Tag: EBA

Final ESMA Guidelines on cloud outsourcing

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the end of December 2020, the European Securities and Markets Authority (ESMA) published its final report on its guidelines on outsourcing to cloud service providers (CSP). The purpose of the guidelines is to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements. Since the main risks associated with cloud outsourcing are similar across financial sectors, ESMA has considered the European Banking Authority (EBA) Guidelines on outsourcing arrangements, which have incorporated the EBA Recommendations on outsourcing to cloud services providers and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. This ensures consistency between the three sets of guidelines. The ESMA Guidelines on cloud outscoring apply to MiFID II firms such as investment firms and other financial services providers indirectly but they describe the market standard and set the supervisory framework for the National Competent Authorities (NCAs) in Europe such as the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin).

For the German jurisdiction, BaFin published guidance on outsourcing to cloud providers back in 2018. Please note that the amended MaRisk include outsourcing requirements for investment firms and other financial services providers and already reflect the EBA Guidelines on outsourcing, including cloud outsourcing. For more information on the MaRisk amendment, please see our previous Blogpost.

The guidelines in more detail

The following gives a brief overview of the main content of the ESMA cloud outsourcing guidelines.

  • Guideline 1: Governance, oversight and documentation

Firms should have a defined and up-to date cloud outsourcing strategy which should include, inter alia, a clear assignment of the responsibility for the documentation, management and control of cloud outsourcing arrangements, sufficient resources to ensure compliance with all legal requirements applicable to the firm’s outsourcing arrangements, a cloud outsourcing oversight function directly accountable to the management body and responsible for managing and overseeing the risk of cloud outsourcing arrangements, a (re)assessment of whether the cloud outsourcing arrangements concern critical or important functions as well as an updated register of information on all cloud outsourcing arrangements. For the outsourcing of critical or important functions, the ESMA guidelines include a detailed list of information which should be included in the register.

  • Guideline 2: Pre-outsourcing analysis and due diligence

ESMA provides information on what is required for the pre-outsourcing analysis (e.g. an assessment if the cloud outsourcing concerns a critical or important function). In the case of outsourcing of critical or important function, firms should conduct a comprehensive risk analysis and take into account benefits and costs of the cloud outsourcing and perform an evaluation of the suitability of the CSP.

  • Guideline 3: Key contractual elements

The guidelines provide a detailed list of what a written cloud outsourcing agreement should include in case of outsourcing of critical or important functions. Such agreements should include, inter alia, provisions regarding data protection, agreed service levels incident management, business continuity plans, termination rights and access and audit rights for the firm and its competent supervisory authority.

  • Guideline 4: Information security

Firms should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis. In case of outsourcing of critical or important functions, additional requirements apply regarding information security organization, identity and access management, encryption and key management, operations and network security, application programming interfaces, business continuity and data location.

  • Guideline 5: Exit strategies

In case of outsourcing of critical or important functions, firms should develop and maintain exit strategies that ensure that the firm is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its client. Exit strategies should include comprehensive and documented exit plans, the identification of alternative solutions and provisions in the written outsourcing agreements that oblige the CSP to support orderly transfer of the outsourced function from the CSP to another CSP.

  • Guideline 6: Access and audit rights

Firms should ensure that the cloud outsourcing written agreement does not limit the firm´s and competent authority´s effective exercise of the access and audit rights on the CSP (see also Guideline 3). However, the Guideline also includes provisions aimed at reducing the organizational burden on the CSP and its clients when exercising access and audit rights: firm may use e.g. third-party certifications and external or internal audit reports made available by the CSP. However, in case of outsourcing of critical or important functions, the guidelines stipulate additional requirements that must be met in order to be able to rely on third party certifications or assessments.

  • Guideline 7: Sub-outsourcing

In case of sub-outsourcing, the firm should ensure that the CSP appropriately oversees the sub-outsourcer. In addition, ESMA provides information on the provisions that should be included in the written outsourcing agreement between the firm and the CSP in the case of sub-outsourcing critical or important function. This includes the remaining accountability of the CSP, a notification requirement for the CSP in case of any intended sub-outsourcing allowing the firm sufficient time to carry out a risk assessment of the proposed sub-outsourcer, the firm´s right to object to the intended sub-outsourcing and termination rights in case of such objection.

  • Guideline 8: Written notification to competent authorities

Firms should notify in writing its competent authority in a timely manner of planned cloud outsourcing arrangement that concern critical or important functions. The notification should include, inter alia, a description of the outsourced functions, a brief summary of the reasons why the outsourced function is considered critical or important and the individual or decision-making body in the firm that approved the cloud outsourcing arrangement.

What´s next?

In a next step, the guidelines will be translated in the official EU languages and published on the ESMA´s website. The publication of the translation will trigger a two-month period during which the national competent authorities must notify ESMA whether they comply or intend to comply with the guidelines (comply or explain mechanism). For the German jurisdiction, it is to be expected that BaFin will comply with the ESMA guidelines.

EBA´s New Role in Anti-money Laundering and Countering the Financing of Terrorism

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the turn of the year, there have been some new developments in anti-money laundering (AML) law at both German and EU level. Part 1 of our series dealt with the changes at German law resulting from the implementation of the Fifth EU Anti-Money Laundering Directive. Part 2 sheds some light on the European Banking Authority’s (EBA) new leading role in anti-money laundering and countering the financing of terrorism (CFT).

What is changing in the approach to AML/CFT?

In 2019, the EU legislator gave EBA a legal mandate to preventing the use of the financial system for the purposes of money laundering and terrorist financing and to leading, coordinating and monitoring the AML/CFT efforts of all EU financial service providers and competent authorities. The law implementing EBA´s new powers came into effect on 1 January 2020.

However, assigning EBA a leading role in AML/CFT will not change the EU´s general approach to AML/CFT, which remains based on a minimum harmonisation directive and an associated strong focus on national law and direct supervision of financial institutions by national competent authorities. This reduces the influence and the degree of convergence and consistency EBA´s work can achieve from the outset.

To the extent legally possible, EBA will use its new role to

  • lead the establishment of AML/CTF policy and support its effective implementation by competent authorities and financial institutions;
  • coordinate AML/CFT measures by fostering effective cooperation and information exchange between all relevant authorities;
  • monitor the implementation of EU AML/CFT standards to identify vulnerabilities in competent authorities´ approaches to AML/CFT supervision and to mitigate them before money laundering and financing of terrorism risks materialise.

How will EBA lead on AML/CFT?

To fulfill its new leading role, EBA will focus on two key point: developing an EU-wide AML/CFT policy and ensuring a consistent supervision by national competent authorities. EBA intends to develop such EU-wide AML/CFT policy through standards, guidelines or opinions where this is provided for in EU law as well as on its own initiative where it identifies, for example, gaps in competent authorities´ supervision. In 2020, EBA will be setting clear expectations on the components of an effective risk-based approach with targeted revisions to the core AML/CFT guidelines: the Risk Factors Guidelines and the Risk-Based Supervision Guidelines.

EBA intends to foster a consistent supervision by national competent authorities by assisting them through training, bilateral support and detailed bilateral feedback on their approach to the AML/CFT supervision of banks.

What will EBA do to coordinate?

To coordinate the European work against money laundering and terrorism financing, EBA will focus to coordinate national competent authorities´ AML/CFT supervision by fostering effective cooperation and information exchange. To achieve its goal, the EBA will set up a permanent internal AML/CFT standing committee (AMLSC). The AMLSC will bring together, inter alia, representatives of all AML/CFT competent authorities from Member States, along with representatives from ESMA and EIOPA, the Commission and the European Central Bank. Its main task will be to provide subject matter expertise. It will also serve as a forum to facilitate information exchange and ensure effective coordination and cooperation to achieve consistent outcomes in the EU’s work against money laundering and terrorism financing. The AMLSC has met for the first time in February 2020.

In addition to the AMLSC, EBA will create a new AML/CFT database. This database will not only contain information on AML/CFT weaknesses in individual financial institutions and measures taken by competent authorities to correct those shortcomings, but EBA will use it to meet wider AML/CFT information and data need to supports its objectives on AML/CFT work. EBA will draft two regulatory technical standards  that will specify the core information that competent authorities must submit to the date base and how EBA will analyse the obtained information and make it available to competent authorities.

What will EBA do to monitor?

One main tool for EBA to monitor the implementation of EU AML/CFT standards will be using information from the new database and to ask national competent authorities to take action if EBA has the indication that a financial institution´s approach to AML/CFT materially breaches EU law. EBA envisages to use this new tool proactively to ensure that AML/CFT risks are addressed by competent authorities and financial institutions in a timely and effective manner. This approach aims to rectify shortcomings at the level of financial institutions; they do not, however, serve to establish whether or not a competent authority may be in breach of Union law.

The difference EBA´s new role will make

As the national implementation of the Fifth European AML Directive and the EBA´s new leading role show, effective AML/CFT measures remain in the focus of the EU legislator, not least due to political developments (terrorist attacks in France, “Panama Papers” etc.). Market participants should prepare themselves for stricter audits by their competent national authorities on AML/CFT compliance. For example, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) has announced AML/CFT as one of its focuses of its supervisory practice for 2020. By assigning a leadership role to EBA, European efforts to prevent money laundering will in future be better coordinated, bundled and consistently implemented throughout the European financial market and therefore, hopefully, be more effective. However, we need to keep in mind that BaFin and subsequently also EBA are only part of the European and national AML regime. In Germany, for example, the FIU has a leading role in AML activities. An overview of the authorities involved can be found here.

EBA’s Action Plan on Sustainable Finance

Published on by Charlotte Dreisigacker-Sartor

Climate change and the response to it by the public sector and society in general have led to an increasing relevance of environmental, social and governance (ESG) factors for financial markets. It is, therefore, essential that financial institutions are able to measure and monitor the ESG risks in order to deal with risks stemming from climate change (learn more about climate change related risks in our previous Blogpost.

To support this, on 6 December 2019, the European Banking Authority (EBA) published its Action Plan on Sustainable Finance outlining its approach and timeline for delivering mandates related to ESG factors. The Action Plan explains the legal bases of the EBA mandates and EBA´s sequenced approach to fulfil these mandates.

Why is EBA in charge ? EBA mandates on sustainable finance

The EBA´s remit and mandates on ESG factors and ESG risks are set out in the following legislative acts:

  • the amended EBA Regulation;
  • the revised Capital Requirements Regulation (CRR II) and Capital Requirements Directive (CRD V);
  • the new Investment Firms Regulation (IFR) and Investment Firms Directive (IFD) and
  • the EU the Commission´s Action Plan: Financing Sustainable Growth and related legislative packages.

These legislatives acts reflect a sequenced approach, starting with the mandates providing for the EBA to oblige institutions to incorporate ESG factors into their risk management as well as delivering key metrics in order to ensure market discipline. The national supervisory authorities are invited to gain an overview of existing ESG-related market risks. In a second step, the EBA will develop a dedicated climate change stress test that institutions should use to test the impact of climate change related risks on their risk-bearing capacity and to take appropriate precautions. The third step of the work will look into the evidence around the prudential treatment of “green” exposures.

The rationale for this sequencing is the need firstly to understand institutions´ current business mix from a sustainability perspective in order to measure and manage it in relation to their chosen strategy, which can then be used for scenario analysis and alter for the assessment of an appropriate prudential treatment.

Strategy and risk management

With regard to ESG strategy and risk management, the EBA already included references to green lending and ESG factors in its Consultation paper on draft guidelines on loan origination and monitoring which will apply to internal governance and procedures in relation to credit granting processes and risk management. Based on the guidelines the institutions will be required to include the ESG factors in their risk management policies, including credit risk policies and procedures. The guidelines also set out the expectation that institutions that provide green lending should develop specific green lending policies and procedures covering granting and monitoring of such credit facilities.

In addition, based on the mandate included in the CRD V, the EBA will asses the development of a uniform definition of ESG risks and the development of criteria and methods for understanding the impact of ESG risks on institutions to evaluate and manage the ESG risks.

It is envisaged that the EBA will first publish a discussion paper in Q2-Q3/2020 seeking stakeholder feedback before completing a final report. As provided for in the CRD V, based on the outcome of this report, the EBA may issue guidelines regarding the uniform inclusion of ESG risks in the supervisory review and evaluation process performed by competent authorities, and potentially also amend or extend other policies products including provisions for internal governance, loan origination and outsourcing agreements.

Until EBA has delivered its mandates on strategy and risk management, it encourages institutions to act proactively in incorporating ESG considerations into their business strategy and risk management as well as integrate ESG risks into their business plans, risk management, internal control framework and decision-making process.

Key metrics and disclosures

Institutions disclosures constitute an important tool to promote market discipline. The provision of meaningful information on common key metrics also distributes to making market participants aware of market risks. The disclosure of common and consistent information also facilitates comparability of risks and risks management between institutions, and helps market participants to make informed decisions.

To support this, CRR II requires large institutions with publicly listed issuances to disclose information on ESG risks and climate change related risks. In this context, CRR II includes a mandate to the EBA according to which it shall develop a technical standard implementing the disclosure requirements. Following this mandate, EBA will specify ESG risks´ disclosures as part of the comprehensive technical standard on Basel´s framework Pillar 3.

Similar mandates are contained in the IFR and IFD package. The IFD mandate for example requires EBA to report on the introduction of technical criteria related to exposures to activities associated substantially with ESG objectives for the supervisory review and evaluation process of risks, with a view to assessing the possible sources and effects of such risks on investment firms.

Until EBA has delivered its mandates, it encourages institutions to continue their work on existing disclosure requirements such as provided for in the Non-Financial Reporting Directive (NFRD) as well as participation in other initiatives. EBA also encourages institutions to prioritise the identification of some simple metrics (such as green asset ratio) that provide transparency on how climate change-related risks are embedded into their business strategies, decision-making process, and risk management.

Stress testing and scenario analysis

The EBA Regulation includes a specific reference to the potential environmental-related systemic risk to be reflected in the stress-testing regime. Therefore, the EBA should develop common methodologies assessing the effect of economic scenarios on an institutions´ financial position, taking into account, inter alia, risks stemming from adverse environmental developments and the impact of transition risk stemming from environmental political changes.

Also the CRD V mandate requires EBA to develop appropriate qualitative and quantitative criteria, such as stress testing processes and scenario analysis, to asses the impact of ESG risks under scenarios with different severities. Hence, EBA will develop a dedicated climate stress test with the main objective of identifying banks´ vulnerabilities to climate-related risks and quantifying the relevance of the exposures that could potentially hit by climate change related risks.

Until delivering its mandates, EBA encourages institutions to adopt climate change related scenarios and use scenario analysis as an explorative tool to understand the relevance of the exposures affected by and the potential magnitude of climate change related risks.

Prudential treatment

The mandate in the CRR II asks EBA to assess if a dedicated prudential treatment of exposures to assets or activities associated with environmental or social objectives would be justified. The findings should be summarised in a report based on the input of a first to be published discussion paper.

Upshot

Between 2019 and 2025, the EBA will deliver a significant amount of work on ESG and climate change related risks. The obligations for institutions with regard to a sustainable financial economy and a more conscious handling of climate change related risks are becoming increasingly concrete. Institutions should take the EBA’s encouragement seriously and consider applying the measures recommended by the EBA prior to the publication of any guidelines, reports or technical standards.

Who is Who? European Supervisory Authorities – How they Cooperate and Interact

Published on by Dr. Verena Ritter-Döring

If you are looking for guidance from national and European supervisory authorities, it is not easy to see at first glance how they work together and whose guidance is most relevant. We want to shed some light on the ‘Who is Who?’ of German and European regulators.

Financial market supervision in Germany

The first go-to regulator in Germany is the Federal Financial Supervisory Authority (BaFin), which is entrusted with the tasks of banking, insurance and securities supervision and acts as a universal financial supervisory authority. BaFin is also responsible for ensuring that financial services, banking and insurance transactions are not conducted without a license and can also sanction any violations against the regulatory regime – and does so regularly. One of the newest additions to the list of tasks of BaFin is supervising compliance with consumer protection rules within the financial market. This primarily concerns cases in which regulated institutions violate regulatory provisions that protect consumers. If these infringements go beyond individual cases, they are pursued in the public interest by BaFin. BaFin, together with criminal enforcement authorities, is also responsible for pursuing money laundering and terrorist financing and supervising compliance with AML requirements. BaFin’s banking and insurance supervisory office is based in Bonn, the office responsible for securities supervision, asset management and bank resolution is based in Frankfurt am Main.

In Germany, the task of banking supervision is shared by BaFin and the German Central Bank (Deutsche Bundesbank). BaFin and Deutsche Bundesbank, e.g., oversee whether the banks have sufficient financial resources and whether business operations are properly organised. BaFin and Bundesbank receive the necessary information from the banks themselves or obtain it through on-site audits. The Bundesbank is responsible for the majority of operational banking supervision, namely the reporting and evaluation of audit reports submitted by the institutions and the performance of special audits. Guidelines for ongoing supervision and interpretation of legal requirements are mainly issued by BaFin.

The supervision of insurance policies by BaFin is intended to ensure that the insurance companies are capable of providing the benefits to which they are obliged. To this end, BaFin checks, for e.g., whether the insurance companies have sufficient financial resources and assess risks correctly.

BaFin’s supervision of securities serves the purpose of ensuring the availability of sufficient information and transparency for all market participants by monitoring the proper publication of relevant information. BaFin also monitors insider trading and price manipulation.

European financial market supervisory regime

BaFin and Deutsche Bundesbank are not the only regulators you have to keep up with when you are a regulated institution. At the European level, the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) have their say and the European Central Bank (ECB) is also responsible for financial market supervision within the Eurozone.

The Single Supervisory Mechanism (SSM) has entrusted the ECB with the direct supervision of significant financial institutions in the Eurozone. These are about 120 banks and banking groups. To fall within the ECB’s responsibility, a bank must either have a balance sheet total of more than €30 billion or more than 20% of its home country’s GDP. If these thresholds are not met, the ECB monitors the 3 largest banks in each of the countries participating in the SSM (which are 19 countries in the Eurozone). All other banks will continue to be supervised by the national supervisory authorities.

If the ECB is in charge, the ECB cooperates with the national supervisory authorities of the banks’ home countries. Joint Supervisory Teams (JSTs) are set up by the ECB for coordination. These are composed of staff from the ECB and the national supervisory authorities. In Germany JSTs consist of members of the ECB, BaFin and Deutsche Bundesbank. A consistent supervisory practice can be established through the JSTs, taking into account national standards and a uniform standard within the Eurozone.

In contrast to the day-to-day supervision of the national regulators and the ECB, the European supervisory authorities EBA, ESMA and EIOPA (together ESAs) generally do not act directly vis-à-vis individual financial institutions, but ensure uniform standards within the EU. They also monitor the application of EU law by national supervisory authorities and the market. For this purpose, they use convergence instruments such as guidelines and Q&As (Questions and Answers), which aim at a consistent application of EU law by the national supervisory authorities. In practice, however, European directives are not always implemented equally in each Member State since the directives also leave a scope of interpretation for the national legislator on certain aspects of regulatory law.

The guidelines issued by EBA, ESMA and EIOPA are binding for the national regulators in Europe. They are not directly binding for the institutions but become directly binding when adopted by the national regulators. BaFin publishes on its homepage whenever it adopts guidelines, and also when guidelines are specifically not integrated within the German administrative practice. The advantage of the ESA’s approach of having a single rulebook and consistent rules throughout the EU for the market is that the provision of cross-border services becomes easier if just one set of rules apply.

EBA, ESMA and EIOPA are also actively involved in the European legislative process by supporting the European Commission in drafting legislative proposals based on their knowledge of the European financial market and its supervisory mechanisms.

Although the ESAs do not act directly vis-à-vis the majority of the regulated institutions, it is worth monitoring their publications to get an early grip on regulatory developments. The European administrative practice is essentially formed through the ESAs. It is also worth noting that the ESAs usually publish drafts of their envisaged guidelines for consultation purposes. For lobbying purposes it is essential to participate in such consultations.

FinTech Action Plan versus Global Financial Innovation Network

Published on by Dr. Verena Ritter-Döring

As outlined in Part 3 of this series of posts giving updates on the European FinTech regulation agenda, the envisaged harmonized regulatory framework for financial innovation within the Single Market will be based on a comprehensive understanding of the innovative landscape within the financial market. Building the knowledge takes time and effort. It took EBA three and a half months after laying out its FinTech Road Map to publish the first analyses which form part of the FinTech Knowledge Hub.

The Knowledge Hub aims at fostering a better understanding of the innovative landscape within the financial market through facilitating the exchange of information between European and national regulators, innovators and technology providers. On this basis, a regulatory framework can be built that will fit the market’s demands and will support new innovative business models.

In contrast to the European approach, the Financial Conduct Authority (FCA) in London approaches the support for FinTechs in what seems to be at a first glance a more rapid way. Already in February 2018 the UK regulator encouraged the idea of a “global sandbox.” A regulatory sandbox allows the provider of innovative technology to offer his or her idea to a certain number of potential clients within the financial market for a limited period of time without the application of the full set of compliance, license and capital requirements. During this time the provider can assess if his or her innovative approach is worth the investment of full regulatory compliance. In the UK the possibility for FinTechs to approach the market via a regulatory sandbox has been successfully established in 2016.

Driven by the understanding that major emerging innovation trends (such as big data, artificial intelligence and blockchain based solutions) are increasingly global, rather than domestic, in nature, in February 2018 the FCA started an international dialogue with firms doing business, or looking to do business, in the UK or overseas, regulators, consumers, or any other interested party to assess what a global sandbox could look like. The FCA received 50 responses to their call in February with an overall positive feedback. Key themes to emerge in the feedback were:

Regulatory co-operation: Respondents were supportive of the idea of providing a setting for regulators to collaborate on common challenges or policy questions that firms face in different jurisdictions.

Speed to market: Respondents saw as one of the main advantages for the global sandbox that it could be reducing the time it takes to bring ideas to new international markets.

Governance: Feedback highlighted the importance of the project being transparent and fair to those potential firms wishing to apply for cross-border testing.

Emerging technologies/business models: A wide range of topics and subject matters were highlighted in the feedback, particularly those with notable cross-border application. Among the issues highlighted were artificial intelligence, distributed ledger technology, data protection, regulation of securities and Initial Coin Offerings (ICOs), know your customer (KYC) and anti-money laundering (AML).

Building on the FCA’s proposal to create a global sandbox, on 7 August 2018 the FCA has, in collaboration with 11 financial regulators and related organisations, announced the creation of the Global Financial Innovation Network (GFIN). The FCA is the only European regulator within GFIN. The other members are the Abu Dhabi Global Market (ADGM), the Autorité des marchés financiers (AMF, Canada), the Australian Securities & Investments Commission (ASIC), the Central Bank of Bahrain (CBB), the Bureau of Consumer Financial Protection (BCFP, USA), the Dubai Financial Services Authority (DFSA), the Guernsey Financial Services Commission (GFSC), the Hong Kong Monetary Authority (HKMA), the Monetary Authority of Singapore (MAS), the Ontario Securities Commission (OSC, Canada) and the Consultative Group to Assist the Poor (CGAP).

The idea of GFIN is to:

  1. act as a network of regulators to collaborate, share experience of innovation in respective markets, including emerging technologies and business models, and communicate to firms;
  2. provide a forum for joint policy work and discussions; and
  3. provide firms with an environment in which to trial cross-border solutions (business-to-consumer (B2C) or business-to-business (B2B)).

With the announcement of the creation of GFIN, the FCA also published a consultation document laying out a mission statement for GFIN and the idea of a global sandbox which is still based on the FCA’s concept thereof published in February. The consultation is addressed to innovative financial services firms, financial services regulators, technology companies, technology providers, trade bodies, accelerators, academia, consumer groups and other stakeholders keen on being part of the development of GFIN and will be running until 14 October 2018.

Although the knowledge centered approach of the EU for a regulatory framework for FinTechs within the Single Market surely is a reasonable approach, an international approach could have the advantage of providing speedier solutions and create a competitive advantage. With Brexit on the horizon, the FCA’s approach seems sensible and certainly a good move to keep their financial market up to date.

FinTech Action Plan and EBA Road Map: Part 3

Published on by Dr. Verena Ritter-Döring

As outlined in Part 1 and Part 2 of this series of posts giving updates on the European FinTech regulation agenda, there is a political will to create a comprehensive and harmonized regulatory framework for financial innovation within the Single Market. Part of the Road Map to a regulatory framework is a FinTech Knowledge Hub, which is meant to facilitate the exchange of information between European and national regulators, innovators and technology providers. The Knowledge Hub will foster a better understanding of the innovative landscape within the financial market.

Three and a half months after laying out its FinTech Road Map, EBA delivers first products that form part of the FinTech Knowledge Hub.

The two documents published on 3 July 2018 are reports on the impact of FinTech on incumbent credit institutions’ business models  and on the prudential risks and opportunities arising for institutions from FinTech . Both reports contain an analysis of the impact of FinTechs on the current financial landscape and aim to raise awareness within the supervisory community and the financial industry of potential prudential risks and opportunities from current and potential FinTech applications. EBA wants to convey an understanding of the main trends that could impact incumbents’ business models and pose potential challenges to their sustainability.

The first report, on the impact of FinTech on incumbent credit institutions’ business models, is an overview of the current market situation. It identifies four drivers for changes in current business models which are i. customer expectations and behaviour, ii. profitability concerns in the current low interest rate environment, iii. increasing competition and iv. regulatory changes such as PSD2 and GDPR. EBA identifies two main trends among the different digitalisation projects of the established institutions, namely digital transformation of internal processes and digital disruption by use of innovative technologies that aim to enhance customer experience. In the current FinTech ecosystem the prevailing model of interaction between FinTechs and incumbent institutions is one of collaboration and establishment of new relationships. In this way FinTechs can provide knowledge and ideas incumbent institutions have yet been too reluctant or too slow to establish themselves.

The second report, on prudential risks and opportunities arising for institutions from FinTech, is intended to raise awareness of and to share information on current and potential FinTech applications. The report focuses on seven use cases without making recommendations. The seven use cases are:

  1. Biometric authentication using fingerprint recognition,
  2. Use of robo-advisors for investment advice,
  3. Use of big data and machine learning for credit scoring,
  4. Use of Distributed Ledger Technology (DLT) and smart contracts for trade finance,
  5. Use of DLT to streamline Customer Due Diligence processes,
  6. Mobile wallet with the use of Near Field Communication (NFC),
  7. Outsourcing core banking/payment systems to a public cloud.

EBA focuses mainly on operational risk aspects, but also considers opportunities that may arise from the seven applications. The report is informative and provides a good overview for competent authorities and institutions alike of the current landscape and the inherent prudential risks that the market should be aware of.

FinTech Action Plan and EBA Road Map: Part 2

Published on by Dr. Verena Ritter-DöringLeave a comment

Part 2: Further Guidance through EBA’s FinTech Roadmap

On 15 March 2018 EBA published its FinTech Roadmap which bridges the dichotomy between consumer protection and stability of the financial system through cybersecurity on the one hand and the support for financial innovation on the other hand. It becomes clear that EBA recognises the benefits of the innovative developments for the Single Market, which include enhancing consumer experience, cost efficiency for consumers and service providers and the need to support growth.

A harmonised regulatory framework for new technologies in the financial markets is needed. A provider of an innovative idea using new financial technologies might want to test his idea in the market. He will face different challenges in countries with regulatory sandboxes compared to countries where a inflexible regulatory regime applies. A regulatory sandbox would allow the provider to offer his idea to a certain amount of potential clients for a limited period of time without the application of the whole compliance, license and capital requirements. During this time he can assess if his innovative approach is worth the investment of full regulatory compliance. In countries where the regulatory regime applies from day one when the first client is approached and on boarded, the investment of the provider is much higher. This might in turn prevent financial innovations since the hurdle to become a (regulated) market player is quite high.

EBA did not provide a practical briefing for establishing consistent regulatory sandboxes in its Roadmap. It only announced that further analysis of already established sandboxes (as e.g. in the UK, in Singapore and in Australia) will be undertaken. EBA figures that by the end of 2018 best practice guidelines for regulatory sandboxes will be issued.

Until then the German regulator BaFin will impose the classical regulatory regime drafted for traditional players on the innovative developers of the financial markets, paired with a warning to consumers regarding the risk of buying virtual currency due to a lack of statutory consumer protection. So far BaFin published some generic guidance on its regulatory assessment of ICOs, but emphasised that a case-by-case evaluation will be inevitable. For other financial innovations such as for example crowd-funding platforms, it took more than two years until regulation on a national level complemented by BaFin’s administrative practice was established.

A comprehensive and harmonised regulatory framework which leaves room for innovation is essential for a growing and competitive Single Market. Hopefully, EBA’s planned FinTech Knowledge Hub, which will facilitate the exchange of information between regulators, innovators and technology providers, will add to this understanding. Up to now EBA did not provide concrete guidance for new market players. To be fair on the national regulators, without any leeway by the legislators there is not much room to ease the burden of the current regulation for new technologies through an administrative practice alone. Throughout 2018 at least, FinTechs will thrive in countries with a flexible regulatory approach that is backed by the relevant regulator.