Credit Agricole Group welcomes the initiative of the EBA aiming to understand challenges and impacts generated by the acceleration of the technological innovations, and the new landscape, which results from it.
The terminology and conceptual work of clarification presented in the introduction of the DP seems to us very accurate and necessary.
a) The choice to support the FSB definition of FinTech, understood as « Technologically enabled financial innovation that could result in new business models, applications, processes or products with an associated material effect on financial markets and institutions and the provision of financial services » (§4 of the DP).
As such, this definition is neutral, and includes the process of modernization and technological implementation which has taken place for decades in the banking and financial sector at the initiative of the industry, as well as the new developments at the accelerated pace of recent years.
b) The more and more frequent distinctions since the mid 90’s (evoked in §1 of the DP) between
- Banking and financial products and services
- Risk linked to those products
- Financial institutions managing these risks
which can be managed more and more frequently by players having different statuses benefiting from a banking license or not.
c) Within the framework of this process of clarification, we think the classification of actors in the field of FinTech must be refined, being inspired in particular by the Basel Committee on Banking Supervision (BCBS) in its Consultative Document of August 2017 (Cf. BCBS, http://www.bis.org/bcbs/publ/d415.pdf, page 15):
- Financial Firms (FF)
- Start-up company Tech Firms (SUTF)
- BigTech Firms (BTF):
• GAFA, Microsoft, IBM, etc.
• Including TelCos.
• Or any actor who may participate tomorrow with important financial means and a significant number of clients, such as, for instance, car manufacturers in the field of IoT…
Two other remarks that seem important to us in this introduction:
1) The necessary equal treatment of the participants if their activity concerns one of the activities described in section b) above;
When rules and / or supervision exist, they have to apply to whoever exercises these activities, for the sake of a level playing field as well as consumer protection and systemic risk prevention.
Regulation and supervision shall apply without consideration of the status of the provider nor its size, but according to the activity that is performed and the risks that are taken.
The purpose should mainly focus on data protection and security issues that impact our core business and the customer relationship.
Furthermore, we want to stress that international agreements shall apply to limit worldwide level playing field issues as well. Agreements are to be sought to align international regulations, for there are no more borders with digital activities. For instance, any transaction in bitcoin can be considered cross-border because it is part of a cross-border network by design.
In addition, non-sanctionable countries, rejecting international regulation, are a major issue…
Special attention should be paid to the opportunity to create an ecosystem including all the actors (start up and traditional, regulators and supervisors …) in order to stimulate and simplify the innovation process.
2) The necessary formalization of relations between Financial Firms (FF) on the one hand, and SUTF / BTF on the other hand, as the latter access or request to access the data or the infrastructures accommodated on the servers of FF.
A framework shall be designed to define, for instance:
- Conditions for access to the data (which one? frequency? response times? etc.);
- mutual liabilities in case of dysfunction;
- remuneration for the use of the banking infrastructures
- Etc. …
It is important in particular that the modalities of access are agreed upon; otherwise, they may generate clogging of access to banking networks putting FF in operational risk.
In this matter, PSD2 is the illustration of a political directive which forgot to address the industrial side dealing with the infrastructure.
This problem is all the more sensitive because the multiplication of requests may generate sizing or dysfunction problems for FF, as well as additional costs that FF should not be the only ones to bear. This situation penalizes the share of added value on the whole value chain.
REPLY TO QUESTION 1
Sandboxing can of course be an opportunity to innovate on a reduced data field without necessarily respecting all regulations. Ex: card for caregivers, use of biometrics, crossing bank details / insurance...
If Europe wants to innovate and keep up with the USA or Asia, their firms should be allowed to make experiments that will make new and competitive innovations, sometimes disruptive compared to the state of the art of regulation.
In this context, easing the rules shall be a priority. For instance, in the field of protection of personal data, the rules do not distinguish large-scale processing from tests in the case of experiments, and imply a risk of sanctions.
We think that a framework should be defined for sandboxing, in which objective criteria (number of clients involved in the test, e.g. less than 10 000, duration of this test, volume of transactions, etc.) could be the kind of limits inside which tests could take place.
Obviously, authorities such as CNIL should adapt their process (authorisations …) to meet the time to market goals and the new IT innovation models based on agility such as the digital lab in our group.
Artificial Intelligence: Allow Machine Learning and Deep Learning testing, but impose a human safety barrier on the decision.
A remark to begin with: § 77 insinuates that Fintech (SUTF / BTF) would improve quality etc., suggesting that FF would not be able to address customer demand for more customer-focused solutions. As a matter of fact, FF have demonstrated that they can already deliver cheap services and products, as many online banking services provided by FF are… free of charge.
§ 78 seems biased in suggesting that ‘credit institutions’ cope with increasing risks and specific “lack of expertise”. Recent affairs revealed by the press do not confirm that SUTF / BTF would be exempted from this kind of problem, as our day-to-day work with SUTF confirms. For instance, one can just consider that PayPal is still unable to provide two-factor authentication while FF have done this for years.
FF have demonstrated through the years their ability to adapt their risk management to the appearance of new technologies. Online banking offers more and more functionalities without having given way to an explosion of fraud levels.
It would be more accurate to explain that any firm that deploys FinTech will be challenged by a never-before-seen pace of innovation, fraudsters’ cleverness and the inability to act legally in a worldwide cybercrime panorama.
When reading § 80, it appears that a particular point is pointed out without really being addressed. In the recent past, the security of a financial service was spread and managed among actors inside the same group (online banking, CERT, back office, payment systems) and security measures were designed to reinforce each other. For instance, while the online banking offers the ability to transfer money to countries well known for hosting “cybercrime industry”, the back office performs more thorough verifications of these risky transactions. The emergence of risk in particular destination countries is detected thanks to threat intelligence and detection and elimination of phishing campaigns and platforms.
With new entrants, those chains of security measures will be broken. FF will have to process transactions for firms that cannot afford phishing monitoring and countermeasures.
In summary, while FF have demonstrated their ability to deal with technology changes and master related risks, the real change will be that the principle of coherent chains of security measures will be jeopardised.
We believe that §85 should be changed as follows: ‘The EBA considers that further work should be conducted on identifying the prudential risks and opportunities for credit institutions stemming from the use of new technologies AND THE SPREADING OF SECURITY MEASURES AND RESPONSIBILITIES AMONG UNCORRELATED ACTORS.’
And § 86.a should be changed accordingly (‘from technological innovations and uncorrelated actors’ responsibilities and roles in the global security of financial services’).
Credit Institutions have demonstrated their ability to embrace new technologies every time the opportunity arose (dematerialisation of money, fully computerised dealing rooms, online banking, SEPA, open banking, etc.).
There is no reason that they could not take benefit from innovation as long as every player is treated evenly in terms of constraints and regulation.
It is of paramount importance to take into consideration two different issues: the physical branch on the one side and the role of the banking advisor on the other side.
We are firmly convinced that customers wish less and less to move physically to the local branch for day-to-day banking operations, but they remain attached to the value of the human contact with their advisor for added value issues such as wealth or real estate management. Digital technologies make it possible to give additional value to the relevance of the banking recommendation via the advisor.
Beyond the upheaval brought by SUTF to banking landscape, it seems to us that the reflection must be especially centred on BTF.
• Indeed, SUTF possess - and it is their point of excellence - an expertise in User Experience.
• However, BTF combine key potentialities:
- Undisputed know-how in User Experience
- Considerable financial means, allowing them to invest in promising SUTF
- Powerful technological innovation.
- Data control
These innovations involve the entire financial sector (4.3.1- 92); among them, AI is certainly the most disruptive one and will affect not only the banking industry but also our customers’ industries, and will therefore apply to all of us. The impacts are not only about technology and competition but also social (casting for new higher skills leading to employment issues).
Concerning the business model, the EBA statement concerning cost and revenues (4.3.1- 93) is not so simple. The aim is to remain profitable and offer quality and services which meet the customer’s need. We need to invest in R&D, to adapt and maintain our level of performance.
Banks are committed to a long-term relationship with their customers and are engaged in a continuous improvement process to provide operational excellence. All the more so since the matter we deal with is very sensitive and concerns the intimacy of our customers.
Helping only FinTechs to launch their activities is not enough, since their aim is to innovate to generate value and sell their idea to big players in order to take profit from it. They know they are not profitable on a mid or long-term basis. In the banking industry stability is required; that is why the same rules should apply to all the actors.
It is impossible to answer in an unambiguous way to this question.
We think that the analyses in the consultative document of the BCBS (August 2017) on the banking landscape in a long-term perspective are particularly enlightening.
- The five scenarios they present as possible would set up completely different environments, whether the future is Better Bank / New Bank / Distributed Bank / Relegated Bank / or Disintermediated Bank, or, most probably, a mix of these various scenarios.
- The impact on banking business would be from strong increase in productivity of incumbents to a pure and simple disappearance of the same incumbents.
Beyond these considerations, a number of principles seem fundamental:
- Guarantee an equal treatment and requirement of the regulatory authority between all the players (FF, SUTF / BTF)
- All the participants shall assume their role regarding preservation and investment in infrastructures. The automated access to banking data without participation to the financing creates an imbalance towards FF.
- Lower costs of certain processes, thanks to technological innovations (Data, AI, dematerialization…) appearing and promoted aggressively by SUTF / BTF, make it possible to revisit certain domains such as pricing (freemium, more custom-made products and composite offers). However, the period for depreciation of the asset, namely infrastructures, has to be taken into account.
- Pricing models evolve, considering it is easier to present a very attractive pricing for the SUTF / BTF, which have no regulatory requirements of return on equity to finance in particular their credit business.
- Technologies aiming at a better knowledge of customer behaviour allow finer segmentations (easier to address new customers – credit scoring …) and more personalized proposals.
Three domains are key: Data, Customer Experience (with the risk of disintermediation if deceptive), opening and suppleness of IT systems.
Application Programming Interfaces (APIs) are key for all the players in this new competitive landscape and bring to the foreground new models such as for example:
- Model Bank as a platform: aggregation of functional components within a customer banking interface «User Experience Centric»
- Model Bank as a service: development of bricks integrated into platforms proposing financial services such as payment (e-merchants)
- Bank as a code: integration of the banking service via a code integrated directly by the developers of customer products.
We must insist on the need to monitor the way customer data is accessed, especially from a data security and risk management perspective. This means banning screen scraping in parallel to the opening of banks’ APIs.
Models of collaboration FF / SUTF / BTF seem possible in this context - where actors are able to innovate, quickly change direction if necessary and guarantee a level of customer service and strong customer expectations regarding reassurance and ethics/data management. Virtuous interactions resulting from partnerships can arise inside such ecosystems.
The answers to questions 6 and 7 also apply to the universe of payments knowing that the specific stakes around crypto-currencies, blockchain technologies and instant payment are obviously central.
The payment universe is the one in which BTF have invested most concretely today (see the convincing success of Asian Internet giants, even if those markets are specific compared to European ones).
See answer to question 8.
As mentioned before, it is of paramount importance that same regulation applies to SUTF / BTF as the one applying to FF, if those actors manage products or services and risks in line with the ones FF deal with.
Once again, the principle of same activity, same risk, same regulation and supervision shall apply.
Second, SUTF/BTF have to respect Rome II Regulation as FF do when delivering product or services cross border.
Beyond that, it would be desirable to go further than the recommendations of the EBA by setting up similar procedures as rescript for example. Authorities would keep the control of regulations application and make sure customer protection is effective.
- Certain practices authorized in a country are exported in countries which have not authorized the same practices yet or which have not set rules already. The procedure of rescript or one equivalent would allow competent authorities to reject practices if customer’s protection is not guaranteed.
- New players are rarely regulated, and are not even asked to have a recovery plan! The scope of regulation is sometimes difficult to establish on certain types of activities or services proposed by these new players.
The procedure of rescript or one equivalent would allow the competent authorities to take a position on the scope of deregulation in a concern of customers’ protection.
We agree with the need for more clarity on the regulatory perimeter for all firms. We want to add that the nature of the service itself has to be clarified, as well as the type of relationship that is being created by the SUTF/BTF with the client.
We also agree international cooperation among supervisors and regulators should operate for more effectiveness and they should adapt their own process and criteria when they address recommendations to our industry, which is moving forward, and adapt its process using new agile methods.
In addition to the answer to question 10,
- EBA guidelines and RTS are to be extended over time if/as some of the SUTF/BTF practices become a risk for consumers.
- All companies addressing one market should obey the same regulation. From that point of view, and for consumer protection, all firms should be regulated.
- The ultimate goal is to reduce the discrepancies between various regulations to create a more open, simpler to operate, cheaper and more efficient market place for consumers.
- The role and gap among national public authorities is also to be mentioned. To illustrate the case of the Estonian public administration and its data management (“once only” principle) vs our ….
- While country regulations remain different, the prevailing regulation for consumer protection should be the regulation of the country of residence. This is the simplest way to protect the consumer and avoid competition based on regulation.
- The harmonization and simplification would create a safer environment for firms as they would legitimately expect that financial rules apply all over the EU. Such an approach would facilitate the access to the consumer to the best possible financial services across the continent.
- Simplification of regulation across borders in the EU would be welcome, beyond the perimeter of SUTF / BTF. As to SUTF / BTF, we would expect them to abide by the same regulation as traditional financial institutions, i.e., wherever they are based, apply the regulation of the client’s country.
Considering once again that FF are also FinTech actors, we can say that the stacking of country regulation and EU regulation (lack of harmonization, gold plating during transposition, etc.) makes it more complex for all, and more difficult to provide a broad competitive market for financial services. The awareness of the consumer and his ability to manage and understand the different rules should not be forgotten, not to mention the costs…
We ask for a simplification of regulation across the EU, with the progressive cancellation of country specifics and the implementation of regulation on a consistent basis across all countries and for all actors, be they SUTF/BTF or more established institutions.
We agree with the proposal of the EBA.
We want to stress the following elements:
- We do not see why firms falling outside the regulatory scope should be permitted to avoid handling a proper process for complaints. Regulators should on the contrary focus more on companies still avoiding regulation;
- We underline again that one of the greatest concerns should be SUTF/BTF operating without supervision.
We agree that a proper management of complaints data has to be maintained by all actors. Their responsibility has to be clearly set out so that there is no confusion in the consumer’s mind.
We are in favour of digitalisation. We do underline here that mandatory references for clients, when issued by authorities, should be made available to financial institutions on proper request.
Beyond that, we think that the standardization of the information is a sensitive subject, both on a domestic and European level.
- We are in the field of new products that sometimes do not last long. Too early an intervention of the regulator in this field could restrain innovation, and come up against difficulties such as the need to reach a compromise or the time needed to reach a consensus at European level, which may be very long, with solutions not fully satisfying (cf. the difficulties met on MIF, PRIIPs, PAD…).
- This is even more true if the information must be displayed on devices such as mobile phones, whose display is too limited.
- The mandatory information shall not have the effect of standardization of products; standardisation kills innovation. Here again the concept of a fertile innovation ecosystem in the respect of data protection and security, promoting agility and simplification no matter who the players are, traditional or new ones, should be addressed.
- On the other hand, the customer must be clearly informed about the place (e.g. by an internet link…) where he can find a complete and not misleading information on the product or the service proposed to him.
Finally, we believe that the customer must be fully aware of the risk if he multiplies the sites to which he communicates or asks to communicate his personal information, among which his banking data.
- This shall be explained carefully, for the security of storage or access to his data could differ strongly according to the actors involved, and the consumer has to be fully aware of it.
- This is even more true as the information communicated by the bank to a third party can be communicated by the third party to a fourth party, and then to a fifth, etc.… all this with the implicit or explicit consent of the customer.
- With such a chain of transmission, there is a clear issue of liability, which becomes more and more complex.
For all these reasons, the level of requirement of the regulatory authority concerning the security of storage and transfer of banking personal information has to be at the same level as the one compulsory for banks.
As previously mentioned, AI will drive huge changes in the value chain of our industry. It will without any doubt result in optimisation and automation but will also have social and employment impacts, and this independently of who is the provider of the AI solution!
Credit Agricole Group fully agrees with problems identified by the EBA in the wake of new technologies, and by the working program proposed.
It is necessary to indicate that, even before resolution issues appear, the combination of:
- The simplicity of opening an account remotely on the one hand,
- The immediate transfer of funds made possible on the other hand,
with a background of more or less verified information circulating in an uncontrollable way on the social networks may generate pro-cyclic, even accelerating, systemic effects.
We can thus be afraid of an acceleration of the volatility of the movements of funds, and the risks of flight of capital in the face of a real or supposed risk.
To begin with, we would like to emphasize that the term “FinTech” is not mentioned within Article 2 ‘obliged entities’ of Directive (EU) 2015/849 (the AMLD), even before considering the lack of distinction between FinTech and non-FinTech firms.
Moreover, we would like also to highlight that the Directive mentions the situation of “high risk” within the Article 18(3):
o “When assessing the risks of money laundering and terrorist financing, Member States and obliged entities shall take into account at least the factors of potentially higher-risk situations set out in Annex III”:
“Product, service, transaction or delivery channel risk factors: […] (e) new products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products.”
Starting from that, we can conclude that the FinTech firms are classified as a ML/FT high-risk business by nature.
Considering that credit and financial institutions are ‘obliged entities’, that FinTech firms providing similar services are important, and that some of them are not included within the ‘obliged entities’ in all Member States, it would seem appropriate to know the European best practices in this sector associated with ML/FT risk. After collecting the information, the purpose might be:
o To define a common perimeter of FinTech firms ‘obliged entities’ to AML/CFT for all the European Member States. For instance, under French regulations, the following ones are subject to AML-CFT (not exhaustive list):
• E-money institutions and payment institutions: located in France, licensed by an EEA member state, or using the services of one or more persons or agents to operate in France;
• Crowdfunding agents;
• Banking and payment service intermediaries when acting under mandate from a client and accepting funds as agent for the parties;
• Anyone who by virtue of his habitual profession is either a counterparty or intermediary in the purchase or sale of any instrument containing non-monetary units of value that may be kept or transferred in order to acquire a good or service but that do not represent a claim against the issuer.
Some FinTech firms are ‘obliged entities’ and so have the same AML/CFT obligations as the Credit and Financial Institutions.
o To specify some solutions on an AML/CFT risk approach and Customer Due Diligence requirements, for instance, in terms of:
- Identification and verification of the customer, know your customer files and know your business files, AML-CFT risk classification relating to the risks to which they are exposed, combination of these two above elements in order to establish a risk profile for each business relationship;
- At the establishment of the business relationship and during the course of the entire relationship, ongoing due diligence on the customer and the customer’s transactions (risk-based approach) etc.
o While taking into account a context characterized more and more by partnerships between FinTech Firms and Credit or Financial Institutions, based at the same time on the flexibility of a start-up company and the power and the reputation of a Group:
Today, FinTech firms and Banks perceive themselves mutually as potential partners based on beneficial relationships such as business connections from customer to supplier, capital links and partnerships turned toward the innovation.
It depends on the type of FinTech firm, but the more the new technologies join the financial services (credit, deposit, transfer, payments, etc.), the higher the associated money laundering and terrorist financing risks.
- As already mentioned in our answer, in the EU, the Directive is not similarly implemented in the local laws; hence, FinTech is not defined in the same way, and some FinTech firms are not subject to the regulation and, for instance, are exempted from applying due diligence;
- Some local laws are less stringent and this entails a global risk for the economy (competition: FinTechs prefer to operate from countries with less stringent law and not in France) and for the AML/CFT’s regulation targets, (some of the FinTechs transfer their activities or operations within the countries with less stringent law. Hence, an aggravation of illegal activities could be faced in the near future).
In the French Financial Services: need of approvals / agreements from French Regulators (ACPR and AMF) and French transposition of the Fourth Directive more restrictive (please see before).
In the issue 132, EBA mentions differences in the ways to transpose the previous AMLD (Directive 2005/60/EC) by Member States, especially in respect of financial institutions’ ability to carry out customer identification and verification remotely and through digital means.
This could not be an obstacle for some FinTech firms entering the market and a difficulty or a hindrance for the set-up of a harmonized European digital identity framework.