The Ministry of Finance of the Czech Republic (MFCR) supports EBA’s intention to further investigate and assess different national regulatory regimes of Fintech companies. We however do not think that differences between those national regimes have only a negative effect on the European economy and ultimately lead to ‘forum shopping’ with all its bad consequences.
On the contrary – our view is that regulatory differences (and the flexible European framework which makes them possible) could lead to potential benefits for both Fintech companies and European customers. Fintech is such a dynamic market segment that trying to quickly implement universal European solutions might do more harm than good. A common European framework for Fintech should be based on regulatory solutions already tested and proven to be successful in member states.
We would also like to stress that in our opinion, authorisation and registration regimes should in all cases stay ‘service oriented’. That means regulation should be the same for both new and traditional companies if they provide essentially the same services with differences only in regard to distribution channels, internal processes etc. That is the reason why we would support a new licensing regime only in a case where there would really be a new financial service that would have to be regulated.
We also think there is an urgent need to remove unnecessary regulatory barriers, especially for small and medium sized enterprises. But prospective changes should be in all cases strictly ‘service based’ and ‘technology neutral’, benefiting both new and traditional companies.
MFCR agrees with EBA’s preliminary findings in the area of prudential risks and opportunities for credit institutions. We would however like to point out that not all the risks mentioned by EBA are caused or magnified by emerging fintech companies and services.
Outdated IT systems, mismanagement of personal data and all the other cybersecurity issues might be in some cases connected with credit institutions’ engagement with fintech, but in many cases these are the risks credit institutions have already been trying to mitigate for years. In our opinion, it is important to distinguish between risks arising specifically from fintech and risks arising from digitalization in general.
MFCR agrees with EBA’s view that ICT risks arising from the highly innovative retail payments market are significant. We however do not think that strengthening security requirements in legislation is the right way to cope with those risks.
The trouble is that all the legislative solutions we were able to see and analyse (including EBA’s RTS on SCA and CSC) tend to be very prescriptive and introduce solutions that aren’t (at least in some of the member states) user friendly and convenient to use. Because of that, we generally support a risk-based approach which on one hand allows payment service providers to choose security solutions that suit them and their clients, but on the other hand increases their liability for fraudulent transactions or data misuse. In our opinion, EBA should take this need for greater risk-based flexibility into account when further developing its approach to security of payments. Moreover, we think that clients are very well protected from the legal point of view as the regime of unauthorised payment transactions under PSD/PSD2 applies to whatever technology is used.
We also strongly encourage EBA, as proposed in the consultation, to investigate distributed ledger technology and its use in the field of payments. It is possible that the number of payment services based on this technology will grow rapidly in the coming years and both legislators and regulators should be ready for that.
While we in general agree with EBA’s claim that investment in technology and the pace of innovation have increased in the last few years, we also think it’s important to stress that we have experienced even more profound changes in the recent past – e.g. the universal expansion of internet banking – and credit institutions were able to deal with those without any serious trouble. We therefore urge caution when analysing potential negative implications of fintech on traditional credit institutions and their business models.
MFCR doesn’t think EBA should prepare any new implementing legislation. In our opinion, EBA should rather concentrate on delivering implementing legislation to directives or regulations on time. The fact that many important RTSs or guidelines (such as RTS on SCA and CSC under PSD2) haven’t been adopted yet is a main obstacle to consistent application of EU financial law across the bloc.
On the other hand, we think EBA should be very active in delivering non-binding opinions, recommendations and responses to frequently asked questions. One of the areas where such an initiative could be of utmost importance is the relationship between GDPR and financial market directives or regulations especially in regard to ‘new services’.
We agree with EBA’s claim that there are significant differences between member states’ approaches to the implementation of AML/CFT identification rules. In some member states, strict rules effectively prevent fintech companies from providing their services and thus harm the European digital economy (see our response to question 23).
MFCR therefore supports ESAs’ initiative in preparing an opinion on the use of fintech solutions for AML/CFT compliance purposes. We actually see this as an example of good practice that should be followed in other cases as well. A flexible European framework allows member states to set their own requirements for AML/CFT identification procedures and, when the time comes, member states can quickly adapt those rules e.g. to the needs of new market participants, to new AML/CFT threats or to recommendations of European agencies.
There is one obstacle in Czech AML/CFT legislation which may prevent some FinTech firms that are obliged entities (e.g. providers of regulated services) from entering the market and FinTech solutions from being used in obliged entities’ customer due diligence process (CDD).
Obliged entities are required by Czech law to carry out their customer’s first identification generally in person, which excludes the use of innovative solutions. However, subject to the condition that the client has an existing payment account with an EU credit institution, financial institutions (including those that are FinTech firms) can use means of distant identification when opening a new payment account for their client (the client identifies himself by sending money from his previous account to this new one). This possibility is however limited only to certain services (a payment account must be part of that service) and certain clients (the client must already have a payment account elsewhere).
The restriction which is described above may render the use of FinTech services (such as account information service or payment initiation service) more difficult and inconvenient. (Due to PSD2, currently unregulated providers are bound to become licensed institutions with an obligation to comply with AML/CFT identification rules.) It also naturally prevents other FinTech companies from providing innovative identification and verification solutions to companies which provide customer-facing services.
We are however currently discussing changes to our law that would allow obliged entities to identify their clients during their first contact using innovative ways of identification (e.g. video). Our ministry is also proposing to amend the AMLD IV directive in a way that would exclude entities providing account information service and payments initiation service from the list of obliged entities – AML/CFT risks connected with these new services are in our opinion virtually nonexistent (CDD measures are already implemented by providers of payments accounts) so we think that even identification using innovative technology is redundant.