BEUC, The European Consumer Organisation

FinTech firms offering similar financial services must be subject to the same licensing scheme and be regulated throughout the EU.

BEUC considers that EBA has correctly identified the issues. We support its proposal to carry out an in depth investigation to assess national regulatory regimes, and the features of sandboxing regimes and innovation hubs.

We also support the proposal to assess the merits of converting the EBA guidelines on authorisations under PSD2 into regulatory technical standards (RTS), in order to ensure compliance.

Regulatory sandboxes cannot be understood as a shortcut to avoid regulation for any given project, as this would be against the principle of creating a level playing field for all stakeholders and would have a negative impact on consumers.

An important question is what types of firms should qualify for the sandbox. In the UK, the FCA’s regulatory sandbox has met significant demand in its first year of operation, receiving 146 applications and supporting 50 firms across the full range of sectors regulated by the FCA. The Financial Services Consumer Panel, a consumer body in the UK and a member of the BEUC network, has raised concerns regarding larger firms participating in the sandbox. If the focus is on helping the larger incumbent providers and increasing their ‘access’ to the national competent authority, then it is likely to maintain the status quo rather than act in the interest of consumers.

Consumer safety should be a key criterion for admission to the sandbox. Consumers should have the same protections as they usually have. Considering the integration of the financial market and to avoid regulatory arbitrage, a certain degree of homogeneity is needed in the definition of criteria to enter the sandbox, in the internal operating and interaction with regulators and, finally, in the conditions under which the exit will take place:

- A sandbox is a specific and defined part of the market. Strict limits on the types and amounts of products that qualify should be adopted by the regulator. In addition, a sandbox should be a closed shop for private consumers, and only open to professional consumers who are well aware of the risks involved. One of the most significant uses of digital technology which has emerged is automated investment advice. While such services have the potential to increase access to financial advice for consumers, any measures to increase retail investor participation through such innovative distribution channels should be accompanied by appropriate safeguards.
- To enter the sandbox, projects should be innovative, demonstrate the impossibility or unlikelihood they would be developed without a sandbox and provide clear benefits for the clients, following a case-by-case assessment.
- Once in the sandbox, the company must accept testing conditions that ensure compatibility with consumer rights, must prove that its offers will not affect the open economy, and must report to the regulator according to a previously agreed roadmap.
- Regulators should use sandboxes as a way to identify existing and future risks to consumers. It’s not simply about facilitating life for firms or ‘innovation at any cost’.
- Many firms see sandboxes as an endorsement or even as a marketing tool. National and EU sandboxes need to take this into account and ensure the services firms are offering under the sandboxes regime do provide value to consumers.
- Need for clearer redress attached to the products included in sandbox.
- Exiting the sandbox is a milestone in the process, as the final objective is that the project should enter the market under clear regulatory conditions. Projects entering a regulatory sandbox know in advance its limitations in time (no more than 1 year) and scope of the sandboxing environment. Once the allocated time is over, the owner of the sandbox should provide greater clarity on the application of the regulatory framework: (a) the firm decides to discontinue the project because the business case is not clear or because compliance is too burdensome; (b) the authorities consider that the project fits in the current regulatory framework and provide guidance on next steps to comply; (c) the authorities consider that the project does not fit in the current regulatory framework and expressly forbid any similar projects.
Response to questions 6 & 7

FinTech firms are challenging traditional financial business models and are likely to play a key role in firms moving towards less capital-intensive business models, where (after the initial investment) firms benefit from economies of scale with lower ongoing costs. However, it remains to be seen whether those lower costs and increased competition will translate into lower costs and better services for consumers.

See our response to questions 15 and 16 regarding the possible impact of digitation and FinTech on financial inclusion.
Response to questions 8 & 9

Traditional payment service providers (like processors and acquirers) seem to move from ‘payment only’ business models to ‘consumer data analytics’ business models. Some analyses relate to fraud prevention. Other analyses relate to profiling and marketing on behalf of retailers. Both purposes pose serious privacy issues.
For example, in the US, Google uses payment data from physical retailers to measure the effects of online marketing . They claim that data is anonymised. Yet, if the data is really anonymised, how is it then coupled with individual adverts? All these issues must be further investigated by competent authorities (where cross-sectoral cooperation between authorities will be required) in order to prevent detriment to consumer privacy, discrimination, exclusion, etc.
Response to question 10

We agree that consumer rights related to FinTech providers are not always clear due to an unclear regulatory status. First of all, it is the role of policy-makers to make sure that no FinTech stays in a grey, unregulated area. From a consumer point of view, a FinTech/non-FinTech classification of financial service providers is artificial. In the sense that consumers expect good quality services fair treatment by all providers. Consumers cannot be expected to check the registers run by national regulators to see whether a financial provider is regulated or not. They expect that all firms operating in the market are duly licensed and supervised.

As regards consumer awareness about their rights, the awareness level is quite low. This is a more general problem, not only related to FinTech firms, and weakens the effectiveness of existing legislation. For example, in 2014-15, 80% of UK consumers had some awareness of the ombudsman, though only 24% could name it without prompting. The situation is unlikely to be better in other Member States.

There is a need to have an EU-wide coordinated policy on raising consumer awareness about their rights in all financial sectors. Public authorities, consumer organisations and industry representatives should closely cooperate in that context. Next to that, it should be easy for consumers to get redress whenever they suffer damage. This means that all national supervisors should properly enforce the laws , and consumers should have access to efficient out-of-court redress mechanisms.
Response to questions 11, 12, 13

We share the EBA analysis of the issues related to enforcement (or lack of it) across the EU, which negatively impacts financial consumer protection and confidence. The reality is that market conduct supervision is fragmented across Member States which are at different levels of development with regard to consumer protection.

The quality of enforcement of EU law in the field of retail finance is a considerable problem both for consumer trust and market integration. Effective enforcement and an equally high level of consumer protection and redress everywhere across Europe are preconditions for a successful single retail financial market and Capital Markets Union. BEUC strongly advocates for supervisory convergence. Each Member State should have its own financial conduct authority in order to ensure that consumer protection legislation is properly enforced everywhere in the EU. The supervisory convergence could only be driven in a coordinated manner at EU level. We are convinced that the ongoing review of the European financial supervisory authorities, if carried out in the right way, will be crucial in that respect.

Regarding supervision of financial firms operating cross-border: we fully agree that passporting may cause regulatory arbitrage, where companies obtain the passport in a country with lower consumer protection requirements, and then operate in all other Member States. And because those companies are being supervised by their home state’s competent authorities, consumers in countries where companies operate may find themselves unprotected in case of incidents such as mis-selling, low-quality advice, fraud, or a company going bust.

PayPal is a good example in this context. Their headquarters are in Luxembourg, but they choose to follow UK law while providing services to consumers in other Member States. In case of an issue, consumers are not able to benefit from their local consumer protection and redress regimes. Our UK member the Financial Services Consumer Panel reports that UK consumers lost money depositing cash savings in Icelandic banks and buying car insurance sold through Irish providers, and did not receive the same level of compensation that they would have got if the providers had been based in the UK.

We support the need for international cooperation among regulators and supervisors. At the same time, we call for a ‘European driving license’ rather than a ‘European Passport’. Competent authorities of the host country should be empowered to supervise where a financial service provider is doing business and, in case of relevant failure, have the ability to revoke the provider’s access to the market.

It is also important to stress the need to have efficient our-of-court redress mechanisms in all Member States. EU sectoral laws on financial services impose an obligation on Member States to set up effective out-of-court complaint and redress procedures for the settlement of disputes between providers and consumers. However, just having an appropriate Alternative Dispute Resolution (ADR) scheme is insufficient. If businesses do not subscribe to the procedure, consumers are still left empty-handed. Independence of ADR bodies is another crucial aspect that impacts the efficiency of dispute resolution. We call on EU policymakers to take measures to ensure that all ADR bodies are truly independent and that financial service providers adhere to one or more ADR bodies. And in case of cross-border disputes, consumer complaints should be handled by competent bodies of their country of residence .

The above comments apply to all financial services sectors, and not only those within the EBA’s scope of action.
We agree with the EBA’s analysis and the proposed way forward: it’s important that all firms operating on the market have effective and user-friendly complaints handling processes in place.

As it is rightly pointed by the EBA, allocation of responsibilities and liabilities in multilateral relationships may raise additional challenges. Fast and efficient resolution of consumer disputes might become more complicated in such situations. Therefore, it is important to make sure that consumers always have a single point of contact to address their complaints, irrespective of the number of firms involved in the provision of the service. A good example is a provision of the revised Payment Services Directive (PSD2). In case of an unauthorised payment transaction involving a third-party service provider, the consumer will be entitled to get the refund from his bank. Then, the ultimate liability for the fraudulent transaction is to be addressed between the consumer’s bank and the third-party payment service provider. This consumer-friendly provision could serve as a model for FinTechs.

Increased cross-border cooperation among national competent authorities will also be particularly important to help foster an integrated market across the EU. As part of this cross-border cooperation, national competent authorities should share information about the nature of the most common types of complaints, the identity of the service providers that are most complained about and the issues most complained about. This would allow competent authorities to understand the wider impacts of FinTechs and avoid widespread consumer detriment.
Response to questions 15 & 16

We agree that information disclosure to consumers is not always adequate and/or sufficient when it comes to services provided through digital channels. This could be the case for both regulated and non-regulated FinTechs and traditional financial firms.

For example, an investigation by our French member UFC-Que Choisir found that major crowdfunding platforms do not live up to consumer expectations. Six platforms analysed were not properly assessing the risk of investment projects, deliberately underestimated risks, while positive elements were overemphasised, lacked transparency on the rates of default of projects financed through those platforms, and provided lower net returns than those advertised.

A study on robo-advice by our UK member the Financial Services Consumer Panel indicates that, despite rules already being in place in UK to protect consumers in this sector, there are serious shortcomings that can lead to poor consumer outcome. Poor practices relating to transparency, clarity and consistency mean some firms are not treating their customers fairly and are failing to meet their needs. In fact, many consumers are not getting regulated advice at all. An online journey that looks like advice ends in the consumer buying a product which is ‘execution only’, meaning their protection is much lower.

We agree with the way forward proposed by the EBA, but wish to add an important aspect related to growing digitalisation and its impact on financial inclusion/exclusion. FinTechs and digitalisation in general can be a useful tool for better financial inclusion (e.g. better access for people living in remote areas), but at the same time may lead to exclusion of certain consumer groups.

Incumbent firms respond to the FinTech challenge by, inter alia, cutting their legacy costs (closing down branches, reducing workforce, etc.). This fierce competition may result in the financial exclusion of certain consumer groups, for example those who do not have a broadband internet connection, who lack the access or the knowledge to navigate easily online, elderly people, some people with disabilities (visually impaired), and those who do not trust managing their financial life online for both privacy and security reasons. Digitalisation can enhance the financial inclusion of most people, but at the same should not leave vulnerable consumers behind. Basic financial services must remain available offline and at reasonable cost. Regrettably, for the time being, the risk of exclusion does not seem to be on the radar of policy-makers.
Response to questions 17 & 18

It is true that digital services carry new risks, in particular regarding security, personal data protection, limited access to comprehensive pre-contractual information, liability rules.

BEUC agrees that supervisors have to raise consumers’ awareness of these risks and disseminate information on the risk mitigation measures they should take in the digital ecosystem.

BEUC also supports the EBA proposal to promote the transparency and clarity of pre-contractual information through specific work on disclosure.

But developing educational programmes or training tools to gain consumer trust in digital financial services and FinTech firms is not the solution. Consumer confidence is based on:
 the supply of products and services that really meet their needs, regardless of the distribution channel;
 transparent and clear pre-contractual information;
 fair and transparent commercial practices,
 financial recommendations and advice centered on customer interests.

All of these conditions imply the need for all financial firms and intermediaries to adopt a culture and ethical behavior at all levels of the organisation, which is far from being fulfilled in the field of retail financial services.

In addition, consumers primarily expect both national and European authorities to enforce all consumer protection rules, both those specific to financial services, as well as all cross-cutting rules that apply to any sector. This is the prerequisite condition to restore consumer trust in the financial sector.
BEUC considers that the EBA has correctly identified the issues. Please find our additional input below.

Exclusion risk: in the insurance area, the individualisation of risk profiles is bound to have fundamental implications for the principle of solidarity and risk pooling, potentially badly affecting more vulnerable consumers. Consumers with higher risk profiles, for example in the health insurance area, might face unacceptably high premiums for basic insurance policies or may find themselves unable to find coverage.

Dutch consumer group Consumentenbond has already received complaints from consumers barred from obtaining an insurance policy, often based on questionable data such as having a “bad” postal code. German consumer organisations have been complaining for years that credit scores often are also based on irrelevant data, such as a postal code or the first name of the consumer, which the consumer is unaware of.

The cost of privacy: the possible discrimination against privacy-minded consumers, unwilling to give private information, for example geolocation, using wearable devices tracking your fitness data and/or medical parameters, at the expense of higher premiums or credit rates. Leading insurance executives seem to be keen on establishing the “no wearables = no health insurance principle”, which is very worrying.

Disparate impact of big data: millions of data points might suggest interesting correlations between consumer’s behaviour, for example, their spending habits, on-line behavior, geolocation, and expected outcomes, for example the risk of defaulting credit, or risk of driving badly. However, correlation does not mean causality. The power of algorithms, with all built-in human biases, in predicting concrete consumer outcomes is therefore always limited. Research has confirmed that, in the credit area, there is no link between the number of defaults or arrears and the amount of data points used in the creditworthiness assessment.

Conversely, price discrimination looms around the corner. In the US, one credit card company admitted considering individual consumers, who were using their cards for marriage counseling or therapy, to have a bigger credit risk based on its experiences with other consumers and their repayment histories. Overall, such big data methodologies may hide intentional or unintentional discrimination against protected classes (or vulnerable consumers), generating customer segments that are closely correlated with race, gender, ethnicity, or religion.

We would like to see an appropriate framework in place for supervision and enforcement as algorithmic decision-making continues to play an increasing role in the financial services sector. Opening-up algorithmic decision-making to regulatory scrutiny would enable stakeholders to monitor how those systems are functioning.

Price optimisation: big data supports practices where firms analyse and incorporate data which are not related to the consumer’s risk profile or their specific needs and demands. For example, over 50% of large insurers in the US take individual (online) shopping habits or perceived tolerances for price changes into account when setting premiums for an individual consumer. Such practices, which can result in consumers with otherwise identical risks paying different prices for the same coverage, have been banned or restricted in 15 US states. Similar practices could easily be introduced in the asset management and banking sector.
Personal data and credit scoring: New technology (like artificial intelligence) and easier access to more sources of data may increase the use of credit scoring based on data that should remain private. For example, as reported by our Danish member Forbrugerrådet Tænk, Danish payday-lenders intend to use the updated Payment Services Directive (PSD2) to access the consumers’ bank account with “consent” for the purpose of assessing their creditworthiness. Such developments should be prevented as they would entail a loss of control of own data from the perspective of the consumer and could lead to the discrimination of certain categories of consumers.

A recent BEUC study “The never ending European credit data mess” exposes the difficult and worrying questions arising over the gathering of consumer data by private credit bureaus and calls for an urgent rebalancing of the needs of credit data with the fundamental rights of data protection .

Big data vs. consumer inertia: customer analytics (predictive analytics) based on real time consumer data (like payment transaction data, geolocation data and social media data) might further disempower the consumer vis-a-vis the bank. To the extent that customer analytics are able to predict (which the producers claim) customer behaviour, banks will only focus their retention efforts on those customers most likely to switch bank. The customers less likely to switch bank will no longer benefit from the banks retention efforts (like the lowering of interest rates for loans).

Please also refer to BEUC’s response to the recent ESAs consultation on big data in financial services as well as our recent factsheet .
Response to questions 21, 22, 23

As far as consumers are concerned, BEUC agrees with the fact that the different ways in which the AMLD Directive 2005/60/EC was transposed by Member States, especially in respect of requirements to carry out customer identification and verification remotely and through digital means, is an issue. The AMLD does not set out in detail how firms should identify and verify the identity of their customers. They rather lay down minimum requirements that firms must comply with, giving Member States (and firms) too much flexibility in imposing more stringent standards through their national legislation.

If this may have created difficulties for financial institutions to employ innovative and/or FinTech solutions in their customer due diligence (CDD) processes, this has also created barriers for consumers to access financial services both at national and cross-border level and online, and restrict their mobility within the Single Market. It also leaves the door wide open to a possible burdening of the consumer with requests to supply unnecessary supporting documents when opening a payment account, and to provide personal data which can be misused for commercial purpose – in both instances exceeding what is strictly necessary to comply with the AMLD objective.

In several countries, the proof of residence is necessary to open a payment account, which creates difficulties for consumers in particular circumstances. Some financial institutions use legislation on money laundering to deny the opening of a payment account even if their decision is not based on the assessment of a real risk.

Immigrants as well as people having irregular incomes or receiving social benefits have more difficulties to provide supporting documents of their revenue. In addition, one can also wonder why a payment account provider should have an overview of incomes, personal properties and assets of its private customers when no suspect transactions have been identified on the account.

There is a need to achieve a more coherent application of the AMLD/CFT to reduce the eventuality of arbitrary and unfounded refusals to open payment accounts, better protect consumer personal data and privacy, and better conform to other EU legislation.
BEUC, The European Consumer Organisation