Response to discussion on Approach on financial technology (Fintech)
Go back
In this regard, we support a principles based approach for regulating FinTech, along the lines of that proposed by the European Commission in its March 2017 publication ‘FinTech: A More Competitive and Innovative European Financial Sector’. In this publication the European Commission outlined three key principles to inform an approach to regulation of FinTech: i) technological neutrality; ii) proportionality; and iii) market integrity.
Of these principles market integrity should take precedence over proportionality in determining the future policy framework. Proportionality should not come at the expense of proper risk management practices; care must be taken to ensure consistent incentives to manage risks and protect consumers. This is particularly important for standards governing cybersecurity, AML/CFT and data and consumer protection. Innovation will not occur if consumers lose trust as a result of inconsistent protection, or the system as a whole is weakened by gaps in regulation. The principle of ‘same service, same rules’ should be applied to secure consistent standards, avoid regulatory arbitrage amongst market participants and allow competition to be conducted on a level playing field to mitigate risks from newly adopted technologies.
A key lesson of the financial crisis was that a globally interconnected financial system requires a globally consistent regulatory framework. This insight should inform the regulatory response to FinTech developments, both to mitigate the risk of regulatory arbitrage, but also to avoid regulatory barriers and costs acting as a barrier to new market entrants. Global coordination will ultimately provide for both more efficient and secure standards for cross-border FinTech activities for both European and non-European firms providing services to European consumers. The EBA should seek to play an active role in encouraging international cooperation in this space.
Sandboxes
Assessments of European sandboxing regimes, as proposed in paragraphs 72(c) and 74(b), and in particular eligibility requirements for sandbox participation, would benefit from further attention and harmonisation of standards.
As a next step, we encourage the EBA to promote wider participation in these useful tools across Member States, and especially amongst incumbent banks. Equal access will allow regulators and new entrants to leverage banks’ considerable experience and lessons learnt in identifying risks and helping shape standards and governance for new technologies, such as distributed ledger technology (DLT) and peer-to-peer (P2P) payment opportunities. This will also help to promote fair competition and eliminate uncertainty on whether incumbent banks that partner with start-ups may participate in sandbox initiatives.
Early interaction between regulators and market participants of all sizes would also provide clarity on regulatory and supervisory requirements at an early stage, reduce implementation risk and provide regulators with early sight of developments so that they can better calibrate their regulatory approach. As noted in the UK Financial Conduct Authority’s (FCA) first annual report on its regulatory sandbox, testing in the sandbox ‘allows [the FCA] to observe more closely the potential risks DLT may present and to feed into these tests to ensure appropriate safeguards are in place and potential consumer detriment is minimised.’ Furthermore, regulatory sandboxes would support the ongoing training of staff directly with the organisation and enhance communication with supervised entities.
With regard to the waiving of particular requirements while testing pilot programs in the sandbox (as highlighted in paragraph 72(c)) such an approach may diminish the ability to identify the full impact of, and properly risk profile, the product or service in the pilot. Any legal and regulatory framework considerations for sandbox regimes should therefore keep in mind the complexity and range of requirements a potential service may trigger, including those on outsourcing, data privacy and business-specific regulations and legal requirements.
One issue not highlighted by the EBA which creates barriers to the modernisation and digitalisation of banks, is the capital treatment of software within the EU. Software represents a core asset for banks and is an important part of banks’ contribution to the digitalisation of the EU economy. However, the current regulatory treatment (i.e. considered an intangible asset) essentially forces banks to back their investments in software with the same amount of capital required to support lending. This is despite the fact that software has shown value in the case of liquidation of a bank.
Conversely, software investments in other sectors and jurisdictions, such as the US, allows these investments to be risk weighted as an ordinary asset. The overall effect is to discourage investments in new technologies and start-ups, and to create an unlevel playing field for EU banks.
We therefore urge the European authorities to reconsider the current treatment of software within the prudential framework, as part of the ongoing review of the Capital Requirements Regulation (CRR), in order to assign a fair value to these investments. This will support the digitalisation of banks and investments in new technologies / start-ups, and contribute to the modernisation of the EU financial system.
Cyber risk
Deutsche Bank welcomes the continued focus of the EBA on addressing cyber risk, and in particular the efforts highlighted in paragraph 84 on strengthening cross-border cooperation between competent authorities across Member States in the area of cybersecurity.
Given the interconnectedness of the financial system, an appropriate and uniform end-to-end security level is needed along the complete financial services value chain to ensure robust cybersecurity resilience. A connected system is only as secure as its weakest link.
Existing initiatives addressing the financial sector, including the Directive (EU) 2016/1148 (‘NIS Directive’) or the EBA Guidelines on ICT Risk Assessment under the SREP 2017, as well as local implementation such as BaFin’s coming Minimum Requirements on Banking-IT (‘BAIT’) in Germany, create a broad and robust cybersecurity regulation for banks, irrespective of the type of FinTech engagement. These initiatives cover a range of topics, from IT strategy and governance to the management of IT risks, security and user authorisation, amongst others.
The application of FinTech in financial services must follow the same established high security standards that incumbent financial services firms use. In Europe, for example, this includes requirements set forth in the NIS Directive, General Data Protection Regulation (GDPR), Payments Services Directive 2 (PSD2), and the Committee on Payments and Market Infrastructures (CPMI) and International Organisation of Securities Commissions (IOSCO) Guidance on cyber resilience for financial market infrastructures.
Requirements on security incident reporting to regulators, such as those defined in PSD2 and the NIS Directive, should also apply across market participants, including to FinTech firms and third-party providers. Furthermore, banks should be informed of security breaches / incidents at connected FinTechs where their customer data is affected to allow for appropriate follow-up measures and notifications. To ensure cybersecurity standards are maintained as the financial services landscape evolves and new technologies adopted, regulators should actively engage with new and existing market participants to understand emerging trends and address any potential regulatory and/or enforcement gaps.
We encourage the EBA to continue to engage with cybersecurity practitioners to learn and share best practices and, due to global nature of cyber-crime, coordinate with the relevant authorities and organisations in other jurisdictions. A cybersecurity framework that encourages a risk-based approach, global coordination and sharing of cyber threat information would best serve to protect the integrity of the financial system.
Cloud services
Deutsche Bank agrees with the EBA on the growing importance of cloud services as a key driver of innovation and welcomes its efforts to provide certainty on the application of existing outsourcing requirements to the cloud services business model. As highlighted in our response to the EBA consultation on draft recommendations on outsourcing to cloud service providers (CSPs) in August 2017, regulatory clarity and harmonised standards will help to enhance risk management practices for outsourcing across market participants and jurisdictions.
We would also encourage the EBA to consider alternate approaches which reduce potential burdens without diluting risk control. For example, moving towards regulator-driven shared assessments of cloud service providers (CSPs) on behalf of a consortium of banks would be greatly beneficial from both control and cloud adoption perspectives. This will be especially useful as only a small subset of CSPs are large enough to service the scale of activities outsourced by financial institutions. Given this potential concentration risk, direct regulator involvement will help to ensure compliance with regulatory requirements, and secure the necessary contractual rights for financial institutions to support robust oversight and transition planning.
Deutsche Bank is pragmatic in its choice of FinTech solutions and we seek to apply them wherever significant value is generated. These solutions are adopted through various means, such as through business and technology groups, our internal innovation labs, industry consortia and direct investment in FinTech companies.
FinTech innovation has the potential to improve the safety and soundness of incumbent banks through improved operational, cost and post-trade efficiencies, automated KYC and AML processes, and other benefits.
Deutsche Bank is involved in a number of collaborative initiatives with other market participants which focus on cost reductions and process improvements. One such example is Symphony, a secure, cloud-based, communication and content sharing platform. It connects markets and individuals, promoting collaboration and increases workflow productivity while maintaining organisational compliance. Symphony was funded in September 2014 by 15 banks, including Deutsche Bank, and now has now over 26 active investors, including Google.
In October 2017, Deutsche Bank open sourced over 150,000 lines of code from its Autobahn platform to create a common industry standard designed to connect thousands of different applications from across the financial services industry, allowing them to work with each other and improve the user experience. This will enable the development of a whole new ecosystem of interconnected applications by the open source community that extend the boundaries of the Symphony and Autobahn capabilities.
There are a broad number of uses cases for DLT which have the potential to bring significant efficiencies and cost savings to business processes of credit institutions in the future, including:
- Collateral management: DLT offers the potential for an environment which allows for the tracking of collateral movements with enhanced clarity on underlying beneficial owners. Given regulatory requirements and the growing importance of collateral management for market participants such a development could be very beneficial.
- Record of ownership: The ability to manage chains would also allow for full tracking on the ownership of assets, without the need for full account segregation. In the context of the current discussion on full account segregation such a solution would achieve the necessary transparency without the cost of full segregation. We note that there are many legal issues to address here, not least the question of which jurisdictional law should apply in the case of cross border transactions.
- Corporate actions and proxy flows: Due to the continued manual nature of these processes and the need to distribute and exchange information with a large number of customers this would be a good candidate for DLT usage. Smart contracts in particular could be programmed with the necessary information to process corporate actions (coupon payments, covenants, dividend payment, splits etc.). Given the complexity around this, the benefits are likely to be easiest to deliver in newly issued bonds and certain new share instruments as well as mandatory corporate action events on existing shares.
- Post-trade: The use of DLT could reduce the settlement cycle for various instruments, and in turn reduce counterparty risk and free up bank capital. For example, a shortened settlement cycle for derivatives transactions would reduce the margin period of risk (MPOR), leading to a reduction in the overall amount of margin a bank would be required to post with counterparties. If the minimum timeframe (currently 10 days) were to be reduced as a result of the faster processing that DLT allows for, then margin requirements would also fall.
- Smart contracts: DLT and smart contracts have the potential to deliver operational risk reduction due to a decrease in manual errors, increased efficiency and reduced intraday liquidity risk due to true delivery vs payment (DvP). If DLT provides for centralised valuations, resultant processes such as capital calculations could be made significantly more efficient. A smart contract library via different engines (e.g. issuance engine, trading engine, netting engine and custody) could cover the complete life cycle of a security including issuance and asset servicing.
The effective deployment and application of new technology to deliver against regulatory requirements – RegTech – will provide opportunities to improve compliance processes at banks and pursue regulatory objectives more efficiently. Potential opportunities would include:
- Trade reporting and recordkeeping: Industry wide blockchain / DLT could assist with regulatory adherence in trade reporting. The current complex reporting landscape (e.g. MiFID, MMSR, SFTR, EMIR, etc.) makes this a high priority area for RegTech. Given the challenges associated with agreeing on industry wide standards (a necessary precondition for the adoption of a distributed ledger), ledgers for individual institutions would also be valuable for accounting and record-keeping purposes.
- Data analysis: Data mining algorithms based on machine learning could assist with analysis of data submitted by financial institutions to regulators.
- Regulatory mapping: Tools to map upcoming regulatory requirements by using automated software solutions, including a regulatory repository available in machine readable format.
- Risk data aggregation and management: Tools that automate and assist risk data aggregation and management, as required for capital, liquidity and large exposures reporting, valuation and risk modelling and recovery and resolution planning.
- Compliance and risk technologies: Real-time payments transactions monitoring, reporting and blocking to help enhance by anti-money laundering (AML), anti-terrorist financing (ATF) and sanctions regimes. Identity verification as required by know-your-customer regulation and monitoring employee and client behaviour and organisational culture in conduct regulation.
- Software interoperability: Application Programming Interfaces (APIs) could be used in variety of contexts to enable different software programs to communicate with each other. An example would be between banks and other providers in the context of the Payment Services Directive 2 (PSD2), although clearly many broader uses are possible.
Specifically, the liability provisions established by Article 73 of PSD2 require account-holding banks to refund their clients immediately (‘Primary Liability’) for any unauthorised payments initiated online through a third party provider (TPP), even if the TPP is at fault. A bank may then attempt to recoup the lost funds back from the TPP, unless the TPP can prove that it was not at fault. Although the liability of TPPs is covered by insurance, there may be cases where the insurance is insufficient or the claim process is prolonged (i.e. litigations in case of disagreement).
This allocation of liability forces banks to absorb the costs and risks associated with a TPP’s performance, business and operational conduct. Banks would have to allocate capital in order to cater for such unexpected incidents outside of its control and essentially take on a function it does not aim to have – that of an insurance company.
In this regard, we do not support the extrapolation of similar arrangements / allocation of liability to other areas of FinTech as this may contribute to increased risks across incumbent banks and the industry. In our view such claims should be settled directly by the insurance companies if a TPP or FinTech firm has insufficient funds. Alternatively, a TTP or FinTech firm should be required to allocate enough capital to reflect the risks stemming from its business activities. This risk assessment should also take into account the type of clients that the entity is servicing, including the specific risks associated with corporate clients whose transactions volumes and values are typically much higher than those of individual retail clients.
As highlighted in our response to Question 1, we believe that TPPs or FinTech firms providing financial services should be subject to the same set of requirements covering security and operational procedures as banks offering the same service. A responsible balance must be struck between encouraging innovation from new market participants and protecting the safety and soundness of the financial system.
In regards to paragraph 90 in the EBA consultation, banks are currently implementing significant programs under PSD2 to minimise cybersecurity risks, such as 2FA and Fraud Detection, amongst others. In this regard, we support the EBA’s continued assessment of the adequacy of such requirements, but would pay particular attention to ensuring that innovative solutions are subject the high same standards in order to avoid that the efforts to improve the security of current systems/processes are being undermined by new entrants or new technologies. Ongoing assessments of regulator perimeters and discussions with market participants and market infrastructures will compliments regulators’ understanding of the evolving landscape and help identify potential regulatory gaps.
Beyond the actions proposed in the consultation, the EBA and other European regulators should also consider more direct engagement with market participants to help specify the minimum controls needed for a DLT / blockchain-based investment product to be brought to market. Such work should look to address:
- Minimum controls for an ICO (Initial Coin Offering) to be part of our investment products in terms of market adoption.
- The related minimum information security controls needed for such a setup.
- Minimum business / payment controls needed for a DLT based system – with reference to cross-border payment implications, KYC & CDD checks.
- Minimum design controls for a DLT based system to be of satisfactory operational standards – e.g. does the blockchain network have to be open or closed?
- Agreement on what level of due diligence banks must demonstrate before supporting such products.
One important variable affecting the impact of FinTech on the development of bank business models is the extent to which regulators maintain a level playing field amongst all market participants through the application of consistent requirements and standards. Open questions on how regulation will be applied to FinTech activities – including P2P payments and lenders, ‘shadow trading’ or ‘social trading’ (i.e. set your account to mirror chosen traders’ transactions) – will clarify the competitive landscape and potential changes to incumbent bank business models.
In addition to holding interviews with sample credit institutions, as proposed in paragraph 103(a), the EBA should also engage directly with FinTech companies and incumbent banks’ digital innovation functions to experience first-hand the ‘digital first’ approach to working practices and how this may underpin corporate culture.
More specifically we currently see the impact of FinTech developments on the existing banking landscape in Europe fall in the following areas:
- Delivery Channels: changes being made within the banking business model, such as new mobile channels, automation, etc. These activities are already highly regulated in banks. For example, banks must meet minimum standards before launching a mobile platform. Conversely, the same minima do not necessarily apply to FinTech firms. This includes no clear requirements to address non-financial risk, such as cybersecurity – a risk that is equal if not higher in smaller FinTech firms. This regulatory imbalance creates an unlevel playing field and introduces potential risks to the end-consumer. Regulatory gaps should be addressed and appropriate, proportionate requirements applied to all entities providing similar services.
- Alternative products: in the digital / alternative currency space, such as bitcoin and virtual currencies. These have the potential to reshape certain financing and business models, and, as a result, banking services. However, there remains considerable regulatory uncertainty in this space, including on legal rights and dispute resolution. Regulators should look to address this and coordinate at the global level to support consistent standards across borders.
- Cross-bank platforms: development of market utilities for back-end infrastructure such as KYC and post-trade processes. The lack of regulatory guidance around the services that could / could not be mutualised by banks, and how the utilities would be funded, governed and resolved (given their sheer size and systemic importance) is curtailing innovation in this space.
- Enabling technologies: such as DLT, AI and big data. To expedite the development of standards and avoid industry fragmentation around adoption and minimum standards, regulatory steer is needed to define the minimum conditions for commercially deploying these technologies in banking.
- Competing technology platforms: such as payments, P2P lending, etc. Regulators should apply the core principles as outlined in our response to Observation 1, to ensure any future platforms/services are captured under existing regulatory frameworks. This will provide innovators with regulatory clarity and consistency, and reduce the risk of regulatory arbitrage.
To avoid these complications, we suggest that a harmonised set of rules or minimum standards be established, as proposed by the EBA in paragraph 118(a), which specify the procedures and allocation of tasks between the financial institutions and FinTechs firms.
With regards to the issues highlighted in paragraph 119(a), we recommend the EBA include the legal frameworks on digital signatures in the scope of the assessment proposed in paragraph 120(a). In Germany, we see some developments in the area of digital communication between banks and consumers, especially with respect to electronic signatures. However, further progress is constrained due to uncertainty and certain legal restrictions.
For example, consumer loans require a handwritten signature by customers to be legally binding, which can only be replaced by the strictest form of electronic signature (qualified e-signature). In light of the increasing digitalisation, policymakers and regulators should reconsider these formal requirements in view of the related risks (which are not handled via the distinction between advanced and qualified signatures), e.g. reducing requirements for low value loans from handwritten signatures to advanced signatures or text form.
In regards to disclosure in the digital environment, the following set of rules should apply when a FinTech firm has rights to access the data of customers:
1. The access should be visible to the customers but also to the banks/financial institutions who stores such data.
2. The consumer should be able to define the scope of the information accessed by a FinTech firm and to grant access on the basis of an aware decision.
3. The consumer should have control over the amount of information accessed by FinTech firm, and should have the ability and tools to limit the scope of such information.
4. The same set of data protection rules should be provided to the banks/financial institutions. This approach should be harmonised in relation to the requirements provided to the banks/financial institutions, when a FinTech firm has the right to access the accounts of the customers.
At present, topics such as big data pooling or client data processing are, in addition to existing banking secrecy limitations, subject to strict data privacy frameworks and further enhanced by the coming GDPR. Client data evaluation or related FinTech analytics services should fall within these legal and regulatory frameworks and should not require additional regulation.
With reference to the proposed actions detailed in paragraph 127, we encourage the EBA to also engage and coordinate with global bodies focused on the implications of innovative technologies, in particular the Financial Stability Board and the ongoing work of its Financial Innovation Network, including its recent publication on ‘Artificial intelligence and machine learning in financial services: Market developments and financial stability implications.’
Deutsche Bank encourages regulators to follow technological developments like artificial intelligence (AI) and DLT carefully, and assess continuously to what extent current regulation still appears to be sufficient concerning financial market risks.
With regard to the impact of FinTech firms on the resolvability of banks, as highlighted in by the EBA in paragraph 128(b), we note that banks’ arrangements with FinTech firms are typically categorised as service provider relationships and therefore subject to similar consideration of recovery and resolution requirements as part of the vendor risk management process. Each bank subject to the respective regulatory framework is already obliged today to review resolution risk in connection with a critical FinTech service and will contractually require resolution-related obligations in the FinTech service agreement for such critical relationship.
From an overall risk management perspective, however, a FinTech outage or breakdown appears to be far more likely. Institutional risk management should therefore focus on business continuity and service substitution requirements similar to the management of other outsourcing services. This can be further complemented by minimum standards for FinTech firms on continuity arrangements, which would reduce the divergent practices highlighted by the EBA in paragraph 128(a).
Question 1: Are the issues identified by the EBA and the way forward proposed in section 4.1 relevant and complete? If not, please explain why.
The issues identified by the EBA in paragraphs 72 and 73 are the relevant areas warranting further investigation. In particular, 72(a) and (b) and the proposed assessments detailed in 74(a) and 75 are crucial to ensuring regulator gaps are identified and addressed. Ongoing scrutiny of national regimes and the provision of different forms of financial products and services under national and EU law is a necessary step to ensure that regulatory and supervisory frameworks remain fit for purpose and are able to adapt to innovation and risks within the market.In this regard, we support a principles based approach for regulating FinTech, along the lines of that proposed by the European Commission in its March 2017 publication ‘FinTech: A More Competitive and Innovative European Financial Sector’. In this publication the European Commission outlined three key principles to inform an approach to regulation of FinTech: i) technological neutrality; ii) proportionality; and iii) market integrity.
Of these principles market integrity should take precedence over proportionality in determining the future policy framework. Proportionality should not come at the expense of proper risk management practices; care must be taken to ensure consistent incentives to manage risks and protect consumers. This is particularly important for standards governing cybersecurity, AML/CFT and data and consumer protection. Innovation will not occur if consumers lose trust as a result of inconsistent protection, or the system as a whole is weakened by gaps in regulation. The principle of ‘same service, same rules’ should be applied to secure consistent standards, avoid regulatory arbitrage amongst market participants and allow competition to be conducted on a level playing field to mitigate risks from newly adopted technologies.
A key lesson of the financial crisis was that a globally interconnected financial system requires a globally consistent regulatory framework. This insight should inform the regulatory response to FinTech developments, both to mitigate the risk of regulatory arbitrage, but also to avoid regulatory barriers and costs acting as a barrier to new market entrants. Global coordination will ultimately provide for both more efficient and secure standards for cross-border FinTech activities for both European and non-European firms providing services to European consumers. The EBA should seek to play an active role in encouraging international cooperation in this space.
Sandboxes
Assessments of European sandboxing regimes, as proposed in paragraphs 72(c) and 74(b), and in particular eligibility requirements for sandbox participation, would benefit from further attention and harmonisation of standards.
As a next step, we encourage the EBA to promote wider participation in these useful tools across Member States, and especially amongst incumbent banks. Equal access will allow regulators and new entrants to leverage banks’ considerable experience and lessons learnt in identifying risks and helping shape standards and governance for new technologies, such as distributed ledger technology (DLT) and peer-to-peer (P2P) payment opportunities. This will also help to promote fair competition and eliminate uncertainty on whether incumbent banks that partner with start-ups may participate in sandbox initiatives.
Early interaction between regulators and market participants of all sizes would also provide clarity on regulatory and supervisory requirements at an early stage, reduce implementation risk and provide regulators with early sight of developments so that they can better calibrate their regulatory approach. As noted in the UK Financial Conduct Authority’s (FCA) first annual report on its regulatory sandbox, testing in the sandbox ‘allows [the FCA] to observe more closely the potential risks DLT may present and to feed into these tests to ensure appropriate safeguards are in place and potential consumer detriment is minimised.’ Furthermore, regulatory sandboxes would support the ongoing training of staff directly with the organisation and enhance communication with supervised entities.
With regard to the waiving of particular requirements while testing pilot programs in the sandbox (as highlighted in paragraph 72(c)) such an approach may diminish the ability to identify the full impact of, and properly risk profile, the product or service in the pilot. Any legal and regulatory framework considerations for sandbox regimes should therefore keep in mind the complexity and range of requirements a potential service may trigger, including those on outsourcing, data privacy and business-specific regulations and legal requirements.
Question 2: Are the issues identified by the EBA and the way forward proposed in subsection 4.2.1 relevant and complete? If not, please explain why.
The issues identified by the EBA broadly cover the range of potential challenges facing banks. Deutsche Bank agrees with the EBA’s proposed approach and would encourage greater engagement between the EBA and market participants, to complement the workshops and training for supervisors proposed in paragraph 86(b), to understand the risks and opportunities arising from the use of developing technologies.One issue not highlighted by the EBA which creates barriers to the modernisation and digitalisation of banks, is the capital treatment of software within the EU. Software represents a core asset for banks and is an important part of banks’ contribution to the digitalisation of the EU economy. However, the current regulatory treatment (i.e. considered an intangible asset) essentially forces banks to back their investments in software with the same amount of capital required to support lending. This is despite the fact that software has shown value in the case of liquidation of a bank.
Conversely, software investments in other sectors and jurisdictions, such as the US, allows these investments to be risk weighted as an ordinary asset. The overall effect is to discourage investments in new technologies and start-ups, and to create an unlevel playing field for EU banks.
We therefore urge the European authorities to reconsider the current treatment of software within the prudential framework, as part of the ongoing review of the Capital Requirements Regulation (CRR), in order to assign a fair value to these investments. This will support the digitalisation of banks and investments in new technologies / start-ups, and contribute to the modernisation of the EU financial system.
Cyber risk
Deutsche Bank welcomes the continued focus of the EBA on addressing cyber risk, and in particular the efforts highlighted in paragraph 84 on strengthening cross-border cooperation between competent authorities across Member States in the area of cybersecurity.
Given the interconnectedness of the financial system, an appropriate and uniform end-to-end security level is needed along the complete financial services value chain to ensure robust cybersecurity resilience. A connected system is only as secure as its weakest link.
Existing initiatives addressing the financial sector, including the Directive (EU) 2016/1148 (‘NIS Directive’) or the EBA Guidelines on ICT Risk Assessment under the SREP 2017, as well as local implementation such as BaFin’s coming Minimum Requirements on Banking-IT (‘BAIT’) in Germany, create a broad and robust cybersecurity regulation for banks, irrespective of the type of FinTech engagement. These initiatives cover a range of topics, from IT strategy and governance to the management of IT risks, security and user authorisation, amongst others.
The application of FinTech in financial services must follow the same established high security standards that incumbent financial services firms use. In Europe, for example, this includes requirements set forth in the NIS Directive, General Data Protection Regulation (GDPR), Payments Services Directive 2 (PSD2), and the Committee on Payments and Market Infrastructures (CPMI) and International Organisation of Securities Commissions (IOSCO) Guidance on cyber resilience for financial market infrastructures.
Requirements on security incident reporting to regulators, such as those defined in PSD2 and the NIS Directive, should also apply across market participants, including to FinTech firms and third-party providers. Furthermore, banks should be informed of security breaches / incidents at connected FinTechs where their customer data is affected to allow for appropriate follow-up measures and notifications. To ensure cybersecurity standards are maintained as the financial services landscape evolves and new technologies adopted, regulators should actively engage with new and existing market participants to understand emerging trends and address any potential regulatory and/or enforcement gaps.
We encourage the EBA to continue to engage with cybersecurity practitioners to learn and share best practices and, due to global nature of cyber-crime, coordinate with the relevant authorities and organisations in other jurisdictions. A cybersecurity framework that encourages a risk-based approach, global coordination and sharing of cyber threat information would best serve to protect the integrity of the financial system.
Cloud services
Deutsche Bank agrees with the EBA on the growing importance of cloud services as a key driver of innovation and welcomes its efforts to provide certainty on the application of existing outsourcing requirements to the cloud services business model. As highlighted in our response to the EBA consultation on draft recommendations on outsourcing to cloud service providers (CSPs) in August 2017, regulatory clarity and harmonised standards will help to enhance risk management practices for outsourcing across market participants and jurisdictions.
We would also encourage the EBA to consider alternate approaches which reduce potential burdens without diluting risk control. For example, moving towards regulator-driven shared assessments of cloud service providers (CSPs) on behalf of a consortium of banks would be greatly beneficial from both control and cloud adoption perspectives. This will be especially useful as only a small subset of CSPs are large enough to service the scale of activities outsourced by financial institutions. Given this potential concentration risk, direct regulator involvement will help to ensure compliance with regulatory requirements, and secure the necessary contractual rights for financial institutions to support robust oversight and transition planning.
Question 3: What opportunities and threats arising from FinTech do you foresee for credit institutions?
While competitive pressures are expected in traditional markets, FinTech firms can also provide new partnership opportunities for incumbent banks which are mutually beneficial and may help to develop new markets. While partnership provides the opportunity for banks to tap into new revenue sources and meet quickly evolving consumer demands/preferences, FinTech firms are in turn able to deliver new products to a broader customer base, more efficiently by being able to make use of existing banking and payments infrastructures.Deutsche Bank is pragmatic in its choice of FinTech solutions and we seek to apply them wherever significant value is generated. These solutions are adopted through various means, such as through business and technology groups, our internal innovation labs, industry consortia and direct investment in FinTech companies.
FinTech innovation has the potential to improve the safety and soundness of incumbent banks through improved operational, cost and post-trade efficiencies, automated KYC and AML processes, and other benefits.
Deutsche Bank is involved in a number of collaborative initiatives with other market participants which focus on cost reductions and process improvements. One such example is Symphony, a secure, cloud-based, communication and content sharing platform. It connects markets and individuals, promoting collaboration and increases workflow productivity while maintaining organisational compliance. Symphony was funded in September 2014 by 15 banks, including Deutsche Bank, and now has now over 26 active investors, including Google.
In October 2017, Deutsche Bank open sourced over 150,000 lines of code from its Autobahn platform to create a common industry standard designed to connect thousands of different applications from across the financial services industry, allowing them to work with each other and improve the user experience. This will enable the development of a whole new ecosystem of interconnected applications by the open source community that extend the boundaries of the Symphony and Autobahn capabilities.
There are a broad number of uses cases for DLT which have the potential to bring significant efficiencies and cost savings to business processes of credit institutions in the future, including:
- Collateral management: DLT offers the potential for an environment which allows for the tracking of collateral movements with enhanced clarity on underlying beneficial owners. Given regulatory requirements and the growing importance of collateral management for market participants such a development could be very beneficial.
- Record of ownership: The ability to manage chains would also allow for full tracking on the ownership of assets, without the need for full account segregation. In the context of the current discussion on full account segregation such a solution would achieve the necessary transparency without the cost of full segregation. We note that there are many legal issues to address here, not least the question of which jurisdictional law should apply in the case of cross border transactions.
- Corporate actions and proxy flows: Due to the continued manual nature of these processes and the need to distribute and exchange information with a large number of customers this would be a good candidate for DLT usage. Smart contracts in particular could be programmed with the necessary information to process corporate actions (coupon payments, covenants, dividend payment, splits etc.). Given the complexity around this, the benefits are likely to be easiest to deliver in newly issued bonds and certain new share instruments as well as mandatory corporate action events on existing shares.
- Post-trade: The use of DLT could reduce the settlement cycle for various instruments, and in turn reduce counterparty risk and free up bank capital. For example, a shortened settlement cycle for derivatives transactions would reduce the margin period of risk (MPOR), leading to a reduction in the overall amount of margin a bank would be required to post with counterparties. If the minimum timeframe (currently 10 days) were to be reduced as a result of the faster processing that DLT allows for, then margin requirements would also fall.
- Smart contracts: DLT and smart contracts have the potential to deliver operational risk reduction due to a decrease in manual errors, increased efficiency and reduced intraday liquidity risk due to true delivery vs payment (DvP). If DLT provides for centralised valuations, resultant processes such as capital calculations could be made significantly more efficient. A smart contract library via different engines (e.g. issuance engine, trading engine, netting engine and custody) could cover the complete life cycle of a security including issuance and asset servicing.
The effective deployment and application of new technology to deliver against regulatory requirements – RegTech – will provide opportunities to improve compliance processes at banks and pursue regulatory objectives more efficiently. Potential opportunities would include:
- Trade reporting and recordkeeping: Industry wide blockchain / DLT could assist with regulatory adherence in trade reporting. The current complex reporting landscape (e.g. MiFID, MMSR, SFTR, EMIR, etc.) makes this a high priority area for RegTech. Given the challenges associated with agreeing on industry wide standards (a necessary precondition for the adoption of a distributed ledger), ledgers for individual institutions would also be valuable for accounting and record-keeping purposes.
- Data analysis: Data mining algorithms based on machine learning could assist with analysis of data submitted by financial institutions to regulators.
- Regulatory mapping: Tools to map upcoming regulatory requirements by using automated software solutions, including a regulatory repository available in machine readable format.
- Risk data aggregation and management: Tools that automate and assist risk data aggregation and management, as required for capital, liquidity and large exposures reporting, valuation and risk modelling and recovery and resolution planning.
- Compliance and risk technologies: Real-time payments transactions monitoring, reporting and blocking to help enhance by anti-money laundering (AML), anti-terrorist financing (ATF) and sanctions regimes. Identity verification as required by know-your-customer regulation and monitoring employee and client behaviour and organisational culture in conduct regulation.
- Software interoperability: Application Programming Interfaces (APIs) could be used in variety of contexts to enable different software programs to communicate with each other. An example would be between banks and other providers in the context of the Payment Services Directive 2 (PSD2), although clearly many broader uses are possible.
Question 4: Are the issues identified by the EBA and the way forward proposed in subsection 4.2.2 relevant and complete? If not, please explain why.
The issues identified are relevant and we agree with the EBA’s proposed way forward. One issue not highlighted by the EBA relates to the unbalanced allocation of liability amongst FinTech firms and banks, which warrants further consideration in this and other areas of FinTech.Specifically, the liability provisions established by Article 73 of PSD2 require account-holding banks to refund their clients immediately (‘Primary Liability’) for any unauthorised payments initiated online through a third party provider (TPP), even if the TPP is at fault. A bank may then attempt to recoup the lost funds back from the TPP, unless the TPP can prove that it was not at fault. Although the liability of TPPs is covered by insurance, there may be cases where the insurance is insufficient or the claim process is prolonged (i.e. litigations in case of disagreement).
This allocation of liability forces banks to absorb the costs and risks associated with a TPP’s performance, business and operational conduct. Banks would have to allocate capital in order to cater for such unexpected incidents outside of its control and essentially take on a function it does not aim to have – that of an insurance company.
In this regard, we do not support the extrapolation of similar arrangements / allocation of liability to other areas of FinTech as this may contribute to increased risks across incumbent banks and the industry. In our view such claims should be settled directly by the insurance companies if a TPP or FinTech firm has insufficient funds. Alternatively, a TTP or FinTech firm should be required to allocate enough capital to reflect the risks stemming from its business activities. This risk assessment should also take into account the type of clients that the entity is servicing, including the specific risks associated with corporate clients whose transactions volumes and values are typically much higher than those of individual retail clients.
As highlighted in our response to Question 1, we believe that TPPs or FinTech firms providing financial services should be subject to the same set of requirements covering security and operational procedures as banks offering the same service. A responsible balance must be struck between encouraging innovation from new market participants and protecting the safety and soundness of the financial system.
In regards to paragraph 90 in the EBA consultation, banks are currently implementing significant programs under PSD2 to minimise cybersecurity risks, such as 2FA and Fraud Detection, amongst others. In this regard, we support the EBA’s continued assessment of the adequacy of such requirements, but would pay particular attention to ensuring that innovative solutions are subject the high same standards in order to avoid that the efforts to improve the security of current systems/processes are being undermined by new entrants or new technologies. Ongoing assessments of regulator perimeters and discussions with market participants and market infrastructures will compliments regulators’ understanding of the evolving landscape and help identify potential regulatory gaps.
Beyond the actions proposed in the consultation, the EBA and other European regulators should also consider more direct engagement with market participants to help specify the minimum controls needed for a DLT / blockchain-based investment product to be brought to market. Such work should look to address:
- Minimum controls for an ICO (Initial Coin Offering) to be part of our investment products in terms of market adoption.
- The related minimum information security controls needed for such a setup.
- Minimum business / payment controls needed for a DLT based system – with reference to cross-border payment implications, KYC & CDD checks.
- Minimum design controls for a DLT based system to be of satisfactory operational standards – e.g. does the blockchain network have to be open or closed?
- Agreement on what level of due diligence banks must demonstrate before supporting such products.
Question 6: Are the issues identified by the EBA and the way forward proposed in subsection 4.3.1 relevant and complete? If not, please explain why.
The issues identified by the EBA are relevant and comprehensive, and we look forward to the completion of its first phase of work, as highlighted in paragraph 102, assessing the impact of FinTech on incumbent credit institutions’ business models.One important variable affecting the impact of FinTech on the development of bank business models is the extent to which regulators maintain a level playing field amongst all market participants through the application of consistent requirements and standards. Open questions on how regulation will be applied to FinTech activities – including P2P payments and lenders, ‘shadow trading’ or ‘social trading’ (i.e. set your account to mirror chosen traders’ transactions) – will clarify the competitive landscape and potential changes to incumbent bank business models.
In addition to holding interviews with sample credit institutions, as proposed in paragraph 103(a), the EBA should also engage directly with FinTech companies and incumbent banks’ digital innovation functions to experience first-hand the ‘digital first’ approach to working practices and how this may underpin corporate culture.
Question 7: What are your views on the impact that the use of technology-enabled financial innovation and/or the growth in the number of FinTech providers and the volume of their business may have on the business model of incumbent credit institutions?
The application of proportionate regulations based on an entity's business activities, as explained in our response to Question 1, will allow new and existing firms to compete and succeed based on the value delivered to customers. Absent any regulatory distortions then we see significant opportunities for growth of FinTech providers and development of incumbents in parallel. As stated above, far from being a ‘zero-sum’ game, FinTech innovation has the potential to improve the safety and soundness of incumbent banks through improved operational, cost and post-trade efficiencies, automated KYC and AML processes, and other benefits.More specifically we currently see the impact of FinTech developments on the existing banking landscape in Europe fall in the following areas:
- Delivery Channels: changes being made within the banking business model, such as new mobile channels, automation, etc. These activities are already highly regulated in banks. For example, banks must meet minimum standards before launching a mobile platform. Conversely, the same minima do not necessarily apply to FinTech firms. This includes no clear requirements to address non-financial risk, such as cybersecurity – a risk that is equal if not higher in smaller FinTech firms. This regulatory imbalance creates an unlevel playing field and introduces potential risks to the end-consumer. Regulatory gaps should be addressed and appropriate, proportionate requirements applied to all entities providing similar services.
- Alternative products: in the digital / alternative currency space, such as bitcoin and virtual currencies. These have the potential to reshape certain financing and business models, and, as a result, banking services. However, there remains considerable regulatory uncertainty in this space, including on legal rights and dispute resolution. Regulators should look to address this and coordinate at the global level to support consistent standards across borders.
- Cross-bank platforms: development of market utilities for back-end infrastructure such as KYC and post-trade processes. The lack of regulatory guidance around the services that could / could not be mutualised by banks, and how the utilities would be funded, governed and resolved (given their sheer size and systemic importance) is curtailing innovation in this space.
- Enabling technologies: such as DLT, AI and big data. To expedite the development of standards and avoid industry fragmentation around adoption and minimum standards, regulatory steer is needed to define the minimum conditions for commercially deploying these technologies in banking.
- Competing technology platforms: such as payments, P2P lending, etc. Regulators should apply the core principles as outlined in our response to Observation 1, to ensure any future platforms/services are captured under existing regulatory frameworks. This will provide innovators with regulatory clarity and consistency, and reduce the risk of regulatory arbitrage.
Question 10: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.1 relevant and complete? If not, please explain why.
The issues identified are relevant and complete and agree with the EBA’s proposed way forward. As set out in the response to Question 1, we strongly support further assessment of issues related to regulator perimeter and the application of regulatory and supervisory requirements to all market participants providing financial services within Europe.Question 14: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.3 relevant and complete? If not, please explain why.
The issues identified are relevant and complete; we agree with the EBA’s proposed way forward. We urge particular attention to the issues highlighted in paragraph 117(b) and (c). In our experience FinTech firms typically do not have established complaints procedures, which makes the resolution of any complaints between FinTech firms and associated banks more complicated and lengthy.To avoid these complications, we suggest that a harmonised set of rules or minimum standards be established, as proposed by the EBA in paragraph 118(a), which specify the procedures and allocation of tasks between the financial institutions and FinTechs firms.
Question 15: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.4 relevant and complete? If not, please explain why.
The issues identified are relevant and complete and we agree with the EBA’s proposed way forward.With regards to the issues highlighted in paragraph 119(a), we recommend the EBA include the legal frameworks on digital signatures in the scope of the assessment proposed in paragraph 120(a). In Germany, we see some developments in the area of digital communication between banks and consumers, especially with respect to electronic signatures. However, further progress is constrained due to uncertainty and certain legal restrictions.
For example, consumer loans require a handwritten signature by customers to be legally binding, which can only be replaced by the strictest form of electronic signature (qualified e-signature). In light of the increasing digitalisation, policymakers and regulators should reconsider these formal requirements in view of the related risks (which are not handled via the distinction between advanced and qualified signatures), e.g. reducing requirements for low value loans from handwritten signatures to advanced signatures or text form.
In regards to disclosure in the digital environment, the following set of rules should apply when a FinTech firm has rights to access the data of customers:
1. The access should be visible to the customers but also to the banks/financial institutions who stores such data.
2. The consumer should be able to define the scope of the information accessed by a FinTech firm and to grant access on the basis of an aware decision.
3. The consumer should have control over the amount of information accessed by FinTech firm, and should have the ability and tools to limit the scope of such information.
4. The same set of data protection rules should be provided to the banks/financial institutions. This approach should be harmonised in relation to the requirements provided to the banks/financial institutions, when a FinTech firm has the right to access the accounts of the customers.
Question 19: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.6 relevant and complete? If not, please explain why.
The issues identified by the EBA are relevant and complete.At present, topics such as big data pooling or client data processing are, in addition to existing banking secrecy limitations, subject to strict data privacy frameworks and further enhanced by the coming GDPR. Client data evaluation or related FinTech analytics services should fall within these legal and regulatory frameworks and should not require additional regulation.
With reference to the proposed actions detailed in paragraph 127, we encourage the EBA to also engage and coordinate with global bodies focused on the implications of innovative technologies, in particular the Financial Stability Board and the ongoing work of its Financial Innovation Network, including its recent publication on ‘Artificial intelligence and machine learning in financial services: Market developments and financial stability implications.’
Deutsche Bank encourages regulators to follow technological developments like artificial intelligence (AI) and DLT carefully, and assess continuously to what extent current regulation still appears to be sufficient concerning financial market risks.
Question 20: Are the issues identified by the EBA and the way forward proposed in section 4.5 relevant and complete? If not, please explain why.
The analysis and approach set out in section 4.5 is correct.With regard to the impact of FinTech firms on the resolvability of banks, as highlighted in by the EBA in paragraph 128(b), we note that banks’ arrangements with FinTech firms are typically categorised as service provider relationships and therefore subject to similar consideration of recovery and resolution requirements as part of the vendor risk management process. Each bank subject to the respective regulatory framework is already obliged today to review resolution risk in connection with a critical FinTech service and will contractually require resolution-related obligations in the FinTech service agreement for such critical relationship.
From an overall risk management perspective, however, a FinTech outage or breakdown appears to be far more likely. Institutional risk management should therefore focus on business continuity and service substitution requirements similar to the management of other outsourcing services. This can be further complemented by minimum standards for FinTech firms on continuity arrangements, which would reduce the divergent practices highlighted by the EBA in paragraph 128(a).