It is indeed important to create a supportive regulatory environment to facilitate the further development of FinTech. In line with the findings of the EBA Discussion Paper, PayPal considers that there are grounds to address the existing differences in Member State practices and regimes to incentivize innovation, and therefore believes there is room for EU regulators to promote better coordination amongst Member State authorities on sandboxing/innovation hubs, along the following lines:
Developing EU guidelines on the regulatory and supervisory approach to FinTech supervision. Financial service regulators and supervisors in the future are likely to regulate a wide range of companies, not all of which are traditional financial services entities. EU guidelines will be essential to ensure a common approach to FinTech supervision that is principles-based and industry-inclusive. The guidelines should develop a flexible approach to supervision that is able to account for new technological developments, dynamic risks, and data points. The key questions to ask from a regulatory and supervisory perspective are:
• What is the service being provided?
• What risks are associated with that service?
• How do current regulations apply to that service?
• How should updated regulations cover that service?
Developing EU guidelines for regulatory sandboxes to harmonise various national initiatives: sandboxes ease regulatory compliance without jeopardising consumer protection and create safe spaces for product testing. An EU approach to harmonise existing and future national initiatives is needed to provide consistency across the EU, giving the same opportunities to all FinTech innovators, regardless of where they set up.
Creating a cross-border EU regulatory sandbox under the ESAs: this would foster the development of true pan-EU FinTech services. This should be open to both new FinTech and established players. Established players are indeed also important FinTech players and contributors as they are often either developing new services leveraging data, mobile technology and new business models or using technology to reset and reshape existing solutions, making them more efficient, intuitive or relevant for users.
Creating interoperability between issue-specific regulators, as well as across borders: regulators and policymakers should think beyond their specific mandates and national borders. An example of a successful model comes from Singapore, where the Monetary Authority of Singapore has established a FinTech office designed to foster partnership among a variety of government agencies that might impact FinTech.
Fostering entrepreneurship: FinTech companies are just like any other nascent company; they need a friendly business environment in which to start their business and scale-up. This includes simplified and affordable processes to set up a company in a given Member State, as well as access to the right advice, tools and skills
Overall, PayPal supports EU regulators and authorities in their efforts to foster a new approach to FinTech regulation, by removing remaining areas of regulatory fragmentation in the EU, and to supervision, by taking a principles-based, technologically neutral approach.
PayPal suggests that financial services policymakers need to embrace technology in terms of the opportunities it brings for both users and regulation, but also to increase collaboration with other relevant regulators (data supervisors, consumer authorities, information security supervisors, etc.). Regulators should consider how to best shift their approach from one that is rigid and focused on classical design standards and risks to one that is flexible and able to account for new technological developments, dynamic risks and data points.
This is particularly relevant in the area of payment security, and the related operational risks involved, as mentioned in the EBA Discussion Paper, where EU regulators should consider more future-proof and flexible legislation, which is adaptable to future technologies, while providing a high level of security and fostering competitive markets. While PayPal applauds the PSD2’s achievements in terms of competition, some of its provisions remain too prescriptive and were clearly written with traditional banking payment models in mind, which will obstruct the development of innovative technologies and hinder the growth of digital payments and e-commerce in the EU.
In more detail, the Strong Customer Authentication (SCA) provisions in PSD2 do not take into account the complex payments value chain that results from the introduction of new FinTech solutions, notably through the first Payment Services Directive. This will result in a confusing and complex experience for consumers, who may be faced by multiple SCA challenges from multiple PSPs for the same payment transaction. It will furthermore hinder the development of FinTechs who will see little incentive to enter the payments market. PayPal appreciates the EBA’s attempts to include a risk-based approach in the exemptions of the RTS and stands ready to contribute to the further work that will be needed in this area.
As regards PSD2 Guidelines for incident reporting, PayPal would welcome an overall harmonisation of the format and procedures for security incident reporting, which remain fragmented across different EU legislation (e.g. NIS Directive, PSD2, GDPR, Single Supervisory Mechanism). This overlap creates redundancies in reporting to multiple competent authorities, and ties up resources which could be better deployed to manage the incident.
The partnership potential of FinTech has to be considered as an opportunity for businesses and ultimately consumers.
Partnerships allow banks to reach more consumers and explore new product offerings and markets. For FinTech, they can provide funding and immediate scale to these services. PayPal partners with card networks, banks, and technology and telecommunications companies to facilitate the delivery of simple, more efficient, affordable and secure financial services across a range of channels and platforms. Partnerships are increasingly the industry norm: a recent UK survey showed that while 25% of financial services companies reported ongoing joint ventures with FinTechs, nearly 50% were planning to do so in the next 3 years. (Mayer Brown, The ABC of FinTech: Acquisitions, Brexit and Collaboration, November 2016).
While the right focus on the possible threats should be kept, technological innovation is also relevant for businesses to master risks and security threats in a more efficient way.
As already highlighted, PayPal would urge regulators to take an approach that is based on the actual risks of the service, rather than mandating one-size-fits-all blanket rules that are not adapted to the subtleties of each business model and innovative technology. Regulation must treat each of these services individually, identify the particular risks associated with each service, and create regulation that is performance-based rather than design-driven. Future-proof: the EU regulatory approach should be fit for both today’s innovations, as well as those of tomorrow. Only an outcomes-based approach where the regulatory framework sets out principles and leaves the method with which to achieve them to the market, can achieve that.
PayPal believes there is highly positive impact on the business models of credit institutions in the use and further development of FinTech, as they promote a more consumer-oriented approach, which can benefit all. Credit institutions are already interacting positively with payment services providers by using new instruments related to FinTech. It is important however, as already highlighted, to avoid a regulatory approach which is too rigid and focused on classical design standards and risks and to focus on one that is flexible and able to account for new technological developments.
Depending on the respective setup of the regional banking ecosystem, PayPal collaborates with many partners to serve the customer needs. In the EU, PayPal has active partnerships with many banks, not only to connect the Wallet to the banking network, but also to make banking payment instruments available in digital markets. Collaborating with Deutsche Bank for SEPA payments made virtual bank accounts numbers (VIBAN) available for easier top-ups of PayPal’s wallet. PayPal was one of the first adopters of Faster Payments in the UK, bridging the gap between the instant bank payment and the actual use of this technology in the checkout of a merchant’s website. Outside the EU, PayPal partnered with Citibank (Citi), the world’s largest credit card issuer, and Fidelity National Information Services (FIS), a global leader in financial services technology. The deals allow Citi and FIS customers to use their financial instruments through PayPal at the point of sale.
PayPal focuses on the opportunities FinTech presents for the further development of payment services. PayPal has longstanding experience as a FinTech pioneer and has successfully adapted its business model to take full advantage of the positive impact of FinTech. PayPal is firmly committed to wide deployment of Fintech solutions to benefit consumers.
PayPal believes that the real impact of FinTech is not the development of apps providing traditional financial experiences more conveniently, but the meaningful improvements it can make in the lives of those using financial services. FinTech facilitates the democratisation of finance by lowering the costs of financial services and expanding access and participation across every level of society. FinTech has the potential to deliver the following across the European financial services sector:
• Huge benefits for customers including simplified experiences, increased convenience and lower costs. For example, the digital delivery of remittances has the potential to halve costs to consumers.
• Improved access to credit and analytical services for consumers and SMEs. By introducing new data elements to traditional underwriting metrics, FinTech opens up new potential for innovative services at low cost. For example, PayPal’s Working Capital product leverages customer data, as well as traditional data sources, to provide improved liquidity in the form of cash advances to SMEs.
• Enhanced security through biometrics, tokenisation, big data, transaction monitoring and case management technology, making it increasingly possible to deliver both security and convenience for end users.
• Reduced cost of compliance through RegTech tools that automate compliance functions. For example, machine learning can be used to analyse massive data sets, spot anomalies in real-time and generate compliance reports automatically.
FinTech is a driver of growth. PayPal is committed to democratising access to financial services and believes that such access is a powerful driver of growth for both SMEs and individuals alike. Being able to evaluate additional sources of data to determine eligibility for financing lowers the knowledge and administrative barriers to applying for finance and helps SMEs access critical resources to grow their businesses. PayPal’s Working Capital product offers seamless access to finance for SMEs based on their past sales data through PayPal. Such capital helps SMEs expand and create additional employment opportunities in their communities.
More generally, the development of technology, not just FinTech solutions, means a societal shift: today’s jobs will not be the same as those of tomorrow. EU policy must accompany that shift by promoting the skills of tomorrow, i.e. IT and digital skills. Roles and skillsets will certainly evolve; people in the future will need to program and design these algorithms, to service and operate these machines, to build the computers, smartphones and the next technology. The EU should therefore focus on introducing programming and coding in school curriculums, to ensure that people do not only know how to use technology, but how it actually works – what goes on behind the screen or keyboard. This in turn will also contribute to building trust in technology and accelerate the development of the Digital Single Market.
As reported in the discussion paper, FinTech businesses are already regulated by considerable existing financial legislation (PSD2, AMLD, EMD, and CCD). PayPal takes the view that the regulatory framework for FinTech is sufficient.
As highlighted in other questions, to bring the real benefits of FinTech to consumers, breaking down national barriers to the development of FinTech is critical. There are a number of areas where a lack of harmonisation between Member States is hindering the development and scaling up of FinTech firms.
However, harmonisation should be done in a smart way and should not unnecessarily hamper the development of FinTech through new requirements. PayPal supports a principle-based regulation that reduces unnecessary regulatory burden.
There is no common approach in regulatory oversight to FinTech, because it means so many things: the term lumps together a broad variety of financial services offerings with different technologies, stakeholders, and risk profiles. In addition, the vast majority of FinTech applications are in fact already regulated under existing financial regulations. For instance, in the EU, FinTech payment providers have been brought under the regulatory umbrella of instruments like the Payment Services Directive (PSD2), the e-Money Directive (EMD) and the Anti-Money Laundering Directive (AMLD4/5). Moreover, because FinTech is often about enhancing the user experience, non-financial consumer protection regulation also applies to FinTech entities, such as existing consumer protection, data protection and information security rules.
PayPal noted the EBA’s intention to consider the FinTech “regulatory perimeter” and encourage the EBA to be mindful of activity being undertaken by other regulators and recommend collaboration on the issues raised wherever possible.
PayPal shares the objectives of the EBA set out in the Discussion Paper as regards the need for supervisory convergence and cooperation among national authorities, in order to reduce double reporting and divergent compliance requirements. As a priority, work should be focused in strengthening the role of the Home Member State Supervisor and the passporting regime, notably within the credit sector.
The regulatory infrastructure underpinning both consumer and business finance remains fragmented along national lines. Within the framework of the Consumer Credit Directive, Member States have adopted disparate requirements regarding credit licensing, conduct requirements and interpretations of certain alternative lending structures. Similarly, commercial and public credit reference agencies and other commercial databases differ by Member state in both the level of access and information that is provided. This creates significant barriers to entry and to scale, and hinders the development of scalable, pan-European FinTech solutions in the credit sector. This can be a loss to would-be end-users who could have benefitted from increased product innovation and price competition driven by the presence of FinTech.
PayPal would therefore recommend more regulatory harmonisation at EU level in the credit space, by ensuring greater regulatory and supervisory convergence. Strengthening the role of the Home state supervisor and the passporting principle would decrease Member State discretion and contribute to a pan-European framework for FinTech firms.
PayPal also welcomes the Commission’s Consumer Financial Services Action Plan, published in March 2017, and specifically the action point to introduce common creditworthiness assessment standards and principles, and to develop a minimum set of data to be exchanged between credit registers in cross-border creditworthiness assessments. Further, PayPal encourages the development of a pan-EU ‘credit bureau’ to collate consumers’ financial history and credit information. This information (provided on the basis of customer consent) could be made available to registered financial services providers for the purposes of credit risk assessments, credit scoring, etc., and would encourage companies to offer products to customers in other EU Member States.
The cross-border provision of FinTech services is challenging in the EU due to regulatory fragmentation and the lack of harmonisation in several areas (e.g. credit policy, AML, consumer protection, data protection, cybersecurity). PayPal would recommend more regulatory harmonisation at the EU level, by ensuring greater regulatory and supervisory convergence.
Strengthening the role of the Home state supervisor and the passporting principle would decrease Member State discretion and contribute to a pan-EU regulatory and supervisory framework. Amongst others, the requirement of setting up a local presence in some markets is not only at odds with the concept of EU passporting, but is a huge constraint to the ability of new, online service providers to compete and bring value to consumers across borders. Physical presence requirements make little sense in the digital-first age. In addition, PayPal would recommend that regulators and policymakers think beyond national borders by fostering interoperability, including through passporting regimes, to ease the burden of complying with a multiplicity of regulatory authorities.
As outlined in previous replies, there is certainly need for more regulatory harmonisation at EU level (e.g. credit policy, security and AML legislation), without unduly restraining the potential of FinTech and by using a principle-based approach.
Overall, PayPal would support further action in the following areas:
o Strengthening the role of the Home Member State Supervisor and the passporting regime
Creating interoperability through passporting regimes is the ideal method for enabling FinTech to develop. Regulators in those markets in which FinTech has a significant physical presence should have jurisdiction and supervisory authority. An example of a successful model comes from Singapore, where the Monetary Authority of Singapore has established a FinTech office designed to foster partnership among a variety of government agencies that might impact FinTech. The passporting model for payment service providers in the EU is also a good example, which should be reinforced as stated earlier, and extended to other financial services.
• EU guidelines on the regulatory and supervisory approach to FinTech supervision (on this item, see reply to question 1)
• EU guidelines for regulatory sandboxes to harmonise various national initiatives (on this item, see reply to question 1)
• The creation of a EU cross-border regulatory sandbox (on this item, see reply to question 1)
• The development of a harmonised, pan-European e-identification and KYC system (on this item, see reply to question 21)
Overall, PayPal supports the approach outlined in the EBA Guidelines on complaints handling under PSD2. However, with regards to ensuring supervisory convergence, it wishes to underline the importance of the Home State principle and its application to the complaints procedure for alleged infringements of PSD2 requirements.
This principle is a founding block of the Single Market, providing legal certainty, removing the complexity of complying with 28 different regimes and mitigating the threat of regulatory competition. It further serves as an incentive for cross-border activity within the EU. As such, when customers file a complaint, they should do so before the relevant authority of the PSP’s Home Member State. If a customer has filed a complaint to a host Member State, that Member State should forward it to the relevant PSP’s Home State for review and processing. This Principle is especially important given that the National Competent Authority (NCA) will analyse and aggregate the data, notably to “ensure and monitor [PSPs’] effective compliance” with the PSD2, as per Article 100 of the Directive. In our view, this competence lies solely with the Home State.
PayPal agrees that some existing legal requirements at both EU and national level may be outdated and welcomes the EBA upcoming in-depth review of EU legislation requirements that may restrict digitization.
Because FinTech is often about enhancing the user experience, non-financial consumer protection regulation also applies to FinTech entities, such as existing consumer protection, data protection and information security rules. FinTech is not a single undertaking but rather represents technology shifting a broad range of traditional financial service offerings.
We should not strive to create a new legal framework imposing new obligations for financial services online. Instead, regulation must treat each of those services individually, identify the particular risks associated with each service, and create regulation that is performance-based rather than design-driven. The key questions to ask from a regulatory perspective are:
• What is the service being provided?
• What risks are associated with that service?
• How do current regulations apply to that service?
• How should updated regulations cover that service?
Beyond asking the right questions, using the right process for regulation is key. Current financial services regulation utilises rigid design standards – that impose specific business methods on innovative businesses – and a methodology that cannot iterate with rapid developments in industry. We therefore encourage financial regulators to continue to foster growth and innovation by cooperating with innovators.
PayPal is clearly committed to enhance financial participation at all levels, in order to break barriers precluding wide and equal access to financial services. There is therefore merit for further EBA activities to coordinate work of the public sector at national level, and strengthen coordination at EU level, building on already existing good practices. Cooperation with the private sector is also key.
PayPal believes in an open, accessible and inclusive financial system where everyone can participate and have full control over their financial health. We are committed to democratizing financial services so that everyone can have access to the affordable, convenient and safe financial services they need to have full agency and authority over their financial health. We need to look beyond the traditional notion of creating financial literacy and access to financial services. We need to break down the barriers that prevent people from fully participating – and thriving – in the global economy.
To fully deliver on FinTech’s potential to improve financial health and expand economic opportunity will require an unprecedented level of collaboration across the financial services ecosystem. No one organization can do it alone, and PayPal is committed to working with like-minded partners across the public, private and social sectors.
There are several ways that public sector can work to achieve a satisfactory degree of financial health. Education (offering classes and better, more transparent information on how to manage money and take advantage of digital financial services), identity (ensuring that every citizen has official government identification, which opens the door to accessing and using secure financial services), Internet access (expanding connectivity and making it more affordable for everyone), and bank accounts (lowering the regulatory requirements associated with basic banking functions for the underserved) all work together to improve financial health. Also, private/public collaboration to address the technical, economic and regulatory barriers that exist today would greatly benefit the move towards a more financially healthy society.
Furthermore, PayPal is also directly engaged in specific activities in cooperation with public and private partners to enhance financial participation and tackle barriers to access to financial services for consumers. As an example, PayPal successfully concluded of a series of financial education workshops for secondary school students in partnership with Junior Achievement Ireland, in July 2017.
PayPal’s commitment to improving financially healthy society is at the core of our business. This priority is manifested through the products and services we develop, the investments we make, the collaborations we enter into and the conversations we spark. Further initiatives are also carried out by PayPal, namely:
Working Capital: PayPal is constantly innovating to bring products to market that democratize financial services. PayPal Working Capital allows small businesses with a strong PayPal sales history to get funding in minutes, without a credit check, and repay it using a percentage of their PayPal sales [link]. Xoom helps individuals send money to their friends and family back home in another country at nearly half the cost of traditional remittances services (3.93% of the amount sent compared to 7.45% average).
Investments: PayPal has invested in companies and initiatives innovating on various approaches for improving people’s financial health. For instance, PayPal recently invested in Acorns, an app aimed at helping millennials, in particular, build long-term savings by automatically investing their change.
Partnerships: PayPal has engaged in a number of partnerships with social impact organizations who have made it their goal to improve financial participation and health. For 10 years, PayPal has partnered with Kiva, a nonprofit organization pioneering micro-lending, to process loan activity free of charge. PayPal also recently announced a global collaboration with Village Capital, an organization that finds, trains, and funds social impact entrepreneurs developing solutions for underserved populations around the world.
Thought Leadership: PayPal and its executive leaders are regularly engaging in constructive conversations with stakeholders and thought leaders, through memberships and affiliations with organizations such as the World Economic Forum and the Center for Financial Services Innovation. Through these relationships, PayPal explores ways to evolve our products to be more accessible and inclusive and help evolve the industry conversation beyond inclusion to a broader financial health vision.
PayPal welcomes the EBA’s assessment on the impact of FinTech on AML/CFT. As an obliged entity under EU Directive 2015/849, PayPal complies with all EU anti-money laundering rules.
PayPal is of the view that the regulatory fragmentation and the lack of harmonisation in several areas, including AML and e-identification, make the cross-border provision of FinTech services in the EU challenging and do indeed have an impact on the freedom to provide services and right of establishment. PayPal would therefore recommend more regulatory harmonisation at the EU level, by ensuring greater regulatory and supervisory convergence. The home state principle and more harmonisation of the e-identification and authentication frameworks will have a key role to play in that regard.
Home state: Strengthening the role of the Home state supervisor and the passporting principle would decrease Member State discretion and contribute to a pan-EU regulatory and supervisory framework. Amongst others, the requirement of setting up a local presence in some markets is not only at odds with the concept of EU passporting, but is a huge constraint to the ability of new, online service providers to compete and offer new services to consumers across borders. Physical presence requirements make little sense in the digital-first age.
Identification: The lack of a harmonised, EU-wide, secure and reliable, digital identity framework poses a significant barrier to the development of FinTech solutions, particularly those solutions which can be used across national borders. The fact that dozens of institutions are forced to repeat the same identity verification activities, for the same person, across multiple platforms to satisfy anti-money laundering, sanctions monitoring, and fraud risk management obligations is a material drain on economic resources. Digital forms of government-issued identification will be essential in a world where financial services can be increasingly offered without any physical presence. These e-ID tools should be widely accessible, user-friendly, and affordable (preferably free) to ensure their wide adoption by users.
PayPal therefore welcomes on-going work to support the roll-out of the e-IDAS framework. However, there is still a need for a unified EU identification system. The definitions and methodologies vary on a country-by-country basis, and there is no true pan-EU solution. A centralised, pan-EU e-ID infrastructure would allow FinTech companies to conduct convenient, low-cost and effective KYC and due diligence checks, enabling them to scale across the EU.
Authentication: Authentication is essential for safety and security, but classical methods continue to dominate the discussion, while digital and mobile technology enables a host of new data elements that can be used to improve authentication and KYC procedures. As with the core digital identity regime, the EU can play an important role in creating a flexible authentication and KYC regime that clarifies risk tiers and metrics, but does not mandate technological solutions. This would provide the private sector with the ability to innovate around the best way to achieve those metrics, as they can be implemented using a variety of competing technologies and models.
While the risk-based approach of the EU’s AML framework is positive, the lack of harmonisation across the EU is a challenge. Divergent local regulatory requirements significantly increase the complexity of offering and accessing services in the EU on a cross-border basis. This is particularly true regarding digital verification. A harmonised EU-wide online (i.e. non-face-to-face) KYC framework would facilitate the introduction of a truly cross-border financial services market, while also reducing the cost of compliance for digital businesses who do not have a physical presence. Pan-EU databases of beneficial ownership information and valid/up-to-date IDs (subject to data protection requirements) should be part of that framework. It is also important to provide additional flexibility for PSPs to be able to rely on KYC processes and AML controls (under certain criteria) performed by non-PSPs, for example, in cases of integration with mobile wallets, telecom partners, issuers of retail prepaid cards and operators of loyalty programs. Finally, a framework for data sharing amongst EU Member States (data elements on KYC, authentication etc.) is essential to make this truly cross-border.
Policymakers should recognize the changing landscape of technology-enabled criminal behaviour. PayPal encourages policymakers to enable the use of real-time data and account monitoring rather than a heavy reliance on static data point collection for traditional KYC procedures as well as encouraging risk-based approach.
Finally, PayPal looks forward to further clarity from the EBA on the use of FinTech solutions for AML/CFT compliance purposes.
PayPal wants to stress that FinTech is a very diverse ecosystem that includes a wide variety of firms and business models, with varying levels of money laundering and terrorism financing risks.
As a global financial services provider, PayPal is committed to compliance with all applicable laws and regulations regarding Anti- Money Laundering (“AML”). PayPal’s policy and practice is to try to prevent people engaged in money laundering, fraud, and other financial crimes, including terrorist financing, from using PayPal’s services. PayPal would like to use this opportunity to outline a number of our best practices that allow to mitigate ML/TF risk:
• PayPal is a closed-loop system (having a relationship with both the sender and receiver) that allows us to identify suspicious activity more easily than competing systems.
• PayPal’s Customer Due Diligence program collects certain identity details at sign-up while remaining relatively frictionless. Once certain thresholds are met, in compliance with relevant market regulation, PayPal will subject users to additional KYC requirements for identity verification.
• PayPal conducts a global AML/CTF and Sanctions risk assessment consistent with Financial Action Task Force guidance to identify, assess and understand the ML/TF risks PayPal faces. This is consistent with a risk-based approach which impacts global policy decision-making and implementation of program elements.
• PayPal screens accounts & transaction history on a nightly basis, covering the entire customer base. PayPal cross-references own information against a variety of lists from regulators, governments, etc.
• PayPal engages/partners with law enforcement proactively and reactively to both help stop cybercrime while also catching the bad actors that have committed crimes and are under investigation.
• From an internal standpoint, PayPal collaborates with various teams across the company (compliance, legal, risk, information security, etc.) to better identify potential bad actors and make recommendations to agencies.
Furthermore, as an e-money issuer, PayPal considers useful to provide some comments on the risks associated with e-money.
At an industry level, e-money’s risk exposure to money laundering and terrorist financing can vary from one product to another and depends on several factors such as anonymity, type of payment system (open or closed loop), etc.
As with the wider financial services industry, money laundering and terrorist financing (ML/TF) risks can be mitigated with an appropriate compliance/AML programme, underpinned with a robust control framework. As the EBA has highlighted in its opinion on the application of customer due diligence measures to customers who are asylum seekers from higher-risk third countries or territories “in most cases, money laundering and terrorist financing (ML/TF) risks - including those associated with weaker forms of customer identification - can be managed effectively by offering a more limited range of services or setting up stricter internal controls, which will facilitate early intervention in the event of suspicion”.
PayPal therefore believes that e-money can generally be characterized as low-risk when it comes to AML/CFT.