
Stefano Nicoletti, Head of MEF’s Sender ID Registry in the UK, discusses news that the EU’s Financial Data Access Regulation (FIDA), currently in its final stages of negotiation, is set to exclude some of the biggest names in tech from participation. What are the implications and what does the move mean for MEF Members and the wider industry?

The EU’s Financial Data Access Regulation (FIDA) is entering its final negotiation phase, with a major development announced: Big Tech firms, such as Apple, Google, Meta, and Amazon, are likely to be excluded from participating in the framework. 

This decision, backed by Germany and other member states, is aimed at protecting Europe’s digital sovereignty and ensuring a level playing field for banks and fintech. We understand that this is a political choice aimed at protecting sensitive financial information from dominant digital platforms and avoiding market concentration while fostering EU-based innovation and supporting banks and SMEs in developing competitive digital finance offerings.

What Is FIDA and What Happens Outside of the EU

FIDA is a proposed EU regulation designed to expand Open Banking into Open Finance, enabling consumers to share a broader range of financial data—including savings, investments, pensions, and insurance—with third-party providers. The regulation builds on PSD2 and is part of the EU’s broader Digital Finance Strategy. The key objectives of FIDA are to empower consumers with control over their financial data, to foster innovation and competition in financial services, and to ensure secure and consent-based data sharing.

The closest equivalent to FIDA in the U.S. is the Consumer Financial Protection Bureau’s (CFPB) rulemaking under Section 1033 of the Dodd-Frank Act, approved in October 2024 but not yet fully implemented. Like FIDA, the CFPB rule concerns consumer access to financial data. Its implementation is facing significant resistance and challenges from the incumbent US financial industry, which sees the current regulatory environment as too fragmented and uncertain to support sustainable open banking operations.

India’s Account Aggregator (AA) Framework, launched by the Reserve Bank of India (RBI), is the country’s closest equivalent to the EU’s FIDA regulation. Operational since 2021, it enables consumers to securely share financial data—such as banking, insurance, and investment information—across institutions with their consent. The framework is built on India’s Data Empowerment and Protection Architecture (DEPA), emphasizing interoperability, privacy, and user control. Supported by major banks and financial entities, the AA system uses standardized APIs and encryption to facilitate safe, transparent data exchange, laying the foundation for a robust open finance ecosystem.

In the UK, there is no direct equivalent to FIDA. The government is developing its own Open Finance framework through regulatory consultations (FCA) and the proposed Data Protection and Digital Information Bill, which will establish the legal basis for smart data schemes in financial services and enable broader data sharing.

Current Status and Timeline

FIDA is still under discussion. The European Parliament and Council are expected to finalise the regulation by late 2025. Implementation will proceed in three steps, likely starting in late 2027:

  • Q4 2027: The first implementation phase begins, covering savings, consumer credit agreements, and property & casualty insurance. 
  • Q3 2028: The second phase will expand to investments, personal pensions, crypto assets, mortgages, and insurance-based investment products. 
  • Q3 2029: The third phase will include other credit agreements, business creditworthiness assessments, and occupational pensions.

Transitional periods will give banks and other financial institutions time to adapt; however, they are still likely to encounter challenges in implementing new technical standards, modernizing legacy systems, and ensuring regulatory compliance.

Cybersecurity and Compliance: What Banks Must Do

FIDA’s requirements will push banks to strengthen their cybersecurity posture, including developing secure APIs for real-time data sharing, managing customer permissions through consent dashboards, implementing robust encryption and authentication that will have to align with GDPR and NIS2 standards, and preparing for cross-border interoperability to support EU-wide compliance and competition. Banks will need to invest in scalable, cloud-based solutions and collaborate with fintech to meet these demands. Perhaps, as part of the stronger authentication piece, they may well consider abandoning SMS…

The Role of SMS OTP in Authentication

While there is a global trend toward stronger authentication methods, SMS OTP remains widely used and valued by consumers for its simplicity and accessibility. Regulatory bodies—including the European Banking Authority—are encouraging banks to adopt more secure alternatives, but SMS OTP is not being banned outright in the EU. 

From our perspective, while the industry explores alternatives, SMS OTP continues to serve as a vital tool—especially in regions or demographics where app-based solutions are less accessible. We believe the transition will be gradual, and banks may continue to rely on SMS OTP during the FIDA implementation period.

What FIDA Means for MEF Members

As FIDA moves toward finalization, MEF members—particularly those involved in mobile messaging, identity verification, and authentication—will play a critical role in enabling secure, compliant, and user-friendly financial services across Europe.

Key implications:

  • Authentication innovation: While SMS OTP remains a trusted and widely used method, MEF members will be instrumental in supporting banks as they explore complementary solutions like app-based authentication, biometrics, and passkeys. The transition will be gradual, and SMS will continue to serve many users during and beyond the FIDA rollout.
  • Secure messaging infrastructure: With increased data sharing and consent flows, secure and reliable messaging channels—especially for transactional alerts and authentication—will be essential. MEF members can help ensure that mobile communications remain resilient against fraud and phishing.
  • Compliance support: MEF members can assist financial institutions in meeting FIDA’s cybersecurity and consent management requirements by offering tools and services that align with EU standards, including GDPR and NIS2.
  • Consumer trust and accessibility: As banks adopt new digital identity and data-sharing models, MEF members have a unique opportunity to advocate for inclusive, accessible solutions that work across devices and demographics—ensuring no one is left behind in the shift to Open Finance.

In short, FIDA presents a strategic opportunity for MEF members to shape the future of secure digital finance in Europe. By collaborating with banks, regulators, and technology providers, MEF can help build a trusted ecosystem that balances innovation, security, and consumer choice.

Stefano Nicoletti

Head of MEF Sender ID Registry

 
