Austrian Federal Economic Chamber, Division Bank and Insurance
Whilst we certainly agree that further investigation is warranted, the following findings of the survey already deserve to be highlighted:
• 53% of FinTech firms are not regulated under EU or national law;
• Considering the emphasis placed by the legislator and regulator on the need for consumer protection, the presence of so many unregulated players would suggest either a failure in monitoring, (and/)or a policy decision to privilege “innovation” experiments potentially at the expense of consumer security, (and/)or a lack of transposition of the otherwise often boasted level playing field principle.
• Should none of the above assumptions hold, then the only possible conclusion to the survey findings would be that incumbent providers of financial services are over-regulated, an onerous framework that should urgently be repelled.
In that sense, the issues identified by the EBA in section 4.1 are relevant and complete. The remark however that “there may be reasons that justify differences in treatment” can only be accepted against the background of a call for further investigation of the FinTech landscape. Otherwise, the working assumption should remain that the same regulatory and supervisory obligations apply to the provision of same services, across the single market.
With respect to the policy approach to FinTech under national regimes, it would be very useful to see a mapping of national sandboxing regimes, innovation hubs or similar regimes with the regulatory and supervisory requirements applied by Member States: it would be difficult to understand that Member States with lax or inexistent requirements deploy an ambitious approach to sandboxing, innovation hubs or other regimes.
The issues identified are comprehensive, especially the alignment of the national sandboxing regimes and their scope.
Consistency in the authorisation of credit and payment institutions should be the aim across the national legislations in the EU member states in alignment with recent drafts on RTS, ITS and Guidelines.
Sandboxing regimes allow “safe play” in regulatory frameworks for EU regulation and thus should be subsequently made use of.
The proposed way forward of the EBA – activities to be implemented in 2017/2018 - is supported.
Many FinTechs provide bits and pieces of the banking value chain, i.e. pick out certain areas only and otherwise rely on interfaces with the existing landscape of financial institutions. Some outrightly provide services that fall under current legislation for credit institutions, others not. In essence, these are shadow banks of a partly new type. For the shadow banking sector, a variety of institutions tries to improve supervision and regulation to re-introduce a “level playing field” vis-à-vis regulated credit institutions and ensure financial stability: BIS, FSB (Financial Stability Report), ECB, and others. FinTechs should be handled in this framework, particularly because they are prone to pick the profitable pieces out of the value chain while leaving others to conventional financial institutions.
Especially new regulatory requirements (as for example PSD2) can lead to effects, not transparent for customers, which need to be corrected later on.
Nevertheless we mainly see Fintechs as complementary product providers and expect close co-operation in future (partially already present). We therefore highly welcome EBAs and BCBs identified areas for further analysis in 2017/2018.
In sub-section 4.2.1 it would appear that the EBA refers to both innovative services and new market entrants when using the term “FinTech”. A clear distinction is required:
• Innovative services (based on new technology) are not only (by far) provided by new market entrants.
• Innovative services do entail ICT risks. But incumbents who have in place tested processes and procedures for the introduction of new technology and products, and are subject to stringent business continuity and resilience obligations, should be better armed than new market entrants to mitigate such risks.
• In certain fields new technology may indeed facilitate lower regulatory compliance costs. This however provides little solace to incumbent credit institutions when they have to compete with non-regulated, non-supervised market entrants.
• Generally, the experience of the past 5 years cannot but lead to challenge the assertion that FinTech (meaning: new technology) “preserv[es] fair competition”. The EBA survey certainly does not paint either any “fair” competition landscape.
• A growing participation of new market entrants in the provision of financial services (and in the market infrastructures supporting these) inevitably leads to an increase in operational risk and hence capital requirements for incumbent credit institutions, thus increasing their cost base.
• The much vaunted sharing of data provides for a good illustration to that point. The General Data Protection Regulation places data controllers under stringent obligations (and sanctions in case of non-compliance). New market entrants may struggle with the implementation of this Regulation, and may not be equipped to meet the responsibility and liability requirements that an effective sharing of data demands.
• The relevant financial service type cluster as outlined by the EBA should be further evolved with examples to guide FIs – monitoring new developments is crucial to also cover businesses that not qualify as FI in this context, but still would qualify as FinTech.
• The broad range of FinTech´s clients from consumers to FIs makes it a challenge to align existing regulations in this new setting. Especially, if involvement with FinTechs changes the regulatory status of FIs (CRR, CRD, BRRD) and their operational risk profile.
Provided these remarks are taken into consideration, the proposed way forward can be supported.
Threats: no application of the “same business – same rules”-principle to ensure a level playing field, possible decrease in revenues in payment and settlement, issues in terms of cybersecurity. However, in general, we would like to highlight that is the overall competitive landscape based on GDPR and PSD2 per se which can be regarded as threatful.
Opportunities: chance of shift from product based focus to customer based focus as well as increase revenues in retail banking, commercial banking and corporate finance. Also a decrease in cost in trading and sales, asset management and retail brokerage seems likely. The customer base could experience a growth by new multiple channels in conjunction with new cross-sectoral opportunities.
The opportunities presented for incumbent credit institutions by the deployment of FinTech are generally well presented in sub-section 4.2.1 (under consideration of the remarks immediately above). Financial institutions invest in creating a fruitful partnership with reliable FinTechs in order to benefit from comparative advantages and, consequently, be able to individualise the services delivered to customers. As financial institutions have a strong focus on customer centricity and the creation of added values for customers, open banking, for instance, would provide the opportunity to combine in-house date with data which is accessible from other sources.
Information and Communication (ICT) risks are one of the main worries as such, so a frequently updated heat map (or radar) on arising risks, threats and opportunities provided by the EBA would be a beneficial added value.
Pace is key: Quick guidance is essential, because banks already now have contact with FinTechs via accelerator programs etc.
We would not read paragraph 87 as representing accurately the Commission’s motives in revising the PSD. As evidenced by the protracted debate over the finalization of the Regulatory Technical Standards on Strong Customer Authentication, the Commission’s ambition to appear innovative may at times relegate concerns about consumer protection to secondary ranks.
This being said, we approve the way forward proposed in sub-section 4.2.2, and are looking forward to continued dialogue, including public consultations, with the EBA on the different steps planned in the way forward.
Whilst we can generally agree with the description provided under sub-section 4.3.1, it should nevertheless like to stress that the focus should not solely be on the impact of FinTech. Indeed there are 4 types of innovations currently impacting notably incumbent credit institutions: certainly technological innovation, but also behavioral innovation (in the expectations and requirements of their customers, often induced by experiences from outside the financial sector), legislative innovation (although generally not in synch with either technological or behavioral innovations), and business model innovation (of new market entrants, but primarily of large technology companies, such as the platform players referred to earlier in this response – see Question 3). These 4 innovation streams have to be taken into consideration to paint a comprehensive picture of the market landscape for notably incumbent credit institutions.
Furthermore, the relationships between technological innovation and regulatory and supervisory obligations deserve further analysis. Indeed, because of compliance with such obligations, incumbent credit institutions tend to introduce technological innovation in an “incremental” mode, where essentially new technology is applied to enhance the convenience or the efficiency of existing products and services without however changing neither (most of) the value chain nor the business model (at least in the short term), whereas less constrained new market entrants can often afford to apply a “transformational” mode, where the application of new technology radically changes how a product or service is defined, produced and/or distributed. One (amongst many) example can be found in the challenge faced by credit institutions seeking to adopt cloud services (in particular in a cross border environment, even within the EU) whilst meeting existing supervisory requirements.
Guidance on business model analysis is necessary along the distribution chains, especially for smaller institutions that have fewer resources to build up their own competence base.
This being said, we approve the way forward proposed in sub-section 4.3.1, and are looking forward to continued dialogue, including interviews and public consultations, with the EBA on the different steps planned in the way forward.
Against a general background of customer behavioral, technology and regulatory change, incumbent credit institutions are focused on finding the best solutions, including the best partners, to solving challenges and implementing these solutions as quickly and safely as possible. Thus, incumbent credit institutions generally both buy technology and build solutions, and partner with FinTech firms.
Regulators hold a key responsibility in enabling this process. On one side, as highlighted earlier in this response, regulation and supervision must enable incumbent credit institutions to deploy new technology-based products and services without any undue encumbrance, on the other side FinTech firms should be subject to the same obligations than credit institutions in this respect, in order to establish a safe foundation for partnerships, and ultimately to ensure a level playing field. Especially against the background that technology is lowering the barriers of entry to the market increasing the number of start-ups, although only a few will pass their first year.
It is also useful to remind that it is credit institutions who provide liquidity and asset safe harbour for FinTech firms.
P2P lending might bring a new twist in classic lending operations which incumbent FIs could utilise with existing customer base and IT infrastructure. This is however a more prominent case for consumer/retail credit or SME clients – the influence on e.g. project finance and other corporate lending services must be evaluated.
The proposed way of interviews and thematic reports reflects a sound approach.
Assuming that FinTechs also will significantly influence the market share of payment and electronic money institutions, steps towards understanding threats and opportunities seem legitimate. The share of payment solutions among FinTechs is also the largest which underlines this argument.
Considering that consumer protection has been at the forefront of legislators’ justification for introducing many dispositions over the past 10 years in the field of retail banking, and that these have significantly increased the cost of providing such services, it is essential that consumers obtain full transparency and clarity about their rights and limitations thereto when transacting with providers notably in the digital world.
Indeed, the fragmentation and recomposition of the provision of services induced by digitization creates challenges for consumers, notably with respect to service and product liability and redress. In the financial area, such challenges are compounded by the imperative of assessing the creditworthiness and sustainability of the provider, which often hinges on the precise role that this provider is playing in a given product or service value chain.
Generally, as highlighted earlier in this response, the complexification of the financial services value chain as well as the multiplication of partnerships call for taking another look at existing dispositions on product and service liability. The identified FinTech field of innovative use of consumer data will possible raise skepticism among more traditional consumers and authorities. Transparency is key for consumers, consequently banks need guidance on how to determine and communicate the authorisation status and thus the resulting consequences for the consumer.
Under these considerations, the way forward proposed in sub-section 4.4.1 is supported, and we look forward to continued dialogue, including interviews and public consultations, with the EBA on the different steps planned.
The issues expressed under sub-section 4.4.2 actually tie directly into the previous sub-section. It is obvious that borders tend to fade in the provision of digital services, so that all consumer issues highlighted immediately above are only compounded.
This is why not only at least equivalent yet ideally same regulation should be extended to non-regulated FinTech firms, but also such regulation should from the onset be conceived with the single market in mind, and not limited to “cross border” transactions. Harmonization of consumer protection law in member states should be a priority to enable cross-border provision of innovative services. The catchphrase: “remote consumer relationships”.
Hence the importance of the Single Market and the EU efforts on the Digital Single Market, avoiding FinTechs from “cherry picking” the legislation with most favorable regulatory regimes.
On the other hand, banks that already have a broad international network could benefit from existing synergies in cross-border business models.
Under these considerations, the way forward proposed in sub-section 4.4.2 is supported, and we look forward to continued dialogue, including interviews and public consultations, with the EBA on the different steps planned.
Contact with FinTech brought to light various topics that might affect cross-border obstacles, e.g. PSD2 requires a strong customer authentication to avoid misuse or fraud in form of passporting as published in the RTS.
Notably throughout the Commission’s Digital Single Market initiative we have been persistent in stressing the utter requirement for harmonized legislation applied throughout the EU, certainly for all matters pertaining to and affected by digitization.
All competent authorities should be brought to a table to discuss the issues (concerted effort of EBA, ESMA and EIOPA).
“FinTech” radar for banks of EU member states to be able to contain knowledge and to be informed about current banking/FinTech products and services.
If multiple firms provide a service (i.e. in automated financial advice: consumer data collection, KYC, Robo-advice, etc…), clarity must be provided to the end customer to which they can file complaints.
The issues identified by the EBA under sub-section 4.4.3 are consistent with the concerns and issues raised earlier in this response. The proposed way forward is supported.
The issues identified by the EBA under sub-section 4.4.4 are consistent with the concerns and issues raised earlier in this response. The proposed way forward is supported. A “package leaflet” (i.e. “key information document” with terms and conditions) as in the EIOPA form of the IPID (Insurance Product Information Document) could solve the problem of disclosure to consumers and could be part of a disclaimer, that e.g. has to be accepted before installing a FinTech app or before involving in online services.
Although we fully support the Austrian banking secrecy law, in some areas (e.g. data aggregation and analysis), it might act as an obstacle to fully take advantage of the digital potential. Consequently, some specific exemptions to it might be worthwhile to think about.
In Austria there is no separate FinTech regime in place as of now. However, strict banking licence issues can be a matter of hindrance for FinTechs (FMA – Austrian Financial Market Authority).
Regulations/laws (non EU) listed by the FMA in connection with FinTechs:
- Austrian Payment Service Act (Zahlungsdienstgesetz)
- Austrian E-Money Law (E-Geld Gesetz 2010) Austrian Banking Act (Bankwesengesetz)
- Austrian Capital Market Law (Kapitalmarktgesetz)
- Austrian Securities Supervision Act (Wertpapieraufsichtsgesetz)
- Austrian Alternative Investment Funds Manager Law (Alternative Investmentfonds Manager Gesetz)
- Austrian Alternative Financing Law (Alternativfinanzierungsgesetz)
As stated correctly in the EU the financial literacy is low and also varies among different legislations, also due to different age distributions, mobile affinity, non-personal services averse, risk awareness etc.
Whilst enhancing financial literacy is a general concept that can certainly be supported, notably against the background of an increasingly digital world the key recommendation would be to design legislation that is “fool-proof” by default (e.g. unfortunately neither the PSD2 nor the General Data Protection Regulation provide for a positive example in this respect). This should be achieved notably by legislators avoiding to unnecessarily fragment and complexify the provider landscape, and ensuring that harmonized conditions apply across the single market (which would also overcome the issue of language barriers) – these issues have already been raised earlier in this response.
Taking into consideration the remark made immediately above, we do not believe in the merit of specific, digital-focused financial literacy programmes. Financial literacy should be promoted from a channel and technology-neutral angle, whilst digital literacy (with a particular emphasis on cybersecurity aspects) is a field of its own and should be promoted by a number of stakeholders in society, including governments. The described kind of programs when promoted effectively could definitely reflect in an increase in penetration rates. First point of contact for most traditional consumers will still be the incumbent bank over FinTechs.
The remarks made in the response immediately above, with respect to the necessity for “fool-proof” legislation to the furthest extent possible, remain fully relevant as the key way to ease understanding by consumers and prevent complaints and claims.
Beyond financial literacy special EU efforts shall be dedicated towards increasing digital literacy. Some banks already provide digital literacy programmes but the engagement of more stakeholders shall be promoted.
Investments in robo-advisors have been increasing strongly since 2014, and by 2020 the market is expected to grow by 200%. Therefore, automated financial advice is expected to ultimately lead to a growth in the number of customers reached by banks via digital tools. The objective of robo-advisors is to both reduce costs and reach new customer segments that prefer to interact through digital channels.
There are two main types of algorithms behind the notion of “robo-advisers”:
a. “Profiling algorithms”, which are used to obtain a particular profile from the client through the information obtained from knowledge and experience, investment objectives, investment horizon, etc. This process sometimes includes the suitability tests that MiFID regulates, in order to obtain adequate information and profile clients appropriately.
b. “Quantitative management algorithms”, which are used to take decisions regarding investment in a certain type of asset or portfolio management. These algorithms take into consideration quantitative data which determines the quality of the investment made and will ultimately lead to profit differentials.
In order to enhance consumer protection (and to provide a minimum set of standards to the robo-advice sector), some sort of supervision of “profiling algorithms” will be required. Currently, many robo-advisory solutions base their profiling decisions on a very limited set of variables, and no suitability tests are undertaken, whilst customers are not able to perceive which measures each robo-adviser takes. Therefore, in order to avoid that clients perceive the same level of risk and quality of advice by robo-advisers taking different consumer protection measures, it is proposed that “profiling algorithms” should be both supervised and rigorously compliant with MiFID II rules (for which supervision might also be needed).
Thus, the benefits that the mobilization of artificial intelligence by financial service providers will bring will not be constrained by adverse reactions of an uninformed public or over-zealous legislators. A range of actions from financial service providers could usually complement the approach described above and assuage such concerns upfront:
• When deploying artificial intelligence, financial service providers should ensure that both the systems and the ways in which they are used integrate the values for which they stand.
• Artificial intelligence should be deployed responsibly, notably ensuring that:
o Systems are tested sufficiently according to purpose-designed procedures in order for their output to be in line with each bank’s values;
o To meet expectations of fairness, the algorithms used remain interpretable, i.e. both banks’ staff and customers (on request) must be able to understand how systems deal with input and why a certain output is produced;
o Customer feedback is scrupulously taken into account, in particular in case of dissatisfaction, including by providing access to staff.
• Financial service providers should abide by their responsibility and liability policies and obligations to the same extent, whether artificial intelligence is, or not, involved in an outcome that causes responsibility and liability to be assigned and claimed.
• The security and integrity of customers should be assured through the artificial intelligence systems and processes deployed.
• A continued dialogue should be instigated between financial service providers and regulators and supervisors, for the former to contribute their ever growing experience with technology, ethical management, and legal implications and potential requirements not only to sectoral but also to public debate and further research. In all instances regulation should remain technology-neutral.
• Unethic algorithms
• Artificial intelligence will more likely be part of the mid-office and back-office, while chat-bots (non-machine learning) take over front-office tasks.
With these remarks the way forward proposed by the EBA is supported.
The issues identified by the EBA would call for the following comments:
• FIs are generally already familiar with resolution and recovery plans (in terms of BRRD) and thus could in partnerships with FinTechs support with competence.
• The impact that cooperations with FinTechs on the resolution and recovery plans of FIs needs to be analysed properly by each institute individually.
• Increasing speed in transactions by means of FinTech innovations also needs to be considered.
• Indeed a generalisation of instant payments would require an amendment to current resolution procedures, in particular where a week-end is involved. At the same time, instant payment systems come with all the required audit trails which allow to ascertain without ambiguity when an instruction has been accepted and when it was, or should have been executed, thus easing the sequencing required in a resolution process. However, a large adoption of instant payments should lead to revisiting the “zero hour rule” and adjusting it to the new environment.
• Indeed digitization may speed up the movement at deposits in a time of crisis. We would however submit that as per PSD2 Art. 83, payer’s payment service provider are required to ensure that after the time of receipt, the amount of the payment transaction will be credited to the payee’s payment service provider’s account by the end of the following business day. Whilst not insignificant in times of crisis, this possible one-day difference with an instant payment scenario does not create a wholly new environment.
• Should there be a large adoption of technologies that remove intermediaries, then indeed authorities’ resolution powers should be adjusted to this new environment, and theoretically extended to the relevant distributed parties in a given value chain. However, the question whether such parties should not come under the purview of regulators and supervisors well before any resolution process should be contemplated – please see earlier remarks to that effect in this response.
With these considerations, the proposed way forward is supported.
We agree that the lack of distinction between FinTechs and non FinTechs in the AMLD and its predecessors caused a wide range of approaches on this topic in the EU. The missing harmonization in combination with cross border movement of services over the internet is raising questions that need to be answered on EU level. We agree that this situation has made it more difficult to employ innovative and/or FinTech solutions to fulfill their AML /CDD obligations.
There should be a clear definition on the categorization of “obliged entities” under AMLD, to make the coverage of FinTechs transparent – hence avoiding the possibility of loopholes for fraudulent vehicles.
The question epitomizes a number of the issues highlighted earlier in this response. A few principles – often quoted by policy makers and legislators, yet quite imperfectly transposed until now – should be reaffirmed:
• Technological innovation is not being deployed in a vacuum, but in a space (the single market) defined by other policy objectives too, notably market integration, consumer protection, and fair competition.
• In particular in a digital environment, where borders get blurred, differences between Member States are counter-productive (leading notably to consumer confusion and provider arbitraging).
• Equally, differences in the constraints applicable to different categories of providers are counterproductive, for the same reasons, i.e. consumer confusion and provider arbitrage.
• These issues get compounded in the field of AML/CFT, as it is clear that the future will see many interactions and partnerships between incumbent credit institutions and FinTech firms.
FinTech firms must thus be subject to the same obligations as incumbent credit institutions where they provide or support the same services as the latter. This is all the more indispensable as there is a need for more industry collaboration on analytics to identify and report suspicious transactions for AML/CTF and sanctions compliance and for an improvement in pattern recognition across institutions.
With these considerations, the proposed way forward is supported.
It is obvious that both new technology and FinTech firms act as an appealing beehive for fraudsters and terrorists, in particular in activities such as crowdfunding, marketplace lending, virtual currencies, and prepaid cards. This is due mostly to the lax regulatory and supervisory environment of these activities applicable to new market entrants, combined with the possibility in some activities to maintaining a certain level of anonymity.
The most critical money laundering and terrorist financing risks concerning FinTechs arise from alternative payment services, trading, virtual currencies and other payment instruments, crowdfunding and crowdinvesting. The source of funds is a basic element of the Know-Your-Customer-Principle and thereof one of the most crucial parts of daily AML work. If the risk based approach and national the KYC-regulations does not apply to FinTechs the consequence would be competitive disadvantage for obliged entities and a setback of money laundering regulation in general. Even fighting money laundering and terrorist financing would be aggravated if the banking industry standards for continuous monitoring of the customer and his transactions, built over years would be lowered or simply not applied to FinTech firms.
Systems in the DLT field that feature the promise of total anonymity might also attract money laundering activities.
Recent cases of identity theft and phishing are also a matter of concerns for FIs that worry to lose the trust of their customers once a security-breach surfaced.
P2P transactions require some kind of monitoring when there is the risk of bypassing regulation and oversight.
FinTechs are also blocked by innovative approaches (e.g. Artificial Intelligence/Machine Learning methods to improve AML Monitoring, etc.), which are unknown to the regulator and therefore not accepted. Therefore, enhancing know-how and regulatory guidelines for innovative approaches in the RegTech area is recommended.
The 3rd Money Laundering Directive was transposed in Austria in 2007 in the Austrian Ministry of Finance by amendments to the Austrian Banking Act (BWG), Stock Exchange Act (BörseG), Insurance Supervision Act (VAG) and Securities Supervision Act (WAG).
The Austrian regulator FMA published a lot of information like what defines a FinTech, what is the role of FMA concerning them is, what regulations to what area of FinTechs services apply. The current approach towards FinTech is to use existing regulations and apply them wherever possible, for example, the national implementation of the Payment Service Directive for FinTech payment services. Most of the regulations applied like the e-commerce regulation from 2010 are outdated and hardly match the fast changing and challenging FinTech environment.
The Austrian regulator’s approach towards using FinTech solutions in the customer due diligence process and transaction monitoring process of obliged entities is an adverse one.
When it comes to KYC-packages from the customer the obligated entities are required in Austria to obtain at least copies of companies’ register extracts and even those are insufficient for certain countries, where certain formalities like notarization and apostille must be attached. FinTech firms providing such services mostly sell a tool having an interface/link to a wide range of companies’ registers. Since official extracts must be bought separately they mostly are not part of the service. Thus, the data shown in the tool is official data, but cannot be used as part of the customer due diligence process because an official extract is not available. Another obstacle arises from the strict timeliness of provided documents. Services providers like SWIFT KYC Registry require their members to update their KYC-packages only once a year. Based on a Supreme Court ruling the timeliness of such documents is ending after six weeks, which very much limits practicability of such KYC platforms.
So far there is no clear commitment of the regulator to which extent the use of FinTech services and technologies for the CDD and AML monitoring processes is accepted by the regulator. This is a main obstacle for obliged entities in their aim to continuously improve their AML processes and systems by using FinTech services such as KYC provider, tuning of IT systems and use of robotics/automatization.