Written by Carla Stamegna and Cemal Karakas.
The financial technology (fintech) sector encompasses firms that use technology-based systems either to provide financial services and products directly, or to make the financial system more efficient. Fintech is a rapidly growing sector: in the first half of 2018, investment in fintech companies in Europe alone reached US$26 billion.
The fintech sector brings rewards including innovation and job creation, but also challenges, such as data and consumer protection issues, and the risk of exacerbating financial volatility or cybercrime. To tackle these multi-disciplinary challenges, policy- and lawmakers in the European Union (EU) have adopted and announced several initiatives, for instance on intra-EU payment services, data protection, crowdfunding and regulatory sandboxes.
This briefing outlines current and upcoming fintech-related laws at EU level. It follows on from a March 2017 EPRS briefing that focused, inter alia, on the evolution, scope and economic prospects of fintech.
Fintech, short for financial technology, is a broad term used mainly to refer to firms that use technology-based systems either to provide innovative and cheaper financial services directly (i.e. without the involvement of banks or other intermediaries) or to make traditional financial business more efficient. Fintech covers a range of services and products, such as cashless payments, peer-to-peer (P2P) lending platforms, robotic trading, robo-advice, crowdfunding, and virtual currencies.
With investment in fintech companies hitting US$26 billion in Europe in the first half of 2018, this dynamic and rapidly growing sector is attracting increasing interest at political level. In the EU, attention is being paid to the contribution that fintech could make to increasing efficiency, strengthening financial integration and enhancing the EU’s role in financial services. Meanwhile, there is a pressing need for safe and effective common rules supporting innovation and protecting consumers.
Indeed, in the EU, areas remain where Member States can choose to apply individualised or less strict rules at national level (e.g. peer-to-peer lending and virtual currencies). This can result in a fragmented environment, preventing businesses from expanding across borders, or an uneven playing field and arbitrage opportunities, incentivising companies to obtain permits in less restrictive jurisdictions so as to minimise red tape while operating internationally.
Fintech-related laws at EU level
No one piece of EU legislation covers all aspects of fintech. Fintech companies providing financial services (e.g. lending, financial advice, insurance, payments) must comply with the same laws as any other firms offering those services. Therefore, different laws apply depending on the activity (e.g. payment services, crowdfunding), such as Directive 2000/31/EC (e-commerce), Directive 2002/65/EC (distance marketing of consumer financial services), Directive 2009/110/EC (electronic money), Directive (EU) 2015/2366 (payment services), etc.
The Payment Services Directive (PSD I) (Directive 2007/64/EC) established the single European payments area (SEPA) in 2007. While SEPA has been successful in harmonising card and bank-to-bank payments, online payments remain fragmented.
In July 2013, the European Commission announced a new financial regulation package including PSD II, the updated Payment Services Directive (Directive (EU) 2015/2366), which repealed PSD I, and a proposal for a regulation on interchange fees for card-based payment transactions (Regulation (EU) 2015/751). PSD II came into force on 12 January 2016; the deadline for implementation in national law was 13 January 2018.
PSD II is designed to respond to technological changes in the payments industry. In this context, the definition of payment services has been expanded, and the diversity of traditional payment service providers (PSPs), such as banks and financial institutions, has increased. PSD II classifies two types of provider, account information service providers (AISPs) and payment initiation service providers (PISPs), as third-party service providers (TPPs). Under the new directive, payment service providers are subject to the same rules as other payment institutions. In return, banks are obliged to provide third parties with API (application programming interface) access. Non-banks would then have the right to access customers’ data (provided they have the customers’ permission).
One particular set of regulatory technical standards (RTS), concerning the processes and data structures of communication between parties, is key to achieving the objectives of PSD II. Mandated by PSD II, the European Banking Authority (EBA) drafted these standards in cooperation with the European Central Bank (ECB). The European Commission adopted the final RTS proposal in November 2017; the RTS are due to apply from September 2019. According to the new rules, banks will have to set up a communication channel that would allow third-party service providers to access the data they need. This would also allow banks and TPPs to identify one another when accessing customer data, and to communicate through secure messaging. Banks may establish this communication channel either by adapting their customer online banking interface or by creating a new dedicated interface. Should they opt for the latter, banks will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, and provide the same level of contingency safeguards.
Some experts argue that PSD II would level the field and might be a ‘key change’ towards the creation of an open banking system; there is, however, criticism of PSD II. Some experts note that access to bank account information raises the question as to who should pay for the infrastructure needed for such interconnectivity. In addition, the sharing and use of client identification details would heighten the threat of cyber-attacks. To this end, banks are calling for tighter security regulations for newcomers, and have raised concerns about the authentication systems they use.
Data and consumer protection
The legal cornerstone for data protection (in terms of ‘personal data protection’) is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This directive was repealed by the General Data Protection Regulation (EU) 2016/679 (GDPR). This regulation entered into force in 2016 and became applicable from 25 May 2018. Some experts say that current EU legislation on data protection, competition and consumer protection is noticeably lacking in its definition of ‘big data’, creating a regulatory blind spot that needs addressing. Here, the European supervisory authorities (ESAs) on financial issues – i.e. the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – have evaluated the fintech-specific additions to the GDPR and/or other general consumer protection regulations.
In their March 2018 report on big data, the ESAs state that the existing legislative requirements constitute an ‘already quite solid framework to mitigate the risks identified’. They also note that this framework will be further strengthened with the entry into application of several key pieces of legislation in the financial sector as well as in the data protection sector. The ESAs consequently consider that a legislative intervention at this point would be ‘premature’.
Crypto-assets are digital assets recorded on a distributed ledger. On 9 January 2019, ESMA and EBA each released a report on the current and future regulation of the EU crypto-assets market. ESMA notes that the majority of crypto-assets qualify as financial instruments under the Markets in Financial Instruments Directive (MiFID II); however, national authorities face challenges in interpreting and adapting the existing requirements to the specific characteristics of crypto-assets. Meanwhile, a number of crypto-assets fall outside the current financial regulatory framework. The EBA report focuses on the applicability of the Electronic Money Directive and PSD II, and looks at issues arising in the context of crypto-asset wallet providers and crypto-asset trading platforms.
The earliest and best known example of crypto-assets is crypto-currencies, a special type of virtual currency. In this field, the EU has not yet adopted any specific regulation. However, following up on a June 2017 Commission report, in December 2017, European legislators agreed to extend the scope of the Anti-money-laundering Directive to virtual currency exchanges and wallet providers.
Fintech action plan and crowdfunding
Having been invited by Parliament in a May 2017 own-initiative resolution to take more action in fintech sectors such as big data, cybersecurity, blockchain, interoperability, financial stability, financial and IT skills, the European Commission presented a fintech action plan in March 2018. The plan sets out 19 steps to promote innovative business models and the uptake of new technologies (e.g. artificial intelligence and cloud services), to increase cybersecurity and the integrity of the financial system, and to further enhance investor, consumer and data protection. It promotes innovation and regulatory certainty. It also envisages the introduction of regulatory sandboxes, which can be considered ‘safe spaces’ where (national) supervisors apply rules to fintech firms in a more flexible way so that businesses can test their models, products and services for a limited time and without being exposed to red tape. The EU FinTech Lab was set up to build capacity and knowledge among regulators and supervisors. It held its first meeting in June 2018.
In this context, the Commission has put forward new rules to help EU crowdfunding platforms scale up. In March 2018, it tabled a proposal for a regulation aimed at introducing an optional EU regime to enable crowdfunding platforms to operate easily across the EU. Instead of facing differing regimes, platforms would have to comply with one set of rules only, both in their home market and in other Member States. The accompanying proposal for a directive amends the scope of Directive 2014/65/EU (MiFID II), adding crowdfunding service providers authorised under the proposed regulation to the list of exempted entities to which the scope of the directive does not apply.
In its action plan, the European Commission invited the ESAs to facilitate supervisory cooperation and the consistency of supervisory practices. Following up on the Commission’s invitation, in March 2018 the EBA published a fintech roadmap setting out its priorities for 2018 and 2019. The roadmap addresses the challenge of appropriately regulating innovation in finance. It also envisages the establishment of a fintech knowledge hub to improve expertise sharing and promote technological neutrality in regulatory and supervisory approaches.
In its 2019 work programme, one of ESMA’s key objectives for fintech is to achieve a coordinated approach to the regulation and supervisory treatment of new or innovative financial activities, and provide the EU institutions, market participants and consumers with advice. It is also committed to implementing the framework for the use of the product-intervention powers provided by the Markets in Financial Instruments Regulation (MiFIR). To tackle issues stemming from insurtech, EIOPA set up the InsurTech Task Force (ITF) to analyse the use of big data by (re-)insurance undertakings and intermediaries. It maps the initiatives taken at national level in this area, with a view to establishing efficient and effective supervisory practices. At a later stage, the ITF will also focus on the convergence of algorithm supervision and investigate the benefits and risks arising from the use of blockchain and smart contracts in insurance activity.
In their January 2019 report, the ESAs set out a comparative analysis of innovation facilitators, and describe best practices for their design and operation. According to the report, a lack of cooperation between financial regulators across the EU could be hindering businesses from expanding their innovative new fintech services beyond national borders. Twenty-one EU Member States and three European Economic Area (EEA) countries currently have innovation hubs, while only five Member States have fully operational regulatory sandboxes. Based on the ESAs’ report, the Commission intends to present a report with best practices for regulatory sandboxes in the first quarter of 2019.
The European Commission is also monitoring the development of crypto-assets and initial coin offerings (ICOs) with the ESAs. Based on an assessment of risks and opportunities, the Commission will assess whether regulatory action at EU level is required.
Regarding payments, the Commission (together with market players) is aiming to develop, by mid-2019, standardised application programming interfaces that are compliant with the PSD II and the GDPR as a basis for a European open banking eco-system, covering payment and other accounts.
- Karakas C. and Stamegna C., ‘Defining an EU-framework for financial technology (fintech): Economic Perspectives and Regulatory Challenges’, Law and Economics Yearly Review, Vol. 7 (1), 2018, pp. 106-129.
- Karakas C. and Stamegna C., Financial technology (fintech): Prospects and challenges for the EU, European Parliamentary Research Service, European Parliament, March 2017.
Read this briefing on ‘Fintech (financial technology) and the European Union: State of play and outlook’ on the Think Tank pages of the European Parliament.