Data (Use And Access) Act 2025

Commentary on provisions of Act

Part 1: Access to Customer Data and Business Data

Introductory

Section 1: Customer data and business data

  1. Section 1 defines key terms and concepts for the regulation-making powers in Part 1.
  2. Subsection (2) defines the terms "business data", "customer data", "data holder", "data regulations" and "trader".
  3. "Business data" is general information about goods, services and digital content supplied or provided by a trader; information about the supply or provision of the goods, services or digital content by the trader, which may include information about their availability (for example, in a communications context, information about a supplier’s broadband coverage), price (which enables price comparisons against competitors) and other terms of supply; and information about their use, performance or quality; and information about feedback. Business data may also include information about the provision of business data under the regulations.
  4. "Customer data" is information specific to a customer of a trader. Without limitation, customer data includes information about the goods, services or digital content supplied or provided by a trader to that customer or to another person (recipient) at the customer’s request. This might encompass information on the prices that customer or recipient has paid or is paying (which could aid personalised price comparisons), information about other terms relating to the supply or provision of the goods, services or digital content in question to that customer or recipient, information on the use of the goods, services or digital content by that customer or recipient such as usage patterns, and information about the performance or quality of the goods, services or digital content when used by that customer or recipient. In the context of the provision of banking services, customer data could include the customer’s balance and transaction history. Customer data may also include information about the provision of customer data to a person under the regulations.
  5. A "data holder" is a trader (paragraph (a) of the definition) but also covers a person who, in the course of business, processes the data (paragraph (b)). Regulations under sections 2 and 4 impose obligations on data holders, and paragraph (b) of the definition ensures that those obligations may apply to persons who process data on the trader’s behalf.
  6. "Data regulations" are regulations relating to customer data and business data under sections 2 and 4 (and may be read to include regulations to which section 23 (related subordinate legislation) applies: see section 23(3)).
  7. Aside from the "data regulations", Part 1 contains other, ancillary, regulation-making powers in sections 8 (enforcement of regulations under this part), 11 (fees), 12 (levy), 14 (the FCA and financial services interfaces), 16 (the FCA and financial services interfaces: penalties and levies), 17 (the FCA and co-ordination with other regulators), 18 (liability in damages) and 19 (duty to review regulations). References in these notes to "Part 1 regulations" are to regulations under any or all powers in Part 1 whether or not they are data regulations.
  8. A "trader" is a person who supplies or provides goods, services or digital content in the course of a business whether acting personally or through another person.
  9. The definitions of "business data", "customer data", and "trader" are framed by reference to the supply or provision of goods, services and digital content. The application of Part 1 to "goods", "services", "digital content" reflects the approach of Part 1 (consumer contracts for goods, digital content and services) of the Consumer Rights Act 2015. However, "digital content" and "goods" are defined for the purpose of Part 1 in section 25(1). Unlike the 2015 Act, "goods" includes water, gas and electricity without restriction as to how or in what quantity they are supplied.
  10. Subsections (3) to (5) describe when, and in relation to what, a person is a customer of a trader for the purposes of Part 1.
  11. Subsection (3) ensures that a person (C) may be a customer of a trader (T) not only where C purchases goods, services or digital content ("goods etc.") from T, but where C is supplied goods etc. purchased by another person and where C receives goods etc. free of charge.
  12. Subsection (4) ensures that a person may be treated as a customer in relation to the purchase, supply, provision or receipt of goods etc. before this section comes into force.
  13. Subsection (5) confirms that a person is considered a customer from the point of entering into agreement to purchase the goods etc. from T, and not just when those things are provided to the customer or recipient.
  14. Customers are intended to include, but are not restricted to, consumers. Regulations may therefore apply to customers acting for purposes relating to a course of business including customers which are corporate entities. The breadth of the concept of customer reflects that business customers – particularly small businesses – may suffer from similar disadvantages relating to access to data as consumers. Pursuant to section 21(1)(a) and (b), data regulations may be made to apply only to certain categories of customer.
  15. Subsection (6) provides that references to the provision or receipt of data should be read as including access to data by that person or other persons. This reflects that, in practice, data might not be transferred from one person to another; rather, it may be the case that the person is granted access to data which is, and remains, held by the data holder.

Data regulations

Section 2: Power to make provision in connection with customer data

  1. Section 2 provides the principal regulation-making power in relation to customer data.
  2. Subsection (1) enables the Secretary of State or the Treasury to make regulations requiring data holders to provide customer data either directly to a customer (paragraph (a)) or to a person of a specified description who is authorised by the customer to receive the data (an "authorised person"), at the request of the customer or the authorised person (paragraph (b)).
  3. It is intended that data regulations will most likely require the provision of customer data to an authorised person (under paragraph (b)) rather than directly to the customer (under paragraph (a)) since the authorised person will be best able to make use of the data on the customer’s behalf (for instance, in the provision of innovative services such as account management services via a visual dashboard of accounts, displayed on a smartphone application). However, the regulation-making powers have been kept broad to allow regulations to provide for direct provision of data to customers in the future.
  4. Subsection (2) defines, in relation to customer data, a "third party recipient". A third party recipient is a person of a description specified (see further "specified" in section 25(1)) under subsection (1)(b) who a customer is able to authorise. The concept of a third party recipient is distinct from that of an authorised person: this is because regulations may impose requirements (such as to have appropriate IT systems or to pay fees or a levy) on persons of the specified description. That may be the case where a person is "accredited" as a third party recipient by a decision-maker under section 6, but might not necessarily be authorised by a customer at any particular time. Section 3(2)(b) and (c) illustrates possible means by which the regulations may restrict the persons customers may authorise to act on their behalf.
  5. Subsection (3)(a) provides for the making of regulations which enable or require data holders to produce, collect or retain customer data or arrange for that to be done. The purpose of this power is to ensure that data holders have specific data to hand in order to ensure that Smart Data schemes can operate consistently and effectively.
  6. Subsection (3)(b) provides for the making of regulations which enable or require data holders to make changes to customer data if requested by the customer or an authorised person. This power is intended, in particular, to provide customers with rights to rectify data beyond the right to rectification in Article 16 of the UK GDPR which is limited to personal data and therefore does not cover customer data where a customer is not an individual.
  7. Subsection (4) enables the making of regulations which provide for an authorised person to be able to take, on the customer’s behalf, action that the customer could take in relation to the goods, services or digital content supplied or provided by the data holder. The intention is that this power might, for instance, be used to allow the authorised person to access and use the goods, services, or digital content in question (for instance, to make a payment from the customer’s account) or transact with the trader (for instance, to negotiate an improved deal) on the customer’s behalf.
  8. Subsection (5) requires that in deciding whether to make regulations under section 2, the Secretary of State or the Treasury must (among other things) consider the likely effect of the regulations on customers, data holders, small and micro businesses, and on innovation in the supply of goods and products and competition. The concepts of small and micro-business are defined in section 25(1) by reference to the Small Business, Enterprise and Employment Act 2015.

Section 3: Customer data: supplementary

  1. Section 3 illustrates provisions that data regulations under section 2 may, among other things, contain. Data regulations do not have to contain all of these provisions, neither are they limited to them.
  2. Subsection (2) envisages that regulations may include: provisions about the procedure by which customers authorise a person to access their data or otherwise act on their behalf (paragraph (a)); provisions restricting the persons that a customer may authorise to those complying with conditions specified by or under the regulations (paragraph (b)); and provisions for a person (a decision-maker) to decide whether a person satisfies those conditions (paragraph (c)). Paragraph (c) envisages the possibility of a system of accreditation for third party recipients: if so, section 6 (decision-makers) will apply and that section contains further provisions and requirements about decision-makers.
  3. Subsection (3) envisages provisions about the making of requests relating to customer data: the regulations may, for instance, impose requirements as to how requests may be made. Subsection (3) also envisages that regulations may provide circumstances in which a data holder may or must refuse to act on a request: such circumstances might, for instance, include unfounded or excessive requests.
  4. Subsection (4) envisages provisions about how customer data is to be provided and action is to be taken on the customer’s behalf in accordance with regulations under section 2(4).
  5. Subsection (4)(a) envisages that customer data may be provided on one or more occasions, for a specified period (e.g., continuously available for a set amount of time) or at specified intervals.
  6. Subsection (4)(b) envisages requirements for the use of specified facilities or services, including electronic communications services or application programming interfaces (see section 25(1)) (APIs). APIs are software intermediaries that allow two applications to talk to each other (e.g. to share data), and typically adhere to standards that are developer-friendly and easily accessible. Banks in scope of the CMA’s Retail Banking Market Order were required to comply with API standards that were designed by a separate implementation body, to ensure the timely sharing of customer data.
  7. Subsection (4)(c) envisages requirements on data holders and third party recipients to comply with specified standards, or participate in specified arrangements, relating to, or to the use of, those facilities or services. For example, data holders and third party recipients may be required to participate in the design and implementation of mechanisms or protocols that allow for efficient and timely provision of data. Using the example of APIs, data holders may be required to establish and maintain their APIs in alignment with standards prescribed or identified in the regulations.
  8. Subsection (4)(d) envisages requirements on data holders and third party recipients to provide for, or arrange, specified assistance in relation to establishing, maintaining or managing those facilities or services. Subsection (11) provides that assistance may include actual or contingent financial assistance and gives examples of such assistance.
  9. Subsection (4)(e) envisages provisions about interface bodies. These are dealt with in section 7 (interface bodies). Interface bodies may undertake the tasks in subsection (1) of that section.
  10. Subsection (5) envisages provisions requiring or enabling data holders and third party recipients to produce, collect, or retain records of their provision or (as the case may be) receipt of customer data.
  11. Subsection (6) envisages that a person who processes customer data may be required to assist a trader in complying with the regulations.
  12. Subsection (7) envisages requirements about the processing of customer data provided to third party recipients. Paragraphs (a) to (c) envisage requirements on third party recipients reflecting paragraphs (b) to (d) of subsection (4), with subsection (11) applying in relation to the specified assistance referred to in paragraph (c). Paragraph (d) envisages requirements about interface bodies in accordance with section 7. Paragraph (e) envisages requirements about further disclosure of customer data, including for "downstream" data recipients to be subject to some or all requirements imposed by the regulations on third party recipients or to conditions imposed on them by the third party recipient.
  13. Subsection (8) envisages provisions enabling or requiring a data holder or third party recipient to publish specified information about rights and obligations under the regulations. Such provisions may be important, for instance, to require traders to draw customers’ attention to their rights and how they may be exercised.
  14. Subsection (9) envisages provision about complaints which may include a requirement for data holders and third party recipients to implement complaints procedures (decision-makers may also be required to implement such procedures under section 6(7)).
  15. Subsection (10) envisages provision for dispute resolution. This may include appointing a person to determine disputes, with provisions about their powers when determining disputes, the effect of decisions relating to disputes, and provisions about review of decisions and for appeals to a court or tribunal. By way of example, a person determining a dispute may be a recognised ombudsman in a given sector, or simply an alternative dispute resolution (ADR) provider.
  16. Subsection (11) is explained in the context of subsections (4)(d) and (7)(c).

Section 4: Power to make provision in connection with business data

  1. Section 4 provides the principal regulation-making power in relation to business data. This regulation-making power may be used in conjunction with section 2 or on its own.
  2. Subsection (1) enables the Secretary of State or the Treasury to make regulations requiring data holders to publish business data and/or provide business data to the customer (paragraph (a)) or to another person of a specified description (paragraph (b)).
  3. As business data does not directly relate to a particular customer, there are two important differences as compared with the equivalent regulation-making power for customer data in section 2(1). First, regulations under subsection (1) of this section may require publication of data: this is because, depending on the Smart Data scheme in question, it might be efficient to publish data in accordance with such arrangements as the regulations may prescribe. Second, if the regulations take the approach of requiring provision of data to a person of a specified description, that person does not require the authorisation of a customer.
  4. Subsection (2) defines, in relation to business data, a "third party recipient" for the purpose of Part 1: a third party recipient is a person of a description specified under subsection (1)(b). In practice, the same person may be a third party recipient under section 2(1) and 4(1) for both customer data and business data.
  5. Subsection (3) provides for the making of regulations which enable or require data holders to produce, collect or retain business data or arrange for that to be done. As with section 2(3)(a), the purpose of this power is to require data holders to have specific data to hand in order to ensure that Smart Data schemes can operate consistently and effectively.
  6. Subsection (4) enables the making of regulations which require a third party recipient of business data, which is a public authority (see section 25(1)) or a person appointed by a public authority, to publish or provide that data. This is to enable a model in which business data is provided to, and then published or disclosed onwards by, a public authority or a person acting on its behalf. To enable this model to function, paragraph (c) allows the regulations to impose requirements (except a requirement to pay the levy under section 12) on the public authority or its appointee as if it were a data holder and paragraph (d) allows the regulations to treat a person ultimately receiving the data from the public authority or its appointee as a third party recipient.
  7. Subsection (5) mirrors section 2(5) and requires that, in deciding whether to make regulations relating to business data, the Secretary of State or the Treasury must (among other things) consider the likely effect of the regulations on customers, data holders, small and micro businesses, and on innovation in the supply of goods and products and competition.

Section 5: Business data: supplementary

  1. Section 5 illustrates provisions that data regulations under section 4 may, among other things, contain. This section largely mirrors section 3 (customer data: supplementary) and, as with that section, data regulations do not have to contain all of the provisions envisaged by section 5 and neither are they limited to them.
  2. Subsection (2) envisages that regulations may require business data to be provided on request. The regulations may provide for requests for business data to be made by a customer, third party recipient or by other persons. If the regulations provide for the provision of data on request then, as with section 3(3) in relation to customer data, the regulations may contain provision about those requests including circumstances in which a data holder may or must refuse to act on a request.
  3. Subsection (3) envisages provisions restricting provision of business data to customers or to third party recipients who are approved to receive it. If so, as with section 3(2), the restriction may be achieved by conditions specified by or under the regulations (paragraph (a)) and the regulations may provide for a specified person (a decision-maker) to decide whether a person satisfies those conditions. Section 6 (decision-makers) contains further requirements about decision-makers, should the regulations make such provision.
  4. Subsection (4) envisages provisions about how business data is to be published or provided, reflecting, in relation to provision of business data, section 3(4).
  5. Subsection (5) envisages provisions requiring or enabling data holders and third party recipients to produce, collect, or retain records of their provision or (as the case may be) receipt of business data, reflecting section 3(5).
  6. Subsection (6) envisages that a person who processes business data may be required to assist a trader in complying with the regulations, reflecting section 3(6).
  7. Subsection (7)(a) to (d) envisages requirements on third party recipients, reflecting section 3(7)(a) to (d). Subsection (7)(e) envisages provisions about further disclosure of business data, including to make "downstream" recipients subject to some or all the requirements imposed by the regulations on customers or third party recipients.
  8. Subsection (8) envisages provisions enabling or requiring a data holder or third party recipient to publish specified information about rights and obligations under the regulations, reflecting section 3(8).
  9. Subsection (9) envisages provision about complaints, which may include a requirement for data holders or third party recipients to implement complaints procedures, reflecting section 3(9).
  10. Subsection (10) envisages provisions for dispute resolution, reflecting section 3(10).
  11. Subsection (11) sets out what is meant by assistance in subsections (4)(d) and (7)(c), reflecting section 3(11).

Section 6: Decision-makers

  1. Section 6 outlines provisions relating to decision-makers that data regulations may, among other things, provide for. The possible provisions in this section are non-exhaustive, but, if regulations do provide for a decision-maker, subsection (7) is mandatory.
  2. A decision-maker (see subsection (2)) is a person on which the regulations confer the function of deciding whether a person satisfies conditions restricting who customers may authorise to receive customer data or do other things (section 3(3)(b)) and who may be approved to receive business data (section 5(3)(b)). Decision-makers might (if they are a public authority), or might not, be persons who are enforcers under section 8 (enforcement of regulations under this Part).
  3. Section 6 deals with the conferral of decision-making functions in the context of those provisions. Section 21(1)(g) allows for the conferral of functions involving the exercise of a discretion in other contexts.
  4. Subsection (3) provides that regulations may make provision about the appointment of the decision-maker.
  5. Subsection (4) provides that regulations may enable or require decision-makers to suspend or revoke decisions. A revocation or suspension may result in the person concerned ceasing to be able to request or receive data or to act on a customer’s behalf. However, it is anticipated that a suspension or revocation might alternatively be used to impose a lesser sanction, for instance through a partial suspension or revocation, one which allows a third party recipient to continue to act in that capacity subject to conditions or additional conditions. In providing for, or requiring, a decision-maker to suspend or revoke its decisions, the regulations may, among other things, make different provisions for different cases and may make consequential, supplementary and incidental provisions (see section 21(1)).
  6. Subsection (5) provides for the conferral of powers on decision-makers to monitor compliance by third party recipients with the conditions under which they are authorised or approved, and these powers are enforceable in the same way as powers conferred on enforcers under section 8.
  7. Subsection (6) clarifies that the monitoring powers referred to in subsection (5) include enabling a decision-maker to require the provision of documents or information, but this is subject to the restrictions on investigatory powers in section 9.
  8. Subsection (7) requires that regulations must make provision about the rights of persons affected by the exercise of decision-makers’ functions. These rights may include provisions for review of decisions or rights of appeal to a court or tribunal.
  9. Subsection (8) provides that regulations may make provision about complaints, including requiring a decision-maker to implement procedures for the handling of complaints.
  10. Subsection (9) provides for the regulations to enable or require the publication of specified documents or information relating to the exercise of a decision-maker’s functions.
  11. Subsection (10) provides for a decision-maker to conduct its investigations through another person and reflects section 8(11) in relation to enforcers.
  12. Subsection (11) provides for the appointment of multiple decision-makers and reflects section 8(12) in relation to enforcers.
  13. Subsection (12) provides for regulations to enable or require a decision-maker to produce guidance about how it intends to exercise its functions under the regulations. Regulations may require the decision-maker to publish the guidance and provide copies to specified persons.

Section 7: Interface bodies

  1. Section 7 is about the provision that regulations under section 2 and 4 may (among other things) contain about "interface bodies". Such bodies may be required to be established and maintained in order to provide facilities and services, set standards or make related arrangements for data sharing interfaces. The Open Banking Implementation Entity is an example of an interface body; it has developed API standards to which the largest banking providers are required to adhere under the CMA Order.
  2. Subsection (1) outlines the tasks that interface bodies may perform. These are establishing interfaces, which are facilities or services for the sharing of data or taking action under section 2(4); setting standards or making arrangements relating to, or to the use of, interfaces (which could include interfaces established, managed or maintained by other persons); and maintaining or managing such interfaces, interface standards or interface arrangements.
  3. Subsection (2) defines interface bodies with reference to subsection (1).
  4. Subsection (3) enables regulations to be made requiring a data holder or a third party recipient to set up an interface body, and to make provision about the type of body to be set up. This is to allow the Secretary of State or the Treasury to require a scheme to have an interface body, and to require participants in the scheme to establish it.
  5. Subsection (4) sets out the provisions that regulations may make in relation to an interface body. These include provisions about the composition and governance of the body, things the body must do in relation to interface standards or arrangements, provisions about the body’s objectives and how it carries out its functions, requirements in relation to persons required to set up the body including the provision of assistance (see subsection (7)), transparency requirements, and the conferral of monitoring powers on the body. The intention of this is to ensure that interface bodies can be appropriately regulated and that regulations can require industry participants to effectively support such bodies.
  6. Subsection (5) confirms that where an interface body is provided with monitoring powers, these include the power to require the provision of documents. The intention of this is to ensure that an interface body can effectively monitor the use of its interface, standards and arrangements. For example, the Open Banking Implementation Entity monitors the implementation, availability and performance of the APIs that it oversees. As with section 6(6) in relation to decision-makers, these powers are subject to the restrictions on investigatory powers in section 9.
  7. Subsection (6) provides examples of the facilities referred to in subsection (1).
  8. Subsection (7) provides that references to "assistance" in subsection (4)(b) and (c) include actual or contingent financial assistance and gives examples of financial assistance.

Enforcement

Section 8: Enforcement of regulations under this Part

  1. Section 8 enables monitoring compliance with, and enforcement of, Part 1 regulations and requirements imposed under them. This may be conducted by a public authority (see section 25(1)) which is specified in the regulations and authorised or required to do so (an "enforcer").
  2. Subsection (4) deals with the powers of investigation that may be conferred on an enforcer. These include: powers to require provision of information or documents; powers to require an individual to be interviewed; and powers of entry, inspection, search and seizure. The conferral of investigatory powers is subject to the restrictions in section 9 (restrictions on powers of investigation etc) as well as any further restrictions in the regulations.
  3. Subsections (5) and (7) deal with enforcement powers that may be conferred on an enforcer.
  4. Subsection (5)(a) provides for the regulations to enable an enforcer to issue a notice ("compliance notice") requiring compliance with Part 1 regulations, any condition for authorisation or approval of a third party recipient (see sections 3(2) and 5(3)), or any other requirement imposed in exercise of a power conferred by Part 1 regulations. Subsection (5)(b) enables regulations to make provision for enforcement of compliance notices, including enforcement as if they were orders of a court or tribunal.
  5. Subsection (5)(c) provides that regulations may enable an enforcer to publish a statement that the enforcer considers that a person is not complying with Part 1 regulations, a requirement imposed by a compliance notice or any other requirement imposed in exercise of a power conferred by Part 1 regulations. This allows an enforcer to "name and shame" the person concerned which may, for instance, be useful in persistent or egregious cases of non-compliance.
  6. Subsection (7) enables the regulations to allow an enforcer to impose financial penalties in the cases of: provision of false or misleading information; failure to comply with a requirement imposed by Part 1 regulations; failure to comply with a requirement imposed in exercise of a power imposed by Part 1 regulations; failure to comply with a compliance notice. Where either could be imposed, a financial penalty may be imposed additionally or alternatively to the sanctions in subsection (5).
  7. Sections 10 (financial penalties) and 21(3) contain further provisions relating to financial penalties, including procedural and other safeguards that the regulations must contain if they are to provide for the imposition of financial penalties. These are described further in the context of section 10.
  8. Subsection (6) enables the regulations to create offences, punishable with an unlimited fine or a fine not exceeding a specified amount, in cases where a person provides false or misleading information and for an act or omission (including falsification) which prevents an enforcer, interface body or a decision-maker from accessing information, documents, equipment, or other material. Section 21(2) deals with setting maximum amounts of fines and is explained in the commentary on that section.
  9. Subsection (8) enables the regulations to make provision about rights for those (for instance data holders and third party recipients) affected by an enforcer’s actions. Such rights may include reviews of the decisions made by an enforcer or appeals to a court or tribunal. In addition, there are specific and mandatory safeguards if the regulations empower an enforcer to issue financial penalties: see section 10.
  10. Subsection (9) enables the regulations to make provision about complaints, including requiring enforcers to implement procedures for the handling of complaints.
  11. Subsection (10) enables the regulations to require an enforcer to publish, or provide to a specified person, documents or information relating to its monitoring or enforcement of the regulations. This may include documents or information about activities undertaken by the enforcer in the exercise of its functions, and documents or information about convictions for offences.
  12. Subsection (11) enables an enforcer’s powers of investigation to be carried out by another person. This reflects the investigatory powers in relation to consumer law in Schedule 5 to the Consumer Rights Act 2015.
  13. Subsection (12) provides for the appointment of multiple enforcers. Where this is the case, regulations may appoint a "lead" enforcer. Other enforcers may be required to consult the lead before exercising their functions, and the lead may issue directions as to which enforcer may exercise a function in a particular case.
  14. Finally, subsection (13) allows the regulations to enable or require an enforcer to produce, publish and provide copies of guidance about how it intends to exercise its functions.

Section 9: Restrictions on powers of investigation etc

  1. Section 9 restricts the powers of investigation that may be conferred on enforcers by section 8. The section also restricts the monitoring powers that may be conferred on decision-makers (see section 6(6)) and interface bodies (see section 7(5)).
  2. Subsection (1)(a) ensures that regulations may not authorise entry of an enforcer to a private dwelling without a court-issued warrant.
  3. Subsection (1)(b) ensures that regulations may not require a person to give a decision-maker, an interface body or an enforcer information to which subsections (2) to (7) apply. This information consists of information:
    • The provision of which would infringe the privileges of Parliament (subsection (2));
    • In respect of a communication between a professional legal adviser and the adviser’s client in connection with legal advice relating to obligations, liabilities or rights under Part 1 regulations (subsections (3) and (5));
    • In respect of a communication between a professional legal adviser and the adviser’s client or another person, in connection with or contemplation of, and for the purpose of, proceedings under or arising out of Part 1 regulations (subsections (4) and (5));
    • The provision of which would expose a person to prosecution for an offence, other than an offence under the regulations or other legislation listed in subsection (7) (subsections (6) and (7)).
  4. Subsection (8) prevents an oral or written statement given in response to a request for information from a decision-maker, an interface body or an enforcer being used in evidence against the person being prosecuted for an offence, other than an offence created by the data regulations, subject to the exceptions in paragraphs (a) and (b).

Section 10: Financial penalties

  1. Section 10 makes provision in relation to financial penalties and imposes safeguards as to their use.
  2. Subsections (2) (except as provided for) and (3) set out requirements which regulations must include if they confer a power to impose a financial penalty.
  3. Subsection (2) provides that, except where section 16 (the FCA and financial services interfaces: penalties and levies) provides otherwise, a financial penalty may be a penalty of a specified amount, or an amount determined in accordance with the regulations, or an amount not exceeding those amounts. Section 21(3) and (4) provide additional safeguards on the setting of financial penalties and are explained in the commentary on that section.
  4. Under subsection (3)(a) and (b), the regulations must require an enforcer to produce, have regard to, and publish guidance about how the enforcer proposes to exercise any discretion to determine the amount of a financial penalty where it has that discretion.
  5. Under subsection (3)(c), the regulations must require an enforcer to provide a person on which a financial penalty is to be imposed with a written notice of the proposed financial penalty in advance of imposing it ("a notice of intent").
  6. Under subsection (3)(d) and (e), the regulations must require an enforcer to provide that person with an opportunity to make representations about the proposed financial penalty. For example, the regulations may provide the opportunity to submit an official statement to the enforcer before it makes a decision.
  7. Under subsection (3)(f), the regulations must require that, if the enforcer then decides to impose a financial penalty, the enforcer must issue that person with a notice in writing (final notice) imposing that penalty.
  8. Subsection (3)(g) to (h) requires that the regulations provide the person on which the penalty is imposed with a right of appeal and the regulations must specify the powers of the court or tribunal on such an appeal (this includes, for example, whether the court may substitute the enforcer’s decision with its own or remit the decision to be retaken by the enforcer).
  9. Subsection (4) provides that regulations may:
    • Require or enable an enforcer to provide copies of the guidance referred to in subsection (3)(a) and (b) to specified persons (paragraph (a));
    • Enable a notice of intent or final notice to be withdrawn or amended, for example if the circumstances change (paragraph (b));
    • Set out circumstances under which the enforcer is required to withdraw a final notice (paragraph (c));
    • In the case of a late payment, increase a financial penalty by up to a specific amount or an amount determined in accordance with the regulations (paragraph (d)) but this provision is subject to section 21(3) and (4);
    • Make provision as to how financial penalties are recoverable (paragraph (e));
    • Make provision about what must or may be done with amounts paid as penalties (paragraph (f)).

Fees etc and financial assistance

Section 11: Fees

  1. Subsection (1)(a) of section 11 provides for regulations to allow persons listed in subsection (2), or those acting on their behalf, to require the payment of fees in connection with activities described in subsection (3). Subsection (1)(b) enables regulations to make provision as to what must or may be done with the monies.
  2. Subsection (2) lists the persons who the regulations may enable to charge fees.
  3. Subsection (2)(a) allows regulations to enable fee charging by data holders. It is intended that, unless the regulations provide otherwise, a data holder’s provision of data and its performance of other obligations should be free to customers and third party recipients.
  4. Subsection (2)(b) to (e) allows regulations to enable fee charging by decision-makers, interface bodies, enforcers and any other persons carrying out functions imposed or conferred by or under Part 1 regulations.
  5. The activities described in subsection (3), in connection with which regulations may enable fees to be charged, are activities consisting of the performance of duties or exercise of powers imposed or conferred by or under Part 1 regulations.
  6. Subsection (4)(a) limits the persons who may be charged fees. That subsection only permits regulations to provide for payment of fees by persons that appear to the Secretary of State or the Treasury to be capable of being directly affected by the performance of duties, or exercise of powers, under Part 1 regulations. This would include data holders, customers who exercise any rights granted to them under data regulations or by whom a third party recipient is authorised to act, and third party recipients.
  7. Subsection (4)(b) allows for regulations to provide that the amount of the fee (and the amount of fees in aggregate) may exceed the cost in respect of which it is charged. This is intended to allow fees to be set at standardised amounts and/or on a reasonable commercial basis, where appropriate.
  8. Subsection (5) requires that, except where section 15 (the FCA and financial services interfaces: supplementary) provides otherwise, a fee must be of a specified amount, an amount determined in accordance with the regulations, or an amount not exceeding those amounts. Section 21(3) and (4) provide additional safeguards on the setting of fee amounts and are explained in the commentary on that section.
  9. Subsection (6) allows regulations specifying an amount, or maximum amount, of a fee to allow fees to increase at times and amounts determined in accordance with the regulations, for instance to cater for inflation. This is again subject to section 21(3) and (4).
  10. Subsection (7) provides that where regulations give a person a discretion to determine the amount of the fee, the regulations must require that person to publish information about the amount and how it is determined.
  11. Subsection (8) allows the regulations to make provision about interest on, and recovery of, unpaid sums. This is intended to ensure that interest can be charged, and payments can be collected, in the event that fees are not paid on time.
  12. Subsection (9) enables regulations to make provision about whether a person can require payment otherwise than in reliance on regulations made under subsection (1). This power could be used to "preserve" other powers for charging or to clarify that they may not be used.
  13. Subsection (10) stipulates that neither section 11 nor regulations under it prevent or limit the charging of fees by third party recipients (other than those to which section 4(4)(a) or (b) applies) otherwise than in reliance on regulations under subsection (1). The intention is that the basis of charging arrangements between third party recipients and customers is a commercial matter for them to determine.
  14. Subsection (11) clarifies that requirements to pay fees otherwise than in reliance on regulations under subsection (1) include requirements imposed under other legislation, contracts or other arrangements whenever entered into.

Section 12: Levy

  1. Subsection (1)(a) of section 12 enables regulations to impose, or (subject to subsection (5)) provide for a specified public authority to impose, a levy on data holders or third party recipients to meet the expenses described in subsection (2). Subsection (1)(b) enables the regulations to make provision as to what must or may be done with the monies.
  2. The expenses described in subsection (2) are expenses incurred, or to be incurred, by a person listed in subsection (3), or a person acting on their behalf, in the conduct of functions imposed or conferred on them by or under Part 1 regulations.
  3. The persons listed in subsection (3) are decision-makers, interface bodies, enforcers and public authorities on which requirements are imposed by regulations under section 4(4).
  4. The purpose of the levy is to meet all or part of the costs incurred by those persons so that the expenses of a Smart Data scheme may be met by the relevant sector without incurring a cost to the taxpayer.
  5. Subsection (4) limits the persons on whom the levy may be imposed. That subsection only permits a levy to be imposed on data holders or third party recipients that appear to the Secretary of State or the Treasury to be capable of being directly affected by the exercise of the functions of persons listed in subsection (3).
  6. Subsection (5) ensures that, where regulations provide for a levy to be imposed by a public authority, the regulations must specify how the rate of a levy and the period in respect of which it is payable are to be determined. The regulations must also require the public authority to publish information about that rate and period and how they are determined.
  7. Subsection (6) allows the regulations to make provision about interest on, and recovery of, unpaid sums. This is to ensure that interest can be charged, and payments can be collected effectively, in the event that those to whom the levy applies do not pay on time.

Section 13: Financial assistance

  1. Subsection (1) of section 13 provides statutory authority for the Secretary of State or the Treasury to give financial assistance to a person for the purpose of meeting any expenses incurred by that person in performing duties or exercising powers imposed or conferred by or under Part 1 regulations and in exercising connected functions.
  2. Subsections (2) and (3) stipulate that financial assistance cannot be provided to data holders, customers, or third party recipients (other than a third party recipient that is a public authority which is subject to requirements imposed by regulations under section 4(4)), or persons acting on their behalf.
  3. Under subsection (4), the assistance may be given on terms and conditions that the Secretary of State or the Treasury deem appropriate.
  4. Subsection (5) defines "financial assistance" as any kind of financial assistance whether actual or contingent, including a grant, loan, guarantee or indemnity but does not include the purchase of shares.
  5. It is intended that Smart Data schemes will be "self-financing" (through the fees and levies provided for by sections 11 and 12) but it is deemed appropriate for there to be a statutory spending authority as a "backstop" should that be necessary.

Financial Services Sector

Section 14: The FCA and financial services interfaces

  1. Section 14 enables the Treasury to make regulations to confer powers on the Financial Conduct Authority ("FCA") to impose requirements, via rules, on interface bodies used by the financial services sector and on persons participating in, or using the facilities and services provided by, such bodies. This is to allow the FCA to regulate financial services Smart Data schemes and interface bodies in a manner broadly consistent with its regulation of the wider financial services sector (although with some differences to reflect the specific nature of such bodies and schemes). Direct regulatory oversight of financial services interface bodies is also necessary to allow financial services Smart Data schemes to operate consistently with the arrangements for Open Banking that have been in place to date under the CMA Order.
  2. Subsection (1) permits the Treasury to make regulations to enable or require the FCA to make rules about interfaces used in relation to customer data and business data in financial services. Subsection (1)(a) provides that rules may require financial services providers to use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements when providing or receiving data which is required to be provided by data regulations. Such rules could include requiring data holders to comply with a certain API standard, for example. Subsection (1)(b) provides that rules may require persons described in the regulations to use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements when, in the course of business, they receive data from a financial services provider that is required to be provided by data regulations. Subsection (1)(c) provides that the FCA can impose interface-related requirements on a person taking the action described in section 2(4) (also referred to as ‘action initiation’). This ensures that Open Banking and future Smart Data schemes in financial services are able to function properly. Subsection (1)(d) provides that rules may impose interface-related requirements on persons falling within subsection (3).
  3. Subsection (3) defines the categories of person to which the interface-related requirements can apply. This includes interface bodies, persons required to set up interface bodies and persons who use related interfaces, standards or arrangements or are required to do so. The application is limited to interface bodies, and interfaces, standards and arrangements linked to the financial services sector (see subsection (5)).
  4. Subsection (4) sets out the types of interface-related requirements that the FCA may impose. These include requirements relating to the composition, governance or activities of an interface body linked to the financial services sector. Subsection (5) details when an interface body, an interface, interface standards and interface arrangements are considered to be linked to the financial services sector.
  5. Subsection (6) permits the Treasury via regulations to enable or require the FCA to impose additional requirements on firms to whom its rules apply. The intention of this is to allow the FCA to effectively regulate firms and interface bodies and intervene where necessary.
  6. Subsection (7) provides that the FCA may impose requirements by notice or direction.
  7. Subsection (8) and subsection (9) confirm that the same restrictions on powers of investigation apply to the FCA interface rules and requirements as apply under section 9.
  8. Subsection (10) provides definitions of "financial services provider", "prescribed", "relevant financial services action", and "section 2(4) actor" in respect of the section.

Section 15: The FCA and financial services interfaces: supplementary

  1. Section 15 sets out provisions that regulations made by the Treasury under section 14 may or must contain. The intention of these provisions is to set appropriate parameters for the sub-delegation of rulemaking powers from the Treasury to the FCA via regulations.
  2. Subsection (2) permits regulations to require or enable the FCA to impose any interface requirement that could be imposed by regulations made under section 7(4) or (5), but with the exception that the FCA may not enable or require a person to set up an interface body (only the Treasury may do that via regulations).
  3. Subsection (3) requires that regulations must specify the purposes which the FCA must advance when exercising functions, matters to which the FCA must have regard, and provisions about the procedure for the making of any FCA interface rules.
  4. Subsection (4) provides that regulations may impose requirements and make provision in relation to the FCA’s exercise of any sub-delegated rulemaking powers. This might include, for example, requiring the FCA to carry out a cost benefit analysis in relation to the rules, requiring it to modify or waive the rules as they apply in a particular case, or requiring it to publish guidance about how it proposes to exercise its functions.
  5. Subsection (5) provides that regulations may require or enable the FCA to impose requirements on a person to review conduct, take remedial action and to make redress for loss or damage suffered as a result of misconduct. Subsection (12) clarifies the things that redress may include.
  6. Subsection (6) allows regulations to require or enable the FCA to make rules about the fees that persons listed in subsection (7) must pay to an interface body or another person listed in that subsection, or someone acting on their behalf, in connection with the activities described in subsection (8). This enables FCA rules to allow participants to charge for, and make profits on, activities done in performance of duties or exercise of powers conferred on the person by or under Part 1 regulations.
  7. Subsection (7) provides that fees may be required to be paid by persons within section 14(3)(b) or (c) or financial services providers.
  8. The activities described in subsection (8), for which rules may enable fees to be charged under subsection (6), are performing or exercising duties or powers imposed or conferred on the interface body or persons listed in subsection (7), by Part 1 regulations or by FCA interface rules.
  9. Subsection (9) includes provisions that regulations must or may provide in relation to FCA rules providing for such fees, such as allowing fees to exceed the cost of the things in connection with which the fee is charged, and for the total amount of fees payable in connection with things to exceed the total cost. This subsection also enables the FCA to make provision about the treatment of amounts paid as fees to the persons listed in subsection (7).
  10. Subsection (10) mirrors the provisions in subsections (9) to (11) of section 11 in enabling FCA rules to specify whether – otherwise than in reliance on FCA rules – certain persons may or may not require payment in relation to activities described in section 15(8).
  11. Subsection (11) provides examples of the avenues by which those persons might require payment other than in reliance on FCA interface rules (e.g. by relying on powers conferred by other legislation or powers arising under contracts entered into).
  12. Subsection (12) provides that regulations may provide that the FCA’s powers to make interface rules include powers to do things described in section 21(1)(a) to (h), for example to make different provision in relation to different purposes or areas, or for particular cases, and that the restriction in relation to fees in section 21(3) does not apply.
  13. Subsection (13) provides relevant definitions.

Section 16: The FCA and financial services interfaces: penalties and levies

  1. Section 16 makes provision about regulations that the Treasury may make providing for the FCA to impose financial penalties.
  2. Subsection (2) makes provision about the way in which the FCA may be required or enabled to set penalties by regulations. The FCA may set the amount or maximum amount of a penalty or set the method for calculating such amount. Subsection (3) sets out provisions that such regulations may or must make in relation to the FCA’s policy in setting financial penalties.
  3. Subsection (4) permits the Treasury to impose, or provide for the FCA to impose, a levy on data holders or third-party recipients for the purpose of meeting expenses incurred by the FCA, or a person acting on its behalf, in performing functions imposed or conferred by regulations under section 14. This is to allow the FCA to recover expenses arising from its regulatory functions under Part 1. The regulations may make provision about what may or must be done with the funds. Subsection (5) provides that only directly affected persons should be subject to the levy. Subsections (6) and (7) confirm that the same requirements apply to regulations providing for this FCA levy, as apply to regulations for other levies in Part 1.

Section 17: The FCA and co-ordination with other regulators

  1. Section 17 enables the Treasury to make regulations amending section 98 of the Financial Services (Banking Reform) Act 2013. Regulations may amend the definition of "relevant functions" to add or remove a function conferred on the FCA by regulations under Part 1 or amend the definition of "objectives" to add or remove an objective of the FCA relevant to such a function. This is intended to ensure that the FCA’s functions under Part 1 regulations can be brought within scope of existing arrangements for co-ordination between the regulators of payment systems under Part 5 of the 2013 Act.

Supplementary

Section 18: Liability in damages

  1. Section 18 permits the Secretary of State or the Treasury to make regulations to provide that a public authority cannot be liable in damages when it exercises its functions under Part 1. This power is conferred to ensure that a public authority can carry out its functions effectively and derives from the exemption from liability in damages for the FCA under the Financial Services and Markets Act 2000 (FSMA 2000), which spares the FCA the need to defend vexatious claims that are a significant resource burden.
  2. Subsection (2) lists the types of person eligible to be excluded from liability.
  3. Subsection (3) ensures that liability cannot be excluded where a person has acted in bad faith or if this would conflict with the Human Rights Act 1998, reflecting the FSMA 2000 provision.

Section 19: Duty to review regulations

  1. Subsections (1) and (2) of section 19 require (subject to the exceptions in subsection (8)) the Secretary of State and the Treasury ("the relevant person"), by regulations, to provide for review of provisions made by them in other Part 1 regulations ("Part 1 provision").
  2. Under subsection (3), the regulations must require review of the Part 1 provision in question, followed by publication of a report setting out the findings of that review and the laying of a copy of the report before Parliament. The intention is to give Parliament ongoing oversight of Smart Data schemes after they are introduced.
  3. Under subsection (4), the regulations must require the first report to be published within five years of the Part 1 provision coming into force and the publication of subsequent reports at intervals of no more than five years, the intention being that Smart Data schemes are reviewed at least once every five years.
  4. Subsection (5) deals with the criteria against which the regulations must require the review to be conducted. In all cases, the regulations must require the relevant person to consider whether the Part 1 provision in question remains appropriate. That must be assessed having regard to whether the provision continues to achieve the objectives it is intended to achieve but may also be assessed having regard to other matters. Where that provision is part of data regulations, the review must have regard to the matters to which the regulation-maker was required to have regard in sections 2(5) and 4(5).
  5. Subsection (6) requires the regulations to provide that the published report omits material that the relevant person thinks might harm a person’s commercial interests.
  6. Subsection (7) allows the regulations to provide for a joint review and report in respect of Part 1 provisions made respectively by the Secretary of State and the Treasury.
  7. Subsection (8)(a) and (b) is intended to disapply the review requirement in relation to regulations which amend Part 1 regulations ("substantive regulations") to which the review provision already applies, the intention being that provisions inserted (or otherwise modified) in the substantive regulations will be reviewed in accordance with the existing review requirements and timetable of the substantive regulations. Subsection (8) also ensures that the relevant person is not required to review revoked provisions.
  8. Subsection (9) disapplies the review requirements in section 28 of the Small Business, Enterprise and Employment Act 2015 to avoid multiple review requirements.

Section 20: Restrictions on processing and data protection

  1. Subsection (1) of section 20 ensures that, except as provided for by subsection (2) in relation to data protection, Part 1 regulations may provide for the processing of information not to be in breach of an obligation of confidence (paragraph (a)) or any other restriction on the processing of information (paragraph (b)).
  2. Subsection (2) provides that Part 1 regulations are not to be read as authorising or requiring processing of personal data that would contravene the data protection legislation. However, in determining whether processing of data would do so, account may be taken of the requirements of those regulations. Subsection (3) defines "the data protection legislation" and "personal data" by reference to the DPA 2018.
  3. Subsections (1) and (2) reflect the provisions relating to pensions dashboards inserted by the Pension Schemes Act 2021 at section 238B(6) and (7) of the Pensions Act 2004.

Section 21: Regulations under this Part: supplementary

  1. Subsection (1) of section 21 is largely self-explanatory. However, readers may, in particular, wish to note the following provisions.
  2. Paragraph (f) allows Part 1 regulations to make provision by reference to standards, arrangements, specifications or technical requirements as published from time to time. This reflects section 238A(5)(a) of the Pensions Act 2004 relating to pensions dashboards. The purpose of this provision is, in particular, to allow for technical requirements by reference to published standards that are updated in line with developments in information technology.
  3. Paragraph (g) allows the regulations to confer functions on a person which may include the exercise of a discretion and to make related procedural provisions. The ability to confer discretions reflects section 91(1)(b) of the Enterprise and Regulatory Reform Act 2013, which Part 1 of this Act replaces, and section 238A(6) of the Pensions Act 2004.
  4. Subsection (2) prevents Part 1 regulations from requiring or enabling a person to set the maximum amount of a fine, but regulations may refer to the standard scale, the statutory maximum or a similar amount.
  5. Subsection (3) prevents Part 1 regulations (except where otherwise provided for by sections 15 and 16 in relation to the FCA) from requiring or enabling a person to set the amount or maximum amount of a penalty or fee or the method by which that amount may be determined or, likewise, to set the amount, maximum amount or method of any increase of a penalty or fee. However, subsection (4)(a) enables the regulations to provide for that amount or method by reference to a published index. Subsection (4)(b) enables the regulations to require or enable a person to make decisions about the amount payable, or its increase or reduction, in a particular case, within the framework of the maximum amount or methodology set out in the regulations.
  6. Subsection (3) also clarifies that the regulation-making power under section 11(9) is not restricted by section 21(3).
  7. Subsection (5) allows for amendment, repeal or revocation of primary legislation (as defined in section 25(1)) in limited circumstances, these being to make provision about handling of complaints, dispute resolution and appeals and for provisions under subsection (1)(h) (incidental, supplementary, consequential, transitional or saving provisions). It is envisaged that subsection (5) might, for instance, be used to extend any statutory dispute resolution scheme in a specific sector to any Smart Data scheme which applies to that sector.

Section 22: Regulations under this Part: Parliamentary procedure and consultation

  1. Subsection (1) specifies the circumstances in which Part 1 regulations must be subject to affirmative Parliamentary scrutiny.
  2. Under paragraphs (a) and (b), affirmative scrutiny is required for the first regulations under sections 2(1), (3) and (4) and 4(1), (3) and (4) making provision about a particular description of customer data or business data. It is intended that regulations introducing a Smart Data scheme will be subject to affirmative scrutiny.
  3. Under paragraph (c), affirmative scrutiny is required for regulations which make requirements more onerous for data holders or interface bodies.
  4. Under paragraph (d), affirmative scrutiny is required where regulations are made under, or in reliance on, the following sections:
    • Section 6(5) (monitoring power of a decision-maker);
    • Section 7 (interface bodies);
    • Section 8 (enforcement of regulations under this Part);
    • Section 11 (fees);
    • Section 12 (levy);
    • Section 14 (the FCA and financial services interfaces);
    • Section 16 (the FCA and financial services interfaces: penalties and levies);
    • Section 17 (the FCA and co-ordination with other regulators); or
    • Section 18 (liability in damages).
  5. Under paragraph (e), affirmative scrutiny is required for regulations to which section 21(5) applies, which amend, repeal or revoke primary legislation.
  6. Subsection (3) requires that before making regulations of the kind requiring affirmative resolution, the Secretary of State or the Treasury must, as they consider appropriate, consult:
    • Persons likely to be affected by the regulations, e.g. businesses who would become data holders under the regulations, or their representatives;
    • Sectoral regulators with functions in relation to data holders under the proposed regulations.
  7. Subsection (4) clarifies that, in making regulations, the Secretary of State or the Treasury can rely on a consultation which takes place before this section comes into force.
  8. Neither the consultation obligation in subsection (3) nor anything else in Part 1 affects the obligation of the Secretary of State to consult the Information Commissioner under Article 36.4 of the UK GDPR, where it applies.

Section 23: Related subordinate legislation

  1. Section 23 provides that the regulation-making powers in Part 1 may be exercised so as to make, in connection with related subordinate legislation, any provision that they could be exercised to make as part of, or in connection with, provision made under sections 2(1) to (4) or 4(1) to (4). This is intended to allow Smart Data provision to be made by amending, or making provision consequential to, existing subordinate legislation, rather than making stand-alone regulations. This could include for example amending existing data sharing requirements in financial services legislation such as Open Banking provisions in the Payment Services Regulations 2017.

Section 24: Repeal of provisions relating to supply of customer data

  1. Section 24 repeals sections 89 to 91 (supply of customer data) of the Enterprise and Regulatory Reform Act 2013, which Part 1 replaces.

Section 25: Other defined terms

  1. Subsection (1) of section 25 defines terms which have not been defined elsewhere in Part 1. Some of these definitions are referred to in these notes in the context of specific sections. Readers should, in particular, note the definition of "specified" in relation to the contexts in which that section is used and "third party recipient" which may refer to a third party recipient for customer data (section 2(2)), business data (section 4(2)) or both according to the context.
  2. Subsection (2) explains what is meant by references in Part 1 to something being done "in the course of business".

Section 26: Index of defined terms for this Part

  1. Section 26 sets out an index of terms defined in Part 1.
