Response to discussion on Approach on financial technology (Fintech)


Question 1: Are the issues identified by the EBA and the way forward proposed in section 4.1 relevant and complete? If not, please explain why.

We believe that the identified issues are particularly relevant and that the proposed actions to further assess potential actions are appropriate at this stage.

The proposed approach of assessing further national level regulatory frameworks, including sand boxing regimes and other such initiatives, is needed before considering any new EU level regulations concerning the use of FinTech. What is needed is a coherent regulatory and supervisory framework for digital financial services and practices that applies to all actors, and the proposed assessments will be a useful input into this work.

In our view, it is still too early for the introduction of regulatory measures on Fintech at EU level. We consider that these technologies still need to be tested through various use cases before identifying what should be the right regulatory framework and the types of rules to be envisaged. We notably believe that further assessment on the nature of new risks emerging from Fintechs is required; it would not be relevant to refer only to the types of existing risks to properly define what should be the best monitoring approach. At this stage, initiatives conducted at local level seem to be sufficient and the best way to allow effective promotion and development of Fintechs with the involvement of all relevant stakeholders.

Whatever the approach adopted, it is also crucial that a level playing field between the different categories of players is ensured, i.e. the principle of “same activities, same rules” should apply. The EBA’s mapping study of Fintech amply demonstrates this is not currently the case in many instances.

Regulatory discrepancies between banks and other types of actors and between different jurisdictions present important risks for the digital transformation of the financial sector, in particular as they allow new entrants (Fintech start-ups, but also tech giants) to provide financial services and access clients’ sensitive data while not subject to sufficiently stringent rules forcing them to put data subjects’ interests at the center of their priorities. This is particularly true for regulations such as PSD2 but also to some extent for broader regulations such as GDPR (in particular the provisions regarding portability) and NIS, which, although applicable in theory to all players, are in reality unlikely to be applied with the same rigor by banking institutions with a long experience of regulatory compliance and by startups with usually short-term approaches much more focused on customer experience than on risks or regulatory compliance issues. In this context, an appropriate regulatory framework should be elaborated, which will guarantee the highest level of customer and bank security provided by a common level playing field among the different players, together with a widespread and harmonised adoption of cybersecurity measures.

This fact also stems from a major difference between the banking sector and the Fintechs, which is the banking supervisory practices that have been significantly enhanced and tightened following the crisis. In other terms, even when those new entrants are theoretically subject to the same regulation as banks, they are by no means subject to the strict supervision of the financial authorities and the supervisory standards that are applicable to banks.

Regarding sand boxing regimes, at a later stage, an EU framework for testing of disruptive technologies / services could be envisaged, but it should be based on "soft law" such as guidelines, recommendations, and codes of conduct. There is a need to facilitate innovation by all companies including banks, to create “compliant” innovation hubs with a clear set of rules and criteria that allows them to test their products, services and business models in a live environment. The idea of “compliant” innovation hubs is to put in place a strict predefined framework with limitations on clients and data used, time-limited testing, a limited number of persons with access, strong security measures, etc., and testing under regulator supervision.

The French Fintech Forum Lab, launched by the ACPR in June 2017 could be seen as an example of innovation hub testing under regulator supervision. It allows mixing Fintech startups, new actors’ representatives, incumbent institutions and the national control authority to share about regulation consultations and test within the Lab new innovative projects. A first call for projects has been launched in September 2017 and the Banque de France should select three of them to be started by the end of the year.

With regard to banks’ ability to innovate in Fintech, we would also make the observation that rules capping compensation are an obstacle to attracting entrepreneurs and innovators to the regulated industry. Banks themselves need to be allowed to innovate on the same level playing field as startups and tech giants. We also point out that European banks promote the non-deductibility of equity invested in software (Article 36 of the CRR, on deductibility from CET1, to be modified with the following complement: (b) “intangible assets with the exception of software”).

Another obstacle is the treatment of software investments in CRR2. Banks will heavily invest in software over the next few years – on average the banking sector is already investing $700 billion annually on IT innovation. Alongside this, we are witnessing the rapid growth of Fintech with 72bn USD invested in Fintech companies between 2015 and 2016. Furthermore, as recently highlighted by the Think Tank Bruegel, evidence suggests that large internet companies are yet to even enter the Fintech market on a large scale. This could further dramatically transform the Fintech landscape and financial intermediation globally.

When it comes to adopting or providing digital services, software is a strategic asset for European banks, enabling them to serve clients where and when needed and develop cyber security measures to protect their customers. However, remaining able to do this on a competitive basis is more costly for EU financial institutions than for other competitors due to the regulatory differences between jurisdictions or different actors.

More specifically, the definition of capital set in the Basel III Accord states that intangible assets should be deducted from institutions’ CET1, as defined under the relevant accounting standards. This is prudent in the case of assets like goodwill, which may not provide appropriate loss-absorbing capacity. Yet, of the assets that fall under the definitions of intangible assets for EU institutions, “software” displays some special characteristics: capacity to generate income, being central to day-to-day banking operations, and in facilitating the implementation and embedding of regulatory requirements. Moreover, experience shows that software retains some value in case of the liquidation or sale of an entity; not a null value as the current regulatory treatment implies. Indeed, under the current regulatory framework, there could be a somewhat counterintuitive case where a piece of furniture may be given more regulatory value than, for example, an IT development aimed at preserving the cybersecurity of the institution.

This is also an issue of ‘level playing field’: as software is considered an intangible asset in the current EU accounting framework but not in others, European financial institutions are disadvantaged in comparison with other entities and jurisdictions which do not have to account for software as intangible assets. For example, under US GAAP the accounting definition of these kinds of assets is not exhaustive, so some US entities have registered items related to software under different accounts such as “other assets”, “premises & equipment” or “property, equipment and software”. As they are not classified as intangible assets, they are consequently not deducted from capital. As a result, the current drafting of capital and solvency requirements under CRR2 makes investing in innovation more expensive for EU banks.

As a final point, we underline the need to consider the implications of Brexit and of ways to foster innovation with financial technology in the EU27.

Question 2: Are the issues identified by the EBA and the way forward proposed in subsection 4.2.1 relevant and complete? If not, please explain why.

We concur that the identified issues and the proposed actions are particularly relevant to further assess potential risks at this stage.

We agree with the EBA's analysis of the changes in the credit institutions' profile risk and on the fact that the business risk is the most important, with potential distortions of competition, as well as the analysis of the systemic risk. We also concur with the analysis on systemic risk issues arising from FinTech.

With regard to cybersecurity-related risk for credit institutions, this is one of the most important challenges for banks. The financial, reputational, operational, and legal stakes are very high indeed. There is strong pressure on banks linked to open data as well as ensuring consumer protection. Compliance with GDPR and PSD2 exemplifies the challenges involved.

There is a need for a principle-based and coherent overall regulatory and supervisory approach:

• Both industry and public authorities should apply cohesive principles and best practices of risk management to improving the security and resilience of critical infrastructure and services.

• Principle-based, legal or implicit market-based Cyber Security minimum standards are preferable to technical, rule-based legal requirements.

• Reinforce consistency of the regulatory framework for Cyber Security at EU level (interplay between GDPR, PSD2, NIS Directive, etc.). There is a need for harmonization of regulations and reporting of incidents, safe, bi-directional and efficient sharing of information, etc.

• The EU needs to increase Financial Institutions’ cyber-resilience capabilities through better coordination and two-way interaction among banks, supervisors and regulators. A potential solution would be a European Financial CSIRT coordinated with National CSIRTs and Financial Institutions with the purpose of preventing, detecting, countering or investigating cybersecurity threats or incidents.

• Level Playing Field: Ensure a cross-industry Level Playing Field (LPF) covering all players in the financial services industry, including startups and hardware/software vendors, as the whole ecosystem is only as secure as its weakest element. In addition, a cross-industry LPF is needed with regard to the opening up of the industry due to PSD2, for proportional risk sharing and a balanced digital authentication system between TPPs and banks, as well as for financial capacity and capital requirements to deal with customer harm, such as unauthorised withdrawals, identity theft or damaged credit.

Regarding legal constraints with Big Tech actors, besides the fact that almost all are non-EU companies and the inherent risks this brings, there is a need for a better understanding about the benefits of cloud technology by financial supervisors. The benefits of cloud computing are significant: reduction of risk via the best IT and risk management; efficiency, simplicity and cost reduction of IT processes; unlimited velocity and elasticity under demand; ubiquitous (authorized) network access from any country where the bank is present; employee and customer ability to collaborate in a multi-channel environment.

There needs to be collaboration with the financial sector and cloud service providers, to identify practical interpretations of regulatory requirements that work across multiple jurisdictional and regulatory frameworks (financial supervisors’ regulation on outsourcing introduces requirements for banks and it is not harmonized at an EU level). However, security remains a major source of concern for the supervisors, who place too heavy a reliance on the ability to conduct an onsite audit, which is unlikely to yield results or provide the necessary assurance. Security concerns can instead be overcome by creating a cloud computing culture among stakeholders. Regulators should promote and facilitate this with the aid of cloud service providers and cloud users, such as financial institutions. On many occasions, cloud service providers do have more certifications than cloud customer organizations, so migrating to the cloud can contribute to security improvements for the whole financial industry.
There is also a need to adapt and clarify horizontal cloud regulation: There are challenges concerning regulation on security, the control of data, data location, access and audit, and in particular, ensuring that contracts accommodate the rights of regulators and other supervisory authorities to access and audit relevant data. In order to address these concerns, there is a need for regulatory guidance and for simplifying and streamlining compliance. One example is the different interpretation of GDPR by banks and cloud suppliers. There is a need for standard contract clauses setting out minimum requirements (e.g., for audit).

Question 3: What opportunities and threats arising from FinTech do you foresee for credit institutions?

The Fintech world is made up of start-ups developing new solutions and business models alongside and often in collaboration with traditional financial institutions and mature tech companies who themselves are digitising and innovating the way they deliver products and services for their customers.

This transformation has the potential to greatly benefit European consumers offering them the opportunity to have direct access anytime, anywhere and on any device to better information and new products and services. The application of new technologies such as distributed ledgers or cloud computing can increase efficiency in existing processes and activities; big data and analytical techniques allow firms to better address individual customer needs and help people take better financial decisions; and digital channels — together with automation technologies in general — reduce operating costs and improve access to financial services. Moreover, these technologies have lowered the barriers to entry to a number of financial services activities, in many cases through new business models such as marketplace platforms and enhanced market resilience through more sound and consistent processes. This increased competition is a stimulus for all players to offer greater value to customers.

The digitalization of financial services is also an opportunity to strengthen the EU single market, as recognized in the European Commission’s action plan on Retail Financial Services and CMU. For example, digital channels allow providers to cost-efficiently reach geographically dispersed customers without having to expand their physical presence. Therefore, with a harmonized regulatory framework, the Fintech transformation can help to overcome the existing EU market fragmentation and further increase choice for European consumers.

Financial institutions, as well as transforming their traditional activities and internally developing new digital businesses, are investing in Fintech start-ups. This is not only a growth or diversification strategy, but also a way for banks and insurers to learn about new technologies and in some cases acquire new capabilities to keep the pace with digital change. On the other hand, Fintech start-ups might be looking for financial institutions to help them scale up and in some cases support them with their capabilities, such as carrying out customer identification, compliance tasks, bank account provision and other complex or highly regulated functions. Moreover, some Fintech firms (e.g. lending marketplaces) and financial institutions have reached agreements to refer customers to each other under certain circumstances.

These interrelations — and new ones — will gain even more relevance in the near future. Taking this into account, any policy or regulatory approach to Fintech must be broad enough with respect to the different types of providers.

We see several important challenges:
• Ensuring a level playing field among all actors including fintechs and Tech giants
• Providing maximum protection and prevention of cyber risks, with start-ups being generally more vulnerable than incumbents
• Ensuring an appropriate European data governance in a context of continuous technological evolution and expanding data sets
• Implementing GDPR, in particular, and ensuring that customers and the public understand how their data is used and have confidence that it is treated appropriately; and
• Integrating open source technologies

Question 4: Are the issues identified by the EBA and the way forward proposed in subsection 4.2.2 relevant and complete? If not, please explain why.

We share the findings of the EBA regarding the series of risks identified: increased conduct problems, fraud, cybersecurity, subcontracting and personal data management issues, lack of expertise, inadequate technological infrastructure, increasing use of the cloud, in addition to a stronger competitive pressure. In this new context, a certain number of texts, specific to the banking industry or based on a cross-sectorial approach, already cover these risks, such as the GDPR, the NIS Directive or the guidelines on subcontracting.

In our view, the danger would be to regulate even more specifically the incumbent credit institutions without regulating the actors who are performing similar activities; this is particularly important because of potential distortions of competition given the comparative advantage of Big Tech players. The approach should therefore be holistic and by nature of activity and should remain competitive compared to other sectors, while players are becoming more and more multi-sector.

Question 5: What opportunities and threats arising from FinTech do you foresee for payment institutions and electronic money institutions?

One of the main issues of the new "Open Banking" approach arises when it bypasses the one-on-one contract between the third-party service providers and the bank, and when it allows the continued use of uncontrolled technologies like screen scraping. First, it makes it more difficult to put in place win-win business models between the actors; but in doing so, it also makes it almost impossible for the bank to assume its responsibility for protecting clients’ personal data. The bank will rely on the third party’s capability to guarantee security and data protection, with few audit trail possibilities, even if the bank will most often be the first point of contact for the customer in case of a claim.

Another risk in a different area may be illustrated by Internet of Things applications. IoT means that more personal information and business data will exist in the cloud and be passed back and forth through thousands of devices that may have exploitable vulnerabilities. One weak link in the security chain could provide hackers with nearly limitless doorways that could potentially be unlocked and lead them to data. Privacy is a serious concern not just in the IoT, but in all the applications, devices or systems where we share information. Even when users take precautions to secure their information, there are conditions that are beyond their control. Hackers can now craft attacks with unprecedented sophistication and correlate information not just from public networks, but also from different private sources, such as cars, smartphones, home automation systems and even refrigerators.
Currently, more things are connected to the Internet than people, according to an infographic from Cisco. It goes on to say that 25 billion devices are expected to be connected by 2015 and 50 billion are slated to connect by 2020. In this quickly evolving world, all the things that connect to the Internet are exponentially expanding the attack surface for hackers. A recent study showed that 70 percent of IoT devices contain serious vulnerabilities. There is undeniable evidence that our dependence on interconnected technology is defeating our ability to secure it.”

Start-ups, due to their youth and relative lack of resources as compared to large groups, can be exposed to certain types of cyber security risks linked to IoT:
1. Insecure Web interface
2. Insufficient authentication or authorization
3. Insecure network services
4. Lack of transport encryption
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configuration
9. Insecure software or firmware
10. Poor physical security

Question 6: Are the issues identified by the EBA and the way forward proposed in subsection 4.3.1 relevant and complete? If not, please explain why.

We agree with the EBA’s proposed approach and would be pleased to take part in one of the interviews of credit institutions to take the opportunity to discuss our approach to adapt our business models in the context of digitalization.
We concur with the observation that the current context is quite a challenging period, with low profitability and huge competition in the battle for the customer relationship and customer data. The rise of digital identity and data flow monetization are also leading to customer-centric approaches and leading to a distributed bank scenario. Digitalisation is also forcing many incumbents to modernize banking infrastructure to support transaction immediacy.

Question 7: What are your views on the impact that the use of technology-enabled financial innovation and/or the growth in the number of FinTech providers and the volume of their business may have on the business model of incumbent credit institutions?

There are huge economies of scale in the nearly monopolistic structures that Big Tech companies have become. There is therefore a high concentration and market dominance risk.

FinTech is leading incumbent credit institutions to adapt their business models, and this has been the case for several years. That said, banks are creating value by linking up with ecosystems of start-ups and technology innovators, and are also innovating themselves in significant ways.

Question 8: Are the issues identified by the EBA and the way forward proposed in subsection 4.3.2 relevant and complete? If not, please explain why.

We agree that it is important to focus on these two areas as they are at the forefront where actors are making use of FinTech and driving innovations and changes in consumer behavior.

Question 9: What are your views on the impact that the use of technology-enabled financial innovation and/or the growth in the number of FinTech providers and the volume of their business may have on the business models of incumbent payment or electronic money institutions?

Fintech has the potential to increase efficiency and reduce costs, to improve access to, and delivery of, financial services, to enhance the customer experience and to create markets in new and innovative financial services products. It also poses risks, including money laundering, cyber-security, consumer protection and data privacy. However, we believe the benefits far outweigh the risks, including those to the business models of incumbents, because banks are increasingly adopting FinTech and partnering with startups in pursuing these new opportunities.

BNP Paribas has partnered with dozens of start-ups as well as made a number of strategic acquisitions, such as recently Compte Nickel in France. The bank also sponsors a number of incubators and innovation hubs in several of our major domestic markets. Hereunder we provide but a few examples of BNP Paribas’ ongoing work using innovation with FinTech.

A pilot project using DLT technology. A recent BNP Paribas pilot successfully demonstrated the feasibility of using blockchain to optimize the global internal treasury operations of the bank. It highlighted how an internal, private blockchain could be used to improve operational efficiency by providing a more integrated cash management approach between businesses, allowing greater flexibility and a 24/7 capability. This marks a milestone for us in using blockchain-based solutions as a practical and innovative approach to respond to a business-driven need, in particular extending the working hours up to 11 hours. This not only allows treasury optimization improvements, but also a common view of liquidity positions across locations globally. It also allowed the bank to boost the interoperability of the legacy systems combining the private blockchain with the existing IT environment via software robots and APIs.

Although it is still too early to determine how the technology will evolve and whether it is suitable for large-scale deployment, the pilot demonstrated the clear strengths of private blockchain and its potential as one of the most effective ways to improve the existing internal processes between different businesses on an international level.
This research project is part of a larger group of initiatives conducted by other entities of the bank regarding blockchain, for example the Cash without Borders launched this year by our Transaction Banking business, and highlights how BNP Paribas is gaining on those technologies.

Internet of Things (IoT): In March 2017, BNP Paribas became Munich Watson Internet of Things Centre’s exclusive partner for the banking sector. This is an opportunity for the BNP Paribas Group to experiment and create new solutions. This self-learning and cognitive software has since been put to use in three major fields: healthcare, automotive and banking. A proper new hub for new technology and an innovation ecosystem, the Munich IoT Centre is Watson’s first experimentation and development laboratory in Europe. The first result of this partnership is a private investors’ assistant for Consorsbank (part of BNPP Personal Investors) clients. “Digital Advice” will be the personal advisor to Consorsbank’s clients and will be a fully digital, MiFID-compliant advice solution. It will engage and interact with the client in a natural way throughout the advice process, from first contact, through client profiling and the investment proposal, to the execution of orders. The client can ask questions of any complexity at any time, for example: how does an investment fund actually work? Why does it make sense to invest in Europe? Digital Advice is capable of immediately answering all questions, whether they relate to products, financial know-how and/or portfolio information.

Telematics (interdisciplinary field involving telecommunications, vehicular technologies, road transportation, road safety, electrical engineering ...): Developed in a Parisian start-up incubator by a dedicated team, Arval Active Link is a one-of-a-kind telematics offer, initially launched in September 2015. Now available in various European countries (Belgium, Czech Republic, France, Germany, Italy, Netherlands, Spain and UK), Arval Active Link was the first integrated telematics offer on the market. This innocuous in-car telematic box provides a wide range of information to subscribing customers of Arval (our car leasing subsidiary), including data about fuel efficiency and consumption, CO2 emissions, mileage and driving styles. Drivers can use the platform for feedback and analysis about their driving, which should lead to their driving more responsibly. Subscribing fleet managers can track the performance of the fleet in real time, while Arval can use the data for statistical purposes and for claims management. Data privacy is obviously a critical issue and the service has been set up from the very beginning to ensure compliance with personal data protection regulations in liaison with various control authorities.

Question 10: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.1 relevant and complete? If not, please explain why.

Existing regulations provide a solid level of protection and will continue to do so. A prerequisite is to ensure that consumers are protected and that financial stability is ensured, irrespective of who the provider is. Therefore, it is necessary to maintain a level playing field regarding the regulation of potential competitors/sectors and between Member States, when issues such as KYC, digital signature and MiFID are addressed. Several risks have been identified which may have an impact on consumers' rights when dealing with cross-border operations: insofar as two different laws could be applied, clarification is needed on which is the right one to be applied. Divergences in national regulations could lead to difficulties in the context of the freedom to provide services.

It is fundamental that the "level playing field" rule (the same rights and obligations for all actors and in all countries for a given activity) be applied (see Q1). Current asymmetries hinder innovation, for example for traditional banking players subject to the existing banking financial regulation. They can also create risk situations for consumers, who do not have a homogeneous level of protection, but also for all the financial institutions.
For example, financial institutions can be directly affected by fraud problems linked to cyber security issues encountered by certain actors, or more indirectly by the weakening of consumer confidence in financial services.
The diffusion of digital technologies potentially leads to several new types of risks for consumers, linked to the quality of information, cyber-security, data protection, and the emerging new models and new players that are challenging in terms of supervision evolution. Innovations are indeed valued differently depending on the different countries' authorities. As an example, IDnow's videoconferencing solution used by Number 26 in Germany has been approved by the BAFIN as a possible means of remote identification. However, such solutions are not available in some other Member States, creating an uneven competition market. A European technical authority might be able to quickly assess the reliability of innovative technical solutions, on which local authorities could rely.


As a conclusion, EBA acknowledges that the authorization status of FinTech firms is crucial not only in terms of competition but also in terms of consumer protection. It seems difficult to envisage that 53% of FinTech firms could remain outside the EU framework considering the imperatives of stability of the financial system and protection of the consumer.
As a level playing field is key to ensure not only fair competition but also consumer protection, the same regulatory conditions and supervision should apply to all actors who seek to innovate and compete on Fintech: incumbent banks, start-ups and Big Tech firms. The authorities must always apply the "same services/activities, same risk, same rules, same supervision" principle in order to ensure consumer protection and market integrity. As the value chain includes different kinds of actors and becomes more complex, all firms should go through the same process from design to sales to avoid any regulatory arbitrage in responsibility-sharing.

Question 11: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.2 relevant and complete? If not, please explain why.

As indicated in the previous answer, we would see a need to extend the regulation in place to non-regulated FinTech firms in order to address cross-border issues and minimize the risk of regulatory arbitrage (as well as Member States gold plating. This also raises the issue of passporting of licenses from Member States that may be less rigorous in their application of EU rules and standards or arising from incoherence among different EU texts –witness the 23 national discretions under GDPR. Thus, effective harmonization of existing rules is needed. Moreover, regarding any future actions or regulations, the principle same service, same risk, same rules" should apply.

Also, we would point to a report by the Financial Service Information Sharing and Analysis Center (FS ISAC) published in July 2016, "Survival Guide: European laws and regulation regarding cyber information sharing," which constitutes a good illustration of the lack of harmonization regarding national customer protection laws, and which limits the sharing of data, even to fight cybercrime.

Question 12: As a FinTech firm, have you experienced any regulatory obstacles from a consumer protection perspective that might prevent you from providing or enabling the provision of financial services cross-border?

The rules of international private law require that professionals comply with the consumer-protection rules of the consumer's habitual country of residence when a professional directs his activities to consumers from another Member State. Consequently, it would be very costly for banks to adapt their contracts to each Member State's market.

It is also necessary to harmonize the European framework regarding the prevention of money laundering and terrorism financing (AML/CFT), to ensure the 4th Anti-Money Laundering directive is implemented in a consistent way as the acceptance of the means for identifying customers remains on the Member States.

In this regard, the European framework needs a deeper orchestration of the regulations that will pave the way for the use of digital solutions, such as e-identities, with financial regulated processes such as Know Your Customer and Anti Money Laundering in order to provide a frictionless entry point into financial services. Therefore, consistency between overlapping frameworks of regulation (data privacy, consumer protection, cybersecurity, financial regulation…) should be guaranteed.

In particular, we would support the appropriate standardization and regulatory frameworks to enable cross-border transactions and contractual agreements across EU borders, through non-physical channels.

For consumers, the main benefit is having a digital identity which is readily verified and can be used by them across borders and multiple parties, and which results in a more seamless, faster, more secure and successful application journey.

We firmly believe that the main benefit of the e-ID will be its transportability. Although the EU eIDAS Regulation creates an interoperability framework for the national eID systems, currently it remains up to Member States to define the terms of access to the online authentication of government eIDs by the private sector. We believe that this issue should be addressed. National eID systems should be made rapidly interoperable between Member States and with third countries and accessible for the private sector to verify the identity of customers at distance.

Question 13: Do you consider that further action is required on the part of the EBA to ensure that EU financial services legislation within the EBA’s scope of action is implemented consistently across the EU?

The supervision of credit granting actors should be reviewed at European level with a view to greater convergence of accreditation and supervisory practices. In the area of credit granting, the principles of solvency analysis are governed by the Mortgage Credit (MCD) and Consumer Credit (CCD) Directives. It is important to ensure that they are respected, including by new actors, notably those who operate remotely and bring innovative models. It will help ensure that the consumer is protected, with a focus on the risk of over-indebtedness.
However, some texts cover only credit institutions. Some specialized or alternative actors, who have pushed for the creation of new accreditation categories in certain countries and for crowdfunding, are not always subjected to the same requirements and supervised in the same way, which creates a distortion and does not guarantee good consumer protection.

With regards to security, financial actors are subject to a specific supervisory regime as a result of their activities, which is more supervised than other sectors. We believe it is necessary to extend the scope of cybersecurity regulation and supervision to all players who offer financial services and manage financial data. The security constraints imposed by regulators must be the same for all actors who handle or collect personal and bank data from end-to-end with the highest level of security (no weak link).
At European level, the European Commission wants to promote competition and innovation among financial players by "opening up" certain systems. It is necessary that these initiatives not be detrimental to the soundness (and even the "usability") of the systems in place.

Several points should be highlighted:
• The start-ups, which intervene between the client and the bank, should not conceal the information necessary to detect the fraud;
• The personal and banking information of our customers must be protected against the leakage of information, in the internal systems but also and especially in the "new actors" who consume this information and when they circulate between actors. This dissemination of information can facilitate identity theft or the development of models based on the monetization of customer financial data;
• The responsibility of each of the actors must be clearly defined in the event of an incident. Cf. language elements already elaborated in the context of the Green Paper on dual consumer protection laws.

In conclusion, concerning disclosure requirements, as already acknowledged by the European Commission, a lot has been done over recent years to ensure that information disclosure is effective, transparent and comparable. EU measures such as the MCD, the CCD, the PAD, the Undertakings for Collective Investment in Transferable Securities (UCITS) Directive, MiFID II, PRIIPs Regulation and IDD, have a heavy impact on retail financial services. They entail tremendous costs which have not yet completely been implemented in many countries.
In our view, no new regulation is required at the moment. It is preferable to make use of existing extensive regulation protecting consumers and to give them time to produce their effects. Secondly, the impact of new technologies, in terms of benefits and potential risks, has to be studied before deciding on new regulations which may stifle innovation. In line with the principles of better regulation and proportionality, it would be important to evaluate the impact of these measures before introducing new ones.

Question 14: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.3 relevant and complete? If not, please explain why.

Unfair, deceptive or aggressive commercial practices and unfair terms are already largely regulated. More generally, customer information is subject to many obligations for all financial services.

We agree on the findings of the EBA concerning non-regulated FinTech firms, which may have unsuitable or non-existent complaints handling procedures and should receive attention. Currently the regulators tend to assign to incumbent banks the role of "claim concentrator" without fair compensation (notably in PSD2).
As far as regulated Fintech firms (banks) are concerned, consumer protection is ensured:
- Thanks to the quite recent Consumer ADR Directive, low-priced mediation and reconciliation mechanisms will be expanded further. In addition, directives on unfair terms and unfair business-to-consumer commercial practices provide the consumer with sufficient protection from any abusive sale of financial products.
- To help consumers to find adequate redress mechanisms in cross-border situations, the Financial Dispute Resolution Network (FIN-NET) was founded in 2001. We are in favor of measures for expanding the use of FIN-NET.

We also agree that an issue to look into in the context of consumer protection is the legal liability of each actor involved in a given service. As such, it could be argued that the best approach for ensuring consumer protection is for banks to take a risk-based approach to mitigating and controlling for possible consumer protection risks.

Question 15: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.4 relevant and complete? If not, please explain why.

BNP Paribas very much supports the proposal for the EBA to conduct an in-depth review of the EU legislation requirements that may restrict digitization. We would also recommend that a strong link be made to the Commission’s retail financial services action plan as well as its CMU initiatives. It is important to remember that much has been and is being done and it is key therefore to coordinate efforts.

The present landscape is very fragmented and there are strong cultural and technical differences between the available products in the EU. So, we are of the view that improving the EU passport with a better harmonisation of prudential rules, for instance, would be in the short to medium term a way to give larger choice to customers and improve competition between financial service providers, including in the digital space.

Question 16: Are there any specific disclosure or transparency of information requirements in your national legislation that you consider to be an obstacle to digitalisation and/or that you believe may prevent FinTech firms from entering the market?

Yes, the national provisions on dematerialized documents still discriminate on many points.
Here are some examples:
• Contractualisation: The rules governing the remote selling and canvassing of financial services are not harmonized, contrary to what has been done for other sectors with the Hamon Law, transposing the Directive 2011/83/EU on consumer rights, resulting in the merger of the legal regimes of so-called direct marketing and distance selling. In the financial sector, it is therefore necessary to apply two regulations instead of one, with provisions that are not completely identical. This does not facilitate the implementation of multichannel paths.

• Execution of the contract: the electronic writing is still discriminated against compared with the written paper (according to article 314-26 of the RGAMF, a formal option of the customer is needed for electronic communications). This article could be adapted.

Question 17: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.5 relevant and complete? If not, please explain why.

Financial and digital literacy go hand in hand in the context of the digitalization of financial services, CMU, and consumer protection, in particular from cyber risks. Financial literacy has been increasingly considered by policy and decision makers as a life skill of the 21st century necessary to enable individuals to achieve a long term financing of the economy. The importance of financial education has also been recognized at the highest policy level by G20 Leaders as a complement to financial consumer protection and inclusion with a view to achieving financial stability.

Other trends besides digitalization and FinTech push for making very significant progress in improving financial and technological literacy. Prior to the 1980s, Social Security and employer-sponsored defined benefit (DB) pension plans were the primary sources to support retirement. Today employers, and therefore employees, are increasingly turning to defined contribution (DC) plans and Individual Retirement Accounts. The transition to the DC retirement saving model has the advantage of permitting more worker flexibility and labor mobility than in the past, yet it also imposes on employees a greater personal responsibility to save, invest, and accumulate retirement wealth sensibly. Furthermore, the spread of DC plans means that workers today are directly and immediately exposed to financial market risks.

Research has clearly identified the pressing need for greater financial literacy, but the challenge is not yet being met. A review of studies and surveys in the United States and other countries shows that the level of financial literacy among the population is very low. Moreover, financial literacy does not seem to be improving over time. Financial illiteracy is both widespread and particularly severe among specific demographic groups. This has consequences for both individuals and society as a whole because financial literacy plays an important role in financial decisions.

Financial consumer protection should be reinforced with investor education policies. Such initiatives need to be embraced by Public authorities, industry associations and investment advisors/managers. The public authorities have a leading role to promote financial education, especially starting at school. Of course, authorities should also call on industry to co-ordinate common actions and incentivize all actors to do their part.

Question 18: Would you see the merit in having specific financial literacy programmes targeting consumers to enhance trust in digital services?

We welcome the way forward suggested by the EBA to continue to coordinate and foster national initiatives on financial literacy as the financial instruction and education are everyone's concern, specially including the public authorities, as these are issues that go far beyond the framework of a mere banking relationship.

BNP Paribas favors putting in place financial education programs integrating specifically digital aspects. In this regard, our company is implementing several new initiatives (either directly or by supporting actions of various associations). We are well aware that banking in the digital era requires specific measures due for example to new risks from the increase of online payments and cyber security issues. Financial education should serve to allow safer usages on the part of consumers and as a result generate higher consumer trust.

Question 19: Are the issues identified by the EBA and the way forward proposed in subsection 4.4.6 relevant and complete? If not, please explain why.

We agree that EBA should do further work with the other ESAs on big data and produce recommendations or guidelines on its use in the financial sector. In pursuing that work, however, we would underline the importance of analyzing the potential gains and benefits of Big Data applications for consumers (increased access to credit, better product targeting and advice, lower costs, improved KYC, security….) and businesses (efficiency, lower cost of risk, customer experience….), not only the risks. This will help balance policy perspectives on the potential benefits and costs of any eventual proposed measures.

As a general observation on big data and AI, we believe that big data analytics will have positive impacts for customers in terms of availability and affordability of services and products. Big data can be used to help industry to ensure that products will be sold to the relevant customers, but also to ensure that products are perfectly adapted to clients’ needs. It can also improve consumer access to credit. Indeed, traditional data do not always allow the extension of credit to some more vulnerable sectors of the population. Big data allows a better knowledge of consumer behavior, which can help facilitate access to credit. Also, big data can help make services available to more people by lowering costs and barriers to access. In insurance, for example, the use of big data can make it possible to fine-tune prices and to reduce them, to insure more people and especially to improve prevention in the first place.

Regarding consumer protection, we would underline that large banks are required to establish and operate sound and strong conduct and internal control mechanisms. They also must have in place effective procedures for consumer protection and risk assessment under numerous regulations implemented since the crisis. Also, supervisory authorities have the required competences to enforce regulations. Finally, we would underline that consumers have been entrusting banks with their personal data for a long time and expect them to make appropriate use of it. For these reasons we do not feel that there are significant risks for consumers arising from the use of big data by financial institutions.

Thus, regarding regulation, we would underline that there are sufficient existing regulations already aimed at improving availability and affordability (i.e., PAD, consumer protection regulations…). We do not see the need for additional measures at this point - with a caveat regarding cybersecurity issues. Moreover, we do not think there would be merit in prohibiting the use of big data at this stage. Rather the focus should be on effective implementation of existing directives and regulations (e.g., NIS, GDPR, PSD2, e-IDAS…) and on allowing for research in the development of new products and services through the use of big data. As mentioned earlier, regulatory sandboxes can provide the opportunity to do this. Once again, the issue of cybersecurity should be carefully assessed.

Question 20: Are the issues identified by the EBA and the way forward proposed in section 4.5 relevant and complete? If not, please explain why.

We concur with the finding that resolution-related requirements for the authorization of startup FinTech firms are needed as some divergent practices are adopted in various Member States. Here again, we point to the need to apply the principle of “same service, same rules” for all actors.

We are of the view that resolution requirements should be proportional to the risks involved and should not be generic.

Question 21: Do you agree with the issues identified by the EBA and the way forward proposed in section 4.6? Are there any other issues you think the EBA should consider?

We share the EBA's view that it may be appropriate to explore the different national approaches for AML/CFT purposes.
It appears necessary to strengthen the knowledge and expertise of the local authorities regarding Fintech initiatives, in order to:

1. enable them to understand and to identify more concretely the AML/FT issues raised by Fintechs,
2. harmonize the approach, in terms of controls and sanctions,
3. provide guidelines on the roles and responsibility of each actor: Fintech firms and existing financial institutions (banks, management companies, insurance companies, asset managers, …).

Providing that the data are accurate and up-to-date, the use of Big Data tools can help financial institutions to comply with their KYC obligations, in particular the obligation of vigilance in respect of customers and business relationships, and the obligation to report any suspicions to the Financial Intelligence Unit (FIU) in France and similar agencies in other Member States.
Due to the continuing expansion and very high volumes of real-time banking transactions (which poses systemic risk issues) and customer information, a KYC/AML/FT policy is inconceivable and ineffective without the use of computer tools that allow the automatic filtering of transactions and countries under embargo, as well as the ability to profile and scan customer transactions against AML/CFT scenarios configured by each financial institution (in order to be able to detect suspicious behavior and finally report AML/FT suspicions to FIU).
However, the performance of computer tools depends entirely on the reliability of the data they contain and their configuration. The development of Big Data technology can be used to collect, share and process a vast quantity of multi-structured data (for example: card payments, withdrawals from ATMs, account consultations via smartphone) and semi-structured data (mails and customer Internet site history), as well as unstructured data from call centers or tele-meetings with advisors. Big Data tools make it possible to analyze transactions very fast and to cross-check them, for example with geolocation data. A thorough predictive analysis of customer behavior can be used to anticipate customer behavior and to enrich the scenarios configured in the profiling AML/FT tools.
In addition, Big Data tools can increase the reliability of customer data analysis by using the technology to find absent data or data that has not been updated in customer records, in order to allow the financial institutions to comply with their obligation to have an accurate knowledge of their customers and business relationships. The main benefits for the update of customer records through big data tools allow financial institutions to:
• improve their knowledge of their customers on a permanent and continuous basis as the update can be automatized
• decrease the administrative costs linked to such manual research of KYC data, or linked to requests to the customers to obtain the required updated KYC data
• improve the customer experience (no regular requests of information from the financial institution, which can be several times in a same year when the customer has multiple relationships in different business lines within a financial institution not having a common and shared KYC database).

The same benefits can be transposed at the time of the first acceptance of the customer, especially when the financial institutions business model is based on digital processes (Internet, phone…) or through commercial partners, where a short time-to-yes for acceptance is a key success factor in a more challenging and competitive framework.
In concluding, we would also note that KYC legal obligations rely on official documents (e.g. ID, passport…), external documents (e.g. proof of residency, proof of incomes…), external databases (e.g. anti-money laundering…) and information provided by the customer (e.g. income and assets…). The efficiency of the process could be enhanced by the usage of digitalization, allowing the delivery of a better user experience and helping to combat fraud. Banks should be allowed to access some databases in order to assess the authenticity of information provided by the customer. This access should be granted under very strict conditions and mechanisms (e.g. positive / negative answer) to preserve the confidentiality of the data. Such schemes could also be used to keep KYC elements up-to-date. Digital identity, as defined in the framework of the e-IDAS regulation, will be a critical tool to improve the efficiency of KYC processes.

Question 22: What do you think are the biggest money laundering and terrorist financing risks associated with FinTech firms? Please explain why.

The new financial players may be outside the scope of the banking sector regulation and subject to less stringent AML/CFT rules than are banks. These regulatory gaps or loopholes may lead to some distortion of competition, which may violate the level playing field principle and lead to increased potential for financial crimes.

The biggest money laundering and terrorist financing risks associated with Fintech firms are based on the following issues:

• The innovative approach and the rapid growth of Fintech firms have created a legal vacuum and a lack of regulation which could generate significant AML/TF risks (Example of crypto-currency, new card payments services between individual clients, crowdfunding platforms).

• The lack of clear and homogeneous regulation and legislation of these new players from one country to another makes the checks and controls carried out by financial institutions difficult and inefficient, in countries where regulation is more severe. In the context of the internationalization of money transfers between individuals, the approach between the different EU countries could raise the AML risks, for example issues of crypto-currency.

• Fintech offers/services/products are often complementary and/or simplified compared to the traditional banking offers (e.g. payment service providers); they rely heavily on KYC due diligence carried out by banks or other financial institutions. Financial institutions which are also relying on Fintechs for final transaction checks could impact the complete overview and risk management of the global business relationships monitoring. Banks which impose and put in place a strong and rigorous approach must rely on the diligence implemented by Fintech firms without being able to assess and ascertain the quality of the process and control implemented.

• Some products offered by Fintech can create opacity / anonymity in transactions between individuals, which increases the risks of money laundering and terrorism financing. For example, the payment service providers offering payment services between individuals through their bank cards. Based on the principle that it is not possible to formally identify a cardholder only through the number of their own cards, card transactions carried out through these Fintechs for banks could generate a break in the traceability of financial flows between individuals.

In this area also, with regard to passporting of firms, it is critical to ensure that supervision is carried out with high level standards across EU Member States.

Question 23: Are there any obstacles present in your national AML/CFT legislation which would prevent (a) FinTech firms from entering the market, and (b) FinTech solutions to be used by obliged entities in their customer due diligence process? Please explain.

Here we would mention in particular the lack of transposition, as is the case today in France, of digital identity as an obstacle to the deployment of new identification solutions (digital identification, facial recognition, fingerprint identification, ...), which present a higher level of reliability than the classical solutions of identification, especially in case of remote relationships but also in face-to-face.

It appears important to facilitate and to promote the development of Regtech in order to reduce/mitigate the risks associated with Fintech products.

Name of organisation

BNP Paribas