On the Way to a Europe-wide FinTech Regulatory Sandbox?

The European Banking Federation (“EBF”) recently issued a paper recommending the creation of a Europe-wide FinTech sandbox, which would let companies experiment with new cross-border financial services. The paper also recommends a number of other actions at EU level in the areas of e-identification, prudential regulation, cloud services, data, cybersecurity, digital platforms, payments and digital skills. The EBF is the umbrella representative organisation for 32 national banking associations in Europe.

The FinTech Regulatory Sandbox

A regulatory sandbox creates a ‘safe space’ in which businesses can test innovative products, services, business models and delivery mechanisms in a live environment without immediately having to apply for authorisation or incur the associated expenses. A number of jurisdictions have introduced a regulatory sandbox approach in the FinTech area over the last several months, including, for example, the UK and Singapore.

In its paper, entitled ‘Innovate. Collaborate. Deploy.’ (“Paper”), the EBF calls on the European Commission to consider adopting a Europe-wide approach on sandboxes in order to avoid additional fragmentation in the single market and the distortion of competition. The EBF argues that, if implemented properly, such an approach could benefit consumers by making a significant contribution to financial services innovation and would also foster innovation in cross-border services. Proper implementation would include:

  • defining and publishing clear and harmonised criteria for projects to enter the sandbox - among other things, the proposed project should be innovative with a short duration and there should not be similar products or services on the market where the sandbox operates;
  • limiting the scale of the activities carried out within the sandbox to avoid additional risks to the financial system and consumers;
  • having a simple and transparent authorisation process with waivers to amendments to particular rules if test activities would otherwise breach them; and
  • establishing a clear supervision process once the experimentation is running, in order to guarantee that the testing company meets the agreed milestones.


E-Identification

As consumers are becoming more digitally and globally-oriented, banks and other financial services providers (“FSPs”) need to be able to adopt simpler and more user-friendly onboarding solutions, including distant digital onboarding. While the current proposal revising the Fourth Money Laundering Directive 2015/849 introduces the possibility of relying on electronic identification means for customer due diligence purposes as set out in the eIDAS Regulation 901/2014, the EBF recommends extending this possibility to any other remote identification processes recognised and approved by the competent authority. It also recommends setting up an eID Digital Service Infrastructure project for the financial sector to look at the needs of the banking sector with regard to digital onboarding.

Prudential Regulation

The EBF recommends that the definition of “intangible assets” in the Capital Requirements Regulation 575/2013 (“CRR”) should be amended to exclude software so as to ensure that it does not need to be fully deducted from Core Equity Tier 1 (“CET1”) when calculating requirements. The existing definition, which includes software as an intangible asset, is a significant disincentive for investments in innovation and contributes to unfair competition.

In addition, the rules applicable to remuneration should not apply to digital specialists who do not engage in risk-taking activities. According to the EBF, “it is extremely difficult to attract and retain scarce digital talent when banks cannot offer packages that compare with their digital peers.” 

Lower capital charges should apply to long-term investment in growth promoting infrastructure as the default rate of project finance is generally low. In addition, the upcoming revision of the CRR should consider an appropriate calibration of the Net Stable Funding Ratio requirement so as not to impose additional constraints on long-term investment in growth promoting (IT) infrastructure.

Cloud Services

Cloud computing offers a means to support the sustainable digitalisation of the banking sector. However, a number of factors are inhibiting its adoption in Europe, including legal and regulatory constraints, lack of regulatory harmonisation and lack of clarity regarding the applicable rules. The European Commission should focus its efforts on supporting the creation of a clear and consistent EU and global regulatory framework and guarantee a proportionate risk-based approach to due diligence and to contracts between Cloud Servicing Providers and the banking sector.


Data

Article 20 of the General Data Protection Regulation 2016/679 (“GDPR”) gives the data subject a right to receive the personal data which he or she has provided to a data controller and to transmit that data to another controller. The EBF calls for further EU guidance on this ‘data portability right’ which should, in particular, clarify that it only applies to raw personal data, which has been input directly by the customer and has not been enhanced/verified or analysed further.

Further guidance should also be provided regarding the interpretation of the requirement to notify a data breach. This requirement should be clearly limited to relevant tangible and effective data breaches, to the exclusion of potential breaches.

The EBF is also seeking the development of a practical approach to the sharing of data by regulated sectors with regulatory authorities, both within the EU and in third countries, as well as a clear legal basis to share information among jurisdictions at group company level.


Cybersecurity

The battle against cybercrime is of paramount importance in ensuring the effective delivery of the digital single market. The format and procedures for security (IT) incident reporting should be harmonised to avoid overlap and redundancy in reporting to multiple competent authorities. In addition, the EU authorities should put in place a framework which allows the possibility for the banking industry to share sensitive information related to fraud and cyber-attacks at national and cross-border level.

Digital Platforms

Platforms are changing the design of traditional business models and marketing activities, offering a plug-and-play infrastructure that enables producers and consumers to connect and interact in a new manner. In the financial sector, the emergence of platforms is raising organisational, regulatory and competition issues. While the revised Payment Services Directive 2015/2366 (“PSD2”) will require financial institutions to provide customer data in an interoperable format in certain circumstances, there is no equivalent obligation imposed under the GDPR portability principle, meaning that different rules apply to financial institutions on the one hand and digital providers on the other. In addition, digital platforms command significant market power and it may be necessary to take measures to ensure that they cannot impose contractual conditions which would prevent European companies deriving a fair share of the value of their innovations.

According to the EBF, the complexity of the issues raised by the scale of digital platforms calls for a holistic approach that puts a strong emphasis on the protection of consumer and corporate data. It will be necessary to conduct further analysis to identify solutions to the issues raised in the Paper and specific attention should be given to finding ways of preventing platforms from unfairly exploiting market power.


Payments

PSD2 requires strong customer authentication (“SCA”) for all electronic payments, subject to certain exemptions. SCA means that payment service providers have to verify at least two from a list of three factors – something you know (eg a password), something you have (eg a payment card) and something you are (eg a biometric).

Article 74(2) of PSD2 permits a merchant and its payment service provider not to apply SCA in exchange for taking liability for the transaction. However, in August 2016, the European Banking Authority (“EBA”) published draft regulatory technical standards which propose to impose SCA for all transactions above €10 from October 2018.

According to the EBF, as PSD2 makes banks liable towards the customer in case of fraudulent, wrongly or non-executed payment transactions, they should not be required to apply SCA but should be allowed to take a risk-based approach to this issue. In addition, the EBA and the European Commission should address the current time gap between the application of PSD2 (13 January 2018) and the delegated legislation on SCA which is unlikely to be implemented before October 2018, at the earliest.

Digital Skills

The financial sector is competing for talent with the IT sector in areas such as cybersecurity, big data and artificial intelligence. This competition is taking place in the context of a digital skills gap, where 37% of the workforce in Europe has insufficient digital skills. Many banks are willing to sign up to the Digital Skills and Jobs Coalition and work closely with stakeholders to address this gap. The EBF would also like to add digital education as a component of its activities on financial education.

Next Steps

The EBF presented the Paper to European Commission Vice-President Valdis Dombrovskis (Financial Services and Capital Markets Union) and Commissioner Gunther Oettinger (Digital Economy and Society) at a meeting of the European Commission’s Roundtable on Banking in the Digital Age. The Roundtable was set up by Commissioner Oettinger with a number of CEO representatives of the banking sector and the EBF. One of its objectives is to identify what should be done at EU level to help enhance banks’ competitiveness and their ability to leverage digitalisation more effectively to serve citizens and firms. Another is to identify how banks can continue to support the European economy, in particular by investing in innovation, and what should be done at other levels, including by the banks themselves.

Presumably the Paper will now feed into the work of the Roundtable. In addition, we expect that the EU authorities, including the EBA and the European Commission, will take it into consideration in the context of their on-going work in the various sectors addressed in the Paper.


This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.