Swedbank EU Transparency Register, registration number: 960532323803-6.
SWEDBANK REPLY TO THE EUROPEAN BANKING AUTHORITY'S DISCUSSION PAPER ON THE APPROACH TO FINTECH
Swedbank appreciates the opportunity to comment on the European Banking Authority’s (EBA) discussion paper on the approach to Fintech. We believe that financial innovation (Fintech) has the potential of making financial services more attractive, cheaper and more accessible for all European citizens. In this response, Swedbank wishes to share with the EBA some reflections on a number of topics mentioned in the Consultation which are relevant to Swedbank. These reflections focus especially on:
- The definition of Fintech needs to be linked to the activity, product or service offered and not to the legal structure, size or age of the innovative entity.
- A properly balanced level playing field and risk-based approach to regulation and supervision is required to ensure safety and soundness without unnecessarily hampering the benefits of innovations.
- A holistic approach to supervision is needed in order to capture risks that are reallocated from regulated sectors to less or non-regulated entities.
- Both financial and digital literacy should be promoted from a channel and technology-neutral angle, with a particular emphasis on cybersecurity aspects.
- In order to evaluate new processes and foster innovation we encourage sandboxes. Sandbox participation should, however, be limited both in time and scope, under close supervision and communication between the engaged parties and competent authorities.
- Areas such as flagging and investigating suspicious activity in the financial system would benefit from an increased degree of automation.
Swedbank is committed to both innovation and cooperation; where we already have embarked on several cooperation’s with third parties (see link). We believe that Europe’s policy approach needs to encourage trust in Fintech services no matter the legal structure, size or age of the entity. Consequently, in order to create an environment where newcomers, as well as incumbents, can be innovative, cooperate and develop their businesses a properly balanced level playing field and risk-based approach to regulation and supervision is required.
It is therefore important for competent authorities and regulators to maintain a forward-looking approach, where customer protection, data protection and trust in financial services remains high; where the primary goal of any policy initiative needs to be a balance between high levels of consumer protection and the capacity to innovate. This against the backdrop of new prudential risks, cybersecurity and consumer protection, as well as the implications global entities have with respect to the formulation, entry into force and enforceability of European regulation.
Swedbank welcomes and supports the EBAs approach to communicate and work with the whole industry in the different topics identified in the consultation. Furthermore, Swedbank notes and appreciates that the EBA has invited a broad range of stakeholders to provide feedback on this consultation and we particularly recognize the contributions from the Swedish Bankers Association, European Banking Federation, the European Savings and Retail Banking Group and the Institute of International Finance.
1. Finding a balanced level playing field
Fintech and innovation is not restricted to certain parts of the industry and come with both threats and opportunities. As technological innovation continuously changes business models and activities offered, policymakers need to ensure that supervision and regulations effectively address potential risks regardless of the underlying technology or method used to execute that activity. Hence, to ensure that both new entrants and incumbent institutions should have equal opportunity to apply new technologies, the definition of Fintech needs to be linked to the activity, product or service offered and not to the legal structure, size or age of the innovative entity.
In addition, given the nature of digitalisation, a coordinated global regulatory approach is required. Therefore, under the principles that the same risks should be regulated and supervised in an appropriate manner, no matter where they occur, we believe that a risk-based approach to supervision is the most optimal one for a digital environment. Regulation and supervision therefore need to remain risk-based, technology-neutral and cooperate on an international level, balancing the mitigation of potential risks whilst simultaneously harnessing the benefits of innovation in European Fintech.
In order for regulators and competent authorities to identify, understand and evaluate new risks arising from applications of new technologies including data protection and cyber-security, a holistic perspective becomes increasingly important. If innovation is addressed in silos, supervisors might risk overlooking the broader picture of the transformations and opportunities offered by Fintech. A holistic approach would also position supervisors to capture risks that are reallocated from regulated sectors to less or non-regulated entities.
There are indications that some entities are using inconsistencies in different regulations such as Solvency II and Capital Requirements Directive (CRD). For instance, some insurance and pension institutions are bypassing the credit institutions and extending mortgages directly to the consumer through independent brokers. Since this is done in a Solvency II environment they are therefore circumventing capital requirements, stipulated in CRD by which credit institutions must abide.
Such examples raise similar concerns as identified by the Financial Stability Board (FSB) concerning Shadow Banking(1); defined as “credit intermediation involving entities and activities (fully or partially) outside the regular banking”. The FSB highlighted that as long as such activities and non-bank entities remain subject to a lower level of regulation and supervision than the rest of the financial sector, reinforced banking regulation could drive a substantial part of banking activities beyond the boundaries of traditional banking and towards shadow banking.
On the other hand, regulators and competent authorities simultaneously need to take the opportunities and advantages of technology into account; in particular regarding regulations on remote identification and verification of customers. Concerning these challenges, technology can increase the usability of financial services and ease the industry’s processes to ensure secure identification of customers both remotely or in person whilst reducing current national obstacles with AML and CFT requirements.
A balanced approach would promote the safety and soundness of banks, financial stability, consumer protection and compliance with applicable laws and regulations, including anti-money laundering and countering financing of terrorism (AML/CFT) regulations, without unnecessarily hampering beneficial innovations in financial services. While these changes may result in new risks, they also open up new opportunities for consumers, banks, other financial institutions and competent authorities.
These issues call for a deeper understanding of the threats and opportunities that Fintech is generating in the structure and functioning of the financial industry especially in terms of the relationships and interconnections between different types of players and, accordingly, in the generation and distribution of risks throughout the system. Hence, a coordinated risk-based approach to the use of technologies for regulatory and supervisory purposes is necessary to identify and mitigate the major risks at hand.
1. Strengthening Oversight and Regulation of Shadow Banking Policy Framework for Strengthening Oversight and Regulation of Shadow Banking Entities, Financial Stability Board (2013)
2. Data, consumer protection and cybersecurity
Considering the emphasis, supervisors and regulators place on the need for high levels of consumer protection, the presence of so many non-regulated entities (53% non-supervised)(2) suggests that further investigation is required to ensure that entities are treated equally. Such an inventory, would most likely find a large number of Fintechs that need neither to be supervised nor regulated. Here, Fintech has the potential of making financial services more attractive and more accessible for clients hence EU-policy needs to work for encouraged trust in Fintech services, in particular addressing threats of cybersecurity and consumer protection.
Management of new business risks such as cybersecurity and data management is central to maintain high levels of consumer protection and needs to be the guiding principle for policymakers. Data protection has been and is at the core of trust in financial institutions. Customers expect banks to protect their personal data, i.e. maintaining systems to combat cybersecurity and maintain high levels of consumer protection. Today, however, there is a risk that consumers are not being properly informed of and/or do not understand how their data is being processed and applied.
This reasoning is highlighted by the European Parliament’s report on Fintech(3), wherein they express that many Fintech developments are directly based on the innovative use of data. However, the current EU-legal data framework is complicated due to several overlapping pieces of legislation. To avoid positioning the European Fintech industry at a competitive disadvantage, it is necessary to ensure a coherent application and harmonized supervision of the relevant regulations, such as General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2).
Additionally, moves towards open banking in Europe and similar initiatives can be perceived as a call for action towards the industry. These regulations make access to payments data easier for third-party players that do not own the primary customer relationships and where customers expect banks to protect their personal data. Therefore, there is a trend where both large and small Fintechs are building business models around financial and payment related data.
Credit institutions, however, are restricted by data secrecy regulation from analysing or providing customer data to a third party without clear consent from the customer. However, several global non-bank internet firms offer a range of financial products based on the evaluation of data collected from sources such as customers’ web-browser history, emails and social media presence; this despite the incumbents having the infrastructure to manage risks and the experience to sustain a high level of consumer protection.
In their report, the European Parliament, also emphasise the risks that come with more data collection and its use, especially with regard to GDPR and PSD2. They underline the need to allow better access for consumers to Fintech services whilst ensuring that data protection measures are put in place so that consumers are given a choice in how data is collected and used. This is also important concerning the responsibilities that come with data collection and data handling. Consumers expect banks to store and manage their data in a responsible and safe manner, but it is difficult and costly to take responsibility for personal data that has been accessed by potentially hundreds of other institutions.
Also with respect to crowdfunding platforms, for the sake of consumers’ and investors’ protection initiatives are needed in the following areas:
- requirements for registration as a crowdfunding platform in national registers,
- rules on customer on-boarding requirements, , including clear information about the risks involved,
- procedures for the collection of non-performing loans and failed projects,
- a framework for partnerships between these platforms and other entities participating in crowdfunding projects.
Similarly, new tools such as automated financial advice (robo-advisors) both reduce costs and reach new customer segments which is expected to lead to growth in the number of customers who receive financial advice. In order to enhance consumer protection, advice neutrality and to provide a minimum set of standards to the robo-advice sector, supervision of these services is required.
Currently, it is common that robo-advisors base their profiling decisions on a limited set of variables and few undertake suitability tests. This makes it difficult for customers to understand how the robo-adviser constructs its recommendations. In order to ensure that customers receive the same level of risk and quality of advice through robo-advisers. We suggest that robo-adviser activities need to be MiFID II compliant.
For these reasons, initiatives such as enhancing financial literacy through further work to coordinate and foster national initiatives are supported. However, against the background of an increasingly digital world, the key recommendation would be to design legislation having consumers’ financial and digital literacy in mind. We believe that financial literacy should be promoted from a channel and technology-neutral angle, whilst digital literacy, with a particular emphasis on cybersecurity aspects, is a field of its own and should be promoted by a number of stakeholders in society, including governments.
(2) “Discussion Paper on the EBA’s approach to financial technology (FinTech)”; European Banking Authority (2017)
(3) “The influence of technology on the future of the financial sector” (2016/2243(INI)); European Parliament (2017)
3. The impact of Fintech on supervision
New technologies enable faster time to market of new products that mainly aim at providing the best possible client experience. It is important that the other business processes, especially those related to new product approval, are not overlooked despite the increased speed of product creation. It should be specially highlighted that a new activity should not be undertaken until adequate resources to understand and manage the associated risks are available, see EBA Guidelines (4). Hence, it is important that competent authorities and other policy makers not only focus on the innovation in the front-end part of the value chain, but also create the preconditions for credit institutions to continuously invest and improve existing products, services or process.
It is also important that regulators take a key role in supporting the effective implementation and use of new technologies within financial institutions for risk management, compliance and regulatory reporting. Here technologies such as artificial intelligence, big data and clouds contribute to more effective processes in financial institutions through better risk data aggregation, money laundering and fraud detection, and early warning systems for credit risk. Thereby, replacing legacy systems with cloud computing, data lakes and APIs can make banks infrastructures more robust and reliable.
AML/CFT provides a good example of an area where it is important to reach a proper balance between safeguarding the safety and soundness of the system, while supporting financial innovation. New technologies, such as machine learning, are starting to play a key role in flagging and investigating suspicious activity in the financial system – a task that, given the number of flagged transactions for institutions to investigate, would benefit greatly from a certain degree of automation. It is therefore imperative that institutions can apply robust, tested new technologies for these tasks.
Where regulations were to cause difficulty for innovation, these should be reconsidered. To stay with the example of AML/CFT, applying new technology to KYC processes could significantly improve AML investigations at financial institutions by enabling them to share relevant information efficiently with each other. However, they are currently not used optimally, as data regulations typically do not allow institutions to provide or access consumer information cross-border through a third-party provider, thereby inhibiting the effective use of such utilities.
Hence, digital tools can offer competent authorities, incumbents and Fintechs new possibilities to provide such transparency to consumers, especially as the future value chain is believed to be more complex. A lack of transformation and digitalisation in the banking sector could be a greater risk than transformation itself, threatening both the sector’s competitiveness and risk management capability. Therefore, we encourage the EBA when performing their in-depth review of EU legislation requirements, to take technical developments into account to find the right balance between consumer protection and fostering innovation.
(4) See EBA Guidelines on Internal Governance and EBA guidelines on product oversight and governance requirements for manufacturers and distributors of retail banking products (EBA/GL/2015/18)
To facilitate the introduction of Fintech activities, some member states have already started to experiment with regulatory sandboxes, innovation hubs or similar relaxed regimes. These are structures which allow the service providers to operate in a controlled environment, without being subject to the full array of regulatory requirements. This could, however, introduce new risks to consumers and potentially undermine financial stability.
To evaluate new processes and services, Swedbank believes that sandbox participation should be limited in time and scope, under close supervision and communication between the engaged parties and competent authorities, rather than used for the circumvention of the existing regulations in financial services. Concerning the activities proposed by the EBA for 2017/18, we support this initiative, especially the inventory and assessment of different sandbox regimes.
Moreover, we believe that participation in potential sandboxes should not discriminate on the basis of the entity’s legal structure or size, but rather allow all types of entities to participate on equal terms. New entrants and incumbent institutions should have equal opportunity to apply new technologies, and experiment with them through sandboxes, innovation hubs and other innovation-supporting initiatives. Therefore further work to assess the features of sandboxing regimes, innovation hubs and similar regimes is supported and we encourage the EBA to move forward with guidelines in this area.
When discussing innovation we also need to take incremental innovation, both common systems and bank specific, into account, i.e. innovation to enhance existing products and services without changing the business model. Therefore, it is important to distinguish between a technical innovation which leads to a new products or services and a technical innovation which improves the characteristics of current products and services. This should also be taking into consideration when discussing sandboxes.