The European Commission will present, on 28 June, its proposal for a regulation on a framework for business-to-business and business-to-customer financial data access.
The Commission’s text – a copy of which EUROPE has obtained – sets out a number of rules for data holders. They should make the customer’s data available on request. The text is in full alliance with the General Data Protection Regulation (GDPR). Data users may only use the data for the purposes and under the conditions agreed with the customer.
The document details a broad list of affected entities, such as investment firms, crypto-asset service providers, alternative investment fund managers, management companies, undertakings for collective investment in transferable securities (UCITS) and insurance and reinsurance undertakings and intermediaries.
Institutions for occupational retirement provision, credit rating agencies and providers of crowdfunding services would also be affected, as would credit and payment institutions.
The text should also provide guidance to companies on how to ensure that there will be no discrimination or restrictions on access to services. Particular emphasis is placed on guarantees to ensure that customers who refuse to provide their data are not denied access to financial products solely on the grounds of their refusal.
Dashboards and Transparency Register
Dashboards for access authorisations to financial data should also be introduced so that customers can control their access authorisations by having an “overview” of them.
Data falling within the scope of the text can only be made available to members of a financial data sharing system, making the existence of such systems and membership of them compulsory. These systems, the document explains, would bring together data holders, data users and consumer organisations. Standards would be developed for data and interfaces, and coordination mechanisms for the operation of financial data access authorisation dashboards would be put in place.
Still on the subject of governance, the Commission is proposing that data-sharing systems be notified to the competent authorities and that, for the purposes of transparency, they be granted “a passport for operations throughout the Union”. A register of financial information service providers and data sharing systems would be created and maintained by the European Banking Authority (EBA).
Fines of up to €500,000 for legal entities
For their part, the Member States will be obliged to designate the competent authorities for the purposes of the regulation. They will have the power to conclude settlement agreements and accelerated enforcement procedures, and to impose administrative penalties.
For an individual, these penalties could be up to €25,000 per offence and a maximum of €250,000 per year. Any member of the management body of the service provider in question could be temporarily banned from practising. In the event of infringement, a ban of at least 10 years could be imposed.
For legal entities, the Commission is proposing that penalties could be as high as €50,000 per infringement – up to a total of €500,000 per year – or 2% of annual turnover, based on the most recent financial statements approved by the management body.
See the document: https://aeur.eu/f/7lj (Original version in French by Thomas Mangin)