Open Finance
Why Insurers and Pension Funds Should Be Watching FIDA Right Now
FIDA will require EU insurers, pension funds, and investment firms to share customer data through APIs for the first time. What these institutions need to know — and do — before obligations begin.
When PSD2 arrived in 2018, insurers and pension funds watched from the sidelines. Open banking was a banking problem. Someone else's headache.
FIDA makes it everyone's headache.
The EU's Financial Data Access regulation will, for the first time, require insurance companies, pension providers, and investment firms to share customer data with authorised third parties through standardised APIs. Not sometime in the distant future: the regulation is expected to be formally adopted in 2026, with compliance obligations projected to begin around 2028-2029. Both dates are projections that move with the legislative process, but the direction is settled.
If your institution falls into one of these categories and you haven't started thinking about this, here's what you need to know.
You're Now a Data Holder
Under FIDA, any financial institution that holds customer data in scope is classified as a data holder with an obligation to share that data when the customer consents.
For insurers, this covers non-life insurance products such as motor, home, travel, liability and property cover. Life insurance is excluded (over concerns about financial exclusion), as are sickness and health insurance. Treat the product list as provisional until the final text is published: scope has been one of the points negotiated between the Commission, Parliament and Council positions.
For pension providers, this covers occupational retirement provisions and pan-European personal pension products (PEPPs). The Council's position makes occupational pensions opt-in at the member state level, so the exact scope depends on whether each member state exercises this opt-in.
For investment firms and asset managers, this covers investment accounts, portfolio holdings, and transaction data.
In practical terms: when a customer asks you to share their insurance policy data, pension contributions, or investment holdings with an authorised third party, you'll be legally required to do so. In real time. Through a standardised API. In a machine-readable format.
Why This Is Harder Than It Sounds
Banks had PSD2 as a warm-up. They have had since 2018 to build and refine open banking APIs, they have dedicated teams for third-party data access, and they know how consent management works in practice.
Most insurers, pension funds, and investment firms have none of this.
The infrastructure gap is real. Many insurers still run core systems built in the 1990s or 2000s. Policy data sits in formats designed for internal batch processing, not real-time API access. Pension administration platforms were built for annual statement generation, not continuous data streaming.
The consent model is new. FIDA requires granular, customer-controlled consent with real-time dashboards. Customers must be able to see exactly who has access to their data and what data is being shared, and to revoke access at any time. This isn't a cookie banner. It's a permission management system that sits in the request path: every data request from a third party has to be checked against the specific permission the customer granted (which party, which data, for how long), and a revocation has to stop the flow immediately at the data layer, not just disappear from the dashboard.
The security bar is high. A data-sharing API exposes policy, pension and portfolio data to external parties, which makes it a new externally reachable attack surface that most of these institutions have never operated. Each request must be authenticated as coming from an authorised third party and authorised against a live customer consent, and every access must be logged so that the dashboard, dispute handling and incident investigation all work from the same record. FIDA compliance also intersects with DORA (Digital Operational Resilience Act), so this infrastructure must meet DORA's cybersecurity and operational resilience requirements: ICT risk management, incident reporting, and third-party oversight are all in scope.
The cost is meaningful. Industry estimates put FIDA compliance costs at up to three times what PSD2 cost for banks. And banks had more modern infrastructure to start with. For institutions starting from scratch, the investment in API infrastructure, consent management, security, and ongoing compliance is substantial.
What Customers Will Be Able to Do
It helps to think about this from the customer's perspective, because that's what's driving it.
Insurance comparison based on real data. Today, getting an insurance quote means filling out forms with information the customer may or may not remember accurately. Under FIDA, a customer could authorise a comparison platform to pull their actual policy data — coverage levels, claims history, renewal dates — from their current insurer. The comparison is based on facts, not guesswork.
Pension consolidation. The average worker in Europe changes jobs multiple times over their career, and each job may come with a different pension provider. Under FIDA, a pension aggregation service could pull data from every in-scope provider the customer has used, giving them a single view of their retirement savings for the first time. How complete that view is depends on scope: if a member state does not exercise the occupational pension opt-in, those schemes stay outside the picture.
Holistic financial advice. A financial advisor or robo-advisory platform that can access a customer's insurance policies, pension pots, and investment holdings — in addition to their bank accounts — can provide genuinely comprehensive advice. Today, advisors work with whatever documents the customer remembers to bring.
Faster claims and underwriting. With customer-permissioned data flows, underwriting and claims processes that currently take days or weeks could be significantly accelerated. Real data, shared in real time, reduces manual verification.
The Compensation Model Changes the Equation
Here's something that should interest CFOs: FIDA allows data holders to charge third parties a reasonable compensation for data access.
This is a departure from PSD2, where banks had to provide data for free. Under FIDA, the costs of building and maintaining data-sharing infrastructure can be partially recovered through fees charged to Financial Information Service Providers (FISPs).
The compensation must be reasonable — limited to costs directly attributable to the data request, based on an objective and transparent methodology. Overheads and sunk costs are excluded. But for institutions making significant infrastructure investments, the ability to generate revenue from data sharing softens the business case.
The rules set by Financial Data Sharing Schemes will define what "reasonable" actually means in practice. Each FDSS will establish a transparent compensation methodology within its governance framework.
Financial Data Sharing Schemes: Don't Be a Passive Participant
FIDA introduces Financial Data Sharing Schemes (FDSS) — industry-led bodies that define the technical standards, compensation methodology, and liability framework for data sharing. Every data holder and FISP must participate in at least one.
These schemes are where the real decisions get made. What do the APIs look like? How is compensation calculated? Who bears liability when something goes wrong? The institutions that engage with FDSS development now — in 2026 and 2027 — will help write the rules. The ones that show up late will inherit rules written by someone else.
For large insurers and pension providers, this is a strategic opportunity. Your input into scheme design can shape standards that favour your operating model. For smaller institutions, participation ensures your interests are represented.
What You Should Be Doing Now
The regulation isn't final. Compliance obligations won't hit until 2028 at the earliest. But that doesn't mean 2026 is too early to act.
Assess your data architecture. Where does customer data live? In what format? How accessible is it through modern APIs? For most insurers and pension providers, the answer will reveal gaps between current capabilities and what FIDA will require.
Understand the FDSS landscape. Which Financial Data Sharing Schemes are forming in your sector? Who's leading them? What standards are they proposing? Getting involved early gives you influence over the technical framework you'll need to comply with.
Start the build-vs-buy analysis. Do you have the engineering capacity to build API infrastructure, consent management, and audit logging in-house? Or does it make more sense to partner with a platform that already provides this for other regulatory frameworks? Most institutions outside the top tier will find that buying is faster and more cost-effective.
Include FIDA in your 2027 budget planning. Implementation takes time. If compliance obligations begin in 2028-2029, budget allocation needs to happen in 2027 at the latest. That means executive awareness and business case development in 2026.
Map the DORA overlap. If you're already working on DORA compliance (you should be; it applied from January 2025), much of that work feeds directly into FIDA requirements. ICT risk management, operational resilience, and third-party oversight are shared obligations. Note that if you buy the API and consent layer rather than build it, the vendor becomes an ICT third-party service provider under DORA, with the contractual terms, register entries and oversight that status requires. Avoid duplicating effort, but don't assume the buy option removes the obligation.
The Upside
FIDA is a compliance obligation. But it's also a market signal.
Customer expectations around data access and portability are shifting across every industry. The institutions that build transparent, high-quality data-sharing infrastructure won't just comply with a regulation — they'll meet a customer expectation that's only going to grow stronger.
Insurance customers who can easily share their data will switch more easily. That benefits the insurers who compete on service and price. Pension providers who give customers real-time visibility build trust that translates into retention. Investment firms that enable seamless data flows attract the advisors and platforms that bring them new clients.
The firms that treat data sharing as a strategic capability — not just a regulatory cost — will come out ahead.
Fiskil's Data Provider platform gives financial institutions the API infrastructure, consent management, and audit capabilities needed for open finance compliance, supporting CDR, FDX, UK Open Banking, and PSD2 today, with the flexibility to adapt as FIDA requirements are finalised.