The Data (Use and Access) Act 2025 (DUA) received royal assent on 19 June 2025, with changes coming into force in phases from June 2025 to June 2026. The primary aim of the legislation is to promote innovation and economic growth.
In the first instance DUA seeks to achieve this by reforming UK data protection laws to make it easier to innovate and reduce the administrative burden of compliance, whilst retaining and strengthening important privacy protections. One such reform is the introduction of pre-recognised legitimate interests, which will make it easier for firms to rely on the legitimate interests lawful basis.
However, wider changes are also coming into force under DUA, aimed at unlocking the economic potential of data: specifically, the creation of new frameworks for digital verification services and smart data schemes. These changes, along with enhanced data sharing, are particularly notable for the fintech sector.
This article explains how DUA will drive fintech innovation through digital verification services, smart data schemes, and enhanced legitimate interests. We also outline the next steps for fintech firms as DUA moves towards implementation.
Digital verification services will reshape know-your-client (KYC) checks across multiple industries where identity verification is critical, including financial services.
For regulated firms, KYC checks are non-negotiable, and traditional verification methods often lead to delays, customer frustration and increased costs for the business, and can represent a greater fraud risk.
Digital verification services offer a solution for this. They will enable individuals to prove their identity digitally, through secure and standardised means.
Certified providers will appear on a central public register. These providers will verify information about an individual and then generate credentials which the individual can use to prove who they are to third parties, without needing to present their identity documents again. The third parties will be able to rely on the credentials because they have been generated by a digital verification services provider that is certified and listed on the public register.
This will streamline onboarding and remove the need for consumers to complete separate KYC checks for every new service provider.
The security risks associated with handling identity documentation will also be removed for organisations, if they no longer need to collect and retain copies of these documents.
For those operating within the financial services sector, it's clear to see why digital verification services will result in an improved user experience, increased trust and confidence and reduced operational costs.
Smart data schemes will enable the secure sharing of data between authorised third parties.
Following the success of Open Banking, which allows individuals to share banking data between trusted providers to access financial services, the government is launching smart data schemes across a wider number of sectors, as well as looking to expand the use of smart data schemes within financial services.
The secretary of state will establish sector-specific smart data schemes through secondary legislation. The initial sectors identified for this are financial services, energy, home-buying, telecoms, transport and retail. Each scheme will be subject to different rules which will determine what data may be shared under it, and what the conditions for access to the data are.
The key areas of focus for financial services are pensions and insurance, together with investments and savings: essentially, the goal is to expand Open Banking concepts and initiatives into these other areas.
For consumers, there will be significant benefits. Consent-driven data sharing for a wider range of financial products will make it easier and quicker to switch providers, manage insurance renewals and consolidate pensions. Smart data schemes will unlock new opportunities for organisations operating within the financial services sector as well. They will enable innovation and competition by increasing the availability of quality, real-time data. Organisations will be able to tap into richer data sets to better understand their customers and offer customised financial products and services. This should also result in more effective pricing decisions and potentially lower costs to users.
Once smart data schemes are launched across a greater number of sectors, this will also open the door for more sophisticated cross-sector partnerships. It will facilitate the combination of financial data with data from other sectors such as energy or retail. As a few examples, we expect to see an increase in subscription management tools, including those which help consumers to switch services in order to access better deals, as well as cross-sector loyalty programs, more tailored product recommendations and motor insurance considering vehicle data and financial data.
DUA also introduces a practical change, making it easier for firms to rely on legitimate interests as a lawful basis for processing personal data in prescribed circumstances.
Broadly, DUA will amend the UK's General Data Protection Regulation (GDPR) to allow controllers to rely on certain 'recognised legitimate interests' (RLIs) without having to apply the legitimate interests balancing test. This removes the need for the controller to balance the impact on the people whose personal information is used, against the benefits arising from that use, to determine whether the legitimate interest lawful basis is available.
These RLIs include activities linked to detecting, investigating or preventing crime; safeguarding of vulnerable individuals; and national security and defence. This creates a clearer route for firms to rely on these RLIs.
We're expecting the new RLIs to come into force in early 2026.
Financial services firms and fintechs should benefit from this enhancement to the existing legitimate interests framework once the RLIs come into effect, for example in respect of due diligence activities, fraud prevention, and transaction and ongoing monitoring activities for financial crime purposes. This is a positive step given the UK’s Financial Conduct Authority’s continued focus on financial crime risk within the sector.
DUA presents an opportunity for further transformation within the fintech sector, moving beyond the Open Banking features and services that are now fairly commonplace, to a more sophisticated Open Finance landscape, offering better user experience and wider access to data.
By introducing frameworks for digital verification services and smart data schemes as well as enhancing the existing legitimate interests framework, it also works to address current challenges around identity verification and financial crime risk whilst allowing for more joined-up data sharing and collaboration across different industries and sectors. All of this opens the door for the next phase of innovation.
Whilst we wait for the relevant secondary legislation to implement these changes, it's an exciting time for firms to explore new product and partnership opportunities and also consider the practical benefits of leveraging digital verification schemes. Firms would be wise to consider their current data strategy and approaches to data collection and processing, to determine how RLIs may apply to their activities.
If you have any queries on DUA and the topics in our article, please contact Hannah Elliott in our commercial team who specialises in data protection and technology, and Oliver Woodhouse, who leads our financial services regulatory practice.