusion of customers with an unfavourable risk profile. Particular attention needs to be paid to services with inherent risk mutualisation, such as insurance. The preferred option would however minimise any such impact since data sets which are directly relevant to essential financial services for citizens would be excluded from the scope (see Annex 5) 175 . This would be done as part of further work on specific use cases, also using ESA guidelines on the applicable personal data use perimeters. On the other hand, open finance can also lead to financial benefits by widening the use of data sets to other types of financial services. 

Overall, open finance can be expected to have a neutral to positive indirect impact on the environment, as it would likely support the uptake of innovative investment services, including those that channel investments towards more sustainable activities. At the same time, there could also be potentially more direct negative implications from more intensive use of data centres that would go together with wider data reuse.

6.3Application of the “one in one out” approach and REFIT

While this initiative involves significant adjustment costs (subject to compensation), the direct administrative costs would be limited. There would be no administrative costs for consumers and the majority of data holders and users. Administrative costs to data holders would be limited to those firms that would, for the purpose of the implementation of the eligibility rules (Option A.3), be required to seek a licence to become eligible to access customer data in the financial sector. Regulated financial institutions that already have a licence would not be affected by the requirement, and there would be no additional regulatory reporting or other requirements. For the firms that would need to seek a licence, the total costs of seeking a licence is estimated to be about EUR 18.5 million, assuming that about 350 firms would apply to become financial services information providers (FISPS) to be able to access customer data (see Annex 3). These firms would also have to comply with the DORA requirements and put in place the required cyber-security standards.

Further detail is available in Annex 3. There are no administrative cost savings, as it is a new legislation not amending previous EU rules. For the same reason, this is also not a REFIT initiative.

7.How will actual impacts be monitored and evaluated?

The impacts of the initiative will be monitored with respect to the specific objectives set out in section 4, notably as regards:

A.customer trust in data sharing

B.obliging data holders to share customer data with data users

C.standardisation of customer data and interfaces

D.implementation of high-quality interfaces for customer data sharing

Given the expectation that profit margins of third parties which merely access and analyse data will be low and given the absence of any significant financial stability or investor protection risks arising from these activities, the initiative does not foresee any additional mandatory supervisory reporting for these entities. This will minimise costs for market participants and customers and help to increase market efficiencies. All fully regulated institutions and investment firms are subject to supervisory reporting already under the respective framework regulating them (CRR, Sol2, MiFID/R etc.). In effect, all regulated activities (e.g. execution of orders on behalf of clients) will continue to be monitored effectively.

In absence of supervisory reporting requirements, monitoring the effects of open finance will have to rely on consumer surveys, studies and stakeholder consultations. For example, the European Data Market study assesses and quantifies the effects of the legal initiatives undertaken in the implementation of the EU data strategy. Its methodology would be adapted accordingly, including modification of interview questions. Thus, this European data market monitoring tool will continue to provide essential information to the European Commission on the size and trends of the EU data market and data economy, the number of data professionals, the number of data companies and the revenues created by them.

In view of the crucial role of the common European data spaces in the implementation of the EU data strategy, this initiative can also be monitored through insights collected by the Data Spaces Support Centre that will be funded under the Digital Europe Programme. While the development of data spaces itself will be difficult to dissociate from the effects of other initiatives under the Data Strategy, regular interaction between the Commission services, the Support Centre and the European Data Innovation Board should play a role in monitoring progress. Evidence could be gathered through the Support Centre from stakeholders on the efficiency and effectiveness of measures taken under this initiative, such as the extent to which the situation concerning customer data access in the financial sector has improved.

A progress indicator for objective A would be the number of end-users of open finance services offered by data users, including financial information service providers.

As regards progress indicators for objectives B, C and D, they would have to measure effective access to customer data for data users in the financial sector. One such indicator would be the number of new and/or upgraded APIs enabling direct connections between data holders and data users as a result of this initiative.

Another progress indicator would be the number of data users connecting to these APIs, including new market entrants, as well as the number of API calls executed. The latter may enable quantitative estimates about developments in the size of the financial customer data market and the distribution of its benefits between data users and financial sector customers. In this context, the share of data holders acting as data users would also be monitored. In more qualitative terms, the emergence of new use cases and business models as a result of this initiative would also be monitored.

Any evaluation of the initiative should be undertaken no earlier than three years after its entry into force to make it meaningful, but no later than 2030. However, the monitoring process should start as of its entry into force. Monitoring will largely be done in the normal course of supervisory practice by the national competent authorities and the European Supervisory Authorities. To the extent possible, this will be complemented by relevant data from private sources. No dedicated reporting procedure for market participants is envisaged under this initiative for the purposes of monitoring and evaluation.

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

DG FISMA is the lead DG of this initiative, which is labelled PLAN/2021/11368 in Decide planning. The Commission work programme for 2023 states that data access in financial services will be further improved with a legislative initiative for a framework on open finance as part of the priority “an economy that works for people” based on Article 114 TFEU in Q2 2023.

2.Organisation and timing

The first joint interservice group meeting on PSD2 review and open finance took place on 28 January 2022. The first draft of an incomplete impact assessment was discussed at the second interservice group meeting, which took place on 28 September 2022. Notably, the text covered the problem definition and outlined the potential policy options for analysis. The first full draft of the impact assessment was discussed at the fourth interservice group meeting on 6 December 2022. The modified final draft was discussed at the sixth interservice group meeting on 20 January 2023. The interservice group includes members of the following DGs: SG (chair), SJ, CNECT, JUST, COMP, TRADE, MOVE, ECFIN, GROW, TAXUD, ENER, ENV, HOME, EMPL and SANTE.

3.Consultation of the RSB

The Regulatory Scrutiny Board reviewed the draft impact assessment and issued a positive opinion (with reservations) on 3 March 2023. The following summarises the main suggestions by the RSB and how they were addressed in this revised impact assessment.

4.Evidence, sources and quality

The call for evidence was launched on 10 May 2022, including a joint public consultation on PSD2 review and open finance, ending on 2 August 2022. A targeted consultation on open finance was also launched on 10 May 2022, ending one month earlier – on 5 July 2022. The feedback received as a result of this fact-finding exercise has been used throughout this impact assessment.

In June 2021, DG FISMA established an expert group on European financial data space. This expert group includes a dedicated subgroup on open finance. The expert group delivered a report on open finance on 24 October 2022, which is also taken into account in this impact assessment.

In addition, the present impact assessment takes account of the relevant public and private studies and publications, including those relating to the PSD2 review and European data strategy. E.g. evidence from the PSD2 evaluation report and the study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2) FISMA/2021/OP/0002 has been extensively used in this impact assessment, as well as the EU data market study 2021-2023.

Annex 2: Stakeholder consultation

1.Expert group on European Financial Data Space

On 24 October, the Commission received a report on open finance from the Expert Group on the European Financial Data Space. 176 The Expert Group brings together experts from academia, consumers, and industry (including banking, insurance, pensions, investment, as well as third party providers and fintech firms).

2.Results of the call for evidence

Figure 1: Respondents to the call for evidence on open finance by country

Source: DG FISMA

On 10 May 2022, the European Commission launched a call for evidence on open finance. The call for evidence closed on 2 August 2022, gathering 79 responses. Most were submitted by citizens (57), but also by trade associations (14), businesses (3), consumer organizations (1), unions (1) and others (3). The majority of the responses came from Slovakia (24), Germany (22) and Belgium (8), see Figure 1. The attitude of individual responses towards open finance was generally negative, whereas that of responses by firms was positive subject to safeguards. If designed in an appropriate way, open finance is seen to have the potential to have a positive impact. The attitude of individual responses was that the framework of this initiative should tackle issues by adopting clear safeguards, such as privacy dashboards, clear delineation of its scope and a level playing field among market participants.

3.Results of the public consultation

Introduction

On 10 May 2022, the European Commission launched a public consultation on the review of the revised payment services directive (PSD2) and open finance. The public consultation closed on 2 August 2022.

Section 3 of the public consultation focused on open finance, for which the results are presented in this Impact Assessment. The purpose of Section 3 of the public consultation was to gather views from the general public on open finance, thereby also complementing the Commission’s targeted consultation on open finance. Section 3 of the public consultation was however also open to replies from professional stakeholders interested in open finance (corporate users, fintech firms, consumer organisations as well as relevant public authorities and national regulators).

Overview of respondents and responses

Figure 2: Respondents to the public consultation focused on open finance by country

Source: DG FISMA

Section 3 of the public consultation focused on open finance, for which the results are presented in this Impact Assessment. In this section there were 92 respondents from 28 countries (see Figure 2). 55 were citizens and 37 professional respondents. Most of the professional respondents were companies or business organisations (18 respondents), followed by business associations (8), public authorities (3), consumer organisations (2), trade unions (2), academics/research institutions (1) and others (3).

Summary of respondents’ feedback

Respondents’ feedback was mixed. While many citizen respondents would in principle want to share their data based on strong consumer consent/agreement, they are concerned to share financial data due to a lack of trust which stems from concerns over privacy, data protection and digital security, and a generalised sense of not being able to control how their data is used.

Professional respondents were more favourable to data sharing and citied benefits to the customer journey in terms of increased competition and innovation for financial products and services. However, a significant minority of professional respondents also voiced concerns over competition, security and data misuse.

The most typical opinions voiced by respondents are listed below.

-Sharing of data

Asked whether they would be willing to share specific types of data held by their financial service provider (savings account data, consumer credit data, mortgage loan data, pension data, insurance data) with other financial or third-party service providers in return for access to new services, an average of two thirds of citizen respondents (an average of 33 out of 55 citizens) replied that they were unwilling to share their data. Citizen respondents against data sharing typically justified their replies as follows: (1) Financial data is too personal to be shared; (2) There is no trust in the system and the data could be misused; (3) There is no transparency and not enough supervision in the system; (4) Data could be passed on indefinitely to third parties, as a data subject’s consent is usually not informed or understandable.

Professional respondents, on the other hand, were more split on the issue, although the abstention rate was high (around 61%, 23 out of 37 respondents). While companies/business organisations and business associations tended to support data sharing (about a quarter of all respondents were in favour of sharing different types of data, about a tenth against), other respondents were rather opposed to it (from a quarter up to half of the respondents opposed sharing different types of data). Common arguments used by professional respondents in favour of data sharing were as follows: (1) Data sharing could help with creating new services and increase competition; (2) Data sharing will help payment institutions offer smart and fast solutions to SMEs; (3) Data sharing will increase consumers’ decision-making power.

Professional respondents against data sharing typically justified their replies as follows: (1) Non-personal data is likely to be commercially sensitive information; (2) Sharing sensitive data is particularly significant and risky in certain financials sectors (i.e. the insurance sector); (3) Making the sharing of data mandatory could lead to distortions in competition if there are enforced disclosures for large companies and if data sharing is not reciprocal.

-Security and privacy risks

The overwhelming majority of respondents cited concerns over security and/or privacy risks in giving other service providers data access. 84% of citizen respondents (46 out of 55 respondents) and 68% of professional respondents (25 out of 37 respondents) agree that data sharing increases those risks. 177

Citizen respondents concerned over security and/or privacy risks typically justified their replies as follows: (1) The more often data is stored by different service providers, the greater the risk that the data will be misused or hacked; (2) It is unclear with whom data is shared and what standards apply (e.g. the data may be outdated); (3) There has to be clear information before consent/agreement is given and it has to be assured that data is only used for specific purposes; (4) There is no trust in the system and data could be misused (e.g. data shared could be used for unsolicited advertising); (5) There is the danger that the consumers are coerced into giving consent/agreement (e.g. via pricing mechanisms).

Some professional respondents concerned over security and/or privacy risks argued that sharing of data could generate “negative externalities” (e.g. risk of reconstruction of “strategic” information, risk of undermining the principle of mutualisation, risk of auctioning policy holders’ data, risk of significant price increases)

-Lack of trust in the processing of personal data

The majority of citizen respondents do not believe that financial service providers that hold their data always ask for consent/agreement before sharing those data with other financial or third-party service providers (57%, 26 out of 46 respondents). Of the professional respondents who replied, however, the majority believe that financial service providers do ask for consent/agreement (61%, 14 out of 23 respondents).

Moreover, the majority of active citizen respondents believe that financial or third-party service providers do not use the shared data exclusively for the purposes to which they have agreed (71%, 32 out of 45 respondents).

-Consumer consent/agreement

A majority of citizen respondents say that financial service providers holding data should be obliged to share them with other financial or third-party service providers, if customers have given consent or agreement (55%, 30 out of 55 respondents).

To ensure trust and data subject-supported data usage, citizen respondents suggested a range of solutions strengthen consumer consent/agreement. Solutions typically cited included: (1) The introduction of privacy dashboards such as consent management tools that builds trust, transparency and user ownership of all data concerning them; (2) There should be a high-level system in which all data brokers are intensely monitored and supervised; (3) There should be a technical mechanism that prevents data from being repurposed; (4) There has to be strict compliance with the GDPR at all times.

Professional respondents suggested a range of solutions to strengthen consumer consent/agreement. (1) All players in data sharing ecosystem should be subjected to the same rules. (2) There has to be a strong permission management system that also includes the recipient of shared data.

-Compensation

Regarding the question of compensation, there is an inconclusive result among the surveyed citizen respondents. While in about a quarter seemed to be undecided (24%, 13 out of 55 respondents chose the "don't know" option), 42% (23 respondents) of citizen respondents oppose the idea of service providers charging a fee to other service providers who access data using infrastructure they put in place. 178  The rest spoke in favour of a compensation (35%, 19 respondents).

Citizen respondents against charging typically argued that: (1) If the consumer wants the data to be shared, charging a fee is an obstacle; (2) If fees are charged, they may end up with the customer. Citizen respondents in favour of charging were also clear that charging should come with conditions. Conditions cited typically included: (1) Services should be remunerated according to market conditions. But there should be a way for the customer to transfer his/her input data to another provider for free; (2) The fee should benefit the consumer, not the service provider; (3) Money should not be made by selling private data.

A large number of professional respondents also seemed undecided on the issue of compensation (43%, 16 out of 37 respondents did not answer the question or chose the "don't know" option). However, among the remaining professional respondents, a slight majority of active professional respondents believed that they should be able to charge a fee (11 out of 21 respondents). 179 The professional respondents in favour of charging typically argued (1) A fair commercial model should be established to provide a financial incentive to develop well-functioning solutions that meet market demands; (2) As long as there is competition in the infrastructural space, there should be a fee.

4.Results of the targeted consultation

Introduction

On 10 May 2022, the European Commission launched a targeted consultation on open finance and data sharing in the financial sector. The targeted consultation closed on 5 July 2022.

The purpose of the targeted consultation was to gather input from professional stakeholders that have in-depth knowledge and/or working experience in the field of data sharing in finance. Professional stakeholders targeted included financial institutions, data vendors, fintechs, corporate users, consumer protection associations as well as relevant public authorities and national regulators).

Overview of respondents and responses

A total of 94 professional stakeholders from 19 European countries replied to the targeted consultation. The stakeholders responded to be active in many different financial sectors, payments (51 respondents), insurance (42 respondents), banking (38 respondents), as well as pensions (35 respondents), asset management (33 respondents), data information services (31 respondents), securities trading (30 respondents) or brokerage (30 respondents). Professional respondents who identified as ‘other’ namely consisted of industry associations/organisations (4 respondents), government authorities (2 respondents) supervisory authorities (2 respondents), consumer protection organisations (1 respondent), leasing/real estate mortgages firms (5 respondents). Other professional respondents included qualified trust services, digital accounting, risk management, investment platform, and actuarial services, and business information services. Moreover, 23 respondents indicated that they would wish to provide responses on anonymous basis. 180

Summary of respondents’ feedback

Overall, responses to the targeted consultation highlight that most professional respondents see the potential benefits of an open finance framework and accordingly express support for regulatory intervention in some areas. However, views diverge substantially and support comes with conditions. The following is a summary of views:

-Data access

Overall, most respondents believe that there is today no adequate framework for data access rights in the financial sector (62%, 58 out of 93 respondents). Also, within the group of data holders, the majority support this view (53%, 25 out of 47 respondents). Just over half of the respondents thought that the Commission should consider proposing new data access rights in open finance (55%, 48 out of 87 respondents). Nevertheless, most incumbent financial institutions do not support legislation granting new mandatory access. 181 On the contrary, many customers and third-party providers argue in favour of such access rights, with the latter pointing towards experienced difficulties in gaining access in the absence of legislation. 182  Still, a majority of those arguing in favour of mandatory access acknowledge the cost of building the infrastructure for granting such access and expressed support for compensating data holders for such costs.

-Customer concerns

Many customers would in principle want to share their data to get access to better financial products, nevertheless, some customers still hesitate to share financial data due to a lack of trust which stems from concerns over privacy, data protection and digital security, and a generalised sense of not being able to control how their data is used. A large majority of respondents — also among data holders — expressed support for digital identity solutions (78%, 68 out of 87 respondents) and privacy dashboards like consent management tools (71%, 62 out of 87 respondents) as potential tools to address these concerns that strengthen the ability of customers to grant track and withdraw consent/agreement.

Asked which risks related to customer data sharing they would consider a key concern, the majority (64%, 56 out of 87 respondents) answered the misuse of data, followed by 60% (52 out of 87 respondents) for privacy breaches and 29% (25 respondents) for financial exclusion. Other risks mentioned were: identity theft, cyber and information risks, and competition issues (unlevel playing field or creation of monopolies). In particular, insurance companies warned that sharing of insurance data could generate negative externalities (e.g. risk of standardization, impoverishment of the market, lower levels of consumer protection, reverse engineering, undermining of the principle of mutualisation).

-Limited current portability of data

Customers have problems in ensuring that the firms holding their data make it available to third-party providers – which strongly suggests that the existing data portability right of Article 20 GDPR is not operational in the financial sector. Of the respondents who answered, the majority either never made use of Article 20 GDPR (21%, 18 out of 87 respondents) or rarely made use of Article 20 GDPR (32%, 28 out of 87 respondents) to grant data access in the financial sector. Considering only the data users, 65% stated that they rarely or never applied Article 20 GDPR (30 out of 46 respondents). Only a small fraction of respondents replied that they use Article 20 GDPR regularly (5%, 4 out of 87 respondents).

-Lack of standardisation

A majority of respondents – in particular among data holders (65%), data users (69%) and data intermediaries (73%) – believe that standardisation of data could usefully be complemented by contractual schemes between data holders and users (55% overall, 48 out of 87 respondents), less than a tenth (9 %, 8 respondents) explicitly opposed this. Most also stressed that such schemes could cover liability rules that clarify the attribution of liability for the quality of customer data that is shared (55%, 48 out of 87 respondents). A large majority of respondents (64%, 56 out of 87 respondents) also said that an open finance framework would need a dispute settlement mechanism, i.e. an ability to settle disputes without having to resort to judicial proceedings (e.g. for who should be liable for e.g. erroneous data sharing).

Data holders appear to lack incentives to develop high-quality technical access points for data sharing (APIs). Most firms using customer data held by financial firms have had difficulties to access data. Most had concluded ad hoc contracts to access data (67%, 20 out of 30 respondents), which they argued were very costly. Responses suggest that the key reasons for lack of data sharing is that (1) there is lack of a standardised ways for sharing data (40%, 35 out of 87 respondents); (2) the absence of standardized APIs (38%, 33 respondents); (3) the absence of clarity as to which types of data are within scope (36%, 31 respondents); (4) The absence of clear rules on liability in case of data misuse (32%, 28 respondents); (4) the absence of an obligation to provide the data on a continuous/real time bases (30%, 26 respondents).

-Compensation

In the public consultation, a small majority of the professional respondents had already spoken out in favour of compensation rights. 183 In the targeted consultation the response is even more pronounced. A large majority of respondents believe that financial firms holding customer data should be entitled to compensation by third parties for making data available in an appropriate quality, frequency and format (75%, 70 out of 93 respondents). While the level of support is even higher looking only at data holders (83%, 39 out of 47 respondents), the majority of data users and data intermediaries are also in favour of such compensation (77%, 43 out of 56 respondents). References were made to the PSD2, with some respondents suggesting that free of charge data access by third parties did not foster the best outcome as the implementation investments have been disproportionate to benefits and return on investment for data providers.

Looking in more detail at data users and data intermediaries who are not data holders, it becomes apparent that an appropriate quality of the data is decisive for the acceptance of compensation fees. While the vast majority of them support in principle the general right to data access without compensation (80%, 8 out of 9 active respondents), a majority consider compensation payments to be reasonable when making the data available in appropriate quality, frequency and format (56%). On the level of compensation, some respondents believe that compensation should allow for a reasonable return on investment (19%, 18 out of 93 respondents). Only a minority argued compensation should be limited to the cost of putting in place the required data infrastructure (9%, 8 out of 93 respondents). The majority of respondents argued that compensation should be set in another way (46%, 43 out of 93 respondents): certain stakeholders favoured a market-value compensation (e.g. not defined by a legislation) for data sharing as it would provide necessary incentives, avoid dis-incentivizing market pioneers and would be adjustable depending on specific use cases. However, it was noted that even where compensation is regulated by the market, the market itself could establish principles for what is considered as a reasonable compensation. Criteria for fairness, reasonableness and non-discrimination should nonetheless be followed.

Some respondents suggested that compensation based models would negatively impact smaller players and competition as a whole. References were also made to existing portability under the GDPR and avoidance of commercializing it.

-Aggregated data for research and innovation

Only a minority of the professional respondents see legal obstacles today to obtain and use fully anonymised and aggregated supervisory data for research and innovation purposes (12%, 9 out of 74 respondents), while most of the stakeholders had no opinion (34 respondents) or did not answer the question at all (9 respondents). The main obstacles concern data protection and confidentiality requirements. However, the respondents came up with various areas, in which anonymized and aggregated supervisory data could hold research and innovation potential, e.g. fraud prevention (including AML), AI, data analytics, or the areas of ESG data, financial inclusion and financial literacy.

A clear majority stated that they would find it useful to provide an enabling clause comparable to the Commission’s proposal for a Digital Operational Resilience Act in the financial sector 184 for different types of information exchange among financial institutions (58%, 46 out of 74 respondents). Among data holders, the approval rate is even higher (73%, 30 out of 41 respondents). Such a clause aim to ensure legal certainty about the possibility of exchange of such information and data. A large number mentioned the fight against financial crime and fraud, which they considered could become more (cost) effective with increased data sharing. Also risk monitoring, compliance and due diligence were seen as fields where enabling clauses for information exchange could play a positive role.

Annex 3: Who is affected and how?

1.Practical implications of the initiative

As explained in sections 5 and 6, the initiative will have an impact on the main stakeholder groups, including business and retail customers of financial service providers, financial data holders, financial data users and public authorities. As regards the relative number of each stakeholder group, data holders include: 4,000 credit institutions (already subject to PSD2) 185 , 2,585 insurance firms 186 , 6,120 institutions for occupational retirement provision (IORPs) 187 and 5,040 investment firms 188 that receive and transmit orders. Thus, the total number of data holders is 17,745.

As for data users, their number is estimated at 3,838, based on the following considerations. First, based on the PSD2 experience we estimate that about 30% of financial institutions would also act as data users 189 . Applying the same proportion to the other categories of data holders, except for occupational pension providers 190 , would yield 3,488 entities in total, including 1,200 banks, 776 insurance firms and 1,512 investment firms. Second, 324 payment institutions were providing account information services in the EU under PSD2 in January 2023, of which 91 are licensed solely as account information service providers (AISPs) 191 . In view of the fact that payment accounts command the highest number of clients, compared to other types of financial services, as well as the highest transaction frequency (with the notable exception of high-frequency trading), the future number of financial information service providers (FISPs) is estimated at 350. Thus, the total number of data users is equal to 3,838, of which 1,200 banks are already active under PSD2.

The methodology for quantifying the benefits and costs of this initiative is laid out below.

Benefits

Given the limited data availability and the nature of the open finance initiative, it is inherently difficult to make quantitative predictions about its benefits at the whole economy level. Likewise, it is equally challenging to disentangle the effects of each policy measure from the potential aggregate impact. Whilst the costs of each policy option are already challenging to estimate, its isolated benefits are even more difficult to gauge. Though it may be possible to develop a theoretical model, too many assumptions which cannot be substantiated would have to be made, rendering the outcome in terms of quantification unreliable. This is why a qualitative assessment of benefits for the individual measures was mainly used. In addition, an attempt was made to provide a macroeconomic assessment of the potential benefits of the open finance initiative based on a macro-level study aimed at quantifying the benefits of enhanced data sharing in the EU financial sector, as laid out in detail in Annex 4. However, the aim of this study was not to quantify explicitly the benefits of the open finance initiative, as presented and discussed in this impact assessment. Thus, the range of figures presented below should be taken as an illustration of the potential benefits rather than a dedicated estimate. These figures are relevant and useful to gain a general idea about the magnitude of potential benefits and to provide a range of potential estimates.

Based on the methodology and strong assumptions set out in Annex 4, the total annual impact on the EU economy produced by enhanced access to and sharing of data in the EU financial sector is estimated in the range of EUR 4.6 billion to EUR 12.4 billion. This figure includes: the direct annual impact on the European financial data economy in the range of EUR 663 million to EUR 2 billion; the indirect annual impact on the European financial data economy in the range of EUR 1.4 billion and EUR 5.4 billion; as well as the induced annual impact on the EU GDP in the range of EUR 2.5 billion to EUR 5 billion. Based on one estimate the number of end users could reach 54 million in 2024 192 , implying EUR 80 to EUR 226 annual benefit per end user. The relatively wide estimation margin in the macroeconomic study is largely due to the uncertainty regarding the three scenarios used in the study and their effects on the data market. It is not possible to accurately predict which types of new services would be offered and how they would impact competition in respective sub-sectors. If the markets remain fragmented and data innovation remains at medium levels, we would see outcomes close to the lower bound of the range. If, however, open finance manages to spark more competition, unify the currently fragmented infrastructure and provide benefits to a wide and socially diverse set of consumers, we should expect the actual benefits to be much closer to the upper bound. The order of magnitude of these figures which cover the entire financial sector including banking, investments and insurance and pensions appear to be consistent with the assessment of the estimated annual benefits of EUR 1.6 billion from increased market access for third-party providers as a result of PSD2 implementation 193 , for payments alone and based on a different methodological approach.

In order to complement the macroeconomic estimates above and to illustrate such benefits at microeconomic level, reference is made to three specific use cases presented in Boxes 1, 2 and 3 in Annex 7, which are illustrative of the potentially manifold use cases of innovative services that can be expected to be built based on this initiative. It is estimated that the SME financing use case would result in additional EUR 2 billion in annual SME funding, whilst the investment advice use case has the potential of delivering annual savings of EUR 160 million by halving the time needed for carrying out the suitability and appropriateness testing of new clients. As explained in Box 2 of Annex 7 though, in addition and beyond these savings it is expected that the investment advice use case would generate much higher benefits for customers in terms of improved investment outcomes which are however difficult to quantify. Faster suitability and appropriateness testing would also facilitate switching and lower frictional costs thus increasing competition. By providing a holistic overview of consumers’ insurance policies, the use case described in Box 3 of Annex 7 on the insurance dashboard can help consumers make effective use of insurance services by increasing their knowledge of their insurance situation. Insurance dashboard information can also make the advisory process for insurance providers more seamless and cost-effective by allowing the customer to compare different products based on their needs and overall insurance situation. It should be stressed that these are only three illustrative use cases to complement the macroeconomic analysis, and a considerable number of such use cases can be expected to be built with additional benefits.

Costs

The costs of this initiative have been estimated to a large extent based on the experience of PSD2 as reported by the industry, which provides estimates on costs of similar policy measures in a closely related sector. However, the dedicated situation of open finance compared to open banking has been taken into account where relevant. Obtaining specific evidence from stakeholders on the possible cost of open finance or validation of these figures by stakeholders has not been possible in spite of attempts via the public consultation and the European Data Space expert group, as stakeholders have been reluctant to share any specific views. The most important cost factors have already been presented as part of the options assessment in the main text. This Annex provides slightly more details on those figures.

The first cost factor is related to the requirement that market participants (data holders and data users) provide open finance permission dashboards. Industry cost estimates for such dashboards fall in a range of EUR 3,000 to EUR 12,000 per year 194 . Multiplying this cost by 17,745 data holders yields an annual cost range of some EUR 53 million to EUR 213 million whilst the cost for 3,838 data users would be in the range of EUR 12 million to EUR 46 million, including from EUR 1 million to EUR 4.2 million per year for 350 FISPs. Thus, the total annual cost of permission dashboards would fall in the range of EUR 65 million to EUR 259 million. A cheaper alternative could be to implement permission dashboards in a centralised manner, e.g. via an e-IDAS wallet that is held by the customer, largely because it would allow to avoid a proliferation of such dashboards.

The second cost factor for firms that are not already regulated entities in the financial sector is related to the eligibility rules to access customer data. Multiplying the estimated cost to prepare the application of some EUR 53,000 195 by the estimated number of 350 FISPs across the EU yields EUR 18.5 million. In view of the rather simple business nature of FISPs, it would be reasonable to assume registration fees for this license at EUR 10,000 196 , which adds up to EUR 3.5 million for 350 FISPs. The annual cost of professional indemnity insurance for one FISP is estimated at EUR 5,000 197 and yields a total of EUR 1.75 million in recurrent expenses. The competent authorities would need to set up an IT system and corresponding supervisory process. This is estimated at EUR 200,000 per each of the 27 Member States, yielding a one-off cost of EUR 5.4 million. A similar amount is assumed per Member State to hire additional 2 members of staff, yielding another EUR 5.4 million in recurrent annual expenses. Assuming that supervisory fees would be calibrated to cover the associated expenses, each of the 3,838 data users would face an annual supervisory fee of some EUR 1,400. Collectively, all except FISPs would also need to amortise the additional EUR 1.9 million from the one-off cost of putting in place the supervisory process not covered by the FISP licensing revenues of EUR 3.5 million. In aggregate, FISPs would face a EUR 22 million cost to obtain a license and EUR 3.2 million to EUR 6.4 million in annual costs for permission dashboards, professional indemnity insurance and supervision.

The third cost factor is linked to the adherence of market participants (data holders and data users) to data sharing schemes. The direct annual management cost of schemes is estimated at EUR 5 million, which would be split accordingly among schemes members. Estimating that 80% of all market participants would be pure data holders 198 , these may have to bear EUR 4 million of the annual cost, whilst data users would bear the remaining EUR 1 million, under the assumption that no weighting is applied 199 .

The fourth and most significant cost factor is that of putting in place APIs implementing common standards for customer data and interfaces developed under the specific objective C for data sets in scope under the specific objective B. API development costs are estimated for each category of data holders separately. The estimates of this cost factor presented below are based on the PSD2 evaluation which provides recent and actual cost assessments of a comparable measure in the same sector (although the evaluation indicates that the evaluated cost are likely overstated as the figures collected lack representativeness and they likely mix costs of setting up access with other unrelated costs linked to the provision of online banking or related services: IT, security), and are adjusted for the structural differences of firms in payments and other parts of the financial sector, as outlined in more detail below. A number of further factors distinguish the likely costs arising from this initiative compared to the PSD2, which it is not possible to quantify:

·Technological development between the implementation date of PSD2 and this initiative and experience gained with PSD2 interfaces are likely to lead to significantly lower costs.

·This initiative provides for standardisation of interfaces prior to implementation, lowering the costs for each interface further.

·Both initiatives cover financial data, but the exact data sets and use cases will have slightly different features, leading to divergences in detailed costs.

Credit institutions are already subject to PSD2 and have an interface in the context of payment accounts data. Thus, they would only be required to adjust their existing APIs so that the additional data sets subject to mandatory access under the open finance initiative are made available 200 . According to an industry study 201 , the existing APIs put in place under PSD2 cost them on average close to EUR 2 million per organisational entity. This initial cost estimate is likely to be overestimated though, since only two credit institutions provided specific figures for this purpose 202 . Furthermore, application of dedicated industry methodology suggests that initial development of an API may cost as little as EUR 25,000 203 . Thus, the substantial chunk of the costs estimated in this study must clearly relate to revamping the legacy IT infrastructure of banks that was needed to ensure appropriate functioning of the new APIs or also possibly for other purposes than PSD2 implementation. Bearing this in mind, the fractional costs for adjusting the existing APIs are assumed at some 10-20% of the initial cost of putting in place APIs under PSD2, which is between EUR 200,000 and EUR 390,000 per organisational entity. Multiplying this by 1125 organisational entities 204  yields a total cost range of EUR 220 million to EUR 440 million. Once again, this estimate does not consider the specificities of the entities considered, including in terms of IT resources and economies of scale and scope resulting from APIs being already in place. 

Extending the scope of mandatory access to data sets outside banking, it seems reasonable to assume that the average cost of putting in place APIs for insurance companies would be similar to the one borne by banks under PSD2, as the market has certain similarities with a few large and many smaller players. First, when it comes to the number of APIs to be put in place, taking the PSD2 experience as a guide, it is assumed that the number of APIs to be put in place by insurance firms would reflect a similar percentage of total population as in the case of banks under PSD2. Indeed, in both cases several individual entities belong to the same group allowing them to put in place a single API as part of a centralised group ICT infrastructure. Applying this percentage to the total population of insurance firms yields about 727 organisational entities in the insurance sector. Secondly, when it comes to the cost of each APIs, again a similar average cost as in the PSD2 study is assumed, which took into account a mix of larger more complex group APIs and smaller APIs. Applying these assumptions to the 727 organisational entities in the insurance sector estimated see above yields roughly EUR 1.4 billion in total cost. Clearly, the same caveats apply to this estimate as in the case of banks.

The calculation for occupational pension providers takes into account that these are mostly small firms with a couple of employees only and a relatively straightforward nature of the data they hold as regards individual pension entitlements of persons. In this context, and given the general efforts of the pensions industry to put in place more generalised pension dashboards at national level, it is assumed that these providers would cooperate on a country-wide basis and put in place a centralised API through which data from all national occupational pension providers would be accessible 205 . In view of the fact that 5 Member States have no occupational pension providers, the overall cost of putting in place APIs implementing the common standards for data and interfaces by occupational pension providers is estimated at 22 times the average cost of about EUR 2 million as reported by the banking industry, yielding a total cost of EUR 43 million. As for investment firms, each entity is assumed to put in place a separate API, but the cost of putting in place an API is also estimated to cost EUR 100,000 in view of the highly standardised nature of data in the field of securities trading 206 and the relatively advanced IT infrastructure of these firms. Against this background, the total cost for investment firms is estimated at EUR 504 million.

Adding up all categories of stakeholders yields a total cost range of EUR 220 million to 440 million for data sets in scope under Option B.1 (banking only), in the range of EUR 2.2 billion to EUR 2.4 billion under Option B.2 (selected data sets across the financial sector), and in the range of EUR 2.3 billion to EUR 2.7 billion under Option B.3 207 (all data sets across the financial sector). Over time, this one-off cost for putting in place standardised high-quality APIs for data sets covered under the preferred Option B.2 would result in EUR 570,000 to EUR 630,000 of aggregate costs for each of the 3,838 data users as a result of the compensation mechanism envisaged under the preferred Option D.3. 

The fifth and final cost factor is that of running these APIs, which involves recurring monthly costs for API hosting, maintenance and management. At the end of 2021, the number of open banking API calls in the EEA was estimated at 1 billion per month 208 involving 1,550 TPPs. The same number of API calls is assumed for data sets covered under Option B.1 (banking only), yielding an annual API maintenance cost of some EUR 50 million. The maximum number of API calls in the open finance environment is estimated based on the total number of data users and the number of new APIs in the EU. This yields a range from 2.5 billion (based on 3,838 data users) to 6.2 billion (based on the assumption of 6,914 APIs 209 ) 210 API calls per month. Based on this range of API calls and using industry methodology 211 , the aggregate annual cost under Option B.2 (selected data sets across the financial sector) is estimated in the range of EUR 70 million to EUR 194 million. In view of the fact that the additional data sets under Option B.3 (all data sets across the financial sector) would be mainly limited to the insurance sector, it is assumed that this would have only a marginal effect on the API maintenance costs. Hence, these annual costs are estimated in the range of EUR 70 million to EUR 195 million. The estimated recurring cost under the preferred Option B.2 translates into the total annual cost of about EUR 10,000 to EUR 28,000 per API, with a resulting average cost per API call of EUR 0.021, which coincidentally matches the assumed maintenance cost per API call of EUR 0.021 used in the Study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2) FISMA/2021/OP/0002. Under the preferred Option D.3, the annual API maintenance cost would be integrated into the compensation mechanism to data holders for putting in place APIs and would result in some EUR 34,400 per data user for the data sets covered under the preferred Option B.2. In case these costs are eventually passed on to the end users, this would result in a yearly cost per end user of some EUR 2.45 based on about 54 million of expected end users 212 .

The requirement for market participants to agree on contractual liability, including appropriate dispute resolution mechanisms would need be achieved in the context of scheme membership. As such, it would give no rise to additional costs beyond those already quantified above.

2.Summary of costs and benefits

(1) Estimates are gross values relative to the baseline for the preferred option as a whole (i.e. the impact of individual actions/obligations of the preferred option are aggregated together); (2) Please indicate which stakeholder group is the main recipient of the benefit in the comment section;(3) For reductions in regulatory costs, please describe details as to how the saving arises (e.g. reductions in adjustment costs, administrative costs, regulatory charges, enforcement costs, etc.;); (4) Cost savings related to the ’one in, one out’ approach are detailed in Tool #58 and #59 of the ‘better regulation’ toolbox. * if relevant

(1) Estimates (gross values) to be provided with respect to the baseline; (2) costs are provided for each identifiable action/obligation of the preferred option otherwise for all retained options when no preferred option is specified; (3) If relevant and available, please present information on costs according to the standard typology of costs (adjustment costs, administrative costs, regulatory charges, enforcement costs, indirect costs;). (4) Administrative costs for offsetting as explained in Tool #58 and #59 of the ‘better regulation’ toolbox. The total adjustment costs should equal the sum of the adjustment costs presented in the upper part of the table (whenever they are quantifiable and/or can be monetised). Measures taken with a view to compensate adjustment costs to the greatest extent possible are presented in the section of the impact assessment report presenting the preferred option.

3.Relevant sustainable development goals

Digital finance has many aspects that can improve the workings of economies and further the cause of sustainable development. Access to finance is one of the major challenges of sustainable development. While not the direct aim of the initiative, open finance will indirectly help advance inclusive and sustainable economic growth, employment and decent work for all (SDG 8) and reduce inequality (SDG 10) by supporting inclusive growth. It can help socially excluded individuals (those engaged in informal employment or affected by income inequality) gain better access to finance. Technology that works for people (responsible AI – investment in connectivity – skills – data protection / consumer protection) is another relevant priority.

Open finance is in line with building resilient infrastructure, sustainable industrialisation, and innovation (SDG 9). It can unleash competitive economic forces that improve connectivity in the area of finance. A fair and competitive economy (data strategy – industrial strategy – Digital Services/markets act – digital taxation) is also a directly relevant EU priority.

Open finance will help promote access to affordable, reliable, sustainable and modern energy (SDG 7) and take action to address climate change (SDG 13) through more informed and targeted investment advice. This is being achieved, as open finance can help investors make more informed decisions which can help to channel of capital flows towards sustainable investments.

Annex 4: Analytical methods

Given the limited data availability and the nature of the open finance initiative as enabling future innovation, it is inherently difficult to make quantitative predictions regarding its benefits at the whole economy level.

The proposed methodology for the quantitative assessment of the benefits of the open finance initiative relies on estimates from the European Data Market Study 2021-2023 . Despite the fact that the purpose of this study was not to quantify the benefits of the open finance initiative as presented and discussed in this impact assessment, the Commission’s JRC confirmed that the proposed methodology is relevant and useful to gain a general idea about the magnitude of potential benefits and to provide rough estimates. However, the resulting figures should be interpreted with the relevant assumptions in mind, as laid out below, and compared to the backward-looking assessments of benefits of the PSD2 open banking provisions as set out in the PSD2 evaluation. They should also be complemented with microeconomic assessments of the potential benefits of two specific use cases out of the larger number of use cases which will be enabled by the initiative, as set out in Annex 7.

The European Data Market Study 2021-2023 contains several reports that focus on the size and trends of the EU data market and data economy, including the number of data professionals, data companies and their associated revenues. It includes multiple indicators such as the skill gaps of data professionals, or the effect of the data economy on the GDP divided into different categories of impacts. Figure 6 shows the relationship between the Data Suppliers Companies’ Revenues, the European Data Market, and the European Data Economy.

Figure 1. Relationship of Data Market, Data Revenues and Data Economy

 Source: European Data Market Study

Data companies are organisations that are directly involved in the production, delivery, and/or usage of data in the form of digital products, services, and technologies. They can be both data suppliers’ and data users’ organisations.

Data companies’ revenues correspond to the aggregated value of all the data-related products and services generated by Europe-based data suppliers, including exports outside the EU.

The data market is the marketplace where digital data is exchanged as “products” or “services” as a result of the elaboration of raw data. The data market captures the aggregate value of the demand of digital data without measuring the direct, indirect, or induced impacts of data in the economy as a whole. The value of the data market is not exactly equal to the aggregated revenues of European data companies because it includes imports (data products and services bought on the global digital market from suppliers not based in Europe) and excludes the exports of the European data companies.

The data economy measures the overall impacts of the data market on the economy as a whole. It involves the generation, collection, storage, processing, distribution, analysis elaboration, delivery, and exploitation of data enabled by digital technologies. The data economy captures a wider concept than the data market only, as it considers the value and wealth generated in the economy as a whole (not just across businesses) by the exploitation of data.

The data economy includes three sets of impacts in the economy: the data companies revenues in the form of direct impacts on the economy, the indirect impacts (as backward and forward) and the induced impacts effects of the data market on the economy, as follows:

·The direct impacts are the initial and immediate effects generated by the data supplier companies; they represent the activity potentially engendered by all businesses active in the data production. The quantitative direct impacts will then be measured as the revenues from data products and services sold, i.e. the value of the data market. We consider the data market value as a good proxy of the direct impacts. Therefore, for the sake of simplicity, direct impacts will coincide with the value of the data market.

·The indirect impacts are the economic activities generated along the company's supply chain by the data supplier companies, considering input providers and customers of data supplier companies.

·The induced impacts include the economic activity generated in the whole economy as a secondary effect. Induced additional spending is generated both by new workers, who receive a new wage, and by the increased wage of existing jobs. This spending induces new revenues creation in nearly all sectors of the economy. The additional consumption will support economic activity in various industries such as retail, consumer goods, banks, entertainment, etc.

The European Data Strategy presented in 2020 describes Europe's vision to become a global leader in the data-agile economy and a leading role model for a society empowered by data to make better decisions in industry and government. The EU Data Market Study 2021-2023 introduces three possible scenarios until 2030, which are driven by a number of different conditions, with a particular emphasis on the role of policies. These 2030 scenarios outline different pathways of the evolution of the European data market and the data economy in the next three to eight years, exploring a different mix of factors and policy choices which may lead to achieving the EU’s ambitious objectives or, on the contrary lead to a setback. The scenarios are structured as follows:

·Baseline scenario: due to 2022 disruptive events (Ukraine war, COVID-19 resurgence in China, macroeconomic risks of stagflation), the current growth trends and framework conditions are substantially worsened, and their extrapolation leads to weaker 2025 indicators with consequent lower potential growth in 2030. Therefore, this scenario is characterised by a slower than previously foreseen growth of data innovation to 2025 followed by acceleration after 2025, a modest concentration of power in the hands of dominant data owners, a data governance mechanism that protects individual data rights, and unequal but relatively broad distribution of data innovation benefits across society.

·High growth scenario: a faster than expected resolution of international conflicts leads to improved economic conditions already by 2024-25 with faster growth than the Baseline from 2025 onwards. This scenario remains characterised by advanced data innovation and digital transformation across Europe and a globally recognised data framework. This is also characterised by global supply chains more integrated than before between Europe, neighbours such as Ukraine, the US, South Korea and Japan and a reduced dependency from China manufacturing by 2030.

·Challenge scenario, characterised by continuing geopolitical crisis (long Ukraine war followed by weak cease-fires rather than lasting peace) hard economic conditions (stagflation) up to 2025, with uncertain economic growth perspectives to 2030. This context results in strong disparities between countries with solid economies (US, Germany and France) continuing to invest in digital technologies with a moderate innovation level and development of the data market-data economy, and a growing gap with weaker economies and countries. This scenario is also characterised by fragmented data flows and low level of digital innovation by SMEs.

Notably, the factor that links these scenarios to the current initiative are their policy assumptions with respect to the implementation of the European strategy for data, including the European financial data space, of which open finance is a constitutive element.

For example, the challenge scenario assumes that the EU market for data remains fragmented with uneven data sharing, barriers and stakeholder’s reluctance to data sharing remain high, with only high performing enterprises and regions making progress. This unfavourable scenario envisages slower adoption of digital transformation and data-driven business models due to lower private investments, lower expectation of take-up of innovative services, as well as lack of trust and confidence in data sharing. The baseline scenario assumes that progress in the development of the new regulatory framework enhances data access and sharing in time, but the main effects are deployed at the end of the forecast period as the single market for data gradually emerges. The high growth scenario envisages fast progress with implementation of the European strategy for data, enhancing data access, sharing and re-use, achieving a level playing field and contributing to the effective single market for data.

For each of the three scenarios, the study mentions multiple categories of impacts through which the data landscape influences the economy: direct impacts, indirect impacts and induced impacts.

  Table 1. The estimated value of the EU data economy in 2030 across 3 scenarios ( EUR, billion )

 summarises the estimated value of the EU data economy in 2030 in the 3 different scenarios (challenge, baseline, high growth). The total value is estimated in billions of euros and broken down by the type of impact described above 213 . 

Table 1. The estimated value of the EU data economy in 2030 across 3 scenarios (EUR, billion)

Source: European Data Market Study, First Report on Facts and Figures, European Commission, 2022

The proposed methodology uses the impact of the data economy to compute the expected benefits of enhanced access to and sharing of data in the EU financial sector, under a set of assumptions.

First, it is assumed that there is no substantial change in the relative EU industry sizes and the share of financial sector over the total economy remains the same until 2030 214 . This allows us to estimate the relevant impacts specifically for the financial sector in Error! Reference source not found. .    

Table 2. The estimated value of the EU financial data economy in 2030 across 3 scenarios (EUR, billion)

Source: European Data Market Study, DG JRC calculations

Second, it is assumed that if the open finance regulation were to be implemented, either the high growth scenario or the baseline scenario would materialize, depending on the specific implementation. Otherwise, under a situation where the Commission takes no action, the challenge scenario would take place. Indeed, among the current regulatory and policy initiatives in the financial sector, open finance is the main key additional initiative aimed to promote additional data sharing (PSD3 consists of a finetuning of already existing access rights). To quantify the benefits, we look at the differences of corresponding impacts between the relevant scenarios. In order to get the lower bound for the expected benefits, we look at the difference between the challenge and the baseline scenarios, while in order to obtain the upper bound for the expected benefits, we evaluate the difference between the challenge and the high growth scenarios. Estimates are summarised in Error! Reference source not found. .

Table 3: The estimated annual benefits from enhanced access to and sharing of data in the EU financial sector (EUR, billion)

Source: data from European Data Market Study, DG JRC own calculations

Third, impact on the economy per industry is calculated according to the industry-relative ICT spending. The model applies a top-down approach where the output variables are estimated for the whole EU economy and consequently downscaled based on the sectoral ICT expenses. In finance, this might result in an underestimation of the actual value that the sector will extract.

According to these assumptions, the total estimated annual benefits for the EU economy produced by enhanced access to and sharing of data in the EU financial sector range between EUR 4.6 billion and EUR 12.4 billion. The relatively wide estimation margin is largely due to the uncertainty regarding the three scenarios used in the study and their effects on the data market. If the markets remain fragmented and data innovation remains at medium levels, we would see outcomes close to the lower bound of the range. If, however, the regulation manages to spark more competition, unify the currently fragmented infrastructure and provide benefits to a wide and socially diverse set of consumers, we should expect the actual benefits to be much closer to the upper bound.

The order of magnitude of these figures which cover the entire financial sector including banking, investments and insurance and pensions appear to be consistent with the assessment of the estimated annual benefits of EUR 1.6 billion from increased market access for third-party providers as a result of PSD2 implementation 215 , for payments alone and based on a different methodological approach.

As a result of this initiative, customers would benefit from wider choice of innovative services. Data holders would be obliged to put in place APIs, but would upgrade their IT infrastructure as a result and also obtain access to customer data held by other financial service providers. Data users would obtain effective access to customer data held by financial service providers where permitted by customers, enhancing business opportunities in innovative, data-driven services. In order to complement the macroeconomic estimates above and to illustrate such benefits at microeconomic level, reference is made to three specific use cases in Boxes 1, 2 and 3 presented in Annex 7, which are illustrative of the potentially manifold use cases of innovative services that can be expected to be built based on this initiative. It is estimated that the SME financing use case would result in additional EUR 2 billion in annual SME funding, whilst the investment advice use case has the potential of delivering annual savings of EUR 160 million by halving the time needed for carrying out the suitability and appropriateness testing of new clients. As explained in Box 2 of Annex 7 though, in addition and beyond these savings it is expected that the investment advice use case would generate much higher benefits for customers in terms of improved investment outcomes which are however difficult to quantify. Faster suitability and appropriateness testing would also facilitate switching and lower frictional costs thus increasing competition. It should be stressed that these are only three illustrative use cases to complement the macroeconomic analysis, and a more important number of such use cases can expected to be built, and additional benefits to be reaped from them.

Annex 5: Scope of Consumer Data under Policy Option B.2 (access to selected data sets)

This Annex sets out in greater detail how the scope of the option ‘selected data sets’ as described in Policy Option B.2 has been determined with respect to consumer data. Policy Option B.2 introduces data access rights for a selected set of data based on a clear benefit of customers (consumers and firms). The criteria for inclusion into the scope of the open finance framework is based on the objective of enhancing customer trust in data sharing (Specific Objective A) and the objective to oblige data holders to share customer data with data users (Specific Objective B). To fulfil these objectives, financial data sets that are in scope must demonstrate: (1) high value added and innovative potential and (2) low financial exclusion risk for customers.

The objective of the assessment in this Annex is to ensure that categories of personal data included in the scope of Option B.2 allow for innovative products to the benefit of consumers to be developed, while being least intrusive for data subjects in terms of limiting fundamental rights, notably the right to privacy and the protection of personal data 216 . In this respect the assessment leads to the reduction of the scope of data processing under this option, in areas deemed to unjustly limit fundamental rights to privacy and the protection of personal data in line with the proportionality and necessity principles 217 . Notably, a negative impact on fundamental rights is used as an exclusion criterion.

The financial data sets analysed in this annex were identified based on the results of the targeted consultation on open finance. The analysis also draws on the outcomes of the use case work conducted by the Expert Group on Financial Data Space 218 . Where relevant, additional sources are also used 219 . This Annex consists of two sections:

·Section 1 provides an overview of the preferred scope of consumer data based on the above-mentioned criteria.

·Section 2 provides a detailed analysis of the consumer data sets outlined in Section 1.

The purpose of this annex is to assess for key consumer datasets available in the financial sector (1) whether, based on stakeholder feedback, data sharing has the potential for innovative financial products to develop which would provide real benefits for consumers as data subjects, and (2) whether there are sector-specific exclusion risks arising from the use certain data sets. Other risks related to data access are cross-cutting and are therefore directly assessed in the wider strategic approach of Section 5 of this impact assessment. Data security and ICT/cyber risk, for example, are crosscutting issues. Safeguards against these risks are assessed in the policy options.

Section 1: Overview of the preferred scope of consumer data

In line with the overview provided by the table above, the financial data sets in the preferred scope of open finance include data on consumers’ holdings of savings accounts, securities accounts, investment-related insurance products, occupational pensions and personal saving plans that are all necessary to develop innovative financial services and products such as improved investment advice and investment management tools.

Section 2: Detailed analysis of consumer data in scope

1.Banking-related data

Banking-related consumer data consists of information on client accounts of consumers held by financial service providers (credit and savings account data, mortgages-related data). This includes data relevant to the risk and sustainability profile of such products, and data related to consumer mortgage account balances and payment history.

a)Value added & innovative potential for consumers

55% of respondents to the targeted consultation were in favour of introducing new data access rights 222  and 49% of respondents recommended covering banking-related data, including saving accounts, lending and mortgage products, with less than half of that (23%) opposing. These respondents are predominantly business representatives, as 86% of respondents to the targeted consultation represent either a company or business association.

When asked about the innovative potential of the sharing and reuse of data related to credit, savings, and mortgages, stakeholders – data users, data holders and consumer protection authorities - cited several key benefits for customers 223 :

-Better financial advice based on personal financial management dashboards, which could give a ‘holistic view’ of a customer’s financial situation.

-Personalised credit offers that fit a consumer’s needs and circumstances, in line with the sustainability of a consumer’s debt profile.

-Improved customer journey to access credit based on automated processing. Mortgages can be complex and time consuming: access rights would allow for automated processing that could reduce the burden for consumers to collect the information when choosing or comparing credit offers (mortgage amount, applicable fees and interest, required guarantee, etc).

b)Financial exclusion risk & necessary safeguards

The results of the targeted consultation on open finance indicates some scepticism about access rights to risk assessment data, i.e. credit risk (13%), although a large majority of respondents were also in favour of such access rights (71%).

Mortgages are highly regulated products 224 . However, not every consumer segment faces the same issues related to access to qualitative mortgage credit and therefore exclusion risks vary:

-introducing access rights to mortgage-related data may promote financial inclusion by creating a better overview of the financial profile of a customer which may increase access to finance for consumers, including those with ‘thin credit’ files 225 .

-introducing access rights to mortgage-related data may increase risks for financially vulnerable consumers 226 . The problem of loan arrears is common among vulnerable consumers, 227 and it is unclear if new services could allow access to cheaper credit at the expense of the ability of consumers to reimburse the credit. There may be situations where the underlying risks are higher to consumers due to possible over-indebtedness 228 . 

Moreover, mortgages as a particular type of credit market for consumers is particularly sensitive – as outlined by EDPS in its opinion on the consumer credit directive 229 . Some stakeholders caution that the combination of mortgage credit with other financial services (insurance products, payment accounts) also increases complexity and can lead to unfair discrimination 230 . Standard mortgage credits for a consumer may contain sensitive personal data. Given the significant consequences for consumers, it is appropriate that necessary safeguards are in place 231 . 

c)Result of assessment:

Credit and savings account data: in scope. Introducing access rights related to savings and credit account data (e.g. balance and transaction information) could bring benefits to the consumer. However, a consumer’s data related to creditworthiness assessments should be out of scope, given financial exclusion risks (see subsection on CWA-related data).

Mortgages-related data: in scope. Introducing access rights related to mortgage account balances could bring benefits to the consumer. Clear safeguards, such as personal data use perimeters that specify when mortgage-related data should be used for the different types of use cases, would delineate appropriate use of data.

2.Data required for creditworthiness assessments

CWA-related data consists of information collected and held by credit institutions during a loan application process for consumers.

a)Value added & innovative potential for customers

Introducing access rights to CWA-related data related to consumers could promote financial inclusion by opening up access to finance to customers that lack extensive financial history 232 .

b)Possible financial exclusion risks

CWA-related data of a consumer are out of scope. Use of such data may create risks for consumers to be targeted with unfair or discriminatory credit offers (e.g. high cost payday loans). As noted in the Consumer Credit Directive, and as stated in the EDPS opinion on the review of the Consumer Credit Directive, unfair practices can misuse personal data in the field of consumer credit, which may have a detrimental impact on the ability of consumers to obtain fair access to credit 233 . 

c)Conclusion

CWA-related data of a consumer. Out of scope. This data would fall out of scope of the open finance framework to in order to safeguard consumers from being targeted with unfair or discriminatory credit offers.

3.Investment-related data

Investment-related data consists of securities account data of consumers; investor profile data of an individual consumer for the purposes of a suitability and appropriateness assessment, and insurance-based investment products.

a)Value added & innovative potential for customers

Open finance could enable a portfolio-centric approach to investment advice. Enabling data to be shared between financial intermediaries with the customer’s permission could prove to be an important element of the customer-centric and portfolio focused approach to investing. 49% of respondents to the targeted consultation were in favour of new data access rights to securities accounts and financial instruments holdings, whereas less than half of that (23%) spoke out against. The majority of respondents (55%) from those who replied and had an opinion 234  believe that access should be granted to all data on all investments. More specifically, the majority of respondents (64%) from those who answered and had an opinion 235 believe that financial intermediaries and other third-party service providers should be able to access data on customers’ current investments. These respondents are predominantly business representatives, as 86% of respondents to the targeted consultation represent either a company or business association.

When asked about the innovative potential of the sharing and reuse of investment-related data – data users, data holders and consumer protection authorities - cited several key benefits for customers:

-Better investment advice and improved investment outcomes based on a clear understanding of customer’s knowledge and experience, financial situation and needs and objectives when investing. 236  

-Improved customer journey to access credit based on automated processing, which can significantly reduce the time required for a consumer to collect information required to complete sustainability and appropriateness assessments.

-Better investment management tools, which would provide an overview of all the assets of a consumer, including information needed for risk profiling. Personal finance management tools are already being developed in the market today but could develop more effectively in the context of greater access to investment-related data.

a)Possible financial exclusion risks

As with other sectors, there is a risk of misuse due to increased data sharing. Insurance-based investment products are a simple version of life contracts that contain personal data. Investor profile data also contains personal data. Clear information tools would also be needed to ensure enable customers to control the use of their data and keep track of whom they have granted access to more effectively. Markets participants would need to adhere to existing guidelines 237 . 

b)Conclusion

Securities account data and investment profile data of a consumer: in scope, given the benefits in terms of better investment advice and investment management tools.

Insurance-based investment products of a consumer: in scope. However, a consumer’s data related to other insurance products on medical and health insurance should be out of scope, given financial exclusion risks (see subsection on insurance).

4.Insurance-related data

Insurance is a key part of a consumer’s personal finances and cashflow, and a significant part of retail costs for households. Insurance-related data consist of data on consumers’ investment-related insurance products, life insurance, and nonlife insurance products that could be used to develop innovative financial services and products such as improved investment advice and investment management tools.

a)Value added & innovative potential for customers

49% of respondents to the targeted consultation were in favour of introducing new data access rights 238 related to insurance and pension products should be covered by new data access rights, while only half of that (25%) opposed. These respondents are predominantly business representatives, as 86% of respondents to the targeted consultation represent either a company or business association.

When asked about the innovative potential of the sharing and reuse of data related to insurance, stakeholders – data users and data holders - cited several key benefits for customers:

-Easier onboarding evaluation

-The development of personalised tools for consumers, such as insurance and financial management dashboards. This could help consumers better manage their risks, get better prices and assist in the avoidance of double insurance or underinsurance.

-Easier switching

-Greater transparency

-Better comparative services that match a consumer with more appropriate insurance products that can decrease risks in personal finance.

From EIOPA's perspective, useful use cases could include pricing and underwriting, claims management, product comparison, or new forms of advisory services. 239 This would benefit consumers through increased transparency and efficiency, better-tailored products and giving consumers a better understanding of risks, which could allow them to select more appropriate insurance products. The majority of respondents to the EIOPA consultation (consumers and insurance-related stakeholders) confirmed these benefits 240 .

b)Possible financial exclusion risks

Open finance products and insurance could also help to reach new consumers and work against financial exclusion, e.g. by offering new/increased coverage 241 . However, more data use can, in some cases, also lead to a risk of higher cost or even further exclusion of customers with an unfavourable risk profile. Particular attention needs to be paid to services with inherent risk mutualisation of insurance, and how the personalisation of products may affect this model. Given the nature of sensitive personal data, overall risks around health data, for example, would be more severe 242 . Access to most forms of life insurance as well as health and medical data may make it difficult to protect clients who do not get insurance or have to pay unreasonably high insurance premiums due to their ‘unfit’ risk profile 243 .

c)Conclusion

Data on health and medical insurance products related to accident and sickness as outlined in Annex I (non-life insurance) and Annex II (life insurance) to Directive 2009/138/EC: out of scope. Scoping out high-risk data sets, such as data related to life and medical insurance, will act as a safeguard to limit the impact on fundamental rights.

Data relating to other insurance products listed in Annex II to Directive 2009/138/EC: in scope. Strong potential for innovative products.

5.Pensions-related data

Pensions is a key part both of social protection and a consumer’s personal finances. Public pensions are not a financial product and are therefore not covered by this initiative. Beyond public pensions, pensions-related data consists of data on customer savings and products related to occupational and personal pensions that could be used to develop innovative financial services and products such as improved investment and savings advice and, in case of personal pensions, investment management tools. This includes savings in pension funds, insurance-based pension products or other financial vehicles with the primary purpose of retirement saving.

Data on insurance and pension products related to consumers held by financial service providers, including:

·For occupational pensions: institutions for occupational retirement provision (IORPs) 244

·For personal pensions: financial undertakings authorised to manufacture and distribute Pan European Pension Products (PEPP providers);

·For occupational and personal pensions, life and non-life insurance undertakings activity in scope of Solvency II 245 ;

·Other financial undertakings involved in occupational or personal pension products regulated at national level.

a)Value added & innovative potential for customers

49% of respondents to the targeted consultation were in favour of introducing new data access rights 246 related to insurance and pension products should be covered by new data access rights, while only half of that (25%) opposed. These respondents are predominantly business representatives, as 86% of respondents to the targeted consultation represent either a company or business association.

In terms of value added and innovative potential for customers related to increased access to pensions data, stakeholder feedback from pension providers from the targeted consultation 247 and the analysis of the Expert Group on European Financial Data Space, cited several key benefits for customers:

-Personal finance management tools and investment advice: data related to retirement income and pension entitlement is an important part of a customer’s financial profile, and asset managers could include these to provide consumers with a holistic overview of assets. Having access to pension-related data could provide more holistic overview of an individual’s saving situation and thus enable improved investment advice and investment management tools.

-Pension tracking: open finance can help develop pension tracking tools that provide savers with a comprehensive overview of entitlements and retirement income both within specific Member States and cross-border in the Union in terms of occupational and personal pension savings. Pension tracking tools play an important role for consumers in projecting retirement income and stimulating financial awareness and planning. 248 The majority of all professional respondents to the targeted consultation indicated that pension tracking tools that provide a comprehensive overview of entitlements would be beneficial for retail customers (54%). 249   

-Improved user friendliness of pension services that require data from several pension providers; by reducing the manual collection of information. This also includes pension investment tracking on behalf of pension participants and enhanced communication with pension participants regarding the ESG impact of these investments.

In line with the above, individual stakeholders argue that websites comparing personal pension products and pension tracking services could ‘provide transparency on pension entitlements’ and could ‘support people’s retirement planning process’ by providing a consolidated overview of an individuals’ retirement assets. 250

b)Possible financial exclusion risks

Appropriate action is needed to further improve complementary retirement savings without, however, calling into question the major importance of social security pension systems in terms of secure, durable and effective social protection, which should guarantee a decent standard of living in old age and should therefore be at the centre of the objective of strengthening the European social models. 251  

The impact of introducing access rights depends on the type of pension data. Notably any opening of data must respect collective agreements and social rights.

-Public pensions form part of social security and are administrative data. Member States should retain full responsibility for the organisation of their pension systems as well as for the decision on the role of institutions providing occupational pensions. 252 The assessment of the benefits of sharing data on public pensions therefore rest with the Member States, as public pensions are beyond the scope of this initiative which targets financial intermediaries.

-Occupational pensions are distinct financial market products, as they are embedded in social and labour law of Member States and often based on collective bargaining. Any opening of data should take into account the outcomes of collective bargaining agreements. Occupational pensions are not contracted individually by consumers and therefore the use of data does not involve financial exclusion risks.

-Personal pension products: Such products are financial products which supplement public and occupational pensions and have the objective to ensure retirement income beyond basic pension needs. In the cases of complex products (e.g. pension), switching between products and/or services could on one hand help consumers make effective use of these services and make responsible choices that meet their expectations. On the other hand, it could also give rise to potential risks, such as misleading/wrong financial advice and in worst case misselling of products to the customer/consumer. Pension products are not always directly comparable with products offered by another financial institution. Some stakeholders in the pensions sector argue that switching can potentially have negative consequences for the customer /consumer. 253 Data about consumers’ actual pension holdings based on existing contracts on the other hand would involve little financial exclusion risks.

Pensions data can contain sensitive personal data of consumers. The type of consent required for processing of this information may need to rely on Article 9 GDPR.

c)Conclusion

-Data related to a consumer’s public pensions: out of scope. Public pensions fall under exclusive national competence as recognised by the Treaties.

-Data related to a consumer’s occupational pensions: in scope. Occupational pensions plays a significant role in the wealth profile of a consumer. Knowing this data could provide more holistic overview of an individual’s saving situation and thus enable improved investment advice and investment management tools. Introducing access rights to data related to occupational pensions is without prejudice to national social and labour law on the organisation of pension systems, including membership of schemes and the outcomes of collective bargaining agreements. 254 With regard to costs, mitigating measures will support SMEs as data holders (see Annex 8).  

-Pension risk assessment and other enriched data in relation to personal pensions related to a consumer: out of scope, as these data may involve financial exclusion risks.

-Other data in relation to personal pensions related to a consumer, in particular data about consumers’ actual pension holdings based on existing contracts: in scope, as these data are unlikely to lead to an exclusion, and have a high potential for pension tracking and investment advice products.