The French Banking Federation (FBF) particularly welcomes this opening discussion of the EBA on the concept of FinTech. FBF finds it relevant that the EBA chose (as did the European Parliament and the BCBS) to align the definition of FinTech with the one given by the FSB stating that it should be understood as “finance enabled or provided by via new technologies meaning the application of new technologies to financial services”.
As technology-enabled innovation in financial services does not depend on the size or legacy of a firm and as innovative financial technology-based solutions and services are being developed by Banks, we find particularly accurate for risk assessment purposes the definition by the BCBS of 3 categories of players: Incumbent Banks, FinTech start-ups and Big Tech firms (including GAFA, BATX, Telcos, Transportations, Utilities, IoT services…).
It is worth noting that in its discussion paper the EBA refers to both innovative services and new entrants when using the term FinTech" which could be confusing.
The French Banking Federation finds that the issues identified by the EBA are complete and particularly relevant.
Innovations related to digital technologies are currently abounding in many fields.
They come from both traditional players (Banks) and new players. New players develop new models of intermediation between customers and credit institutions. Some FinTech firms are only subject to national authorisation or registration regimes. Some FinTech firms are not subject to a regulatory regime at all. Crowdfunding is a good example and the extension of a regulation like the French one within the EU could be studied. Additionally, emerging FinTech companies perform activities that are traditionally performed by regulated Banks. It can potentially results in gaps in traditional supervisory and regulatory framework.
In the meantime, the banking industry is a highly regulated activity, and it seems obvious that there are divergences in the treatment of FinTech across the EU.
We therefore need to ensure that the regulation and supervisory systems cover the new players in financial services and is applied consistently for the same activity and throughout Europe, regardless of whether the players are financial or not, without hampering Innovation.
To give some examples:
- KYC using videoconference which is authorized by the German supervisor, BAFIN, was banned in France. Note: On this point, the recent authorisation given by the CNIL to Société Générale to implement a system of identification by facial recognition of the prospects during a remote connection, will be carefully followed up.
- Credit with regard to solvency analysis and the prevention of over-indebtedness: In a number of European countries credit institutions are not supervised or subject to approval.
- The fight against money laundering or fraud: The traceability of end-to-end operations is called into question by new actors' interfaces or models, which in fact weaken fraud detection systems and money laundering by masking the information necessary for a proper identification of the frauds.
Moreover, many digital projects are constrained by the absence of a coherent transversal regulatory framework that takes into account all the issues and aspects (eg. electronic identity certificate, biometrics, etc.). This situation applies not only to digital developments in a country but also to the developments of the group's foreign operations, which are often subject to stricter constraints than their counterparts because they have to apply both their national regulation and the regulation of the country of the parent company.
Level playing issue:
These differences lead to imbalances both in terms of consumer responsibility and therefore in terms of protection, and in terms of cost, and therefore of a distortion of competition. As level playing field is key to ensure not only fair competition but also consumer protection, the same regulatory conditions and supervision should apply to all actors who seek to innovate and compete on FinTech: Incumbent Banks, FinTech start-ups and Big tech firms.
The authorities must always apply the "same services/activities, same risks, same rules same supervision" principle in order to ensure consumer protection and market integrity. As the value chain includes different kind of actors and becomes more complex, all firms should go through the same process from product and service design to sales to avoid any regulatory arbitrage in responsibility-sharing. As an example, a compulsory minimal framework of internal controls and compliance according to the complexity and the size of the players could be set up.
Regarding innovation hubs, accelerators and regulatory sandboxes:
We agree that innovation requires the experimentation of new technology solutions and business models. However, it is too early to draw conclusions on the benefits and challenges of initiatives under labels such as innovation hubs, accelerators and regulatory sandboxes.
The United Kingdom and the United States accept sandboxes, which allow new FinTech firms but also institutions to test innovative solutions on a very small number of willing customers ("family and friends") without having to immediately analyse all the regulatory implications.
This approach should not lower regulatory standards, as consumer protection is paramount and all participants, consumers and stakeholders, must be informed that the service is provided under a sandbox regime.
In our opinion, competition between national supervisors on the basis of regulatory arbitrage should be avoided at all costs. The main risk of a national approach might be to create uneven level playing field and further fragmentation with different approaches among the EU Member States, with the final result that neither financial institutions nor consumers can benefit from these initiatives.
The principle of the "regulatory sandbox" (with prior authorization) does not seem to us necessarily adapted. It seems to us more effective, where necessary, to adapt the legislation applicable to all the actors concerned by a given activity, whatever their nature, size or other criterion.
Innovation hubs should provide an access for all FinTech firms, both new entrants and incumbents, regardless their size or business model. They should rely on a limited series of eligibility criteria, such as the amount, the duration, the number of customers and of countries…
The principle to be defended is genuinely the ability to make "test & learn", in terms of European regulation.
Our principles can be summarized as follows:
The financial sector must benefit from technological improvements, so regulation should not stifle innovation or prevent healthy competition. Europe must therefore promote agile, proportionate and efficient regulation of financial innovation:
1. Agile regulation: With regard to the emergence of new technologies and business models, regulatory adjustments (including simplifications) could be envisaged and new statutes could be introduced at European level, focusing on the main risks raised by the given activity (see specific regulation of crowdfunding since 2014). Agile regulation is also encouraged by initiatives that could be described as "test and learn". The normative framework thus recognizes the blockchain technology for the register of unlisted shares. Based on this first experience, blockchain technology could later be recognized for a wide range of services.
2. Proportionate: The level of regulation and supervision must always be proportionate and supported by the taking into account of risks (consumer protection and AML / CFT mainly). This philosophy makes it possible to soften the entry into the normative framework of the services in question.
3. Efficiency-oriented: Rather than being too prescriptive or detailed, guidelines-based regulation is more likely to be effective and adequate in an innovation environment. The introduction of more proportionality is nevertheless a matter to be treated with the utmost caution in order to properly assess the effects both on consumer protection and on the distortion of competition and on non-hazardous aspects to generate risks
The development of exchange of good practices and the establishment of European guidelines or high-level guiding principles at EU level could contribute to a convergence in domestic innovation policies across the EU, thereby facilitating the emergence of a single market for financial services.
Regarding the potential introduction of new licensing categories:
The relevant regulators must provide a clear and comprehensive regulatory and supervisory framework before the introducing new licensing categories for FinTech activities.
- FinTech new companies should have similar, if not the same, capital and/or liquidity and/or consumer requirements for a given activity as a financial institution.
- The EC must establish a fair and level competitive playing field to address the concern that specially licensed FinTech firms would be able to offer services and products in direct competition with full-service Banks, but subject to a more limited and less burdensome regulatory regime.
- Existing FinTech new companies often have atypical funding models and complex equity and ownership structures due to their venture capital and private equity investors, and in many cases will also have non-traditional balance sheet compositions that do not fit readily into the existing capital frameworks for Banks.
- Discretion should be reserved for activities that are not routine for conventional Banks.
- It is important to determine what activities are core banking activities and what activities a company has to undertake in order to be licensed as a national bank.
- Related to the issue above, there are financial stability concerns if established Tech industry players (Microsoft/Amazon/Apple/Google) and/or merchants are able to seek a limited purpose license in addition to FinTech firms (this issue is whether non-bank subsidiaries can benefit from the licence). The larger techs/merchants activities would have systemic implications. Any proposal for an EU FinTech licence must have a well-defined scope.
- Issues of consumer protection and financial inclusion must be the subject of consistent, rigorous, and transparent application across FinTech licenses and full-service national Banks.
There are specific activities that do warrant careful attention by regulators, regardless of who is engaging in the activity – namely payments, lending activities, and data storage – as the risks associated with these activities have far reaching impacts to consumers and the broader financial system (i.e. money laundering, terrorist financing, disparate impact, fraud, identity theft, unauthorized transfers, etc.).
The types of services offered by non-banking providers should be covered by banking licenses or new ones should be created, but if the services are comparable to banking services, they should be regulated in the same way. The guiding principle shall always be “same business, same risks, same rules”.
In conclusion, FBF supports the implementation of a fair and harmonized regulatory framework for credit institutions and new entrants and is not supportive to a "sandboxing regime". Besides, the significant number of sandboxing regimes, innovation hubs or similar regimes appear to have varying features which suggests that there may be a need that the EBA further analyse these regimes. FinTech requirements vary between European countries. The EBA should assess the various European regimes of sandboxes in order to harmonize supervisory practices.
Moreover, no soft or specific regulatory framework should be implemented to FinTech to a specific actor. For this reason, we do not support the introduction of protective measures (e.g. the establishment of regulatory sandboxes and innovation hubs). Any regime introducing regulatory distortions would be dangerous and contrary to the financial stability and to the consumer protection. Rules should be the same for all stakeholders, small or big, new entrant or established actors.
In addition, we believe that a comprehensive regulatory and supervisory framework must be provided before the introducing of new licensing categories for FinTech activities."
French Banking Federation supports the prudential areas of analysis detailed in paragraph 71.
If it is essential to welcome new actors in FinTech in financial markets because they are a necessary source of innovation, the dynamics they carry should not damage the financial system safety but rather protect traditional stakeholders and new entrants. For this reason, we support a responsible innovation" funded on the following rule: "same business, same risk, same rules". As such, independent FinTech firms must be regulated in the same way than the ones which are subsidiaries of a credit institutions.
While innovations are necessary, they can contribute to the disruption of the financial system. For this reason, it is essential to detect and to understand the deep transformations which result from the introduction of FinTech :
1) As such, it seems useful to underline that FinTech start-ups can be exposed to the operational risk, as the major risk. In the current framework, this kind of risk is not specifically covered by a proportioned regulatory capital requirement applicable to FinTech. Any operational adverse event could impact the reputation of small and big stakeholders and damage the financial environment, by contagion. As such, this risk could oblige FinTech partners/owners to intervene (step in risk) due to the absence of capital buffer or recovery requirements.
2) In addition to these operational risks, which could affect the FinTech firms themselves but also their trading partners and shareholders, consumer protection must be a high priority for regulators. Therefore, the interactions between the activities of certain FinTech firms and guarantee deposit funds must be considered with great vigilance.
3) If it is easy to consider the risks carried by FinTech firms and relative to the safety of financial transactions or the risk relative to AML/CFT, it is also essential to consider the solvency/credit risk carried by these companies. For example, the crowd-lending business carry a credit risk and some bankruptcy examples reminded this reality for consumers and investors, during the last few months. The financial intermediaries in crowd-lending should be submitted to the same requirements as the leading players which risk is supervised by the SSM. Indeed, it is essential to modify the regulation to prevent any financial risk.
4) Besides, the development of the high-frequency trading (HFT) by some FinTech firms requires to strengthen the liquidity regulation. This activity modifies the organization of equity markets, as well as the organization of trading platforms. When they provide liquidity to capital market without regulatory requirement, FinTech firms specialized in HFT evict traditional actors with a distortion of the competitive environment. These new unregulated actors could generate sudden « flash crash » through market manipulations strategies (they send a disproportionate number of orders dedicated not to be executed with the aim to slow the functioning of trading platforms and to benefit from trading opportunities) and benefit from the lack of the current regulatory framework.
At least, it is necessary to better identify the specific risk carried by new entrants in FinTech. Currently, 31% of FinTech firms are not subject to a regulatory regime under EU or national law and the regulatory status of 8% of FinTech firms is not identified (cf. part 3.2.2 of the EBA/DP/2017/02). Moreover, the majority of FinTech firms is not subject to recovery and resolution plan requirements nor member of a deposit guarantee scheme protecting their customers in case of failure, even if some FinTech firms provide credit, deposit or capital raising services. This percentage of FinTech firms not submitted to a statutory framework is significant. For these reasons, we support the EBA in its work.
If we focus on cybersecurity threats which remain one of the most important challenges for Banks. As recently confirmed by Europol in the wake of the Wannacry ransomware attack, Banks have made substantial progress on this front compared to other sectors of the economy. More needs to be done and increased cooperation among the regulatory and supervisory authorities at national, European and global level will enhance progress on this front significantly.
The EU could play a role in:
- Streamlining harmonised format and procedures for security (IT) incident reporting to avoid overlap and redundancy in reporting to multiple competent authorities (NIS Directive, PSD2, Data protection regulation, Single Supervisory Mechanism SSM).
- For resilience purpose and risk mitigation, establishing a legal framework for data sharing which allows the possibility to sensitive information related to fraud & cyber-attacks at national and cross-border level should be put in place.
- The current collaboration between the industry and regulators and among regulators needs improvement. This would help to overcome the regulation challenges and maintain the speed of innovation/digitalization. The public sector needs to work proactively with the private sector, across borders, to share information about attacks, exchange best practices and continually improve security systems to deter cyber criminals.
European Banking Authority (EBA) and the European Network and Information Security Agency (ENISA) could prioritise harmonisation across jurisdictions through the fast adoption of guidelines or an update of existing guidelines to ensure a common approach by regulators/supervisors regarding procedures and methodologies and cloud projects approval. It is also essential to update EBA Guidance on outsourcing, which dates back from 2006. It needs to be adapted to the cloud computing technology.
In conclusion, FBF agrees that an in-depth analysis has to be conducted, in addition to further exchanges with the supervisors on these topics. The guidelines should be updated in view of the rapidly changing environment. Nevertheless, these rules should cover an ecosystem that is increasingly trans-sectorial.
Whether they are traditional Banks, or new entrants, all actors rely on GAFA today. Therefore, GAFA become new systemic institutions. A "prudential" supervision of these players should be studied."
First, it seems necessary to underline that the Banks are FinTech too.
The banking industry is often the source of the innovation in the financial sector. This innovation is built by the knowledge of the need of theirs clients and the joint work carried out with FinTech start-ups. It is worth pointing out that Banks do a lot of FinTech themselves, in the meaning of developing innovative, technology-based financial solutions and services.
This comes with huge investments, jobs and growth, for all sorts of suppliers (including incumbent tech giants). While there are still strategic reasons for Banks to rely on internal IT departments, there is considerable potential to create value — for themselves and the economy at large — by nurturing an ecosystem of start-ups and technology innovators that can assist Banks in developing shared platforms increasing resilience and cost effectiveness of banking and payment systems.
For example, in France the “Pôle de compétitivité Finance &Innovation” allows the joint work between start-ups and Banks. Moreover, several Banks have set up some physical infrastructure to offer a framework for giving good conditions to nurture the start-ups and elaborate a partnership with FinTech small firms.
One of the challenges is that smaller companies are often less ready to meet all the regulatory requirements that Banks need to adhere to so there is often support from Banks’ compliance areas to bridge the knowledge gap.
Firstly, it is important to mention that technology has been implemented in Banks for decades, and efficiency improvement was always a driver in four major segments:
- Interaction and communication with clients (from paper to online);
- Security of the data and funds protection for their clients;
- Enhancement of interoperability by way of standardisation and common rules (e.g. SEPA);
- Industrialisation and automation in operations.
A high percentage of Banks views the possibility of partnerships with FinTech start-ups, or other actors of the FinTech, with great interest. The objective is to obtain concrete benefits that enhance specific key business areas, products and/or services by leveraging:
- Solutions that focus on cost reduction via process improvement or replacement of platforms/ IT solutions by either new business models or technologies;
- Solutions enabling Banks to attract and on-board new customers, to improve customers’ relationship or to increase the offer of new and innovative products/services;
- Risk management;
- Cybersecurity (e.g. fraud detection and data protection);
- Regulatory (RegTech);
- Big data and artificial intelligence;
- Current processing solutions in the payments or securities space.
We share the findings of the EBA regarding the series of risks they identified: increased conduct problems, fraud, cybersecurity, subcontracting and personal data management issues, lack of expertise, inadequate technological infrastructure, increasing use of the cloud, in addition to a stronger competitive pressure.
In this new context, a certain number of texts, specific to the banking industry or based on a cross-sectorial approach, already cover these risks, such as the GDPR, the NISE Directive or the guidelines on subcontracting.
In our view, the danger would be to regulate even more specifically the incumbent credit institutions without regulating the actors who are performing similar activities. The approach should therefore be holistic and by nature of activity. Moreover, the financial sector as a whole, including existing incumbent players, must benefit from a regulatory framework that does not stifle innovation. It should remain competitive compare to other sectors, while players are becoming more and more multi-sector.
The FinTech makes a valuable contribution to the innovation effort in the area of payments (new technologies, new customer paths). Indeed, this sector naturally lends itself well to the use of new technologies and the regulation facilitated its opening to non-banking actors. This is a field favoured by the FinTech.
For the time being, the impact in terms of market share is marginal. In addition, the FinTech are less competitors than partners. They stimulate an already successful market, which is appreciated by the customers. They provide agility to test new offers, to make faster progress in existing offers and to offer complementary services to certain market segments or niches. The impact of the DSP2 is still difficult to assess and may depend on how the directive is transposed into national laws.
Aggregation capabilities, and even transfers between Banks, already exist, even if they still remain limited. The new regulations will certainly simplify the implementation of such solutions, for the relevant scope of accounts, by replacing screen scraping with standardized and documented APIs. It should facilitate the development of new services by developing partnerships based on an Open Bank" architecture and APIs which should enhance the services we offer to customers. It could enable us to position ourselves more as a regional player and as an attractive partner for all FinTech actors."
It is first and foremost the evolution of customer behavior and expectations that drives the transformation of Banks. Competition from FinTech is another stunt.
In this context, Open Innovation's approach intensifies relations with the external innovation ecosystem to bring it closer to the operational transformation needs of the businesses. This facilitates a lower-cost transformation thanks to smaller and cheaper players than traditional suppliers, and a differentiation provided by alternative actors in terms of customer experience, integrated digital paths, technologies, and so on.
This approach makes it possible to multiply the collaboration and its surface of contact with the different actors of the ecosystems such as start-ups to bring the most relevant solutions to business transformation needs.
Relationships range from collaboration with service providers to equity participation until acquisition when their activity is considered core business".
The proposed approach by EBA does not seem to call for comment."
As described above (Q3), Banks will go on investing their IT departments to upgrade their IT infrastructure and core banking systems and applications, but also to develop new products and services.
In the meantime, the development and the integration with an ecosystem of start-ups and technology innovators will require additional investments to further enhance the interoperability by way of standardisation, common rules and new technological capabilities (see Q 9 regarding blockchain/DLT, APIs…).
New opportunities linked to the strong development of the payment and securities markets will have an important impact on the volumes of data and transactions. The Banks will have to capitalize on their experiences in managing important customer databases in order to upscale their IT systems and upgrade their data management processes.
It makes sense that the work foreseen on incumbent credit institutions should be expanded to include in its scope payment institutions and electronic money institutions.
The best way to foster innovation in Europe will rely on the strengths of all actors and their complementarities and not by favoring some of them.
The arrival of FinTech start-ups has spurred innovation, accelerated the transformation of Banks and opened door to new win-win collaboration. The FinTech could bring solutions in the payments or securities field:
- Distributed Ledgers Technology: was initially popularized through the exchange of the digital currency Bitcoin. However, DLT may have many potential applications beyond digital currencies, many of which are relevant to the financial services industry. Distributed ledgers can provide for the development of more efficient trading platforms and payments systems, as well as providing more transparent information sharing between financial institutions and between financial institutions and regulators. Properly developed, it can lead to a win-win situation for financial institutions and regulators, allowing firms to reduce operational costs and providing regulators with greater transparency and risk reduction in the financial system. (e.g. via the development of a proper business case at Banks and industry level). DLT is the innovation where collaboration with other market players will be most needed as no DLT system will be possible without global and far-reaching collaboration
- Interoperability could be in relevant areas, provided it is developed in a way that ensures high levels of cybersecurity, data safety and customer protection, fair competition (the actors that use an infrastructure have to pay for its real cost) . A wide adoption of Applications Programming Interfaces (APIs) will pave the way for a secure, competitive and innovative environment for financial services.
The standards and interoperability must be defined at sector level and not supervision level. Various standards for many types of transactions and services have been defined in the banking sector over the years. Furthermore, the complexity of the standards makes the process of definition and sharing among the players complex, since it is necessary to take the operating and technological needs of all of them into account. Nevertheless, prescriptive regulations should be avoided. The European Commission should support the creation and/or adoption of proposed technical standards (on a voluntary basis) with a view to greater flexibility in the development of global technology solutions
From the point of view of Security, guidance from supervisors on which standards to follow, such as NIST, ISO 2700X or COBIT would ease compliance.
In addition, authorities can be helpful by delivering the Regulatory Technical Standards in advance to allow sufficient time for the industry to adapt
- Real time payment: Today the financial industry relies on a network of correspondent Banks that allow payments to be made cross-borders on average on a T+1 / T+2 basis (though this timescale can extend especially if there are compliance/legal rules to follow e.g. because of the country of the payee). A number of Banks have been reviewing new blockchain-based payment protocols available on the market like Ripple and experimenting with a proof of concept platform based on Ethereum. These solutions take advantage of the capabilities of blockchain to execute payment obligations netting and enable real-time clearing without the involvement of correspondent Banks on each transaction.
Existing regulations provide a solid level of protection and will continue to do so. A prerequisite is to ensure that consumers are protected and that the financial stability is ensured, irrespective of who the provider is. Therefore, it is necessary to maintain a level playing field regarding the regulation of potential competitors/sectors and between Members States, when issues such as KYC, digital signature, MiFID are addressed. Several risks have been identified which may have an impact on consumers' rights when dealing with cross-border operations: as far as two different laws could be applied, there is a necessary clarification on the right to be applied. Divergences in national regulations could lead to difficulties in the context of the Freedom to provide services.
It is fundamental that the level playing field" rule (the same rights and obligations for all actors and in all countries for a given activity) be applied (see Q1). Current asymmetries hinder innovation, for example for traditional banking players subject to the existing banking financial regulation. They can also create risk situations for consumers who do not have a homogeneous level of protection but also for all the financial institutions.
For example, financial institutions can be directly affected by fraud problems linked to cyber security issues encountered by certain actors, or more indirectly by the weakening of the consumer confidence in financial services.
The diffusion of digital technologies potentially leads to several new types of risks for consumers, linked to the quality of information, the cyber-security, the data protection, the emerging new models and new players that are challenging in terms supervision evolution. Innovations are indeed valued differently depending on the different countries' authorities.
As an example, IDnow's videoconferencing solution used by Number 26 in Germany has been approved by the BAFIN as a possible means of remote identification. In France, such a solution does not fall within the competence of the ACPR (because it is too technical) banking authority or the technical authority (ANSSI) because it does not fall within its remit. A European technical authority might able to quickly assess the reliability of innovative technical solutions, to which local authorities could rely.
As a conclusion, the EBA acknowledge that the authorization status of FinTech firms is crucial not only in terms of competition but also in terms of consumer protection. It seems difficult to envisage that 53% of FinTech firms could remain outside the EU framework considering the imperatives of stability of the financial system and protection of the consumer.
As level playing field is key to ensure not only fair competition but also consumer protection, the same regulatory conditions and supervision should apply to all actors who seek to innovate and compete on FinTech: Incumbent Banks, FinTech start-ups and Big tech firms. The authorities must always apply the "same services/activities, same risk, same rules same supervision" in order to ensure consumer protection and market integrity. As the value chain includes different kind of actors and becomes more complex, all firms should go through the same process from design to sales to avoid any regulatory arbitrage in responsibility-sharing."
It should not be forgotten that cross-border operations are an exception and not the rule. According to many studies, there is a very low demand for cross-border operations, and there are limited examples of products and services being offered in more than one jurisdiction.
It is difficult to determine whether this is driven by the complexity of managing across differing licensing and regulatory framework, or if the FinTech business models have yet to achieve full penetration of domestic markets that would warrant the increased investment.
The impact of passporting facilities on the cross-border deployment of Fintech new actors should be further assessed.
Consumer protection laws are far to be harmonized within the Member States in Europe. We totally agree with the conclusion of the EBA that this could result in regulatory arbitrage and different levels of consumer protection across the Member States.
Maximum harmonisation of consumer-protection rules in retail financial services has not prevented a divergence in national legislations, particularly due to Member States' growing tendency to gold-plate, either when transposing or in the extensive interpretations of the texts by national regulators. It prevents all European Banks from being on a level playing field".
We would see a need to extend the regulation in place to non-regulated FinTech firms in order to address cross-border issues. On any foresee action or regulation, the principle "same service, same risk, same rules" should apply."
Again as stressed in the EBA’s discussion paper, consumer protection laws, which is a very important component to fulfil when selling products or services cross-borders, are not harmonized within the EU Member States. We believe that different consumer protection regimes act as a barrier to the provision of cross-border retail banking products and services, both for consumers and banks. Indeed it would be very costly for banks to adapt their contracts to each Member State’s market in order to comply with the rules of international private law (i.e. Professionals must apply the consumer-protection rules of the consumer’s habitual country of residence when the professional directs his activities to a consumer from another Member State).
Examples of regulatory obstacles:
- The development of foreign settlements in French establishments, which are often subject to stricter constraints than their counterparts in the extent to which, in certain aspects, the rules of the two countries, of the establishment and of the parent company, have to be considered.
- Digital identity frameworks are currently not sufficiently developed and even if they were, regulatory fragmentation across Europe regarding digital identity remains a big obstacle for a harmonized European digital identity framework as eIDAS could be.
As acceptance of the means for identifying customers remains with the Member States it is necessary to harmonize the European framework regarding the prevention of money laundering and terrorism financing (AML/CFT), to ensure the 4th Anti-Money Laundering Directive is implemented in a consistent way. We are in favour of providing for a broad scope of possible methods to be used in the process of digital on boarding, ranging from those notified in line with the eIDAS Regulation to others. As different national requirements still apply to the remote identification of customers, in our view, as a first step, harmonization is required, notably to allow for digital on-boarding including via video.
- To facilitate innovations and shorten cycles of innovation in the banking sector, they should be able to be housed in ad hoc subsidiaries not subject to regulatory and sectoral banking requirements. Moreover, the fact of intervening in certain extra-banking projects, as a bank, excludes us because we are caught up by our regulatory constraints. Thus a project of digital identity LABCHAIN in which the identity declared by a bearer would be guaranteed by different guarantors of his choice, of which Banks, our standards of KYC exclude us because the enrolment identity of the bearer is less detailed than what is required by our KYC constraints.
The supervision of the credit granting actors should be reviewed at European level with a view to greater convergence of accreditation and supervisory practices.
We suggest to set-up a status like the French one : société de financement" , which is lighter than a status of credit institution with less prudential constraints.
In the area of credit granting, the principles of solvency analysis are governed by the Mortgage Credit (MCD) and Consumer Credit (CCD) Directives. It is important to ensure that they are respected, including by new actors, notably those who operate remotely and bring innovative models. It will help ensure that the consumer is protected, with a focus on the risk of over-indebtedness.
However, some texts cover only credit institutions. Some specialized or alternative actors, who have pushed for the creation of new accreditation categories in certain countries and for crowdfunding, are not always subjected to the same requirements and supervised in the same way, which creates a distortion and does not guarantee good consumer protection.
With regards to security, financial actors are subject to a specific supervisory regime as a result of their activities, which is more supervised than other sectors. We believe it is necessary to extend the scope of cybersecurity regulation and supervision to all players who offer financial services and manage financial data. The security constraints imposed by regulators must be the same for all actors who handle or collect personal and bank data from end-to-end with the highest level of security (no weak link).
At European level, the European Commission wants to promote competition and innovation among financial players by "opening up" certain systems. It is necessary that these initiatives not be detrimental to the soundness (and even the "usability") of the systems in place.
Several points should be highlighted:
- The FinTech, which intervene between the client and the bank, should not conceal the information necessary to detect the fraud;
- The personal and banking information of our customers must be protected against the leakage of information, in the internal systems but also and especially in the "new actors" who consume this information and when they circulate between actors. This dissemination of information can facilitate identity theft or the development of models based on the monetization of customer financial data;
- The responsibility of each of the actors must be clearly defined in the event of an incident.
In conclusion, concerning disclosure requirements, as already acknowledged by the European Commission, a lot has been done over recent years to insure that information disclosure is effective, transparent and comparable. EU measures such as the MCD, the CCD, the PAD, the Undertakings for Collective Investment in Transferrable Securities (UCITS) Directive, MiFID II, PRIIPs Regulation and IDD, have a heavy impact on retail financial services. They entail tremendous costs which have not yet completely been implemented in many countries.
In our view, no new regulation is required at the moment. It is preferable to make use of existing extensive regulation protecting consumers and give them time to produce their effects and to assess if the apply to all players. Secondly, the impact of new technologies, in terms of benefits and potential risks, has to be studied before deciding on new regulations which may stifle innovation. The accumulation and inflexibility of excessively detailed rules prevents the banks from developing their products and services in line with new technologies, which has the effect of distorting competition with new, less regulated players."
Unfair, deceptive or aggressive commercial practices and unfair terms are already largely regulated. More generally, customer information is subject to many obligations for all financial services.
For example, in France, there are national provisions on forced sales and tied selling. If he considers that he has been the victim of breaches of these obligations, the consumer has free and easy recourse before the courts, which the Directive on consumer ADR has just framed. Companies are also required to notify their customers and referrals (see price brochure, website, etc.). Most financial institutions also commit to a processing and response time on receipt of a claim, usually less than the two-month regulatory period.
In the event of an abusive sale, the consumer will receive appropriate financial compensation, which he can always contest if he deems it unsuitable, by taking legal action. The system seems to be functioning in a balanced and impartial manner, and to be largely sufficient.
Also noteworthy is the FIN NET device, which enables a European consumer to have easy and free access to a remedy in the event of a dispute, irrespective of his place of residence and that of the supplier of the product or service. FIN-NET has natural" correspondents in each country concerned (eg. AMF, ASF or FFSA in France) that cooperate to facilitate consumers' access to out-of-court complaints procedures in cross-border cases.
In conclusion, we agree on the findings of the EBA concerning non-regulated FinTech firms, which may have unsuitability or non-existing complaints handling procedures should receive attention. Currently the regulators tend to assign to incumbent Banks the role of "claim concentrator" without fair compensation (notably in PSD2).
As far as regulated FinTech firms (Banks) are concerned the consumer protection is fulfilled:
- Thanks to the quite recent Consumer ARD Directive, low-priced mediation and reconciliation mechanisms will be expanded further. In addition, directives on unfair-terms and unfair business-to-consumer commercial practices provide the consumer with sufficient protection from any abusive sale of financial products.
- To help consumers to find adequate redress mechanism in cross-border situations the Financial Dispute Resolution Network (FIN-NET) was founded in 2001. As banking industry, we are totally in favour of measures for expanding the use of FIN-NET.
We also agree that an issue to look into in the context of consumer protection is the legal liability of each actor involved in a given service. As such, it could be argued that the best approach for ensuring consumer protection is for Banks to take a risk-based approach to mitigating and controlling for possible consumer protection risks."
Preserving the consumer confidence is key. The development of the digital economy in financial services necessarily means that the consumer must be protected. However, the diffusion of digital technologies potentially leads to several new types of risks for consumers related to the quality of information, the cyber security, the data protection, the emergence of new models and new players, with a challenge in terms of evolution of the supervision.
Consumer protection must be based on comprehensive, accurate, clear and non-misleading information in order to reduce the risk of misunderstanding of information and therefore a product that is unsuited to the needs and wishes of the customer. It is therefore necessary to ensure the transparency and clarity of information delivered to customers. For example, websites providing advice or recommendations to consumers should be strictly governed by a policy of transparency and control so that they are objective and comply with the necessary level of transparency.
If the consumer protection legislation has to be applied to the digital environment alike, it has not always been thought of for this type of use. An evaluation of the adaptation of all existing regulatory texts to remote operation modes via mobile or internet should also be carried out.
Today, means of contracting remotely are efficient (eg. electronic signature). However, the way they are implemented to comply with the regulatory framework can lead to a heavier subscription path for the remote client than for the face-to-face one. It can reduce the potential of the actors to provide dematerialized services. For example, the multiplicity of documents to be provided may be a deterrent: three application summary forms and a telephone interview summary" document must be provided when subscribing to an on-line consumer credit.
Some concrete proposals:
- Consumer Identity: Many means of identification or authentication included in online customer paths, particularly remotely, go through the customer's smartphone. The smartphone becomes a central pivot point with the applications carried. It turns out that quite often there is no robust identity verification by telecom operators during the sales of the smartphones. It would therefore be desirable for telecom operators to have stricter obligations to verify the identity of the customer (personal ID document and identification) and of the address.
- Contractualisation: The rules governing the remote selling and canvassing of financial services are not harmonized. In the financial sector, it is therefore necessary to apply two regulations instead of one, with provisions that are not completely identical. This does not facilitate the implementation of multichannel paths.
The concept of communication on a durable medium is outdated and difficult to implement in the context of efficient remote paths that are fluid for the consumer.
- The European regulation on remote selling of financial services is old and deserves to be reviewed. It leads to paths with many ruptures, too long that discourage the user. Moreover, the European directive has been interpreted in a very extensive sense by the case law of the Court of Justice of the European Communities (5 July 2012), which has led to considerably heavier customer paths (with no use of hyperlinks possible) . Simpler paths might be implemented, where the different contractual documents appear as links with an explicit title. It is also possible to ensure that the customer will open the link, as otherwise the subscription cannot be finalized.
- Execution of the contract: The best way to use a consumer's favourite channel is to ask him which he wants to use and to stick to that channel. However, electronic writing is still too often discriminated against in paper form.
In terms of data protection, we believe that the GDPR is a major step forward. Any additional regulations on this subject would be counterproductive at this stage
In conclusion, as acknowledged by the European Commission, technological developments and the expansion of new distribution channels may make it difficult to provide appropriate pre-contractual information to customers - for example, by supplying mandatory disclosure via mobile devices with small screens.
A lot has been done over recent years to ensure that information disclosure is effective, transparent and comparable. A number of EU measures have addressed the area of information disclosure (MCD, the CCD, the PAD, UCITS, MiFID II, PRIIPss and IDD).
The intention of the EBA to conduct an in-depth review of the EU legislation requirements that may restrict digitization is the good option. In our view, the priority should be to adjust the already adopted measures to the new digital technologies. In that way, the assessment how information should be presented in the digital ecosystem is essential and Banks could help to provide some elements in that field.
Any new requirement on additional information to provide to the consumer should be considered with caution, particularly looking at the concrete impact on consumers. It seems useful to recall at last, that in its Green Paper on retail financial services the European Commission underlines the need for “proportionate information on retail financial service products”."
We agree that the national provisions on dematerialized documents still discriminate on many points.
Here are some examples:
- Contractualisation: The rules governing the remote selling and canvassing of financial services are not harmonized, contrary to what has been done for other sectors with the Hamon Law, transposing the Directive 2011/83/EU on consumer rights resulting in the merger of the legal regimes of so-called direct marketing and distance selling.
In the financial sector, it is therefore necessary to apply two regulations instead of one, with provisions that are not completely identical. This does not facilitate the implementation of multichannel customer paths.
- Execution of the contract: The electronic writing is still discriminated against the written paper (according to article 314-26 of the RGAMF, a formal option from the customer is need for electronic communications. This article could be adapted.
The provisions of the Monetary and Financial Code on the account agreement (resulting from the transposition of the Payment Service Directive) distinguish the information provided by and the information provided to the customer. In order to prevent information relating to banking transactions (which need to be secured) from being sent to public e-mail addresses, or that the customer is saturated with SMS alerts notifying him of mails linked to the execution of the contract, contractual relations would be simplified by introducing a possibility, as in the case of account statements, that information relating to the execution of contracts could be provided or made available to the customer.
Ordonnance No. 2017-1433 of October 4, 2017 on the dematerialization of contractual relations in the financial sector (JO of 05/10/17) which has just been signed also discriminates the electronic writing of the paper: for the exercise of the right to open an account under the PDA, which must be made in paper form, for the operations carried out in the context of direct marketing.
In terms of data protection, we believe that the GDPR is a major step forward. Any additional regulations on this subject would be counterproductive at this stage.
The adoption by customers of new digital services requires that these technologies be explained, popularized and validated by an undisputed body. Customer confidence is the main driver for their adoption. For example, informing policy-holders that an electronic transaction meets a European standard with a high level of assurance would be a guarantee of confidence.
The risk of financial exclusion linked to a low level of financial education is real and effectively reinforced by the use of digital. It mainly concerns people who are financially fragile, disabled or elderly. The integration of these people will mainly be through:
- Digital and financial education to be integrated into school curricula. For example, France has launched a vast program of financial education, which will be integrated into national education programs (primary and secondary schools) under the aegis of the Banque de France.
- Access to free points, for example, in town halls. This is a much broader public policy problem than the banking and financial relationship. However, the Banks have developed programs to support digital awareness and security.
But this issue is not specific to the financial sector and appears to be primarily a matter of national action. At this stage, a European regulation on this point does not appear necessary. The initiatives of the profession are numerous and can make it possible to propose interesting and innovative solutions. In any event, any initiatives that might be taken should involve all actors, including those who do not currently have obligations to serve non-digital consumers.
The PAD Directive, which is currently being transposed in the various European states, addresses the issue of economic banking inclusion. Its results will have to be evaluated after a sufficient time.
Conscious of the importance of the financial literacy of consumers, the banking profession – in France - produces educational material for all customer segments through dedicated programs and through Banks' individual initiatives.
Financial/digital literacy could help customers to understand the benefits and risks that they assume when using these new digital services. It should be targeted at individuals as well as at any company that offers these types of services. As an example, the increasing use of customer data to improve services might be explained in relation to the GDPR new framework.
In conclusion, we welcome the way forward suggested by the EBA to continue to coordinate and foster national initiatives on financial literacy as the financial instruction and education are everyone's concern, specially including the public authorities, as these are issues that go far beyond the framework of a mere banking relationship.
It must be remembered that artificial intelligence (AI) is still in its initial growth phase and the technology continues to develop and evolve on a near constant basis. We must also be clear that AI is an umbrella term to cover a confluence of multiple technologies, such as machine learning, which includes deep learning, cognitive computing, natural language processing, neural networks, etc.
It is too early to make any statistically significant measurements about the use of automated financial advice" today. Although "automated financial advice" can produce more reactive, real-time solutions to customers; for the time being it remains a niche technology.
There is no need for any new regulation concerning advice itself as in principle, “automated financial advice” is ‘financial advice’ and is covered by MiFiD2/MiFiR. Any definition of customer segmentation is based on the customer profile and not on the technology used.
With respect to customer protection, the EBA has identified two main risks namely a possible malfunctioning of the tool or exclusion due to micro segmentation.
We would like to stress that human reasoning should always be more valued that machine reasoning and reasonable exceptions to machine-generated decisions should always be implemented. For instance, a bank can be asked to give customer credit, despite her/his history and AI analysis because such customer is making a change in her/his life or profession or probably needs the credit to do so.
It is also important to stress that although the characteristics of “automated financial advice” limit human intervention, an access to an operator (via online chat, mail or telephone) may be provided to help the customer along the process. This issue is very important in particular where customer’s financial or digital knowledge is low. AI and big data analytics can be used throughout, but human intervention must not be cut out completely."
With regard to the resolution of financial firms, FBF supports the proposed EBA way forward.
Interactions between FinTech start-ups and credit institutions are increasing. The development of FinTech allows an improvement of reporting and monitoring processes, thus facilitating operational continuity in resolution period and providing an answer to regulators and supervisors that require more frequent reporting on larger volumes.
Combined with the development of social networks that are a vector for the spread of rumours and the deployment of real-time processes, the increasing digitalisation of the financial ecosystem may also speed up the movement of deposits in a time of crisis and could modify the timing of the determination when an institution is “failing or likely to fail”.
FBF agrees on the EBA findings that resolution-related requirements on FinTech new actors are not common and that divergent practices are emerging across jurisdictions. Recognising the statement that a business is as strong as its weakest link", there should be requirements for all FinTech firms to have a resolution/recovery plan.
At this time, it is not clear how resolution authorities can apply their resolution powers to those FinTech entities. It seems essential that a proper set of rules apply to FinTech firms entering in the financial markets in order not to create further undesirable impediment to recovery/resolution for Banks or unnecessary external impediment to resolution for Resolution Authorities."
The EBA findings are true for third parties in general. The findings are not different if the third party is a FinTech company, except in one case: if the technology masks certain information and weakens the detection system of the Banks, especially for the fraud.
We share the EBA's view that it may be appropriate to explore the different national approaches for AML/CFT purposes. Not all FinTech firms have been designated as obliged entities" in all EU Member States, even where they provide similar services to firms that have been designated as such. It has to be considered as a huge issue for scrutiny."
The new financial players may be outside the scope of the banking sector regulation and subject to less stringent AML/CFT rules that are Banks. These regulatory gaps or loopholes may lead to some distortion of competition, which may violate the level playing field principle and lead to increased potential for financial crimes.
Regarding customer identification and verification remotely and through digital means, the differences in the ways in which the Directive 2005/60/EC was transposed by EU Member States have a several consequences. They could hamper the development of FinTech firms using innovative CDD solutions. They also represent a big obstacle to a harmonized European digital identity framework as eIDAS could be.
We are in favour of providing for a broad scope of possible methods to be used in the process of digital on boarding, ranging from those notified in line with the eIDAS Regulation to others. As different national requirements still apply to remote identification of customers, harmonization is required, as a first step, notably to allow digital on boarding including via video.
The financial industry compliance obligations (i.e. KYC, AML, etc.) could be more efficient if there were a regulatory framework that allowed public/private institutions to provide services related to KYC.
In conclusion, it is necessary to harmonize the European framework regarding the prevention of money laundering and terrorism financing (AML/CFT), to ensure that the 4th Anti-Money Laundering directive is implemented in a consistent way as the acceptance of the means for identifying customers remains on the Member States.