FiDA Regulation and Financial Secrecy

The Regulation of the European Parliament and of the Council on the framework for access to financial data and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) 1095/2010 and (EU) 2022/2554 (FiDAR) will impose new obligations on financial institutions. These relate to the provision of data on certain types of customer contracts to financial information service providers (FISPs) or other financial institutions. At the same time, financial institutions remain obliged under national regulations to maintain secrecy in respect of a significant part of their activities.
As such, EU regulations do not require implementation and are directly applicable in Member States from the moment they come into force. However, given the stringent provisions of national law regarding the protection of secrecy in the financial market, if the contents of the FiDAR are adopted in their current form, amendments to national laws may be necessary to allow access to data covered by secrecy. This is particularly important because it is an unfortunate practice of the national legislator to delay aligning national law with directly applicable EU law (for example, the prolonged work on laws aligning the national legal order with the DORA or MiCA Regulations). If FiDAR begins to apply before national norms have been amended, financial institutions may be faced with the dilemma of whether it is permissible to waive secrecy in favour of FISPs or other financial institutions.
As a general rule, the sharing of information with customers receiving financial services, to the extent that the information concerns them (e.g. sharing data with an insured, a payment service user, or a bank customer), is excluded from the secrecy obligation. However, FiDAR considers a twofold approach to the data-sharing model:
- firstly, data will be able to be made available directly to the customer upon request (such a situation will be explicitly covered by already existing national legislation in the financial market),
- secondly, however, according to one version of FiDAR, a FISP or financial institution will be able to access customer data when acting on behalf of that customer (similar to open banking services – AIS).
The latter case may prove problematic in the absence of corresponding changes made to some national laws.
By way of comparison, it is worth pointing out that while the provisions of the Polish Banking Law provide for the possibility of providing information covered by secrecy to third parties (with the consent of the person to whom the information relates), the provisions of the Act on Insurance and Reinsurance Activity limit that right to explicitly designated entities. The general principles concerning the data subject’s right to dispose of data may be considered a basis for providing data to a third party not explicitly mentioned in the legislation as well. However, in the absence of an explicit provision, such a situation may prove problematic for insurance companies in practice.
Moreover, while the provisions of the Banking Law accept the disclosure of information about the client to third parties with the client's consent, they require that the granted consent be verified every time. Given the anticipated mass scale of the FIS service provided on the basis of FiDAR, such an obligation may become highly onerous for banks.
As can be seen from this brief overview, the adoption of FiDAR will present several challenges, including those related to the processing of sensitive information. The role of the legislator will be to adapt national legislation to the requirements of FiDAR to ensure that, on the one hand, customer data is protected from unauthorised access and, on the other hand, the ability of financial institutions and FISPs to take advantage of the possibilities envisaged by the new legislation is not paralysed.