The Data (Use and Access) Bill has been enacted. The new Act touches on several topics that are relevant to financial services in the UK, including paving the way for developments with open banking and open finance. Most provisions need to be switched on by commencement regulations.
Key aspects of the Act include:
- Open banking / open finance: The Act gives HM Treasury and the Science and Technology Secretary the power to introduce new smart data schemes. These schemes will comprise regulations governing who is required to share certain customer data, the nature of that data, how and when it should be shared, and how that data should be protected. Sharing of payment account data under open banking will become a smart data scheme, and it is hoped that the extra flexibility in setting the rules for the scheme will allow it to operate under a more sustainable commercial model. Future initiatives to open up data for other types of finance will also be set up under the Act. The FCA will publish a roadmap for open finance in the coming months, which is expected to confirm plans to prioritise data-sharing relating to SME lending.
- Digital verification: The Act creates a regulatory framework for digital verification services. Companies offering identity verification tools will be able to obtain certification in accordance with the DVS trust framework and receive a “trust mark” indicating that they are DVS-registered. The intention is to increase acceptance of digital identities across the UK and promote their wider usage. Financial services could then use these tools as part of their know-your-customer checks when onboarding new clients.
- Automated decision-making: The Act requires organisations making “significant” decisions that are based (i) entirely or partly on personal data, and (ii) solely on automated processing, to put in place safeguards to protect individuals impacted by such decisions (e.g. the ability to contest or make representations about such decisions). The Act clarifies that decisions will fall in scope of (ii) if there is no “meaningful human involvement in the taking of the decision”, and will be deemed “significant” where they would have a legal effect or would have a similarly significant effect on the data subject.
- Data subject access requests: The Act amends the UK GDPR to provide flexibility around deadlines for responding to DSARs, with scope for extension, for example, where such DSARs are high in number or especially complex. The Act also requires organisations to undertake only a “reasonable and proportionate” search of personal data and other information on receipt of a DSAR.