Items a) and b) are conclusively derivedAnschlußfragen from the survey. In particular, these items should provide transparency concerning the various national approaches pursued by the EBA. Even though existing differences in regulation may potentially lead to regulatory arbitrage, we believe that national particularities in developments should be preserved in order to leverage experience gained with decentralised, heterogeneous approaches. Innovation cannot be predicted. We believe that a 'best of breed' approach is the best way of dealing with this – including in regulation. Hence, tried-and-tested decentralised dezentralenapproaches should be extended to other member states, following a defined trial/testing period, thus excluding regulatory arbitrage. Temporary scope for decentralised rules should be provided by a uniform European framework.
• EBA should provide a precise definition of what it considers a 'sandbox' to be. We do not see 'sandboxes' as a form of regulatory relief, but as an option for approaching the highly-regulated financial markets. We see sandboxes and hubs as synonyms – they may be helpful for Fintechs and banks in order to understand regulatory requirements; in turn they may help regulators to understand Fintechs' requirements. The German Banking Industry Committee welcomes the introduction of this support tool. However, sandboxes or hubs must safeguard investor protection from the very first euro invested, regardless of the regulatory regime a firm is subject to. Applying existing requirements to new entrants – irrespective of business model, type of entity, or type of license – should ensure that the risks of a new entrant’s business activities are fully addressed and monitored. The idea of 'same service, same rules' should be applied to secure consistent standards and fair competition. We would welcome regulators being available as a single point of contact for a sandbox or hub, across all areas of activity and fields of law (banking supervision, data protection, consumer protection, …).
• New FinTech solutions will increasingly include cross-industry aspects, which means that services and products from the financial (and other) industries will be increasingly interlinked (such as in the Internet of Things). This needs to be considered when evaluating sandbox approaches, regulatory treatment, etc. EU law should be the leading legal framework for FinTechs, to make sure there is a consistent legal framework as a prerequisite for a strong EU FinTech ecosystem.
• Regulators should foster greater participation in sandboxes/hubs, and participation should be independent of an institution’s size (i.e. whether it is a start-up or an incumbent bank). This will foster collaboration between the different participants, and will lead to further innovation. In addition, such close relationships with the supervisors/regulators will improve their exchange with companies, and will benefit the training of staff.
Generally, we support the assessment of potential regulatory gaps through regulatory initiatives. The core principles for regulating FinTechs should be (i) technological neutrality; (ii) proportionality; and (iii) market integrity – with priority on the latter .
As regards proportionality, any regulation or regulatory initiatives (such as sandboxing) should keep in mind the need for proper risk management, customer and data protection, as well as standards governing cyber-security and AML/CFT.
From our perspective, items b) and c) have not – or not sufficiently – been substantiated to date; other reasons need to be provided to justify the expenditure involved. Technical standards should always be derived from business practice. It should be possible to adjust and further develop such standards without delay, which is why we see EBA's role as a coordinator rather than a provider of definitions.
We believe the analysis to be correct. We support a proper review of the risks and the existing risk management systems, to be elaborated together with the regulatory treatment of any adoption requirements. Best practices should be applied. The application of consistent standards to any entity providing financial services, as noted in our response to Q1, will help maintain the high standards observed by banks to date.
Looking at the approach going forward, it is worth noting that BaFin has already done the work in Germany, through its BA-IT requirements. European harmonisation should resort to this regime.
Every innovation is associated with risk that needs to be managed in order to reap the benefits. At present, developing FinTech technology is indispensable – also for traditional banks – in order to meet customer needs, and also to position the sector vis-à-vis the BigTechs (Google, Amazon, etc. as well as Alibaba et al).
Given the banking sector's vital importance for the economy as a whole, special care must be exercised. Yet on the other hand, the potential for massive fundamental change must not be impeded to an extent that other economic centres might be faster in performing the technological leap forward – in which case Europe would have difficulty catching up in a globally networked economy.
We see a problem in the fact that, outside their particular remit, banking supervisors have been asking regulatory questions only to a very limited extent. This applies to data protection in particular: we are concerned about the use of data by some BigTechs which are not fully and strictly regulated concerning data protection, such as banks.
Change is predominantly driven by customer demand. We see the following specific opportunities and threats:
1. Cooperate with FinTechs to combine banking knowledge with FinTechs' innovative power and speed, to offer innovative customer-centric products and services.
2. New opportunities to reach customers through switching services and comparison platforms. Furthermore, through this increasing transparency, customers are becoming more active in looking for the most suitable solutions. They are willing to try out new things.
3. Building a common Cloud Ecosystem for customers and banks.
4. Reduction of (transaction) costs
5. Increase transaction speed (instant transactions) – which, however, can also evolve into a threat for the system, as described in Q20.
6. Global reach
7. Enhanced transparency
8. Improved customer experience
1. A lack of regulatory direction is the biggest threat, since FinTechs and BigTechs are able to use customer data differently from banks – this creates an uneven playing field, which is a disadvantageous position that imposes enormous restrictions upon banks. Multiple FinTechs with niche offerings will cooperate via an open API banking approach and may thereby provide superior services to customers. At the same time, thanks to partly lower regulatory standards, they may no longer need to cooperate with traditional credit providers.
2. Banks may end up merely hosting customer details, providing just e-identities.
4. Investments in the basic infrastructure must continue to pay off for banks.
Some competitors have built their business models on the fact that providers within the value creation chain offer services used by downstream players, without the possibility of pricing such services. This severely restricts incentives for modernising basic infrastructure. One example for such a scenario is the most recently amended Payment Services Directive (PSD 2), pursuant to which account data required to initiate a transaction, or to provide services, must be provided to third parties.
5. Monopolisation (winner takes all)
7. Development costs
We kindly request EBA to give this issue top priority. As a first step, we suggest thoroughly analysing the existing DLT applications, such as BitCoin and Etherium, with an emphasis on their conformity with PSD 2 and the principles of orderly bookkeeping. Another focal point of the analysis should be systemic risks in connection with real-time transactions (see also question 20).
To a certain extent, the infrastructure character of the DLT seems to be confused with the applications based on the infrastructure (such as billing, money transfers, transactions, registers, etc.). EBA should clearly distinguish between the infrastructure and the applications. The same applies to the difference between Virtual and Digital Currencies. ICOs (Initial Coin Offerings) – although not payments, they are interlinked with any VC discussion.
Generally, demand from banks' clients for 'alternative currencies' is growing. A clear and exhaustive regulatory assessment is necessary to give financial institutions certainty as to how to proceed with this topic. At the same time, crypto-currencies should be considered as a potential threat to payment service providers and banks in general. It would be desirable to obtain statements from the EBA as to which supervisory functions regulators believe can be replaced by technology, and what requirements public DLT must fulfil (e.g. with regard to evidence for IT security, protection of identities, prevention of fraud or money laundering) in order to facilitate payments without involvement of a regulated intermediary. We invite regulators to collaborate with the industry in establishing standards.
Specific aspects concerning payments:
• It is important for regulators to carefully consider the balance between encouraging innovation in the payments space and the impact to the risk profile of incumbent banks.
• Specifically, the liability provisions established under Article 73 of PSD2 regarding the process for refunding clients due to unauthorised payments initiated through a TPP are a case in point. This requires a bank to refund the affected client immediately, irrespective of whether the TPP is at fault. The bank may then pursue obtaining a refund from the TPP – unless the TPP can prove it was not at fault.
• Essentially, this means that banks assume the risk stemming from a TPP’s actions and performance upfront. While TPP liability is usually covered by insurance, such cover may potentially be insufficient, or may involve a drawn-out claims process.
• This results in banks having to unfairly cater to such risks: indeed, a bank may potentially decide to allocate capital and assume the role of an insurance company.
• We do not support this approach and risk imbalance, and believe claims should be settled directly by insurance companies if a FinTech TPP does not have sufficient funds.
• Alternatively, TPP firms should ensure they allocate their own capital – in lieu of insurance cover – to address potential risks from their business activities.
• This is particularly important for larger clients, such as corporate clients, who execute frequent and sizeable transactions.
• As stated in our response to Q1, the application of consistent standards to all market participants – including TPPs – will help mitigate the risks of activities performed by TPPs.
We believe the biggest risks are unregulated and unsafe products, which are used directly by end-customers attracted by their modern appearance. However, end-customers are unaware of the existing security breaches. This includes, for instance, BitCoin et al, but also portfolios used as a replacement for overnight funds with no clear hedging mechanism in place, offered by German private limited companies. If the authorities do not provide fair market conditions for all market participants, far-reaching questions arise regarding the economic order going forward.
The biggest advantages are efficiency gains, the elimination of intermediate steps and physical deposits made using purely digital products.
Please also refer to our detailed comments on Q3.
Such a detailed investigation appears to be sensible. However, we believe the scope of the investigation should be somewhat extended – old IT is less of a problem compared to old customer behaviour (which is usually reflected in old IT). Against the background of cultural change, the support of customers with non-digital behaviour is getting more and more expensive for established players, while they simultaneously have to develop digital infrastructure (for instance, the handling of paper-based money transfers is getting more and more expensive, whilst customers are becoming simultaneously more price-sensitive).
The assessment of technological innovation must go beyond the treatment of identified emerging technologies in isolation. The reliance of projects on a combination of different technologies will become more important in the near future, and should be stressed as well. The combination of different technologies (e.g. Blockchain/DLT plus artificial intelligence plus Big Data) will lead to real innovation in the future. Especially DLT is a technology with enormous potential to reduce costs (less manual handling, less reconciliation needs, etc.) and reveal new revenue pools (e.g. through cross-industry IoT applications). Both will benefit clients (lower prices, enhanced convenience, etc.) as well as financial institutions.
We are particularly interested to learn more about the effects that customer-centric product development has on the distribution of existing products.
As we have touched upon in our response to question 6, competition on the German banking market is nothing new. The challenge with FinTech lies in the cultural change brought about digitalisation and the use of new technologies by customers. FinTechs are cherry picking to address customers over cheap distribution channels with affordable (and standardised as well as fully automated) products, while established players provide customer care for their existing customers with “old behaviour” using traditional means of communication, including individual products/services. However, most customers are unaware of the costs associated with such a service level. This is an extension of the market penetration of direct banks, covering mail, fax, internet and apps. Business models are increasingly called into question, particularly in view of the speed of change. This is challenging for all established market players.
The rise of technological possibilities and the increasing number of FinTechs require credit institutions to adapt their business model in several ways:
• To cope with the speed of new innovations, the mindset within the company must change – more collaboration will be necessary. Co-creation with universities, developers from other industries and FinTechs, together with the ability to share knowledge and critically discuss new ideas will be crucial to retaining market presence.
• Also, the increasing speed of innovation requires credit institutions to change the way their organisation works, and to adopt a more flexible organisational structure. Incumbent financial institutions will have to improve their technological capabilities. They will need to invest in know-how and skills in the field of data management, Big Data, customer interface design, etc. Furthermore, this requires employees to start to think differently, adapt a hands-on attitude, become flexible and innovative.
• On the other hand, the client-centric approach provides major benefits: the increasing application of software development principles (such as agile development) to developing banking products also helps accelerate product development.
Payment as a special market is subject to its own set of regulations, and to digitalisation in a particular way. In this respect, a separate investigation makes sense – again, the scope of investigation should be extended, given that global players, such as Alphabet, Facebook or Amazon, play a crucial role besides fintech companies. The global players have the means to analyse big data and offer payment structures (and other banking services). Therefore, the fundamental decline of supervisory authorities regarding combined banking and data protection supervision should be reconsidered. From our perspective, supervision should include product-related aspects, and should not be based exclusively on fields of law, to better reflect market developments.
Fintechs such as Ripple or Apple Pay (to name only one example for the interbank and end-customer markets, respectively) have disruptive potential and may trigger considerable change to the traditional banking landscape. Paypal has inflicted considerable change already, while the market is watching BitCoin and Ethereum very closely. In order to enforce the requirements of consumer protection, EBA should continue to consistently apply the “same risk, same rules, same regulation” principle.
Please also refer to our response to question 7.
Further investigation into the topic of consumer protection seems highly advisable. A consistent and robust regulatory framework for all participants providing banking products and services will support a stable financial services environment.
In that case, the EBA should attach particular importance to international offers not regulated by the EBA. The EBA should ensure that European providers are not obstructed by excessive regulation, and that insufficiently regulated offers by foreign providers in the European market are either prohibited or properly regulated. The harmonisation of regulatory regimes within Europe needs to be taken into account in this respect.
To meet the demands of banks and customers in the digital age, full digitalisation and simplification of onboarding procedures at EU level should be facilitated. Due to KYC/AML requirements, financial services offerings require a prior identification of the customer. This is costly and time-consuming, since digital solutions are not available in practice. In this regard, we support the European Commission's objective to facilitate cross-border use of electronic identification and know-your-customer portability. We are however sceptical that the eIDAS framework will be able to provide an appropriate solution for the private sector, at least over the medium term. Instead, we advocate a more open and market-driven regime with regard to the underlying technology. A conceivable approach could be – for instance – a regime whereby banks can rely on past identifications provided by other banks. With such an approach, customers would only go through an identification procedure once – at their own bank (as 'trusted party'); other banks or third-party service providers then should be allowed to identify their customers by using the trusted party’s data. A legal basis would have to be provided for this process; liability issues regarding a proliferation of errors are especially crucial.
As laid out in our answer to question 1, the partial heterogeneity in regulatory frameworks in the Member States should be used to roll out effective innovations such as hubs/sandboxes all over Europe following a brief trial period. This would facilitate competitiveness in an international environment, and prevent regulatory arbitrage within Europe.
It is a good idea to provide complaints handling procedures for customers. Due to language barriers and the connectivity with existing systems, such procedures should be established first and foremost on a national basis. We agree with the analysis of any regulatory gaps in this field, and support the clarification of any misleading standards. It seems appropriate to link these national systems supranationally at the EBA to ensure that that complaints regarding cross-national or supranational providers can be forwarded. It also seems appropriate to expand the option to make complaints to include unregulated providers; this might yield a different assessment of the need to regulate these providers.
Regulatory requirements that pose an obstacle to digitalisation should also be taken into consideration. In particular, signature procedures could be simplified (so-called server signatures, to which access is granted via a mobile TAN, have shown that a mobile TAN is sufficient).
Disclosure requirements seem to be overly regulated in Germany – best implementation practices would be helpful (videos instead of texts, definition of what a durable medium is, duty to keep client documents with the provider).
New two-way communication channels to assess client understanding, and imposing a time lag before a transaction can be executed to allow the consumer to digest the information provided, seem to be user-unfriendly. The way usually taken in reality to deal with restrictions of that kind seems counterproductive (the most common lie on the internet “yes, I’ve read the terms and conditions” would then probably be rephrased to read “yes, I have read the terms and conditions in the past and do not need reading time now”)
A catalogue of best practices, to be updated continuously, would be helpful. We would like to add that we welcome the EBA’s focus on securing a European level playing field by avoiding overregulation in individual countries.
It is not one single regulation that is extremely obstructive, but rather the sum of regulations that hinder traditional banks in their digitalisation process. This is due to the fact that currently much of the resources, such as IT capacity, have to be used to cope with regulatory demands. Additionally, there is a tendency for Germany to add further restrictions to EU regulations when transposing them into local law ('gold plating'). There should be efforts to avoid adding more regulations.
Especially KYC documentation is hindering banks in their digitalisation, although FinTechs have already provided solutions. We welcome the fact that the EBA is advocating a European level playing field, designed to facilitate the equal and parallel development of business models across all countries.
Please also refer to our response to question 15.
We support any analysis that provides further transparency on products which make it easier for clients to choose the products that best fit their needs. Furthermore, we support programmes to enhance financial literacy. However, we believe the EBA is not the right institution for this purpose – cf. Question 18.
Yes, but not if run by the EBA itself, because we see the EBA's task in ensuring that states place greater importance on financial literacy being taught in schools, and on promoting financial literacy in general public life. An awareness of how the economy works is essential to a basic understanding of our economic and social environment, and is thus an integral part of general education. It is also an important part of preparing for adult life in general and working life in particular. So economics education needs to begin at an early age, and hold a firm place in the school curriculum. Only by acquiring a sound basic understanding in economic and financial matters when they are young can people build on this knowledge later in life and become responsible consumers. This helps strengthen personal responsibility.
This applies especially to the topics mentioned in 120 a. regarding EU legislation requirements that may restrict digitalisation. But also more generally, consumer financial literacy will definitely be of value as European consumers' knowledge of, and trust in, digital services is comparably low (compared to the US or Japan). Spreading knowledge and establishing trust will help the EU to become more innovative, as services are more readily accepted by customers.
We encourage regulators to review technological developments and continuously assess to which extent current regulation still appears to be sufficient concerning financial market risks.
The rise in availability and speed of financial transactions may make the system more unstable. Procyclicality may increase; markets would become more nervous. In addition, the risk of abuse would rise - to an extent that is hard to predict. That is why we welcome the EBA’s intention of placing great importance on this matter and elaborating a consolidated quantitative picture with the indicators that need to be monitored. Provisioning at the level of each individual market participant does not do this justice, and other solutions on a systemic level – probably via the regulator itself – are required.
Currently, FinTech cooperations are generally part of vendor risk management processes and, thus, the respective banks are obliged to review respective impacts on their Living Will, and on recovery or resolution. Incumbent banks typically treat relationships with external FinTech firms as service provider/vendor relationships. As with any vendor relationship, the relevant recovery and resolution requirements are equally applied. Existing regulatory frameworks require banks to specifically review resolution risk related with any critical service that has been outsourced – whether or not to a FinTech – and will require contractually-required resolution rights in service agreements. Thus, the impact of FinTech firms on the resolution of incumbent banks is already taken into account, and forms part of a bank’s broader risk management processes.
To compliment this existing framework, we encourage the EBA to consider minimum business continuity and transition standards for FinTech firms. This will be especially important for FinTech firms which service a large portion of the industry.
We kindly ask the EBA to take both newer and older unregulated systems into account when dealing with money laundering at first instance (e.g. BitCoin, Hawala), as further optimisation only within the regulated systems does not seem to make sense otherwise (easy to elude).
The extended RBA of the Fourth EU AML Directive already includes an inherent risk, as different regimes for standards might be defined by banks etc. for the same customer. This provides criminals with a choice designed for customers – i.e. to decide which standard fits their criminal activities best. This risk is even higher if local legislation / supervision require different standards. And the risk will be further increased if similar services are offered by FinTechs which are not regulated to the same standard – or not even covered by any regulation and/or supervision that would ensure at least a minimum standard. Beyond FinTech solutions, evolving 'data alliance initiatives' by some banks should also be considered. The EBA should therefore require similar – if not identical – standards for the same services and/or customers.
According to the discussion paper, about 30% of FinTechs are currently still unregulated. This provides them with a considerable competitive advantage vis-à-vis banks and other regulated entities. Therefore, any indication of a level playing field in this market would be unfounded. The large degree of no regulation of the FinTech sector also affects the risk assessments of banks for clients from this sector. Additionally, unregulated FinTechs that offer innovative products in the area of payment services will increase the risk of money laundering and financing of terrorism, since they do not have to comply with disclosure requirements. This becomes especially relevant given that PSD 2 requires banks to open up access to payment accounts for payment services providers.
FinTechs usually do not enter into any direct/personal contact with customers; the relationship is usually based on electronic communications. Cyber-crime scenarios have shown a high risk for manipulation of such communications. These risks should be covered by corresponding prevention requirements.