This document is an excerpt from the EUR-Lex website

Document 52024AB0029

OPINION OF THE EUROPEAN CENTRAL BANK of 30 August 2024 on a proposal for a regulation on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (CON/2024/29)

OJ C, C/2024/5923, 2.10.2024, ELI: http://data.europa.eu/eli/C/2024/5923/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Official Journal
of the European Union

EN

C series


C/2024/5923

2.10.2024

OPINION OF THE EUROPEAN CENTRAL BANK

of 30 August 2024

on a proposal for a regulation on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554

(CON/2024/29)

(C/2024/5923)

Introduction and legal basis

On 28 June 2023 the European Commission adopted a proposal for a regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (1) (hereinafter the ‘proposed regulation’). The European Central Bank (ECB) considers that the proposed regulation falls within its scope of competence and has therefore decided to exercise its right, as provided for in Article 127(4), second sentence, and in Article 282(5) of the Treaty on the Functioning of the European Union, to adopt an own initiative opinion on the proposed regulation.

The ECB’s competence to deliver an opinion is based on Articles 127(4) and 282(5) of the Treaty on the Functioning of the European Union, since the proposed regulation contains provisions affecting the ECB’s tasks concerning prudential supervision of credit institutions under Article 127(6) of the Treaty. In accordance with the first sentence of Article 17.5 of the Rules of Procedure of the European Central Bank, the Governing Council has adopted this opinion.

1.   General observations

1.1. The proposed regulation is an important component of the European strategy for data (2). The establishment of a robust legal framework for the management of customer data sharing in the financial sector beyond payment accounts aims to enable customers, individual consumers and businesses to access personalised, data-driven products and services that better meet their specific needs. The ECB welcomes the objective of the proposed regulation with regard to introducing a framework for access to and use of customer data. This should promote innovation, make financial services more competitive and give customers more control over their own financial data. The proposal could also contribute to the development of the Capital Markets Union to the extent that it encourages providers to offer a broader range of services that are better tailored to customers’ needs and to lower fees as the marketplace becomes more competitive.

1.2. The proposed regulation adopts a customer-focused approach by providing tools that allow for control over customer financial data. In this respect, the proposed regulation grants customers the right to request that data holders (3) share customer data with data users (4) for the purposes and under the conditions specifically permitted by the customers (5), thus ensuring that data sharing always follows the customer’s granting of permission for such data sharing. To this end, the proposed regulation imposes obligations on data holders to provide such access (6) and to provide customers with financial data access permission dashboards (7) that allow them to monitor and manage the permissions they have granted. This set of rules, which is designed to enhance transparency and customer trust in the data-sharing process, is complemented by additional safeguards. These include ensuring responsible data handling by restricting access to customer data to already authorised financial institutions and to newly authorised financial information service providers (8), which constitute a new category of service providers (9). Moreover, the European Banking Authority and the European Insurance and Occupational Pensions Authority, in cooperation with the European Data Protection Board, are required to develop targeted guidelines establishing a data use perimeter that protects the consumer against unfair treatment or exclusion risks (10). Additionally, the proposed regulation requires the standardisation of customer data and establishes requirements for creating and governing financial data sharing schemes to streamline data sharing and to ensure a level playing field by developing a contractual framework for access, transparency, compensation, liability, and dispute resolution. The proposed regulation also requires competent authorities to assess compliance with these governance requirements (11).

1.3. The ECB notes that the customer data that data holders are obliged to provide to data users upon request from a customer may include data on mortgage credit agreements, loans and accounts, except payment accounts, as well as data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating (12). Data collected pursuant to Regulation (EU) 2016/867 of the European Central Bank (ECB/2016/13) (13) (hereinafter the ‘AnaCredit Regulation’) that have been shared with credit institutions via the feedback loop mechanism on the basis of Article 11 of the AnaCredit Regulation must not be further shared with data users on the basis of Articles 4 and 5 of the proposed regulation. Such sharing would contravene Article 11(1) of the AnaCredit Regulation, which restricts the use of this data exclusively to the management of credit risk by the credit institutions and improving the quality of credit information, expressly prohibiting its disclosure to other parties except in certain restricted circumstances. Therefore, the ECB would welcome an explicit statement in the proposed regulation to clarify that the data shared with credit institutions via the feedback loop mechanism on the basis of Article 11(1) of the AnaCredit Regulation are excluded from being shared with customers or data users under Articles 4 and 5 of the proposed regulation.

1.4. The proposed regulation requires Member States to designate the competent authorities responsible for carrying out the functions and duties provided for in it (14). With reference to financial institutions, the proposed regulation identifies as competent authorities those specified in Article 46 of Regulation (EU) 2022/2554 of the European Parliament and of the Council (15) (hereinafter ‘DORA’) (16). The competent authorities are to ensure compliance with the proposed regulation in accordance with the powers granted by the proposed regulation and by the respective legal acts listed in Article 46 of DORA (17), which provides that compliance with DORA is to be ensured for credit institutions classified as significant in accordance with Article 6(4) of Council Regulation (EU) No 1024/2013 (18) (hereinafter the ‘SSM Regulation’) by the ECB in accordance with the powers and tasks conferred by the SSM Regulation (19). It is crucial to note that DORA focuses on operational resilience, while the primary focus of the proposed regulation is consumer protection, and this difference may necessitate different competencies.

1.5. Against this backdrop, the ECB’s role under the proposed regulation, in terms of its prudential supervisory competence, should be clarified (see paragraph 2).

2.   Clarification of the ECB’s supervisory competence

2.1. The proposed regulation provides that the ECB supervises significant credit institutions’ compliance with it. The ECB is concerned that the proposed regulation thereby assigns to the ECB supervisory tasks which are not prudential in nature, but rather relate to consumer protection. This would be inconsistent with the fact that the Council may unanimously confer only specific tasks relating to prudential supervision on the ECB under Article 127(6) of the Treaty. Accordingly, the SSM Regulation assigns to the ECB, for prudential supervisory purposes, the task of ensuring compliance by significant credit institutions with all relevant Union acts, which impose requirements on credit institutions to have in place, inter alia, robust risk management processes and internal control mechanisms (20). The ECB’s prudential supervisory role in this respect is limited to ensuring that credit institutions implement policies and processes to evaluate and manage their exposure to prudential risks, including risks related to different aspects of banks’ business models, governance, and operational risks. These tasks are assigned to the ECB to ensure the safety and soundness of credit institutions and the stability of the financial system (21). Therefore, the ECB may be considered a competent authority only insofar as is necessary for it to carry out the tasks conferred on it under the Treaty and the SSM Regulation (22).

2.2. The proposed regulation pursues the objective of consumer protection and not of ensuring the safety and soundness of credit institutions. It does so (1) by setting out rules on the sharing of and access to customer’s financial data, and (2) by seeking to ensure that these rules meet the requirements and obligations needed to increase control and transparency. Consequently, supervising significant credit institutions’ compliance with the requirements set out in the proposed regulation falls outside the scope of the ECB’s prudential supervisory competences under the Treaty and the SSM Regulation. This conclusion aligns with recital 28 of the SSM Regulation, which clarifies that consumer protection is not among the supervisory tasks conferred on the ECB and remains within the remit of national authorities. Therefore, the text of the proposed regulation should unambiguously clarify that the ECB is not designated as competent authority entrusted with any consumer protection tasks (23), including in its role as consolidating supervisor (24).

2.3. Nonetheless, the ECB emphasises the need to provide a clear legal basis to ensure cooperation (25), including facilitating relevant information exchanges between the ECB and the competent authorities designated under the proposed regulation. This is in line with recital 29 of the SSM Regulation, which specifies that the ECB should cooperate, as appropriate, fully with the national authorities which are competent to ensure a high level of consumer protection.

2.4. On that basis, the ECB suggests that Articles 3(4) and 17(4), Article 18(1), point (b)(v), and Article 26(1) of the proposed regulation should be amended to ensure that the ECB’s competences under the proposed regulation reflect the tasks conferred on it by the Treaty and the SSM Regulation.

Where the ECB recommends that the proposed regulation is amended, specific drafting proposals are set out in a separate technical working document accompanied by an explanatory text to this effect. The technical working document is available in English on EUR-Lex.

Done at Frankfurt am Main, 30 August 2024.

The President of the ECB

Christine LAGARDE


(1)  COM(2023) 360 final.

(2)  COM(2020) 66 final.

(3)  See Article 3, point (5), of the proposed regulation.

(4)  See Article 3, point (6), of the proposed regulation.

(5)  See Article 3, point (2), and Article 5 of the proposed regulation.

(6)  See Articles 4 and 5 of the proposed regulation.

(7)  See Article 8 of the proposed regulation.

(8)  See Article 6 of the proposed regulation.

(9)  See Articles 12 to 14 of the proposed regulation.

(10)  See Article 7 of the proposed regulation.

(11)  See Articles 9 and 10 of the proposed regulation.

(12)  See Article 2(1), points (a) and (f), and Articles 4 and 5 of the proposed regulation.

(13)  Regulation (EU) 2016/867 of the European Central Bank of 18 May 2016 on the collection of granular credit and credit risk data (ECB/2016/13) (OJ L 144, 1.6.2016, p. 44).

(14)  See Article 17(1) of the proposed regulation.

(15)  Regulation (EU) No 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).

(16)  See Article 17(4) of the proposed regulation.

(17)  See Article 17(4) of the proposed regulation.

(18)  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

(19)  See Article 46, point (a), of DORA.

(20)  See Article 4(1), point (e), of the SSM Regulation.

(21)  See recital 30 of the SSM Regulation.

(22)  The observation that only prudential supervisory tasks can be assigned to the ECB is without prejudice to the possibility for the Member States to assign the supervisory tasks set out under the proposed regulation to national prudential authorities.

(23)  See paragraph 2 of Opinion CON/2021/40 of the European Central Bank of 29 December 2021 on a proposal for a regulation laying down harmonised rules on artificial intelligence (OJ C 115, 11.3.2022, p. 5).

(24)  See Article 18(1), point (b)(v), of the proposed regulation.

(25)  See paragraph 3 of Opinion CON/2022/4 of the European Central Bank of 16 February 2022 on a proposal for a regulation establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (OJ C 210, 25.5.2022, p. 5).


ISSN 1977-091X (electronic edition)

