On March 8 2018, the European Commission published a FinTech Action Plan, which has been the subject of meticulous preparation for more than a year.
As FinTech is a rapidly-evolving sector where the promotion of innovation is necessary, the Commission is keen not to overregulate the domain. Therefore, the Action Plan is limited to one legislative action, and many points of so-called ‘soft-law’ characterised by their non-binding nature.
On the other hand, a question that arises in this context is whether the proposed actions are sufficient to epitomise the Union’s aim of establishing, in the words of Vice-President Dombrovskis: “a competitive European financial sector that is able to drive innovation globally, alongside the US and Asia”1.
What is in the Action Plan?
The Action Plan is centred on three building blocks: enabling the scale-up of EU businesses, supporting technological innovation, and strengthening the security and resilience framework.
The first one of these blocks aims at harmonising legal and operational requirements and ensuring interoperability. Also, regulatory sandboxes are promoted to identify best-practices for the industry.
The second block tackles technological innovation by building regulators' knowledge and by fostering the use by market participants of innovative technologies such as cloud services and blockchain.
The last of these building blocks refers to cyber resilience, and has certainly become, over the past few months, the frontrunner of the Action Plan. In its January 2017 report on FinTech, the European Parliament called upon the Commission “to make cyber security the number one priority in the FinTech Action Plan” 2.
The Commission’s President Juncker also referred to cyber security in the State of the Union Speech 2017, stating that “Europe is still not well equipped when it comes to cyber-attacks” 3. The reasoning is that cyber resilience is a necessary pre-condition for earning consumers’ trust if access to financial services is to become even more digitalised.
For the EU to become a pioneer in financial technology, standardisation, interoperability and innovation will be main areas of focus.
One way that legislators can support innovation is by providing converging licensing requirements. European and national supervisors can help by creating a business-friendly framework, through so-called regulatory sandboxes, which the Commission aims to extend by providing a system of best practices that ultimately leads to increasing innovation.
However, standardisation and interoperability cannot be underestimated. In this context, it makes sense to give the industry a leading role, as companies will ultimately be the ones to use these standards.
In this regard, the Commission wants to examine the role of a potential European Committee for Standardisation. With respect to specific legislation, such as the second Payment Services Directive, the industry participates in setting new standards. In this particular case, the Commission has convened a working group, joined by the European Banking Authority (EBA), the banking industry and new financial players, to develop so-called Application Programming Interfaces (APIs) that would allow fast and secure access to customers’ accounts to follow up on certain financial transactions.
At the same time, it also needs to be ensured that innovation is ‘tech neutral’, meaning that while EU legislation develops standards and objectives, it is up to the industry to choose which technology it applies to comply.
To ensure ‘tech-neutrality’, the Commission will set up an Expert Group in the remit of the Action Plan to review the fitness of the financial services regulatory framework. Potential implications of this action are not to be disregarded, as it could have consequences such as re-opening financial legislation that is not fit for purpose.
More specifically, in the field of technological innovation, the domain of cloud services will play a major role due to the fast-growing importance of the use of data and the lower costs compared to traditional IT systems run by large financial institutions.
One of the main challenges for firms and supervisors in the future is that cloud computing providers are outside the regulatory perimeter of financial regulation. However, as the use of cloud computing increases and services are concentrated in a handful of firms, this raises the question of systemic operational risk.
While the EBA has issued cloud computing guidelines for banks, market participants are awaiting guidance from EIOPA for insurers and from ESMA for market infrastructures and asset managers.
The other side of the coin: resilience
A recent report by Cybersecurity Ventures suggests that the global cost of cyber crime could amount to $6 trillion annually by 2021 4. This exponential growth of the global threat makes the necessity of action a pressing matter.
The Commission proposes in the Action Plan measures focused on raising awareness, increasing the exchange of information, and reinforcing supervisory co-operation.
Rather than creating a legislative framework, the actions are mostly addressed towards the European Supervisory Authorities (ESAs) and National Competent Authorities (NCAs) to improve the supervision and cooperation around already existing legislation 5. More concretely, the three following non-legislative actions have been proposed:
- Assessing the barriers limiting information sharing on cyber threats;
- Mandating the ESAs to map existing supervisory practices on ICT security;
- Mandating the ESAs to develop a cost-benefit analysis of a cyber threat testing framework.
The outcome of this preliminary exercise could potentially lead to the issuance of guidelines by the ESAs, or the collection of technical insights that could provide the basis for legislation at a future stage. However, legislative initiatives are especially delicate in the context of cyber security, as it can easily be interpreted that the domain is in scope of national security matters.
But is the EU the right body to regulate FinTech?
The international dimension of these new technological developments, with all the potential benefits and risks entailed, calls for an international answer. However, it seems there is no obvious international forum emerging to foster the necessary policy discussions.
Specialised bodies lack the horizontal overview to deliver such a framework. The Financial Stability Board (FSB) is narrowly focused on stability concerns and may not sufficiently consider the innovative dimension; the Bank for International Settlements (Basel Committee) focuses on the banking sector and may not sufficiently consider other sectors also impacted by financial technology. A similar assessment can be made of the International Organisation of Securities Commissions (IOSCO).
Other international fora may also carry certain inconveniences. While Germany and France have recently called for deeper international co-operation in the field of cryptocurrencies in the remit of the G20 6, other more sensitive areas like cyber security may seem too politically controversial to be addressed in detail at the G20 or even the G7.
In the absence of an appropriate international framework, at least for the time being, the Union’s action can serve as a necessary solution in light of the need to stay on top of swiftly developing new technologies.
The Commission’s choice to go for an Action Plan can also be read as the aim to step in and give the necessary guidance to the financial industry. However, it also shows the Commission is not keen on developing binding legislation, given the international dimension of the phenomenon and the early stage of development.
Conclusion: Does the Action Plan go far enough?
Ultimately, the three objectives of economic efficiency, privacy and resilience may conflict at times. Pursuing one of the goals will require compromising on the two others. Reaching the goal of a more future-oriented regulatory framework embracing digitalisation will therefore mean finding the right balance between innovation, standardisation and resilience 7.
While the aim of becoming a forerunner at international level would certainly call for a robust legislative framework, the complexity of the domain and the vast number of affected players explain the Commission’s decision to move forward with non-legislative action of an exploratory nature at this stage 8.
One essential element becomes absolutely clear in this context: the importance of the industry, which has the required technical knowledge and is on top of the rapidly evolving dynamics. Having said that, the Union’s approach in addressing the issue from a supervisory rather than regulatory angle can also be translated as a wait-and-see approach; hence the industry should seek its chance to shape the landscape before ultimately binding legislation is tabled.
1 VP of the Commission Dombrovskis; speech on 27 February 2018, available here
2 European Parliament Action Plan on FinTech, available here
3 State of the Union Speech 2017, available here
4 2017 Cybercrime Report, available here
5 Like the Directive on security of network and information systems (NIS), available here
6 Remarks by Vice-President Dombrovskis at the Roundtable on Cryptocurrencies, available here
7 European Council call available here and European Parliament call available here
8 With the exception of an initiative on crowd and peer-to-peer lending.