fintech: a more competitive and innovative european financial … · 2017-10-22 · fintech: a more...

AsociaciónEspañoladeBanca

1 AsociaciónEspañoladeBanca

Fintech:AmorecompetitiveandinnovativeEuropeanFinancialSector

14thJune2017

1.Fosteringaccesstofinancialservicesforconsumersandbusinesses

1.1 WhattypeofFinTechapplicationsdoyouuse,howoftenandwhy?InwhichareaoffinancialserviceswouldyouliketoseemoreFinTechsolutionsandwhy?

OurmembersreportusthattheyuseanincreasingrangeofFinTechapplications,someofthemdevelopedinternallyandothersincollaborationwiththirdparties.Thespectrumandintensityoftheuseoftheseapplicationsvariesfromonebanktotheotherandincludesnewonboardingtechniques,robo-adviceapps forwealthandassetmanagementor Insurtechservices.Theultimateobjectiveofinnovationinfinancialservicesistodeliverbetterand/ormoreaffordable solutions to customers.This is something that FinTech solutionsprovidedbydigitalplayersandbankscanachieve,eitherworkingtogetherorseparately.Improvementscanbeobtainedbyenhancingthevalueproposition,reinforcingsecurityfeatures,openingnewbusinesslines,gainingefficiencyorreducingcosts,tonameafewpotentialbenefits.Whenapproachingthisphenomenon,itisimportanttounderstandwhattypesofFinTechexist, as this term covers a wide range of companies and solutions. If we analyse theirrelation with incumbents, these solutions can either compete with existing ones,unbundlingthevaluechain,orenhancethembyimprovingtheexistingofferandprocessesthrough partnerships. Another classificationmight distinguish between customer-facingservices(“abovetheglass”)orbankingservicesenablers(“belowtheglass”).Customer-facing FinTech solutions offermultiple benefits, ranging from a better digitalexperiencetobetterprices,andmightpotentiallydisintermediatetheserviceprovidedbybanks.In relation to the Fintech solutions that many banks would desire to include in theirprocesses–below-the-glassinnovation,thoserelatedtoRegTechareespeciallywelcomed.Moreover, banks feelmore comfortable approachingFintech companies in aB2Bmodelwhich is consideredbeneficial for bothparties: Fintech startups can scale-up and adapttheir technological developments to a real market need, and banks may incorporate



innovativesolutionsbothintheirinternalprocedures-byreducingcosts-andinmarketingandrelationshipwiththeircustomers.AnotherareaofinterestisFintechservicestoimprovethecurrentprocessingsolutionsinthe payments or securities space (below-the-glass innovation). In this regard, it is ofparamount importance to allow the testing and applicationof new technologies such asDistributedLedgersorcloudcomputing,aswewillhighlight in thesubsequentanswers.Moreover, our banks welcome any FinTech solution that could optimise administrativeprocesses such as reconciliation, forecasting, B2B procurement workflows, strategicadvisory,fraudcontrol,oralternativewaysoffunding,justtonameafew.ThatiswhyinitiativessuchaspromotingasandboxareessentialtobeabletodevelopandchecktheeffectivenessofFintechnewsolutions.

Artificial intelligence and big data analytics for automated financial advice andexecution

1.2 Is there evidence that automated financial advice reaches more consumers, firms,investorsinthedifferentareasoffinancialservices(investmentservices,insurance,etc)andatwhatpace?Aretheseservicesbetteradaptedtouserneeds?Pleaseexplain.

Yes.Automatedfinancialadviceisestimatedtoincreasingtheiruseintheshortrungiventhefollowingpositiveandclearbenefitsforthemarket:

- Itincreasesaccessibilitytonewsegmentsofcustomers;BigDataanalyticsallowstoreachmoreconsumersgivenitprovidesabetterpictureoftheuser’sneeds.Forinstance,therobo-advisormodelisidealforcustomerswithsimpleneeds,orforsmallaccountsthatwanttostarttoinvest.

- It provides enhanced customer experience through mobile apps and increasetransparencyintoinvestmentoptions.

- Itenhancesthefinancialandinvestmentknowledgeofclients.

- Fromacostefficiencyperspective, itallowsareductionofoperationalcostsoncetheinitialdevelopmentsareamortized.

However, theapplicationofrobo-advice isoccurringatdifferentspeeds inthemarkets -beingwider its use in countries like USA or UK - as a consequence of different factors.Probablythemostimportantoneisthatalthoughitsuseextendsmoreacrossnewsegmentsasforinstancemillennialsasdigitalnative,thereisstillanimportantpartofuserswhofeeluncomfortableacquiringandusingtheseserviceswithoutanyhumansupport.Webelievethatthefuturedevelopmentofthesefinancialapplicationsismostlyacombinationofthetwoelements, humanand artificial. In thephysicalworld, this includes a specificmodelprovidingtheautomatedtoolsatbranchlevel:thisway,thehumanisguidedbyautomated



toolsthatenhancetheconsistencyoftheprocess,butrespondtothecustomerdemandofaclosepersonalinteraction.

1.3. Is enhanced oversight of the use of artificial intelligence (and its underpinningalgorithmicinfrastructure)required?Forinstance,shouldasystemofinitialandongoingreview of the technological architecture, including transparency and reliability of thealgorithms, be put in place? (Please elaborate on your answer to whether enhancedoversight of the use of artificial intelligence is required, and explain what could moreeffectivealternativestosuchasystembe.)

No.

From thepointofviewofhow the supervision shouldbeundertaken,webelieve that itshould consist of a combination of a set of minimal rules and ongoing assessment ofsupervisors.Internalcontrolsandgovernancemechanismscanbedesignedtoguaranteefinancialstability,alongwithaconstantdialogueandinteractionwithsupervisorstoassessthe performance of these financial tools –which should be on the other hand designedaccordingtothebanks'riskappetiteframeworkandtothedifferentinternalpoliciesandproceduresandvalidatedbythesupervisor.

The use of AIwill lead tomodels that evolvemore frequently, as a consequence of theongoing learning process. The oversight should not focus on the supervision of thealgorithm that is at the end of the process, but on thedynamics of the root artificialintelligence engine that has generated the algorithm. For this, it is necessary thatsupervisorsandregulatorshaveamongtheirhumanresourcessomespecialistsinBigDataandartificialintelligencetoexerciseproperoversight.

Fromthepointofviewoftransparency,wedonotbelievethatitisconvenienttodisclosurehowthealgorithmswork;theyareasourceofcompetitiveadvantageforbank’sbusinessmodelsandthiscouldbeputatrisk.

Thereisaspecificcaseconcerningtheoversightofrobo-advicealgorithms.Webelievethatitshouldbeclarifythattherearetwomaintypesofalgorithmsbehindrobo-advisors:

1. “Profilingalgorithms”whichareusedtoobtainaparticularprofilefromtheclientthroughtheinformationobtainedfromtheknowledgeandexperience,investmentobjectives,investmenthorizon,etc.ThisprocesssometimesincludesthesuitabilityteststhatMIFIDregulates,inordertoobtaintheadequateinformationandprofileclientscorrectly.

2. “Quantitative management algorithms” which are used to undertake decisionsregardingtheinvestmentinacertaintypeofassetorportfolio.

Under theprincipleof sameservices, samerules,webelieve thatallparticipants shouldapplyMIFID toprofilingalgorithms.Thesupervisionof the “profilingalgorithms”wouldavoid that clientsperceive the same level of risk andquality of adviceby robo-advisorstakingdifferentconsumerprotectionmeasures.Atthesametime,theframeworkshouldbe



ready for evolution and allow new ways to understand customer needs without apredeterminedsetofdata.Atthismoment,allparticipantsshouldbeallowedtoproducetheiranalysisinadifferentmanner.

Inanycase,regulationsforAIshouldapplytraditionalplayersandnewentrantsgiventheirrelevanceandincreasingriskforthestabilityofthefinancialsystem.

1.4 Whatminimumcharacteristicsandamountofinformationabouttheserviceuserandthe product portfolio (if any) should be included in algorithms used by the serviceproviders(e.g.asregardsriskprofile)?

At present, there is a strict framework that prescripts the information that should begathered by all providers of financial advice, which also applies to algorithms, namelyfinancialmarketregulation(KYC,suitability)orGDPR.

Imposingspecificcharacteristicsorinformationrequirementsonalgorithmscouldrestrictthe ability to innovate, create an unbalanced competitive environment or even lead tohomogeneousapproachesresultinginsimilarvaluepropositions,henceexcludingapartofthepotentialuserbaseand,eventually,creatingherdeffects.

Aslongastheregulatoryframeworkimposesrulesonminimuminformationrequirements(such as in MIFID or KYC), we support that there should be the sameminimum set ofrequirementsasitistheonlywaythata“levelplayingfield”canbeensured.Inparallel,inordertoallowforinnovation,thereshouldbeareviewofhowmuchinformationisneededtoprovideadviceoranyotherservice,withaneventual transition toamodelwherenominimumsetofinformationisrequired.Butthisshouldbedoneforallplayersatthesametime,withoutwhichtherewouldbeacleardisadvantageforregulatedparticipants.

Informationisofhighvaluetocybercriminalsandcyberterrorists.Therefore,measurestoreduce the risk of data leaks and their consequences should be taken. Thesemeasuresshouldnotonlycomefromregulation,butplayersengagedinFintechactivities(includingfinancial institutions) should proactively take proper security and privacy measures tomitigate these risks. In this regard, all companies should be subject to equivalentsupervisoryrequirements.

1.5 Whatconsumerprotectionchallenges/riskshaveyouidentifiedwithregardtoartificialintelligence and big data analytics (e.g. robo-advice)?Whatmeasures, do you think,shouldbetakentoaddresstheserisks/challenges?

One of the main differences of these applications comes from the different way therelationshipisestablishedwiththecustomer,whicharisessomechallenges:

- Thenewchannelmusthaveaclearandunderstandablelanguageandthewaytheinformationisgatheredneedtobeveryuser-friendlyinordertoensuretheclientsbetterunderstandtheirinvestmentsandtheirrisks.



-Anotherchallengeishowtostructuretheconsentandprocessingpurposesinformationrequirementsforprotectionofpersonaldatainregardstobigdataandtheevolutionofwhatinformationcanbeprocessedandgathered.Theclientshouldknowwhichinformationisbeinggatheredandforwhichcurrentandfuturepurposes.However,weshouldtakeintoaccountthat, inmanyoccasions, inthebigdatacontext, it isnotpossibletoknowallthefutureprocessingpurposesfromtheverybeginning.Theobligationtoinformdatasubjectsaboutthespecificprocessingpurposesshouldbeflexibleenoughtobecompatiblewithbigdata.

-Lackofconsumerawareness:Inordertosolvethecustomerunderstandingissues,someaids,tutorialsand,whenneeded,humansupport,couldbeimplementedbyproviders.Alongwith it, the compliancewithMiFID II requeriments and GDPRwill provide the suitableprotectionthatconsumersneed.

Therefore,itisimportantthatallplayersprovidingrobo-advicerespecttheseprovisions,irrespectivetheirnatureortheirgeographiclocation.Althoughrobo-advicecanreducethecosttoprovideadvice,itisimportantthatcustomersareequallyprotectedandaccesshighqualitytools.

-Regulatorybarriers:uncertaintyabout the impactofrecentregulatoryreforms(MiFID,IDD, MCD, PRIIPs) and how financial entities should apply them to automated advicebusinessmodels.

Moreover,mostAIservicesarebuiltona fewplatformsownedbybig ITcompanies.Anexcessivemarketconcentrationcouldleadtoartificiallyhighprices,limitedaccesstothoseservicesbysomeconsumersand/orunbalancedcommercialrelations.Moreover,decisionstakenbyAIsystemsinvolvemechanismsandprocedures,therationaleofwhichisdifficultor impossible to understand by humans. Consequently, AI could be taking into accountdiscriminatoryparameterswithouthumansbeingabletodetermineit.

Inordertokeeptheserisksundercontrol, it is importanttoensuretheenforceabilityofcurrent regulations on consumer protection, antitrust, privacy, discrimination, etcwhenusingAI.

Socialmediaandautomatedmatchingplatforms:fundingfromthecrowd

1.6 Are national regulatory regimes for crowdfunding in Europe impacting on thedevelopment of crowdfunding? Please elaborate on your reply towhether there arenationalregulatoryregimesforcrowdfundinginEuropeimpactingonthedevelopmentofcrowdfunding.Explaininwhatway,andwhatarethecriticalcomponentsofthoseregimes.

The existence of divergent approaches among national frameworksmight fragment theinternalmarketby limitingtheprovisionofservicesacrossMemberStatesandmayalso



create legal uncertainty as towhat rules apply towhich forms, potentially harming thegrowthofcrowdfundinginEurope.

TheCommissionshouldfostertheharmonizationofregulationinordertominimizeriskstobothconsumersandinvestors,andalsotoensurealevelplayingfieldbetweenfinancialand non-financial institutions (e.g. not all crowdfunding companies make the averagedefaultrateavailabletoinvestors).Futureregulationoncrowdfundingshouldalsoaimtoeliminateanypotentialasymmetriesbetweenfinancialandnon-financialplayers(e.g.KYCandAMLrequirements).

Equity-basedcrowdfundingandcrowdlendingareregulatedinSpain(CNMV),andinthecaseoflendingormodelsinvolvingpaymentsservices,authorizationbytheBankofSpainis required. Consumer protection is at the heart of this legislation and discriminatesbetween accredited or non-accredited investors. We believe this regulation offer moreguarantees for both participants and investors than others across EU, although there isalwaysroomofimprovement.

1.7 HowcantheCommissionsupportfurtherdevelopmentofFinTechsolutionsinthefieldof non-bank financing, i.e. peer-to-peer/marketplace lending, crowdfunding, invoiceandsupplychainfinance?

Rules should be put in place to establish minimum requirements, oversight and thereinforcement of the guarantees to crowdfunding investors that will give greater legalcertaintytothesetools.

Activityshouldbesupervisedonadailybasis.Servicesthatentailsimilarlevelsofrisktothoseinherenttothebankingindustry(eitherfinancialstability,cybersecurityorinvestorprotection)shouldhavethesamelevelofsupervision.

Intermsofconsumerandinvestorprotection,webelievethatthisactivitymustprovidethesamelevelofprotectionastheexistingbankingrules(MIFIDII,ConsumerCreditDirectiveorMortgage Credit Directive). Ifwewant a sound crowdfunding ecosystem to develop,retailconsumersandinvestorsshouldnotbearmorerisksthantheyarewillingtotakeasaninformeddecision.

TheCommissioncouldalsocontributetospreadingstandardsdevelopedbytheindustryatnational and European level, improving transparency and sharing best practices. Thisapproachshouldaimatimprovingtheinformationprovidedbyusers(bothprojectownersandcontributors),protectingcontributorsfromfraudandensuringanadequatecomplaintmechanism. An example of this is The Code of Conduct developed by The EuropeanCrowdfundingNetworkforitsmembers.

1.8 Whatminimumleveloftransparencyshouldbeimposedonfund-raisersandplatforms?Are self-regulatory initiatives (as promoted by some industry associations andindividualplatforms)sufficient?



At aminimum, themeasures provided for in the Spanish banking legislation regardingconsumer protection and transparency and conflict of interest should be articulated toprotectusers,especiallyretailinvestors.Weunderstandthatinthiscaseself-regulationisnotenoughtocoverallthenecessaryaspectsinthismatter.

Moreover,aclearallocationpolicyshouldbeestablishedinordertominimiseinformationasymmetries:

- Investorsshouldhavetherighttoaccesstheinvestmentopportunitiesatthesamespeedthantheinstitutionalinvestorsortheplatformpromoters.

- There shouldalsomake sure thatnoparticipanthas access tomore informationthantherest.

- Thepromoterofaplatformshouldnotbeabletoinvestinordertoavoidtheuseofunbalancedaccesstotheinformation.

- Everyparticipantinaplatformshouldknowwhoisinvestingsignificantlyinit.- Thereshouldbethesametransparencythanforsmallcapsissuances

On the other hand, as p2p and b2p lending platforms engage in lending, this type ofplatformsshouldbemeasuredintermsofcapitalandreservessufficiencybytaking intoaccounttheprincipleofproportionality.

As mentioned before, self-regulated initiatives are often not sufficient to guarantee asymmetryofinformationbetweenfundingsuppliersandconsumers.

Sensordataanalyticsanditsimpactontheinsurancesector

1.9Canyougiveexamplesofhowsensordataanalyticsandothertechnologiesarechangingthe provision of insurance and other financial services?What are the challenges to thewidespreaduseofnewtechnologiesininsuranceservices?

1.10Aretherealreadyexamplesofpricediscriminationofusersthroughtheuseofbigdata?Pleaseprovideexamplesofwhatarethecriteriausedtodiscriminateonprice(e.g.sensoranalytics,requestsforinformation,etc.)?

**

1.11 Can you please provide further examples of other technological applications thatimproveaccesstoexistingspecificfinancialservicesoroffernewservicesandoftherelatedchallenges? Are there combinations of existing and new technologies that you considerparticularlyinnovative?

Bigdataanalyticsandartificialintelligencearetechnologieswithagreatpotentialtofurtherexpandtheaccesstofinancialservicesbyloweringthecomplexityandthecostsassociatedtocertainadvisoryandcreditscoringservices,forexample.

Other technologiesmight be used to reduce the complexity of interactingwith financial



servicesproviders.Inthissense,behavioralbiometricsisapromisingfieldthatwillallowforaseamlessuserexperiencethatpreservesahighlevelofsecurity.

Althoughdigitalplatforms(includingtheso-calledsharingeconomy)arenotadisruptivetechnology in theirself, this innovative business approach makes use of availabletechnologies suchas thepublic cloudormobile to reduce informationasymmetries andexpandmarketstopreviouslyunservedorunderservedsegments.

WewouldalsoliketohighlighttheopportunitylyingintheuseoftechnologytoimprovefinancialliteracyamongEuropeancitizens.Inthissense,informationaldashboardsfedbyanalyticenginesandadvisoryandpredictivemodelswillletconsumersandcorporationstakebetterfinancialdecisions.



2. Bringing down operational costs and increasing efficiency fortheindustry

2.1 What are the most promising use cases of FinTech to reduce costs and improveprocessesatyourcompany?Doesthisinvolvecollaborationwithothermarketplayers?

We believe that some of themost promising use cases are those related to DLT, CloudservicesandArtificialIntelligenceandDataanalytics.

Cloud computing services mean clear improvements in terms of cost efficiency. Cloudcomputing already allows for greater scalability, more flexibility and shorter time-to-market when innovating. Cloud computing is also behind the recent APIfication trend,wherebyinfrastructure,platformsanddataservicescanbeofferedtointernalorexternaldevelopersinanextremelyconvenientway.

In thecaseofAI, inaddition to itsbenefits in termsofmore tailoredproductdesign forcustomers,asprocessesaredigitized,thereisalsoanimprovementinefficiency,replacingsomeofthelessefficienttaskscarriedoutbyhuman(suchaasservicing,contracting,..).

Distributed Ledger Technologies may also boost liberation of resources and systemdecommissioning mainly in middle office and back office processes. Reporting andReconciliation processes are clear examples of this. Additionally, smart contracts thatoperateautomaticallywillrequireminormanualintervention,whichwilltranslateintocostefficiencyandatthesametimemorerobustprocesses.

Biometric authentication technologies also are very much appreciated as they canaccelerateallonboarding,digitalsignatureandevenKYCprocesses.

Another field where costs can be significantly reduced, and processes improved, isregulatorycomplianceandreporting.So-calledRegtechcanbeconsideredasasubsetofFintechaimingattheresolutionofexactlytheseissuesthroughtheapplicationofbigdataanalytics,AI,biometrics,DLTsorcloudcomputing,tomentionsomerelevanttechnologies.Thisisafieldinwhichcertainstart-ups,aswellasincumbenttechnologyfirms,areactivelycooperatingwithfinancialinstitutions.

Cooperationwithsmallerfirmsisoftenconstrainedbycontractualcomplexity(especiallywhen transferring data across borders or outsourcing infrastructure to public clouds).Regulatoryandsupervisoryobligationsoftenmakeexcessivelycomplexforbankstoengagewithinnovativestart-upsthatdonothavetheresourcesortheexpertisetodevelopriskcontrol frameworks. EU-wide regulatory frameworks are desirable for this kind ofcooperativeapproachestoo.

2.2Whatmeasures(ifany)shouldbetakenatEUleveltofacilitatethedevelopmentandimplementationofthemostpromisingusecases?HowcantheEUplayitsroleindevelopingthe infrastructureunderpinning FinTech innovation for thepublic good inEurope, be it



through cloud computing infrastructure, distributed ledger technology, social media,mobileorsecuritytechnology?

The Commission's first and foremost role should be to develop a policy framework forinnovationstothrive intheDigitalSingleMarket for financialservices.Thisextendstoaregulatory framework thatunderstandsandembraces theprofound transformation thatthefinancialservicesindustryisfacing.Thismarket-drivenapproachhasofcoursecertainshortfalls,hencetheCommissionshouldensurethatEurope'sgeostrategicautonomyandeconomiccontinuityispreserved.

The EU should be active in facilitating the development and implementation of digitalfinancialtechnologies.ItshouldhelptheEuropeanplayerstodevelopdigitalsolutions,sothattheEUislessdependentoftechnologyprovidersfromabroad,suchasinthecaseofCloudservicesorCybersecurity.

Respecting the principles announced by the Commission of technological neutrality andmarketintegrity,someofthemeasuresintheareasidentifiedabovewouldbe:

Incloudcomputing,theEUcouldplayarolein:

• Adjustingtheregulatoryenvironmenttothedigitalreality:weobservethatthelegalandregulatory constraints and the higher compliance risk derived from the use,management and storage of customer information constrain the adoption of cloudservicemodelsbyastrictly(andcomprehensively)regulatedbankingindustry.Itisvitalto adopt measures to support the creation of a clear and consistent regulatoryframework at an EU and Global level, and guaranteeing a proportionate risk-basedapproachtoduediligenceandcontractsbetweentheCloudServicingProviders(CSPs)andthebankingsector.Forinstance,thefinancialregulationonoutsourcingintheEUimpliesthatbanksshouldinformthefinancialsupervisorex-anteofeachcloudprojecttobelaunched.Thishastobe done on a case by case basis, increasing time to market and impeding banks toinnovatefaster.

• Harmonising regulatory approaches across different jurisdictions. The variation inapproachtocloudcomputinginfinancialservicesbyvariousnationalregulatorscreatesinefficiencies,particularly for institutionsoperatingwithaglobalpresenceandglobalcustomers.

ConcerningDLT, thekey isa favourableregulation inplace inordertodevelopdifferentprojectswithasafetynet.There isalso theneedtohavenetworkeffect.Theauthoritiesshouldbeprovidingtheframeworktodevelopsuchnets.Inouropinion,itisbettertoopenaflexibleframeworkforthetechnology,butwithoutimposinggeneralregulationsthatalsoincludedataprotection(righttobeforgotten,privacy).

The EU should create spaces for safe market testing of consumer-oriented innovationswithout incurring in the entire regulatory burden (prudential, data protection,cybersecurity). This “regulatory sandbox” approach would allow innovators to reduce



regulatory uncertainty and to test commercial viability before building a fully-fledgedcompliancestructure.Ontheotherhand,authoritieswouldbeabletolearnanddeterminetherisksassociatedwithstate-of-the-artinnovationsfromearlystages.

Cybersecurity is one of the key areas that the EU should strengthen, and regulatorysandboxescouldalsocontributetothisgoal.Moreover,theuseofinternationalrecognizedstandardsoncybersecuritywouldhelptocreateatleastaminimumbaselineforallplayersintheindustry.Thisnewcertificationor labellingsystemshouldbeprinciple-based.TheNISDirectiveisalreadypushingthisideabutitsscopedoesnotincludeallrelevantplayersintheindustryorinothersectorstoo.

Finally,developingoracquiringtherightdigitaltalentandskillswithintheCommissionisthebestwayforwardforEuropeanpolicymakingtokeeppace.

2.3WhatkindofimpactonemploymentdoyouexpectasaresultofimplementingFinTechsolutions?Whatskillsarerequiredtoaccompanysuchchange?

Thedigitalisationunavoidablybringsachangeinskills;someoldjobsmaydisappearandothernewoneswillappear,theneteffectnotbeingnecessarilynegative.Moreover,fintechis likely to create greater dispersion in financial services-related employment as newplayersemerge.

Bankswillneedtoimplementlarge-scalecareerchangeprogrammesfortheirpersonnel,inorder to respond ina flexiblemanner to thenewdigitalworld.Employeeswith specificcompetences on ICT, science, technology, engineering andmathematics are likely to berequirednotonlybybanks,butalsobytherestofthefirms,andsurelybypolicymakersandsupervisorstoo.

Itisimportanttonotethatthecurrentprudentialrequirementsimposedtobanksconstrainthe variable remuneration that an employee within a bank can receive; also affectingspecialists who do not perform risk taking activities, but are crucial for the digitaltransformation, which makes very challenging to retain their talent (see response toquestion3.1).

RegTech:bringingdowncompliancecosts

2.4 What are the most promising use cases of technologies for compliance purposes(RegTech)?Whatarethechallengesandwhat(ifany)arethemeasuresthatcouldbetakenatEUleveltofacilitatetheirdevelopmentandimplementation?

RegTech has the potential to transform the way financial institutions comply with theregulatoryenvironment.Someofitsmostpromisingusecasesare:

• Theapplicationofdataanalyticsandtheso-called“bigdata”canidentifypotentiallyhighriskcustomersandcanbeusedtoreducecompliancerisks inareassuchasanti-money laundering. They also could make information more accessible andeasilysearchabletoregulators.Andincombiningthemwithartificialintelligence,



could allow firms to reduce market risk through more precise modelling andforecastingofmarkettrendsandsentiments.

• Distributed ledgers can provide for the development of more efficient tradingplatforms and payments systems, as well as providing more transparentinformation sharing between financial institutions and regulators, which couldallow firms to reduce operational costs and provide regulators with greatertransparencyandriskreduction.

• Regulators have pointed to cyber-risk as one of the most important threats tofinancial stability. The use of encryption can have the potential to reducecybersecurityriskbycreatinganotherlayerofsecuritytodata.

● The introduction of biometrics for the identification of clients, followingKYC/AML/CFTlegalrequirementsalsomayimproveidentitymanagementandanti-fraudprocesses.

● Technologies such as robotics, sentiment analytics, or artificial intelligence toidentify patterns can be used to automatically monitor compliance with thecompany's policies and procedures, laws and regulations by allmembers of theorganisation by contributing to a better compliance of the customer protectionprocesses.

OneofthechallengesrelatedtotheintroductionofRegtechishowtoreducetheregulatoryuncertainty (due inpart to the stillunfinished regulatoryagenda)and toharmonise theproceduresandstandardizeinformationdemandedbydifferentauthorities,whichmakesregulatoryreportingextremelyburdensometoday.

AnotherchallengeisthefuturedevelopmentofRegTechitself;asitisquiteanimmaturemarket,itishardtopredicthowtheecosystemwillevolve.Thismightleadtodoubtswhenoutsourcing inRegTechcompanies,as there isstilluncertaintyregardingtheirefficiencyandacceptancebyregulators.Currently,thereisapromisetoleverageexistingsystemsanddatatoproduceregulatorydataandreportinginacost-effective,flexibleandtimelymannerwithouttakingtheriskofreplacing/updatinglegacysystems.However,thisisonlyafirststeptowardsamoreambitiousvisionondata-leddynamicregulation.Bigeffortsarebeingmadeonpredictingcomplianceproblemsthroughtheuseofadvanceddynamicanomalyand pattern response systems, prediction markets alongside statistical systems, andautomatedsurveillance.

Recording,storingandsecuringdata:iscloudcomputingacosteffectiveandsecuresolution?

2.5What are the regulatoryor supervisoryobstaclespreventing financial services firmsfromusingcloudcomputingservices?

Thecurrentregulatory/supervisoryframeworkgoverningoutsourcingisanobstacletothegreateruseofcloudcomputingservicesbybanks.Itisnotupdatedsince2006andnotadaptedtothecloudcomputingtechnology.Inthisregard,wewelcometherecentlaunchofapublicconsultationondraftrecommendationsoncloudoutsourcing.



Datacontrollersneedtofullyunderstandandbeaccountableforthedataandassociatedrisks (cross border, data flows to subcontracted third parties, etc) when they use theservicesofcloudservicers.Moreover,cyber-securityisoneofthemostimportantprioritieswithregards to theuseofcloudcomputingservices.Cyber-attacksareaconstant threatnowadays, and the security measures provided by cloud computing services providers(CSPs)muststayuptothenecessarylevelofsecuritystandards.SecuritymeasuresbyCSPsshouldbeasdevelopedasfinancialsectorcompaniesexpectandneedthemtobe.

Another element is the lackof harmonisation in regulatory and supervisory approachesacross different jurisdictions. Some institutions have started the migration of bankinginformationtothecloudandtheyfacetherearenotaspecificframeworkunderwhichthisshouldoperate.Thisisleadingtosomeuncertaintyamongbanksandanextraeffortfromthesideofsupervisors.Currentlytheresponsehasbeendifferentdependingoneachlocalsupervisoryauthoritythathasissueddifferentrequirements.Ithasledtosituationssuchasthatasolutionthathasbeendevelopedinonecountryandmigratedtothecloudunderthesupervisionofadeterminednationalauthoritycannotbeusedinothercountries,asitshouldbetailoredtodifferentrequirements.

Here,again,weseetheneedforsupervisorsandregulatorstogetstaffwithknowledgeonthis technology in order to allow for informeddecisions to be taken at supervisory andregulatorylevel.

In the case of Spain, Circular 2/2016Bankof Spain, deriving fromEU2013/36/EUand575/2013 Regulation, is an obstacle to awider andmore agile use of cloud computingtechnology,ascloudprojectsapprovalcouldtakeuptoamonthorevenlongerifthereareinternationaldatatransfers.

On theotherhand, there isaneed tospeedupcloudadoption in theEU.TherearealsocertainoverlapsbetweenECB/EBAanddataprotectionauthoritiesasregardshowbanksprocesspersonaldataandsafeguardsmeasurestobetakenatthisrespect.

DoesthiswarrantmeasuresatEUlevel?

WebelievethattheEuropeanCommissioncouldfocusoneffortsthatsupportthecreationofaclearandconsistentregulatoryframeworkatanEUandGloballevel.Thevariationinapproach tocloudcomputing in financial servicesbyvariousnational regulators createsinefficiencies,particularlyforbanksoperatingwithaglobalpresenceandglobalcustomers.

TheEuropeanCommissionshouldinstructtheEuropeanBankingAuthority(EBA)andtheEuropeanNetworkandInformationSecurityAgency(ENISA)toprioritiseharmonisationacross jurisdictions through the fast adoption of guidelines or an update of existingguidelinestoensureacommonapproachbyregulators/supervisorsregardingproceduresandmethodologiesandcloudprojectsapproval.Apositivestepwouldbetodevelopsomeinternationallyrecognizedstandardsforthesector,takingintoaccountthealreadyexistingstandards,andthattheprovidersarerequiredtoreachthisasaminimumlevel.Theworkcanbedonetogetherwithstandardizationagencies(suchasISO)thatcould latercertify



that the providers reach at least the minimum conditions, including cybersecurity andprivacy.

In terms of cyber-security, regulators need to be aware of risks arising from weak ITsystems.Inthisregard,cyber-securitycannotbetreatednorregulatedwithproportionalitycriteria.Cyber-attacksmustbepreventednotfromthelargestcompanies,butfromallofthem. As the European Parliament stated in its recently-approved FinTech Report, “aconnectedsystemisonlyassafeasitsweakestelement”,andduetotheinterconnectednessofthefinancialsector,itwillbecriticalthatallCSPsensurethesamelevelofcyber-security.

Moreover,theCommissionshouldcontinueitspositiveworkunderitsFreeFlowofDataInitiativetoremoveunnecessarydata localisationrequirements,exceptwherenecessaryforlegitimatepublicinterestreasons.

2.6 Do commercially available cloud solutions meet the minimum requirements thatfinancialserviceprovidersneedtocomplywith?

Yes,ingeneralterms,butitvarieswidelybetweencloudservicesproviders.Thebigcloudservices providers alreadymeet the security requirements established by internationalrecognizedstandardssuchasISO27001,NIST,PCI,andtheyevenhaveSOC2reportsbasedonSSAE16toassurecompliance.

Thedoubtsaboutdatalocalisationandprivacy–sincemostofthecloudservicesproviderscomefromoutsidetheEUwithdifferentregulations–hindertheiruse.

Bankshavetotakestepstodemonstratethataregulatorcanexercisearightofeffectiveaccess to data and to the business premises of service providers processing that data.However,thephysicalaccesstopremiseshostingthecloudinfrastructureisoftenapointoftensioninnegotiationswiththecloudservices.

Morebroadly,banksmustdemonstratethattheyareusingserviceprovidersthatcommittoco-operatingwithregulatorsinconnectionwiththeoversightofthecloudarrangement.Were cloud services providers required to comply with standards that foresee theserequirements,itwouldbeeasierforbankstocomplywithsupervisorydemands,asthesetermswouldnothavetobenegotiatedineveryindividualcontract.

Shouldcommerciallyavailablecloudsolutionsincludeanyspecificcontractualobligationstothisend?

Cloud solutions are a special type of IT contract that blends technology provisions andoutsourcing services.Therefore, contracts governing cloud services shouldbedrafted inaccordance with the regulation on those fields, in addition to the applicable financialregulation.

If the EBA/ECB undertake the homogenisation process of the different requirementsneededforthefinancialsector(includingcybersecurity,dataprotection,physicalsecurity,business continuity, right to audit, etc), then commercially available solutions should



include all the parameters in the contracts. In this regard, we expect the discussionaround the recent EBA draft recommendations on cloud outsourcing to improve theharmonizationwithintheEU.

HenceacommonregulatoryframeworkshouldbedevelopedsoastofacilitatecompliancewithacommonlyunderstoodsetofminimumrequirementstooperateinEurope,translatedinto a core of minimum contractual arrangements to be included in all contractualrelationshipsbetweenCSPsandtheirusers,certainly:

o ThatalldatastoredinCSPs’ infrastructuresare located,treatedandprocessedintheEEAzone,includingwhencloudcomputingservicesaresubcontracted.

o ThatCSPsallowtheiruserstoundertakeeveryoperationalortechnologicalcontrolsrequiredbyinternalpoliciesandprocesses,aswellaseveryrequirementregulatorsmayaskinthefuture.

o ThatalldatastoredinCSPsisencrypted.o ThatCSPscomplywithalldataprotectionandprivacyrules.o ThatCSPsobtainandmaintaineverycertificationrequiredbyspecificregulatororbodygoverningcloudcomputingservices.

o That CSPs ensure cloud users to undertake continuous monitoring activitieswhenevernecessary,aswellasvirtualorongoingaudit.

o ThatCSPsmustreportanyITorcybersecurityincident,inparticularwhenthedatabreachcouldbeidentifiedasthatpertainingtoaspecificclient,toboththeirclientsandtheirsupervisors,andthattheywillensurethat incidentreportingdeadlinesaremetbytheirclients.

o ThatCSPshaveabusinesscontinuityplanforeveryclient,soastoensurethelatterareabletoswitchproviderswhenevertheydeemnecessary.

o Thatusersofcloudcomputingservicesholdtherighttoextractdataanytime.

Disintermediatingfinancialservices:isDistributedLedgerTechnology(DLT)thewayforward?

2.7WhichDLTapplicationsarelikelytoofferpracticalandreadilyapplicableopportunitiestoenhanceaccesstofinanceforenterprises,notablySMEs?

Some of potential applications of DLT to financial services are those listed in theCommissionconsultation.Therearenumerousotherpotentialapplicationstoo,thathavebeenwidely publicised, for example, cross-borderTrade Finance, Supply Chain Finance,Bank reference data orMicropayments, B2B andP2Ppayments instantaneously settled,thatwebelievetheycanimpactenterprisesandespeciallySMEs,notonlyintermsofaccesstofinance,butalsointhewaytheydobusiness.

2.8WhatarethemainchallengesfortheimplementationofDLTsolutions(e.g.technologicalchallenges,datastandardisationandinteroperabilityofDLTsystems)?



Itisextremelydifficulttoassessthoroughlytheimpactoftheblockchain/DLTinfinancialinstitutionsservices.Itseemsclearthatsuchnewtechnologywouldhaveastrongimpactoncosts in technologyrenewand itwould leadtoadeepreshapeof training,processes,standardsandbusinessmodels.

Forsuchreasons,wethinkthatthefollowingmainareasshouldbeaddressed:

- TheGovernanceframeworkformigrationtothenewtechnologyatindustrylevel(rules governing the interactionof participants, capital requirements, conduct ofbusinessrules,riskmanagementprocesses,remunerationmodel,reversibilityrulesincaseofmistakesorfrauds)

- Issues related to privacy (for financial services the client and transaction data’sprivacyisofparamountimportance)andtheidentityofparticipants;

- Thetechnologicalneeds(scalabilityandinteroperability);- Thedefinitionofthestandardstobeusedforthedifferentbusinessareas;- Andaboveall thedefinitionofageneral legal framework(dealingalsowith legal

enforceabilityofsmartcontracts).

2.9Whatarethemainregulatoryorsupervisoryobstacles(stemmingfromEUregulationornationallaws)tothedeploymentofDLTsolutions(andtheuseofsmartcontracts)inthefinancialsector?

Althoughwerecognizethepotentialofthisnewtechnology,weshareESMA’sviewthatanyregulatorymeasureforDLTwouldbeprematureintheshorttime.Atthisstage,acautiousapproachontheDLTtechnologiesisadvisable,sinceitisnotcompletelyclearyettheimpactofthesetechnologiesonbanks’services.

Havingsaidthis,weconsiderthatthepotentialusesforDLTarenumerousanddiverseandconsequently,theadoptionofa“onesizefitsall”regulatoryframeworkforDLTwouldn’tbeeffective.Hence,anyregulatory-approachshouldfocusonthefinancialactivitythatutilizesDLT,andnotonlyonthespecifictechnology.

As in other areas mentioned in this Consultation, we think that divergent regulatoryapproachestoDLTacrossthedifferentjurisdictionsmayhindertheadoptionofDLTinanoptimallybeneficialway.To this extent, cooperationand internationalharmonisation toenableaneffectiveandfacilitativeDLTframeworkwouldbedesired.

Someofthemainobstaclesinordertoenableprojectstodevelopfurtherare:

• Thelegaldefinitionofsettlementfinality• Thegeographicallocationwheredataisphysicallystored• Theregulatorydefinitionandtreatmentoncashontheledger

Outsourcingpotentialtoboostefficiency



2.10 Is the current regulatory and supervisory framework governing outsourcing anobstacletotakingfulladvantageofanysuchopportunities?

Aswehavealreadymentioned,thereisaneedtoupdatetheframeworkonoutsourcing,sothatitisadaptedtothecloudcomputingtechnologytotakefulladvantageofthebenefitsderivedfromtheuseofthecloudandinthisregards,wewelcometherecentlaunchoftheEBA’spublicconsultationondraftrecommendationsoncloudoutsourcing

Moreover,therearecertaincaseswherethesupervisorypracticescanactasbarrierstoo,especially when the service to be outsourced could be considered essential. Regulationimposesaburdensomeprocess for financialoutsourcingapprovalandthere isaneedtobringefficiencytothisprocess

2.11Aretheexistingoutsourcingrequirementsinfinancialserviceslegislationsufficient?

Yes,althoughtheyhavetobeupdatedtogetherwiththedesiredharmonisationofcriteriaamong the different Member States and the correction of overlaps between the dataprotectionauthorities(DPAs)andtheECB/EBAregardingdatause.

2.12Canyouprovidefurtherexamplesoffinancialinnovationsthathavethepotentialtoreduceoperationalcostsforfinancialserviceprovidersand/orincreasetheirefficiencyandoftherelatedchallenges?

• Blockchainusecases• DigitalIdentitysolutions.Banksastrustprovider.Complianceobligationsrelatedto

integrity (i.e.KYC,AML, etc…) couldbemore efficient if therewere a regulatoryframework that allowed public/private institutions (indistinctly) to provideKYCservices.Thisframeworkshouldincluderules,datastandards,andcontrol&auditingsystems.Thistypeofservicewouldreducetheredtapeofnecessarydutiestoperformduediligencesandensurethattechnologiesandprovidersmeetalllegalrequirements.Inthisregard,technologiesalreadymentionedinthisconsultation,suchasbigdataorcloud,couldhelptoimproveprocesses.

• Artificialintelligence(AI)andDatatoenhancecustomersegmentationandbeabletoprovidebettercustomerserviceandproducts(forexample,contactcentertoolsorlendingengines).



3.Makingthesinglemarketmorecompetitivebyloweringbarrierstoentry

3.1WhichspecificpiecesofexistingEUand/orMemberStatefinancialserviceslegislationor supervisory practices (if any), and how (if at all), need to be adapted to facilitateimplementationofFinTechsolutions?

Thenewdigitalera is transforming thewaybanksdobusiness.However,bankscannotembracethischangeifregulationdoesnotadapttothenewdigitalenvironmentwiththeappropriatechangesandspeed.Thisisimportantbecause,aboveall,thismeanscarryingoutaneffortbyregulatorsandsupervisorstoshortendeadlinesandminimizebureaucracytoallowtheadoptionofnewtechnologieswiththeminimumbarriers.

Aholisticapproachtounderstandchangesinbusinessisneededtobeadoptedbyregulatorsand supervisors, which requires effort in terms of human resources, training andtechnology.Also,inordertofosterinnovationandbetterunderstanditsbenefitsandrisks,it is crucial that the public sector invest in secure places where incumbents and newentrantscouldtrythenewtechnologies(i.e.sandboxes)withminimumcostsforall.

Intermsofspecificregulation,webelievethatmuchremainstobedoneinthefollowingareas(notcoveredspecificallyinothersectionsofthisConsultation):

-Softwareanddigitaltalent:

Bankswillingtobecomedigitalneedtoinvestheavilyintwocriticalareas:softwareanddigitaltalent.However,theprudentialregulationinforcepenalizesbothareasindifferentwaysandimpedestechnologicalneutrality.

Software has become a key asset for businessmodels of banks thatwant to undertakedigitalisation.SoftwareinvestmentsarepenalizedinthecaseofEU-basedbanks,whereitscapitaltreatmentasanintangibleassetcausesittobefullydeductedfromCoreEquityTier1 (CET1) when calculating capital requirements (Article 4. CRR). This undoubtedlyrepresents a disincentive to invest in technology and, in turn, an element of clearcompetitive disadvantage for European banks vis-à-vis their peers, e.g. Americans, andothernewentrants.

Ontheotherhand,therecruitmentandretentionofdigitaltalentinbanksisalsoaffectedbyEuropeanprudentialregulation(CRDIV),whichlimitsthevariableremunerationthatanemployeecanreceive.Thislimithindersbanks’abilitytoattractandretaindigitaltalentforwhichbankscompeteagainstplayersthatarenotsubjecttotheserules..Tosolvethisissue,remunerationrulesshouldbeappliedinaproportionalmannersuchthatnon-significantsubsidiaries of banking groups canbe assessedon a stand-alonebasis. Furthermore, anexception(waiver)toremunerationcapsshouldbeincludedfordigitalprofessionalsandthe foundersandmanagement teamsofacquiredstart-ups.TheseamendmentscouldbeintroducedintherevisiontotheDirective(CRD5),andshouldbeimplementedconsistentlyacrossjurisdictions.



-Data:

Equality of conditions in the use of data for the provision of financial servicesmust beachieved both at European level, for all types of financial enterprises (banks and non-banks),andbetweenEuropeanandnon-Europeanfirms.

TheEuropeanrulesor initiativesthatregulatethedataandtheirexchange(PSD2,GDPRandtheFree-flowofdatainitiative)shouldbedevelopedinamannerthatisbalancedtoallmarketparticipantsandguaranteethatplayersareallowedtoextractvaluefromtheworkthey perform with data, while preserving data protection and the privacy rights forconsumers.

Ontheotherhand,stricterEuropeanrulesshouldnotinhibitEUfirms’abilitytoinnovate,tooperatedynamically,touseinnovativedataservicesandtodirectservicestotargetedmarketsegmentsiftheircompetitorsfromoutsidetheEUcanserveEuropeancustomerswithoutsimilarrestrictions.

-Electronicidentification:

Digital identity frameworks are currently not sufficiently developed and regulatoryfragmentationacrossEuroperegardingdigitalidentityremainsabigobstacletoreapthebenefits of the digital financial services. Therefore, the development and properimplementationofnewdigitalformulas,fast,simpleandsafethatallowtheidentificationandremoteaccessofcustomersbyelectronicmeansshouldbepromoted.

TheElectronicIdentificationandTrustServicesRegulation(eIDASRegulation)createsaninteroperabilityframeworkforthenationaleIDsystemstoberecognizedbypublicbodiesacrosstheEU.However,itleavesituptoMemberStatestodefinethetermsofaccesstotheonline authentication of eIDs for the private sector. This gap should be addressed bycreating a clear framework for the private sector to use national eID systems. Thisframework should clear out the liabilities in caseof vulnerabilities,misuse, fraud, cyberattackscausedonwhateverentityisactingasthecentralidentityholder..

Thereisalsoaneedtoensureaconsistencyintheimplementationofthe4thAMLDacrossMemberStatesdueto,inrelationtoelectronicidentities;someEUMemberStatesallowtheuse of non-face-to-face identification for customers bymeans of videoconference,whileothersdonot.

Alternativemethodsfore-identification(suchasbiometry)shouldalsobeallowed

3.2WhatisthemostefficientpathforFinTechinnovationanduptakeintheEU?Isactiveinvolvement of regulators and/or supervisors desirable to foster competition orcollaboration,asappropriate,betweendifferentmarketactorsandnewentrants?

Yes.Currentlythereareasymmetriesandunbalancesbetweennewentrantsandbanks,andalso between countries. Regulators should try to create a level playing field, namely byreducing restrictions applicable to incumbents to the same level established for new



entrants,insomecases,orbyensuringthenewFintechfirmsundertaketheiractivitywiththesamelevelofrequirementsintermsoftransparencyandconsumerprotection.

AstheFintechworldevolvesatahighspeed,regulatorsshouldalsomonitortheemergingrisksandtakeactionwhenneeded.Moreover,thefinancialinnovationshelptoimprovethequality and variety of banking services, complete the market and improve allocativeefficiency.Therefore,given itsexpectedgains, it isnecessary tocreatea framework thatenablesinnovationtoreachEuropeanconsumers.Inthisstrategyitisnecessarytoopenadialogue and collaborationbetween the industry and the supervisory agents.The activeinvolvementofthevariousprivateproviders,regardlessoftheirsizeornature(i.e.banks,technologycompanies,serviceprovidersorstart-ups)shouldbeallowed.Thisconversationwillleadtoalearningprocesswhereallstakeholderswillbeabletounderstandtheneedsandrequirementsofeachother,allowingthemtobettermanagethenewtypesof issuesthat might arise in the most efficient manner, while preserving financial stability andensuringcustomerprotection.

Webelieveoneofthemostefficientwaystoachievethisis,undoubtedly,thedevelopmentof Regulatory sandboxes, which are secure places for experimentation and testing thatprovide very useful information not only for participants, but also for regulators andsupervisors to monitor innovation in the financial system and increase a healthycompetition,ensuringanongoingdialogueandcollaborationbetweentheindustryandthesupervisoryagents,asthetechnologicalinnovationrunsveryfast.

Finally, although regulation is a key part to allow financial entities to embrace thetechnologicalchange,inmanyareasmaybemoreappropriatethedevelopingofstandardsandtools.

Regardingtheissuewhethertheauthoritiesshouldfostercompetitionorcollaboration,bothapproachesaredesirableandshouldcoexist,asFinTechsolutionscaneitherimprovecurrentprocessesorprovidenewproductsandservices.

FinTech companies, both incumbents and start-ups can also be supported throughnon-regulatoryinitiativesinacasebycaseapproach,suchas:

- taxoptimizationofstartups(costs/employees/insuranceetc.)

- simplifyandsupportthewayoffinancing(crowdfunding,venturecapital,privateequity,etc.)

- simplifyandsupportformsofcooperationwithorganizations(corporations)

- supportEUfunds/cooperationcountrieswithorganizations(POCco-financing)

- Clustersfordevelopmentofnewtechnology

- Supportofpublicsector(alsothroughfundingprogrammesandR&D)

- patent/trademarksimplification(longandcomplicatedregistrationprocess)



- accesstoknowledge(facilitateuniversityR&Dtobesupportedbyprivatesector)

- publicinfrastructure(publicclouds,cybersecurityservices…)

Analternativewaytohelpfintechs,differentthanloweringsecurityrequirements,islettingthemusetheinfrastructurefromtheincumbents.Thisshouldbedoneatapricethatactsasan incentive to keep on investing in it. There are precedents when governmentinfrastructureshavebeenopenedtootherplayers,suchasinthecaseofrailings:thishasalwaysbeendoneunderpayment.Thesamelogicshouldapplyifbankinginfrastructuresareopenedtothirdparties.

However,thedigitalspeeddoesnotprovidethemarketwithyearstowaitforarevision.Thedigitalprincipleof“fail fast, learnfast”shouldberenderedapplicable. Inachangingworld, it isnecessarytomakesurethatdecisionsarereversibleandthatauthoritiescanapplydifferentmeasurestoadjustforchange.

Thebankingsectorcannotbearallthecostsoffinancialinnovation.Soitisnecessarytofindan alternative way to support the Fintech startup ecosystem, without creating anirreversibleunlevelplayingfield.Thisshouldstartbyestablishingaregulatoryframeworkinwhichallmarketparticipantsarerequiredtofollowthesamerules.(Wecannotmakeconcessionsonconsumerprotection,onmarketintegrity,onsafetynoroncybersecurity.Ruleshave to followhighstandardsandshouldbe thesame forall). It is important thatauthorities leverage the deployment of new solutions with technological neutrality,proportionalityandintegrityprinciples,inordertocontributetoalevelplayingfieldamongallplayers.

FinTechhasreducedbarrierstoentryinfinancialservicesmarkets

3.3WhataretheexistingregulatorybarriersthatpreventFinTechfirmsfromscalingupandproviding services across Europe? What licensing requirements, if any, are subject todivergence across Member States and what are the consequences? Please provide thedetails.

In our view, the main barriers faced by Fintech new entrants to scale up and provideservicescrossborderarenotsomuchrelatedtoregulationastoitssizeandinitialcapitalinvestment.Intermsoflicensingrequirements,newentrantsandincumbentsfacethesamechallenges: despite the use of passporting, there are usually local requirements to befulfilled before offering services in a new country. Those should be streamlined for allplayerstoallowforamorevibrantecosystem.

Practicaldifficultiestocross-borderoperationsaresometimesextremelysubtle,asintherequirement of certain member states (e.g. Germany) for financial services providersoperating under passporting to use local IBAN numbers for accounthoders, which isimpossible to achieve by a company established in a different member country. TheenforcementoftheEuropeanpassportshouldbeguaranteed.Therefore,theIBANfromany



EuropeanCountryshouldnotbediscriminatedinanyEUcountry,orelseobtainingnationalIBANsshouldbeautomatic.

Aswealreadymentionedalongourresponse,webelievethatFinTechregulationshouldensurealevelplayingfieldforcompaniesengaginginsimilaractivities,withsimilarrisks,inanyEuropeancountry.Today,twomainbarrierstothisvisionarethelackofregulatoryhomogeneityacrosscountriesandthelackofEuropeanregulationsforcertainactivities.

Currently,wewitnesshowcertainEuropeancountriesaredevelopingnationalregulationsorsupervisorypracticesthatcreateinequalitieswithintheEuropeanUnion.Asanexample,theUKand theNetherlandshave launched regulatory sandboxes thatmake it easier forinnovatorstodevelopFinTechinnovationsinthosejurisdictions.

3.4ShouldtheEUintroducenewlicensingcategoriesforFinTechactivitieswithharmonisedandproportionateregulatoryandsupervisoryrequirements,includingpassportingofsuchactivitiesacrosstheEUSingleMarket?IftheEUshouldintroducenewlicensingcategoriesfor FinTech activities with harmonised and proportionate regulatory and supervisoryrequirements,includingpassportingofsuchactivitiesacrosstheEUSingleMarket,pleasespecifyinwhichspecificareasyouthinkthisshouldhappenandwhatroletheESAsshouldplayinthis.Forinstance,shouldtheESAsplayaroleinpan-EUregistrationandsupervisionofFinTechfirms?

Yes.Anyproviderof financial servicesmusthavea license thatensures the servicesarebeing provided with certain characteristics and level of quality. Also, different types oflicensesshouldbeput inplace,asking fordifferentsecurityobligations(dataprotection,transparencylevel,reporting),orcapitalrequirements,dependingontheservicesprovided.

WesupportFinTechlicensesforspecificactivitiesincludingpassporting,tofacilitatethequickdevelopmentforFintechsacrossEuropewouldbepositiveastheywouldensureabalanced framework and security in areas that are unregulated (digital assets,crowdfunding…),orthatarecurrentlyusing licensesthatarenotreallyadjustedtotheiractivities(cashonledgerregulatedaselectronicmoney).Thisway,effectivesupervisionsoftheriskscanbeensured.Wesupportthefastpassportingofsuchlicences,asitwillalsohelptoreducecostsandinefficiencies.

However,wedonotbelievethatgenericlicensesshouldbeputinplace:eachactivityentailsspecific risks, so there should be a specific licensing process performed by specializedauthoritiesandfurthercontrolledbythem

Whatiscrucialisthatplayersaresubjecttothesameregulationbecauseoftheproductsorservicestheyoffer,andnotbecauseoftheirnatureorsize.Europeanrulesshouldfocusonhowtobestmanagestability, integrityandconsumerprotectionriskswhileencouraginginnovationandhealthycompetition.

3.5 Do you consider that further action is required from the Commission to make theregulatory frameworkmoreproportionate so that it can support innovation in financial



serviceswithintheSingleMarket?Ifso,pleaseexplaininwhichareasandhowshouldtheCommissionintervene.

Yes.Technologicalinnovationinfinancialservicesshouldbeencouragedandhaveaneutralregulatory treatment regardless of the type of entity that undertakes it. Being a bankshouldn’t penalize the activities. The banking regulatory framework should not affectdigitalization.

Besides,proportionalityinfinancialservicesshouldbelinkedtoindividualrisks,notto the size of firms. Otherwise, smaller players would be better suited for disruption,creating less chances for incumbents to transform themselves, thus creating greaterfinancial instability. Consequently, European regulations should focus on how to bestmanage stability, integrity and consumer protection risks, rather than just promotinggreatercompetitionatallcost.

A particular case can be found in cybersecurity. The ICT Risk Assessments shouldbeproportional andbasedonprinciplesand international recognizedstandards suchasISO and NIST. Moreover, this proportionally should give room to the risk appetite ofeachcompany,basedonprovenevidencethattheriskhasbeenmitigatedorcontrolled.

3.6ArethereissuesspecifictotheneedsoffinancialservicestobetakenintoaccountwhenimplementingfreeflowofdataintheDigitalSingleMarket?Pleaseelaborateonyourreplyto whether there are issues specific to the needs of financial services to be taken intoaccountwhenimplementingfreeflowofdataintheDigitalSingleMarket,andexplaintowhatextentregulationsondatalocalisationorrestrictionsondatamovementconstituteanobstacletocross-borderfinancialtransactions.

Yes.TheabilitytotransferdatabothwithinandoutoftheEUisvitalforthebanks’activity,nomattertheirsizeortheirgeographiclocation.Toachievecross-borderdataflows,theremustnotberestrictionsondatalocalisation,otherwisethecompetitivenessandgrowthofEUcompaniesandtheefficiencyofitsoperatingfunctioningcanbethreatened.

Forinstance,weobservethatoneofthehindrancestoaconsistentEuropeanUnion(EU)andGlobalregulatory frameworkforCloudComputing inFinancialServices isrelatedtoregulation and domestic lawswhich establish barriers to the geographic location of thephysicalCloudComputinginfrastructure.

3.7 Are the three principles of technological neutrality, proportionality and integrityappropriatetoguidetheregulatoryapproachtotheFinTechactivities?Pleaseelaborateonyourreplytowhetherthethreeprinciplesoftechnologicalneutrality,proportionalityandintegrityareornotappropriatetoguidetheregulatoryapproachtotheFinTechactivities.

Yes.Wefullyagreewiththem.

Technologicalneutrality (understoodassameactivity, sameregulation) isnecessarybutnot sufficient to guarantee a level playing field. Equally important is to have samesupervision (to equal risks to those inherent to the banking activity). Moreover,



proportionalityisneeded,asarisk-basedapproachthattakesintoaccountspecificactivityrisks, and not whole company risks by default. However, there are cases whereproportionality cannot be applied: in case of cybersecurity and consumer protection allplayersshouldmakesurethattheycomplywiththehigheststandards.Smallnewentrantsshouldbesupportedthroughothermeansthananunlevelledregulatoryframework.

Itisourunderstandingthatatechnology-agnosticprincipleshouldalsobeincluded,asitfacilitatestheself-selectionofthebesttechnologiesbymarketforces.Thiscanbepracticallyappliedbyadoptinginternationalrecognizedstandardsthatarealsoagnostictotechnology.Inthesecases,sometypeofguidanceisrequiredtoavoid“reinventingthewheel”,whichcouldpotentiallyendupwithmanydifferentstandardsandfragmentation.

Roleofsupervisors:enablinginnovation

3.8 How can the Commission or the European Supervisory Authorities best coordinate,complementorcombinethevariouspracticesandinitiativestakenbynationalauthoritiesinsupportofFinTech(e.g.innovationhubs,acceleratorsorsandboxes)andmaketheEUasawholeahubforFinTechinnovation?WouldtherebemeritsinpoolingexpertiseintheESAs?PleaseelaborateonyourreplytowhethertherewouldbemeritsinpoolingexpertiseintheEuropeanSupervisoryAuthorities.

A European framework is needed to foster innovation at EU level while also avoidingregulatoryarbitrageandcompetitionamongthedifferentnationalinitiatives.Giventhatatthispointtherearealreadyanumberofnationalinitiativesthatcouldcreatedistortionsattheinternalmarket,itwouldbewelcomethatEUauthoritiesestablishbasicprinciplesforharmonization through the adoption of guidelines or recommendations and theidentificationofgoodpractices.

Theobjectivewouldbetheestablishmentofpan-Europeaninitiatives,suchasaEuropeansandboxframework.ThelevelofintegrationonthismattercouldfollowtheapproachoftheEuropeanBankingUnion.

Wesharetheviewthat itwouldbeconvenienttohaveexpertsat theESAsandNationalCompetent Authorities that could monitor the innovation advances, with a broadperspective. In this regard, it is of interest to establish a coordinating authority tounifythese efforts, as well as it would ease the establishment of agreements with externalinnovationecosystems,whichmightbenefitallEUstakeholders,asfurtherlinkswithnewmarketsmightaidtheEUinitsgloballeadershipgoal.

3.9ShouldtheCommissionsetuporsupportan"InnovationAcademy"gatheringindustryexperts, competent authorities (includingdata protection and cybersecurity authorities)and consumer organisations to share practices and discuss regulatory and supervisoryconcerns?Ifso,pleasespecifyhowtheseprogramsshouldbeorganised.

Yes, it is a good idea to convey and share knowledge among the different marketparticipants,experts,andregulatorsandsupervisors.Withthesekindofprograms,itisnotonlypossibletogettounderstandhowcertainnewtechnologies,suchasDLT,work,but



alsotoknowinmoredepththepossibleimplicationsofthenewtechnologiesinareasasrelevantasdataprotectionorcyber-risks,whicharecommontoallfinancialinnovations.

AninnovationAcademycouldhelptocentralisealltheeffortsrelatedtothedevelopmentofaFinTechfriendlyenvironmentinacoordinatedway.Oneofthekeyassetswouldbethecreationoflearningmechanismstoensurethatallknowledgecreatedcouldbeusedfortheinterestofallstakeholders.Inthissense,oneofthemainobjectivesoftheintroductionofan Innovation Academy could be the establishment of learning mechanisms providingguidanceforfutureprojects,suchastherationalebehindtheapprovalordenyingofcertainfinancialinnovationprojectsandbestpracticecasestudies,aswellasreportsregardingtheuseofnewtechnologiesandforecastingstudies.

Another important issue is ensuring that all stakeholders are represented (industry,consumer representatives, academic researchersandauthorities).Certainprojects couldimpactlegalrequirementsfrommorethanoneauthority.Toensurethatthereisacorrectdialoguebetweenalllegaljurisdictions,representativesfromallofthemshouldtakepartofthisInnovationAcademy.

The approach could be inspired by the private model of accelerators or incubators, inresearchconsortiumsoralreadyexistinginnovationhubs.Furthermore,allexamplescancomefromthefinancialsectororfromotherknowledgeareas.

3.10Areguidelinesor regulationneededat theEuropean level toharmonise regulatorysandboxapproachesintheMS?Pleaseelaborateonyourreply.

Yes. As we answered in question 3.8, some high guiding-principles for harmonizationshouldbeestablished.All sandboxesshouldbeharmonized in termsofconnectivityandtechnologytoapplyandalsointermsofthelegalframeworktoavoidregulatoryarbitrageand competition among the different national initiatives. This harmonisation should beinclusiveandtakeintoaccountallinterestpartiesregardlessoftheirsizeofbusinessmodel.

Itisofinteresttonotethatthislegalframeworkshouldincludehowthesesandboxesmustoperate: entry requirements, what happens while in the sandbox and how the projectshouldenter themarket.Furthermore,as this isa learningprocess,areviewof the finaldecisionshouldbepubliclysharedforallinterestpartiestounderstandtherationaleofthisoutcome.Nevertheless,alistofpotentialregulationsthatmightbesoftened,toolsthatallparticipantsmightaccessandthelimitationsrelatedtocustomerprotectionandsystemicstabilitymustbelistedpriorenteringthesandbox.

WouldyouseemeritsindevelopingaEuropeanregulatorysandboxtargetedspecificallyatFinTechswanting tooperate cross-border? If so,who should run the sandboxandwhatshouldbeitsmainobjective?

Yes.Itwouldbeveryusefultotestsomeinnovationsthatarebeingdevelopedcross-border,ascurrentDLTprojects.



The creation of a special regulatory sandbox for all types of FinTechs (includingbanks)willingtooperateonanintra-European,cross-borderbasisispositive.However,asstatedin question 3.8, it is also of interest the establishment of links with other innovationecosystems outside the EU and, in this case, with regulatory sandboxes from otherjurisdictions.

3.11WhatothermeasurescouldtheCommissionconsidertosupportinnovativefirmsortheirsupervisorsthatarenotmentionedabove?

Thoserelatedtodigitalknowledge,targetedtoindividualsandcompaniescouldbefurtherexploredaswellasfosteringtoadvancetowardsacashlesssociety.

In relation to the DLT projects that are currently being developed by many privateconsortia,itwouldbeveryusefultohavelegalexpertswithinauthoritiesinordertobeabletoadvanceintheinterestingusecasesunderdevelopment.

Furthermore,duetothegrowingcomplexityoftheecosystem,authoritiesmuststrengthentheir supervisory role on the new services that arise, taking a proactive role when theserviceproviderdoesnotmeetlegalrequirementsorexceedsitslicense,providingservicesthattheyhavenotbeenauthorisedto.Thismeasureensuresthatcustomersonlyaccesssafeandsecurefinancialservicesandavoidsmisusesthatmightdamagethereputationofallservicesproviders.

Roleofindustry:standardsandinteroperability

3.12IsthedevelopmentoftechnicalstandardsandinteroperabilityforFinTechintheEUsufficientlyaddressedaspartoftheEuropeanSystemofFinancialSupervision?

No.However,webelievethat thedevelopmentofstandardsshouldbe left tothemarketforcesaccordingtotheneedsandconvenienceandreadyforevolutionwhentechnologychanges.

Havingsaidthat,althoughwedonotexpectauthoritiesshouldsetthestandardsnorimposeveryprescriptiveregulations,itwouldbehelpfultheypromotesomeframeworkorspacewherethedifferentplayerscanmeetandreachagreementstodefinejointlythestandardsaswellasthedraftofsomecertainlines,asinthecaseofPSD2’sRTS.

Moreover, from the point of view of Security, the recommendation by supervisors ofstandardstofollow,suchasNIST,ISO2700XorCOBITwouldeasecompliance.Sometimestheseguidelinesorstandardsshouldbeclearertoavoiddisputes.

Finally, authorities should focus on solving overlaps between different regulations orsupervisoryrulessuchasthoseofNISDirective,NationalCriticalInfrastructurelawsandECBICTRiskAssessmentaswellasonensuringthatnon-bakFintechsaresubjecttoexplicitcybersecurity and outsourcing requirements. This will foster market efficiency and faircompetition.



Isthecurrent levelofdatastandardisationandinteroperabilityanobstacletotakingfulladvantageofoutsourcingopportunities?

Wedonotbelievethatthecurrentlevelofdatastandardisationandinteroperabilityisanobstaclefortheuseofoutsourcingopportunities(Seequestionabove).Indeed,asnon-bankFinTech operations are not always subject to oversight by financial authorities, thesecompaniesarebetterpositionedforoutsourcingthanincumbentfinancialinstitutions.

3.13 In which areas could EU or global level standards facilitate the efficiency andinteroperabilityofFinTechsolutions?Whatwouldbethemosteffectiveandcompetitionfriendlyapproachtodevelopthesestandards?

In our view the objectives of efficiency and interoperability can only be enabled bystandardsiftheyaredevelopedatagloballevel,areoutcomesbased,technologyagnostic,transparent,andinclusive,andarepromotedbythemarketforces.

EU institutionsandmarketplayersshouldhaveanactivevoice inglobalstandardizationorganizationssuchasISOandavoidthatothercountriestrytoimposeaspecificstandardorobstructtheirdevelopmentforpoliticaloreconomicpurposes.Therefore,wewelcometheadoptionofanymeasuresaimedatsupportingEUengagementwiththeseorganisations.

3.14 Should the EU institutions promote an open sourcemodelwhere libraries of opensourcesolutionsareavailabletodevelopersandinnovatorstodevelopnewproductsandservicesunderspecificopensourceslicenses?PleaseelaborateonyourreplytowhethertheEUinstitutionsshouldpromoteanopensourcemodelwherelibrariesofopensourcesolutionsareavailabletodevelopersandinnovatorstodevelopnewproductsandservicesunderspecificopensourceslicenses,andexplainwhatotherspecificmeasuresshouldbetakenatEUlevel.

No.Technologyservicesprovidersshoulddevelopopensourcesolutionswheretheyareneeded,butthisshouldnotbeimposedbyEUinstitutions.Inourview,authoritiesmayhaveanimportantroleinthepromotionofframeworkswheretheprivatesectorcancollaborateanddebateaboutit.

Challenges.Securingfinancialstability

3.15Howbig is the impactofFinTechon thesafetyandsoundnessof incumbent firms?WhataretheefficienciesthatFinTechsolutionscouldbringtoincumbents?Pleaseexplain.

In our view, FinTech solutions – in a B2B collaborative model - bring to incumbentsefficienciesespeciallyinretailandcommercialbanking,andinthreespecificfields:

1)Beingabletomeetcustomerdemands:

Theentranceofnewdigitalproviders,andtheproliferationofintermediationservicesthatincreasetransparencyandcomparability,isincreasingcompetitioninthefinancialservices



industry. This adds additional pressure to the banks’ profitability and forces banks totransform themselves in order to gain efficiency and offer new value propositions tocustomers.Tothatend,theregulatoryandsupervisoryframeworkmustallowbankstobeagileinadoptingnewtechnologiesanddevelopinginnovativeproductsandservices.

2)Rationalizationofbankingprocesses

3)Costs–savings:

Alldigitaltechnologiesbringsignificantefficiencygainsforthefinancialsystem,bothatthefront and back end, as has been explained in the previous sections of this consultation.EfficiencygainsarisefromtheapplicationoftechnologiesthatautomateordisintermediateprocessesandfromtheuseofamoreflexibleandscalableITinfrastructure.Theregulatoryand supervisory framework should facilitate the adoption of these technologies whilekeepingrisksundercontrol.

Moreover, the application of digital technologies may have positive impacts for thesoundnessofthefinancialsystem.Forinstance,thesocalled“RegTech”solutionsimproveriskmanagementfunctions,andcloudcomputingmayreducetraditionalITrisks,suchascapacityorresilience.



4. Balancing greater data sharing and transparency with datasecurityandprotectionneeds

4.1HowimportantisthefreeflowofdataforthedevelopmentofaDigitalSingleMarketinfinancialservices?Shouldserviceusers(i.e.consumersandbusinessesgeneratingthedata)be entitled to fair compensation when their data is processed by service providers forcommercialpurposesthatgobeyondtheirdirectrelationship?

Webelievethatdataisoneofthemostvaluableassetsofinstitutionsinthedigitalworld.AllowingEuropeancompaniestoextractthehighestvaluefromtheirdatawillpositivelyimpactontheircompetitiveness.

Therefore,anyregulatorydevelopmentinthefieldofdatashouldguaranteethatplayersbeallowed to extract value from the work they perform with data, while preserving dataprotectionandprivacyrightsforconsumers.

Theimportanceofhavinganappropriatecompetitiveenvironmentwithalevelplayingfieldforallthedifferentplayersshouldbethemainreasonforensuringthatnotonlybankshavetocomplywithhighstandardsinordertousepersonaldata.Thislevelplayingfieldneedstobe achievedbothwithin theEUbetweendifferent typesof firms, e.g. banksandnon-banks;andbetweenEUandnon-EUfirms.

Additionally, it isworth tomention that, given its strategic value, data issues are a keycommercial and strategic businessdecision for a company.There are someplayers thatinvesthugequantitiesofresourcesinordertoensurethattheirdataareofgoodquality,sotheyshouldhavethepossibilitytoexchangethemforapricethat isconvenient forbothsides:themarketshouldadjustthis.

Customersarealreadybeingcompensatedthroughtheaccesstodigitalservicesthatarebeingprovenveryconvenientforthem.Thebenefitsthatindividualsobtaincomefromtheaccess tomoretailoredandpersonalisedservices,which fitbetter theirpreferencesandneeds.Hence,enoughtransparencyshouldbegiventothecustomerswhentheyprovidetheirdata.

Whentheserviceusers’data isprocessedbyserviceproviders forcommercialpurposesthat go beyond their direct relationship, the users generating the data should have theopportunitytoachieveanincentiveorbenefit.However,weshouldnotunderstandthefaircompensationasapaymenttotheuserorasadirecteconomiccompensationforallowingdataprocessing.Thebenefitisderivedfromtheuserhavingaccesstoamorepersonalised,globalandtailor-madeserviceorhavingcertainservice/productsbenefitsinexchange.

Nevertheless,weshouldalsotakeintoaccountthedifferentkindofdata,bearinginmindthatenhanceddataarepartofanyorganizationknow-how,whichmeansthattheyshouldbetheonesachievingthebenefitfromit,astheyhaveinvestedresourcesandintelligenceinordertoenhancerawdata.



Itispositivethatthesystemisprovidedaframeworkthatallowssharingthedatabutitisalsonecessarythatincentivestomaintainhighqualitydatastillexist,soplayersshouldbefreetoestablishtheprice.Thereisalreadyalotoftransparencyindatagatheredbybanksbutstillnotsomuchinotherrelevantdata,suchasthoseofmerchants,delivery,etc.

Storingandsharingfinancialinformationthroughareliabletool

4.2.Towhatextent couldDLTsolutionsprovidea reliable tool for financial informationstoringandsharing?Aretherealternativetechnologicalsolutions?

OneofthemaincharacteristicsofDLTisitsimmutability.Theuseofsequentialhashingandcryptography,combinedwiththedecentralizedstructure,makeitvirtuallyimpossibleforanyparty tounilaterallyalterdataon the ledger.This canbeusedbyorganizationshandlingsensitiveinformationtomaintaintheintegrityofdata,andtopreventanddetectanyformoftampering.Inthissense,therearemanyfinancialprocessesandservicesthatcould benefit from the immutable nature of DLT storage: Customer data, contractinformation,propertyrights,andingeneral“digitalfingerprints”ofanykindofagreementaresomeofthetypesofinformationthatcouldbestoredinaDL.

ThealternativetoDLTsolutionsaretraditionaldatabasesoperatedbycentralauthorities(CCP’s,regulators,FMI’s,etc.).

4.3Aredigital identity frameworks sufficientlydeveloped tobeusedwithDLTor othertechnologicalsolutionsinfinancialservices?

No.WebelievethatthedigitalidentityframeworkstillneedstoimproveinthefollowingaspectstobeusedwithDLT:interoperability,standards,authentication,keymanagement,etc.Furtherpublicsupportisneededtodevelopmoreadvancesolutions.

4.4WhatarethechallengesforusingDLTwithregardtopersonaldataprotectionandhowcouldtheybeovercome?

Inourview,andinthelinewiththeCommission’sobjectiveofbeingtechnologyneutral,DLTshouldbe treated thesamewayasanyother technology inregard topersonaldataprotection:Personaldatashouldonlybesharedwithpartiesthathaveexplicitpermissiontohaveaccesstothedata,regardlessofencryption.Indeed,encryptionisasecuritymeasureandit isnotatoolthat impliesanonymization.However,strongencryptionisameasurethatshouldbeconsideredandpromoted.

DLTimplieshighqualitydata,beingconsistent,completeandaccurate.However,whileDLTis global, dataprotection regulation is fragmented and as for theuse ofBlockchain as atamper proof source of truth in relation to the information stored on it, regulatoryfragmentationimpliesachallenge.



In thatsense, thechallengesofDLT inregardtopersonaldataprotectionaresimilar tothose identified along this response, as for instance the issues related to geographiclocation(transferofdataacrossboundaries).

Perhaps one of the biggest challenges in regard to personal data protection that thistechnologyfacescomesfromhowtherighttoerasureortobeforgotten(introducedbytheGDPR)canbecompatiblewiththeimmutabilityoftheDLT.

Blockchain does not necessarily threaten data protection but it can also be a privacyenhancingtechnology.Itisamatterofapplyingtheprivacybydesignprincipleandprivacyimpactassessmentswheneverdesigningablockchaintechnologybasedserviceorproduct.

ThepowerofbigdatatolowerinformationbarriersforSMEsandotherusers

4.5Howcaninformationsystemsandtechnology-basedsolutionsimprovetheriskprofilingofSMEs(includingstart-upandscale-upcompanies)andotherusers?

New technology-based solutions and information systemshave increased the amountofinformationavailableonSMEs, viahigher interconnections (i.e connecting toofficial taxdatabases)orthroughtheuseofnewchannels,asforinstanceonlineplatformsandsocialmedia,thatcanbeusedtoenrichthebanks’creditscoring.

Thisincreasesthepossibilityforbankstoservecustomersthatcouldn’treachtraditionalbankingfinance,suchasyoungcompanieswithoutcredithistorybutforwhichpredictionscanbemadebasedintheirbehaviorrelatedtootheraspects.It iscriticalthatregulatorsandsupervisorsallowbanks to test thesesolutions, startingat lowscale,andbeable toextendthemiftheysucceed.

4.6HowcancounterpartiesthatholdcreditandfinancialdataonSMEsandotherusersbeincentivisedtoshareinformationwithalternativefundingproviders?Whatkindofpolicyactioncouldenablethisinteraction?Whataretherisks,ifany,forSMEs?

Thereshouldbeaframeworkthatsupportsatrulyfreeflowofnon-personaldata,suchascreditandfinancialdata.Trulyfreemeansthatnoplayershouldbeforcedtodeliverthesedata, Incentives shouldbekept toensure thathighqualitydataaregatheredandmaintained.Forthis,itisessentialthateachplayerhasthepossibilitytoextractvaluefromthedatatheymanageanddecidewhethertosharethemandunderwhichconditions.

Intermsofpolicyaction,muchhasalreadybeendoneinthefinancialsectorthroughrulessuchasPSD2(thatallowsaccountinformationserviceproviderstoaccessthetransactionaldata in a very convenient manner) and more generally in GDPR, which recognizes thecitizens’righttoporttheirpersonaldatainthemostefficientmanner.

Themarketisalreadyveryopenanddoesnotrequireanyadditionalprovisionuntiltheseregulationsarefullyinplaceandanassessmentisbeingmadethatmorehastobedone.Especially,giventhatthefinancialsectorhasbeenoneofthosemoreaffectedbyinitiatives



toopendata,inrelationtotherestofsectorsthatdonothavesimilarmeasures(andwhosedataisalsorelevantfortheprovisionofcredit).

Additionally,certainmeasurescouldalsobeofhelptoincreasefundingforSMEs,suchasallowing banks to enter crowdfunding platforms or partner with Fintech SMEs for thispurposewithoutbeingappliedthefullconsolidatedbankingframework.

The sharing of information could also be facilitated through the adoption of sharedstandardsenablingafasterandmoreeffectiverelevantdataflowbetweenfirms,i.e.forriskassessment.

On the other hand, data protection and cybersecurity should be kept in mind so theinformationsharingdoesnotputindangertheeffortsoftheindustrytomaintainhighsafetystandards.

Security

4.7Whatadditional(minimum)cybersecurityrequirementsforfinancialserviceprovidersand market infrastructures should be included as a complement to the existingrequirements(ifany)?Whatkindofproportionalityshouldapplytothisregime?

Thegapbetweentechnologyandregulationisparticularlyimportantincybersecurity,asaresultofnewsolutionswhichareevolvingatafasterpacethanregulatoryframeworks.Inthisregard,nonewrequirementsshouldbeestablisheduntilthereisaclearpictureoftheimpact of regulations on cybersecurity being implemented currently. We believe thatregulatoryeffortsshouldfocusonthesimplificationofthecurrentregulatoryframework

The number of cyber-attacks happened in recent years is a proof that no company iscompletelysafe.Andthebiggestproblem,inadditiontothetheftofpersonalandfinancialdata,istheimpacttheycouldhaveonsystems,interruptingthenormalactivityandminingthecustomerconfidence.

Cybersecurityrequirementsshouldbeproportionaltotakeintoaccountthecomplexityofthecompany,butforsmallercompaniestheyshouldnotbeloweredinordertoensureanadequatelevelofprotection.Thesystemisassafeasthelowestpointofitssecuritychain.OncetheframeworkhasbeenopenedbyregulatoryinitiativessuchasPSD2,allparticipantsshould bear the responsibility to keep it safe. If needed, the authorities could envisageestablishingcybersecurityinfrastructurestosupportcomplianceforthesmallerentities.

4.8 What regulatory barriers or other possible hurdles of different nature impede orprevent cyber threat information sharing among financial services providers and withpublicauthorities?Howcantheybeaddressed?

In our opinion, the following act as hurdles that impede information sharing on cyberthreatsandshouldbeaddressedbyEUandnationalcompetentauthorities:

Regardingreporting:



• The need to report incidents to the relevant competent authorites translates intorequirementsonproviderstoreportthesametypeofincidentstodifferentregulators,whichcreatesaburdenforallcompaniesregardlessoftheirsize.Itisnecessarynotonlyto harmonize these requirements but to establish a one-stop-shop mechanism forincidentreportingtodistributetoallrelevantauthoritiesandregulatorsinrelationtodifferentlegislativepieces.Reportingprocedures,templatesandmethodologiesusedinthedifferentMemberStatesshouldbestreamlinedandmadeconsistent.

• Major incidentsreportedshouldbeanonymisedandsharedbackwithprivatesector;this would provide them with interesting data on the incident itself and the modusoperandiand,inturn,allowthemtopreventfuturesuchincidentsandtohavebetterandshorterinterventionwhenanincidentoccurs.

Regardinginformationsharingamongprivatecompaniesandwithpublicauthorities:

• Informationonincidentsshouldbereportednotonlytosupervisorsandregulators,butitwouldaddvaluetothemarketifthisinformationwasalsosharedbetweencompaniesonaconfidentialbasis.Inparticular,sharinginformationordistributeearlywarningsonmajor incidents between entities would increase information intelligence in otherfinancial institutionsandallow themto takepro-activemeasures toavoidorpreventthose or similar incidents. FS-ISAC in the US and CiSP in the UK are examples ofinformationsharingamongpublicandprivatecompanies,butasimilarinitiativeshouldbesetupatEUlevel,ledbyENISAtogetherwiththeECBandEUROPOL.

• It would be necessary to allow and define at EU level data sharing among privatecompaniesforcybersecuritypurposes,includingharmonizingthepiecesofdatathatcanbeshared.NationalDataProtectionrulesrepresentabarriertosharecertainpiecesofdataamongprivate companies.Forexample: the IPaddressof theattackerhas tobereportedtothenationalcompetentauthorityinSpainbutcannotbesharedwithotherprivate companies for cybersecuritypurposesbecause it is consideredpersonaldata.Moreover,incaseusersaredeniedaccesstoagivenserviceonthebasisofinformationstemmingfrompreventivemeasuresofotherserviceprovidersandthisinformationwaserroneously interpreted, it could be considered an anti-competitive and/ordiscriminatoryact

What is really necessary is to promote stronger public-private cooperation in cybersecurity.

4.9Whatcybersecuritypenetrationandresilience testing in financial services shouldbeimplemented?WhatisthecaseforcoordinationatEUlevel?Whatspecificelementsshouldbe addressed (e.g. common minimum requirements, tests, testing scenarios, mutualrecognitionamongregulatorsacrossjurisdictionsofresiliencetesting)?

Therearealreadyinplaceanumberofcybersecuritypenetrationandresiliencetestinginfinancialservices.



Regarding financial market infrastructures, CPMI together with IOSCO released in June2016theirGuidanceoncyberresilienceforfinancialmarketinfrastructures.Theyadvocatethesaferesumptionofcriticaloperationswithintwohoursofadisruption.Weconsiderthatthis 2-hour period is not technically feasible in case of a serious cyberincident and thisGuidanceshouldberevisited.Besides,financialmarketsinfrastructuresareconcentratingtransactionsfromdifferentmarketsandcurrentlyitisnotclearhowprioritieswouldbesetincaseoffailureandhowtomodelandtestdifferentexistingpossibilitiesforrecovery.

WebelievethattheauthoritiescoulduseasreferencetheUKCBESTVulnerabilityTestingFrameworkdevelopedbytheBankofEngland,as itenablesbanksto think in the futurecybersecurity challenges insteadof adjusting their systems to cybersecurity supervisoryrequirementsthatarebasedoninformationfromthepast.

Regarding the future update of the NIS Directive, it should contemplate also the otherplayers in the industry such as non-bank FinTech companies, hardware and softwaremanufacturesaswellasSMEs.

Finally, freeawarenessand trainingcampaigns for thosecompanies thatare identified -undersometypeofprioritizationscheme-astheweakestlinkinthechainwouldbeuseful.

AtEUlevelitwouldbenecessarytomapcriticaleconomicfunctionsandunderstandwhicharethesinglepointsoffailureandtheavailablealternativesincaseofcyberattack.

4.10.1:What other applications of new technologies to financial services, beyond thoseabove mentioned, can improve access to finance, mitigate information barriers and/orimprovequalityofinformationchannelsandsharing?

As stated in answer 3.7, there is a principle of technology-agnosticism that should beincluded. Innovations are uncertain by nature, therefore we must assume that newtechnologies will arise which are not analysed in this consultation. In this regard, weconsiderofspecialinterestthatregulatorsfocusontheeffectsoftheapplicationratherthaninthetechnologyitselfinordertoavoidthecreationofbarriersforfuturedevelopmentscurrentlyunknown.

4.10.2: Are there any regulatory requirements impeding other applications of newtechnologies to financial services to improve access to finance, mitigate informationbarriersand/orimprovequalityofinformationchannelsandsharing?

ThenewPaymentServicesDirective(PSD2)willgrantindividualandbusinessclientstherighttodirectlytransfertheirbankaccountdatatothird-partypaymentserviceproviders(TPPs) ina standardizedway.At the same time, theGeneralDataProtectionRegulation(GDPR)willintroduceanewrightfordatasubjectstoportthepersonaldataprovidedtoanyfirmtheyareengagedwith.Toachievealevelplayingfieldintheaccesstoclients’dataunder PSD2 and GDPR, it is essential that the right to personal data portability isimplementedinawaythatisconsistentwithPSD2.

fintech: a more competitive and innovative european financial … · 2017-10-22 · fintech: a more...

Documents