The issues have largely been correctly identified. BPFI would in particular support the EBA giving attention to ensuring a level playing field, but it would be good to clarify whether, in 72 point A, this is an initial investigation or on an ongoing basis, as FinTechs may change or enhance over time.
With regard to 74a, BPFI notes that there may be legitimate reasons why a FinTech may not be subject to specific financial regulation and supervision. We therefore agree with the EBA that there may be merit in investigating the approaches to monitoring the FinTech sector. We would also highlight that while regulation may indeed affect the development of FinTech in the EU, equally the development of FinTech in the EU may influence the direction of regulation.
In particular, BPFI strongly welcomes the focus on innovation hubs, and believes this to be an imperative in the development of the Irish and European FinTech ecosystems. BPFI understands that the authorisation process can be time consuming and costly, and adds significant time to market, which may deter FinTechs from submitting an application for authorisation. Therefore, sandboxes are excellent formats for exploring opportunities and collaboration, with potential for industry, technology firms, incumbents and academia to be positively stimulated by well-managed sandboxes. In this regard, BPFI believes that the EBA should take a more forward looking approach and extend recommendation 74.b to examine proposals for harmonisation of existing regimes and, in the absence of an EU wide regulatory sandbox, to ensure collaboration and exchange of information across Member States’ regimes in order to facilitate FinTech activity growth outside specific Member States. This would yield the benefits of facilitating innovation and competition, while maintaining the prevailing directives and regulations.
Yes the issues are largely complete and BPFI welcomes the proposed way forward in identifying prudential risks and opportunities and the aim of providing guidance to supervisors on understanding and evaluating these new prudential risks. BPFI also strongly welcomes the possibility of workshops and training for supervisors, given the need for all in the sector to stay as close as possible to developments in this area.
Noting in particular the emphasis on ICT risk, and the possibility of “rigid and outdated IT systems”, BPFI would highlight that the current regulatory capital framework for credit institutions does not recognise the value of software for capital purposes. Software investment is a core asset to tackle ICT risk into the future, ensuring banks’ legacy systems are updated to the highest of standards, and BPFI believes that the EU should amend the regulatory framework to reflect that of other countries around the world that do not require capital deduction for software.
With regard to the opportunities identified, we note emphasis on competition and the possibility that FinTech will increase competitiveness in the Single Market which BPFI welcomes. We would highlight that fair competition in the market will stem from the principle of “same activities, same rules and same supervision”.
BPFI is also acutely conscious of possible cyber-security risks to the sector and therefore strongly welcomes the EBA approach with regard to supervisory practices. BPFI have a model in place, which links member banks with academia domestically on cyber security in Ireland and such a model could be mirrored across Europe. BPFI has also made strong recommendations in the past to the European Commission of the benefits of a “Technology Watch” initiative to observe and monitor emerging technologies to ensure adequate action and detection of potential vulnerabilities for the financial system, including cyber-security.
With regard to cloud outsourcing recommendations, BPFI believes that the recommendations could be strengthened to Guidelines or other instruments that would require a more direct application of the requirements. In general, the recommendations proposed by the EBA remain at quite a high level and are non-exhaustive, which still leaves significant uncertainty for market players. More certainty is required for financial institutions outsourcing to CSPs and the final recommendations should leave little room for interpretation. Currently, the outsourcing of business functions to cloud providers is subject to specific regulation in the banking regulatory framework. Specifically, banks are required to ensure access to data, to ensure the security and to manage any risks arising from the outsourcing. These higher compliance risks associated with outsourcing may deter some members from adoption of cloud service models. Additionally, banks are subject to the GDPR framework and it is vital that Cloud Service Providers also adhere to these new rules to be applicable from January 2018. BPFI awaits with interest the forthcoming Recommendations from the EBA on outsourcing to cloud providers. More generally, BPFI welcomes the work of the European Commission and the Cloud Select Industry Group on a Code of Conduct. A coherent regulatory approach to cloud computing in financial services will incentivise growth in such services to the benefit of consumers and financial institutions alike. In this regard, we would further encourage the Commission to adopt a risk-based and proportionate approach with regard to due diligence in contracting between CSPs and banks.
Having an established customer base will allow the institutions to leverage the advances in technology to provide new offerings to their existing customers.
BPFI believes that some of the opportunities include the extension of reach and opening of new markets, more suitable products through use of big data/customer data, possibility to deepen relationships and provide new value to customers through innovation, provision of additional valuable services to customers enhancing overall customer experience over the long-term.
Threats include possible pressure on margins, FinTech access to investor money which may be used to fund customer acquisition but is unsustainable in medium-term, increased cost to customers through profit taking at each point of extended value chains (while in a low rate environment), increased bank exposure to possible risks, increased net risk across sector as financial institutions move risk downstream to less regulated entities and Big tech entering credit market.
Threats may arise to customers from new and lightly regulated organisations which lack the risk maturity of established traditional banking mediums. This has the potential to erode customer confidence in FinTech as a banking platform, and potentially pose a wider risk to economic security.
No. BPFI believes that the EBA should explicitly undertake and prioritise an evaluation of Initial Coin Offerings (ICOs), token sales, and crowd sales, as these currently represent the most disruptive element of the crypto/virtual currency market. The EBA should also explicitly seek to produce guidelines or terms of reference for supervisors in the area of virtual currencies, as companies and organisations in this field are increasingly presenting to financial institutions as potential customers and/or vendors, which is resulting in differing approaches to treatment in the absence of risk guidelines beyond the narrow scope of bitcoin and other traded virtual currencies and use of public, permission-less blockchains.
Beyond the above, BPFI largely agrees with the approach of the EBA. BPFI would highlight in relation to PSD II the benefits of an EU wide Application Programme Interface standard, in particular with regard to fair competition and future development of the single market in payments. BPFI would welcome work on prudential risks and opportunities to help supervisors understand and evaluate possible risks, again with emphasis on workshops and training for supervisors.
BPFI believes that the opportunities arising from FinTech include extended reach through creation of and/or integration with new value chains encompassing third-party suppliers, apps, and ecosystems.
Possible threats include disintermediation or relegation to utility-provider for less progressive/conservative financial institutions, regulation that is not fit for purpose/technology neutral or forward looking, regulation that may hinder innovative development and the question of liability and reputation. Even if the liability is on the side of the FinTech, the financial institution may suffer reputational damage.
Yes, the issues are largely complete and BPFI stands ready to assist the EBA in its work, as outlined in paragraph 103.
With regard to paragraph 99 and the reference to outdated legacy IT systems, BPFI would again highlight the need for consideration to be given to the regulatory framework for investment in software. The current regulatory capital framework for credit institutions does not recognise the value of software for capital purposes and BPFI believes that the EU should amend the regulatory framework to reflect that of other countries around the world that do not require capital deduction for software.
More generally, BPFI agrees that technology is changing the way people access financial services, and in the retail banking space we would highlight that the demands of the 18-24 age group are changing significantly, with nearly all access preferred via digital means. Indeed, a customer centric approach is key for financial institutions and while there is direct competition, there is also direct collaboration visible on the Irish market, which will be of huge benefit to consumers. We also strongly agree that FinTech, and in particular Big Data and RegTech, have strong potential to reduce operational and compliance costs for institutions and ensure maximum efficiency, which will also be of benefit to consumers. Lastly, BPFI would highlight that the role of branches is changing and closures are a result of changing consumer demands. Moreover, safeguards are put in place to ensure that customers in affected areas still have assistance available to them, e.g. via community bankers or mobile banks.
BPFI believes that there is little overall impact in the near term due to capital and scalability issues, reticence/inability to comply with regulatory regimes, trust and privacy concerns and customer reluctance to move to a more fragmented experience. However, in the medium/long term, beyond 2020, BPFI would see the progression to open banking, facilitated in part by PSD2, and otherwise by open APIs, artificial intelligence, and the entrance of ‘Big Tech’, resulting in new value chains, and consolidation/acquisition across banks and FinTech as they seek more profitable and efficient business/operational models.
Examples of the impact of innovation on the business model of incumbent credit institutions include, but are not limited to:
- Dynamic credit scoring facilitated by Account Information Services Providers provisions
- Dynamic finance particularly Point of Sale (POS)
- New business models for mortgages e.g. fractional ownership
- New business models for car and other finance/insurance through telematics (e.g. pay as you go models)
- Blockchain for trade finance. Facilitating efficiencies in letters of credit (LCs) as well as providing KYC and AML facilities for banks wishing to provide Open Account trading services.
However, care should be taken that the customer is at the heart of all decisions made by business. This should mean that all financial institutions, regardless of their status as FinTech, or traditional financial institutions should be subject to the same standard of governance best practice and regulation.
Yes, the issues are largely complete and BPFI stands ready to assist the EBA in its work, as outlined in paragraph 106.
Please see our response to Question 7. In addition, we note the development of mobile money services giving way to more ambient ‘unattended’ or context-aware payment services through use of geo-location, big data, and artificial intelligence. We also highlight machine-to-machine transactions through increased IoT penetration, in addition to the impact of virtual currencies and blockchain.
Yes, the issues are largely correct and complete. In particular we welcome the emphasis on consumer rights in case of unclear regulatory status. As noted in Question 5, liability and reputation are interlinked. Even if the liability is on the side of the FinTech, the financial institution may suffer reputational damage and vice versa. Therefore, it is imperative that there is a clear route for consumers to understand the authorisation status of the FinTech and the rights of the consumer in case of use of FinTech services and products.
BPFI believes that financial education and greater customer financial literacy is a key element of any response to this issue. Enhanced Digital/technology education and financial education should be encouraged at primary, secondary and third-level education in Member States.
BPFI would also highlight the work of the Central Bank of Ireland in relation to consumer protection, and the recent discussion paper on Consumer Protection Code and the Digitalisation of Financial Services.
Yes the issues are largely correct and complete. In Ireland the Consumer Protection Code is binding on all regulated entities in Ireland and must, at all times, be complied with when providing financial services.
However, we would question the statement in paragraph 112 that “some Fintech firms might therefore choose a Member State as their home State because the regulatory regime is perceived to be less burdensome”. Rather, we understand FinTechs are attracted to certain Member States because of smoother application processes, target market segments and competitor presence in certain markets.
Nonetheless, we can understand the broader concerns around regulatory arbitrage and the possible risks to the integrity of the Single Market should consumer protection law not be implemented in a similar way. Therefore, we welcome the intention of the EBA to carry out further work on cross-border issues for consumers and to enhance information sharing and coordination among regulators/supervisors.
All digital application processes and improvements by BPFI members are carried out in line with EU and domestic regulation and legislation and the Central Bank of Ireland’s Consumer Protection Code (CPC).
Yes; however, this is an ongoing requirement to ensure legislation is implemented consistently.
The key definitions in regulations applying to traditional financial institutions should be enhanced to cover areas of digital mediums and remediated forms of customer engagement. In order to increase customer ‘buy in’ of the FinTech market, customers need to be assured that FinTechs will be held to the same high standards as traditional banking organisations.
BPFI agrees with the issues called out by the EBA. However, greater detail is needed around some of the underlying issues the Union will need to deal with. One of the core issues is a potential move away from “static” paper based ID and address verification and onto more advanced “digital identification”, which considers a host of information and data (e.g. geo-location data, publicly available databases, social media, computer ID, mobile phone records, etc.) to identify a customer.
Credit card institutions use this “adaptive technology” at the moment as part of their fraud controls to ascertain in real time whether a transaction being carried out is genuine or potentially fraudulent. An opinion will be very welcome to give clarity as to what best practice looks like from a CDD perspective.
Yes. However, we would highlight in 117a that a lack of a common contact point for complaints may also generate reputational damage for credit institutions, linked in any way to a FinTech service/activity. In this regard, we fully support the statement in paragraph 117c that the allocation of liability among all parties involved is clear both among the parties and to the consumer. We also therefore support the work plan of the EBA to issue Guidelines around complaints handling for FinTechs and the emphasis on cooperation among competent authorities, complaints handling procedures and management of complaints data.
The issues set out are not entirely complete. In particular, the EBA needs to explicitly seek to evaluate ‘Big Tech’ companies who do not currently fall within the scope of financial regulation but who hold and broker large volumes of customer data, which may include financial data or data that may influence credit, payments and other decisions, for example KYC and credit scoring models. This also applies to information gleaned from government and other entities.
Additionally, in relation to paragraph 119a, we strongly recommend that the EBA clarify the term “durable medium” so that new innovative technology and media can be used to meet the obligation to disclose information in a durable medium. It is essential that firms understand what their obligations are when using non-paper methods of communication and how they might meet them. This is particularly important given the growing use of non-paper based formats of disclosure of information. One option to ensure key information is presented and understood by customers in a digital environment, is for consideration to be given to adopting the framework for the provision of information by telephone used in the Distance Marketing Regulations, to a wider form of customer communications channels (for example smartphone, tablet, chat platform or social media interaction). In such circumstances, where the customer agrees, it could be possible to provide a smaller subset of information to customers at the time a contract is entered into, with an obligation on financial services providers to provide more detailed substantive information/contract terms in a durable medium after the entry of contract. The right of cancellation contained in the Distance Marketing Regulations could also be included here.
As noted previously, all digital application processes and improvements by BPFI members are carried out in line with EU and domestic regulation and legislation and the Central Bank of Ireland’s Consumer Protection Code (CPC). Nonetheless, BPFI would strongly welcome an in-depth review of EU legislation that may restrict digitalization. EU and Member State legislation should be technology neutral and forward looking so as to ensure it remains applicable into the future. Above all, the principle of “same risks, same risks, same rules” is imperative to ensure the same level of protection for consumers across all financial products and services, regardless of whether the provider is regulated or unregulated.
Yes. BPFI sees financial education as an imperative part of ensuring consumers are informed and engaged in the digital revolution, especially as more complex/unfamiliar products are offered to the public (robo-advice, online lending, etc). Banks in Ireland recognise the importance of financial education and currently provide a wide range of initiatives and resources to schools, colleges and in the workplace. BPFI is active in the financial education space through its longstanding relationship with the Business Studies Teachers’ Association of Ireland (BSTAI). As well as developing the online resource BusinessEducation.ie jointly with the BSTAI, BPFI continues to support the BSTAI’s Business Achievement Awards which have been running for over 20 years.
BPFI is also actively engaged in European Money Week, a cross-border initiative of the European Banking Federation to highlight and learn about financial education.
Yes. BPFI believes that particular emphasis should be placed on social media predictive analytics.
Yes. BPFI would strongly welcome Guidelines on use of Big Data. BPFI Members do not believe that further regulation should be introduced to facilitate the use of Big Data technologies. Rather, members would welcome guidelines clarifying requirements of GDPR in this area. These guidelines should be directed at financial institutions and also supervisors/regulators to ensure all are aware of any boundaries in the legislation. Financial institutions need guidance on their ability to use Big Data in an evolving digital world but within the boundaries of legislation/regulation/supervision.
With regard to Big Data, we note the potential risks outlined in paragraph 126 and believe that data quality check processes must be continuously enforced and updated. However, member banks believe that Big Data brings particular benefits in the ability to tailor products/services for different consumer segments, and offer a better customer experience. Use of Big Data can also play a strong role in risk management, whether in credit underwriting, fraud risk management, KYC, AML, product governance or compliance with regulation.
With regard to automation in financial advice,
More generally, BPFI strongly believes that customers must be provided with full and complete information, to enable them to understand the product being provided, regardless of channel engagement. In addition, the new General Data Protection Regulation will require firms to provide more detailed information to personal customers regarding how personal data is processed (including in relation to automated decisions).
BPFI members suggest that virtual currencies, initial coin offerings and other crypto vehicles represent a significant risk, in addition to the due diligence for FinTech firms from non-sanctioned countries.
Another area of concern is the increased risk of criminals being able to move money quickly through a system before relevant controls can detect and prevent the transaction. While this is not inherently different to any other products/delivery channels, care should be taken that the increased financial efficiencies offered by FinTechs do not inadvertently facilitate ML/TF activity.
Additionally, the transitional nature of digital communication means (burner phones, disposable email accounts) that require no verification could lead to difficulty in verifying customer identities through the new digital mediums.
AML/CFT obligations for FinTech companies will be dependent on the particular services they are providing (presuming they are authorised by Central Bank of Ireland or passporting into ROI). For example, many payment services providers who are not traditional payment institutions are already considered ‘obliged entities’ under current AML legislation so are subject to the same obligations as traditional financial institutions. There is nothing to prevent the use of FinTech solutions by obliged entities but obviously the AML risks would have to be identified, assessed and mitigated to ensure that any new processes/products adopted are within the company’s AML risk appetite.