Institute of International Finance (IIF)

The Institute of International Finance and its members (“IIF”) appreciate the opportunity to comment on the European Banking Authority (EBA)’s consultation paper (the “Consultation”) on the EBA’s approach to financial technology (fintech) (EBA/DP/2017/02).

The global emergence of fintech will alter the shape of the financial sector in the years to come. Reaping the full benefits from these innovations in the financial system will require a coordinated global regulatory approach that balances the promotion of innovation and experimentation while guarding against the migration of existing risks and the emergence of new risk types. While the IIF has normally focused on global and international policy making processes, we believe the work of the EBA is of great importance to the global agenda and hence, the IIF is keen to contribute with comments representing its international membership.

Below, we will first present the IIF’s key messages regarding the emergence of fintech and the EBA’s approach to this issue, and then respond in more detail to each of the EBA’s questions, particularly from an international perspective.

IIF key messages

1. The EBA’s attention to fintech and its implications for banking regulation and supervision is welcome. This, however, needs to be part of an overall, cross-sectoral approach, drawing from the other EU financial authorities from the securities, insurance, and other financial areas (including the European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA)). Furthermore, coordination with international standard-setting bodies, to be led by the Financial Stability Board (FSB), is also needed. Coordinating policy outside the boundaries of traditional banking and even financial regulation may also become increasingly important as digital finance operates in a data-driven economy where privacy and cyber policy make a progressively significant impact on the industry. Such developments will require a comprehensive policy framework.

2. The rapid development of fintech will certainly have significant repercussions for both financial firms and their regulators/supervisors. The EBA paper should adopt a more balanced approach, as it tends to primarily focus on potential new risks for incumbent banks but does not delve sufficiently deep on the significant implications for non-bank entities outside of the purview of the EBA’s regulatory and supervisory remit, where many potential risks could originate, or on aspects not related to prudential supervision and consumer rights.

3. The evolving nature of technological innovation will require a regulatory and supervisory approach that is sufficiently flexible, adaptable, risk-based, holistic and cross-border in nature to fully be able to address emerging risks without stifling innovation. Such an approach should have characteristics such as:

a. Risk-Based: The diverse nature of new technologies (and fintech), encompassing a multitude of business plans, products, and services, gives rise to a similarly diverse set of risks and issues. Any new regulatory framework or requirement to address the emergence of fintech/tech/ecommerce in the financial services space should be graduated, risk-based and expand the regulatory perimeter to include activities and risks regardless of their business model. Indeed, there are specific activities that do warrant careful attention by regulators, regardless of what type or size of institution is engaging in the activity, such as payments, lending, investments and data collection/storage.

The risks associated with these activities have far-reaching impacts on consumers and the broader financial system (i.e. money laundering, terrorist financing, disparate impact, fraud, identity theft, unauthorized transfers, etc.), and should be subject to consistent regulation and supervision. A risk-based approach is best-placed to identify and capture activities that may migrate from traditionally regulated sectors to less or non-regulated entities. It should be built on the clear principle that similar risks should be regulated and supervised in a similar way, and with oversight tied to the scale of the activity and the risks presented rather than the party involved.

Effectively developing a risk-based approach to regulation and supervision will require that standards be set by the FSB, which coordinates policies for the entire financial sector, rather than focusing on specific types of entities. It would also imply that supervision and regulation would not address fintech as separate from incumbent institutions: the framework, through its focus on risk, would be agnostic to the type of business model or entity involved in it.

b. Flexible and principles-based – As technological innovation changes business models and activities in the financial sector, regulators and supervisors should ensure that their practices and regulations effectively address risk regardless of the status of the underlying technology or method used to execute that activity. This requires that they be principles-based and forward-looking. In contrast, detailed and prescriptive regulations risk becoming obsolete as new technologies change the way the regulated activity is conducted.

c. Holistic in Nature: Effective regulation and supervision of fintech will require expanding the focus to policy issues that are not traditionally associated with financial sector supervision, such as cybersecurity, data use and privacy. Proper coordination with non-financial regulators should be addressed, as well as the consistency of financial regulatory regimes with non-financial ones.

d. Cross-Border: regulatory and supervisory approaches should be international in nature and be based on close cross-border cooperation. This would prevent regulatory arbitrage, forum shopping and fragmentation of regulatory approaches.

4. Addressing data gaps through improved collection and sharing of information will be key in bridging existing information gaps on the risks posed by new entities, business models and technologies, their size, growth and exposures to different markets, and their impact on the structure and evolution of local and global financial networks. Such an approach could follow the example of previous FSB Data Gaps and Shadow Banking initiatives.

5. Meeting customer expectations, expanding access to finance, and managing risk increasingly rely on the ability to access and analyze data from both traditional as well as new sources. Incumbent institutions should be given equal space and opportunity to develop these data capabilities to keep pace with new entrants into the financial ecosystem.

6. The entry of large e-commerce and digital platforms (sometimes called “bigtech”) may have far-reaching implications for the financial system in terms of structure and stability, and for its clients in terms of privacy and data issues. Due to the scale and global reach of these firms and their unrivaled access to non-traditional consumer data sources, these firms could rapidly gain systemic importance. The consequences of such transformation for the system could be difficult to manage from a supervisory perspective unless supervisors and regulators adapt ex ante. A level playing field between banks and large e-commerce firms on the use of data can help ensure that customers receive the full benefit of these innovations in financial services.

7. Similarly, the entry of smaller (start-up) fintech firms should be closely monitored. Smaller firms may lack the necessary scale and infrastructure to develop appropriate anti-money laundering (AML), cybersecurity and risk controls. Their interconnectedness with other institutions could cause risks at these firms to spread through the financial system.

8. We appreciate that the consultation paper recognizes the opportunities offered by new technologies to attain efficiencies and sound risk management, and believe that emerging regulatory and supervisory approaches should recognize that the benefits of adopting new technologies at incumbent institutions outweigh the associated risks. While we agree that the implementation of technology at incumbent institutions needs to go together with rigorous management of associated risks, including robust implementation controls and governance, it should be recognized that new technologies improve virtually all aspects of financial institutions (FIs)’ business models: the ability to aggregate and use data for risk management, compliance, lending and strategic uses, and the resilience of IT and data infrastructures to operational and cyber risk. Indeed, an inability of incumbent institutions to use new technologies to transform themselves is by far the largest strategic risk to the system as a whole.

9. We urge regulators, standard setters and supervisors to support adoption of new technology by FIs as a sound practice. It could in particular be supported through:
a. Improving data quality through standardization of formats (such as through the LEI, UPI and UTI), taxonomies and definitions, and data sharing arrangements,
b. Creating international standards for contractual obligations for third-party providers to FIs so that contractual obligations and conditions traditionally applied to outsourced activities (such as audit rights and subcontracting clauses) can be more easily implemented.
c. Creating new rules for cloud providers based on an international framework. General outsourcing rules (such as audits and access-to-premises requirements) do not fit well with this service, and harmonization could contribute to increased competition and reduced concentration risk among cloud providers, and improve implementation of clouds across banking groups.
d. Opening innovation channels, such as hubs and sandboxes, to engage both FIs and new entrants working with new technology and new models,
e. Upgrading reporting portals and methods to create automated sharing mechanisms that accept standardized digital file types.

In addition to these general observations, below we provide answers to some of the questions raised in the consultation which merit observations and comments from an international perspective.

Responses to consultation questions

4.1 Authorisation and registration regimes and sandboxing/innovation hub approaches

1. Are the issues identified by the EBA and the way forward proposed in section 4.1 relevant and complete? If not, please explain why.

The IIF and its members agree that the issues identified by the EBA are relevant. As laid out in our general comments, it is important that regulatory frameworks addressing risks in the financial sector, including fintech entrants, are consistent across different jurisdictions. We therefore support increased harmonization of regulatory initiatives supporting fintech innovation (such as sandboxes and innovation hubs), and specifically, the EBA’s proposal to assess national regimes and sandboxing approaches. In addition, it would be good if the EBA would also coordinate and cooperate with non-EU supervisors on these issues to possibly attain harmonization at a global scale.
However, it is equally important that regulatory and supervisory approaches aimed at promoting innovation be open to new entrants as well as incumbent players in the financial sector, as innovation and the adoption of new technology is not limited to new players. In fact, the adoption of new technology at incumbent institutions will be key in bolstering their competitiveness and the stability of the sector during this technological transformation.
Traditionally, licensing and authorization regimes have been key determinants in how different activities are regulated and supervised. Supervisors and regulators should reassess such regimes to see if new business models or technologies warrant inclusion, as is already underway in the EU and US. Given the need for a risk-based regulatory framework that addresses risk in the system equally across different entities, we do not see merit in a separate “fintech” license. Different licensing regimes would create the possibility for a two-tier regulatory environment and a risk of regulatory arbitrage.

With a view to fostering regulatory harmonization across jurisdictions, the IIF supports converting EBA guidelines on authorizations under Payment Services Directive 2 (PSD2) into regulatory technical standards (RTS).
As the impacts of the emergence of fintech on the business model of credit institutions are closely linked to prudential risks, we have chosen to answer questions 2, 3, 6 and 7 jointly.

In its analysis of potential prudential risks and business model impacts, the EBA points to a number of current technology-related impacts and risks to the financial sector that could materialize:
• The need for incumbent institutions to adapt their business models (specifically in the area of customer interaction), adjust product offerings, or adopt new technologies in response to competition from fintech entrants.
• Vulnerabilities from legacy IT systems at financial institutions, including cyber, operational and outsourcing risk,
• Risks related to the adoption of new systems, such as clouds and increased complexity of ICT systems, at financial institutions,
• Competitive pressures and risks to financial stability from the entry of new operators entering the financial sector.

We recognize that these issues are all relevant within the larger frame of technological transformation of the sector and support the EBA’s proposal to conduct further work in this area. Legacy IT systems, often an amalgamation of older subsystems, have been an issue for incumbent institutions in terms of operational and cyber vulnerabilities and risk data aggregation capabilities; however, institutions are making enormous efforts to overhaul and update these systems with the newest technologies. However, we do note that some EU regulations may provide disincentives for banks to invest in software. For example, software investment is considered as an intangible asset in terms of capital deductions. There is also evidence of different regulatory treatment of software in some jurisdictions, including the United States and Switzerland.

CRD IV limits the ratio between the variable and the fixed salary that financial institutions can pay to certain staff members identified as risk takers. This may make it harder for banks to attract and retain digital talent or the founders and management teams of acquired fintech start-ups.

While we acknowledge that the implementation of these new technologies at incumbent institutions needs to go together with rigorous management of associated risks, we stress that the potential advantages of applying new technology at incumbent institutions, subject to robust implementation controls and governance, outweigh associated risks as they improve many aspects of FIs’ business models: the ability to aggregate and use data for risk management, compliance, lending and strategic uses, and the resilience of IT and data infrastructures to operational and cyber risk. The ability of incumbent financial institutions to compete with fintech entrants will therefore rely to a significant extent on their ability to implement new technologies. Indeed, lack of transformation and digitalization in the banking sector is a bigger threat to the sector than transformation itself, threatening the sector’s competitiveness and risk management capability. Unfortunately, some aspects of European prudential regulation are perceived as a significant hurdle for banks to embrace the digital transformation and should be analyzed as part of the policy options to further incentivize innovation in the financial sector.

Similarly, new technologies do not necessarily make banks’ systems more complex. Instead, they can also be applied to consolidate and streamline legacy systems, decreasing their complexity and associated operational risks. New technologies are clearly preferable to potentially unstable and complex legacy systems, and their application should generally be supported by regulators and supervisors. In our key messages, we have outlined several of the ways in which regulators and supervisors could do so.

Turning to the entry of new fintech players into the financial services market, we support the EBA’s agenda for further work in this space. As new firms are driving the innovation in the market, it will be key for standard setters like the EBA to engage with them and establish a clear understanding of the new market landscape. We emphasize that the implications of the entry of new players will have a wide range of consequences for the system (from stability to issues affecting data privacy, cybersecurity, anti-money laundering enforcement and especially consumer protection) and that the EBA should therefore set up its assessment of risks and opportunities as broadly as possible so that regulatory and supervisory gaps are avoided.
• Due to the scale and global reach of large e-commerce and digital platforms (also called “bigtech”), and their unrivaled access to non-traditional consumer data sources, these firms could rapidly gain systemic importance. The consequences from such transformation for the system could be difficult to manage from a supervisory perspective unless supervisors and regulators adapt ex ante.
• The entry of smaller (start-up) fintech firms brings a different type of potential risk to the system. As they may lack the necessary scale, infrastructure, and sometimes also life span to develop appropriate AML, cybersecurity and risk controls, their interconnectedness with other institutions could lead risks at these firms to spread through the financial system.
• Consumer protection issues should be assessed across all sectors. Customers should be equally protected irrespective of the nature of the entity providing the financial service.

As discussed in our key messages, this wide range of impacts on the system will require a regulatory and supervisory approach that is sufficiently flexible, adaptable, risk-based, holistic and cross-border in nature to be fully able to address these risks without stifling innovation.
1. A risk-based approach to supervision and regulation should ensure that risks in the financial system are addressed regardless of the entity or business model that harbors them. Several examples in the current European context run counter to this principle, such as, for instance, the EBA’s 2014 Opinion on virtual currencies. This Opinion called on national supervisory authorities to prevent credit institutions, payment institutions and e-money institutions from buying, holding or selling virtual currencies. As such, the same activity is not subject to the same regulatory treatment when performed within a banking group as when conducted by a non-regulated institution.
2. A flexible approach should ensure that regulation and supervision effectively address risk regardless of the status or form of the underlying technology or method of the regulated activity. In contrast, detailed and prescriptive regulations risk becoming obsolete as new technologies change the way the regulated activity is conducted.
3. Making supervision and regulation holistic in nature entails expanding the focus to policy issues not traditionally associated with financial sector supervision, such as cybersecurity, data and privacy.
4. Lastly, cross-border regulation and supervision is required to effectively address risks in the international system that is tech-based finance.

We thereby advise that the EBA map any supervisory data or information gaps in such exercise, as new activities or business models may fall outside the perimeter of existing supervisory data collection efforts. Such data should give information on risks posed by new entities, business models and technologies, their size, growth and exposures to different markets, and their impact on the structure and evolution of local and global financial networks. Such an approach could follow the example of previous FSB Data Gaps and Shadow Banking initiatives.

As we have discussed above, a “fintech risks and opportunities” identification exercise of the EBA should focus both on the entry of smaller fintechs and “bigtech” firms into the market, recognizing that each brings a different set of challenges to the system and end users.

Data regulations will be key in safeguarding the appropriate use and integrity of consumer data. The General Data Protection Regulation (GDPR) and Payment Services Directive (PSD) II ensure customers’ rights to data ownership and portability. While most requirements are binding across economic sectors, some rules such as those included in PSD II’s open banking data rules are only applicable to the financial sector. We believe that equivalent rules should be applicable to other economic sectors in terms of data standardization and scope of data covered. Relatedly, we support the EU’s initiative for a Regulation on the Free Flow of Non-personal Data.
Please see our answer to question 2.
We agree with the EBA’s analysis. We would just note that distributed ledger technology (DLT) could have ramifications for financial services beyond payments – for example as an infrastructure for financial instruments trading (stock exchanges), trade finance documentation and tracking, and automation of insurance contracts. These could best be included in the EBA’s analysis. We believe it is important that regulators closely follow progress in the development of a practically applicable and scalable DLT solution, and its implications for the opportunities and risks in conducting the affected activity.
Please see our answer to question 4.
Please see our answer to question 2.
Please see our answer to question 2.
Please see our answer to question 4.
Please see our answer to question 4.
We agree with the EBA’s analysis that some fintech business models may create uncertainty or opacity with regards to the protection of consumers. This may be the case, for example, with aggregators or market places, where consumers can access or sign up for products from different providers through the fintech intermediator. A lack of regulatory frameworks may lead to uncertainty concerning the allocation of liabilities and responsibilities between platform/aggregator and service provider.

Given the continuing development of fintech providers and business models, we believe it will be imperative for conduct and consumer rights-related supervision to follow a risk-based approach targeting activities rather than entities. Such an approach should ensure that consumers are able to understand the nature of a provider or service as easily as possible.
We agree that harmonization of regulatory frameworks across the borders of the EU Member States supports the smooth functioning of the EU internal market. Given the cross-border nature of many fintech services and their interconnectedness with other services providers, the divergent approaches to regulation as existing today could create additional complexity and potential barriers to cross-border services provision, or lead to arbitrage and forum shopping. For consumers, differing regulations within the Single Market could lead to uncertainty. For example, not all European countries have developed legislation for alternative finance, creating a patchwork of diverging regulations within the Single Market.

Given the diverse nature of fintech approaches and business models, incorporating a diverse range of financial services, we believe the EBA could best cooperate and coordinate supervision and policy making with the other European Supervisory Authorities, such as ESMA and EIOPA, and with non-financial authorities such as those focused on data protection, cybersecurity or AML, to prevent or fill gaps that may fall in between regulatory frameworks targeting financial subsectors such as banking, asset management and insurance.
Please see our answer to question 11.
Please see our answer to question 11.
We agree that the issues identified by the EBA in the realm of complaints handling procedures (such as the impact of automated advice and ‘big data’ and the observation that common contact points and complaints handling procedures are often lacking in unregulated fintech services providers) are relevant. These observations illustrate the need for risk- or activities-based frameworks not only for prudential regulation, but also for consumer rights and conduct requirements. As stated in our key messages, financial activities and risks should be subject to the same regulatory requirements regardless of the business model that harbors them. This is the best way to ensure that customers are protected when using financial services, irrespective of the nature of the provider.
We agree with the analysis and proposed way forward of the EBA. In particular, we appreciate its intention to assess whether current EU regulations create any restrictions to the digitalization of financial services. As we have discussed in our key messages, we believe that enabling incumbent financial institutions to apply and use new technologies will be key in bolstering their ability to compete and to harness the sector’s overall stability.

Customers demand more individualized treatment. However, retail financial regulation is progressively establishing more standardized disclosure documents. There may be merit in the EBA undertaking an analysis of how customers understand financial information in a more granular way, as standardized documents may not be the answer for all customers.
Given the interconnectedness of some fintech services (such as product platforms, aggregators and automated financial services advice) with other financial services providers, it is key that liability in these new business models is adequately disclosed and allocated.

Disclosure will be especially important given the ongoing automation of financial services provisioning, where the use of algorithms could lead to opacity of decision-making if not clearly governed and audited by the applying institution. Financial services providers should be required to understand the outcomes of their automated systems, and be able to explain them to their customers. We emphasize that institutions are typically already doing this – as with any model, machine learning models undergo rigorous validation and testing before application, and institutions and vendors are applying several ways to make (the advice of) automated systems and algorithms auditable and understandable. Any financial services provider should embed its modeling process within a rigorous model governance framework, regardless of the nature of the provider or the modeling technique applied.
Please see our answer to question 15.
We support initiatives to improve the literacy of citizens both in the financial and digital spaces, and believe that they should be applied in a general fashion, rather than targeted to fintech services. Fintech covers a wide variety of business models and, due to its interconnectedness with incumbent institutions and the ongoing digital transformation of incumbent institutions, is not clearly distinguishable from non-digital finance.
Please see our answer to question 17.
Institutions are more and more using new modeling techniques such as machine learning to develop risk models underlying their risk management and lending decisions. Those new technologies and data sources may have a variety of potential effects on lending and financial inclusion. These new techniques can create a more granular insight into risks at the individual customer level (for example, through their ability to model non-linear relationships while retaining out-of-sample predictive power), and can use data more efficiently. In practice, this means that there may be pockets of consumers whose applications would previously have been turned down, and who will now receive a loan based on better risk assessments. Of course, the reverse may also happen in some instances, although this may not necessarily have negative implications for consumers. Better risk assessments could prevent some consumers from obtaining loans or other financial products that it would later turn out they could not afford.

On the whole, this attests to better risk management on the part of financial institutions. We believe that the overall effect of deploying more advanced modeling techniques is positive for the consumer. Importantly, several machine learning algorithms are better able to work with partial information than traditional statistical methods, and are thereby allowing institutions to assess risk and extend their services for those customers on whom previously too little information was available to do so.

The technological and methodological improvements described above should be clearly distinguished from the ability to use new tools and non-traditional data sources for “price optimization” and make lending and risk decisions based on factors outside of customers’ control, such as age, gender or race. These are practices which are clearly undesirable, and should be addressed through regulation and/or supervision.
We agree with the issues identified by the EBA. The increased processing speed and lack of intermediaries of several (future) fintech payment solutions could have significant implications for the resolvability of financial firms, whether incumbents or fintech entrants. We thereby point to the FSB’s observation on the potential influence of fintech deposit aggregators on bank liquidity. Designed to facilitate the fast movement of cash around the banking system, they could potentially increase the volatility of bank deposits, an issue that would warrant supervisors and regulators’ further attention.

Thereby, critical infrastructures such as clouds and other data services will need to be taken into account when assessing bank resolvability.
We commend the EBA for addressing regulatory issues preventing financial institutions from upgrading and modernizing their AML and Know Your Customer (KYC)-related compliance processes. These processes are typically still largely manual, and cope with the need to process large amounts of information (often still paper-based) and alerts from transaction monitoring systems (of which around 95% on average are false positives). New technologies including machine learning/AI, digital identity and KYC utilities, have significant potential in improving AML/KYC processes. Machine learning is already being applied by several institutions with positive results.
• Through its ability to analyze all kinds of data and information, both structured and unstructured, and its accuracy due to its ability to model non-linear relationships while retaining out-of-sample predictive power, machine learning can both improve transaction monitoring, and alert follow-up analysis. It provides a more complete and accurate view of the customer.
• Digital identity could allow institutions to unambiguously identify clients and counterparts, while automating and speeding up onboarding and account processes.
• KYC utilities could allow for more efficient and effective information sharing among financial institutions. If institutions were able to rely on KYC utilities-based information without having to do additional due diligence on that information, it could significantly reduce the amount of duplicative effort currently conducted in the system.

Subject to robust implementation and operational controls and governance, financial institutions should be able to use these new technologies to their full potential. Current barriers include the need for face-to-face identification, the inability to use machine learning algorithms incompatible with general statistical tests for model validation, and several data-related challenges.

We believe that supervisors and standard setters could support institutions in implementing new technology for AML/KYC in several ways:
• Improving data quality by creating a ‘feedback loop’ between Financial Intelligence Units (FIUs) and institutions
• Improved bank-to-bank, bank-to-government, government-to-bank and cross-border data sharing (see IIF, “Financial Crime Information Sharing Survey Report,” February 2017, for more information)
• Increased knowledge and experience at supervisors in the field of machine learning/AI, for effective governance and oversight
• The ability for institutions to create transactions monitoring alerts based on rules defined through proprietary, supervisor-checked data analysis.

We agree that fintech solutions can create new vulnerabilities to money laundering that need to be addressed through regulation and supervision. Here again, we believe that a risk-based approach applied to all entities would provide the most effective framework. Fintech solutions creating vulnerabilities include, but are not limited to:
• Cryptocurrencies allow transactions under pseudonymity and anonymity of the transaction parties and lack a centralized oversight or clearing body, inhibiting oversight of the legality of financial flows.
• Crowdfunding and marketplace lending could also serve as vehicles for illicit flows due to the anonymity offered by many platforms, as well as through their global reach. ESMA has expressed concern that the typical lack of due diligence at these platforms creates a risk of misuse for terrorist financing.

The IIF reiterates its appreciation for this opportunity to provide feedback to the EBA on this important topic. Should you need additional information on this topic please contact me (, Bart van Liebergen ( and Conan French (
Please see our answer to question 21.
Please see our answer to question 21.