José Manuel Campa interview with Világgazdaság: Regulators need to watch big digital platforms, European Banking Authority head says
- Interview
- 11 JULY 2024
Regulators need to watch big digital platforms, European Banking Authority head says
Hot Hungary, a living history lesson, could lead changes
Is it hotter in Budapest than you expected?
It is hotter. Hotter than in Paris, for sure. I'm originally from Spain and it's not hotter than Madrid and Spain.
Do you have any previous memories about Hungary?
I was working for the Spanish government during the previous Hungarian presidency, in the first half of 2011, and at that time I came several times, and then also as a tourist. Also, in the 1990s, I came as an academic to a couple of conferences in Warsaw and Budapest.
Is there anything you like or hate here?
For somebody from Southern Europe, particularly Spain – we did not have much a of shared history in the times that shaped Europe – coming to Hungary and this part of the world is a learning exercise. I tell that to many of my Spanish colleagues as well that it’s really at the core of why we're working for European Union. You can hear and see very clearly the examples of having a way to resolve our differences, which is through dialogue rather than through other ways. For us, for me, it's a history lesson. That's fascinating.
Mr. Campa, you recently started your new five-year term at the helm of the EBA. The past five years were really eventful, spanning from relative calm through pandemic, inflation, a rise in interest rates, recession, and the war in Ukraine. What is your expectation about your new term? Will it be similarly exciting?
I don't know what is there to come. I hope that it will not be as exciting as you could see in the last five years, but I'm sure it would be exciting in some other ways. What we are considering are the risks. One of them is cyber risk, technology, how technology would evolve. The other one is potential fragmentation. The third one – which thankfully so far has been mild – is the combination of geopolitical tensions and the normalization of interest rates. Looking back now, I'm just happy that throughout those five years – in which there was a pandemic, a war, a big change in monetary policy, stress from high interest rates – all through that process, the banks, the financial sector, were part of the solution rather than part of the problem. It was quite different in 2011 when I was here earlier.
Do you think the normalization of interest rates will proceed, or there can be bumps ahead on the road?
It's hard to predict. But if 18 months ago, when central banks changed course after such a long period of very low interest rates, I was told that we're going to be in a situation today not just in Europe, but in other parts of the world, that employment was going to be so low, output positive and financial stability preserved in the way which we're seeing today – I would have accepted that. Now inflation seems to be coming down across most jurisdictions, interest rates seem more likely to go down rather than upgood and the economy in the euro area has slowed down a little bit, but it has not gone to recession and employment is performing well. It's a pretty good result.
Cyber resilience is key defence line to defend
Comparing the past few years' challenges to the current one, what is the difference?
During Covid we had to make sure that the operational procedures keep the banks able to serve their customers, while many of the latter were going through very difficult situations. That worked out well, I think. More recently, in certain parts of, particularly in this part of the European Union more close to the new tensions, there were issues about the financial inclusion of refugees arriving from Ukraine, their access to financial services, while at the same time there were sanctions imposed and the financial sector had to comply. That also worked out really well. Going forward, one thing that we are increasingly seeing as an area of focus and concern is cyber risk. On one side is cyber crime, like potential intentions that come through attacks, and on the other is fraud, criminals looking for money . The third aspect is operational resilience. That in the digital world, providers remain robust as we use their services more and more intensively. Those are big challenges.
Hungary is holding the EU presidency again. Are there any issues that Budapest can help the EBA to solve? Competitiveness is the main focus of the Hungarian presidency: can the EBA contribute to that effort? And, more concretely: what is the purpose of your current visit?
Starting from the end: the board of supervisors has its strategy day once a year outside of Paris, and we are here for that in Budapest, to discuss medium- and long-term monitoring challenges for the supervisory community. Beyond that, we are planning to come as well in October for a consumer protection day, for a wider audience: we expect about 500 participants. There again, technology is one of the key issues that affects consumers to a high degree. More broadly, our expectations about the Hungarian presidency are high, for two reasons. The presidency takes place at the beginning of a new European (parliament) cycle. Now is the time when the next five years are going to be shaped, so in that sense, I think, it's a very important time and it can make a difference. And the second one is because of the topics. I think that there's been a clear perception that Europe needs to build more Europe to address the challenges ahead in different areas. One of them is obviously competitiveness. And that has a lot to do with having an effective financial system. Within the effective financial system, I think that the priorities are now from our perspective on two things. One is building bigger capital market, and the regulators have a key role in that. Lots of money is being kept in bank deposits, but the money has to be put to work. And the second important aspect is to do that by building a single market that is more integrated.
Risk maps of politics and technological change
We cannot see the end of the war in Ukraine, there are crucial elections this year like the one held in France at the weekend, and we are seeing quite fast changes in politics. There is still a lot on the plate: how is the European banking system is coping with all that swirling and unpredictability?
When we think about the future, in our board, we are looking at a risk map, to see what priorities we need in the face of those risks. Geopolitical risk is very, very high. We should look at how those geopolitical risks materialize, and what implications each of them have. Different risks have different implications. Basically, for us, the way we think about this is in three big blocks. One block I mentioned before is cyber tensions, cybercrime. We have already seen that the degree of digital attacks has increased. So far, the consequences of those attacks have not been high because the banking system has proven to be robust, but we need to keep an eye on that. The second big aspect we need to think about is how those geopolitical tensions materialize into potential global fragmentation tensions. That can be very bank-specific. It's hard to make a general decision about the banking sector overall: it depends on what type of business you do, who you do business with, what sectors, what parts of the European Union. When you are a French bank, you're going to be much more affected by the French elections than elsewhere. So we ask the banks to think about those problems and about different scenarios. How would you react? You may want drastic action, like quitting a market or just to grow business in segment by only 1 percent instead of 2. And then the third one: how it affects economic variables like economic growth, unemployment, the evolution of certain financial assets or real assets. We are now very focused in parts of the union on commercial real estate where there has been significant lending from non-bank players, and that is an area of concern.
Cyber attacks come up repeatedly as a key challenge. Why is it a systemic risk? Because it's about a big amount of money, or because it threatens lots of people?
It's that, and more. The third thing is that it's a situation which is new for us. It's not that we have never had it. The complexity of the digital economy that we have today is what we never had before. Fourth: the way how that structure works. It's much more, if I may say, dispersed. There is a lot of subcontracting, a lot of players who are not necessarily regulated. The central bank goes and supervises the bank, but the bank has subcontracted a big chunk to digital providers, to big or small computing firms.
A large part of the cyber attacks target government agencies and institutions. Also, a cyber attack can materialize in various ways. It may affects many, many people at one time. It could be that you lose a lot of money. It could be just that you lose the ability to understand the information that you have. That's when the systems of a bank or of a clearing house are corrupt. And, say, we don't know how much money I have in the bank, or who has the money in the bank. Fortunately, so far – I crossed my finger – the implications have been small. But we need to pay attention.
The Authority gathers more information and tools to defend the line
Consumers tend to know the national supervisors, but know less about the European level. Does the EBA have the tools to fight cyber crime, which is international?
There are two aspects. One has more to do with cyber threats that come from cyber security. This is more in the area of national defense authorities and intelligence agencies, other parts of the economy, and those effects will not be necessarily specific to the financial industry. Other strategic sectors like transportation or energy could also be affected. But then there's a second aspect which is very specific to the financial industry, what we call operational resilience. Just making sure that the way that the system works is robust. So that has to do with maybe not crimes, but just cyber accidents, if I may call it that way. In that sense, there is a regulation that we have put into place in Europe. It's called the DORA (Digital Operational Resilience Act), which basically gives powers to us, to the EBA and the two other sectoral European regulatory authorities... ' That's coming into effect now. The supervision will start in January 2025, and that's a big step towards ensuring that there is resilience in the system. It's not about crimes, it's about resilience.
The EBA published an opinion piece recently about new types of fraud. What measures do you propose to protect people and banks?
That’s a good example on how digitalization is resulting in new situations. This is mainly about the area of payments, also when you use your credit cards, your digital currencies. What we have observed is that as the technology evolves, the criminals also evolve. So we need to monitor that and collect more information. We're coming forward with more evidence of what has happened over the last year and a half in the fall of this year. But going back, we have implemented in Europe the two PSDs, payment service directives. That regulates basically digital payments with credit cards and things like that. That regulation, that's basically the one that requires you to put a PIN. That has increased safety.
But new forms of payments are coming forward, new products. So we put forward an opinion in April of this year, so that the new payments regulation will cover new areas of fraud, and we also need to identify well another very common concern of consumers. Who is liable for that fraud? If fraud takes place, if somebody loses some money because a payment was being done with other authorization, who is responsible for that fraud? That needs to be clarified because right now there is a perception that this could be the bank. But it could be whoever the technology firm is, the phone company or the API that you're using, or it could be the customer that has done something improper.
Do you have any concrete programmes or policies on the table to counter cyber crime?
I already mentioned the DORA, the digital operational resilience act, which provides a framework for being able to oversee the banks and the providers to the banks. Th second one is about crypto currencies and also those called the stable currencies which are 100 percent backed with reserves. That regulation is called MICA – Markets in Crypto Assets – which took effect as of July.
Big digital platforms are a bigger challenge than the fintech revolution
Fintech companies have been a popular topic for years. Do you see any challenges in that segment?
When we talk about fintech firms, it's usually about technology coming into the industry. That is not necessarily new and it's certainly not necessarily bad. It just depends how that technology is being used. Over time we have seen that fintech firms have been collaborating more and more with established institutions. And that's proven reliable. What's important is that the customers have a good sense of what the business model is, and the service that those companies are bringing to them. As we go forward, two big questions arise. One is what role the big platforms, rather than the small fintech companies, will play in the financial sector. That's one big question that we need to follow closely to make sure that there is resilience, competition and that financial stability is preserved. And the second one is the newest technologies. I would not say that artificial intelligence is a big unknown at this stage, because it exists, but the specific usages and the implications of are still a bit at an early stage for us to be able to clarify.
Big platforms, could you name a few?
It's like Google, or Amazon. In the payment sector, Apple Pay is another big platform. What we monitor is for example what we call white-labelling, when through one of those digital platforms a financial product is being offered under a label or a brand that is not that new. But of course, the entity providing the financial product in the background, it's a traditional institution, a bank or an insurance company.
There is a delay in the implementation iof Basel III and the Americans are lobbying for an even bigger delay. Isn't that risky if it is a system to ensure the safety of banks?
This is a system that we think is better than what we have. So if it's better, the sooner that we have it, the better. Now what's pending is what we call the finalization of Basel III. But there are lots of pieces that have already been put in place. What is left is Basel III. Europe has already approved the regulation. It's supposed to come in January 2025, but as a result of the delay in the presentation and the uncertainty about how other countries would implement it – not only the U.S. but also the U.K. – the European Commission has announced that they're going to postpone one part, which is the part that refers to market risk, the risk of having operations in financial markets, that is called the Fundamental Review of the Trading Book or FRTB. For at least one year. Is this something that we as the EBA are happy about? No, we would like early implementation. It's something that we understand because if we are having open markets and there's a lot of global interaction between the large banks, it's important that that is done in equivalent terms. But we certainly hope that the implementation will take place as soon as possible.
Europe needs to put money into work
Are the banking systems in the Eastern EU-members still different from the West?
My perception is that overall, the banking system in Europe is robust, with good levels of capital and liquidity. That applies obviously to this region as well, even if over the last two or three years this region has been more affected by the geopolitical tensions than Western or Southwest Europa. I think we can return to the issue of the Capital Markets Union. This issue is not unique to this region. There is a high reliance of savings in deposits. As we go forward, having more of that savings being diversified into other areas, to facilitate capital markets will also be probably put forward. In the balance sheets of the banks, they also have a large amount of assets in sovereign securities. Putting that into work for investment into the private sector and capital markets will also arise. But my overall assessment is that the system is robust.