A Vision of the Future

To make FiDA work smoothly, the ecosystem will need common identity and verification infrastructure and shared standards including:

1. A Central European Registry

The EBA is tasked with maintaining central registers of all PSD3, PSR & FiDA authorised entities; however, it should be noted that the EBA does not take liability for the data in the registers, its quality, consistency or timeliness of updated information. It will not provide the fine-grained mapping between Data Holders’ and FISPs’ membership of relevant FiDA schemes. This means there is no single source of “truth” that European financial institutions can reference to understand the validity of a FISP’s licence, its passporting permissions for specific jurisdictions and the FiDA scheme(s) of which it is a member.

2. Linking regulatory authorisation to strong digital identity certificates (eIDAS)

Linking regulatory authorisation to strong digital identity certificates would enable a data holder to automatically verify a TPP’s identity when it connects to an API. However, unlike under PSD2, certificates should be used solely for what they are designed to provide: cryptographic proof of identity, not proof of regulatory status or permissions.

Authorisation, regulatory permissions and Scheme(s) membership are dynamic: they can be granted, amended, restricted, suspended, or withdrawn over time. Embedding those permissions into a certificate at the point of issuance creates a static snapshot that can quickly become inaccurate. Relying on such certificates for authorisation and regulatory permissions in isolation is insufficient and risky. It could result in a financial institution continuing to grant access to a third party whose regulatory status has changed without that change being reflected in the certificate.

For this reason, identity (who the TPP is) should be established through its eIDAS certificates, whilst authorisation (what the TPP is permitted to do) should be verified against an authoritative, up-to-date regulatory register at the time of access.

3. Industry-Led Utilities

National banking associations or European consortia could develop shared “authorisation gateways” to simplify compliance.

An example could be whereby a shared authorisation gateway acts as a trusted intermediary that:

• Centralises verification of third parties’ credentials and their regulatory status
• Issues or validates tokens/certificates for secure API access
• Provides a unified trust and identity layer for all participating entities

Such an approach can deliver simplified compliance, lower integration costs, improved security and simplified interoperability, supporting and underpinning innovation.

4. Risk-Based Access Controls

Financial institutions could tailor the level of verification to the risk profile of the requesting party (i.e. FISP), balancing compliance and innovation. However, arguably this becomes a little difficult and complex in an European open finance (FiDA) context, as FISPs are regulated entities and therefore cannot be denied access if they can: a) prove their identity (e.g. eIDAS certificate), b) have the appropriate regulatory authorisations and the right to operate within the given jurisdiction, and c) are a member of a relevant FiDA scheme(s).

However, the financial institution does have the ability to decline a data/payment request if: a) the consumer/business has not provided explicit consent, b) the FISP does not hold the relevant authorisations, c) it believes that there is suspicion of fraud or malicious activity or d) that fulfilling the request would violate other legal or regulatory requirements.

Europe is Unique however there are Lessons to be Learnt

Europe is unique as a political and economic union, combining supranational governance, deep economic integration and legal harmonisation. This structure delivers substantial benefits to Member States, their economies, businesses and citizens, but it also creates a level of institutional and regulatory complexity that shapes how open data-sharing frameworks are designed and implemented.

That complexity is particularly visible in open finance. Europe’s model of EU-level rulemaking, combined with national-level supervision, enables strong cross-border consistency; yet it also requires careful coordination to ensure that legal, supervisory and technical frameworks operate seamlessly across Member States. These challenges are most evident in the cross-border data-sharing regimes that will be established under PSD3, the PSR and FiDA, where common technical standards must function within diverse market and supervisory environments.

However, jurisdictions that were able to build on the lessons learned from PSD2 have had the opportunity to embed strong technical and governance frameworks into their open banking and open finance ecosystems from the outset. This has helped provide consumers and businesses with greater confidence that their data is shared securely, only with authorised third party providers and strictly in accordance with the consent they have given.

A feature common to many of these newer implementations is the use of shared technology infrastructure that supports the entire open banking or open finance ecosystem. Such infrastructure can provide a consistent foundation for identity, security and regulatory verification, strengthening trust, reducing friction and supporting scalable cross-border data sharing.

A Single Unified Central Directory (Source of Truth) Underpins the Success of FIDA

Trust, confidence, security, control and regulatory certainty are all prerequisites to underpin a thriving, successful open data sharing ecosystem. Trust and confidence are the lifeblood that give users (i.e. consumers and businesses) the confidence to engage in open finance services to deliver better outcomes and personalised services that are tailored to meet their specific needs and requirements.

For FiDA, a single, unified central directory, (delivered by an organisation with the capability to collect data from varied and disparate sources in real time that standardises and normalises the data, to correct missing or inconsistent information and to keep it continuously aligned with the legal systems of record), will deliver the trust, confidence, security, control and regulatory certainty to deliver effective FISP verification.

This would deliver:

• Real-time FISP identity validation via digital certificates connecting to Qualified Trust Service Providers (QTSPs) and revocation lists
• Automated monitoring of NCA registers to provide real-time FISP authorisation accreditation and passporting rights
• Automated monitoring of FISP scheme(s) membership to know which data sets can be accessed
• Timestamped data to demonstrate when data changes occur
• Cross-checks with national competent authorities for ambiguous or high-risk cases

Unlike the transition to PSD3, the scope of data under FiDA is broad and draws on multiple data sources. Under FiDA, European Open Banking (PSD2) will become one of several schemes of which a Participant may be a member, alongside, for example, investment schemes, insurance schemes, mortgage schemes and pension schemes.

Participants may be overseen by multiple regulators/NCAs. In Italy, for example, these would include:

• Italy Banking & Payments: Banca D’Italia
• Italy Insurance & Intermediaries: IVASS
• Italy Investment Firms & Securities: CONSOB

A Participant may also be assigned different identifiers by the different regulators, each following its own format, for example:

• IT-BI-00000
• IT-IVASS-11111
• IT-CONSOB-22222