Key points to consider for the FiDA (the Financial Data Access regulation) implementation


The regulatory landscape is constantly evolving and becoming increasingly complex for financial institutions to navigate. This article focuses on the practical implications of implementing the Financial Data Access regulation (FiDA) and on what financial institutions should consider for their IT systems. Luxat is not a law firm, so this article concentrates on the IT implementation challenges rather than on legal interpretation.

FiDA can be viewed as an extension of PSD2 (Payment Services Directive 2), with broader requirements for sharing financial information with approved data users. While PSD2 enables third-party applications to access account balances and execute payments, FiDA mandates the sharing of additional data, such as security positions, loan conditions, and savings accounts, whenever a customer provides consent. Importantly, access to this data must be withdrawn immediately if the customer revokes their consent.

  1. Developing New APIs to Share Data as Mandated by FiDA
  2. Implementing Financial Data Access Permission Dashboards
  3. Ensuring 24/7 Infrastructure Availability
  4. Verifying Data User Insurance Policies

Developing New APIs to Share Data as Mandated by FiDA

Article 2 of FiDA outlines the scope of data that must be shared. In addition to account balances and payments, banks must also provide access to mortgage information, portfolio positions, and savings account details. This will necessitate significant IT development to ensure these data points are accessible via APIs to external providers.

Banks will need to conduct a thorough analysis of their databases to identify and retrieve the necessary data. New APIs must be created to allow external providers to access this information. It is crucial that these APIs are configured to share only the data that the customer has explicitly consented to, as outlined in Article 7. Furthermore, only data necessary for the intended processing should be transmitted.

Implementing Financial Data Access Permission Dashboards

One of the central requirements of FiDA is the creation of a permission management dashboard within e-banking platforms. This dashboard will enable clients to view a summary of the data being shared and with whom. Clients must be able to revoke or re-establish permissions easily from this interface.

Given the complexity of this feature, it will likely need to integrate closely with the bank's core banking system. This integration will ensure that data access permissions are accurately reflected and updated in real time, so that a revocation on the dashboard takes effect on the API without delay.

Ensuring 24/7 Infrastructure Availability

FiDA's requirements extend beyond data sharing; they also mandate continuous availability of the APIs. This is particularly impactful for private banks, as retail banks have already addressed this challenge under PSD2. Although short outages (e.g., during patch deployments or end-of-day processing) are common today, FiDA requires that your APIs remain accessible to external requests at all times.

To meet this demand, banks may need to invest in clustered server infrastructures that provide high availability and load balancing. While this will increase costs and maintenance requirements, it also offers a significant opportunity to improve performance and reliability. Additionally, it is essential to ensure that all middleware, such as JBoss, is upgraded to the latest versions to support modern clustering and failover capabilities.

Verifying Data User Insurance Policies

Article 12, Point 3 of FiDA mandates that all data users (e.g., third-party service providers) have insurance coverage to protect against unauthorized or fraudulent access to, or use of, customer data. This insurance must cover the following:

• The liability arising from unauthorized or fraudulent data access or use.
• The value of any excess, threshold, or deductible from the insurance or comparable guarantee.
• Ongoing monitoring of the insurance coverage or comparable guarantee.

As a data holder, it is crucial to verify that each data user has adequate insurance coverage before granting them access to customer data. This verification should include ensuring that the coverage amount is sufficient to mitigate the risks associated with data sharing.

For further guidance on FiDA requirements, do not hesitate to contact Luxat via: info@lux-at.com.
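The three controls discussed above (consent-scoped APIs that return only the categories the customer agreed to, a permission register that the dashboard reads and that revocation updates immediately, and an eligibility check on the data user's insurance before any data is released) can be combined into a single access gate in front of the data-sharing API. The following Python sketch is an added example and is not code from the original article or from Luxat; the category names, the record layout, the sample customer records and the minimum coverage amount are assumptions chosen for illustration, not values taken from the regulation.

```python
"""Consent-scoped data access gate for a FiDA-style data-holder API.

Added example, not from the original article or from Luxat. Category names,
record layout, sample records and MIN_COVERAGE_EUR are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Data categories the holder exposes over its API (assumed names).
CATEGORIES = {"accounts", "payments", "mortgages", "portfolio", "savings"}

# Minimum coverage the holder requires before onboarding a data user
# (assumed threshold; the article does not state an amount).
MIN_COVERAGE_EUR = 1_000_000

# Fixed clock values so the scenario below is reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
POLICY_END = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed sample records for one customer (placeholder values, not real).
SAMPLE_RECORDS = {
    "accounts": {"iban": "LU00 TEST 0000 0000 0000", "balance_eur": 1234.56},
    "savings": {"rate_pct": 2.1, "balance_eur": 50000.0},
    "portfolio": {"positions": [{"isin": "XX0000000000", "qty": 10}]},
    "mortgages": {"outstanding_eur": 250000.0, "rate_pct": 3.4},
}


@dataclass
class DataUser:
    """A third-party data user plus the insurance details the holder verified."""
    user_id: str
    insured: bool
    coverage_eur: int
    insurance_valid_until: datetime


@dataclass
class Consent:
    """One customer's permission for one data user, limited to categories."""
    customer_id: str
    data_user_id: str
    categories: Set[str]
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.revoked_at is None


class ConsentStore:
    """In-memory consent register shared by the API and the dashboard."""

    def __init__(self) -> None:
        self._consents: List[Consent] = []

    def grant(self, customer_id: str, data_user_id: str,
              categories: Set[str], now: datetime) -> Consent:
        unknown = set(categories) - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        consent = Consent(customer_id, data_user_id, set(categories), now)
        self._consents.append(consent)
        return consent

    def revoke(self, customer_id: str, data_user_id: str, now: datetime) -> int:
        """Revoke every active consent for this pair; returns the count revoked."""
        revoked = 0
        for c in self._consents:
            if (c.customer_id == customer_id and c.data_user_id == data_user_id
                    and c.active()):
                c.revoked_at = now
                revoked += 1
        return revoked

    def active_for(self, customer_id: str, data_user_id: str) -> Optional[Consent]:
        for c in self._consents:
            if c.customer_id == customer_id and c.data_user_id == data_user_id and c.active():
                return c
        return None

    def dashboard(self, customer_id: str) -> List[dict]:
        """Summary for the e-banking dashboard: who sees which categories."""
        return [{"data_user": c.data_user_id,
                 "categories": sorted(c.categories),
                 "status": "active" if c.active() else "revoked"}
                for c in self._consents if c.customer_id == customer_id]


def data_user_eligible(user: DataUser, now: datetime) -> bool:
    """Insurance gate: insured, coverage at least the threshold, policy not lapsed."""
    return (user.insured and user.coverage_eur >= MIN_COVERAGE_EUR
            and user.insurance_valid_until > now)


def serve_request(customer_id: str, user: DataUser, requested: Set[str],
                  store: ConsentStore, records: Dict[str, dict],
                  now: datetime) -> Dict[str, dict]:
    """Return only the requested categories the customer currently consents to.

    Raises PermissionError when the data user fails the insurance check or no
    active consent exists, so a revocation stops data flow on the next call.
    """
    if not data_user_eligible(user, now):
        raise PermissionError(f"data user {user.user_id} fails insurance check")
    consent = store.active_for(customer_id, user.user_id)
    if consent is None:
        raise PermissionError("no active consent")
    allowed = set(requested) & consent.categories  # data minimisation
    return {cat: records[cat] for cat in allowed if cat in records}


def demo():
    """Grant, serve, revoke: returns (shared data, dashboard, blocked-after-revoke)."""
    store = ConsentStore()
    tpp = DataUser("tpp-budget-app", True, 2_000_000, POLICY_END)
    store.grant("cust-1", tpp.user_id, {"accounts", "savings"}, NOW)
    # Portfolio is requested but not consented to, so it is filtered out.
    shared = serve_request("cust-1", tpp, {"accounts", "savings", "portfolio"},
                           store, SAMPLE_RECORDS, NOW)
    store.revoke("cust-1", tpp.user_id, NOW)
    try:
        serve_request("cust-1", tpp, {"accounts"}, store, SAMPLE_RECORDS, NOW)
        blocked = False
    except PermissionError:
        blocked = True
    return shared, store.dashboard("cust-1"), blocked


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the API never consults the consent store through a cache: `serve_request` looks up the active consent on every call, so the dashboard's revoke and the API's filter are views of the same record and there is no window in which revoked data continues to flow. In a production system the in-memory list would be the core banking system's consent table, and `data_user_eligible` would be backed by the holder's onboarding checks of the data user's insurance or comparable guarantee.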