Response to discussion on Approach on financial technology (Fintech)
Go back
● Assess national regulatory regimes and produce an EBA report or an opinion with a view to reviewing the perimeter of regulation.
Considering the results obtained in the mapping exercise, it is very relevant that an analysis of the different regulatory regimes is addressed by the EBA. Should this analysis reveal the need to review the perimeter of regulation because of an uneven playing field and the existence of regulatory arbitrage, then the EBA could draw up an opinion to EU legislators suggesting measures as necessary.
We would also see merit in the issuance of narrow fintech licences with EU passporting facilities for specific activities, as long as the level playing field is ensured. These licences should be activity and risk specific and banks should be allowed to perform any of the activities regulated under narrow fintech licenses. This is particularly useful in areas where market developments have not been followed by a thorough risk analysis and, the case being, appropriate regulation (such as crowdlending, financial services marketplaces or virtual asset management).
● Further assess the features of sandboxing regimes, innovation hubs and similar regimes.
We consider the role that EBA can play in the field of harmonisation of criteria applied by national sandboxes to be very important, following the detailed study announced in the proposed way forward.
In our opinion, we believe that it is of utmost importance to pursue a common EU framework for sandboxes, to avoid the increasing fragmentation within the EU. This requires, first, collaboration among institutions (the European Commission and the ESAs), as each of them has different legal powers and goals.
Secondly, a coordinating authority should unify these efforts and provide guidance to individual authorities. This European authority could ensure that all different national initiatives have the same approach, provide the same service and allow the same exceptions. Otherwise an uneven playing field will arise among different Member States. Moreover, this authority would help to:
• Share information on the typology of the areas or projects studied by the different national sandboxes;
• Identify test cases, with clear benefits for the market, and scale their use at European level.
• To promote the establishment of agreements with external innovation ecosystems, which might benefit all EU stakeholders, as further links with new markets might aid the EU in its global leadership goal.
The deployment of this public innovation policy framework should lead, in the long term, to the establishment of an EU framework of experimentation with participation on a voluntary basis. The European regulatory sandbox should be inclusive and take into account all interested parties, regardless of their size or business model. The ESAs should coordinate and provide guidance on regulatory sandboxes to national competent Authorities, while the ECB could run a special regulatory sandbox for cross-border innovations within the SSM.
The legal framework governing this setup should clarify how these sandboxes must operate: entry requirements, what happens while in the sandbox and how the project should enter the market. Furthermore, as this is a learning process, a review of the final decision should be publicly shared for all interested parties to understand the rationale of this outcome. Nevertheless, a list of potential regulations that might be softened, tools that all participants might access and the limitations related to customer protection and systemic stability must be listed prior entering the sandbox.
**
Finally, we believe that converting the EBA Guidelines on authorisations under PSD2 into RTS would be very positive as this will provide higher harmonization since Guidelines are mere recommendations that not all supervisors follow in the same way. At the same time, RTS will also offer more detailed provisions than the Guidelines. For the same reasons, we support EBA’s intention to harmonize the assessment of applications, since these would be helpful not only for the harmonization of the EU framework, but also for raising the standards of security for consumers and the financial system in the EU.
In our opinion, technology should not only be assessed as a possible new source of risk. Supervisors should bear in mind that new technology (artificial intelligence, automation, Cloud, APIs, biometry, among others) has the potential to contribute positively to the stability of the financial system by enhancing compliance, regulatory reporting and risk management. At the same time, as technology evolves, there is merit on the EBA providing guidance to other supervisors and promote knowledge sharing to keep pace with innovative technologies, to avoid creating barriers in the use of technologies supervisors are less familiar with.
We support the BCBS’s approach to use the PSMOR (Principles for Sound Management of Operational Risk) framework to control for the operational risks arisen by technological developments. These are well established within banks and this will help introduce any additional monitoring needed in a more efficient way. At some point, digital transformation will happen across the whole organization and the integration of any risk in the PSMOR will also allow for a more holistic approach.
Considering proportionality, we believe that non-banks should also need to apply PSMOR principles in their functions, especially BigTechs that have the potential to spread the consequences of an incident to an important number of consumers and businesses. Moreover, governance requirements should also be applicable to non-banks that can create a consumer protection or financial stability impact.
We also believe, however, that the assessment of the risks arising from the application of new technologies, particularly with regard to increasing competition, should take into account the contribution of the regulatory framework to the greater or lesser flexibility of the banking industry to deal with emerging opportunities and risks in an effective manner.
The process of bank transformation necessary to adopt the new fintech challenges must necessarily be accompanied by a review of the regulatory field of banking institutions.
To name a few examples:
- The role that prudential regulation and supervision play in explaining the main asymmetries between bank and non-bank players. Banks, as deposit-taking institutions, are subject to prudential regulation (under the framework of the CRR/CRD) and supervision, which affect any activity within their consolidation perimeter. In many of these activities, regulated institutions now compete with non-bank players that are only subject to activity-specific regulation and supervision, at best, or are not even regulated, as seen in the responses to the survey conducted by the EBA. Therefore, fintech activities are usually subject to more stringent regulation when they are performed within a banking group than if they are provided by other types of institutions. An illustrative example can be found in the remuneration rules under the CRD. This Directive sets a limit to the ratio between the variable and the fixed salary that financial institutions can pay to certain staff members identified as risk takers. These, and other rules on internal governance or outsourcing requirements leave banks in a situation of competitive disadvantage in terms of cost, time-to-market and talent attraction and retention.
- National rules that impede the adoption of new technologies. For instance, if a bank wants to make use of the cloud, although the authorization of outsourcing falls within the scope of the SSM for entities under its supervision, there are national rules (of approval procedure, data localization, etc.) that can hinder the migration to the cloud of certain data and processes and therefore, prevent to fully reap the benefits of this technology. This lack of harmonisation of national rules or supervisory approaches affects, particularly, to institutions with a pan-European presence.
Although we thank the EBA’s recent efforts to adapt outsourcing recommendations to the specificities of cloud computing technology, these recommendations do not prevent the emergence of different national approaches in the adoption of cloud, nor do they apply to new entrants providing financial services, thus creating an uneven playing field.
Nevertheless, we would like to comment some additional risks not treated specifically in the EBA discussion paper:
1. Potential unfavourable treatment on data:
After the entry into force of PSD2 and GDPR, the financial sector has been one of those more affected by initiatives to open data, in relation to the rest of sectors that do not have similar measures.
We are a highly regulated sector, for obvious reasons. To conduct the banking business, institutions must invest significant amounts of resources in internal systems for effective risk control. Banks are continuously enhancing the credit rating and scoring systems and testing them with the behaviour of the debtors. It is an assessment that the banks perform based on their experience. It is qualitative proprietary information that banks should not be forced to share with third parties. If banks are compelled by prudential rules to invest heavily in ensuring high quality of credit data but at the same time they are forced to open them, there will be a continuous drain of value from banks to other players.
A hypothetic situation where information obtained and created by banks were forced to be shared with other investors would lead to an imbalanced situation: third parties would be able to grant credit in better conditions than banks as they do not have to incur those systems costs.
Initiatives to open data were driven by an interest from policy makers to increase competition. We believe that supervisors should monitor regulatory developments towards further opening bank’s data without a similar opening in other industries, at the risk that bank’s business models may be severely damaged while competition objectives are not attained.
As the FSB comments on its report “Other oligopolies or monopolies may also emerge, for example, in the collection and use of customer information, which is essential for providing financial services”. This is clearly the case of BigTechs that can have a potential disruptive impact on the financial sector due to:
- They have the technological resources and expertise as well as a large customer base to deploy financial products with agility and gain presence in the financial sector.
- Some of them are also tech providers of critical services for financial institutions (banks are increasingly using their cloud‐based infrastructure to scale and deploy processes, as well as their AI capabilities to build new services).
Therefore, the opportunities that new technologies offer to extract value from the information of clients and therefore proceed with a refined assessment of their needs must be fostered along with the necessary mechanisms to:
- balance the use of data with the risks associated with data protection and cyber security and;
- create the data market with appropriate guarantees, such as the parties’ freedom to agree on a fair price; and in that sense, from the banking sector we believe that any data initiative must respect the principles of reciprocity and voluntariness.
Moreover, it would seem also relevant to extend the analysis of risks and opportunities for the system to the systemic BigTechs and conduct some specific study on its impact on the financial sector both from a prudential point of view and their impact on the business model of financial institutions.
2. Third-party risks: outsourcing and partnership:
Another type of risk not covered in this paper, but tackled at least partially in the EBA Draft recommendations on cloud outsourcing published last August 2017, is the risk arising from the increasing partnership of the banking industry with third parties both at the front end with fintech firms partnering with banks (via for instance APIs), and in back offices and supporting functions where more IT infrastructure and services are outsourced to globally active Bigtech firms and start-ups.
As the BCBS consultative document states, “Banks should ensure they have appropriate processes for due diligence, risk management and ongoing monitoring of any operation outsourced to a third party, including fintech firms”. We believe however that, at the same time, Authorities should promote:
- A clear allocation of responsibilities so new players should be responsible of their own operational risk as well as AML requirements, as for instance. A special support from banking supervisors would be welcome by establishing clear responsibilities for helping banks to deal with technology providers.
- A harmonisation across jurisdictions to ensure a common approach by regulators/supervisors regarding procedures and methodologies and outsourcing projects process approval and at the same time ensure that outsourcing in the banking industry does not face unjustified burdensome requirements, not faced by other players (e. g. the right to physical access to data in the cloud is not consistent with its global and decentralised nature).
We agree that the EBA should assess the risks and opportunities generated by Distributed Ledger Technologies in the field of payments. However, the EBA should not restrict this assessment to payment institutions or electronic money issuers, but also to traditional banks that are also very active in these technologies. It would be very positive for the development of the technology to have more clarity on which is the nature of different DLT use cases from the point of view of authorities and that this assessment is harmonized at EU level as most of the consortia working on it are cross-border.
Additionally, we believe security should be a relevant point of attention for authorities in the field of payments, especially from the entrance into force of PSD2. Higher interconnection will lead to higher cybersecurity risk, so authorities should be vigilant that each point in the information chain meets the cybersecurity standards required to protect customers and the integrity of the financial system. There would be merit on the EBA to assess coherence of cybersecurity requirements and assessments across countries within the EU.
In our view, some of the scenarios depicted by BCBS are already a reality and will develop further. The combination of scenarios or situations that may arise in the future will depend on the capacity and agility of banks’ transformation processes. As mentioned before, this cannot be carried out efficiently if no measures are taken to:
• guarantee a level playing field, either by eliminating unnecessary barriers to traditional players or by regulating all participants according to activities and risks;
• to encourage the creation of an ecosystem (bidirectional data access, infrastructure investment shared by all participants);
• apply the principle of technological neutrality (see our answer to Questions 15 and 16);
• to encourage innovation (hubs, sandboxes);
As proposed in our answer to Question 1, if these interviews lead to relevant issues that need to be addressed by European and/or national regulators, it would be appropriate for EBA to provide an opinion to the European authorities if deemed necessary.
If we analyse the relationship of new entrants and incumbents, the new solutions of the former can either compete with existing solutions, unbundling the value chain, or enhance them, improving the existing offer and processes through partnerships. In some cases, banks follow a user-centric strategy, leveraging the possibilities offered by technology, and not as a defensive reaction.
In other cases, it is not a question of analysing the impact of new entrants on the traditional market, but directly, the effects of the emergence of new technologies that alter, or can substantially alter, the way of doing business (for example, cloud or DLT). These new technologies offer great opportunities for the financial sector, as they may address inefficiencies at the core of the banking infrastructure. However, currently financial institutions face certain supervisory obstacles that impede them to use these technologies to their full potential. As new entrants that construct themselves on these technologies continue to gain market share, these regulatory and supervisory obstacles together with the burden of legacy IT infrastructures faced by banks could make credit institutions in competitive disadvantage with the new entrants (be it start-ups or technology giants).
As acknowledged by the EBA, modernisation of these systems is a “must” for those financial institutions that seek to survive in this new digital age, but this demands a significant investment.
However, there are important regulatory factors impacting the competitiveness of banks in relation with new entrants. Regulatory asymmetries offer new entrants the opportunity to compete with unequal requirements in terms of solvency, liquidity, reporting or governance among others, allowing non-banks to provide the services at a more competitive pricing.
PSD2 is a paradigm of regulation for digital banking. It encompasses some disruptive features such as opening data, sharing bank’s infrastructures and facilitate the entrance of new players through lighter requirements concerning initial capital or proportionate cybersecurity requirements. It also finds a solution for customer’s safety by requiring banks to restore the account’s balance irrespective which party caused the damage. The objectives of the Directive are welcomed. However, since third parties will not pay for accessing payment accounts, this creates an asymmetry in the contribution to the sustainability of the payments infrastructure. Besides, different standardization requirements between this regulation and GDPR as regards access to personal data will also create an asymmetry between financial institutions and other players.
Moreover, banks that want to perform activities related to payment services are not only bound by PSD2 but by the general banking regulatory framework. Even if a bank is using an autonomous subsidiary purely dedicated to this activity, general rules such as CRR/CRDIV apply to this entity (including the need to deduct investments in software from capital , the need to limit equity-linked remunerations typical of the digital ecosystem or the need to establish tight governance processes) to the extent to the consolidation rules apply, unless the bank avoids taking a controlling stake. As this is not applicable to the rest of competitors that don’t belong to a banking group, this is putting an extra layer of regulatory burden in banks and lowering their capacity to deliver on innovation, not only to the detriment of shareholders, but also to the communities these innovations would have benefitted.
For all of this, we support the EBA approach to further develop their understanding of the impact of Fintech and new competitors within banks business models and work on how to level the playing field, as it will have an impact in the EU financial system and the economy, especially as disintermediation progresses. Actions should be taken to avoid the risks that this can generate not only on banks but on the rest of the financial system and consumers.
As mentioned by the EBA, some business models create extra difficulties in terms of consumer protection. This is the case, for instance, of marketplaces in which consumers can directly sign up to products from different providers. In this context, the lack of a regulatory framework generates uncertainty about the allocation of liabilities, and whether the responsibility lies with the provider or with the platform. As platforms are not regulated, this would ultimately lead to an overburden of the liability on the providers, which are regulated figures.
Another example would be the comparison websites that show financial information in a manner that may not always be fair or complete. When conducting comparison, information, recommendations, advisory services or distribution services online a clear distribution of responsibilities is needed as well as oversight by financial authorities.
Given that in the digital space the boundaries among sectors are unclear and new business models appear constantly, we believe it is paramount to establish the monitoring of players from an activity based perspective: supervise the activity and not the actors would be more practical in a context where the number and nature of actors evolve rapidly.
It is essential that any new regulation or policy ensures a level playing field and works on the reduction of asymmetries among the different players. The level playing field should be understood as a framework in which activities involving the same risks receive the same regulatory treatment, regardless of the channel or the institution offering it, and in which there are no unnecessary barriers to fair competition. Otherwise, users of the same financial service could end up being subject to different levels of protection depending on whether the service is provided by an incumbent or a new entrant.
- Concerning equivalent regulation to be extended to non-regulated firms when providing the same services. For instance, not all European countries have developed legislation for alternative finance, creating a set of diverging regulatory frameworks within the EU. In these cases, new fintech players trying to operate cross-border face a practical impossibility due to the lack of passporting facilities.
- In setting up a harmonized framework for cooperation, setting a clear distribution of competences between home/host supervisors and the EBA playing the role of being a forum for facilitating information sharing.
At the same time, there is a lack of an interoperable digital identity system, which creates a problem of fraud and identification. It is key to ensure that identification means are effective and can be used across national boundaries (e.g. in case of videoconference, it is only accepted in a limited number of countries).
There are practical steps that could be taken in this direction. For instance:
- Product conditions should be clearer to facilitate the understanding for customers, even at cross-border basis.
- As mentioned in the previous question, it is key to ensure that identification means are effective, and they can be used across national boundaries (i.e. in case of videoconference, it is only accepted in a limited number of countries).
- It is key for the consumer to determine who is the entity he is dealing with. Without this, the customer cannot make a claim.
- There is also a need to have a dispute resolution mechanism that is supranational, whose decisions cannot be reviewed by local courts, especially to ensure that a foreign court is not going to decide to apply a foreign law. This may not necessarily require the creation of a new body, but could instead be articulated on the existing institutional architecture.
- Besides, to enforce the decisions taken by this mechanism, it could be complemented with the setup of a mechanism at EU level that anticipates the payment of any compensation to the customer and then deals with the other party at cross-border level.
Although some of these suggestions may exceed EBA's powers a priori, we believe that they are essential for effective consumer protection and to ensure a high level of transparency in the information he receives, matters that fall under its mandate.
On the other hand, we believe that authorities, including the EBA, must strengthen their supervisory function on the new services that arise, taking a proactive role when the service provider does not meet legal requirements or exceeds its license, providing services that they have not been authorized to. Currently, supervisory practices focus primarily on risk taking within supervised entities instead of on the actual risks taken by any player in the market. As an example, a bank is always supervised by the Competent Authority, while a technology company which provides similar services might not. In our understanding, when the activities and assumed risks are related to financial services, there should be an ex officio supervision to ensure that all legal safeguards are applied. This measure ensures that customers only access safe and secure financial services and avoids regulatory arbitrage.
An issue that could facilitate the exercise of consumer rights is the introduction of one-stop-shop mechanisms, that could streamline the process of filing complaints for consumers, especially in cases where the financial service is provided through an interaction of various firms with different regulatory status (for instance, platforms models).
One of the fears of the banking industry, especially aggravated under PSD2, is that whenever a traditional provider is involved (such as a bank), most of customer claims will be addressed to it, as the procedures are more familiar for the customer. And this, even if the traditional provider has not been actively involved in the service (for example, in case of a PISP that makes payments through the bank’s account). This can generate an increase in the level of complaints that can be a source of the bank's reputational risk and a source of administrative burden, even if most of them are finally not declared to be the bank’s fault.
Similar risks to the concerns identified for complaints may also apply to any risk management process as the lack of common regulatory standards regarding risk management across all players may create more risks for customers in this market. We would welcome the EBA to conduct further work on how the current risk management process can present the same degree of protection for customer regardless of the entity providing the service.
Moreover, concerning precontractual information, at present, there are strict frameworks that prescribes the information that should be gathered, such as in the case of MIFID or the Mortgage Credit Directive. These provisions are in place for one kind of players (banks), but are not being applied by all providers, jeopardizing market integrity, consumer protection and security. We support that all players comply with consumer protection obligations, including disclosure requirements so that consumer is equally protected irrespective the nature of the financial service provider. This will drive a framework based on the principles “same services, same risks, same rules, same supervision”.
Finally, given the way of interaction with customers is changing due to the digitalization, EBA should further explore whether the current disclosure rules should move from standardized documents (KIDs, PAD’s statement of fees, etc.) to alternative, more personalized ways of providing the information that is significant to each customer, provided the relationship follows high level principles established in the regulation. Authorities should bear in mind that innovations (mainly mobile technology, big data and robots) provide an opportunity for firms to significantly personalize the way they interact with customers, according to their needs and preferences. We do not believe that the change should be made by adding more documentation or information, but replacing it by other interactive formats.
For instance, when subscribing a mortgage loan that includes limitations on the variability of the interest rate (floor and ceiling clauses) or that involve the subscription of an interest rate risk hedging instrument, or that are granted in one or more currencies, the public deed shall be required to include, together with the client's signature, a handwritten expression by which the borrower declares that he or she has been adequately warned of the possible risks arising from the loan.
Another example is the requirement by Spanish laws of a physical signature before a notary for a mortgage to become enforceable. This means that only part of the experience can be digital, but the end should be done in a specific place (the notary’s office). We believe there should be merit on integrating the digital public faith for these purposes.
We do not believe that using big data will generate financial exclusion. This is more related to conduct and not to the fact that the company is using more or less data driven technologies. In fact, the traditional relationship in the financial sector could have led to more discriminatory practices as it relied more on the behaviour of individual employees. The more the decisions are automated, the lesser the risk that these situations arise.
Regarding the effects of more granular risk segmentations, we agree that these could lead to higher premiums, but this has been occurring long before the digital era, so this is not a new issue affecting customers. Pricing practices take different forms and evolve over time. Not always such pricing practices should be a concern, only when they are discriminatory with no objective foundation.
Applying Big Data techniques is vital for financial institutions as well as for other industries that are increasingly using these techniques. We must bear in mind that the rest of economic sectors are not subject to any regulation concerning Big Data, so developing one specific to the financial sector would have very negative consequences for the competitiveness of regulated financial entities. We believe the ESAs should avoid this. The principle “same activities and risks, same rules and supervision” should apply to all companies regardless of the sector or location. Big Data should be subject to same rules disregarding who applies it.
1. Liquidity and retail funding stability issues:
o Payment aggregators can make automatic transfer orders on behalf of clients if they also hold payment initiation services license. Depending on the goal that leads the decision by which a client decides to hire an aggregator (e.g. search for profitability, a combination of liquidity and profitability, search for quality, …), the automatic orders are developed taking into consideration the available information on regards of the product, the bank and the economy and with the objective to maximize that goal. Information may comprise ratios, indicators, financial and non-financial information of the bank and the country where the bank is present. The possibilities to exploit the available information has increased drastically due to the improvement of technology. In a feasible scenario where the population of aggregators reaches a relevant size, the combined result of the way they operate, even though they operate individually, will for sure increase the volatility of retail deposits, as recognised by the FSB (“Aggregators (…) could increase the volatility of bank deposits, with implications for banks’ liquidity positions. More generally, in more competitive environments, an increase in the speed and ease of switching between service providers could potentially make the financial system more excessively sensitive to news.”).
Although banks have the needed tools to manage and control daily their liquidity inflows and outflows (LCR) and must analyse the stability of their sources of funding (NSFR), the introduction of such a phenomenon may pose some risks to the financial stability. The scenario that suddenly a big amount of deposits were to be withdrawn from several banks and were to be allocated in just a few banks is something that cannot be disregarded.
Therefore, we agree with the issues identified by the EBA on the fact that increased digitalisation may also speed up the movement of deposits. The risks that may arise should be faced not by impeding clients to move their money through digital channels but by designing the necessary tools to tackle these risks. For that reason, we believe that controls should be introduced to avoid these hypothetical scenarios. Consideration should be given to the possibility to ask for internal controls in the aggregator itself and external control and supervision to the whole of the platforms that may act as aggregators.
o Equally important is that when depositors move their funds, they can clearly distinguish between a bank, where their deposits are covered by the DGS, and different financial services provider. If contagion were to happen (it was for example the case in Spain some years ago with the Afinsa society), financial stability issues might arise, and the deposits stability could be put at risk.
As Fintech develops, we also expect cross-border digital banking to be more available for retail customers. We consider this to be a positive development for consumers and competition and to create a true European retail financial market. The Deposit Guarantee Scheme Directive adopted in 2014 has enhanced the functioning of national Deposit Guarantee Schemes and offers better protection to depositors through a harmonised coverage of depositors across the European Union and a shortened time-limit for pay-outs. However, some important differences remain across Member States in the implementation of the Deposit Guarantee Scheme Directive rules.
We believe that different conditions in retail deposit guarantee schemes, linked to national financial divergences, can cause important troubles in case of sovereign debt crisis. We expect fluidity of funds outside the affected countries can dramatically increase with these solutions available. For example, N26 Bank is using the fact its funds are protected by German schemes as a commercial argument. Besides this creating an unlevel playing field with entities based in other jurisdictions, we are in the opinion this could exacerbate liquidity runs in case of troubles such as the ones experienced during the financial crisis.
We want to draw the attention of EBA to the fact that if DGSs remain purely national the sovereign-bank link will not be completely broken, and Member States and financial institutions will continue to be exposed to financial instability. Greater harmonisation of national Deposit Guarantee Schemes is needed as it will be beneficial further reducing financial fragmentation, but this needs to advance in parallel with the establishment of the European Deposit Insurance Scheme ensuring the correct functioning of that Scheme.
2. Financial stability issues:
It is important to highlight the increasing importance of some fintech firms by providing essential services or infrastructures that must be ensured in case of resolution of the bank or the fintech firm.
o Critical infrastructures used by Banks. As FSB points out, “Third-party service providers to financial institutions are quickly becoming more prominent and critical, especially in the areas of cloud computing and data services […] In this regard, authorities should determine if current oversight frameworks for important third-party service providers to financial institutions are appropriate, e.g. in cloud computing and data services, in particular if financial institutions are relying on the same third-party service providers”. Currently “Bigtech” players are external service providers of most of the Financial institutions for data storage and cloud services among others. In most cases, these services support critical economic functions the banking institutions provide to local economies, which need to be continued even if the bank enters int o resolution if we want to prevent any type of financial instability. We strongly urge that this matter also be taken into consideration when a resolution framework is implemented for these companies.
o Essential services. Some of these new entrants may provide services that are essential for the economy. An example would be peer-to-peer lending provided by Bigtech platforms, which is increasingly relevant. They may end not being easily substitutable in case they discontinue this business line.
On the other hand, consumers are becoming more digitally and globally-oriented, asking banks and financial services’ providers to develop simple and rapid digital onboarding solutions. The e-IDAS Regulation clearly presents e-identification and e-signature as a new opportunity to facilitate the establishment of non-face-to-face business relationships. Nevertheless, there is inconsistency between e-IDAS, which promotes e-identification to access online products and services and carry out online transactions safely, and the 4th AML directive, that still favours face-to-face customer due diligence and considers non-face-to-face relationship as high risk", requiring Enhanced Due Diligence. The ESAs opinion to come should tackle this inconsistency.
We would also encourage the EBA to work with other regulators in order to consider e-identification as a valid mechanism for customer identification in the EU, as consumers are becoming more digitally and globally oriented which calls for simple and globally oriented solutions. We would welcome the EBA to support this initiative and to consider its applicability on an activity (instead of an entity) basis. Pursuing a level playing fields across the EU, we would also welcome the EBA to promote the use of the eID Digital Service Infrastructure (DSI) across the EU."
Although some of these new products and services are already subject to direct AML regulation as money services businesses, others do not fit neatly within existing AML regulatory frameworks, even though they facilitate financial transactions. Still some businesses may not appreciate the application of the AML laws to their technology or, even if they do, may not have the resources or experience to implement appropriate compliance programs.
It is necessary to enhance the effectiveness of the international AML/CFT standards by establishing some form of Guidance at an international level that treats similar products and services consistently according to their function and risk profile.
Question 1: Are the issues identified by the EBA and the way forward proposed in section 4.1 relevant and complete? If not, please explain why.
We agree with the way forward proposed by the EBA, although we would like to highlight a few points for these initiatives to unleash their full potential.● Assess national regulatory regimes and produce an EBA report or an opinion with a view to reviewing the perimeter of regulation.
Considering the results obtained in the mapping exercise, it is very relevant that an analysis of the different regulatory regimes is addressed by the EBA. Should this analysis reveal the need to review the perimeter of regulation because of an uneven playing field and the existence of regulatory arbitrage, then the EBA could draw up an opinion to EU legislators suggesting measures as necessary.
We would also see merit in the issuance of narrow fintech licences with EU passporting facilities for specific activities, as long as the level playing field is ensured. These licences should be activity and risk specific and banks should be allowed to perform any of the activities regulated under narrow fintech licenses. This is particularly useful in areas where market developments have not been followed by a thorough risk analysis and, the case being, appropriate regulation (such as crowdlending, financial services marketplaces or virtual asset management).
● Further assess the features of sandboxing regimes, innovation hubs and similar regimes.
We consider the role that EBA can play in the field of harmonisation of criteria applied by national sandboxes to be very important, following the detailed study announced in the proposed way forward.
In our opinion, we believe that it is of utmost importance to pursue a common EU framework for sandboxes, to avoid the increasing fragmentation within the EU. This requires, first, collaboration among institutions (the European Commission and the ESAs), as each of them has different legal powers and goals.
Secondly, a coordinating authority should unify these efforts and provide guidance to individual authorities. This European authority could ensure that all different national initiatives have the same approach, provide the same service and allow the same exceptions. Otherwise an uneven playing field will arise among different Member States. Moreover, this authority would help to:
• Share information on the typology of the areas or projects studied by the different national sandboxes;
• Identify test cases, with clear benefits for the market, and scale their use at European level.
• To promote the establishment of agreements with external innovation ecosystems, which might benefit all EU stakeholders, as further links with new markets might aid the EU in its global leadership goal.
The deployment of this public innovation policy framework should lead, in the long term, to the establishment of an EU framework of experimentation with participation on a voluntary basis. The European regulatory sandbox should be inclusive and take into account all interested parties, regardless of their size or business model. The ESAs should coordinate and provide guidance on regulatory sandboxes to national competent Authorities, while the ECB could run a special regulatory sandbox for cross-border innovations within the SSM.
The legal framework governing this setup should clarify how these sandboxes must operate: entry requirements, what happens while in the sandbox and how the project should enter the market. Furthermore, as this is a learning process, a review of the final decision should be publicly shared for all interested parties to understand the rationale of this outcome. Nevertheless, a list of potential regulations that might be softened, tools that all participants might access and the limitations related to customer protection and systemic stability must be listed prior entering the sandbox.
**
Finally, we believe that converting the EBA Guidelines on authorisations under PSD2 into RTS would be very positive as this will provide higher harmonization since Guidelines are mere recommendations that not all supervisors follow in the same way. At the same time, RTS will also offer more detailed provisions than the Guidelines. For the same reasons, we support EBA’s intention to harmonize the assessment of applications, since these would be helpful not only for the harmonization of the EU framework, but also for raising the standards of security for consumers and the financial system in the EU.
Question 2: Are the issues identified by the EBA and the way forward proposed in subsection 4.2.1 relevant and complete? If not, please explain why.
We believe that risks and opportunities are well identified, and the proposed way forward by the EBA is welcomed by industry.In our opinion, technology should not only be assessed as a possible new source of risk. Supervisors should bear in mind that new technology (artificial intelligence, automation, Cloud, APIs, biometry, among others) has the potential to contribute positively to the stability of the financial system by enhancing compliance, regulatory reporting and risk management. At the same time, as technology evolves, there is merit on the EBA providing guidance to other supervisors and promote knowledge sharing to keep pace with innovative technologies, to avoid creating barriers in the use of technologies supervisors are less familiar with.
We support the BCBS’s approach to use the PSMOR (Principles for Sound Management of Operational Risk) framework to control for the operational risks arisen by technological developments. These are well established within banks and this will help introduce any additional monitoring needed in a more efficient way. At some point, digital transformation will happen across the whole organization and the integration of any risk in the PSMOR will also allow for a more holistic approach.
Considering proportionality, we believe that non-banks should also need to apply PSMOR principles in their functions, especially BigTechs that have the potential to spread the consequences of an incident to an important number of consumers and businesses. Moreover, governance requirements should also be applicable to non-banks that can create a consumer protection or financial stability impact.
We also believe, however, that the assessment of the risks arising from the application of new technologies, particularly with regard to increasing competition, should take into account the contribution of the regulatory framework to the greater or lesser flexibility of the banking industry to deal with emerging opportunities and risks in an effective manner.
The process of bank transformation necessary to adopt the new fintech challenges must necessarily be accompanied by a review of the regulatory field of banking institutions.
To name a few examples:
- The role that prudential regulation and supervision play in explaining the main asymmetries between bank and non-bank players. Banks, as deposit-taking institutions, are subject to prudential regulation (under the framework of the CRR/CRD) and supervision, which affect any activity within their consolidation perimeter. In many of these activities, regulated institutions now compete with non-bank players that are only subject to activity-specific regulation and supervision, at best, or are not even regulated, as seen in the responses to the survey conducted by the EBA. Therefore, fintech activities are usually subject to more stringent regulation when they are performed within a banking group than if they are provided by other types of institutions. An illustrative example can be found in the remuneration rules under the CRD. This Directive sets a limit to the ratio between the variable and the fixed salary that financial institutions can pay to certain staff members identified as risk takers. These, and other rules on internal governance or outsourcing requirements leave banks in a situation of competitive disadvantage in terms of cost, time-to-market and talent attraction and retention.
- National rules that impede the adoption of new technologies. For instance, if a bank wants to make use of the cloud, although the authorization of outsourcing falls within the scope of the SSM for entities under its supervision, there are national rules (of approval procedure, data localization, etc.) that can hinder the migration to the cloud of certain data and processes and therefore, prevent to fully reap the benefits of this technology. This lack of harmonisation of national rules or supervisory approaches affects, particularly, to institutions with a pan-European presence.
Although we thank the EBA’s recent efforts to adapt outsourcing recommendations to the specificities of cloud computing technology, these recommendations do not prevent the emergence of different national approaches in the adoption of cloud, nor do they apply to new entrants providing financial services, thus creating an uneven playing field.
Question 3: What opportunities and threats arising from FinTech do you foresee for credit institutions?
We appreciate the EBA’s effort to provide a comprehensive assessment of prudential risks and opportunities arising from the fintech environment. Recently, several institutions and standard-setting bodies at EU and international level have shared their views on fintech. In fact, the BCBS has recently issued for comments a Discussion paper (Sound Practices: Implications of fintech developments for banks and banks supervisors), which contains a highly valuable assessment of the risks and opportunities from fintech in five future potential scenarios.Nevertheless, we would like to comment some additional risks not treated specifically in the EBA discussion paper:
1. Potential unfavourable treatment on data:
After the entry into force of PSD2 and GDPR, the financial sector has been one of those more affected by initiatives to open data, in relation to the rest of sectors that do not have similar measures.
We are a highly regulated sector, for obvious reasons. To conduct the banking business, institutions must invest significant amounts of resources in internal systems for effective risk control. Banks are continuously enhancing the credit rating and scoring systems and testing them with the behaviour of the debtors. It is an assessment that the banks perform based on their experience. It is qualitative proprietary information that banks should not be forced to share with third parties. If banks are compelled by prudential rules to invest heavily in ensuring high quality of credit data but at the same time they are forced to open them, there will be a continuous drain of value from banks to other players.
A hypothetic situation where information obtained and created by banks were forced to be shared with other investors would lead to an imbalanced situation: third parties would be able to grant credit in better conditions than banks as they do not have to incur those systems costs.
Initiatives to open data were driven by an interest from policy makers to increase competition. We believe that supervisors should monitor regulatory developments towards further opening bank’s data without a similar opening in other industries, at the risk that bank’s business models may be severely damaged while competition objectives are not attained.
As the FSB comments on its report “Other oligopolies or monopolies may also emerge, for example, in the collection and use of customer information, which is essential for providing financial services”. This is clearly the case of BigTechs that can have a potential disruptive impact on the financial sector due to:
- They have the technological resources and expertise as well as a large customer base to deploy financial products with agility and gain presence in the financial sector.
- Some of them are also tech providers of critical services for financial institutions (banks are increasingly using their cloud‐based infrastructure to scale and deploy processes, as well as their AI capabilities to build new services).
Therefore, the opportunities that new technologies offer to extract value from the information of clients and therefore proceed with a refined assessment of their needs must be fostered along with the necessary mechanisms to:
- balance the use of data with the risks associated with data protection and cyber security and;
- create the data market with appropriate guarantees, such as the parties’ freedom to agree on a fair price; and in that sense, from the banking sector we believe that any data initiative must respect the principles of reciprocity and voluntariness.
Moreover, it would seem also relevant to extend the analysis of risks and opportunities for the system to the systemic BigTechs and conduct some specific study on its impact on the financial sector both from a prudential point of view and their impact on the business model of financial institutions.
2. Third-party risks: outsourcing and partnership:
Another type of risk not covered in this paper, but tackled at least partially in the EBA Draft recommendations on cloud outsourcing published last August 2017, is the risk arising from the increasing partnership of the banking industry with third parties both at the front end with fintech firms partnering with banks (via for instance APIs), and in back offices and supporting functions where more IT infrastructure and services are outsourced to globally active Bigtech firms and start-ups.
As the BCBS consultative document states, “Banks should ensure they have appropriate processes for due diligence, risk management and ongoing monitoring of any operation outsourced to a third party, including fintech firms”. We believe however that, at the same time, Authorities should promote:
- A clear allocation of responsibilities so new players should be responsible of their own operational risk as well as AML requirements, as for instance. A special support from banking supervisors would be welcome by establishing clear responsibilities for helping banks to deal with technology providers.
- A harmonisation across jurisdictions to ensure a common approach by regulators/supervisors regarding procedures and methodologies and outsourcing projects process approval and at the same time ensure that outsourcing in the banking industry does not face unjustified burdensome requirements, not faced by other players (e. g. the right to physical access to data in the cloud is not consistent with its global and decentralised nature).
Question 4: Are the issues identified by the EBA and the way forward proposed in subsection 4.2.2 relevant and complete? If not, please explain why.
We believe there is merit on the EBA conducting research on innovations in the field of payments. The objective should be promoting innovation, ensuring security (both cybersecurity and financial sector stability) and guarantee consumer protection.We agree that the EBA should assess the risks and opportunities generated by Distributed Ledger Technologies in the field of payments. However, the EBA should not restrict this assessment to payment institutions or electronic money issuers, but also to traditional banks that are also very active in these technologies. It would be very positive for the development of the technology to have more clarity on which is the nature of different DLT use cases from the point of view of authorities and that this assessment is harmonized at EU level as most of the consortia working on it are cross-border.
Question 5: What opportunities and threats arising from FinTech do you foresee for payment institutions and electronic money institutions?
Payment institutions and electronic money institutions, as regulated entities, are subject to regulatory frameworks that affect the provision of many of their services. However, many other players participating in payment markets may not be regulated, and thus may benefit from the existence of regulatory loopholes. These loopholes, therefore, constitute a source of asymmetries among different players, given that regulated players often face obstacles to engage in non-regulated activities. A clear example of this is the EBA’s opinion in 2014, that called on national supervisory authorities to prevent credit institutions, payment institutions and e-money institutions from buying, holding or selling virtual currencies. Therefore, regulating the activity of virtual currencies is necessary to ensure a level playing field and eradicate asymmetries in financial markets. This is consistent with our suggestion in the answer to question 1 about the introduction of narrow fintech licences.Additionally, we believe security should be a relevant point of attention for authorities in the field of payments, especially from the entrance into force of PSD2. Higher interconnection will lead to higher cybersecurity risk, so authorities should be vigilant that each point in the information chain meets the cybersecurity standards required to protect customers and the integrity of the financial system. There would be merit on the EBA to assess coherence of cybersecurity requirements and assessments across countries within the EU.
Question 6: Are the issues identified by the EBA and the way forward proposed in subsection 4.3.1 relevant and complete? If not, please explain why.
We agree with the issues identified and the way forward proposed by the EBA. A similar exercise has been carried out by the BCBS, in its recently published consultative document Sound Practices: Implications of fintech developments for banks and banks supervisors, identifying 5 possible scenarios for the future, which are not mutually exclusive.In our view, some of the scenarios depicted by BCBS are already a reality and will develop further. The combination of scenarios or situations that may arise in the future will depend on the capacity and agility of banks’ transformation processes. As mentioned before, this cannot be carried out efficiently if no measures are taken to:
• guarantee a level playing field, either by eliminating unnecessary barriers to traditional players or by regulating all participants according to activities and risks;
• to encourage the creation of an ecosystem (bidirectional data access, infrastructure investment shared by all participants);
• apply the principle of technological neutrality (see our answer to Questions 15 and 16);
• to encourage innovation (hubs, sandboxes);
As proposed in our answer to Question 1, if these interviews lead to relevant issues that need to be addressed by European and/or national regulators, it would be appropriate for EBA to provide an opinion to the European authorities if deemed necessary.
Question 7: What are your views on the impact that the use of technology-enabled financial innovation and/or the growth in the number of FinTech providers and the volume of their business may have on the business model of incumbent credit institutions?
When approaching this phenomenon, it is important to understand what types of FinTech exist, as this term covers a wide range of companies and solutions. In the new fintech ecosystem, composed of banks, new entrants, Bigtech companies and regulators, the lines between competition and collaboration are blurring. We should therefore avoid the equalization of the fintech phenomenon with the entrance of small new entrants, as this may lead to an underestimation of the challenge that Bigtech companies may pose already in the short term. The consequences for the financial sector may be far-reaching, given these companies’ scale and global reach. Also, regulatory initiatives such as PSD2 and GDPR, and their interaction, are likely to favour these players as they already have access to large amounts of data from their large customer base.If we analyse the relationship of new entrants and incumbents, the new solutions of the former can either compete with existing solutions, unbundling the value chain, or enhance them, improving the existing offer and processes through partnerships. In some cases, banks follow a user-centric strategy, leveraging the possibilities offered by technology, and not as a defensive reaction.
In other cases, it is not a question of analysing the impact of new entrants on the traditional market, but directly, the effects of the emergence of new technologies that alter, or can substantially alter, the way of doing business (for example, cloud or DLT). These new technologies offer great opportunities for the financial sector, as they may address inefficiencies at the core of the banking infrastructure. However, currently financial institutions face certain supervisory obstacles that impede them to use these technologies to their full potential. As new entrants that construct themselves on these technologies continue to gain market share, these regulatory and supervisory obstacles together with the burden of legacy IT infrastructures faced by banks could make credit institutions in competitive disadvantage with the new entrants (be it start-ups or technology giants).
As acknowledged by the EBA, modernisation of these systems is a “must” for those financial institutions that seek to survive in this new digital age, but this demands a significant investment.
However, there are important regulatory factors impacting the competitiveness of banks in relation with new entrants. Regulatory asymmetries offer new entrants the opportunity to compete with unequal requirements in terms of solvency, liquidity, reporting or governance among others, allowing non-banks to provide the services at a more competitive pricing.
PSD2 is a paradigm of regulation for digital banking. It encompasses some disruptive features such as opening data, sharing bank’s infrastructures and facilitate the entrance of new players through lighter requirements concerning initial capital or proportionate cybersecurity requirements. It also finds a solution for customer’s safety by requiring banks to restore the account’s balance irrespective which party caused the damage. The objectives of the Directive are welcomed. However, since third parties will not pay for accessing payment accounts, this creates an asymmetry in the contribution to the sustainability of the payments infrastructure. Besides, different standardization requirements between this regulation and GDPR as regards access to personal data will also create an asymmetry between financial institutions and other players.
Moreover, banks that want to perform activities related to payment services are not only bound by PSD2 but by the general banking regulatory framework. Even if a bank is using an autonomous subsidiary purely dedicated to this activity, general rules such as CRR/CRDIV apply to this entity (including the need to deduct investments in software from capital , the need to limit equity-linked remunerations typical of the digital ecosystem or the need to establish tight governance processes) to the extent to the consolidation rules apply, unless the bank avoids taking a controlling stake. As this is not applicable to the rest of competitors that don’t belong to a banking group, this is putting an extra layer of regulatory burden in banks and lowering their capacity to deliver on innovation, not only to the detriment of shareholders, but also to the communities these innovations would have benefitted.
For all of this, we support the EBA approach to further develop their understanding of the impact of Fintech and new competitors within banks business models and work on how to level the playing field, as it will have an impact in the EU financial system and the economy, especially as disintermediation progresses. Actions should be taken to avoid the risks that this can generate not only on banks but on the rest of the financial system and consumers.
Question 8: Are the issues identified by the EBA and the way forward proposed in subsection 4.3.2 relevant and complete? If not, please explain why.
-Question 9: What are your views on the impact that the use of technology-enabled financial innovation and/or the growth in the number of FinTech providers and the volume of their business may have on the business models of incumbent payment or electronic money institutions?
-Question 10: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.1 relevant and complete? If not, please explain why.
We agree with the proposed way forward by the EBA. The establishment of a clear regulatory perimeter is clearly a positive step towards solving the problem of customers not being able to determine who they are dealing with and how their rights would be protected.As mentioned by the EBA, some business models create extra difficulties in terms of consumer protection. This is the case, for instance, of marketplaces in which consumers can directly sign up to products from different providers. In this context, the lack of a regulatory framework generates uncertainty about the allocation of liabilities, and whether the responsibility lies with the provider or with the platform. As platforms are not regulated, this would ultimately lead to an overburden of the liability on the providers, which are regulated figures.
Another example would be the comparison websites that show financial information in a manner that may not always be fair or complete. When conducting comparison, information, recommendations, advisory services or distribution services online a clear distribution of responsibilities is needed as well as oversight by financial authorities.
Given that in the digital space the boundaries among sectors are unclear and new business models appear constantly, we believe it is paramount to establish the monitoring of players from an activity based perspective: supervise the activity and not the actors would be more practical in a context where the number and nature of actors evolve rapidly.
It is essential that any new regulation or policy ensures a level playing field and works on the reduction of asymmetries among the different players. The level playing field should be understood as a framework in which activities involving the same risks receive the same regulatory treatment, regardless of the channel or the institution offering it, and in which there are no unnecessary barriers to fair competition. Otherwise, users of the same financial service could end up being subject to different levels of protection depending on whether the service is provided by an incumbent or a new entrant.
Question 11: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.2 relevant and complete? If not, please explain why.
As commented in other questions, we believe that fintech regulation should ensure a level playing field for companies engaging in similar activities, with similar risks, in any European country. Therefore, we support the issues identified by the EBA and the way forward, since they are of utmost importance. In particular:- Concerning equivalent regulation to be extended to non-regulated firms when providing the same services. For instance, not all European countries have developed legislation for alternative finance, creating a set of diverging regulatory frameworks within the EU. In these cases, new fintech players trying to operate cross-border face a practical impossibility due to the lack of passporting facilities.
- In setting up a harmonized framework for cooperation, setting a clear distribution of competences between home/host supervisors and the EBA playing the role of being a forum for facilitating information sharing.
Question 12: As a FinTech firm, have you experienced any regulatory obstacles from a consumer protection perspective that might prevent you from providing or enabling the provision of financial services cross-border?
We believe that different consumer protection regimes act as a barrier to the provision of cross-border retail banking products and services, both for consumers and banks. Companies need to assess the legal regime to undertake the provision of services on a cross-border basis and in some cases, it cannot be adapted to the legal regime of the country of origin of each potential customer.At the same time, there is a lack of an interoperable digital identity system, which creates a problem of fraud and identification. It is key to ensure that identification means are effective and can be used across national boundaries (e.g. in case of videoconference, it is only accepted in a limited number of countries).
Question 13: Do you consider that further action is required on the part of the EBA to ensure that EU financial services legislation within the EBA’s scope of action is implemented consistently across the EU?
For a genuine cross-border retail financial market to operate in Europe, it is key that a harmonized consumer protection framework is developed, either by reforming current national regulations or by adding a new 29th regime to govern distant relationships (cross-border, whether or not digital).There are practical steps that could be taken in this direction. For instance:
- Product conditions should be clearer to facilitate the understanding for customers, even at cross-border basis.
- As mentioned in the previous question, it is key to ensure that identification means are effective, and they can be used across national boundaries (i.e. in case of videoconference, it is only accepted in a limited number of countries).
- It is key for the consumer to determine who is the entity he is dealing with. Without this, the customer cannot make a claim.
- There is also a need to have a dispute resolution mechanism that is supranational, whose decisions cannot be reviewed by local courts, especially to ensure that a foreign court is not going to decide to apply a foreign law. This may not necessarily require the creation of a new body, but could instead be articulated on the existing institutional architecture.
- Besides, to enforce the decisions taken by this mechanism, it could be complemented with the setup of a mechanism at EU level that anticipates the payment of any compensation to the customer and then deals with the other party at cross-border level.
Although some of these suggestions may exceed EBA's powers a priori, we believe that they are essential for effective consumer protection and to ensure a high level of transparency in the information he receives, matters that fall under its mandate.
On the other hand, we believe that authorities, including the EBA, must strengthen their supervisory function on the new services that arise, taking a proactive role when the service provider does not meet legal requirements or exceeds its license, providing services that they have not been authorized to. Currently, supervisory practices focus primarily on risk taking within supervised entities instead of on the actual risks taken by any player in the market. As an example, a bank is always supervised by the Competent Authority, while a technology company which provides similar services might not. In our understanding, when the activities and assumed risks are related to financial services, there should be an ex officio supervision to ensure that all legal safeguards are applied. This measure ensures that customers only access safe and secure financial services and avoids regulatory arbitrage.
Question 14: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.3 relevant and complete? If not, please explain why.
We believe it is very important that all players have clear complaints handling procedures for their customers as well as resources or insurance enough to make sure that they can respond to any responsibilities derived from their activity.An issue that could facilitate the exercise of consumer rights is the introduction of one-stop-shop mechanisms, that could streamline the process of filing complaints for consumers, especially in cases where the financial service is provided through an interaction of various firms with different regulatory status (for instance, platforms models).
One of the fears of the banking industry, especially aggravated under PSD2, is that whenever a traditional provider is involved (such as a bank), most of customer claims will be addressed to it, as the procedures are more familiar for the customer. And this, even if the traditional provider has not been actively involved in the service (for example, in case of a PISP that makes payments through the bank’s account). This can generate an increase in the level of complaints that can be a source of the bank's reputational risk and a source of administrative burden, even if most of them are finally not declared to be the bank’s fault.
Similar risks to the concerns identified for complaints may also apply to any risk management process as the lack of common regulatory standards regarding risk management across all players may create more risks for customers in this market. We would welcome the EBA to conduct further work on how the current risk management process can present the same degree of protection for customer regardless of the entity providing the service.
Question 15: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.4 relevant and complete? If not, please explain why.
We agree on the issues identified by the EBA and the proposed way. Particularly, we appreciate the EBA’s intention to assess whether EU legislation in place generates restrictions to digitization of financial services. We believe it is of the utmost importance to replace the use of paper or non-digital-native (e.g. pdf) documents in any form of communication, as the above prevails even in pieces of legislation that have been produced in recent years. Instead, financial institutions should be given the opportunity to communicate with their clients in whatever format is best suited to the client’s needs and to the channel deployed.Moreover, concerning precontractual information, at present, there are strict frameworks that prescribes the information that should be gathered, such as in the case of MIFID or the Mortgage Credit Directive. These provisions are in place for one kind of players (banks), but are not being applied by all providers, jeopardizing market integrity, consumer protection and security. We support that all players comply with consumer protection obligations, including disclosure requirements so that consumer is equally protected irrespective the nature of the financial service provider. This will drive a framework based on the principles “same services, same risks, same rules, same supervision”.
Finally, given the way of interaction with customers is changing due to the digitalization, EBA should further explore whether the current disclosure rules should move from standardized documents (KIDs, PAD’s statement of fees, etc.) to alternative, more personalized ways of providing the information that is significant to each customer, provided the relationship follows high level principles established in the regulation. Authorities should bear in mind that innovations (mainly mobile technology, big data and robots) provide an opportunity for firms to significantly personalize the way they interact with customers, according to their needs and preferences. We do not believe that the change should be made by adding more documentation or information, but replacing it by other interactive formats.
Question 16: Are there any specific disclosure or transparency of information requirements in your national legislation that you consider to be an obstacle to digitalisation and/or that you believe may prevent FinTech firms from entering the market?
In Spain, the rules governing disclosure and transparency of information in case of mortgage lending are an obstacle to digitalization.For instance, when subscribing a mortgage loan that includes limitations on the variability of the interest rate (floor and ceiling clauses) or that involve the subscription of an interest rate risk hedging instrument, or that are granted in one or more currencies, the public deed shall be required to include, together with the client's signature, a handwritten expression by which the borrower declares that he or she has been adequately warned of the possible risks arising from the loan.
Another example is the requirement by Spanish laws of a physical signature before a notary for a mortgage to become enforceable. This means that only part of the experience can be digital, but the end should be done in a specific place (the notary’s office). We believe there should be merit on integrating the digital public faith for these purposes.
Question 17: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.5 relevant and complete? If not, please explain why.
We consider all initiatives related to promote financial education and transparency to be very relevant. Digital channels increase the accessibility to financial products which might not always be suitable for customers or of which customers might not have sufficient knowledge. Fintech and new competitors are increasing the variety of products available for the common user, and the pace of innovation will further boost this trend.Question 18: Would you see the merit in having specific financial literacy programmes targeting consumers to enhance trust in digital services?
Yes. We believe that further joint action is needed by public authorities and relevant private stakeholders to help consumers make the best use of digital financial services, expanding awareness and empowering individuals with financial and digital skills. However, the digital changes open challenges that have similar nature across sectors (i.e. data protection, privacy, informed consent), and therefore, general digital literacy programs, as independent initiatives, are also needed across sectors.Question 19: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.6 relevant and complete? If not, please explain why.
We believe that big data analytics and artificial intelligence are technologies with a great potential to further expand the access to financial services by lowering the complexity and the costs associated to certain advisory and credit scoring services, for example.We do not believe that using big data will generate financial exclusion. This is more related to conduct and not to the fact that the company is using more or less data driven technologies. In fact, the traditional relationship in the financial sector could have led to more discriminatory practices as it relied more on the behaviour of individual employees. The more the decisions are automated, the lesser the risk that these situations arise.
Regarding the effects of more granular risk segmentations, we agree that these could lead to higher premiums, but this has been occurring long before the digital era, so this is not a new issue affecting customers. Pricing practices take different forms and evolve over time. Not always such pricing practices should be a concern, only when they are discriminatory with no objective foundation.
Applying Big Data techniques is vital for financial institutions as well as for other industries that are increasingly using these techniques. We must bear in mind that the rest of economic sectors are not subject to any regulation concerning Big Data, so developing one specific to the financial sector would have very negative consequences for the competitiveness of regulated financial entities. We believe the ESAs should avoid this. The principle “same activities and risks, same rules and supervision” should apply to all companies regardless of the sector or location. Big Data should be subject to same rules disregarding who applies it.
Question 20: Are the issues identified by the EBA and the way forward proposed in section 4.5 relevant and complete? If not, please explain why.
We believe there is merit on the EBA monitoring the effect of digital innovations on the resolution framework. We can already witness certain developments that would need to be considered:1. Liquidity and retail funding stability issues:
o Payment aggregators can make automatic transfer orders on behalf of clients if they also hold payment initiation services license. Depending on the goal that leads the decision by which a client decides to hire an aggregator (e.g. search for profitability, a combination of liquidity and profitability, search for quality, …), the automatic orders are developed taking into consideration the available information on regards of the product, the bank and the economy and with the objective to maximize that goal. Information may comprise ratios, indicators, financial and non-financial information of the bank and the country where the bank is present. The possibilities to exploit the available information has increased drastically due to the improvement of technology. In a feasible scenario where the population of aggregators reaches a relevant size, the combined result of the way they operate, even though they operate individually, will for sure increase the volatility of retail deposits, as recognised by the FSB (“Aggregators (…) could increase the volatility of bank deposits, with implications for banks’ liquidity positions. More generally, in more competitive environments, an increase in the speed and ease of switching between service providers could potentially make the financial system more excessively sensitive to news.”).
Although banks have the needed tools to manage and control daily their liquidity inflows and outflows (LCR) and must analyse the stability of their sources of funding (NSFR), the introduction of such a phenomenon may pose some risks to the financial stability. The scenario that suddenly a big amount of deposits were to be withdrawn from several banks and were to be allocated in just a few banks is something that cannot be disregarded.
Therefore, we agree with the issues identified by the EBA on the fact that increased digitalisation may also speed up the movement of deposits. The risks that may arise should be faced not by impeding clients to move their money through digital channels but by designing the necessary tools to tackle these risks. For that reason, we believe that controls should be introduced to avoid these hypothetical scenarios. Consideration should be given to the possibility to ask for internal controls in the aggregator itself and external control and supervision to the whole of the platforms that may act as aggregators.
o Equally important is that when depositors move their funds, they can clearly distinguish between a bank, where their deposits are covered by the DGS, and different financial services provider. If contagion were to happen (it was for example the case in Spain some years ago with the Afinsa society), financial stability issues might arise, and the deposits stability could be put at risk.
As Fintech develops, we also expect cross-border digital banking to be more available for retail customers. We consider this to be a positive development for consumers and competition and to create a true European retail financial market. The Deposit Guarantee Scheme Directive adopted in 2014 has enhanced the functioning of national Deposit Guarantee Schemes and offers better protection to depositors through a harmonised coverage of depositors across the European Union and a shortened time-limit for pay-outs. However, some important differences remain across Member States in the implementation of the Deposit Guarantee Scheme Directive rules.
We believe that different conditions in retail deposit guarantee schemes, linked to national financial divergences, can cause important troubles in case of sovereign debt crisis. We expect fluidity of funds outside the affected countries can dramatically increase with these solutions available. For example, N26 Bank is using the fact its funds are protected by German schemes as a commercial argument. Besides this creating an unlevel playing field with entities based in other jurisdictions, we are in the opinion this could exacerbate liquidity runs in case of troubles such as the ones experienced during the financial crisis.
We want to draw the attention of EBA to the fact that if DGSs remain purely national the sovereign-bank link will not be completely broken, and Member States and financial institutions will continue to be exposed to financial instability. Greater harmonisation of national Deposit Guarantee Schemes is needed as it will be beneficial further reducing financial fragmentation, but this needs to advance in parallel with the establishment of the European Deposit Insurance Scheme ensuring the correct functioning of that Scheme.
2. Financial stability issues:
It is important to highlight the increasing importance of some fintech firms by providing essential services or infrastructures that must be ensured in case of resolution of the bank or the fintech firm.
o Critical infrastructures used by Banks. As FSB points out, “Third-party service providers to financial institutions are quickly becoming more prominent and critical, especially in the areas of cloud computing and data services […] In this regard, authorities should determine if current oversight frameworks for important third-party service providers to financial institutions are appropriate, e.g. in cloud computing and data services, in particular if financial institutions are relying on the same third-party service providers”. Currently “Bigtech” players are external service providers of most of the Financial institutions for data storage and cloud services among others. In most cases, these services support critical economic functions the banking institutions provide to local economies, which need to be continued even if the bank enters int o resolution if we want to prevent any type of financial instability. We strongly urge that this matter also be taken into consideration when a resolution framework is implemented for these companies.
o Essential services. Some of these new entrants may provide services that are essential for the economy. An example would be peer-to-peer lending provided by Bigtech platforms, which is increasingly relevant. They may end not being easily substitutable in case they discontinue this business line.
Question 21: Do you agree with the issues identified by the EBA and the way forward proposed in section 4.6? Are there any other issues you think the EBA should consider?
Yes, we agree. We support the EBA to enhance the framework, so all participants ensure that the system is secure in terms of AML and contribute to it in the same manner. Some of the less regulated entities, namely Bigtech, have access to much customer information that could make the system safer if they also engage in AML the same manner than banks. We cannot support a framework where all players rely on bank’s AML processes without contributing to its cost.On the other hand, consumers are becoming more digitally and globally-oriented, asking banks and financial services’ providers to develop simple and rapid digital onboarding solutions. The e-IDAS Regulation clearly presents e-identification and e-signature as a new opportunity to facilitate the establishment of non-face-to-face business relationships. Nevertheless, there is inconsistency between e-IDAS, which promotes e-identification to access online products and services and carry out online transactions safely, and the 4th AML directive, that still favours face-to-face customer due diligence and considers non-face-to-face relationship as high risk", requiring Enhanced Due Diligence. The ESAs opinion to come should tackle this inconsistency.
We would also encourage the EBA to work with other regulators in order to consider e-identification as a valid mechanism for customer identification in the EU, as consumers are becoming more digitally and globally oriented which calls for simple and globally oriented solutions. We would welcome the EBA to support this initiative and to consider its applicability on an activity (instead of an entity) basis. Pursuing a level playing fields across the EU, we would also welcome the EBA to promote the use of the eID Digital Service Infrastructure (DSI) across the EU."
Question 22: What do you think are the biggest money laundering and terrorist financing risks associated with FinTech firms? Please explain why.
The risks associated with money laundering and terrorist financing are mainly linked to the ability of institutions to mobilize funds. Therefore, the risks to which Fintech firms offering this service are exposed will be the same as those to credit institutions. In this sense, those areas that can present potential anti-money laundering (AML) and terrorist finance risk are activities related to the use of alternative means of payment and virtual currencies or crowdfunding and marketplace lending.Although some of these new products and services are already subject to direct AML regulation as money services businesses, others do not fit neatly within existing AML regulatory frameworks, even though they facilitate financial transactions. Still some businesses may not appreciate the application of the AML laws to their technology or, even if they do, may not have the resources or experience to implement appropriate compliance programs.
It is necessary to enhance the effectiveness of the international AML/CFT standards by establishing some form of Guidance at an international level that treats similar products and services consistently according to their function and risk profile.