All the issues identified by the EBA and the way forward proposed seem relevant. In particular, we would much appreciate an EBA report or opinion assessing the national regulatory regimes that are in place, as this could contribute to achieving a level playing field in the EU both across players and Member States.

In our view, the principle of level playing field ought to comprise two aspects. First, activities involving the same risks in terms of financial stability, consumer protection and the integrity of the financial system should receive the same regulatory treatment. Therefore, any difference in regulation and supervision should be based on the risks posed by different products and services. Second, there should not be unnecessary barriers to competition in the market beyond those justified by risk considerations. This means, for example, granting different types of players access under fair conditions to payments infrastructure, customer data, and regulatory and supervisory guidance, where the latter is aimed at keeping unavoidable risk-justified regulatory barriers to a minimum.

Regarding the first aspect, we have identified two main sources of an unlevel playing field between banks and non-bank players. One arises from the regulatory framework currently applicable to banks. Banking groups are subject to prudential regulations that have implications for most of their businesses, including those in which they compete with non-bank players that are only subject to activity-specific regulations or benefit from regulatory loopholes. Therefore, FinTech activities are generally subject to additional rules on internal governance when they are carried out within a banking group, leaving banks in a situation of competitive disadvantage. The second issue refers to the existence of loopholes in the regulatory framework, as some new services or business models are not yet covered under existing regulations. The results of the EBA are quite telling. This means that not only are potential risks to financial stability, consumer protection and the integrity of the financial system left unaddressed, but also asymmetries between players arise, given that regulated providers often face obstacles to engaging in unregulated activities.

The second aspect of the level playing field principle refers to the removal of unnecessary barriers to fair competition. The problems related to the asymmetry in the contribution to the payments infrastructure and in the access to personal data in a standardized manner will be explained in detail in question 9.

To ensure a level playing field among all providers of financial services, be they banks or not, the regulatory and supervisory framework should progress on three fronts:

● Limiting the implications of prudential regulation for non-core businesses (i.e. ringfenced, non-deposit-taking activities) in which banks compete with non-bank players. The internal governance of these businesses should be subject to the same activity-specific regulations that apply to non-bank players. To this end, either temporary exceptions within the regulatory framework or exclusions from the perimeter of prudential consolidation could be allowed.
● Plugging existing gaps in the regulation by developing a regulatory and supervisory framework for new services. These rules should apply to both banks and non-bank players, the latter being authorised by narrowly defined (activity-specific) FinTech licences with EU passporting facilities for specific activities. These licences should be activity and risk specific (otherwise, a generic fintech licence would practically equal a banking licence) and banks should be allowed to perform any of the activities regulated under narrow fintech licences. This is particularly useful in areas where market developments have not been followed by a thorough risk analysis and, where warranted, appropriate regulation (such as crowdlending, financial services marketplaces or virtual asset management). In any case, this authorisation to provide a specific service should not be understood as a shortcut to provide additional services outside the scope of the initial licence.
● Facilitating innovation for all players, under safe and even conditions, in case regulatory obstacles or uncertainties come to hinder the development of innovative solutions that would benefit consumers. Regulatory sandboxes are a useful tool in this respect, and therefore, we support the EBA’s intention to further assess the features of regulatory sandboxes, innovation hubs and similar regimes, as these offer promising benefits for regulators, incumbents, new entrants and consumers alike. We agree with the EBA that the emergence of different initiatives in some Member States could lead to an internal competition that may potentially distort the financial stability in the EU and negatively influence the creation of a predictable regulatory framework to foster innovation.

In this regard, we believe that it is of vital importance to establish a common EU framework, in order to avoid fragmentation within the EU. This requires, first, collaboration among institutions (the European Commission and the ESAs), as each of them has different legal powers and goals. Secondly, a coordinating authority should unify these efforts and provide guidance to individual authorities. This European authority could ensure that all different European and national initiatives have the same approach, provide the same service and allow the same exceptions. Otherwise an uneven playing field will arise among different Member States, as now occurs with the aforementioned example of regulatory sandboxes. Also, this coordinating authority would ease the establishment of agreements with external innovation ecosystems, which might benefit all EU stakeholders, as further links with new markets might aid the EU in its global leadership goal.

The deployment of this public innovation policy framework should lead, in the long term, to the establishment of an EU framework of experimentation with participation on a voluntary basis. The deployment of a European regulatory sandbox should be inclusive and take into account all interested parties, regardless of their size or business model. The ESAs should coordinate and provide guidance on regulatory sandboxes to National Competent Authorities, while the ECB could run a special regulatory sandbox for cross-border innovations within the SSM.

The legal framework governing this setup should clarify how these sandboxes must operate: entry requirements, what happens while in the sandbox and how the project should enter the market:

● To enter the sandbox, at least one of the following reasons must be met:
○ There is uncertainty on how the existing regulatory framework applies. This may be the case, for instance, for applications of distributed ledger technologies.
○ Approval requirements from regulatory or supervisory bodies delay testing with real customers (for instance, a new identity verification method).
○ Complying with all the regulatory obligations is too costly and time-consuming just for testing. This may be the case in the process of creating a new venture firm that meets all licensing requirements.
○ The innovation would breach rules that are not fit for the current market. This refers, for example, to requirements to obtain and record physical copies of IDs in digital onboarding processes.
● Once in the sandbox, the company that has entered the sandbox must accept testing conditions that imply no detriment to consumer rights, must prove that the proposition will not affect the open economy, and report to the regulator according to a previously agreed roadmap.
● Exiting the sandbox is a key milestone in the process, as the final objective is that the project should enter the market under clear regulatory conditions. If regulatory change is needed, this possibility should be assessed and eventually undertaken by the regulators.

Furthermore, as this is a learning process, a review of the final decision should be publicly shared for all interested parties to understand the rationale of this outcome. Nevertheless, a list of potential regulations that might be softened, tools that all participants might access and the limitations related to customer protection and systemic stability must be made available prior to entering the sandbox.
The analysis of the risks and opportunities provided by the EBA seems relevant and mostly complete. However, we would like to comment on two issues:

Firstly, on the issue of cloud outsourcing, we appreciate the EBA’s efforts to adapt outsourcing recommendations to the specificities of cloud computing technology. However, as highlighted in BBVA’s response to the EBA’s recent consultation, we believe that the instrument used (EBA recommendations, which by nature are neither directly applicable nor mandatory in the first instance) could introduce an element of divergence and lack of harmonization across Member States. To avoid this, technical standards or any other directly applicable instrument would have been a better option.

Also, it should be perfectly clear that neither these EBA recommendations on cloud, nor the whole SSM supervisory mechanism, applies to cloud outsourcing by financial institutions that are not under the SSM mechanism, even though the parent company is under the SSM. Instead, outsourcing by financial entities that are not under the SSM must be governed exclusively by local outsourcing and local data protection rules (unless these are non-existent).

Secondly, as mentioned in the previous question, it is important to highlight the role that prudential regulation and supervision play in explaining the main asymmetries between bank and non-bank players. As explained, fintech activities are usually subject to more stringent regulation when they are performed within a banking group than if they are provided by other types of institutions. An illustrative example can be found in the remuneration rules under the CRD. This Directive sets a limit to the ratio between the variable and the fixed salary that financial institutions can pay to certain staff members identified as risk takers. These and other rules on internal governance or outsourcing requirements leave banks in a situation of competitive disadvantage in terms of cost, time-to-market and talent attraction and retention.

In order to ensure a level playing field, we call on the EBA and other European policy-makers to review prudential regulation with the aim of reducing the limitations these rules pose on businesses which do not imply deposit-taking and in which banks now face uneven competition. With this aim, regulators could contemplate either exceptions within the regulatory framework or exclusions from the perimeter of prudential consolidation, as allowed by Article 19 of the CRR.
We appreciate the EBA’s effort to provide a comprehensive assessment of prudential risks and opportunities arising from the fintech environment. Recently, several institutions and standard-setting bodies at EU and international level have shared their views on fintech. In this regard, the BCBS has recently issued for comments a Sound Practices paper which contains a highly valuable assessment of the risks and opportunities from fintech in five future potential scenarios.

As brought forward by the EBA in this discussion paper, in addition to the acknowledged benefits of fintech, the developments in the digitalization of finance have implications for efficiency, financial stability, consumer protection and the integrity of the financial sector. This requires a holistic response by regulators and supervisors to construct a renewed framework that enhances the resilience against future crises while fully capturing the potential of digital innovation.

A recent paper written by Mr. González-Páramo, Executive Board Member at BBVA, in Banco de España’s Financial Stability Review (*), presents a thorough analysis of the potential benefits of the digitisation of finance and of the new risks (in terms of stability and integrity of the financial system, and consumer protection) that digital infrastructures, business and distribution models and customer solutions may pose, and the expected regulatory and supervisory response. We believe that this could be of interest for the EBA’s analysis and future work.

The paper presents an analytical framework that first summarizes the main changes and disruptions that are taking place in each of the blocks (infrastructure, banking products and distribution) and then assesses the impact of those changes. For the latter, the paper first presents the potential efficiency gains, and then the implications, which may be positive, negative or ambiguous, for financial stability, financial integrity and the protection of financial consumers.

(*) José Manuel González-Páramo. Financial innovation in the digital age: Challenges for regulation and supervision. Banco de España, Financial Stability Review Num. 32. May 2017. Available at: 2017/Articulo_GonzalezParamo.pdf
Although current work on PSD2 will promote a safer and more integrated payments environment, we support the proposed way forward. A deeper assessment of risks posed by these new institutions, a better understanding of the new payments environment and a new regulatory approach towards new technologies such as DLT are needed. Additionally, payment institutions and electronic money institutions should be subject to the same security requirements as other payment service providers. In particular, practices such as credential sharing and webscraping should be discouraged as they increase the risks of information breaches and their potential effects.
Payment institutions and electronic money institutions, as regulated entities, are subject to regulatory frameworks that affect the provision of many of their services. However, many other players participating in payment markets may not be regulated, and thus may benefit from the existence of regulatory loopholes. These loopholes, therefore, constitute a source of asymmetries among different players, given that regulated players often face obstacles to engaging in non-regulated activities. A clear example of this is the EBA’s opinion in 2014, which called on national supervisory authorities to prevent credit institutions, payment institutions and e-money institutions from buying, holding or selling virtual currencies. Therefore, regulating the activity of virtual currencies is necessary to ensure a level playing field and eradicate asymmetries in financial markets. This is consistent with our comments to question 1.

In relation to PSD2, although BBVA fully supports the objectives of the Directive, we also believe that the technical implementation of these requirements must ensure the highest level of security and control for the client. Therefore, less secure practices such as credential sharing and webscraping should be banned, since the same information can be obtained through efficient, secure and widespread APIs.
Yes. We particularly appreciate the EBA’s intention of holding interviews with representative credit institutions. At BBVA, we are looking forward to discussing the issues covered here with the authorities and therefore would be pleased to participate in this exercise.

Furthermore, we would like to emphasize two issues here. First, the EBA has decided to use the FSB’s definition of fintech, which is inclusive. We completely support this definition, as it is consistent with the vision of the financial services market as a fast-evolving ecosystem that includes banks, new entrants, bigtech companies and also regulators. It is clear from the FSB’s fintech definition that the key is the innovative use of exponential technologies to revamp the provision of financial services, regardless of the nature and size of the provider of the services. However, throughout the rest of the discussion paper, and particularly in this section, the EBA seems to identify fintech firms with smaller new entrants. This is inconsistent with the definition and may result in an overestimation of the short-term impact of start-ups, and an underestimation of that of bigtech companies. For instance, the EBA states that “credit institutions may be forced to adapt their business models in response to the increasing competition from FinTech” (94). This is a misconception, as the broad fintech definition that rests on the innovative application of technologies also encompasses banks. As a result, business models need to be adapted due to the application of fintech by financial institutions’ competitors, regardless of whether these are incumbents or new entrants.

The second issue that needs to be raised is that the EBA’s assessment of the fintech ecosystem does not include any reference to the role played by big technological companies. We believe that these bigtech companies could challenge the sector already in the short and medium term, as they not only have the disruptive potential that comes from technology, but also the scale and, in some cases, a proven willingness to offer financial services (applying for payment institution licences, for instance).
When approaching this phenomenon, it is important to understand what types of FinTech exist, as this term covers a wide range of companies and solutions. If we analyse their relation with incumbents, these solutions can either compete with existing solutions, unbundling the value chain, or enhance them, improving the existing offer and processes through partnerships and other collaborative approaches. Thus, financial institutions and new entrants should not be seen as entities in full confrontation. Unsurprisingly, major banks have made strategic partnerships and investments in fintech companies. In this new fintech ecosystem, composed of banks, new entrants, bigtech companies and regulators, the lines between competition and collaboration are blurring.

Despite the above, it is certain that European credit institutions are facing fierce competition from new digital players (be they small new entrants or big technological companies), who are not burdened by outdated legacy IT infrastructures. As acknowledged by the EBA, modernisation of these systems is a must for those financial institutions that seek to survive in this new digital age, but this demands a significant investment. However, prudential regulation is perceived as a significant disincentive for banks to invest in software. Thus, software investment should not be considered as an intangible asset in terms of capital deductions, as this implies a competitive disadvantage for banks against digital competitors. Furthermore, there is also evidence of different regulatory treatment of software in some jurisdictions, including the United States and Switzerland, which is creating an even weaker competitive position for EU banks. A similar situation derives from remuneration rules under the CRD/CRR framework, which create hurdles for banks to hire digital talent on an equal footing with other sectors, as already commented in question 2.
The business model of incumbent payment institutions is being challenged by increased competition and a reshaping of the relationship with end-clients. This is due to a number of factors. In the long term, disruption may come from the emergence of payment services based on cryptocurrencies and new DLT infrastructures, particularly for cross-border transfers. Today, the appearance of new intermediaries that rely on the existing payments infrastructure is already a reality: digital wallets (for card-based payments) and third-party payment initiation services (for account-to-account payments). The latter are being promoted by the new Payment Services Directive (PSD2), which grants third parties access to payment accounts, both for payment initiation and account information services. This increased competition is welcomed, but since third parties will not pay for accessing payment accounts, this imposes an unfair burden on incumbents and creates an asymmetry in the contribution to the sustainability of the payments infrastructure. Furthermore, sector regulations on third-party access to customer data (such as PSD2) might create asymmetries between players in a digital context in which the boundaries between sectors are becoming blurred. Although the new General Data Protection Regulation (GDPR) will bring in a new right to personal data portability which applies to all sectors, this way of accessing customer data will be less standardised than in PSD2 and only affects individual customers (whereas PSD2 also applies to business accounts).

New payment services (based on existing or new infrastructures) and greater accessibility of data increase competition in the payments business, and add pressure on the revenues of incumbent players. In this context, they will be forced to gain efficiency and cut costs to remain competitive in the payments arena. Furthermore, incumbent institutions will be bound to find new sources of value in payments, including finding ways to monetize the data itself, as well as means to enhance customer experience by offering data-based value-added services to clients. Customers’ trust is the cornerstone for incumbent institutions that wish to become a data-driven organisation of the kind just described. In fact, trust and access to customers’ data interact in a virtuous circle that can be characterized as follows. Clients’ trust is key to obtaining their consent to access their data. The more data institutions have, the more insight they will be able to build on their clients, and therefore the more personalized and appreciated value-added services they can create for them. Enhanced customer experience will contribute to reinforcing client satisfaction and trust in the organisation.
In this sense, it is essential that any new regulation or policy ensures a level playing field and works on the reduction of asymmetries among the different players. The level playing field should be understood as a framework in which activities involving the same risks receive the same regulatory treatment, regardless of the institution offering them, and in which there are no unnecessary barriers to fair competition. Otherwise, users of the same financial service could end up being subject to different levels of protection depending on whether the service is provided by an incumbent or a new entrant.

Regulation should reflect and be proportionate to the characteristics, type, and variety of the financial products and consumers, their rights and responsibilities and be responsive to new products, designs, technologies and delivery mechanisms. To promote the market union, mechanisms that ensure the correct application of the same rules and the same standards of interpretation should be established (and not only harmonization by Directives and Regulations) (*).

Furthermore, as mentioned by the EBA, some particular business models create extra difficulties in terms of consumer protection. This is the case, for instance, of marketplaces in which consumers can directly sign up to products from different providers. In this context, the lack of a regulatory framework generates uncertainty as regards the allocation of liabilities, and whether the responsibility lies with the provider or with the platform. As platforms are not regulated, this would ultimately place an excessive liability burden on the providers, which are regulated entities.

Also, it is important for consumers to know the location of the trader/seller with whom they are negotiating or considering contracting, as it is necessary to know how and where to make any complaints or initiate judicial proceedings. In this sense, an issue that could facilitate the exercise of consumer rights is the introduction of one-stop-shop mechanisms for incident reporting. This would significantly simplify the process for consumers, by preventing them from having to identify who is ultimately responsible for the service received and its regulatory status, and from having to deal with the complex institutional architecture comprised by bank supervisors, financial services regulators and data protection authorities.

(*) Exploratory study of consumer issues in online peer-to-peer platform markets. European Commission. 2017. Available at:
The issues gathered under section 4.2.2. are of the utmost importance. As commented in other questions, we believe that fintech regulation should ensure a level playing field for companies engaging in similar activities, with similar risks, in any European country. Currently, the existence of divergent approaches in national frameworks and the lack of European regulations for certain activities might lead to a fragmentation of the internal market, limiting the provision of services across Member States and impeding the exercise of consumer rights when services are provided cross-border.

For instance, not all European countries have developed legislation for alternative finance, creating a mosaic of diverging regulatory frameworks within the EU. In these cases, new fintech players trying to operate cross-border face a practical impossibility due to the lack of passporting facilities.

In other cases, practical difficulties to cross-border operations are even more subtle, as with the requirement of certain Member States (e.g. Germany) for financial services providers operating under passporting to use local IBAN numbers for account holders (not fully standardized), which is impossible to achieve by a company established in a different Member State. The enforcement of the European passport should be guaranteed. Therefore, the IBAN from any European country should not be discriminated against in any other EU country, or else obtaining national IBANs should be automatic.

Considering all of the above, it is essential that the EBA and other European authorities continue working to shed some light on the rules of the game, as the only way to fully exploit the opportunities of digitization and the Single Market is by eliminating unnecessary barriers and promoting the provision of cross-border services, while ensuring a homogenous consumer protection regime.
Following our comments to previous questions, we believe that authorities, including the EBA, must strengthen their supervisory function on the new services that arise, taking a proactive role when the service provider does not meet legal requirements or exceeds its licence by providing services that it has not been authorised to provide. To achieve this, and building on the results of the mapping exercise, it could be useful for the NCAs to conduct a more in-depth assessment of companies engaged in FinTech in their jurisdiction, seeking to identify whether there are firms that should be subject to authorisation or registration and in practice are not.

Currently, supervisory practices focus primarily on risk taking within supervised entities instead of on the actual risks taken by any player in the market. As an example, a bank is always supervised by the Competent Authority, while a technology company which provides similar services might not be. In our understanding, when the activities and assumed risks are related to financial services, there should be an ex officio supervision to ensure that all legal safeguards are applied. This measure ensures that customers only access safe and secure financial services and avoids regulatory arbitrage.
As brought forward in the response to question 10, the introduction of one-stop-shop mechanisms could streamline the process of filing complaints for consumers, especially in cases where the financial service is provided through an interaction of various firms with different regulatory status.

Another issue that is of relevance here is how consumer protection regulations interact with financial services that are not offered by providers located in Europe, or that, due to their immaturity, have an uncertain legal nature or lack a clear legal framework that deals with territoriality or liability issues. This is the case for instance with bitcoin and other digital cryptocurrencies. The terms and conditions of the P2P platforms systematically exclude any liability of the platform in relation to the contracts concluded between the peers, and explicitly state that the platform is not a party to such contracts. For instance, all case study platforms exclude liability for the accuracy of information provided by the peer to establish whether they are a commercial or a private provider; non-performance or non-compliant performance by the peer providers; and the accuracy of information provided in peer-to-peer reviews.
The issues identified by the EBA and the proposed way forward are relevant and complete. In particular, we appreciate the EBA’s intention to assess whether EU legislation in place generates restrictions to digitisation of financial services. We believe it is of the utmost importance to replace the use of paper or non-digital-native (e.g. pdf) documents in any form of communication, as their use prevails even in pieces of legislation that have been produced in recent years. Instead, financial institutions should be given the opportunity to communicate with their clients in whatever format is best suited to the client’s needs and to the channel deployed.

According to a recent study conducted by the European Commission regarding consumer issues in online P2P platform markets, most platforms set minimal identification requirements for registration and access (e.g. name and email address), and usually do not adopt adequate measures to verify users’ identities. Almost all platforms deny responsibility for the accuracy of user information. Most platforms rely on user information checks through email or social media accounts. Some offer optional identity verification services and very few require official identity documents for registration. There is therefore a need for platforms to be transparent about the mechanisms they use to manage review and rating systems, and to ensure consumer understanding of the underlying quality control system.

Platforms should ensure that consumers receive pre-contractual information when they engage in transactions with commercial providers. In addition, platforms could make their Terms and Conditions more user-friendly and ensure that key information about rights and responsibilities is presented more clearly and at the point of the transaction when it is most useful. In general, terms and conditions of digital platforms exclude any liability of the platform in relation to the contracts concluded between the peers, and explicitly state that the platform is not a party to such contracts.

On the other hand, the use and reuse of consumer data is an essential part of the fintech business models. Especially in the case of larger platforms these data represent significant value, in terms of price setting, dynamic pricing, marketing and other commercial purposes. But the information given by platforms about their data use, re-use, sharing and selling practices is in many cases not fully transparent, and it is therefore not clear if current national data protection rules are respected. In general, platforms do not have a clear data use policy regarding transfers to third parties. These practices, or the lack of transparency about current practices of data use and reuse, raise concerns regarding the protection of personal data, especially when they are shared and/or transferred to third parties for commercial purposes. Transparency about the personal and behavioural data that platforms collect, how they use them, who they share them with or sell them to, as well as information about data protection rules that apply is crucial for both platform providers and consumers. As of 25 May 2018, platforms need to comply with new obligations set out by the General Data Protection Regulation (GDPR). It is suggested that the accompanying measures to facilitate the implementation of the GDPR include specific measures focusing on its implications for online P2P platforms.
Alongside prudential regulation, both consumer protection and literacy are critical and complementary elements in ensuring a safe and sound financial system. Therefore, we believe that further joint action is needed by public authorities and relevant private stakeholders to help consumers make the best use of digital financial services, expanding awareness and empowering individuals with financial and digital skills.
Cross-sectoral coordination of all interested stakeholders is thus essential when designing and implementing financial education initiatives. These should encompass all relevant public authorities (governments, central banks, financial authorities, bank supervisors…), but their actions should be mindful not to substitute or duplicate existing efficient initiatives by private parties. Therefore, we strongly advocate for joint public-private efforts that ensure that the role of the private sector and financial service providers is promoted, while preventing the emergence of potential conflicts of interest.
Finally, to illustrate the above recommendations, we would like to highlight BBVA’s inclusive and scalable model of financial education, which is based on the belief that digital transformation inevitably means developing customers’ financial capabilities. BBVA’s approach is based on collaboration with public institutions and other bodies relevant in the field. A significant group of these institutions collaborate in BBVA’s Center for Financial Education and Capability, which seeks to forge alliances and promote empowerment of people of any age, socio-economic background or level of engagement with the financial sector.

More information on BBVA's Center for Financial Education and Capability here:
BBVA’s comments on the ESAs’ Consultation on the use of Big Data by financial institutions and on the EBA’s Discussion Paper on Innovative uses of consumer data lay out our views on these topics.
In summary, we believe that big data analytics and artificial intelligence are technologies with great potential to further expand access to financial services by lowering the complexity and the costs associated with certain advisory and credit scoring services, for example.

Regarding the effects of more granular risk segmentations, we agree that these could lead to higher premiums, but this has been occurring long before the digital era, so this is not a new issue affecting customers. Before, in the pre-digital era, information was gathered in an analog way with less information or with more time needed to segment or take a decision. Today, new digital ways and data have helped create faster, more affordable and smaller segmentations, but this phenomenon and the consequent constraints on access to credit for certain customers have been happening since the origins of credit.

As for price adjustments based on consumer features and behaviour-based factors, charging different prices to different individuals for the same product or service has been a common practice since old times. Pricing practices take different forms and evolve over time. Such pricing practices should not always be a concern, only when they are discriminatory with no objective foundation. Moreover, any assessment of pricing practices should be specific to the product and market in question. Furthermore, it is not the form of pricing that matters, but rather the effect on consumers or consumer outcome. The effect of such pricing depends on the market context. There is a need for an assessment on a case-by-case basis to avoid the risk of identifying the problem incorrectly and proposing an inadequate solution. Moreover, as a natural evolution of the use of consumer data by financial institutions, we expect prices to be driven down towards perfect competition, which will be a major improvement for consumers.

Finally, we believe that financial inclusion can be promoted not only due to the use of more detailed information derived from the use of big data, but also because of the use of alternative sources of data. Using non-traditional sources of data and methods can benefit consumers that otherwise would be unscorable, thus improving access to credit for key sectors including SMEs and those individuals with no previous financial history.
In general terms, the main issues regarding the impact of FinTech on the resolution of financial institutions have been identified by the EBA. In the near future, some FinTech companies will be considered as critical providers in the context of operational continuity of critical economic functions in resolution. If that is the case, all the criteria used in the assessment of those providers, when applicable, shall be analysed. In particular, appropriate legal framework, financial resilience, operational resilience, separability, etc.
Yes, we agree. Consumers are becoming more digitally and globally-oriented, asking banks and financial services’ providers to develop simple and rapid digital onboarding solutions. The e-IDAS Regulation clearly presents e-identification and e-signature as a new opportunity to facilitate the establishment of non-face-to-face business relationships. Nevertheless, there is inconsistency between e-IDAS, which promotes e-identification to access online products and services and carry out online transactions safely, and the 4th AML directive, which still favours face-to-face customer due diligence and considers non-face-to-face relationships as "high risk", requiring Enhanced Due Diligence.

Apart from the above, we particularly welcome EBA’s intention, together with ESMA and EIOPA, to issue an opinion on the use of FinTech solutions for AML/CFT compliance. We believe that the development of so-called RegTech solutions can provide benefits to the whole financial services sector as well as to authorities, as it will ease the relationship among these parties. In particular, we believe that solutions like shared market utilities for KYC could be highly useful to facilitate compliance with KYC/due diligence requirements under AML/CFT rules. However, since banks are still liable for information retrieved from third parties, they still need to double-check any information obtained from a shared KYC utility. Therefore, to really benefit from this approach, regulators must provide clear guidance as to what is needed for financial institutions to rely upon these market utilities for the majority of KYC cases, rather than being limited to using them only as another source of information supporting their own due diligence process. Furthermore, access to public registries should be a as well, as it would further facilitate compliance with AML/CFT rules.

The Basel Committee on Banking Supervision’s revision of the risks related to AML/CFT in relation to correspondent banking, finalised earlier this year, devoted great attention to the usefulness of these KYC utilities, recognising that they may provide efficiency gains for both correspondent and respondent banks. The BCBS expressed no objection to the use of KYC utilities in correspondent banking risk assessment processes, provided sufficient safeguards are met and accountability for CDD remains with the correspondent.
Digital finance gives rise to an increasing number of new financial players and eases cross-border transactions, which makes the monitoring of transactions more complex for financial institutions and public authorities. Fintechs are not in the scope of banking sector regulation and therefore are subject to less stringent AML/CFT rules than banks. These regulatory loopholes may lead to certain competition distortion, which may violate the level playing field principle and lead to increased potential risk for financial crime.

Areas presenting potential anti-money laundering (AML) and terrorist finance risk include:

● Virtual currencies: Decentralised virtual or “crypto” currencies are a potential new criminal tool for terrorist financiers and money launderers to move and store criminal funds. FATF identifies the potential anti-money laundering (“AML”) and counter terrorist financing (“CTF”) risks of anonymity, lack of a centralised oversight body, global reach and the complex infrastructures as the basis for concern. The money laundering risk is said to materialise when criminals or terrorist financiers use virtual currency to transfer goods or funds anonymously.
● Crowdfunding and marketplace lending: The threat related to crowdfunding platforms is based on the anonymity offered by the online presence and the worldwide reach of the platforms. Crowdfunding platforms are sometimes used for campaigns seeking backers for fictitious charitable initiatives abroad or the use of fake individuals backing a fake company. The money is then removed from the platform and transferred for illicit activities. The European Securities and Markets Authority (ESMA) has explicitly said “Investment-based Crowdfunding carries a risk of misuse for terrorist financing, particularly where platforms carry out limited or no due diligence on project owners and their projects. Project owners could use investment-based Crowdfunding platforms to raise funds for terrorist financing, either overtly or secretly.”
● Prepaid cards, and other technologies that facilitate the raising, disbursement, and transmittal of funds between end users (often internationally).

While many of these products and services are already subject to direct AML regulation as money services businesses, others do not fit neatly within existing AML regulatory frameworks, even though they facilitate financial transactions. Still, some businesses may not appreciate the application of the AML laws to their technology or, even if they do, may not have the resources or experience to implement appropriate compliance programs.

Some jurisdictions are taking regulatory action, others are monitoring and studying the developments and potential ML/TF risks, as the usage still develops in those jurisdictions. For some jurisdictions, putting in place an effective AML/CFT regulatory regime may require a more thorough understanding of the platforms.

Establishing some form of guidance at an international level that treats similar products and services consistently according to their function and risk profile is essential to enhance the effectiveness of the international AML/CFT standards.
Yes, the Spanish Regulation allows non-face-to-face identification by means of videoconference, while other Member States do not permit this. As a result, financial institutions in these Member States can initiate distant banking relationships (including cross-border) whereas other financial institutions are prevented from doing so in their own jurisdictions due to face-to-face identification still being required.