Published Results: fintech-2017

Are you replying as:(replying-as)
First name and last name:(organisation-identity-public)
Name of your organisation:([ID2])
Name of the public authority:([ID3])
Is your organisation included in the Transparency Register? (If your organisation is not registered, we invite you to register here, although it is not compulsory to be registered to reply to this consultation. Why a transparency register?)(transparency-register)
If so, please indicate your Register ID number:(id-transparency-register)
Type of organisation:(organisation-type)
Please specify the type of organisation:(specify-organisation-type)
Please indicate the size of your organisation:([ID182])
Type of public authority(public-authority-type)
Please specify the type of public authority:(specify-public-authority-type)
Where are you based and/or where do you carry out your activity?(country)
Please specify your country:(specify-country)
Field of activity or sector (if applicable):(activity-field)
Please specify your activity field(s) or sector(s):(specify-activity-field)
Contributions received are intended for publication on the Commission’s website. Do you agree to your contribution being published? (see specific privacy statement )(contributions-publication)
Question 1.1: What type of FinTech applications do you use, how often and why? In which area of financial services would you like to see more FinTech solutions and why?([ID16])
Question 1.2: Is there evidence that automated financial advice reaches more consumers, firms, investors in the different areas of financial services (investment services, insurance, etc.)?([ID55])
If there is evidence that automated financial advice reaches more consumers, firms, investors in the different areas of financial services, at what pace does this happen? And are these services better adapted to user needs? Please explain.([ID20])
Question 1.3: Is enhanced oversight of the use of artificial intelligence (and its underpinning algorithmic infrastructure) required? For instance, should a system of initial and ongoing review of the technological architecture, including transparency and reliability of the algorithms, be put in place?([ID59])
Please elaborate on your answer to whether enhanced oversight of the use of artificial intelligence is required, and explain what could more effective alternatives to such a system be.([ID54])
Question 1.4: What minimum characteristics and amount of information about the service user and the product portfolio (if any) should be included in algorithms used by the service providers (e.g. as regards risk profile)?([ID60])
Question 1.5: What consumer protection challenges/risks have you identified with regard to artificial intelligence and big data analytics (e.g. robo-advice)? What measures, do you think, should be taken to address these risks/challenges?([ID73])
Question 1.6: Are national regulatory regimes for crowdfunding in Europe impacting on the development of crowdfunding?([ID74])
Please elaborate on your reply to whether there are national regulatory regimes for crowdfunding in Europe impacting on the development of crowdfunding. Explain in what way, and what are the critical components of those regimes.([ID62])
Question 1.7: How can the Commission support further development of FinTech solutions in the field of non-bank financing, i.e. peer-to-peer/marketplace lending, crowdfunding, invoice and supply chain finance?([ID66])
Question 1.8: What minimum level of transparency should be imposed on fund-raisers and platforms? Are self-regulatory initiatives (as promoted by some industry associations and individual platforms) sufficient?([ID68])
Question 1.9: Can you give examples of how sensor data analytics and other technologies are changing the provision of insurance and other financial services? What are the challenges to the widespread use of new technologies in insurance services?([ID61])
Question 1.10: Are there already examples of price discrimination of users through the use of big data?([ID75])
Please provide examples of what are the criteria used to discriminate on price (e.g. sensor analytics, requests for information, etc.)?([ID69])
Question 1.11: Can you please provide further examples of other technological applications that improve access to existing specific financial services or offer new services and of the related challenges? Are there combinations of existing and new technologies that you consider particularly innovative?([ID70])
Question 2.1: What are the most promising use cases of FinTech to reduce costs and improve processes at your company? Does this involve collaboration with other market players?([ID71])
Question 2.2: What measures (if any) should be taken at EU level to facilitate the development and implementation of the most promising use cases? How can the EU play its role in developing the infrastructure underpinning FinTech innovation for the public good in Europe, be it through cloud computing infrastructure, distributed ledger technology, social media, mobile or security technology?([ID171])
Question 2.3: What kind of impact on employment do you expect as a result of implementing FinTech solutions? What skills are required to accompany such change?([ID76])
Question 2.4: What are the most promising use cases of technologies for compliance purposes (RegTech)? What are the challenges and what (if any) are the measures that could be taken at EU level to facilitate their development and implementation?([ID17])
Question 2.5.1: What are the regulatory or supervisory obstacles preventing financial services firms from using cloud computing services?([ID86])
Question 2.5.2: Does this warrant measures at EU level?([ID87])
Please elaborate on your reply to whether the regulatory or supervisory obstacles preventing financial services firms from using cloud computing services warrant measures at EU level.([ID88])
Question 2.6.1: Do commercially available cloud solutions meet the minimum requirements that financial service providers need to comply with?([ID77])
Please elaborate on your reply to whether commercially available cloud solutions do meet the minimum requirements that financial service providers need to comply with.([ID89])
Question 2.6.2: Should commercially available cloud solutions include any specific contractual obligations to this end?([ID90])
Please elaborate on your reply to whether commercially available cloud solutions should include any specific contractual obligations to this end.([ID91])
Question 2.7: Which DLT applications are likely to offer practical and readily applicable opportunities to enhance access to finance for enterprises, notably SMEs?([ID94])
Question 2.8: What are the main challenges for the implementation of DLT solutions (e.g. technological challenges, data standardisation and interoperability of DLT systems)?([ID95])
Question 2.9: What are the main regulatory or supervisory obstacles (stemming from EU regulation or national laws) to the deployment of DLT solutions (and the use of smart contracts) in the financial sector?([ID96])
Question 2.10: Is the current regulatory and supervisory framework governing outsourcing an obstacle to taking full advantage of any such opportunities?([ID102])
Please elaborate on your reply to whether the current regulatory and supervisory framework governing outsourcing is an obstacle to taking full advantage of any such opportunities.([ID99])
Question 2.11: Are the existing outsourcing requirements in financial services legislation sufficient?([ID103])
Please elaborate on your reply to whether the existing outsourcing requirements in financial services legislation are sufficient, precising who is responsible for the activity of external providers and how are they supervised. Please specify, in which areas further action is needed and what such action should be.([ID100])
Question 2.12: Can you provide further examples of financial innovations that have the potential to reduce operational costs for financial service providers and/or increase their efficiency and of the related challenges?([ID101])
Question 3.1: Which specific pieces of existing EU and/or Member State financial services legislation or supervisory practices (if any), and how (if at all), need to be adapted to facilitate implementation of FinTech solutions?([ID107])
Question 3.2.1: What is the most efficient path for FinTech innovation and uptake in the EU?([ID108])
Question 3.2.2: Is active involvement of regulators and/or supervisors desirable to foster competition or collaboration, as appropriate, between different market actors and new entrants?([ID109])
If active involvement of regulators and/or supervisors is desirable to foster competition or collaboration, as appropriate, between different market actors and new entrants, please explain at what level?([ID110])
Question 3.3: What are the existing regulatory barriers that prevent FinTech firms from scaling up and providing services across Europe? What licensing requirements, if any, are subject to divergence across Member States and what are the consequences? Please provide the details.([ID113])
Question 3.4: Should the EU introduce new licensing categories for FinTech activities with harmonised and proportionate regulatory and supervisory requirements, including passporting of such activities across the EU Single Market?([ID116])
If the EU should introduce new licensing categories for FinTech activities with harmonised and proportionate regulatory and supervisory requirements, including passporting of such activities across the EU Single Market, please specify in which specific areas you think this should happen and what role the ESAs should play in this. For instance, should the ESAs play a role in pan-EU registration and supervision of FinTech firms?([ID117])
Question 3.5: Do you consider that further action is required from the Commission to make the regulatory framework more proportionate so that it can support innovation in financial services within the Single Market?([ID118])
If you do consider that further action is required from the Commission to make the regulatory framework more proportionate so that it can support innovation in financial services within the Single Market, please explain in which areas and how should the Commission intervene.([ID119])
Question 3.6: Are there issues specific to the needs of financial services to be taken into account when implementing free flow of data in the Digital Single Market?([ID120])
Please elaborate on your reply to whether there are issues specific to the needs of financial services to be taken into account when implementing free flow of data in the Digital Single Market, and explain to what extent regulations on data localisation or restrictions on data movement constitute an obstacle to cross-border financial transactions.([ID121])
Question 3.7: Are the three principles of technological neutrality, proportionality and integrity appropriate to guide the regulatory approach to the FinTech activities?([ID122])
Please elaborate on your reply to whether the three principles of technological neutrality, proportionality and integrity are or not appropriate to guide the regulatory approach to the FinTech activities.([ID123])
Question 3.8.1: How can the Commission or the European Supervisory Authorities best coordinate, complement or combine the various practices and initiatives taken by national authorities in support of FinTech (e.g. innovation hubs, accelerators or sandboxes) and make the EU as a whole a hub for FinTech innovation?([ID126])
Question 3.8.2: Would there be merits in pooling expertise in the ESAs?([ID127])
Please elaborate on your reply to whether there would be merits in pooling expertise in the European Supervisory Authorities.([ID128])
Question 3.9: Should the Commission set up or support an "Innovation Academy" gathering industry experts, competent authorities (including data protection and cybersecurity authorities) and consumer organisations to share practices and discuss regulatory and supervisory concerns?([ID129])
If you think the Commission should set up or support an "Innovation Academy" gathering industry experts, competent authorities (including data protection and cybersecurity authorities) and consumer organisations to share practices and discuss regulatory and supervisory concerns, please specify how these programs should be organised.([ID130])
Question 3.10.1: Are guidelines or regulation needed at the European level to harmonise regulatory sandbox approaches in the MS?([ID131])
Please elaborate on your reply to whether guidelines or regulation are needed at the European level to harmonise regulatory sandbox approaches in the MS?([ID132])
Question 3.10.2: Would you see merits in developing a European regulatory sandbox targeted specifically at FinTechs wanting to operate cross-border?([ID133])
If you would see merits in developing a European regulatory sandbox targeted specifically at FinTechs wanting to operate cross-border, who should run the sandbox and what should be its main objective?([ID134])
Question 3.11: What other measures could the Commission consider to support innovative firms or their supervisors that are not mentioned above?([ID135])
Question 3.12.1: Is the development of technical standards and interoperability for FinTech in the EU sufficiently addressed as part of the European System of Financial Supervision?([ID138])
Please elaborate on your reply to whether the development of technical standards and interoperability for FinTech in the EU is sufficiently addressed as part of the European System of Financial Supervision.([ID139])
Question 3.12.2: Is the current level of data standardisation and interoperability an obstacle to taking full advantage of outsourcing opportunities?([ID140])
Please elaborate on your reply to whether the current level of data standardisation and interoperability is an obstacle to taking full advantage of outsourcing opportunities.([ID141])
Question 3.13: In which areas could EU or global level standards facilitate the efficiency and interoperability of FinTech solutions? What would be the most effective and competition-friendly approach to develop these standards?([ID142])
Question 3.14: Should the EU institutions promote an open source model where libraries of open source solutions are available to developers and innovators to develop new products and services under specific open sources licenses?([ID143])
Please elaborate on your reply to whether the EU institutions should promote an open source model where libraries of open source solutions are available to developers and innovators to develop new products and services under specific open sources licenses, and explain what other specific measures should be taken at EU level.([ID145])
Question 3.15: How big is the impact of FinTech on the safety and soundness of incumbent firms? What are the efficiencies that FinTech solutions could bring to incumbents? Please explain.([ID147])
Question 4.1: How important is the free flow of data for the development of a Digital Single Market in financial services? Should service users (i.e. consumers and businesses generating the data) be entitled to fair compensation when their data is processed by service providers for commercial purposes that go beyond their direct relationship?([ID150])
Question 4.2: To what extent could DLT solutions provide a reliable tool for financial information storing and sharing? Are there alternative technological solutions?([ID153])
Question 4.3: Are digital identity frameworks sufficiently developed to be used with DLT or other technological solutions in financial services?([ID154])
Please elaborate on your reply to whether digital identity frameworks are sufficiently developed to be used with DLT or other technological solutions in financial services.([ID155])
Question 4.4: What are the challenges for using DLT with regard to personal data protection and how could they be overcome?([ID156])
Question 4.5: How can information systems and technology-based solutions improve the risk profiling of SMEs (including start-up and scale-up companies) and other users?([ID159])
Question 4.6: How can counterparties that hold credit and financial data on SMEs and other users be incentivised to share information with alternative funding providers ? What kind of policy action could enable this interaction? What are the risks, if any, for SMEs?([ID162])
Question 4.7: What additional (minimum) cybersecurity requirements for financial service providers and market infrastructures should be included as a complement to the existing requirements (if any)? What kind of proportionality should apply to this regime?([ID165])
Question 4.8: What regulatory barriers or other possible hurdles of different nature impede or prevent cyber threat information sharing among financial services providers and with public authorities? How can they be addressed?([ID166])
Question 4.9: What cybersecurity penetration and resilience testing in financial services should be implemented? What is the case for coordination at EU level? What specific elements should be addressed (e.g. common minimum requirements, tests, testing scenarios, mutual recognition among regulators across jurisdictions of resilience testing)?([ID167])
Question 4.10.1: What other applications of new technologies to financial services, beyond those above mentioned, can improve access to finance, mitigate information barriers and/or improve quality of information channels and sharing?([ID168])
Question 4.10.2: Are there any regulatory requirements impeding other applications of new technologies to financial services to improve access to finance, mitigate information barriers and/or improve quality of information channels and sharing?([ID169])
Please elaborate on your reply to whether there are any regulatory requirements impeding other applications of new technologies to financial services to improve access to finance, mitigate information barriers and/or improve quality of information channels and sharing?([ID170])
Should you wish to provide additional information (e.g. a position paper, report) or raise specific points not covered by the questionnaire, you can upload your additional document(s) here:(file-upload)
an organisation or a company(organisation-replying-as)
 
Real Time Economy and Taltio programs
 
No(no-transparency-register)
 
Other([ID14])
Innovation network
less than 10 employees([ID4])
 
 
Finland([ID29])
 
Accounting([ID4])
Banking([ID8])
Financial market infrastructure (e.g. CCP, CSD, stock exchange)([ID6])
Payment service([ID9])
Other([ID180])
eInvoicing, eReceipts, automated real time accounting, automated risk evaluation for credits and crowd financing
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
E-Banking, E-id, E-invoicing, E-Receipts - all the time. The by far most important sector is automated accounting based on e-invoicing and e-receipts (+ real time payments). Then it is possible to speed up and improve financing processes, lower risks and automate pricing.
Yes([ID56])
AI has been around for a long time through data mining. More intelligence is being added - but so far rather slowly. E-receipts and e-invoicing will automatically provide line-specific spending analysis for consumers.
No([ID57])
Not needed
Investment products should of course classify themselves as more or less risky
Less risky than human advice
Don’t know / no opinion / not relevant([ID58])
Crowdfunding does not need regulation - up to institutions to warn investors.
Same rules as for banks.
Self-regulation and clear risk warnings sufficient - same rules as for banks.
 
No([ID57])
 
 
Same ecosystem for e-invoice and e-receipt service providers. All ecosystems need wide collaboration. Pricing should be transparent so that manual work, use of cash etc cost more.
Standardization support is important for EU and then pick up and demonstrate best practices.
We cannot afford to not automate processes. Freed up workforce should be encouraged to move forward as early as possible.
 
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
 
Don’t know / no opinion / not relevant([ID58])
 
DLT is a background
 
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
 
Credit evaluation based on automated accounting
Level playfield a must. Traditional service providers cannot be obligated to cover losses caused by failed start-ups.
The work is done in member states. EU can observe and ask "laboratory countries" to demonstrate for others. EU should support pilots and standardisation.
Yes([ID56])
Public-private also in this respect. Early learning makes supervisors more efficient and useful
FinTech firms will network with banks - very few will actually gain considerable market shares.
No([ID57])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
PSD2-like standardisation needed for accounting data and for data from the public sector
Yes([ID56])
 
By observing and demonstrating achievements, plans and visions from member states
Don’t know / no opinion / not relevant([ID58])
Network probably better
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Same standard for e-invoice and e-receipt. Accounting data standardization (XBRL)
Don’t know / no opinion / not relevant([ID58])
 
 
Very important in the accounting area.
 
Yes([ID56])
Bank login credentials and attachment rules must be (and are) secure and should be used as part of e-id service ecosystem (important for public sector) - both for id and signing contracts - in private and employee role. No need for different tool in seldom needed other services.
 
Real time accounting and cash flow estimates + all shares - also unlisted to CSDs to provide golden information source.
SMEs decide who they share their data to.
Level play field important as weakest link can destroy ecosystems
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
an organisation or a company(organisation-replying-as)
 
Ipso Microelectronics
 
No(no-transparency-register)
 
Company, SME, micro-enterprise, sole trader([ID6])
 
less than 10 employees([ID4])
 
 
Switzerland([ID50])
 
Technology provider([ID178])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Online banking predominantly. Often cross-border payments for paying suppliers and staff, most of which are located in different countries. The area of authentication is of primary concern, with data privacy as a close secondary concern.
Yes([ID56])
The main drivers, we believe, for these services are cost reduction (for the service providers), combined with a greater ability to reach customers. The pace of adoption is quite amazing considering the early stage of readiness of the underlying technology. We would advise caution so as to prevent security breaches and/or financial losses.
Yes([ID56])
Human monitoring of results is crucial until data can be gathered over an extended time period. Experiments in the world of foreign exchange trading (FX trading) make it clear that a strategy that works most of the time, can be disastrous during times of market turmoil, for example. Our particular area of expertise is in digital identity and authentication. We believe the links between the individual and data is not well established, as evidenced by the lack of preparedness for GDPR. We also do not believe the authentication solutions in the market are sufficiently secure to introduce further complexity, in the form of AI/bots, without a robust digital identity framework.
Irrefutable digital identity and authentication for users, service providers, and any AI/bots employed is a foundational requirement. Similarly, any parameters that determine AI decisions must be cryptographically linked to the entities in a contractually sound manner.
We have identified robust digital identity and authentication as the primary risk, and are focusing our efforts in achieving that. Our solution involves a user-centric, air-gapped digital identity management tool, which also provides air-gapped, user-controlled authentication. This eliminates any potential for hacking or malware attack vectors, and concurrently gives service providers the necessary mechanisms to tie user data to the user, and achieve compliance with privacy regulations.
Don’t know / no opinion / not relevant([ID58])
 
Provide lower-hurdle licensing for smaller market experiments to give smaller Fintech companies the opportunity to compete with incumbents.
We believe irrefutable digital identity, linked to any interactions and data, can provide regulators with sufficient real-time oversight and transparency to completely eliminate malpractice and fraud.
The use of so-called IoT sensor data to enable real-time (or at least rapid) assessment and service provision is a well established principle. The questions that arise include the ownership of generated data, allocation of any revenues from this data, and the privacy concerns. Solid and irrefutable digital identity lies at the heart of solving these issues.
Don’t know / no opinion / not relevant([ID58])
 
We believe that user-centric digital identity, and distributed, blockchain-enabled digital platforms offer the best architecture for providing digital services, financial services primarily. New financial inclusion strategies point to these technologies as the most promising.
Digital currencies in the context of blockchain technology are the most promising for a small enterprise such as ours. This indicates that Peer-to-Peer services should be encouraged. The opening of financial services (banks) via APIs is a good first step, as it will allow innovative P2P companies to grow their offerings.
Enhanced consultation, perhaps through workshop events, will lead to greater collaboration between regulators, policy makers, and members of the business community. Sandboxes, or lower-hurdle licencing, especially in financial services, will further accelerate innovation.
Higher skilled workers will flourish, but an overall reduction in employment can be expected, regardless of policy. The advent of AI and robotics will impact worker numbers in the services economy, much as automation reduced employment in agriculture and industry. The real question is what is the next economic sector that will emerge, and will it have the ability to employ large numbers.
Without a doubt digital identity combined with blockchain. The greatest challenge will be the orderly transitioning of regulations to allow the abilities of the technology to be fully used.
Irrefutable digital identity and authentication, combined with a data handling platform that supports this, is the primary obstacle to regulatory supervision and compliance. While dangerously high levels of data breaches and individual privacy transgressions cannot be contained, the regulatory outlook is concerning.
Yes([ID56])
A universal digital identity framework, beyond the current eIDAS regime, must be agreed and adopted, not only at EU and national level, but must be adopted by service providers in order to properly address public needs.
No([ID57])
None of the existing cloud solutions are able to adequately and securely tie users to data (ownership), and enforce data access and usage according to that ownership. Geofencing of data is also entirely inadequate.
Yes([ID56])
Cloud service providers must ensure that data is only accessible to the owner, by default. Currently the cloud provider is commercially motivated to access all the data in its system. This is an aspect that can only be managed through regulations.
Yes, although disintermediation is perhaps too broad and poorly understood. DLT in its own right is simply a technology, and not a goal. It adds to a body of technology that can achieve division of service from control of users and user data.
The technical challenges (especially scalability), although significant, are not the main factors. Standardization will emerge, as it always does, from the solutions that are ultimately successful in the market. Standardizing too early can be as detrimental as no standardization. I believe interoperability is entirely achievable, but it starts with a universal, user-controlled digital identity schema.
Sufficient knowledge transfer to regulators and policy makers is the greatest obstacle. Once the technology is understandable, it can be placed within the context of public interest, which will result in coherent and progressive regulations.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Streamlining immigration processes for innovators, especially startups. Additionally, filling the void left by more restrictive H1B regulations emerging in the USA will see a surge of innovative activity inside the EU.
Create a favourable regulatory environment, and business will innovate. Government cannot innovate - nor is it mandated to do so. Maintaining oversight to avoid exploitation is required, but excess intervention ultimately reduces innovation.
Yes([ID56])
Sandboxes, or lower-hurdle licencing regimes.
In a broader sense there is a need for a lower tier of banking, insurance and other financial services licensing in order to allow new entrants the opportunity to compete directly, rather than being forced to work with incumbents.
Yes([ID56])
This cannot happen without an EU-wide digital identity schema for individuals, companies and a new class of digital entity (AI/robotics). Once this is in place it becomes possible to passport all these players across the EU.
Don’t know / no opinion / not relevant([ID58])
 
No([ID57])
There are other areas such as: Medical technology, specifically patient data management and service provision. Supply chain providence and logistics Policing and tracking of victims and perpetrators Media and news (preventing propagation of "fake news")
Don’t know / no opinion / not relevant([ID58])
 
Allocation of resources, or qualification for resources to innovation hubs, accelerators and sandboxes, should have a regional dimension. Furthermore, the ability for transitioning into lower-hurdle licenses must also be supported.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
The availability of expertise in this area, in combination with infrastructure, would be immensely helpful for companies such as ours.
Actively seek and attract innovative companies abroad to set up an EU presence.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Focus on foundational standards that will drive the greatest amount of innovation across the market.
Yes([ID56])
 
 
Yes, undeniably. This is an emerging asset class that is not yet legally defined - unlike physical and intellectual property. Providing a technology platform that allows for the definition, capture and assignment of this new form of asset is a requirement, else it will be problematic or impossible for service providers to adequately comply with any matching regulations. Data, and access to it, must be controlled by its owner.
DLT offers part of the solution, but is not the entire solution. DLT is a technology related to data storage between disparate entities. It does not solve digital identity and data ownership issues directly, but only in combination with other technologies.
No([ID57])
Several frameworks are emerging that are promising, but standardization will take time. We are particularly focused on the secure storage of underlying private keys by the individual, in a user-centric model. We also provide irrefutable authentication - critical in underpinning secure online interaction and data management.
DLT by itself cannot scale sufficiently, but can underpin secure and trusted infrastructure between disparate entities. We are working, with partners, to tie our digital identity framework into a truly scalable cloud infrastructure, and can therefore confirm the technical merits with a lot of confidence.
 
Common registries of credits will eliminate fraudulent use of financial facilities.
Securing the endpoints (users and underlying system hardware) of the system is critical to resilient cybersecurity in the scope of malware and hacking attacks. At the same time, distributed architectures can resolve Denial of Service (DOS) attacks, as well as provide for 100% availability in the event of systemic or other disastrous events.
Market (perception and liability) risks are probably the foremost reasons for not sharing information. The other is a lack of awareness - many attacks go undetected. Only a more resilient and secure operating platform can solve this in our view.
 
 
Don’t know / no opinion / not relevant([ID58])
 
a private individual(public-replying-as)
Bruno Ferreira
 
 
 
 
 
 
 
 
 
Portugal([ID44])
 
Crowdfunding([ID7])
Social entrepreneurship([ID175])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Decentralized Crowdfunding Platforms Microcredit National Programs
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
Yes([ID56])
Comparatively with Bank loan guarantees and venture capital funds we see a lack of institutional support (at the EU-level and the national level), funding for training and public education, guarantees schemes for crowdfunding small investors and small lenders
Provide guarantee and counter guarantee schemes for regulated Crowdfunding platforms and their accredited members, at the microcredit level (loans up to 25.000 euros) and startup seed funding (up to 250.000 euros). Guarantee schemes limited to small investors only (up to 10.000 euros max counterguarantee per investor)
Public data available in a blockchain decentralized network solution promoted by the EU commission and the European Investment Bank. However this blockchain should not be in the cloud managed by a third party IT, but decentralized along local (juridically) independent nodes (blockchain servers / data validators).
 
Don’t know / no opinion / not relevant([ID58])
 
Regulating the trading of trading contracts (following the UCC standards) in the blockchain through mobile apps by end consumers/businesses. Company property Real estate property Patents etc.
Promoting an Ethereum based blockchain with state / payment channels for Supply Chain Finance Fintechs supporting local SMEs. Ethereum based blockchain would be locking collateral / guarantees; state channel / payment channel enabling scalability and privacy.
 
Expecting focus in the creation of local employment in new business niches related to the Circular Economy, Biomimicry, and Sustainability of Ecosystems
 
 
Don’t know / no opinion / not relevant([ID58])
Promote pay-per-use cloud services instead of licencing solutions (licences being an obstacle for SME entry) Facilitate consortiums of SME to adopt cloud licenses
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Based in Ethereum + Raiden Network (This means programmable blockchain with hard coded smart contract, formal verification of smart contract involving regulators, confidential state channels / payment channels)
Lack of cooperative (regulators + fintech) formal verification pools, lack of dual integration (legal + technological) standards.
Lack of a classification of business cases in blockchain (crypto currencies are not the only case)
Yes([ID56])
Lack of regulation and supervision entities for ICOs - Initial Coin Offerings. ICOs should clearly demonstrate the functional necessity of the existence of a token issuance. (there are two main types of ICOs: claim of goods / services vs equity/debt claim)
Don’t know / no opinion / not relevant([ID58])
 
Commercial Credit Circuit (C3) - Social Trade Shared Resource Platform based in Mutual Credit Systems - CLIP Bank Payment Obligation - SWIFT Guarantee Market - Extending the P2P layer to the european guarantee system (EIB Guarantee -> State counterguarantee -> national guarantee, P2P guarantee -> crowdfunding platform financing) Circular Economy Reward-Loyalty Points / Credit Systems - Circularchain
Directive on the "Electronic Money Institutions" should be updated to a "Digital Currency Issuing Institutions"
accelerating and promoting the adoption of PSD2 would be a major first step.
Yes([ID56])
 
License fees reduced for the EMI Directive to issue digital scrip and digital currencies, backed by collateral instruments.
Yes([ID56])
License fees reduced for the EMI Directive to issue digital scrip and digital currencies, backed by collateral instruments. (current 350,000 euros)
Yes([ID56])
 
 
 
 
 
 
 
 
Yes([ID56])
 
 
 
 
 
 
 
 
 
 
 
Yes([ID56])
Validation (formal verification) of open source libraries Dual Integration (for example with legal enforcement of smart contracts that follow the UCC)
 
The most important is that the citizen should be the owner and manager of its personal data and identity. However, there should be a secure history record of all the changes made by the citizen. Also, storing sensitive biometric data in public or centralized databases is a risk. Usage of a model of multisignature is advisable.
DLT solutions are best for storing hashes of data rather than the data itself.
 
Digital identity frameworks are not sufficiently developed, mainly for business entities. There needs to be a standard of which characterizing items constitute a valid digital identity
Instead of each entity creating their own permissioned blockchain, they could use zero knowledge proofs protocol in permissionless blockchains, or use state channels to build entire (private) side chains,
This is a good question to ask to commercial information companies. Your question implies that risk profiling is public service, however traditionally is managed by private entities. In Portugal you can ask Informa D&B what should be the business model for the industry of risk profiling in a blockchain.
In Portugal you can ask that question to the Central Bank. The Central bank stores that information in the "Central de Registo de Créditos". Only banks are allowed to access this information. I see banks having an unloyal competitive advantage here. The three main national regulators and supervisors (Banking, Insurance and Securities Markets) need to coordinate and make available credit information for crowdfunding and other capital / lending regulated institutions.
For example, end users, should operate with Hardware Wallets, this should be the standard. Mobile Phones and NFC are proved not secure for financial services.
 
 
Mobile Operating System for the Entrepreneur, based in open source OS, Open source Business Apps (ERP, CRM; wallet)
Yes([ID56])
For example, in Supply chain financing, the use of scrip currency, even when 100% backed by the euro currency, may not be legally binding to extinguish a debt from a transaction between two or more entities.
an organisation or a company(organisation-replying-as)
 
SAFIC Finances
 
No(no-transparency-register)
 
Consultancy, law firm([ID7])
 
less than 10 employees([ID4])
 
 
Spain([ID48])
 
Banking([ID8])
Brokerage([ID9])
Crowdfunding([ID7])
Investment advice([ID8])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Lendix mytriplea arboribus setpay. I use it for my customers. I think we need to be an alternative to banking the capability to issue current accounts.
No([ID57])
 
Yes([ID56])
Public regulator
Strengthness and CV of developers and control upon them
Unknowingly who is behind it
Yes([ID56])
Limit the development. Warn without limiting amounts.
USE regulation for all the states
None.
Nope
Don’t know / no opinion / not relevant([ID58])
Nope
 
 
 
 
 
 
No([ID57])
 
No([ID57])
 
No([ID57])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
an organisation or a company(organisation-replying-as)
 
Transpact.com
 
No(no-transparency-register)
 
Company, SME, micro-enterprise, sole trader([ID6])
 
less than 10 employees([ID4])
 
 
United Kingdom([ID52])
 
Payment service([ID9])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
All fund-raisers and platforms should be required to be registered as payment service providers, since they remit funds. They will then be correctly regulated for anti-money laundering and counter terrorist-financing requirements.
 
Don’t know / no opinion / not relevant([ID58])
 
EIDAS and like identity verification schemes will revolutionise Fintech, and greatly bring barriers and costs of conducting financial transactions down. The sooner these schemes are brought into public use, the better. But they will require that every person and every entity has a unique public registration and ID. This ID can then be used within payments to uniquely designate a payer/payee. At present across the EU, not all entities and not all individuals have a uniquely attributed ID. For example, in some countries, Trusts do not have such IDs. So the EU should concentrate on requiring each individual and each entity to have a unique public ID, and these IDs should be mandated to appear in all payments, to prevent money laundering and terrorist financing.
 
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
See answer to Question 1.11
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
No([ID57])
Any treatment of Fintech which does not put anti-money laundering and counter terrorist-financing (AML/CTF) at the core of the process, around which every other activity must be considered, is badly designed. Therefore, a fourth core principle must be added, so that AML/CTF is also listed as a core principle. To treat AML/CTF as an add-on consideration at a lower level or later stage is a failing, and cannot prevent money laundering and terrorist financing.
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Yes([ID56])
 
 
 
 
No([ID57])
See answer to question 1.11
 
 
 
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
a private individual(public-replying-as)
Yannis Kalfoglou
 
 
 
 
 
 
 
 
 
United Kingdom([ID52])
 
Asset management([ID6])
Crowdfunding([ID7])
Social entrepreneurship([ID175])
Technology provider([ID178])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
I currently use * banking-as-a-service * crowdfunding * foreign exchange services * equity shareholding * accounting - invoicing and compliance I would like to see more finTech for * micro-services * digital currencies * micro-investments * responsible lending
Yes([ID56])
people are turning to robo-advisors as a cheaper alternative to wealth creation compared to traditional financial advisors historic returns show that passive management outperforms active management in certain asset classes client onboarding on robo-advisory services is very easy and straightforward compared to the traditional wealth management approaches
Yes([ID56])
we should be able to always go back in the algorithm and prove why we made a decision regarding a financial product (credit rating, card, loan, etc) - current state-of-the-art AI doesn't provide that regulatory oversight, some neural networks are too deep and complex to even understand why they arrive at the decisions they do
why decisions have been made the way they did - trace all the way back to the logical steps followed to offer a financial service to the european citizen
Liability regarding the performance of the service should lie with the provider, not the consumer, regulatory oversight needed to protect the consumer
Yes([ID56])
currently, crowdfunding platforms are fragmented, country-specific, it's hard for startups from different european countries to apply and get funding in another country, the platforms are in theory country-agnostic, but once the campaign closes and pledges are converted to hard funding commitment, there are issues with locality - in certain countries you need to have legal presence to collect the funds, etc.
support and implement a pan-european umbrella framework that transcends national boundaries and local legislation
all aims and goals should be visible at the platform level - any potential investors should be aware of what they are investing into and have legal backing in case things go wrong
use latest IoT sensor technology to track and provide real-time insurance for world events as they happen impact on agriculture, motoring, life events, etc enable insurance-on-demand for all life activities and pay-as-you-go models
Yes([ID56])
we should avoid overfitting our machine learning models and selection bias - a training set for certain lending criteria should be free from cultural bias otherwise the recommendation will always discriminate against certain pockets of the population we should place social scientists and policy makers along side machine learning statisticians to ensure unbiased results - most engineers do not have background knowledge of the data used
blockchain technologies to enable micro-services at the citizen level and peer-to-peer economies of scale AI systems for automation of mundane back office processes and provision of personalized financial products
use fintech to cut down on friction costs, avoid duplication of work, reconciliation, double book running and other cases where fintech makes a real difference to the balance sheet. We need a strong ecosystem so choice will be given not stuck with monopolies. EU should ensure there are no monopolies in the system and level the playing field, so everybody has a chance of service provision and servicing, not only the big multinationals
awareness of fintech and its benefits for the consumer hold up roadshows and education across the EU about the role of fintech to consumer finance, at the moment most fintechs try to sell to the big banks and FI companies, consumers are not targeted directly
roles might or could be automated but that shouldn't lead to job losses, rather redeployment and opportunities for new jobs creation
regulatory compliance analytics - when a new legislation comes out, fintech deployed to (semi-) automatically alert on conformance to fiduciary obligations - done in seconds rather than months of work among compliance experts Also use as planning for new products to ensure maximum exposure and compliance with regulatory frameworks
fear of data or control loss ignorance of the safety protocols and security of cloud environments public perception that data close to me (e.g, my laptop) are safer than data at distance (cloud servers in another continent) safe heaven, and other regional and country specific regulations requiring certain limitations to the use of data - we live in a global business environment, you can't slice and dice the data in regional chunks when operating globally
Yes([ID56])
EU regulatory should be both protecting the consumer from abuse of their data but also enabling new business and facilitating existing ones by providing the right operational frameworks for use of the data for societal, business and personal benefit
Yes([ID56])
Yes, they do - cloud solutions meet the strictest of security standards
Don’t know / no opinion / not relevant([ID58])
 
blockchains that are open, not private, and easy to modify and fine tune to specific industries and sectors, more open source protocols and universally agreed upon operational semantics for blockchains (who are the miners, the validators, the protocol dispatchers, who are the token issuers, etc)
not proven at a large scale - with the exception of bitcoin - very end user unfriendly technology, consumers are not warmed up to the uses of blockchain other than digital currencies trading - more needs to be done to make blockchains more consumer friendly
understanding the ramifications of using blockchain as a surrogate to a legal process - smart contracts are not legally enforceable. Best practice is not available yet and the technology is still evolving
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
we should be able to share resources and capital across the region without much red tape - country specific legislation could overpower EU wide, and there are known unknown about the impact of brexit, if and when it finally happens, regarding passporting for fund products, etc.
make fintech solutions emerge in one member state, readily available and endorsed across all member states - have a common supervisory framework - PSD2, MIFID2 etc,. are great but need to take into a/c country specific sensitivities
early stage support, both financial and structural mobility of talent and capital quick fail-safe schemes, it's okay to fail as long as you learn and start again - this is a huge difference with US startup culture where failure is not a social and financial stigma education - our current education system doesn't support these sort of entrepreneurial activities level the playing field - force if necessary, the big companies to work with fintechs for the benefits of everyone
Yes([ID56])
look at FCA, they are setting up accelerators, sand boxes, etc. These should be widespread across the region and let everyone enjoy the benefits of working hand in hand with the regulators and policy makers
licensing can be prohibitively expensive and take a long time to come - not in line with the pace and requirements of fintechs different member states have different licensing requirements, it's sort of a regulator of flow, but flow needs to be uniform across the region to realize maximum effects - licensing also used for protectionism and political reasons, rather than as an engine for innovation
Yes([ID56])
fintech friendly and affordable licensing for lending, micro-investments, accreditation, financial credit worthiness and solvency
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
protection and curation of personal data (PII) and ensure the end user is always aware of where and how his/her data are being used - this is far from true today
Yes([ID56])
all three needed to ensure not only leveling the playing field but also there is no favorable measures for certain fintechs and market segments - open scrutiny policies and consultations is the best way to achieve this
take best practice in one member state and replicate across the region empower local expertise and decision making before making something pan-european - we are all europeans but also all so different - europe works best bottom-up, not top-down enforcement
Yes([ID56])
ESA and other units at EU level have a unique birds eye view on what's going on in the market and region as a whole - therefore can provide a high level, strategic advisory role
Yes([ID56])
this has been done for years in science (FP programmes, etc) so it could be applied to fintechs, consultations with experts is important to understand lessons learnt, what works and what doesn't
Yes([ID56])
sandbox approaches are very country specific at the moment, best practice from these can be used at the european level to establish eu level sandbox approaches endorsed by all member states
Yes([ID56])
it makes perfect sense, it will cut down red tape and make movement of capital, people and innovation across member states seamless and frictionless
enable collaboration and co-operations between market participants, not only competition - at the moment a lot of FI firms are traditionally focused on competition, not co-operation
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
data standards and interoperability is a constantly moving target, you can never get it 100% right as technologies and data evolve faster than the introduction of standards, but we should have, at the very least, platform level and sector specific standards and enforce interoperability across member states
data dictionaries common frameworks for developing and enforcing smart contracts on DLTs post-trading settlement and recon processes cross border payments frameworks unification of digital tokens
Yes([ID56])
absolutely! open source is the only viable paradigm to work on with the frenzy pace of technology innovation - it provides an excellent framework for global co-operation and co-invention on a planetary scale EU should endorse and work with open source, but not try to stifle innovation by over-regulating open source
incumbents are wary of their status and market positions so it is likely they will resist fintechs if they threaten their very existence - but fintech could solve problems with efficiency and effective operations that large incumbents can't - by their very nature of size and shareholder pressure
yes, it is a scheme that is long way coming - it is a truism of our times that social media and other corporate giants are profiting on the back of peoples' data, but people who make these corporations what they are today, get nothing in return - that can't go on for long and it won't EU could trailblaze the path here with introducing ways that member states citizens can monetize the use of their data
blockchains are the right vehicle for storing, securely, and cryptographically encrypted, sensitive data and give full ownership to its users - however, as the technology is still evolving today, more work is needed to ensure proper uses of blockchains are in place for the benefit of member states' citizens
Yes([ID56])
yes, they could be of help, digital ID handling on blockchain technology offers a tamper proof and immutable records of ID history which could battle forgery and ID theft
often in blockchains you are not fully aware who are the participants (unless permissioned settings) and the handling of private and public keys is still work in progress
risk profiling can become a routine operation with access to common datasets across the region - at the time of application for a financial service, the provider should know in a matter of seconds everything that is pertinent to the applicant's history without operational friction and delays or uncertainties (today's AML and KYCC is way too slow and fraud laden)
data is a commodity - use it as such credit worthy information and probing on financial data should be done once and used many times - data is the same but need re purposing
standard cloud security requirements should apply here - eCommerce standards and credit card transactions standards are good enough
N/A
testing across the region in sandbox environment, then expand steadily at regional level, invite fintechs, incumbents and consumer groups in the testing phase, learn lessons, repeat and roll out when certain thresholds of service acceptability are met
banking for everyone social education on the importance and future of finance encourage and incentivize people
Don’t know / no opinion / not relevant([ID58])
 
 
an organisation or a company(organisation-replying-as)
 
Objecttech group limited
 
No(no-transparency-register)
 
Company, SME, micro-enterprise, sole trader([ID6])
 
10 to 50 employees([ID6])
 
 
United Kingdom([ID52])
 
Technology provider([ID178])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
we are a solution provider and use as many applications that will enhance the customer experience and create competition within the financial services industry. All of the Financial services industry need to look at new business models and new ways to expedite customer inclusion.
Yes([ID56])
mobile phones are the best example of new growth in financial services where the non bank banks are gaining share through improved customer experiences and adopting the needs of the consumer (Financial wellbeing)
Yes([ID56])
Regulations should be put in place to protect consumers, to ensure transparency and accuracy of the algorithms. Maybe to enhance the GDPR along these lines.
safe guards should be included in algorithms to ensure ethical and accurate management. ISO standard should be implemented and some form of regulatory oversight.
safe guards should be included in algorithms/robo advice to ensure ethical and accurate management. ISO standard should be implemented and some form of regulatory oversight. GDPR to cover most of this.
Yes([ID56])
some regulatory appear to support the growth of crowdfunding while some seem to disparage them. The over-riding principle of customer protection must be of paramount importance and transparency of the underlying crowdfunded investments.
the Commission must openly support the rise and introduction of new innovative ways of business models and take a softly softly approach to initial regulation
the highest level of transparency should always be a priority, for better consumer information, self regulation initiatives are a starter, these are generally an excuse not to be supervised as the costs of being regulated are far too high and can be over complicated.
sensor data can be a good thing for the consumer as it tends to give real time and accurate data which can help cut premiums and speed up payouts for claims.
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
 
Not sure if there are any regulatory obstacles preventing financial services from using cloud computing as they all must adhere to the GDPR and when signing contracts with cloud providers the use of specialized solicitors in this field should be recommended.
Yes([ID56])
supervisors should recommend the use of specialist solicitors who are expert in this field.
Yes([ID56])
they should not just meet minimum regulatory requirements but also exceed.
Yes([ID56])
the use of specialist solicitor and advisers should be expert enough to cover all contractual obligations.
ObjectTech Group www.objecttechgroup.com which is looking to create genuine competition by putting the consumer/SMEs at the heart of PSD2 and Open Banking by the use of its innovative "Consensus Ledger Aggregator" which allows individuals/customers, and SME's to bring together a richer set of data, and, hold it privately - in their own "Aggregator" rather than in a third party Aggregator. This is a game-changer for the consumer. There are also benefits to the Banks with massive cost/ efficiency savings to their AML/KYC processes, data liabilities and risk exposures. The "consensus Ledger Aggregator" (CAL) meets, and exceeds all regulatory and legal requirements, where the customer owns and controls how they share their data, at the same time keeps their privacy. (shields them from the GAFAs, Google, Amazon, Facebook, Apple) The "Consensus Ledger Aggregator" opens the door to what I call ‘PSD2 Extra’ as the customer now has the capability to add all of their financial accounts and transactions in one place and gives them the ability to use this data to solve other consumer problems, such as switching Energy Companies. We use blockchain DLT, AI, Cryptographic and distributed filling technologies.
One of the challenges for DLT is standards, and this is being rectified by the BSI who have teams working to build ISO standards. Regulations must stress that all blockchains need to be interoperable.
The main obstacle to the use of smart contracts is that governments not understanding how smart contracts work (they are neither smart nor a contract) a greater understanding of smart contracts by supervisors is needed.
No([ID57])
When a company outsources their work the requirements/rules of the home regulator must still be met; this does of course increase other risks, i.e. "concentration risk".
Yes([ID56])
though most home regulators accept that there is an increase in risk they do appear to have a more intrusive regime towards firms that outsource.
 
Not aware of any existing EU or Member state financial services legislation that needs to be adapted to facilitate implementation of Fintech solutions.
The EU to openly support and assist innovative and creative Fintech startups through regulatory run sandboxes.
Yes([ID56])
Government through regulators need to create the environment for competition and new business models such as PSD2
 
No([ID57])
 
Yes([ID56])
In all areas where new Fintech actors are coming into play as they need to be nurtured and lightly regulated so as not to stifle innovation and the creation of new business models.
Yes([ID56])
Does the GDPR cover the free flow of data in Europe?
Don’t know / no opinion / not relevant([ID58])
 
 
Yes([ID56])
Shared experiences offer better solutions and ideas.
Yes([ID56])
A collaboration of industry practitioners, consumer groups and experts is always a good thing to find solutions to legal and regulatory concerns.
Yes([ID56])
All regulators across Europe should offer the facility of sandboxes not just to Fintech Startups but to the incumbent banks as well.
Yes([ID56])
All sandboxes should have the facility to help startups to operate cross border
 
Don’t know / no opinion / not relevant([ID58])
I suspect not
Don’t know / no opinion / not relevant([ID58])
I think this is covered in PSD2 and the GDPR
 
Yes([ID56])
EU institutions should promote Open source models as it helps to create standards, makes it easier to be more innovative and to build on each other's ideas to develop new ideas.
Is not the object of Fintech startups to create competition and new business models and to embrace the un-banked? If the incumbent firms do not adapt to the digital world they will not survive but be replaced.
Does not the GDPR cover the requirements for Data sharing, transparency, security and protection?
 
Yes([ID56])
ObjectTech Group www.objecttechgroup.com which is looking to create genuine competition by putting the consumer/SMEs at the heart of PSD2 and Open Banking by the use of its innovative "Consensus Ledger Aggregator" which allows individuals/customers, and SMEs to bring together a richer set of data, and hold it privately - in their own "Aggregator" rather than in a third party Aggregator. This is a game-changer for the consumer. There are also benefits to the Banks with massive cost/efficiency savings to their AML/KYC processes, data liabilities and risk exposures. The "Consensus Ledger Aggregator" (CAL) meets, and exceeds, all regulatory and legal requirements, where the customer owns and controls how they share their data, at the same time keeps their privacy (shields them from the GAFAs: Google, Amazon, Facebook, Apple). The "Consensus Ledger Aggregator" opens the door to what I call ‘PSD2 Extra’ as the customer now has the capability to add all of their financial accounts and transactions in one place and gives them the ability to use this data to solve other consumer problems, such as switching Energy Companies. We use blockchain DLT, AI, cryptographic and distributed filling technologies.
Storing personal data on a blockchain DLT should be a NO NO as once it is on there it cannot be removed, so misses the right to be forgotten and the right to have one's personal data removed.
 
 
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
a private individual(public-replying-as)
John Copping

United Kingdom([ID52])
 
Other([ID180])
Regulatory, and Technology, Business Consulting
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
I currently use Contactless Card Payments; EMV Card Payments; International Money Transfers and cross border purchases; on-line and App based banking. I should like to see more Fintech Solutions in the area of P2P, P2B & B2B lending with a view toward increasing competition and lower charges and rates.
No([ID57])
 
Yes([ID56])
The algorithms used will have been written (in the most part) by Humans. Humans have natural biases that could be reflected in the Algorithm. (See the recent case where an algorithm used to identify the world's most beautiful women failed to take into account ethnicity). Therefore any algorithms created for FinTech purposes must be carefully reviewed to ensure that biases in their creation, or operation, take place.
A standard Credit Check should be sufficient for most purposes. Analysis of transactions made by individuals should be carefully managed. A parent may be purchasing items for their children or partners, and as such, the data gathered may not be representative of the individual themselves. This could result in poor advice being provided or, exclusion from a product set that would be ideal for the individual. For example: a parent may be paying for Horse Riding lessons for their child. There is a risk of injury in riding horses, but an algorithm may consider the risk to be on the parent, not the child. This could impact Life/ health insurance premiums for the parent.
Consumers should have the right to challenge, and correct any data associated with their lifestyle/ activities. I would expect any product provider to facilitate such challenges, however, a centralised mediation function may be necessary in some cases.
Yes([ID56])
Local legislative and regulatory processes will, and do, impact on crowdfunding activities. This is not necessarily a bad thing. Full deregulation would encourage fraud.
It may be possible for the Commission to set up an EU register of crowdfunding/P2P operators, to provide some form of certification as to their legitimacy and capability/quality. The register should be for the whole of the EU and not nation based. This would offer consumers the greatest level of choice of "certified" providers. A rating service/solution can be provided in parallel to this to allow consumers to make an educated choice of provider, and provide feedback on the service provided.
Self regulation is not the answer. Most self regulation functions favour the big players over the smaller ones, ensuring that the smaller operators comply fully with any new requirements, whilst the big players defer implementation to reduce costs. Self regulated organisations also tend to favour the organisation (as any business would) over their consumer, sometimes to the detriment of the service that they provide, reducing competitiveness and quality.
Such analytics must be capable of being challenged. As mentioned above, and included again here: Analysis of transactions made by individuals should be carefully managed. A parent may be purchasing items for their children or partners, and as such, the data gathered may not be representative of the individual themselves. This could result in poor advice being provided or, exclusion from a product set that would be ideal for the individual. For example: a parent may be paying for Horse Riding lessons for their child. There is a risk of injury in riding horses, but an algorithm may consider the risk to be on the parent, not the child. This could impact Life/health insurance premiums for the parent. Insurance companies are in the business of taking a risk based approach to the services that they provide. An analysis of an individual's DNA to see if they are at risk of developing a serious disease later in life may impact the value of the policy that they are offered, as the provider will always opt for a risk averse approach. However, DNA alone is not a true indicator of a risk, and many other factors should be taken into consideration. Again an independent regulator may be required to adjudicate on any interpretation of analyses that have been made about an individual.
Yes([ID56])
Insurers already have a great deal of data on their existing customers and use this to calculate the risk profiles of new customers, this profiling can have gender; age; and location biases built in that impact the value of the policies offered. Further data capture (e.g. from social media) would also impact that profiling. The face an individual shows on social media is not always their true face.
RPA (Robotic process automation) will impact upon the clerical sector. It has the potential to work 24x7 and could replace 3 workers with one robot. However, it is likely that the quality of work undertaken by the robot will be higher, and that does offer efficiency gains. Also, whilst a reduction in staff may occur, due to there only being a need for them to step in to manage exceptions, a wise manager may take the opportunity offered by automating away certain boring processes, to allow staff to bring in more work for the robot to perform, thus providing not just efficiency gains, but also increased business.
We are currently looking at various solutions in RPA, data analytics, and cloud based functions to help our clients.
The EU should not be prescriptive in setting standards and requirements, but it should provide a centralised capability of reporting on the effectiveness and validity of any innovation that is launched. It should be able to openly report on any issues identified and, where necessary, engage with providers of the services to ensure that they are transparent and meet the ethical and legal requirements of the EU as determined through the existing democratic processes.
There will be some significant impacts in the next 10 years. This will result in people losing their jobs. Alternatives such as reducing the working hours/ setting increased holiday requirements, may enable the job losses to be reduced, but this will impact the competitiveness of EU businesses against the rest of the world. The future workforce will need to be educated in critical thinking, and the management and operation of "exceptions" to standard processes, as the standard processes will be increasingly handled by non-human devices.
RPA for data gathering will improve the quality of the data returned to the auditor. If the EU wants to facilitate implementation the key piece would be to create a stable compliance regime, one that is based upon adequate risk assessments and does not pander to minority demands. Meeting the compliance requirements of 90% of the citizens (corporate and individual) should be seen as sufficient. Any extras after that are expensive to implement and maintain and offer minimal value to the majority of users.
The person that owns the data should have some say as to where that data is held, and on the security measures applied to that data. Cloud computing has had to compromise by creating "clouds" in different territories in order to support local regulatory data privacy requirements. However, most contracts still include the clause allowing the cloud provider to move the data when and where they see fit. There is also no guarantee that the data will not be lost. A cloud can be made relatively secure, by restricting access to data held through isolation and data access controls. However, a breach of security would leave the entire cloud open to data theft. The "Safe Haven" act for those keeping data in the USA cloud is broken, as Trump has now given the US authorities permission to look at any data on any computers/databases in the USA. Again, if your data is in the cloud, how can you check that the hardware is managed in a secure way when you don't know where the hardware is?
Yes([ID56])
The EU should set a central policy that covers the requirements of the majority of EU citizens (corporate and individual) for cloud computing security, location and compliance. Individual nation states should not impose extra functional requirements above the central policy.
No([ID57])
Who audits the cloud, to determine the location of an individual's data, and the effectiveness of the location's security, when there is no fixed place where that data can be held?
Yes([ID56])
Any cloud solution should enable the service user to know who wants to access their data, and who has accessed their data. The location of where that data is held, and the security applied to keep that data safe.
I do not believe that DLT will have any significant benefits on the SME estate. The providers of Financial Services (FS) like DLT as it will reduce their operational costs. However, the role of the FS provider is to make a profit, so reduced costs are seldom passed, in full, to the consumer. The move to CHIP & PIN resulted in banks implementing higher transaction charges for the "new technology" and forced retailers to buy new equipment to support this, even though it was going to reduce fraud losses to the banks - a win/ win result for those companies. The SME always pays...
The main challenges are the potential loss of control on monetary policy when the method of exchange is disintermediated from a nation state.
There would be a need to standardise all EU laws to ensure that DLT can be used in each nation without breaching any local regulation.
No([ID57])
It is not an obstacle. However, AI based technologies may impact upon this during the next decade, removing the need to outsource, or providing even lower costs by having the automation off-shored.
Yes([ID56])
The requirements are sufficient. The effective monitoring of compliance to those requirements is absent.
RPA, and future AI based solutions will impact upon operational costs and on the whole of society. Reducing operational costs will increase operational profits, and could distort the distribution of income in society.
The EU should not be prescriptive in setting standards and requirements, but it should provide a centralised capability of reporting on the effectiveness and validity of any innovation that is launched. It should be able to openly report on any issues identified and, where necessary, engage with providers of the services to ensure that they are transparent and meet the ethical and legal requirements of the EU as determined through the existing democratic processes.
A free market approach should be implemented. However, the market offerings should perhaps be Risk assessed by a central authority and the ratings for each solution made freely available to the citizenry for them to decide on what option to take. The citizenry may need to be educated, or have carefully explained to them, what the risk assessment actually means.
Yes([ID56])
Regulators should be there to assess the viability of a solution and manage any disputes. They should not restrict the launch of new initiatives except where those initiatives break existing legal requirements. However, the advent of new technologies may make those requirements irrelevant, or in need of review, as automated / AI processes may offer improved quality and adherence to legislation.
National legislation impacts upon innovation. Development of solutions in one country may not meet the local legislative or regulatory requirements in another. Standardisation of legislation across the EU would facilitate the rapid adoption of novel and effective FinTech solutions. Individual nation states should not be allowed to introduce legislative or regulatory requirements that would prevent a solution from outside of their country operating there, in order to protect their existing corporations. An example of this is the deregulation of the rail industry; this should have completed years ago, but some EU countries are still failing to abide by the requirements and have actively introduced regulations to prevent de-regulation.
Yes([ID56])
Standardised data privacy regulations (GDPR should deliver some of this). Standardised conditions of business operation (minimum deposits to maintain or run a financial service). EU wide legislation that does not get compromised by individual countries attempting to protect their incumbent corporations/ operating practices.
Yes([ID56])
Standardised conditions of business operation (minimum deposits to maintain or run a financial service). EU wide legislation that does not get compromised by individual countries attempting to protect their incumbent corporations/ operating practices.
No([ID57])
 
No([ID57])
who guarantees that the three principles are being followed?
There should be a free exchange of such local initiatives in order to produce a set of best in class products for use by any EU citizen.
Yes([ID56])
Inter-collaboration and the sharing of ideas between ESA's will result in improved products and standards for the whole of the EU.
No([ID57])
 
No([ID57])
the sand box is intended to be an open environment to determine the best solution. regulations already exist for a provider to follow when developing a new solution. regulation should review the output from a sandbox to determine if any regulations need to be updated.
No([ID57])
 
 
Yes([ID56])
The requirements for improvement have already been recognised. I expect the EU to maintain this approach to evolving solutions.
Yes([ID56])
However, actions are underway to address the issue.
A clear set of standards that do not get adjusted by individual countries.
No([ID57])
Let the market decide.
I expect the impact will be significant. However, the smart firms will buy up/join and implement the new services in order to maintain their market position. Consumers like a known institution, and newcomers represent an unknown risk. A known company name would provide assurance to consumers that a solution is viable. Newcomers would have to establish their reliability very quickly in order to make a significant challenge to existing systems (e.g. PayPal).
data is money. therefore the use of data for commercial purposes should be paid for by the company using that data for commercial gain.
too early to tell. However, indications of fraudulent activity around Bitcoin and similar solutions would suggest that further development is required in order to bring these items into mainstream use.
No([ID57])
The implementation and importance of data security is poorly understood, and poorly implemented. It is seen by many companies as another cost that does not generate extra income. It is not seen as a form of insurance against losses that could cripple a company should they occur. Many companies adopt a bare minimum approach to compliance in the hope that an event resulting in a loss of data never occurs. This is primarily because they do not understand the risk, nor do they understand the size of the loss that may occur.
too early to tell. However, indications of fraudulent activity around Bitcoin and similar solutions would suggest that further development is required in order to bring these items into mainstream use.
They could be used to help SME's in forecasting their business operations and cost/ income timings.
For any business the holding of data that a potential competitor does not have is a key commercial edge. demanding transparency on the data held would remove that commercial advantage. this may result in a stagnant and bland market giving very little choice between products for any SME. If all the data is available to each solution provider it is quite likely that the solutions proposed will all be the same.
it does not matter what requirements are introduced. what matters is ensuring that they are adhered to, and effectively "policed". There is no point in setting minimum standards if no one checks to make sure they are followed.
it is more about ensuring the confidentiality of any threats that have materialised. the sharing of information is important (the UK has the CPNI that provides an environment that supports such data sharing). This needs to be a European/ global initiative. Nation states should initiate regulations for cybersecurity in the same way, and also ensure that policing of incidents is managed in the same way to prevent individuals in one state being protected from prosecution by another. Nation states acting against other nation states is not for discussion here.
Existing requirements should be adequate if properly implemented. The EU should promote international collaboration of cybersecurity so all states can be at the same technical standard. Standardised tests should exist to allow certification of companies throughout the EU against the same standard. differing standards and certifications confuse the consumer and reduce competition.
A universal basic income will enable the setting of minimum standards, these can be used to provide appropriate financial services to all individuals. it doesn't need a new technology, it needs a new approach to managing society.
No([ID57])
 
 
a private individual(public-replying-as)
Bart Van den Keybus

Belgium([ID22])
 
Banking([ID8])
Crowdfunding([ID7])
Insurance([ID7])
Payment service([ID9])
Social entrepreneurship([ID175])
Social media([ID176])
Technology provider([ID178])
Other([ID180])
Startup that wants to develop insurance and leasing possible of using shared car per minute!
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
I use mobile banking app and online payment apps. I want to see more fintech solutions in ocr for payments receipts, digital receipts, analysis of purchases per product item, buying advices, cost saving guides, health insurance, health cost payments, tax free vouchers, company cars, salary in natura, instant insurance, short term leasing, leasing per minute and carsharing.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
Yes([ID56])
In Belgium there is tax refund possible for charity and startups for example. It is difficult to give refund to Belgiandms via for example kickstarter.
Commission can forbid any financial stimulus of government that can stimulate traditional banks. All kinds of state financing have to be forbidden so disruptive tech startups can compete with equal chances.
It needs to be mentioned clearly on government websites what ministers expect if they support a specific platform. These platforms need to fulfill the expectations of the minister if they received support, and users of customers need to be able to receive from the platform what the minister expects the platform to deliver.
If you give assurances access to data of car sensors, assurances can avoid accidents by learning cars and drivers to avoid accidents by changing driving style. Challenges are to make money by helping clients to avoid accidents instead of covering costs from accidents. Instead of that an assurance tells me why I am responsible for an accident, I want an assurance that helps me to live without accidents. Imagine if assurances give a price for every mobility solution before you use it. It should be assurance upside down if the assurance of a Tesla self driving car pays you money every time you helped the car to avoid accidents. The assurance of a Tesla self driving car can sell all the data of user interaction and lacking driver abilities of Tesla autopilot to the Tesla company. Users can avoid that car manufacturing companies get data for free. Assurances can reward drivers to drive safe via gamification and instant bonuses.
Don’t know / no opinion / not relevant([ID58])

an organisation or a company(organisation-replying-as)
 
Open Risk
 
No(no-transparency-register)
 
Company, SME, micro-enterprise, sole trader([ID6])
 
less than 10 employees([ID4])
 
 
The Netherlands([ID51])
 
Technology provider([ID178])
Other([ID180])
Risk Management
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
We think the successful scaling of fintech in Europe will require much broader and deeper capabilities around risk management by all parties involved. Whether it is cyber risk, consumer literacy, regulatory oversight (regtech) or fintech's own ability to assess and mitigate risks, this is a vital ingredient that is not yet fully on the radar screen.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
Artificial intelligence is not a completely new software technology but the evolution of a long line of algorithmic methodologies (also known as machine learning). As such, they have been already tried in financial services (e.g. in credit scoring) and there are significant takeaways from the successes and failures of such tools. Key problems are 1) the black box nature of algorithms and 2) the pattern recognition use cases that propelled AI into the forefront are very different from the dynamic (and little understood) economic realm
See 1.5
Potential risks include 1) algorithmic failure, leading to poor performance, biases 2) opaqueness, leading to inability to explain outcomes to customers 3) confidence / reputation / financial stability issues, to the extent that algorithmic driven firms collapse. There are many classes of measures that can help proactively address issues: 1) requiring evidence of stable performance over a meaningful (sandbox) period 2) building-in from the beginning a culture of high quality model governance (compare with the ex-post expenditure to review internal bank models (ECB TRIM project)) 3) developing open source platforms to facilitate transparency, benchmarking and validation.
Yes([ID56])
 
 
Our view is that self-regulation is a powerful and required component but its efficacy is not given but always depends on the details of the economic network under consideration. This can be analyzed (at least in principle) by considering the incentives of the different agents involved and their rational risk-reward calculations. The (in)ability of the different existing strands of the financial sector to self-regulate provide good (and recent) prior examples to examine. For example the incentives of independent profit-driven rating agencies when evaluating the risks of investment vehicles.
 
Don’t know / no opinion / not relevant([ID58])
 
 
We see the current fintech effort as the second wave of digitalization in financial services. The first wave involved ring fenced centralized databases / servers and desktop PC clients used by internal staff in conjunction with e.g. office productivity such as spreadsheets. Fintech 2.0 * adds decentralized networks as the essential new ingredient * leverages open source as common software infrastructure * develops open API's to facilitate communication between network nodes. Once the above ingredients are deployed and secured at scale they enable a myriad use cases. Our focus (and we believe a cause that would resonate across Europe) is facilitating the credit financing of SME's with a transparent, low cost credit risk assessment platform.
We would recommend * encourage above all Standards rather than specific implementations or infrastructures (which all too easily become obsolete) * encourage member states to jointly support key open source projects (thereby creating critical developer mass and anticipation of long-term support) * focus not only on the "backend" but also on mobile clients. Mobile clients are the only or main gateway to the digital network and the current duopoly cannot possibly be considered as healthy or sustainable from an economic, social or civic perspective.
In our view the impact of fintech solutions will be only commensurate with the degree to which they are decentralized, versatile and usable toolkits that can be used by individuals and SME's to create additional value themselves. There is a risk that fintech will simply be a glorified hashtag for accelerating the digitization of lagging banking infrastructure. This will not create new jobs, it will merely help banks become more efficient. Helping along with the diffusion of enhanced means of digital production (along with the training required for operating them) would be the best seed for the digital economy of the future. The current technology landscape does not fulfill this objective (widely known also as the "tech productivity paradox").
Our view is that regtech is a bit of a misnomer and perpetuates into the fintech era the structural failure to improve self-regulation in financial services. Heavy regulation and a compliance mindset kicks in when agents' incentives are not properly aligned with stakeholder expectations. In this spirit we think risktech should be the mindset to strive for, developing the technical toolkit for improving risk management along all facets of financial services provision (e.g., analysis and management of operational risks such as cyber, credit risks, model risks associated with using algorithms etc.).
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
Yes([ID56])
There are major challenges in the successful scaling of fintech, what is required above all is controlled experimentation. Regulators can help with the creation of sandboxes, limited purpose licenses, standards, public ex-ante analyses and ex-post post-mortems
Currently fintech sidesteps the linchpin of finance, namely deposit taking in the currency of account. This is done by either focusing exclusively on investment activities or using alternative crypto-currencies. Excessive focus on developing a rigorous EU-wide licensing landscape before the full scope of fintech is visible might lead to outcomes that don't meet developing requirements. It would be valuable to envisage a not-too-distant end-game where there are e.g. individual accounts of ordinary citizens with the ECB and a variety of deposit oriented fintech solutions.
Yes([ID56])
The ESA's could play a key role in pan-EU registration and supervision. They embody the institutional knowledge of the range of pathologies in the financial sector and that is an invaluable contribution. On the other hand there should be consideration for the possible subtle biases in favor of incumbent regulated firms or even the explicit dependence on incumbent profitability.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
 
Yes([ID56])
We fully support these principles
In the first years of the recent fintech resurgence there has been a lot of attention on the possibilities enabled by technology, contrasting with the perceived delayed adoption of such by the existing providers. There has been commensurately less focus on establishing a strong proposition versus trust and risk management competency. Yet these are indispensable ingredients for fintech to ever graduate as large scale financial infrastructure. The EC and ESA's can help create a competitive advantage by encouraging the development of standards, practices and infrastructures that enhance trust.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
Any initiative that would increase the rapidity of the exchange of ideas, best practices, failures etc. can only be positive
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
No([ID57])
As indicated above, there is much more that can be done in this space
Yes([ID56])
We would like to highlight a success story in the space of data standardisation, the SDMX standard (Eurostat, ECB). Let's have more of that type of initiatives across the fintech space.
W3C is a good role model
Yes([ID56])
Open Source is a very powerful paradigm that was hardly adopted in finserv till recently. Yet perceptions seem now to be changing quite rapidly and the EU institutions can help shape a toolkit that optimally serves the needs of a safe, efficient and modern EU fintech infrastructure. As mentioned before, specific implementations may suffer the risk of obsolescence if not adopted by a critical mass of independent entities that have a stake in further development.
Fintech enables re-calculating (in principle) the cost of financial services provision using a zero marginal cost assumption. Our best current estimate is therefore that fintech will entirely replace incumbent firms but on a timescale that depends on the ability to execute on the promise (create trusted infrastructure *and* demonstrable risk management / behavioral qualities). This timescale may still be too fast (e.g. less than 10 years from now) for a natural "winding" down of existing firms. As discussed before, cost reduction is not the only consideration. Fintech may enable significantly healthier economic activity to the degree that it manages to democratize financial knowledge, transaction and service provision ability for individuals and firms.
We should collectively develop a much more advanced European data culture focused on privacy where required and ease of exchange where desired. We like our real wallets stuffed with widely exchangeable euros but we don't like somebody keeping tabs on what's inside or how it is used. Similarly we should have our digital "data" wallets. In the first instance the value and contents therein are only the business of the owner. If the owner chooses, it should be possible to monetize data across a digital space that has built-in safeguards. Developing and deploying a distinct culture and technology around monetizing and sharing of private digital data will be a huge competitive advantage of the EU and an essential part of the future jobs landscape.
DLT is still largely coupled to cryptocurrency roots. Might be advantageous to think broader about distributed databases
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
Lax standards are self-defeating in the long-term as any significant incidents will color the new technologies as unreliable, thereby delaying the adoption
 
Without any claim to completeness some of our favourites * semantic web technologies for annotating services etc. * sophisticated visualization clients (screen based, not VR/AR) * serious gaming for improving financial literacy
Don’t know / no opinion / not relevant([ID58])
 
 
an organisation or a company(organisation-replying-as)
 
Accountancy Europe
 
Yes(yes-transparency-register)
4713568401-18
Industry association([ID9])
 
10 to 50 employees([ID6])
 
 
Belgium([ID22])
 
Accounting([ID4])
Auditing([ID7])
Other([ID180])
Tax advice
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
an organisation or a company(organisation-replying-as)
 
OpenCBS
 
No(no-transparency-register)
 
Company, SME, micro-enterprise, sole trader([ID6])
 
10 to 50 employees([ID6])
 
 
Other country([ID53])
Kyrgyzstan
Social entrepreneurship([ID175])
Technology provider([ID178])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
We are a Fintech Provider. We welcome PSD2 and regulations that help break the monopoly of banks on data.
Yes([ID56])
Digital lending but it does not necessarily benefit poor people.
Yes([ID56])
Most people do not understand the value of their social media data and are ready to share it too easily with Fintech and more generally other companies.
 
Mostly lack of education of customers.
Yes([ID56])
For instance France is positive.
Generally reduce barriers to entry and provide regulatory sandboxes.
Investors should be well aware of risks especially counterpart risk
No
Yes([ID56])
Difficult to know what elements are included for scoring.
For instance in our case we offer a low cost platform for financial institutions. By switching to our platform they can offer more transparent services at a lower cost.
Generally our Open Source CBS and our solutions around digital finance.
Do not subsidise
None, some jobs will die but some others will be created.
For instance we want to link our software OpenCBS with regulator through APIs so that the smallest Financial Institutions, which are often our clients, can have their reporting done automatically and without mistake. Usually those institutions do not have resources to report accurately.
Data is often to be hosted in country; reliability of some platform; non-ubiquitous internet access
No([ID57])
I am referring mostly to developing countries.
No([ID57])
Some platforms are breaking laws but I cannot mention them.
Yes([ID56])
I think they need to comply with all regulations in the countries they operate.
 
 
 
Yes([ID56])
 
Yes([ID56])
 
 
For us the VAT is a problem, and to have EU wide regulatory reporting and regulations would be very efficient. For instance for each client regulated by a Central Bank in Europe we need to design different reports.
EU-wide regulatory powers to replace national regulatory powers.
No([ID57])
 
As above, the absence of an EU single regulator
Yes([ID56])
 
Yes([ID56])
 
Yes([ID56])
Take over national regulators.
Yes([ID56])
 
Reduce regulations to the minimum.
Yes([ID56])
 
Yes([ID56])
 
Yes([ID56])
 
Yes([ID56])
Cross border is the key point, Fintech do not like to be bothered by ESA.
 
Yes([ID56])
 
Yes([ID56])
 
 
Yes([ID56])
 
Safety and privacy of client data is a key issue.
Yes, user should give informed consent
 
No([ID57])
 
 
For instance cash flows should be well known and forcing banks to give access through PSD2 is a good start.
By law and enforcement
 
 
 
 
No([ID57])
 
 
a private individual(public-replying-as)
Francesco De Gennaro
 
 
 
 
 
 
 
 
 
Italy([ID36])
 
Accounting([ID4])
Auditing([ID7])
Banking([ID8])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
I regularly use online banking and mobile app supplied by my bank. I think that, following explicit or implicit client needs, the fintech startup ecosystem will find the way to innovate (for example in the investment and savings market)
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
No([ID57])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
The main challenge for the EU and member states to boost the RegTech sector and the level of efficiency of the entire regulatory landscape is to establish a mandatory obligation for EU and member state lawmaking bodies (Parliament, Commission, independent sectorial authorities like EBA) to produce a "by default" mapping of the law text using current technologies like XML. A machine-readable version of new regulation should be made so that rules could be applied automatically. In other words, every legislative measure should be produced not only in a "readable" format (like .doc and .pdf) but also mapped towards a shared and official taxonomy in order to facilitate its implementation. The taxonomy should be "vertical" (for example regarding the world of credit and loans) and developed jointly between all the public and private entities interested in its application (following the example above, together with EBF-European Banking Federation). This innovation could reduce regulatory compliance costs (because the law requirements are natively organized and ready to be implemented) and provides an opportunity for regulators to access data more easily and to customise the compliance requirements.
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
Yes([ID56])
 
 
No([ID57])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
 
 
Yes([ID56])
 
No([ID57])
 
Yes([ID56])
 
No([ID57])
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Yes([ID56])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
an organisation or a company(organisation-replying-as)
 
EUF - EU Federation for Factoring & Commercial Finance
 
Yes(yes-transparency-register)
39275004756-35
Industry association([ID9])
 
less than 10 employees([ID4])
 
 
Belgium([ID22])
 
Other([ID180])
European Industry Association for Factoring & Commercial Finance
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Within the factoring industry, digital platforms to exchange data on invoices have recently become more and more popular, in particular in the case of reverse factoring, a kind of supply chain finance where a big buyer sets up a factoring facility for its suppliers. Web-based factoring services (although they are not properly “Fintechs”) are also growing in their market share, and there is a growing interest for FinTechs specialised in "big data". Many Fintech applications are meant to serve forms of invoice finance or even trading. The factoring industry is closely monitoring the development of such applications.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
As some of the services offered through the Fintech applications are outside of the scope of the banking and financial supervision and may be seen as alternatives or competitors of factoring and commercial finance services, it is likely that, without a proper oversight of those players, some transactions may be shifted towards the shadow banking sector and go “out of the sight” of regulators. This implies obvious consequences both on the demand side, in terms of lower customer protection (e.g. data protection, transparency etc…), and on the supply side, in terms of breaching the level playing field due to the high costs of supervision borne by the traditional players, as well as an increase in the overall systemic risk. Hence, enhanced oversight could ensure a level playing field in the financial industry, particularly with regard to data protection, operational and IT-risks, etc.
At least the minimum information required to collect/enforce an invoice/receivable against a debtor.
There is a risk of non-compliance with e.g. data protection rules as well as fraud risks and the risk of perpetuating system flaws and incorrect entries into the system; furthermore, consumers generally want to be able to get in touch with a human contact person.
Don’t know / no opinion / not relevant([ID58])
 
 
To ensure a level playing field, self-regulatory initiatives are not enough. The neutrality principle comes into play here.
 
Don’t know / no opinion / not relevant([ID58])
 
Blockchain and distributed ledger are also seen as groundbreaking innovation in invoice finance, with many related projects in the pipeline, yet analysis of potential consequences and pitfalls is still ongoing. Technology may foster access to Asset based lending facilities, and in particular inventory finance, through the implementation of new technology allowing, e.g., a constant and direct access for the financier to the inventory data of the client. Also the existing hardware technology might improve ease and promptness of credit in the commercial finance industry: direct scan and upload of invoices through e.g. smartphones is helpful for factoring clients/assignors, particularly for SMEs.
In factoring, electronic processing of invoices and other data is already widespread and has been done for several years, in some countries even decades. As stated above, technological platforms to implement blockchain in order to distribute ledgers have been launched and some others are in the pipeline, both within the banking, factoring and commercial finance industry and outside of the industry. Such platforms are intended to dramatically increase efficiency and rapidity of data exchange, as well as allowing the establishment of reliable security on the purchased assets. This usually involves a technological partner (sometimes even a consortium of banks and financial institutions). However, certain aspects of the business model in factoring cannot be replaced by technological solutions, e.g. the direct contact and exchange of information between the factoring company and its clients - this direct contact helps assess situations and risks of the individual case, thereby enabling the factoring company to take sound decisions based not only on algorithms but also on personal experience and impressions. As reliable as technology may be, professional evaluation of the assets - the invoices - and of the risks entailed in the trade relationship between the seller and the buyer should not be neglected. In general, there is concern that an approach exclusively relying on data analysis may overlook important, qualitative signals of deteriorating credit worthiness and/or business relationship, if not even fraud, and would end up increasing the overall systemic risk.
A level playing field also means that new business models or ideas and technologies are given the same amount of support as established and well-functioning ones obtain. The principle of proportionality also entails that enterprises with similar business models and structures are treated similarly, irrespective of other traits such as innovation. Having said this, asset based lending such as factoring and other forms of invoice finance requires, as a fundament of the product, the ability to get proper and reliable security on the pledged or purchased assets. Therefore, legal certainty is crucial. In order to allow an orderly implementation of most recent technology advancements like distributed ledger within the industry, it is of the utmost importance that the information exchanged obtains legal recognition when opposed to third party interests.
It is difficult to assess the impact on employment. FinTechs outside of the financial perimeter are usually run with a very limited number of employees, but the business model is not exactly the same as that of factoring. The factoring industry is likely to see a shift of required competences towards IT applications and supply chain solutions. Hopefully, FinTech solutions with connections to or useful for factoring will help in increasing the number of well-trained future experts in factoring, thereby supporting the number of eligible employees for factoring companies.
 
EU data protection rules and reputation risks entail that cloud services located outside the EU are not really eligible cloud computing services.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
Regulatory requirements for financial institutions do not only establish specific contractual obligations with regard to cloud solutions (e.g. management of operational risks, outsourcing requirements), but also in other industries such as for credit insurances (specific requirements for such insurances to be considered as credit risk mitigating).
Blockchain appears to be dominant in the projects currently in the pipeline.
From the operational point of view, data standardization and interoperability of systems are definitely crucial for a successful implementation of DLT. Legal recognition of the information exchanged is fundamental as well. From the regulatory point of view, EU data protection rules and reputation risks are the main challenges in this area.
 
Yes([ID56])
Certain areas of business in the financial sector cannot be (fully) outsourced due to regulatory constraints.
Yes([ID56])
Regulatory rules and requirements on outsourcing limit the amount of outsourcing that is possible as the last responsibility and a minimum of knowledge or expertise has to remain with the financial institution that uses outsourcing, thereby often nearly defeating the purpose of outsourcing, namely obtaining cost-efficient expertise from outside the company.
 
Similar services require similar supervision (level playing field). A proper, prudent and sound regulatory oversight of the “new” players should be provided to avoid the shift of transactions outside of the supervised environment with increment of systemic risk. Moreover, established forms of financing such as factoring should be put in the position to compete with new business models which often merely use the name of the established product to draw attention, while their business model and product in reality is completely different, often being closer to brokerage rather than to providing financing/liquidity. Investors purchasing invoices/receivables through these channels usually are not “professionals” but are institutional investors or even individuals. The factoring industry also expresses concerns about the reputation of its well established form of finance being potentially endangered by such new businesses due to their significant exposures to credit risk and fraud issues, which may, at the end of the day, involve risks for individual customers.
 
No([ID57])
 
 
No([ID57])
 
Yes([ID56])
More proportional regulation and supervision is needed not only for FinTechs, but also for the other, more established businesses in the financial industry with specific and lower risk profiles such as factoring.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
Technological neutrality is particularly important in order to establish and maintain a level playing field in the financing industry. To the aforementioned principles, the principle of considering all comparable actors on an equal footing could be added - in other words: maintaining a level playing field while considering in particular the principle of proportionality is important.
Political institutions such as the EU Commission may support FinTech, but the question whether the EU can become a hub for FinTech innovation is more a question of market competition.
Don’t know / no opinion / not relevant([ID58])
 
No([ID57])
 
No([ID57])
Fostering FinTechs is more a matter of market environment/competition and less a matter of political solutions.
No([ID57])
 
 
Don’t know / no opinion / not relevant([ID58])
 
No([ID57])
Regulatory requirements such as outsourcing rules are more of an obstacle, technical issues can often be overcome.
 
Don’t know / no opinion / not relevant([ID58])
 
As always with innovative trends which become very popular in a short period of time, there is the risk of a "bubble". Therefore, the risk of FinTechs becoming the next "bubble" should be taken into account carefully, considering that focussing too much or even solely on these new ideas and business models may be counterproductive.
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
The IT-/cybersecurity requirements for financial institutions are already very strict; in order to create a level playing field and to follow the principle of technology-neutrality, such requirements should also apply to FinTechs where appropriate and proportional.
Data protection rules are the main regulatory barrier which prevent this kind of information sharing.
 
 
Don’t know / no opinion / not relevant([ID58])
 
an organisation or a company(organisation-replying-as)
 
Austrian Federal Economic Chamber, Division Bank and Insurance
 
No(no-transparency-register)
 
Industry association([ID9])
 
500 to 5000 employees([ID8])
 
 
Austria([ID21])
 
Banking([ID8])
Insurance([ID7])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Current Usage: Institutions currently use robo-advisory tools to optimize asset management portfolios - used as a tool for physical advisors – as well as use payment solutions that combine digital payment with real life payment (e.g. smartphone as debit card). They also offer online-products completely processed E2E digitally (e.g. savings products/factoring and others implemented); consumer credit online at the moment not E2E due to national legislation. Further current usage: • Transactions analysis • Screen scraper/wallet and PSD2-API: In development/testing In the following areas institutions would like to see more FinTechs: • Machine Learning/Artificial Intelligence: Reduce false positives in regulatory activities (AML, sanctions, fraud, etc.) and combat future attacks using AI • Prediction analysis tools: Gain customer insight for x-selling opportunities • Robotics: Increase efficiency and effectiveness, user experience/convenience as well as regulatory adherence • Biometrics: Increase security and user experience/convenience • Blockchain/DLT: Increase efficiency and security and user convenience/experience • SmartContracts: Automation, efficiency/effectiveness, security and user convenience/experience • Big Data: Gain indepth knowledge, cross-selling opportunities and financial crime protection • e-Identity, eSignature: Automation, efficiency/effectiveness, security and user convenience/experience • Digital payment: Automation, efficiency/effectiveness, security and user convenience/experience
Yes([ID56])
Although ‘automated financial advice’ can produce more reactive, real-time solutions to customers, for the time being, it remains a niche technology. Overall, it is too early to make statistically significant measurements about the use of ‘automated financial advice’ today. Advantage for the customer: it is simpler than advice through a person and can be offered for lower price (expensive HR costs can be leveraged by AI logic). Once in place and properly marketed, these financial advices could outperform current advices by order of magnitude within the next 3-5 years, due to the following benefits: • In order to be effective, they are pre-configured and easy to use with immediate feedbacks. • Independent of location and time, i.e. 24/7 • Implicit regulatory compliance • Increased usage of mobile devices by younger generations
Yes([ID56])
For the time being, ‘artificial intelligence’ is a niche technology. It is too early to make statistically significant measurements about the use of ‘artificial intelligence’ today. Regulation should not be technology-oriented but rather use-oriented. In our view, enhanced oversight is required in order to • gain trust of public in general and users in specific in the new technology • avoid LIBOR-type fraud, for consumer protection purposes and to establish a balanced “level playing field” among differently regulated entities • early identify malfunctions • make comparison between technologies possible Currently, there are no effective alternatives known.
In principle, ‘automated financial advice’ is ‘financial advice’ and is covered by MiFID2/MiFIR. Any definition of customer segmentation is based on the customer profile and not on the technology used. This has also always to be seen in light of Article 5 GDPR (e.g. purpose limitation and data minimisation).
In principle, ‘automated financial advice’ is ‘financial advice’ and consumer protection is covered by MiFID2/MiFIR. Additionally, the GDPR provides extra protection to the customer. We would see the following risks: • Identified customer insights can become available to third parties. • These insights should not be sold/be specially protected (similar to PCI/DSS for credit card information). • Missing transparency of which data has been processed and how automatic decisions have been made. Measures that should be taken to address these risks: • Transaction transparency to the customer (which machine did what with my data) • A mandatory "STOP" function for autonomous FinTech robo-solutions (e.g. trading robots) like autonomous driving vehicles have. • Ensure sufficient data security and protection
 
For an overview we also refer to the Cambridge Centre for Alternative Finance’s 2016 European Alternative Finance Benchmarking Report. For the time being, crowdfunding (in the sense of crowd lending) is a niche in continental Europe. Crowdfunding has many advantages, but it might also result in potentially high-risk investments. As such, crowdfunding should be subject to the small investor protection law (level playing field). Passporting rules are necessary; current country-specific regulation (eg tax breaks, minimum requirements…) segregates the market on national level, thus creates inefficiencies and a Delaware-type “race to the bottom”.
Imbalances and the lack of a level playing field concerning non-bank financing can create potential for regulatory arbitrage, with also a lack of clarity as to the contractual situation in peer-to-peer lending – Who is lending to whom? Who is a principal, who is an agent? But this lack of clarity has not prevented the ballooning of P2P as savers scramble to find attractive returns, believing P2P investment is an alternative to protected bank savings. Non-bank financing solutions/companies should also be put in a basic regulatory framework to enhance trust of customers in such solutions and foster a competitive market with similar basic rules (level playing field).
No, we consider self-regulatory initiatives as being insufficient. A level playing field for all market participants is necessary. Furthermore transparency in this context is important regarding fraud, money laundering and terrorism financing. Personal data has also to be secure and protected. Banks have a high level of transparency to customers for all the services they provide; other providers of similar financial services should be regulated accordingly, also taking into consideration the risks for consumers; in particular, we suggest creating three levels of transparency (as for the financial sector): • Precontractual; • Contractual; and • Post-contractual.
Insurance based on individual profiles and/or real-time monitoring of behaviour is a general challenge. In principle, insurance is based on statistical probability. Targeting individuals on an individual basis is not ‘insurance’ in the traditional sense but individual risk mitigation. This being said, we believe that the challenges would be the following: • Potential exclusion of certain consumers from certain services. • There could be risks related to customer data quality and veracity. • Challenges linked to budget and human capital: Indeed, errors/inadequacies of sensor data analytics and other technologies are more likely to arise if tools are developed without the in-put of qualified staff. The need to ensure proper staff and the creation of new multidisciplinary teams with employees of different background is critical. The list of challenges is in a way already mitigated by regulations and not necessarily caused by sensor data analytics and other technologies. It is crucial for banks to have a more harmonised implementation of regulation across the European Union.
Yes([ID56])
Mostly American companies: Amazon and other retailers (for example travel sites) change prices due to usage of end devices, time, geo-location, etc.
Technology has been improving communication between customers and financial services providers for decades: from telephone banking (1980s) via internet banking (1990s) to banking apps and automated calculation based on ‘artificial intelligence’ today. These are market-driven developments in a free market economy. Further examples of other technological applications: • Innovative user interface design and functions • Access could also be improved for handicapped persons using techniques to facilitate access to digital services (e.g. natural language question answering). • AI systems could warn people of upcoming danger • Usage of smartphones sensors Examples for further combinations: • Combination of Adapted Distributed Ledger (Slimming), eIdentity/eSignature, biometrics and SmartContracts to provide a comprehensive business model. • RoboAdvice together with AI • eIdentity/eSignature in combination with automatization of document management, i.e. automatic assignment of scanned documents to customers which would enable a provider to provide more online services which currently require offline signatures/processes.
Literally every banking process/service can be enhanced, be made more efficient/effective with Fintech, especially in the field of mid- and back office operations, or front-office advice activities by using roboadvice. More obligatory cooperation in information exchange requests in the field of compliance would facilitate such processes. The most promising use cases at the moment are: • Robo-advisory to leverage sales in retail with better/more sophisticated products at low costs • Robotics to reduce costs by re-framing existing processes to E2E processes • AI/Big data (which customer needs/which product at which period of his life) • The use of web APIs should lead to more modular and flexible solutions which could improve processes and costs.
Any regulation should be: (i) principle-based rather than rule-based; (ii) proportional; (iii) consistent; (iv) balanced; (v) fully technology agnostic; and (vi) required only when justified by measurable data about any kind of misconduct or market misuse. We are convinced that no specific regulations are needed at EU level. However, the banking sector would welcome specific measures aimed at fostering FinTech development. Experience (e.g. Singapore’s Government initiatives) demonstrates that there are many factors that can improve or block FinTech. The most important are capital for investments and government support also in terms of sponsorships. A powerful mix could be to support FinTech initiatives by introducing or extending specific development programmes to finance experimentations (e.g. with fiscal exemptions), the creation of sandboxes to freely test innovations, encourage ideas sharing, production and execution, promoting acknowledgement, diffusion and training on such topics by facilitating cooperation between universities, financial institutions, talent gardens, customer associations and other stakeholders. Further measures could be: • Provide a clear, transparent and x-industry wide regulatory and legal framework to give a common playing field. • Define basic needs on cloud computing to special services to avoid a potential worldwide collapse of cloud computing to be transferred to Europe. • DLT - define the framework how it can be used in Europe (currency yes/no, business processes, ...) • Social media – It is more a topic of data security to make transparent which data is used for which company/analysis.
We expect less employment in mid-/backoffice routine administration, but there will be additional higher qualified employees needed in the area of data analytics, product/pricing management, personal financial consulting, and personal omnichannel servicing. Furthermore a field of needs and correlated skills is rapidly growing. New job opportunities in many sectors can be invented, too. Therefore, new competences have to be developed and encouraged. These competences have to be a mix of technological, business, banking and user experience ideas. These competences change fast, due to fast emerging innovations, so it is difficult for traditional HR units to follow, and sometimes understand or anticipate, trends and needs. Therefore, financing and promoting programmes in this direction are welcome. For Austria we see a gap between digital dexterity and education.
Banks have been implementing technology for compliance purposes (e.g. for statutory reporting) for decades. Should further and more concrete RegTech solutions become available, they could be useful as compliance costs are still the most complex obstacles to freeing up the growth of innovative solutions. But RegTechs alone are not sufficient. Concrete initiatives to facilitate innovation without too many burdens are to be put in place by the EU. No new rules are required but positive measures, deregulation in certain ‘safe’ areas as well as financing or facilitating economic support to create simple compliance frameworks or examples to follow. These measures should be the same for start-ups and for traditional financial institutions so as to guarantee a level playing field. Machine Learning/Artificial Intelligence are about to replace rule-based solutions (AML, Sanctions/CTF, MAD 2, etc.). Control and evaluation can be done more effectively via AI in the future. Using robots (virtual, but also physical ones) can improve quality and also quantity of regulatory control and as a result lower risks. Measures that could be taken are: • European innovation lab for new technologies and digital infrastructure • Solely European market regulations for European markets and business models • Centralized digital services for law enforcement and criminal prosecution data inquiries • European sourcing regulations for service and information processing and sourcing • The EU can support development by offering regulatory frameworks not only as texts, but also as script base data to make implementation in digital solutions easier (do not read legislation - implement the "legal blocks" into your IT systems). Challenges: data protection legislation and principles as well as transparency towards the different types of involved data subjects
As a general comment, financial institutions generally support the European Commission’s steps to remove obstacles to the free movement of data, as stated in the communication on ‘Building a European Data Economy’ adopted on 10 January this year. In particular, we support the Commission’s intention to enter into structured dialogues to address unjustified or disproportionate data location measures as well as further initiatives on the free flow of data. Moreover, whether it is ‘cloud’, ‘outsourcing’, ‘hosting’ or ‘on premise’, banks have to comply with data security regulations in Europe. The reasons to use a given operational model are based on commercial calculations. One specific example is the use of SWIFT by banks for messaging services, with SWIFT storing message data (which may contain personal data) in multiple operating centres for resilience, availability and security purposes in the EU and in the US. Therefore, the European Commission’s initiative to launch the ‘EU-U.S. Privacy Shield’ (July 12, 2016) for stronger protection for transatlantic data flows was highly appreciated. Data protection rules may prohibit this external storage, if no appropriate technical or organisational measures have been taken to ensure security of personal data. Especially for financial service firms this may be problematic. • National banking laws and banking secrecy are not in compliance with foreign legal regulatory data accesses • Data Protection: formal requirements for third data transfer • Material outsourcing criteria setup by local banking regulator • For most cloud services the exit scenarios are unclear
No([ID57])
In our view, EU law is flexible enough to enable cloud computing. The trigger lies with national banking law (EU initiatives might be supportive) and public opinion about having banking data not at the bank.
No([ID57])
Banks decide their IT operational models based on costs, quality, security and capabilities. Depending on the kind of cloud solution offered, providers could facilitate adoption by banks through a sort of ‘standard legend’ based on icons or compliance tables. In this way, buyers could immediately and easily know if a provider is GDPR or PCI-DSS compliant. The EU could help providers in creating and updating these. Currently there is a strong focus on national data storage, so international providers often do not meet the basic requirements of exclusive/local storage and nobody knows where the data is physically stored. There should be an obligation that data for special purpose (e.g. financial services) is only stored and processed in physical storage and on physical devices in the EU member states.
Yes([ID56])
Non-disclosure agreements and data transfer prohibition to another third party or legislation area - in case it is not an exclusive EU service (regarding all levels of possible data access).
DLT offers new opportunities in any sector in terms of transparency, traceability, and community building (peer-to-peer exchange). However, DLT is also at a very pre-mature stage (see also the ECB’s special report ‘Technological innovation: Distributed Ledger Technology (DLT) – challenges and opportunities for financial market infrastructures’). As DLT is a general-purpose technology (comparable with other data base management systems), it is not client-specific. Envisaged practical opportunities: • Crowd Funding • Trade Finance (Documentary and Guarantees) • Syndicated Loans • (Reverse) Factoring
Box 1 on page 12 of the EC consultation document says that: ‘DLT has the potential to … reducing counterparty and operational risk’. Counterparty risk is always linked to a potential default of the counterparty in the future, which depends on the financial condition of a firm, but not on the technology underlying a message exchange. Therefore misunderstanding may be the largest danger in the current discussion about DLT (and FinTech in general). Interoperability is still a subject that is little discussed and which generates uncertainties for a possible long-term choice. We expect several DLTs to coexist in the long run, so interoperability will be key. A main challenge is to establish one single standard for DLT. Interoperability, standards and governance, personal data protection and digital identity management are necessary to ensure fair and secure access to data stored on a distributed ledger. Cooperation by financial intermediaries, regulators and other market participants is necessary to solve issues of infrastructure cost, conflict of interest and regulation to provide for standardized, scalable processes (i.e. typical requirements for establishing new industry platforms). As currently all DLT implementations are proprietary solutions without interoperability due to missing standards, DLT is not mature for a large-scale implementation and/or for systemically critical financial infrastructures. Different DLT technologies or implementations, interfaces, data standards and SmartContract functionalities could lead to large overhead, malfunctions, limited data exchange and limited business purpose and therefore to a fragmented and limited market which will either starve or be leap-frogged by US and/or Chinese standards/platforms. Several challenges remain for an implementation involving lots of clients: • Appropriation by the customer of this new trust approach. • Liability management to be defined. • Governance: • Integration in the internal banking ecosystem.
• No/different legal frameworks for General Terms and Conditions/B2C-B2B-Contracting in general and in the digital world, esp. regarding SmartContract (“Code as Contract”) • Different Data Protection Laws (EU and national versions) for personal data exchange especially cross-border (they serve as basis for contract initiation and crime prevention) • No Data Standards (ISO20022 could serve as basis) • No standard definitions for common contracts (terms and conditions, payment, digital signatures/authentication/identification, collaterals/access to company, etc.) • That basic regulatory rules and bodies of law are constructed for paper processes and the written form - this should be re-framed to digital texts and automatic procedures like DLT. As a technology for messaging and data storage, DLT does not require any special treatment. Already today, electronic communication systems are used to exchange messages within contractual relations (from SEPA payments to confirmation of derivate financial instruments). As ‘Smart Contracts’ are simply computer code or ‘scripts’, they do not require any extension of existing law, which already covers electronic communication as part of contractual agreements. Nevertheless, contract laws are different across Europe and even more so internationally. Therefore, harmonisation of European law – e.g. in the case of the planned Securities Law Legislation – is appreciated. We think that confidentiality, personal data protection (GDPR), enforceability of the smart contract and of the digitalisation of documents represent the main obstacles. Given the capabilities of the technology, we expect regulators to open up the possibility of its being used for functions traditionally held by other actors (e.g. CSDs could be replaced by DLT-based systems). Nevertheless, when laws are not technologically neutral it could be necessary to revise them in order to erase this lack of neutrality.
Yes([ID56])
• Current banking secrecy laws impede outsourcing of services including the processing of customer data to companies not located within the EU • Outsourcing standard models such as ITIL or ISO2700x are applied in general, but national law and/or regulations have to be considered • No legal framework for mandatory protection measures (SAS 70, ISA 402 based ICS, etc. are considered insufficient esp. for Non-EU outsourcings) • Stringent data protection rules make outsourcing in general problematic.
No([ID57])
Further action is needed in the following fields: • European outsourcing/data protection/general terms and conditions regulations which apply to all EU countries by default • No national goldplating should be allowed
There are technological developments with potential for increased efficiency: from personal assistants such as Siri or Alexa to Robotic Process Automation. All those technological developments are market-driven and will be implemented if there is a benefit in doing so. In addition to our answer to question 1.1., we would like to provide the following practical examples: Centralized Services for Law Enforcement and Criminal Prosecution Services: • Centralized access for criminal, social security and fiscal authority records check • Centralized monitoring and watchlist-check services to combat AML/CTF, financial sanctions, tax evasion (FATCA, CRS) and external fraud schemes
We consider a level playing field among all financial services providers as being key (same activities – same regulation). As all regulation should be technology neutral, no regulation of technological innovations is needed, as long as different regulations are consistent. One example can be taken from the various current developments in the field of data: • Concerning personal data: the current GDPR and parts of PSD2 restrict the processing of personal data to contractual relations, mandates given by the customer, and/or explicit consent of the customer to the use of data by a data controller. • In parallel Access to Accounts (XS2A) according to PSD2 and portability of data according to the GDPR Art. 20 open up contractual relations concerning data processing between a customer and her/his bank to third parties without a contractual relationship between the third party and the bank. • The Commission adopted the ‘Building the European Data Economy’ on 10 January 2017 with a focus on machine-generated data, but without a clear separation as all customer data in a bank is processed by ‘machines’ (from mobile banking by smart phones to data centres). Synchronisation can be done during consultation and discussion of new initiatives. In general, it could be easier to follow the GDPR approach (Regulation and not a Directive) to have a competitive market; in particular, guidelines provided by the WP29 can be a good approach to provide rules that allow FinTech to act within the same provisions. Another particular example is the interaction of AnaCredit and IFRS9: Overlapping regulation, reporting and supervisory requirements from partly different institutions and legal backgrounds, e.g. AnaCredit (renegotiation but not forborne) and IFRS9 (modification and derecognition) should be replaced by a single set of rules.
Such an overlap as for “renegotiation” and “modification and derecognition” for the same content (ie to prove that changes to the loan contract over full maturity are not driven by grossly deteriorated borrower rating/standing) including setup of data entry and recording devices are extremely costly.
The Commission should always apply the principle of ‘same activities, same rules and same supervision’. FinTech has reduced barriers to entry in financial services markets, but remaining barriers need to be addressed. One possibility would be an EU innovation lab for new, disruptive technologies and digital infrastructure standards/certifications, under the condition of clear and consistent rules for all participants.
Yes([ID56])
See question 3.2.1, especially for matters of financial stability and efficiency. The same activity should be subject to the same rules. E.g. crowdfunding and other shadow banking entities that pick out bits and pieces of the value chain of traditional financial intermediation should be subject to the same rules. Otherwise incentive problems of the US-subprime lending-type will emerge and similarly impact market functioning and efficiency.
Concerning licensing requirements, the existing legislation and regulation define what a ‘bank’ or a ‘payment institute’ are. Any kind of ‘shadow banking’ contradicts the approach of a level playing field. Any ‘non-bank licensing’ (page 8 of the CP) for lending or other financial services distorts the level playing field, including the risk of a new kind of ‘sub-prime crisis’, and would weaken those banks which are sustainable pillars of the economy.
Yes([ID56])
In order to maintain/achieve fair competition among all market participants a regulatory level playing field is key. If the EU should introduce new licensing categories for FinTech activities with harmonised and proportionate regulatory and supervisory requirements, including passporting of such activities across the EU Single Market, we ask to specify in which specific areas this should happen and what role the ESAs should play in this.
Yes([ID56])
In our view, defining minimum standards for innovative technologies, including in the field of cybersecurity, is necessary. A licencing system could be considered as part of a regulatory framework, as well as appropriate auditing. In supporting more proportionality the Commission should look at the entire financial services value chain and not focus on non-bank FinTechs specifically. The Commission should always apply the principle of ‘same activities, same rules and same supervision’. FinTechs as they are part of the shadow banking sector should be subject to the same rules as regulated banks for their pieces of the bank value chain.
Yes([ID56])
Data Protection laws prohibit personal data to be exchanged between legal entities (including entities within one group of companies) and across border. Initiatives to change this situation necessarily need the definition of use-cases where this principle may be exempted by specific law. For international (cross-border) transactions – such as payments, trade finance, securities settlement, etc. – it is condition sine qua non that transaction messages can flow freely, but this flow is defined in the contract between a customer and her/his bank. Nevertheless, with the PSD2 the freedom of contract, including the right of an entity not to enter into a relationship with a third party, has been restricted. Therefore, an asymmetric situation will be enforced by regulation, as customers have to give their consent to a third party, but banks must not. It will be a key success factor for the Digital Single Market to be based on the fundamental principles of market economy and basic features of contract law. Any restriction of these general principles to enforce a single rule concerning access to data will undermine the basis of the Single Market. To ensure data safety, storage of data outside the EU should not be allowed (for the safety precautions that were discussed with regard to storing SWIFT data in the EU).
No([ID57])
We think that the ultimate goal for a regulatory approach must be to maintain a level playing field for all FinTech providers (same activity – same rules). These three principles should be broadened by the principles of safety, security, privacy and subsidiarity in regulation in general.
Please see our answers to questions 2.12 and 3.10. As any regulation should be technology neutral, the Commission and European Supervisory Authorities should coordinate a common understanding that ‘technology’ should not be regulated but left to the market to develop market-driven innovations. The ESAs should understand technological developments. Financial services are based on technology to a high degree and data protection. IT security and cyber resilience are key for the stability of the financial system. Financing of startups and micro companies is a risky venture where the duality of personal/individual borrower-type (qualitative) and quantitative hard facts are in a particular interplay in the estimation of credit risk. Current EU regulation (CRR etc) more or less hinders banks from providing this type of finance which is crucial for many FinTechs. In Europe (different from the US), banks did play a role in venture capital formation, and this should be enabled again as a prerequisite for a viable FinTech sector.
Yes([ID56])
Due to the European and National Governance Approach (higher taxation and lower private prosperity lead to private innovation resource scarcity and public authority driven/funded innovations) European and international relevant and sustainable innovations need • European governance, funding and servicing • Non-discriminatory/same rules for all market participants (FinTechs, traditional FIs, financial service markets stakeholders, …)
Yes([ID56])
We think that use cases should be specified and analyzed, and suggestions how to adapt data protection law in that respect should be made accordingly. However, it is important that any offer for regulatory sandboxes should only be made in line with harmonized rules for all participants. • Organization: Nomination process through local authorities; participating teams should not be too big to ensure exchange and discussion; physical meetings due to better relationship management; different EU countries as meeting place. • Topics: current issues of national or EU parties invited; future challenges and how to handle them; insights from experts to selected topics • Method: use modern, interactive and solution orientated methods and techniques (design-thinking, prototyping, …) A ‘European Innovation Platform’ as a common hub for discussion and support of a strong European economy can be helpful, but should not interfere with existing European initiatives.
Yes([ID56])
We refer to our answer to question 3.9. It remains unproved whether sandboxes can provide better results compared to market-driven innovation. National approaches are not helpful in a multinational and global financial industry. As all players in the European financial system are competing in the global economy with major international banks and internet juggernauts – such as Google, Amazon, Alibaba, Tencent, etc. – any limitation for the competitiveness of European banks should be avoided. Regulatory sandbox approaches should particularly be provided via common standards/platforms for DLT (blockchain) applications. We would like to also stress that: • No new regulation is required at the moment, both because current legislation already addresses some aspects and because it is too early to define some other aspects that are still under development; • If, however, regulation were to be undertaken, it should adhere strictly to previously indicated principles; • Any regulation should ensure a level playing field that does not, on the one hand, hinder start-ups or, on the other, penalize financial institutions; • Any positive measures aimed to foster FinTech at any level (funding, tax reduction, training, ideas sharing, etc.) are welcome as well as guidelines that could help to clarify or give examples of what can be done and how (as opposed to what cannot be done).
Yes([ID56])
Any European Authority (EBA, etc.) or proven neutral organization (e.g. SWIFT).
Treatment of software investment: The accounting treatment of software as an intangible asset causes it to be fully deducted from the Core Equity Tier 1 (CET1) when calculating the capital requirements. This is perceived as a significant disincentive for investments in innovation and a major factor of unfair competition. Indeed, there is evidence of different regulatory treatment of software in some jurisdictions, including the United States where capitalized computer software can be recorded as "other assets" and subject to regular risk rating and not deducted. Consequently, this removes any artificial hurdle to banks investing in digital, creating value for the economy as a whole and leading worldwide innovation in the area. A change to the CRR is therefore justified. Accordingly, we propose the following Amendment to the CRR: “Article 4 Definitions: (115) “intangible assets” has the same meaning as under the applicable accounting framework and includes goodwill, with the exception of software for the purpose of Article 36.”
No([ID57])
Please see our answers to the previous questions.
Yes([ID56])
Different, proprietary solutions are also based on different, proprietary standards which are locking in / limit cooperation possibilities and are expensive. In the digital world only global standards prevail (and therefore, EU standards should be open and enforced as a competitive approach to US / Chinese standards) Furthermore, technical standards should not be regulated but should be market-led. Standardisation and outsourcing do not interfere from our point of view.
ISO 20022 is a good example for international standardisation driven by industry developments. Taking this into account, a free market-driven development is the best way to achieve interoperability – especially in an interconnected network market such as financial services.
Yes([ID56])
International standardisation processes are working very well. For blockchain technologies, the ISO/TC 307 international technical committee for the development of blockchain standards was recently set up. The committee also involves 16 ISO member bodies, including Germany, the United Kingdom, France, Estonia, Canada, Australia, the United States, Japan and South Korea. No measures at EU level are needed to promote the use of technology, including open source. Every harmonized approach will help to generate a European wide comparable offer and a single market over all countries. Open source is the basis for fast growth as it attracts many different developers/solution designers and entrepreneurs to build upon – also from Non-EU countries. Know how within any open source project is shared around the world. This allows smaller organizations (e.g. FinTechs), but also bigger organizations like traditional banks, to develop a solid business model, keep experts with know how in the EU and foster the development of competitive services that can be offered globally. Standards by other big players (e.g. US, China, …) that are proprietary, not really open and have a negative impact to business models of European organizations may lose their importance if EU fosters open source. From a security point of view Open Source is also the basis that there are no backdoors in products and services used by European organizations.
FinTech will be part of the future banking process. Threat actors try to attack the weakest link first. Smaller FinTechs may not have sufficient funds for important security investments. Therefore, there is a high risk that smaller FinTechs do not have mature security processes (e.g. secure software development and secure coding, secure deployment process…). This could be a new attack vector that will be used by criminals. Fraudulent schemes will grow significantly, as the numerous new FinTechs will arise on the market (esp. due to PSD 2) and the difficulty to understand / complex technical business models will confuse customers who will suffer from digital criminal attacks.
In our view, ‘free flow of data in the Digital Single Market’ means applying the principles of a free market economy and freedom of contract to the issue of data provided and/or processed in a contractual relationship between a client and a financial institution. For international (cross-border) transactions – such as payments, trade finance, securities settlement, etc. – it is, of course, condition sine qua non that transaction messages can flow freely, but this flow is defined in the contract between a customer and her/his bank. Nevertheless, with the PSD2 the freedom of contract, including the right of an entity not to enter into a relationship with a third party, has been restricted. Therefore, an asymmetric situation will be enforced by regulation (i.e. PSD2), as customers have to give their consent to a third party, but banks must not. A compensation could help to a more efficient use of data and more acceptance to allow data usage. But compensation can be done in different ways - also by lowering prices for consumer products/services or free offers/services. This can facilitate the access to FI products for consumers and reduce prices by supporting data driven analytic development at the same time. It is important however to establish that the compensation cannot be an 'out' for the unlawfully acting data processor, but an agreement between the two parties.
The use of the DLT can improve the auditability and reliability of data. The implementation of DLT solutions requires data standardization that can provide some added value to the sector. The question of governance remains, i.e. which entities run those distributed databases? In the case of ‘Bitcoin’ the original peer-to-peer approach collapsed over time and today a limited number of opaque and interlinked ‘mining pools’ are in control of the majority of resources and data storage. Current developments such as Ripple’s InterLedger Protocol or R3’s Corda framework implement ‘permissioned’ versions of DLT within closed groups of identified users (such as banks) and can limit access to defined parties. Also, some of these new protocols offer the possibility to encrypt transaction data, allowing for a strict confidentiality of the transactions between parties. These developments can be seen as advanced protocols for synchronisation of (existing) ledgers inside different financial service providers without the need for later reconciliation and without separation of clearing (of messages) and settlement (of funds). In a scenario of an international/EU-wide network of banks using DLT (closed ledger version) a more efficient banking network without clearing institutions can take place. Prerequisite for efficient and financial stability-supporting DLT solutions is, however, the establishment of platform solutions and solving pending legal prerequisites. DLT is not yet common industry knowledge. But, DLT alone is not sufficient, it must be enhanced with other technologies (eIdentity, eSignature, Authentication/Authorization, Smart Contracts, etc.). Currently there’s no alternative technology solution which shows similar potential (cloud solutions are mostly proprietary technology and therefore limited).
No([ID57])
The implementation of ‘permissioned’ versions of DLT within closed groups of identified users (such as banks) can be enhanced by existing digital identity frameworks. This requires more development work in the future. This being said, there is currently no real e-identity available for customer registration (retail or corporate) and digital identity frameworks are not sufficiently developed. In parallel, some proposals have been made to use DLT itself for digital identity management (e.g. by the companies ‘Blockchain Helix’, ‘FranceConnect’). Although those proposals seem to have benefit e.g. for KYC, none of them is at a mature stage today.
‘Permissionless blockchains’ as used by Bitcoin or Ethereum store all data in clear readable format, and everybody is able to retrieve and read all stored data. Current developments such as Ripple’s InterLedger Protocol or R3’s Corda framework implement ‘permissioned’ versions of DLT within closed groups of identified users (such as banks) and can limit access to defined parties. Also, some of these new protocols offer the possibility to encrypt transaction data, allowing for a strict confidentiality of the transactions between parties. It could be interesting to further explore the potential of using DLT to store and share information on KYC-AML. There are already some FinTechs offering this service through DLT. But implications with personal data protection still have to be better understood due to the nature of DLT itself, e.g. the fact the data is in a clear and readable format or how to comply with the ‘right to be forgotten’ required by GDPR.
As risk profiling is a core competency of banks – and in particular of banks serving SMEs – technology for scoring and credit risk management has been used for many years. SMEs are informational opaque borrowers. Regulation in many countries provides for low reporting requirements for these small firms. CRR and other regulation requires banks to come up with their own risk assessment; external scorings may only be added respectively need to be evaluated bank-internally. Allowing a larger role for “external” scorings in SME lending may be supportive. Data exchange as described is certainly (up to a certain level) helpful in establishing risk profiles, but clear rules have to be established which data are to be collected, from which source, for which timespans and what rights data subjects have at which time in the process. The more attributes and history of data is available and the more relevant information is shared between state authorities (social security, tax, finance, law enforcement, courts, etc.), within industries (blacklists with other banks) and between other industries (telecommunication, insurance, etc.), the more secure the risk profile could become.
Banks holding any data on SMEs, including clients’ credit and financial data, have to keep such data secure and secret. It can only be used for the purposes of lending and for the contractual relationship between banks and their clients. Any sharing of such confidential data requires an explicit mandate by the client and would be done according to freedom of contract. For state authorities there should be a standardized small (reasonable) fee. For market competitors, clear rules must be established. Once data exchange is regulated, cost effects let the market decide. Fundamental rights should not be left alone to the market. By offering these services as a product, the service can be used by all parties of the market though risks may arise with uncontrolled forwarding of data.
• The uncompromised infrastructure principle, i.e. end-to-end evaluation of infrastructure security checks/detection requirements (from end-user device over internet connection to service-provider infrastructure and onward to outsourcing-/business-partners). • Each infrastructure line and point should be protected directly via root-checks/malware-checks/etc. and indirectly via behavioral analysis/etc. • Qualification of acting security managers should be proven (e.g. international certifications – CISSP, CISM, CRISC) – they should speak the same “security” language • Security principles (security by default, security by design) • Secure software development • Cyber threat intelligence
Financial service information sharing platforms (paid) already provide specific information to subscribed financial service providers. Most paid reports and feeds are customised to the needs of the requestor. Sharing is on the one side not permitted (from a legal point of view), could contain confidential data and on the other side is not meaningful for the receiver due to the different business models. Cert.at operates an information sharing platform based on MISP (Malware information sharing platform). Organizations and public authorities share information about malware and their indicators. MISP users benefit from the collaborative knowledge about existing malware or threats. The aim of this trusted platform is to help improve the counter-measures used against targeted attacks and set-up preventive actions and detection. Cert.at in Austria already informs the financial sector in case of nationwide or sector specific cyber threats. For adequate responses to cyber threats an EU level cross border information sharing is essential. The adoption of the Directive on security of network and information systems (NIS Directive) is one of many examples towards a more secure European online environment. There are also initiatives of the ECB and EBA to harmonize and streamline cyber security issues. Hereby it is important to avoid redundancies. In some EU member countries sharing of IP addresses of possible threat actors is still not allowed or the process to get allowance takes too long. Therefore the EU has just to use already available formats (TAXII & STIX) - inventing special formats just for the EU-area would be counter-productive - and adjust the regulatory requirements to allow the exchange of cyber threat intelligence (CTI) information.
Every provider of financial services should be obliged to perform risk-based cybersecurity testing which should include:
• Risk assessment with threat modelling of the test objects
• For cybersecurity penetration and resilience testing a minimum EU standard should be defined
• Regular vulnerability scans of the infrastructure
• Penetration testing especially for Internet facing Web applications by an accredited independent provider. (Whitebox for critical applications)
• Source code audits for critical code parts
• SAST and DAST scanning during development and test (Optional but mandatory for critical applications)
• Incident response training
• ENISA Cyber Europe should be extended
• Participating in EU wide Cyber exercises should be coupled with incentives for the organization by the regulator
Banks have been ‘heavy users’ of information technology for decades and have always implemented technology for the benefit of their customers. For a given technology, use depends on a cost-benefit assessment, which each bank has to perform in its own individual context. All future developments are always uncertain and depend on ‘trial and error’ in the market.
 
 
an organisation or a company(organisation-replying-as)
 
ANASF - Associazione nazionale consulenti finanziari
 
No(no-transparency-register)
 
Industry association([ID9])
 
10 to 50 employees([ID6])
 
 
Italy([ID36])
 
Investment advice([ID8])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
Yes([ID56])
This way of reasoning is too generic and therefore biased. First and foremost, we must bear in mind that neither all customers are Internet-savvy, nor all customers would like to forsake human contact. If we consider investment services and, in particular, investment advice, a distinction is needed. On the one hand, investment advice is a complete professional service aimed at effectively meeting investors’ needs, objectives and characteristics. On the other hand, automated financial tools shall be understood as tools for basic and generic advice, which may enable investors – particularly, less experienced and less knowledgeable investors – to access a wide range of information and understand their need for effective personal recommendations. That is to say, automated tools may be helpful in the first stage of the advisory process, but in later stages they shall be complemented with a thoroughly personalised service and the interaction of a human advisor. This form of semi-automation (robo-for-advisors) is more likely to shape the future and meets investors’ needs: i.e., a process whereby investors input all of the relevant details by means of automated devices, and then they refer to a human advisor. Accordingly, we do not agree with this statement of the Consultation document: “The combined use of artificial intelligence with big data analytics (e.g. robo-advice) has the potential to improve services and to significantly lower the price of financial advice.”. This supposed benefit hinges upon the idea that automated advice is always a low cost alternative to human advice, but this may not be the case: for instance, online platforms need to acquire customers and this may require huge investments in marketing and advertising, whereby these distribution costs are significantly passed down to clients.
Furthermore, costs shall not be the only issue to be considered, because also the quality of the service shall be taken into account: in particular, automation without human interaction does not convey any form of financial education (information in itself may be meaningless, inasmuch as there is no human advisor to explain it) and does not make it possible to correct customer’s behavioural mistakes, which are the main cause of negative returns on investments.
Yes([ID56])
Reliability of the algorithms is a key issue: overconfidence in the use of artificial intelligence (and its underpinning algorithmic infrastructure) may lead to an inflated standardisation of consumer profiling and, consequently, to herding and pro-cyclical investment behaviour (p. 7 of the Consultation Document). Indeed, it is unlikely that an algorithm (e.g. Excel) based on a given number of variables may really meet the needs of all European citizens. Moreover, the algorithms underlying automated devices require fully-fledged controls and reviews to avoid that they become “black boxes” with no form of supervision: for instance, algorithms may be devised to favour the distribution of products which entail more revenues for distribution platforms, at the expense of customer protection. Considering these dangers, the future shall not lie in the hands of robo-advisors: semi-automation (robo-for-advisors) is more likely to shape the future and meets investors’ needs.
The answer lies within the core principle of technological neutrality (pp. 3-4 of the Consultation Document): the same activity shall be subject to the same regulation irrespective of the way the service is delivered, thereby conveying the same result from the point of view of customer protection. To achieve an effective level playing field, the same regulatory requirements (MiFID, IDD directives and all the other relevant provisions concerning the collection of information and disclosure requirements) shall apply to all distribution channels (vis-à-vis, phone or automated solutions).
We identify these risks for consumer protection:
• herding and pro-cyclical investment behaviour (see our answer to 1.3);
• in the long run, excessive automation may hinder the opportunity to access human financial advice at all, thereby sacrificing human sensitivity. To avoid an Orwellian world, automated tools shall rather be conceived as a complement to human advice;
• mistakes in information collection in an automated environment, thereby raising the issue of liability allocation in case of economic damage (p. 7 of the Consultation document);
• automated devices may entice investors to rush into inputting data without properly reading pre-contractual information, thereby paving the way for potential infringements of privacy law and the sale of unsuitable products and services (in particular, the user may be enticed to complete by trial the automated procedure to access a specific product, without an effective evaluation of the suitability of the choice). It is evident that haste does not support thoughtful choices;
• the likelihood of inconsistent self-profiling by the customer in order to buy specific financial products, regardless of their actual suitability;
• misleading web-advertisements for the promotion of automated services;
• the likelihood of systemic violation of the ethical principle of “free will”, due to a “formal” way of reasoning which might prevail in the future, exclusively based on cost issues;
• personal data used for other purposes. The input of personal data may be requested by the platforms for their business, as a consequence of specific agreements/links with other market participants particularly interested in the profiles of all registered users.
Yes([ID56])
Yes, different national regulatory regimes may impact in that they may create different incentives and/or obstacles, thereby hindering the development of a single market. To overcome this problem, we need harmonised European rules inspired by the key principle of investor protection.
 
No, self-regulatory initiatives are not sufficient. Customer protection requires adequate and complete regulation by competent authorities as this is the case with insurance, banking and investment services. In Italy there have already been some important regulatory developments: in 2013 the national financial authority (Consob) adopted a Regulation (Resolution no. 18592 of 26 June 2013), significantly amended in 2016, concerning fund-raising by means of online platforms; in November 2016 the Bank of Italy adopted specific provisions concerning social lending (lending based crowdfunding).
The reasoning exposed in 1.2. applies: technology must be considered as a support (and not a substitute) for human activities. An important example of how these technologies are changing the provision of insurance services is black box insurance: cars are fitted with a black box device, recording driving data, which may improve overall standards by rewarding safe driving with cheaper insurance premiums. Considering the challenges, the widespread use of new technologies in insurance services shall always be associated with complete personal data protection. We also agree with the Consultation document when it recognises that commercial price discrimination, as a result of the use of these tools, shall be “based on objective and tangible criteria to be properly supervised”.
 
 
 
As explained in 1.2, automated tools may foster efficiency in the first stage of the advisory process, but in later stages they shall be complemented with a personalised service and the interaction of a human advisor (robo-for-advisors). Conversely, the most promising use cases of FinTech may refer to compliance issues: disclosure and reporting to customers, money laundering analyses and, more generally, RegTech (cf. 2.4).
 
We consider one of the three core principles underpinning the Commission’s stance on FinTech, i.e. EU policies should be integrity-enhancing: technologies applied to financial services should benefit both consumers and businesses without creating unwarranted risks. A potential negative impact on employment should be included among these risks: EU and national institutions should act to avoid adverse implications in terms of employment as a result of the development of FinTech solutions (this reasoning might apply, more generally, to all economic activities). We also restate our reasoning exposed in 1.9: technology must be considered as a support (and not a substitute) for human activities, especially in the case of high-value services, in particular investment advice.
As a preliminary remark, we believe that RegTech represents an effective example of integration between human and automated activities. RegTech may be used to comply with recording, reporting and contractual requirements, thereby deflating administrative burdens and the use of paper-based documents. In this sense, RegTech may provide benefits for customers, investors, financial intermediaries and financial advisors. For instance, we can consider the case of Italy: pursuant to Article 109, Consob Regulation no. 16190/2007, financial advisors shall be responsible for record-keeping obligations. Specifically, they are required to keep, for at least five years, a copy of: a) the contracts they have promoted; b) other documents signed by the customers; c) the correspondence with the persons on whose behalf financial advisors have acted. In this sense, Article 109 neither envisages nor denies the possibility to keep the aforementioned documents in a non-paper-based durable medium: in order to grasp the benefits of technological development and reduce administrative burdens, European and national legislation should explicitly acknowledge this possibility, also for financial advisors acting on behalf of financial intermediaries.
On the one hand, cloud computing services may provide effective RegTech solutions. On the other hand, the potential risks of these new technologies (cybersecurity, need for privacy …) need to be carefully assessed in order to envisage the necessary regulatory requirements.
 
 
 
As explained in 2.5., this new technological development needs to be carefully assessed in order to evaluate its compliance with the minimum requirements for financial service providers.
 
 
 
We agree with the analysis exposed in the Consultation document: DLT solutions are new technologies that need to be carefully assessed to evaluate their potential risks with regard to effective interoperability, personal data protection, legal recognition of data and jurisdictional issues (for instance, the law applicable to distributed ledgers incorporated in non EU-Member States). It is also important to avoid overconfidence in new technological solutions and preserve human sensitiveness, in order to safeguard trust in financial markets in cases of technological malfunctioning.
As a general remark, we do not agree with the idea that, concerning DLT solutions, “regulatory action is premature” (p. 12 of the Consultation document): this would seem to be like “closing the stable door after the horse has bolted”. We also believe that competent authorities should develop specific skills to effectively supervise the deployment of DLT solutions in the financial sector.
 
Yes([ID56])
Yes, the EU should introduce new licensing categories for FinTech activities. Regulatory harmonisation is also essential. A specific area of focus should be the legal framework for the cooperation between “traditional regulated firms” and FinTech firms which do not directly provide financial services, but rather offer technological tools for regulated firms (pp. 15-16 of the Consultation document).
 
 
 
 
Yes([ID56])
Yes, they are.
 
 
 
Yes([ID56])
We believe that regular forums with all stakeholders from all Member States (representatives of financial institutions, financial advisors, consumers …) may represent an effective way of enhancing the understanding of FinTech by supervisors with particular regard to potential benefits and risks.
 
We agree with the line of reasoning exposed in the Consultation document (pp. 18-19): technological developments may threaten existing business models, profitability and capital positions of incumbent firms. In this sense, EU and national institutions should act in order to avoid systemic and disruptive effects of FinTech solutions, in particular, adverse implications in terms of financial stability and unemployment and, more generally, the loss of human sensitiveness and trust in financial markets.
As a general principle, service users should always be informed and aware of the ways their data are processed and used. It is necessary to preserve the explicit possibility to exercise the fundamental rights concerning the “right to be forgotten” and the “right to erasure” which are, pursuant to EU legislation (cf. Regulation EU n. 2016/679), based on explicit consent and denial. We are quite sceptical when it comes to the possibility of a “fair compensation”.
As a general remark, we emphasise the need to ensure data portability to foster competition and customer protection: customers should be aware of the data they have disclosed to financial intermediaries and FinTech firms and, at the same time, the right to data portability should be clearly recognised.
 
 
As explained in 2.9, although DLT solutions are still in an early stage of development, we do not agree with the idea that “regulatory action is premature”. Also in the case of personal data protection it is necessary to avoid closing the stable door after the horse has bolted. To overcome these challenges, a regulatory framework is needed and competent authorities should develop specific supervisory skills. Relevant legislation shall explicitly establish the fundamental right to protection of personal data (and their use) for the citizen (cf. 4.1).
 
 
 
 
 
This Consultation document omits any sociological analysis on Millennials (i.e. the demographic cohort of people born in the period ranging from the early 1980s to the early 2000s) and Post-Millennials, who are familiar with automated tools but may lack proper financial education to discern between the provision of mere information and investment advice and to acknowledge the value of human advice. In this sense, Millennials’ and Post-Millennials’ familiarity with new technologies, integrated with the support of human advisors, may help foster their level of financial education.
 
 
 
an organisation or a company(organisation-replying-as)
 
Research Center for Private Law, Faculty of Law, University of Lisbon
 
No(no-transparency-register)
 
Academic institution([ID4])
 
10 to 50 employees([ID6])
 
 
Portugal([ID44])
 
Not applicable([ID181])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
 
 
 
 
 
 
Yes([ID56])
In Portugal the national regulatory regime for crowdfunding is impacting very dramatically and negatively on the implementation and development of crowdfunding as an alternative source of financing growing and innovative companies (crowdinvesting). The Portuguese legal framework on crowdfunding is composed of the Law 102/2015 (RJFC) and the Regulation of the Securities Market Commission (CMVM) containing provisions on equity and lending crowdfunding. Despite this comprehensive set of rules, none of the provisions relating to crowdinvesting has yet come into force, since their applicability is dependent on the approval of a sanctioning framework which was not approved so far. As a consequence of this very unusual situation all market players are suspended for almost two years, waiting for the applicability of a complete set of rules already known in Portugal but not yet applicable. In the same manner, the CMVM as supervisory authority concerning crowdinvesting is not being able to welcome initiatives non-compliant with the legal framework already known but simultaneously is impeded to approve any initiative under the RJFC, since the framework is not applicable. On the other hand, the material scope of RJFC, in what crowdinvesting concerns, is also very unclear, thus apparently overlaps with the capital markets legislation which transposes MIFID in relation to the distribution of securities and other financial instruments through public offerings and the provision of some investment services. This is so because MIFID and the Portuguese legislation transposing MIFID have a media-neutral approach concerning the process used to make offers on securities and financial instruments or to provide investment services, and therefore is applicable to offers and intermediation operated through the internet or by any other means. Article 2 of the RJFC defines crowdfunding.
Concerning the definition, to avoid the overlapping with MIFID legislation it is of the essence to restrict the material scope of application of RJFC. This is a very important conclusion to assure the technology-neutrality and to ensure a level playing field among all players involved. The offer of equity financing instruments through the Internet, provided that it implies the offer of securities or financial instruments as defined in Annex I C of MIFID and the provision of investment services listed in Annex 1 A, needs always to comply with the legislation applicable to the capital markets. Only if an offer is made without the performance of investment services or if the offer does not respect to securities or financial instruments, the framework on crowdfunding should apply, but this conclusion is not clear under the RJFC. On the other hand, RJFC does not define its geographical scope of application, but since the reasons for investor protection underlying its rules are identical to those of the Securities Code, we believe that the rules set forth in article 3/1 of the Securities Code are applicable. This means that the national bespoke regime should be applicable provided that situations, activities and the acts to which it refers have a relevant connection to the Portuguese Territory. This construction poses serious problems of practicability concerning the specific reality of crowdfunding. For instance, should the Portuguese framework be applicable on limits of the investments, even if the crowdfunding campaign is pitched in a platform authorized in other Member State, if the campaign is advertised through a social network in Portugal? The law is not clear on the subject, allowing restrictive understandings that would necessarily jeopardize cross border flows of financing through crowdfunding.
But in this respect it is important to underline, once again, that when the activities to be developed fall within the material scope of the application of capital market legislation that transposes MiFID these provisions cannot be ruled out. It is clear, therefore, the applicability of Passporting under MIFID, which grants investment firms authorised and supervised by the competent authorities of another Member State the freedom to provide investment services and activities within the EU. This aspect seems essential, since different regulatory approaches on crowdfunding, in addition to leading to regulatory arbitrage with negative impact on competition between business seeking financing and platforms, could jeopardize one of the key advantages for business seeking funding, which is the access to transnational flows of funding. Nonetheless the issue is not clear under RJFC which led the CMVM to sustain the understanding that under RJFC the platforms are not able to passport even when MIFID compliant.
In this respect, the CIDP unconditionally backs the conclusion inserted in paragraph 19 of ESMA’s response to the public consultation that particular consideration should be given to the possible development of a specific crowdfunding EU-level regime, which would ensure investors across the EU are equally protected and would enable crowdfunding platforms to operate cross-border based on a common regulatory framework. In the present context of disparity of regulation in the different Member States and the different approaches among regulatory and supervisory boards only an EU-level regime can avoid regulatory arbitrage and foster cross border activity implied by the capital markets union.
The issue of investor protection, especially the retail investor, is in the view of the CIDP absolutely critical to the credibility and development of crowdfunding as a real alternative of business financing. Therefore, self-regulatory initiatives (as promoted by some industry associations and individual platforms) are welcomed but in our opinion should not be seen as sufficient to accomplish those goals. It is important to underline that crowdinvesting poses to investors the typical threats and risks of oppression, liquidity and loss of capital of investments made in companies and projects of high growth and high risk, but unlike business angels or venture capitalists the investors from the crowd (generally speaking) have no knowledge and expertise to foresee and mitigate those risks through due diligences and contractual arrangements. It is therefore essential to impose mandatory information duties, eventually inspired by the information duties contained in MIFID II or even the KID under the PRIIPs Regulation. Nonetheless, the option to ground investor protection almost completely on an informative document is outdated, since empirical data points to the inefficiency of this methodology. It seems possible to consider, alternatively or complementarily, on the imposition of financial education duties to platforms, possibly based on simulations (gaming); using the appropriateness and suitability tests under MIFID II; the imposition of channels of communication to foster the wisdom of the crowd; or even the progressive access websites inspired by the French legal framework. Particular consideration should be also given to the possible development of due diligence minimum standards to the platforms, as suggested by the FCA in the Interim feedback to the call for input to the post-implementation review of the FCA’s crowdfunding rules.
On the other hand, the imposition of investment limits, inspired by the US legislation, incorporates paternalism totally extraneous to the European legal systems. In addition to being discriminatory and counterproductive, it deprives people of lowest resources of the possibility of profiting from possible good investments.
 
an organisation or a company(organisation-replying-as)
 
European Federation of Financial Advisers and Financial Intermediaries (FECIF)
 
Yes(yes-transparency-register)
22169245489-60
Trade union([ID13])
 
50 to 500 employees([ID7])
 
 
Belgium([ID22])
 
Insurance([ID7])
Investment advice([ID8])
Pension provision([ID173])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
We see two main areas of FinTech impacting our activity, both so-called Robo-Advisors and RegTech. Generally speaking, we believe that FinTech can be a force for good, bringing more choice, lower costs and potentially useful innovations for consumers as well as for advisors. However, it is important that regulation maintains a level playing field (as is clearly the intention of the consultation), not unduly protecting incumbents but not giving a free rein to untested new entrants either. Due to the deployment of technological innovations (i.e. RegTech) advisors and intermediaries are put in a position that allows them to handle and process information more swiftly, and to comply with regulatory requirements via automated systems. Decreasing administrative expenses will not only lead to increasing profit margins within the industry (making it more competitive and resilient overall), but also facilitates the provision of services at a lower price point, eventually increasing the availability and affordability of insurance products and services on a retail level.
Yes([ID56])
Automated advice is being pushed, but investors are reluctant to take it at face value. In fact, what is often described as Robo-Advice is actually Robo-Investing, and does not cover the essence of advice, i.e. financial planning and helping customers identify their long-term goals and needs. Automated systems have been very successful (and useful) in areas where consumers know explicitly what they need/want, such as car insurance or travel insurance. It is easy to automate choice, and this has been done successfully first by telephone platforms then Internet-based ones over the past twenty years. Where choice is difficult, the stakes are high and the time horizon is very far away in the future, things are much more problematic, as the research in behavioural economics has demonstrated. In these circumstances, consumers require face-to-face interaction with an advisor they trust before they can make a decision and act on it. On a separate note, RegTech approaches to simplify and streamline compliance approaches such as anti-money laundering, fighting the financing of terrorism or ensuring that consumers are able to make informed choices are welcome. They can be a strong way to ease the burden on advisors and intermediaries, as this burden is becoming unbearable.
Yes([ID56])
Likewise, we believe it is important not to exclude advisors from the loop, as they will not be efficiently replaced by robo-advisors. On the contrary, it is the combination of FinTech tools and face-to-face interaction that will prove powerful.
Same: do not exclude the advisor from the loop. The answer lies within the core principle of technological neutrality (pp. 3-4 of the Consultation Document): the same activity shall be subject to the same regulation irrespective of the way the service is delivered, thereby conveying the same result from the point of view of customer protection. To achieve an effective level playing field, the same regulatory requirements (MiFID, IDD and all the other relevant provisions concerning the collection of information and disclosure requirements) shall apply to all distribution channels (vis-à-vis, phone or automated solutions).
Here again, the more artificial intelligence is used to guide the choices of customers (in effect manipulating them), the more it will be important for them to discuss these choices with advisors. Moreover, we want to highlight that the use of artificial intelligence can in some cases create serious issues when clients make unadvised choices. In this context we want to refer to a recent survey conducted by AEGON (“What’s the new sustainable income rate in retirement?” January 2017) on this topic. The use of Fintechs could potentially lead to wrongly advised clients and therefore accentuate a situation of mis-selling in Europe. Hence, in times of digital solutions, we want to stress to the European Commission the need to ensure that consumers are sufficiently protected when using Fintechs. Being well informed by getting the right advice is mandatory when using Fintech solutions. We identify these risks for consumer protection:
• herding and pro-cyclical investment behaviour (see our answer to 1.3);
• consumers may no longer be given the opportunity to access any human financial advice. In the long run, excessive automation may hinder the opportunity to access human financial advice at all, thereby sacrificing human sensitivity. To avoid an Orwellian world, automated tools shall rather be conceived as a complement to human advice;
• mistakes in information collection in an automated environment, thereby raising the issue of liability allocation in case of economic damage (p. 7 of the Consultation document);
• automated devices may entice investors to rush into inputting data without properly reading pre-contractual information, thereby paving the way for potential infringements of privacy law and the sale of unsuitable products and services (in particular, the user may be enticed to complete by trial the automated procedure to access a specific product, without an effective evaluation of the suitability of the choice). It is evident that haste does not support thoughtful choices;
• misleading web-advertisements for the promotion of automated services;
• personal data used for other purposes. The input of personal data may be requested by the platforms for their business, as a consequence of specific agreements/links with other market participants particularly interested in the profiles of all registered users. The data collection of these platforms often does not comply with the provisions on privacy.
Yes([ID56])
We welcome the national regulatory regimes for crowdfunding in Europe, as for instance the regulation on crowdfunding in Germany of 2015 (Kleinanlegerschutzgesetz). These regulations protect investors and users of crowdfunding platforms. In the past years, the use of crowdfunding, and especially crowd investing platforms, has led to a significant loss of money for some investors. Users of these platforms had been ill-informed about the real risks concerning their investment in many cases. Therefore, the efforts of the national regulators to adapt the regulatory framework to the reality of crowdfunding platforms are, from our point of view, a positive development. As for instance in Germany, the regulator limited the risk for each investment in a crowd-investment platform and stated that every investor can only invest up to 1.000 EURO in a crowd investment platform, without further advice. The user of any crowd investment platform can only invest up to 10.000 if he can prove that he possesses at least up to 100.000 EURO. Investors should be well advised when investing their money in crowd investment platforms. The essential role of a financial advisor should be strengthened by the European Commission in this context.
 
No, self-regulatory initiatives are not sufficient. Customer protection requires adequate and complete regulation by competent authorities as this is the case with insurance, banking and investment services. In Italy there have already been some important regulatory developments: in 2013 the national financial authority (Consob) adopted a Regulation (Resolution no. 18592 of 26 June 2013), significantly amended in 2016, concerning fund-raising by means of online platforms; in November 2016 the Bank of Italy adopted specific provisions concerning social lending (lending-based crowdfunding).
The reasoning exposed in 1.1. applies: technology must be considered as a support (and not a substitute) to human activities. An important example of how these technologies are changing the provision of insurance services is black box insurance: cars are fitted with a black box device, recording driving data, which may improve overall standards by rewarding safe driving with cheaper insurance premiums. Considering the challenges, the widespread use of new technologies in insurance services shall always be associated with complete personal data protection. We also agree with the Consultation document when it recognises that commercial price discrimination, as a result of the use of these tools, shall be “based on objective and tangible criteria to be properly supervised”.
 
Within certain national markets technological innovations (that don’t necessarily fall into the FinTech-spectrum per se) are mobilized for the purpose of price discrimination. A number of major health care providers in Germany (AOK, TKK, DKV) have recently launched eHealth-applications in concert with the subsidization of “quantified-self-hardware”. Customers intending to purchase sports watches and fitness trackers will receive incentives of up to 250 EUR. Particularly active members with a willingness to document and share their logged activities with their health care provider often receive additional annual kick-backs in the form of bonuses. Although the possibilities for widespread price discrimination on the basis of physical fitness and personal activity patterns (monitored through sensor analytics) are limited due to legal hurdles, certain health care providers (TKK) have already announced their intention to further expand on the aforementioned, already existing bonus programmes.
Past efforts within the banking sector (i.e. the introduction of IBANs) have led to a harmonization of certain payment standards within the EU and the Euro-zone, making it easier for corporate and private clients alike to transfer money across national borders. Major problems arise as soon as larger amounts of money are being transferred from Euro into foreign currency. Cross-border non-Euro transfers are usually monopolized and carried out by retail banks, and as such subject to heavy charges. New providers (e.g. Transferwise) have succeeded in drastically reducing the cost for this particular service, while simultaneously lowering processing time. Incurring bank charges for the transfer of 1.000 EUR into GBP can easily exceed 20 EUR, whilst the process might take up to five days to complete before the money is finally deposited. Alternative payment services usually deposit the money within 1-3 days, charging only a fraction of the price (around 5 EUR per 1.000 EUR).
(see 1.2 above) Automated Investment (so-called robo-for-advisors) can be a powerful tool to improve the service provided by some advisors, focusing on financial planning and advice and assembling cheaper and simpler solutions than those provided by traditional providers. RegTech also has the power to simplify client on-boarding and regulatory reporting. However, this is a moving target as the regulatory burden keeps growing faster than RegTech can potentially reduce it…
Stabilise regulation and compliance so that automation has a chance to simplify processes.
Same skills as ever: focusing on the needs of clients. While technological innovation might certainly initiate shifts and restructuring within certain segments of the market (i.e. when it comes to employment chances for low skilled administrative labourers), the overall effects of Fin/InsurTech on the investment and insurance sector have the potential to actually strengthen the existing industry. The insurance sector might especially benefit from multiplied channels of communication via apps and online-portals, with increasing awareness in sections of the market that were previously not susceptible to ‘traditional’ forms of advice and acquisition. Increasing awareness for risks, as well as fitting insurance products to hedge potential hazards, taps into untouched market segments. This technology-induced mobilization of ‘virgin’ client potential simultaneously increases the need of intermediaries to act as qualified advisors in the process of product selection. While being confused by the abundance of information provided on the internet, the majority of clients still value face-to-face counseling with their advisors. In this regard, it is paramount to maintain and strengthen the central role played by insurance advisors and intermediaries in the process of providing the customer with a product that fits both their financial needs and their personal risk situation. In this scheme, Fin/InsurTech innovation plays an important role in mobilizing previously barren customer potential, while the selection process must still be carried out by sufficiently qualified intermediaries and advisors. Let us consider one of the three core principles underpinning the Commission’s stance on FinTech, i.e. EU policies should be integrity-enhancing: technologies applied to financial services should benefit both consumers and businesses without creating unwarranted risks. 
A potential negative impact on employment should be included among these risks: EU and national institutions should act to avoid adverse implications in terms of employment as a result of the development of FinTech solutions (this reasoning might apply, more generally, to all economic activities). We also restate our reasoning exposed in 1.9: technology must be considered as a support (and not a substitute) to human activities, especially in the case of high-value services, in particular investment advice.
As a preliminary remark, we believe that RegTech represents an effective example of integration between human and automated activities. RegTech may be used to comply with recording, reporting and contractual requirements, thereby deflating administrative burdens and the use of paper-based documents. In this sense, RegTech may provide benefits for customers, investors, financial intermediaries and financial advisors. For instance, we can consider the case of Italy: pursuant to Article 109, Consob Regulation no. 16190/2007, financial advisors shall be responsible for record-keeping obligations. Specifically, they are required to keep, for at least five years, a copy of: a) the contracts they have promoted; b) other documents signed by the customers; c) the correspondence with the persons on whose behalf financial advisors have acted. In this sense, Article 109 neither envisages nor denies the possibility to keep the aforementioned documents in a non-paper-based durable medium: in order to grasp the benefits of technological development and reduce administrative burdens, European and national legislation should explicitly acknowledge this possibility, also for financial advisors acting on behalf of financial intermediaries.
On the one hand, cloud computing services may provide effective RegTech solutions. On the other hand, the potential risks of these new technologies (cybersecurity, need for privacy …) need to be carefully assessed in order to envisage the necessary regulatory requirements.
 
 
 
With the large number of data breaches that go unreported (or are only reported years after the facts) by some of the largest providers of cloud services, it seems we have to be very careful, as this would have dire consequences if it applied to critical financial data. On the other hand, it should not be used as an excuse to protect incumbents.
 
 
 
We agree with the analysis exposed in the Consultation document: DLT solutions are new technologies that need to be carefully assessed to evaluate their potential risks with regard to effective interoperability, personal data protection, legal recognition of data and jurisdictional issues (for instance, the law applicable to distributed ledgers incorporated in non EU-Member States). It is also important to avoid overconfidence in new technological solutions and preserve human sensitiveness, in order to safeguard trust in financial markets in cases of technological malfunctioning.
As a general remark, we do not agree with the idea that, concerning DLT solutions, “regulatory action is premature” (p. 12 of the Consultation document): this would seem to be like “closing the stable door after the horse has bolted”. We also believe that competent authorities should develop specific skills to effectively supervise the deployment of DLT solutions in the financial sector.
 
 
 
 
 
FinTech solutions will further highlight the need for legislation to be more consistent (and even more importantly more consistently applied and enforced) across the EU. We would also point out that regulation is very much adapted to the specific situation of very large players (both in terms of the systemic risk they pose and the resource they have) and is not adapted to smaller players, whether they are IFAs or FinTech new entrants.
The principle of subsidiarity needs to guide any form of necessary and proportional regulation: due to the heterogeneous structure of the respective national markets it must be regarded as opportune to initiate policy measures on a national level first. EU regulators should however assume a supporting role in that regard, i.e.: (I) by means of capacity building via the development of an open-ended long-term strategy for a European FinTech cluster (c.f. 3.9); (II) via the provision of (potentially unsolicited) policy advice to national regulators; (III) or through the sharing of best practices with, and the facilitating coordination among, national policy hubs.
 
 
See above. FECIF has submitted multiple examples in an e-mail to Stephen Ryan at the European Commission on 20 April 2017. Among other examples:
• Term life insurance not available in Belgium locally, and could not be sourced from UK providers either;
• Similar situation for direct life annuity in France, could not be sourced locally nor cross-border;
• Ongoing regular premium life policies that must be discontinued when policyholders move across borders in Europe (e.g. from Belgium to Germany), or support additional taxes (e.g. from Germany to Belgium);
• Requirements by Spanish regulators of extra reporting when funds are distributed outside Spain;
• Requirements by Polish regulators that Asset Managers keep track of Ultimate Beneficial Owners, even when the purchase is made via a platform.
Yes([ID56])
While staying faithful to the principle of subsidiarity (c.f. 3.2) the EU must promote the harmonization of licensing-standards and categories for FinTech-based activities across Europe. Such an initiative must be guided by the objective of clarifying the prevalent division of labour between ‘primary’ (expertise-based) and ‘secondary’ (self-advised) sources of information. Well trained professional advisors and intermediaries (primary sector, expertise based) operate from within a well-established and thoroughly regulated business model, which ensures the proper provision of high-quality advice to their customers. Secondary, self-advised sources of information, often promoted in the realm of FinTech-innovation, are highly useful tools for supplementing the services of qualified and well-trained intermediaries and advisors. They can, however, only act as said supplement, but never as a substitute to expertise-based services. Any form of licensing on the national/European level must take this complex relation into account, and treat the FinTech-model as complementary to the existing insurance/investment industry, eventually subjecting the former to the same rules, regulations, and standards as the latter (pp. 15-16 of the Consultation document).
 
 
Yes([ID56])
Yes, the specific situation of financial services must be taken into account. On the one hand, Finance in general is a system that is based on mutual trust; it will never work if there is a breach of confidence in the system, so extra care must be taken compared to consumer goods activities generally. On the other hand, some confidentiality and bank secrecy laws in different member states make it difficult to use data, even when it would be unequivocally in the direct consumer’s interest.
Yes([ID56])
The principle of neutrality is an important principle to guide the regulatory approach to Fintech activities. From our point of view, a level playing field is mandatory for the functioning of the internal market. Traditional financial intermediaries should not be disadvantaged but, on the contrary, their role should be strengthened as an important mediator between the insurance companies and the use of anonymous new technologies and solutions.
Each member state should be allowed to let the free market flourish. The European Commission should ensure the freedom of the internal market. Relaxing regulations in this context should not lead to less protection for users or disadvantage competitors providing the same solutions in the market.
 
 
Yes([ID56])
Due to varying regulatory frameworks, heterogeneous market conditions, and diverging investment/insurance cultures, impulses for innovation are best set and located on the national level. In the long run it is in fact desirable to bundle Fin/InsurTech-expertise on a European scale, for example by means of an “Innovation Academy” with clearly defined aims and objectives. It is, however, important to recognize the already existing initiatives in various member states (i.e. the recently launched FinTech-council in Germany). Under these circumstances the Commission should be mainly concerned with harmonizing the various strands of innovation which filter through from the respective national markets, for example by means of communicating best-practice-advices on a regular basis. A standing structure in the form of a rigid “Innovation Academy” could have counter-productive effects at this point, as it might hamper innovative impulses already forming on a national level.
 
 
 
 
 
 
 
 
 
 
 
 
We agree with the line of reasoning exposed in the Consultation document (pp. 18-19): technological developments may threaten existing business models, and the profitability and capital positions of incumbent firms. In this sense, the EU and national institutions should act in order to avoid systemic and disruptive effects of FinTech solutions, in particular, adverse implications in terms of financial stability and unemployment and, more generally, the loss of human sensitiveness and trust in financial markets.
It is of paramount importance that individuals retain ownership of their own data, and that these are not used without their explicit consent. This is a general principle, but for reasons of trust identified above, we believe it is of particular importance in Financial Services. It is even more so for independent intermediaries, when information that is shared with the advisor in a relationship based on trust could be misappropriated by providers.
As a general remark, we emphasise the need to ensure data portability to foster competition and customer protection: customers should be aware of the data they have disclosed to financial intermediaries and FinTech firms and, at the same time, the right to data portability should be clearly recognised.
 
 
As explained in 2.9, although DLT solutions are still in an early stage of development, we do not agree with the idea that “regulatory action is premature”. Also, in the case of personal data protection, it is necessary to avoid closing the stable door after the horse has bolted. To overcome these challenges, a regulatory framework is needed and competent authorities should develop specific supervisory skills.
 
 
see above (4.1)
 
 
This Consultation document omits any sociological analysis of Millennials (i.e. the demographic cohort of people born in the period ranging from the early 1980s to the early 2000s) and Post-Millennials, who are familiar with automated tools but may lack proper guidance to discern between the provision of mere information as against investment advice - and to acknowledge the value of human advice. In this sense, Millennials’ and Post-Millennials’ familiarity with new technologies, integrated with the support of human advisors, may help foster their level of financial education.
 
 
 
an organisation or a company(organisation-replying-as)
 
Global Legal Entity Identifier Foundation (GLEIF)
 
Yes(yes-transparency-register)
Globa6214521205
Other([ID14])
Swiss not-for-profit foundation
10 to 50 employees([ID6])
 
 
Germany([ID31])
 
Other([ID180])
GLEIF manages a network of partners globally to provide trusted services and open, reliable data for unique legal entity identification. In the EU, these partners are located in Czech Republic, Croatia, France, Finland, Germany, Italy, Luxembourg, Netherlands, Poland, Spain, Slovakia and the UK. Additional partners are located in USA, Turkey, Russia, Norway, Japan, Nigeria, Republic of Korea, China, Argentina, Mauritius, India, Saudi Arabia and Australia.
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
FinTechs bring automation to the financial industry and thus reduce the cost for manual labor. Based on global standards, automated processes can be interoperated across multiple companies and achieve synergies. For example, a globally accepted digital identity for legal entities can make party authentication way faster and easier and allows real-time communication.
Global standards for FinTech innovation, such as globally accepted digital certificates for legal entities, should be supported to facilitate development and implementation of the most promising use cases.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Distributed Ledger Technology (DLT) could be used for the management of digital identities based on already existing global standards, such as the Legal Entity Identifier (LEI). Other possible applications are the storage of trades and their status to support easy and transparent reporting.
To create meaningful DLT solutions which are non-proprietary and can be used globally, it is paramount that global standards for data formats are used. Equally important is the implementation of a digital identity based on already existing global standards, such as the Legal Entity Identifier (LEI).
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
The use of open and freely available, reliably validated reference data for legal entities could help financial service providers to reduce operations costs by eliminating the necessity to validate counter party or customer reference data on their own.
GLEIF will not provide a response for this question.
Making use of existing standards helps innovation and avoids the necessity for FinTechs to reinvent the wheel for already existing technology and tools. One example is the Legal Entity Identifier (LEI) based on the ISO 17442 standard to unambiguously identify financial market participants as legal entities. Another example is digital certificates for authentication based on the ITU X.509/ISO/IEC 9594-8:2005.
Don’t know / no opinion / not relevant([ID58])
 
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
 
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
Yes([ID56])
Yes, the creation of a standard for a globally accepted digital identity could be supported to foster innovation and interoperability for FinTechs in the EU.
EU or global level standards could facilitate the efficiency and interoperability of FinTech solutions in the area of digital identity. The integration of existing standards such as the Legal Entity Identifier (LEI, ISO 17442) and digital certificates for authentication based on the ITU X.509/ISO/IEC 9594-8:2005 could be addressed. The definitions and rules for reference data of both standards are very similar. This could create a globally accepted digital identity for financial market participants based on existing and accepted standards.
Yes([ID56])
Yes. Open source libraries and solutions can help the proper application of standards and ensure interoperability between organizations.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
DLT solutions ensure immutable transactions and thus trust in data. At the same time, some DLT solutions support permissions for different roles to allow for a variety of financial use cases. A globally accepted digital identity can help to make DLT solutions even more reliable, as discussed above.
No([ID57])
Digital identity frameworks are not yet sufficiently developed to be used with DLT or other technical solutions in financial services. A solution to this could be embedding the Legal Entity Identifier (LEI, ISO 17442) into digital certificates for authentication based on the ITU X.509/ISO/IEC 9594-8:2005. This way a cryptographically safe digital ID system would be connected with a globally accepted, lifetime number for legal entities.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
GLEIF will not provide a response for this question.
Don’t know / no opinion / not relevant([ID58])
GLEIF will not provide a response for this question.
 
an organisation or a company(organisation-replying-as)
 
ANEC
 
Yes(yes-transparency-register)
507800799-30
Consumer organisation([ID8])
 
less than 10 employees([ID4])
 
 
Belgium([ID22])
 
Other([ID180])
consumer protection
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Yes([ID56])
Yes, currently limited representation of persons from academia, crypto-currency industry or those that have financial crime prevention, crypto-currency and investigation knowledge. A hub would be supportive in knowledge transfer. Training programs should be implemented for DLT tech / understanding for those in:
o Financial institutions
o Security of data and legacy system integration
o Compliance roles
o Investigation roles
o Consumers
Some universities have developed programs for corporate compliance and DLT investigations – these courses are undertaken by students and professionals (law enforcement, industry).
Yes([ID56])
 
 
 
 
 
 
 
 
Standardisation and interoperability are essential to ensure reliable services for consumers. Issues such as Application Programming Interface (API) to communicate with third parties and identity management would benefit from harmonisation. Most P2P / DLT technology offers a degree of anonymity for consumers and participants though transaction activity is transparent. Sharing of information between entities needs to be further developed to protect consumers and institutions alike. The European Standardisation Organisations should act as a platform to elaborate and gather consensus on FinTech standards but more input from FinTech specialists is required. ANEC welcomes the intention of the European Commission to include Fintech among the topics of the 2017 ICT Rolling plan for European standardization. Standards should ensure data security, privacy and data minimization.
 
We wonder what would be the incentives for developers and innovators and how could commercial providers be incentivised to promote open source. The impact of licensing and regulation should be considered.
 
 
Whilst other solutions are available, DLT offers a reliable method to provide an immutable dataset – whether for transactions or to show decisions made that are not changeable by any stakeholder.
No([ID57])
No, this remains one of the most crucial elements to be dealt with for mainstream services both for consumers and those that are audited and require demonstrable identity checks for consumers and counterparties.
The possibility of an intermediary that would act as a verification partner for identity and therefore hold personal data should be considered. However the question would be who could be trusted to confirm the identity of a person. Usually this undertaking would be from government entities/public services.
 
 
• Minimum standard of training of staff in financial institutions to prevent money laundering and rejection of lawful transactions.
• Investigation techniques not developed
• Framework for crypto-currencies not developed
• Training material not in public domain
• Understanding of main breaches within the main types of crypto-currencies (Ethereum DAO incident) should be undertaken to increase consumer protection.
 
 
 
 
 
 
an organisation or a company(organisation-replying-as)
 
ADVISORY COMMITTEE OF THE CNMV (INDEPENDENT OPINIONS FROM THOSE OF THE CNMV)
 
No(no-transparency-register)
 
Other([ID14])
The CNMV's Advisory Committee has been set up by the Spanish Securities Market Law as the consultative body of the CNMV. This Committee is composed of market participants (members of secondary markets, issuers, retail investors, intermediaries, the collective investment industry, etc.) and its opinions are independent from those of the CNMV.
10 to 50 employees([ID6])
 
 
Spain([ID48])
 
Accounting([ID4])
Asset management([ID6])
Banking([ID8])
Financial market infrastructure (e.g. CCP, CSD, stock exchange)([ID6])
Insurance([ID7])
Regulator([ID174])
Trading platform([ID179])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Not applicable. The areas where we may see more FinTech solutions may, among others, include financial advice, consumer credit, insurance (including Know Your Customer (KYC) profiling, credit scoring) and payments as such solutions may help financial institutions to predict more accurately the behavior and the specific needs of their customers and facilitate access to certain services for people and firms that initially could not afford it.
Yes([ID56])
It is expected that automated financial advice reaches more consumers, firms, investors in different areas of financial institutions at a greater speed since: (i) automated financial advice may help to improve services and lower prices, enabling access to financial advice and services to firms that previously could not afford it, (ii) such digital solutions may also reduce the need for geographical proximity, promoting access to cross-border services and investments and (iii) such solutions would enable financial institutions to predict more accurately the specific needs of their consumers and thus end up with better tailored products. It is also worth highlighting that the financial automated advice developed by banks is usually of a “hybrid” nature which includes some human intervention. These “hybrid” models are better adapted for user needs.
 
Not applicable
Not applicable.
Most of the artificial intelligence benefits assume, among others, that the following measures to prevent the related risks/challenges would be implemented: (i) appropriate interoperability and standardisation, (ii) adequate level of cybersecurity will be ensured to avoid data hacking and manipulation of the underlying algorithm, (iii) appropriate mechanisms will be applied to ensure that consumers fully understand the information about the products and the services provided to them or about the methodology used and further clarification is offered when necessary, (iv) safeguards will be developed to avoid pro-cyclical investment behavior and “herding risk” if a significant volume of consumers end up transacting in the same way in relation to the same financial products and services, (v) transparency measures and accredited data source validation controls will be applied to detect and mitigate potential discriminatory effects and (vi) existing data protection and privacy requirements are fulfilled.
 
National regulatory regimes have been developed recently and have increased confidence in the industry due to the new regulated status of the crowdfunding activity and the legal certainty achieved. As a result, national regulatory frameworks are fostering the crowdfunding sector itself while promoting appropriate consumer/investor protection. Although national regimes are overall consistent in their approach, divergences in the specific design and implementation of regulatory frameworks (tailored to local markets) could create obstacles to the development of cross-border activities and lead to market fragmentation. Critical components of those national regimes include, among others: (i) the need of a prior local authorization, a minimum share capital and/or an adequate liability insurance or other equivalent guarantee; (ii) the fulfillment of disclosure obligations (including stringent requirements to disclose detailed information on specific investment opportunities and the overall investing proposition); and (iii) the implementation of internal organizational rules (such as conflict of interest and conduct of business).
The Commission can support further development of FinTech solutions in the field of non-bank financing by means of monitoring and promoting regular cooperation between European Authorities, Member States and Supervisory National Authorities, the industry and the consumers with the aim of: (i) fostering pan-European standards and certifications to create interoperable systems and promoting the use of electronic identification and trust services for checking the identity of customers; (ii) ensuring innovation and a level playing field, so that the same rules are applied to traditionally sold products and services as those sold digitally; and (iii) reducing regulatory barriers when seeking to expand abroad facilitating exchange of data between credit registers, while preserving data protection and privacy regulations.
Investment through these fund-raisers and platforms is essentially insecure since, notwithstanding the diligence that it should be required, the platform as intermediary does not guarantee at any time the solvency nor the viability of the developer. Since it is not possible to remove those risks, transparency is a relevant tool to mitigate and manage such risks. In this sense, information obligations applicable to these platforms, have special relevance to ensure that any investment decision is made in a duly reasoned manner. The investor/customer should therefore receive clear and not misleading information about its rights, obligations and risks; the procedures and means through which investment in projects is carried out (shares or other securities, participation in loans etc); the measures taken to avoid conflicts of interest; the procedures and means for the submission of claims etc. In addition to the minimum regulatory transparency requirements, self-regulatory initiatives (as upheld by some industry associations and individual platforms) will be extremely useful to foster best practices and good conduct of business (for instance, the European Crowdfunding Network has published some guiding principles -a Brussels-based professional network promoting adequate transparency, (self) regulation and governance- as its Code of Conduct). Furthermore, according to some national regimes, internal regulations related to organizational rules, conflict of interest, or conduct of business should be implemented by individual platforms.
a) Car insurance/telematics applications: New technological developments (such as telematics) allow the transfer of vehicle data in real time and enable a better understanding of the behavior of the driver, allowing more tailored advice to be provided by car insurers. For example, the information from the vehicles allows car insurers to offer a wider range of products adapted to the consumers' needs. This includes policies based on the time that the insured party drives ("pay as you drive") or in the form in which the drivers drive ("pay how you drive"). For some consumers, like young and careful drivers who lack experience, this could mean access to a cheaper insurance. In addition to the adjustment of the premium to the insured's profile, this technology allows (under certain circumstances) the provision of additional roadside assistance services (such as the location of the vehicle in the event of breakdown, accident or theft). b) Home insurance/smart meters: The insurance companies are constantly expanding their sources of data and analysis for the creation of increasingly sophisticated risk-prediction models which help the improvement and the accuracy of the risk profile of a property. The more data, the better predictions and increased availability of tailored insurance policies. This information which allows the better understanding of the actual behavior of the client can likewise be used to better understand the related risk and customize the applicable premium in a much more accurate way. Another benefit of the new technological advances is the decrease in the regularity and significance of claims and the possibility of adopting appropriate prevention measures to reduce risks (devices that detect leakage of water, fire, or the presence of strangers in the property and that can carry out preventive actions in real time can reduce the damage).
c) Health insurance/wearable technology: Nowadays people can have a better understanding and control over their health and well-being than ever thanks to the use of health applications and wearable technology (as it allows monitoring everything from the way people sleep to the levels of exercise patterns). The use of this new technology may be especially relevant for health insurers as it allows insurers to offer control programs regarding chronic diseases and monitor the health of individuals by providing them with health and lifestyle tips. Thus, consumers can be more aware of preventive measures that should be taken to reduce the risks associated with chronic diseases and control any applicable/related costs. In the long term, the increased involvement of consumers, and their understanding of their own health and well-being as a result of the use of such devices and programs could lead to more healthy lifestyles, greater longevity and a more optimal use of medicines as well as the deployment of medical staff. The main challenges are: i. Consolidation of the technology at a reasonable cost. Technology is not consolidated and the cost of the technology is still too high. Additionally, in order to make this development possible, the collaboration of consumers is necessary (as if they do not share their personal data they could be excluded from the applicable group or segment). ii. Open, standardized, interoperable data communication platforms. European institutions should ensure a regulatory framework for the development of an interoperable, standardized and secure digital platform, solid for safeguarding the free choice of the consumer, the independent entrepreneurship initiative and the competition and innovation for all services.
Additionally, it is important to ensure the necessary balance between the protection of consumer data and the access to information by the industry in such a way that the consumers can benefit from all the advantages that arise from new technologies and from data analysis techniques.
 
Insurance companies have traditionally grouped categories with homogeneous risk in order to determine the applicable price or insurance premium. So far, there is no evidence that further insurance segmentation may be unavailable for certain groups of insured persons (if not quite the contrary, in the auto insurance "pay as/how you drive" models, have been directed precisely to very young drivers in order to offer lower premiums in relation to a homogeneous category that makes prices initially higher). Therefore, we do not believe that a more detailed pricing will lead to a reduction of the group of risks. Rather, based on the principle that those with homogeneous risks must pay homogeneous prices, one more granular segmentation should facilitate greater availability of data sets for analysis and the ability to manage a more balanced portfolio and a more prudent subscription. On the contrary, we consider that data used on a large scale basis has the potential to increase the offers available to consumers, allowing increased segmentation, reliable prices, as well as ways in which consumers can reduce their risk in order to improve their premium.
Not applicable.
Not applicable.
Not applicable.
As a result of the development of FinTech solutions it is expected that new skills will be needed to handle the new processes, such as, expertise in algorithms, decision-making processes based on Big Data analytics, machine learning, digital marketing, cybersecurity etc.
RegTech may be defined as the use of new technologies to solve regulatory and compliance requirements more effectively and efficiently. The main benefit from RegTech solutions is the potential significant reduction in costs and efforts, as well as to allow the provision of more accurate and granular information to the supervisory bodies, in real time, enhancing the control of systemic risk. On the other hand, they provide further agility upon regulatory changes since they are designed to dynamically adapt to new requirements. Ultimately, these solutions can be an improvement in the interaction with the supervisor, both in the communication of the regulator to the company and the reporting from the company to the regulator. The RegTech underlying technologies are very diverse. As a common point, RegTech solutions are based on the cloud, since it is the only way to provide the agility and flexibility needed. From there, all the technologies that enable the management and the efficient analysis of information are likely to be part of RegTech solutions such as: - Applications in the cloud: to accommodate common compliance functions in a single platform, achieving greater efficiencies in compliance processes. - Deep learning (automatic learning), robotics, artificial intelligence and Big Data: automated analysis of information creates enormous potential when applied to compliance questions. The algorithms can organize and analyze large sets of data. - Cryptography: it allows a more secure, faster, more effective and efficient way of data exchanging not only with other financial institutions and customers but also with supervisors. - Biometrics: it is currently allowing great improvements in efficiency and safety through the process of automation of customer identification required under the "Know Your Customer (KYC)" rules. 
- Blockchain: decentralized accounting books will in the future allow development of platforms operations, payment systems, and more efficient mechanisms of exchange of information among financial institutions and between the latter and the regulators. - (API) Application Programming Interfaces: promote interoperability by ensuring that different software programs can communicate with each other. These interfaces could, for example, allow to automate the process of reporting to regulators. With regards to the main challenges, the "Regtech" market is globally still in its preliminary stage and much more at the regional level, with large swings in technological changes which impede the birth of widely used solutions that may be subject to standardization, making it difficult to choose the applicable specific compliance solutions. The situation described makes necessary a coordinated work in the industry and a joint collaborative effort with supervisors to establish clear standards to apply "Regtech" in the phase of development of the product in such a way as to guarantee its proper functioning onwards. The dialogue and the involvement of regulators together with the industry is therefore key.
Not applicable (removing barriers to the data flow among the EU is a key regulatory issue.
 
The communication “Building a European Data Economy” is a relevant milestone in such direction).
 
The commercially available cloud solutions indeed meet the requirements as banks have to make sure that the proposed cloud solutions are compliant with the supervisory requirements (otherwise the bank should refuse to adopt the relevant cloud solution).
 
 
Distributed Ledger Technology (DLT) refers to records or ledgers of transactions maintained by a shared network of participants (or nodes) and not by a centralized entity. DLT is still at an early stage and practical applications are limited both in number and scope. The most known DLT application has been the so-called Bitcoins (ledger of transactions for virtual currencies). Recently some market participants are considering the likelihood to extend this technology to traditional financial services, moving from an open system where everyone may contribute to the validation process (permissionless system) to a permissioned system, with authorised market participants. Some examples of DLT applications which are likely to offer practical and readily applicable opportunities to enhance access to finance for SMEs, among others, may include: a) Automated international payments within territories which are not part of the Single Euro Payments Area (non-SEPA). This would increase their liquidity, it would reduce their banking costs and their commercial uncertainty. b) Automated post-trade processes (clearing, liquidation, custody and settlement). c) Gaining access to syndicated lending through automated syndicate formation, underwriting and fund disbursement.
First of all, the main challenge stems from the technical issues. It is necessary to assure the reliability of this new technology in very different scenarios coping with millions of transactions every day. In this sense, the main challenges are related to: - Interoperability: DLT-based systems will need to be able to interoperate with each other and with legacy systems. - Network effect: stakeholders should be convinced that it is well worth moving from current systems to DLT. - Scalability: unproven ability to operate on a large scale. - Cybersecurity and privacy issues: DLT networks should be designed to ensure compliance with the existing cybersecurity and data protection and privacy regulations. Once the technology is proved as reliable and secure, then issues related to governance and standardization will be relevant. DLT to be used in financial markets should be a permissioned system where only authorized participants may have access. Therefore market participants should implement appropriate governance frameworks, including provisions on liability, rules to approve/reject participants, correction mechanisms or applicable law in case of disputes, etc. Who is going to take responsibilities from DLT networks? How will responsibilities be shared in these decentralized infrastructures? Obviously, we believe that current market infrastructures will have an important role to be played even in these decentralized models for the sake of the financial stability as it is currently the case. A central point of standards definition will also be relevant in order to allow different DLT structures to be interoperable in order to avoid fragmented market solutions from scratch. Last but not least, it is worth highlighting the following legal issues: private data protection, anti-money laundering activities, market abuse, finality, notary and registration functions, systemic risks issues, central bank money settlements etc. as some of the many legal issues to be analyzed and potentially adapted before DLT is widely used in the post-trading activities.
DLT could bring relevant benefits to securities markets, particularly most efficient post-trade processes (such as clearing and settlement activities) and reduced costs. The existing regulatory framework provides important safeguards for the well-functioning of financial markets and in principle it seems that it does not represent an obstacle to the use of DLT in the short term. Furthermore, since technology is still evolving and practical applications are limited both in number and scope, at this stage, it is premature to assess the changes that the technology could bring and the regulatory response that may be needed. Depending on the DLT evolution, some requirements may become less relevant, while additional requirements may be needed to prevent certain risks or to regulate new roles, such as the provision and maintenance of DLT infrastructure and protocols, the coding and management of smart contracts, the creation and storage of private keys. Therefore and depending on the evolution of the technical issues and the overcoming of the challenges described in Question 2.8 above, many legal issues may be needed to be tackled before any DLT solution might be implemented in the post-trading field. In fact, it will depend on each potential application to the extent to which specific EU or domestic legislative pieces should be changed in order to allow the implementation of this new technology. For instance, should DLT be applied for the shareholders voting, the Shareholders Rights Directive as well as national corporate laws may need to be adapted to the legal requirements of this new technology. If we talk about potential use of DLT in “Delivery versus Payment” (DvP) settlements, the Settlement Finality Directive (SFD) as well as the Central Securities Depositories Regulation (CSDR) should be adapted. In addition, the definition of central bank money might also need to be adapted. 
To conclude, heavy and deep adaptations of both EU and national legal frameworks may necessarily be adapted in the event DLT were used in the post-trading industry. Notwithstanding the foregoing and although not technically an obstacle, it is considered key that supervisors become able to effectively supervise these new investment services provision channels and tools. This will certainly require intensive personnel training and/or hiring, as well as additional IT capacities. Gaining effective neutrality will certainly require that supervisors be able to check whether rules are complied with in this new complex technological scenario.
 
Not applicable (according to the current system when outsourcing services, the legal and regulatory requirements that only apply to the company normally are imposed contractually to the provider since the liability regarding the non-fulfillment of such requirements is borne by the company itself and not by the provider).
Yes([ID56])
Regulation defines the roles and responsibilities of banks and outsourcing providers. “Outsourcing” per se does not generate a risk, but is part of the risk management of every bank concerning operational risk and IT security. Under existing outsourcing requirements, banks are required by national supervisors to have internal controls in place which achieve effective identification, monitoring and reporting of risk in terms of data protection, business continuity, etc. This includes not only undertaking initial and ongoing due diligence of the cloud service providers, but also of those service providers within the supply chain. According to the Spanish laws (Royal Decree 84/2015, inspired by European Banking Authority –EBA– Guidelines), outsourcing of activities shall comply with several requirements related with responsibilities and policies to be previously approved. Not all the activities could therefore be outsourced and any related liability shall always be borne by the delegating entity. This framework seems satisfactory.
Not applicable.
In line with the principles of technology-neutrality (same rules should be applied to traditionally–sold products and services as those sold digitally, to ensure level-playing field), proportionality (rules should be suitable for different business models, size, systemic significance, complexity and cross-border activity), and integrity (to ensure transparency, privacy and security for investors/consumers), rather than a new legislation or a new wide-ranging policy package on FinTech, the EU should adopt a watchful policy response, monitoring and coordinating efforts between different stakeholders promoting and sharing best national and European practices, and introducing, when necessary, regulatory amendments to harmonize framework to promote expansion abroad lowering barriers, to prevent new emerging risks, to regulate new roles or functions, etc. a) Accordingly and by way of example, with respect to crowdfunding, given its dynamism and its predominantly local nature, it will be important to monitor the development of the sector and the effectiveness, and degree of convergence of national regulatory frameworks, to promote a cross-border expansion. Sometimes divergences partly stem from the lack of a local common definition of what types of services constitute "crowdfunding". For instance, with respect to Investment-based crowdfunding, some Member States consider that platforms must be authorised under their bespoke regimes to operate as crowdfunding platforms irrespective of the fact that they may have a MiFID passport. Other Member States consider that a MiFID-authorised investment firm should be allowed to carry out crowdfunding activities in other Member States through its passport. Regarding Lending–based crowdfunding, in the absence of EU legislation, neither crowd-lending nor credit intermediation are among activities that enjoy EU passporting rights. 
In the absence of an EU passport, if platforms want to provide services in host Member States, they may need to obtain authorisation from the local authorities. Platforms authorised as payment institutions could use their EU passport to provide services in host Member States. However, as the Payment Services Directive covers only the payment side of the crowd-lending activity, such a platform would likely require, for instance a credit brokerage license and/or an authorisation under a bespoke regime in that Member State. b) Regarding DLT, the existing regulatory framework provides important safeguards for the well-functioning of financial markets and does not represent an obstacle to the use of DLT in the short term. Furthermore, since technology is still evolving and practical applications are limited both in number and scope, at this stage, it is premature to assess the changes that the technology could bring and the regulatory response that may be needed. Depending on the DLT evolution, some requirements may become less relevant, while additional requirements may be needed to prevent certain risks or to regulate new roles such as the provision and maintenance of DLT infrastructure and protocols, the coding and management of smart contracts, the creation and storage of private keys. c) Amendments to the Capital requirement Regulation (CRR): 1. The banking industry faces the digital challenges in competition with emerging technological players that do not have to face the heavy regulatory burden imposed on the banking sector and are free of prudential regulation altogether. The current regulatory capital framework for credit institutions does not recognize the value of software for capital purposes. The fact that every euro that an EU bank invests in an IT development needs to be backed with one euro of the most expensive category of funding is perceived as a significant disincentive for investments in innovation and a major factor of unfair competition. 
Investments in software should be excluded from the general regime for intangible assets in CRR and hence should not be deducted from capital resource to allow the unprecedented pace of change needed for digital transformation. 2. Remuneration rules: A level playing field between players is necessary, but non-banks are not subject to CRR/CRD IV. If a bank needs digitally skilled employees, it needs to change the remuneration profile in a radical manner, as it is not adjusted to the FinTech environment. This is a barrier for them to join a bank. Exclusions or waivers of requirements for these professionals that are not risk takers should be stated.
Yes([ID56])
Active involvement of supervisors and regulators with the industry is extremely desirable at National, European and International level to promote FinTech innovation through different ways: - fostering interoperability and standardized protocols, certification mechanisms as well as accredited scientific procedures and testing controls to verify the accuracy and reliability of the analytics (since increasing certainty from a technological perspective may increase in turn investors/consumers' trust); - promoting the use of electronic identification and trust services (for checking the identity of customers to enhance digital products and services); - monitoring technological evolution (to assess whether legal or regulatory barriers should be removed -for instance, facilitating exchange of data flows etc-, or new roles/functions should be regulated).
We are witnessing a boom in new technologies related to financial products and services. As a result, national regulatory regimes have recently been developed to foster confidence in the industry while promoting appropriate consumer/investor protection. Although national regimes are overall consistent in their approach, divergences in the specific design and implementation of regulatory frameworks (tailored to local markets) could create obstacles to the development of cross-border activities and lead to market fragmentation. As already outlined above (see Question 3.1) with respect to Investment-based crowdfunding, some Member States consider that platforms must be authorised under their bespoke regimes to operate as crowdfunding platforms irrespective of the fact that they may have a MiFID passport. Other Member States consider that a MiFID-authorised investment firm should be allowed to carry out crowdfunding activities in other Member States through its passport. Regarding Lending–based crowdfunding, in the absence of EU legislation, neither crowd-lending nor credit intermediation are among activities that enjoy EU passporting rights. In the absence of an EU passport, if platforms want to provide services in host Member States, they may need to obtain authorisation from the local authorities. Platforms authorised as payment institutions could use their EU passport to provide services in host Member States. However, as the Payment Services Directive covers only the payment side of the crowd-lending activity, such a platform would likely require, for instance a credit brokerage license and/or an authorisation under a bespoke regime in that Member State. These differences can create significant costs and risks for firms which wish to do business with consumers located in another Member State. Therefore, harmonization across EU financial supervisory regulation and the creation of an EU passport could be recommendable.
Yes([ID56])
National regimes may diverge in the specific design and implementation of regulatory licensing requirements for new services and products (such as crowdfunding, automated financial advice etc) slowing down cross-border expansion. To promote better access to financial services across EU, based on the technology neutrality principle, the EU authorities (particularly the European Supervisory Authorities-ESAs) may consider different measures, such as: (i) promoting harmonization of national regimes; (ii) issuing guidelines regarding how certain new activities fit under the existing regulatory regimes; and (iii) investigating the potential need for new licensing regimes allowing to operate across Europe.
Yes([ID56])
Although the regulatory framework shall be technology neutral (this is, the same activity should be subject to the same rules) it must also be applied in a proportionate manner (reflecting the business model, size, systemic significance as well as the complexity and cross-border activity of the regulated entities). Thus, the Commission should ensure that this proportionality principle is applied when necessary. Apparently, there seems to be consensus on the fact that the main area in which the Commission should intervene should be data protection/cybersecurity.
 
Free flow of data plays a critical role in the provision of cloud-based services which lead to cloud based data analytics. Data localisation restrictions may hamper the free movement of data and the freedom to provide services, reducing the quality and competitiveness of the services. Of course, the right to the protection of personal data must be ensured and should be taken into account. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the European Union.
Yes([ID56])
Yes, these principles of technology-neutrality (same rules should be applied to traditionally–sold products and services as those sold digitally, to ensure level-playing field), proportionality (rules should be suitable for different business models, size, systemic significance, complexity and cross-border activity), and integrity (to ensure transparency, privacy and security for investors/consumers) should guide the regulatory approach to the FinTech activities.
The Commission and the European Supervisory Authorities could coordinate with national supervisors (i) the study and analysis of the conclusions obtained or to be obtained from national sandboxes experiences and (ii) the implementation of cross-border hubs and sandboxes.
 
At the same time, the European Supervisory Authorities - ESAs could consider supporting national supervisors of FinTech by improving the understanding of FinTech through regular forums with all stakeholders and enhance supervisory convergence.
Yes([ID56])
The setting-up/supporting by the Commission of this kind of "Innovation Academy" could be a useful tool to support innovation in financial services within the Single Market, sharing practices and discussing regulatory and supervisory concerns. These programs could be organized through different specialized workshops (i.e., Big Data, DLT, Crowdfunding, etc.) made up of multidisciplinary teams (industry experts, competent authorities and consumer organizations). Each of the specialized workshops should identify the existing risks/challenges under each of the areas and design thinking processes. Questions should be addressed by experts in a roundtable format for an in-depth exploration of the applicable solutions to each of the FinTech areas. By these means, the Commission would get direct feedback of the main participants/representatives of each of the FinTech areas to support innovation in financial services within the Single Market.
 
Not applicable (since the regulatory sandboxes have been recently implemented and are still evolving it is premature to fully assess the changes that the technology could bring and the regulatory response that may be needed. Therefore, once the EU has had the chance of analyzing the evolution and development of recently implemented regulatory sandbox approaches in the MS and the results of the forums with stakeholders, it will be in a position to determine whether and how to harmonize different approaches. The European sandboxes could be run by the European authorities supported by the MS in different FinTech areas).
 
 
Depending on the evolution and the results of the development of already implemented measures in the MS, it may be determined whether there is a need for the development of further additional measures to support innovative firms or their supervisors.
 
Not applicable (development of technical standards and interoperability is quite relevant to expand FinTech in the EU. This work on improving the development of technical standards and interoperability for FinTech has already started, particularly in the area of payments with the aim of giving data access for payment initiation services under the revised Payment Services Directive).
 
 
Not applicable (EU or global level standards could facilitate the efficiency and interoperability of FinTech solutions in areas such as DLT, peer-to-peer payments, mobile wallets, banking applications and card applications. The most effective approach to develop these standards could be through unrestricted participation in standard-setting -transparent procedures and access should be granted on fair, reasonable and non-discriminatory terms-).
 
Not applicable (the EU institutions should promote an open source model where libraries of open source solutions are available to developers and innovators to develop new products and services on the basis of standards which the industry and the regulators deem convenient in order to warrant the interoperability of such new products and services).
FinTech can certainly have an impact on the safety and soundness of incumbent firms, which could risk to be disintermediated in the services that incumbents offer to final customers. However, FinTech also represent an opportunity for incumbent firms to develop new partnerships which can create efficiencies in terms of cost reduction, better capital allocation and customer acquisition.
Not applicable.
DLT is still at an early stage, however it may enhance the collection, storing and sharing of data using cryptography tools, contributing to more efficient reporting, compliance, Know Your Customer (KYC) and Anti-Money Laundering processes. In fact, with a DLT record application, multiple market participants may access a single accurate and verifiable ledger source in real time, increasing the traceability of transactions.
 
Not applicable (existing “Know Your Customer” (KYC) requirements and customer authentication processes are very manually intensive, and require significant resources from banks to ensure regulatory compliance. In addition, the current manually intensive procedures can be inconvenient for customers and lead to undesirable user experiences. In this connection, an attempt is made, through the performance of proof-of-concept work on a DLT network, to implement a digital identity management platform that could automate some of the KYC requirements and the customer authentication process).
The key challenges when designing DLT solutions include data protection, confidentiality and cybersecurity. The distributed and shared nature of DLT has direct implications on the management of data stored in. Additionally, there is the territoriality question that affects data as well. Information in the ledger is decentralized and this means that there is an inherent cross-border data flow that can be against existing regulations. A relevant characteristic of securities markets is the privacy of some information. In that respect certain solutions to address privacy concerns are being developed, such as the use of private keys and encryption to ensure that only the two parties involved in a transaction have access to the details of such transaction. However, it could be more difficult to solve issues related to traceability, where the identity of a market participant may be inferred from its trading patterns recorded in the system.
Big Data technologies may allow better and more accurate information to be acquired from SMEs that may contribute to better assessment of credit risk and financial risk. In particular, on the capital market, the availability of information on companies, especially SMEs, is an important factor for potential investors on investment opportunities. Using customer feedback, posts, reviews, discussions on social media and other input can support risk weighted scoring of customers and make results closer to reality instead of only statistical evaluation and history driven approaches.
Not applicable
Not applicable.
Not applicable
The banking regulatory context itself already highlights the methods for identifying the most efficient penetration tests, in particular identifying them through analysis of ICT (Information Communication Technology) risks. The possibility of European coordination is highly complex where specific technological and technical aspects exist which make it difficult to have a valid penetration test for everyone. The current regulations already address the methods for conducting the tests.
Not applicable.
 
 
 
an organisation or a company(organisation-replying-as)
 
ESBG
 
Yes(yes-transparency-register)
8765978796-80
Industry association([ID9])
 
10 to 50 employees([ID6])
 
 
Belgium([ID22])
 
Banking([ID8])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Financial institutions who provide a comprehensive range of services make use of many existing FinTech solutions covering the different layers (back-end, middle, front-end and customer experience). They usually do so through partnerships with other FinTech firms and start-ups to provide better customer experience, security, quality, or to lower operational costs.
Yes([ID56])
The above choice does not allow to respond at the level of granularity that is required. Please take into account the elaboration hereafter: Investments in robo-advisors have been increasing strongly since 2014, and by 2020 the market is expected to grow by 200%. Therefore, automated financial advice is expected to ultimately lead to a growth in the number of customers reached by banks via digital tools. The objective of robo-advisors is to both reduce costs and reach new customer segments that prefer to interact through digital channels.
Yes([ID56])
The above choice does not allow to respond at the level of granularity that is required. Please take into account the elaboration hereafter: There are two main types of algorithms behind the notion of “robo-advisers”: a. “Profiling algorithms”, which are used to obtain a particular profile from the client through the information obtained from knowledge and experience, investment objectives, investment horizon, etc. This process sometimes includes the suitability tests that MiFID regulates, in order to obtain the adequate information and profile clients appropriately. b. “Quantitative management algorithms”, which are used to take decisions regarding investment in a certain type of asset or portfolio management. These algorithms take into consideration quantitative data which determines the quality of the investment made and will ultimately lead to profit differentials. Having established the above categorization, one may remark that in order to provide a minimum set of standards to the robo-advice sector, as well as to enhance consumer protection, some sort of supervision of “profiling algorithms” would be required. Currently, many robo-advisory solutions base their profiling decisions on a very limited set of variables, and no suitability tests are undertaken, whilst customers are not able to perceive which measures each robo-adviser takes. Therefore, in order to avoid that clients perceive the same level of risk and quality of advice by robo-advisers taking different consumer protection measures, it is proposed that “profiling algorithms” should be both supervised and rigorously compliant with MiFID II rules (for which supervision might also be needed). Thus, the benefits that the mobilization of artificial intelligence by financial service providers will bring will not be constrained by adverse reactions of an uninformed public or over-zealous legislators. 
A range of actions from financial service providers could usually complement the approach described above and assuage such concerns upfront: • When deploying artificial intelligence, financial service providers should ensure that both the systems and the ways in which they are used integrate the values for which they stand. • Artificial intelligence should be deployed responsibly, notably ensuring that: - Systems are tested sufficiently according to purpose-designed procedures in order for their output to be in line with each bank’s values; - To meet expectations of fairness, the algorithms used remain interpretable, i.e. both banks’ staff and customers (on request) must be able to understand how systems deal with input and why a certain output is produced; - Customer feedback is scrupulously taken into account, in particular in case of dissatisfaction, including by providing access to staff. • Financial service providers should abide by their responsibility and liability policies and obligations to the same extent, whether artificial intelligence is, or not, involved in an outcome that causes responsibility and liability to be assigned and claimed. • The security and integrity of customers should be assured through the artificial intelligence systems and processes deployed. • A continued dialogue should be instigated between financial service providers and regulators and supervisors, for the former to contribute their ever growing experience with technology, ethical management, and legal implications and potential requirements not only to sectoral but also to public debate and further research. In all instances regulation should remain technology-neutral.
When deciding what information should be included in algorithms used for the provision of automated advice, two objectives should be taken into account: to know a user better, and to ensure compliance with existing regulation. Therefore, the information required (clients’ knowledge and experience of the investment field; financial situation including their ability to bear losses; and their investment objectives, including their risk tolerance) should be obviously included in the algorithms in order to provide advice adjusted to the clients’ risk profile. These represent the minimum set of requirements in terms of the information that should be included in the “profiling algorithms”. Imposing additional information requirements could restrict the ability to innovate of these services and lead to common approaches that could exclude part of the target market.
The application of artificial intelligence and big data analytics does not as such generate new “consumer protection challenges/risks”, these have just to be considered in a different context. Examples are (non-exhaustively): in case of dissatisfaction or dispute with the outcome of an artificial intelligence process, will there be access to a human person? Can AI be explained in a manner that makes customers comfortable, without impeding neither the desired efficiency nor further innovation? How can customers be assured that the “right” data and information has been processed for decisions that impact them? With the increase in cyber criminality, is it safe to make more decisions dependent on software and digitized information? How to ensure that the artificial intelligence software is developed and used according to the objectives and requirements set by the financial service provider that uses it? Generally, what is being done to avoid (accidental, intentional, or even criminal) bias in artificial intelligence outcomes? Can liability and responsibility be assigned in an artificial intelligence process within the existing legal and supervisory framework? More specifically, such challenges and risks include: • Lack of consumer awareness, cultural barriers or behavioral biases, which may imply consumers not being comfortable receiving advice from an automated tool, particularly in some jurisdictions or amongst some groups of consumers, as well as consumers’ limited access to information and/or limited ability to process the information. • Legal barriers: legal disputes arising due to unclear allocation of liability in cases of flaws in the functioning of the tool due to errors, hacking or manipulation of the algorithm, and in relation to legal requirements related to data protection, AML-CFT and FATCA/Common Reporting Standards (CRS), some form of physical communication between the customer and the financial advisor is expected. 
For example, the GDPR regulates data processing in profiling and the need for human assessment for data transfer to non-EU countries and contains much wider rights for data subjects (customers) to request the deletion of data. The right balance must be found between these rights and the development of sophisticated tools for automated financial advice. • Regulatory barriers: uncertainty about the impact of recent regulatory reforms (MiFID, IDD, MCD, PRIIPs) and how financial entities should apply them to automated advice business models. • Digital skills. Risks can materialize when customers lack basic financial education or IT skills, as the use of automated tools especially requires a certain level of know-how as no human advisor is guiding the user through a questionnaire. • Un-level playing field: different barriers for different entities offering very similar services, depending on the sector of the market or on the regulated status of the entity. For example, new entrants to FinTech activities may be able to enter the market with relative ease as the entry barriers are low and the technology is easily accessible. Whilst, for traditional financial institutions, obstacles can be created as they have to observe stricter regulation (e.g. Basel requirements). • Black swan events: when markets fall, seemingly uncorrelated events can become highly correlated. Improbable events are becoming more likely to happen lately, traditional market theories and models are lately being tested. Thus, there is a risk in basing assumptions only on “normal distributions” or classical models, which could lead automated financial advice tools to react in the same manner and create financial bubbles quicker than ever. • The definition of advice: it varies across different sectors, which creates uncertainty and can be a barrier to the provision of holistic financial advice across banking (MCD), securities (MiFID) and pensions and insurance (IDD) products. 
The provision of information should be clearly distinguished from the provision of advice to avoid uncertainty, in particular we suggest: (i) distinguishing between consumer-facing tools and advisor-facing tools, only the former being considered as automated advice, (ii) clarifying when a recommendation/general information turns into “advice”, (iii) distinguishing between partly automated processes and other automated tools, and (iv) establishing equal supervisory requirements to automated advice than to advice provided by a human adviser. At this point in time – also acknowledging that the General Data Protection Regulation provides customers with additional protection - there is no ground to recommend what would only be a hasty amendment to existing legislation.
Yes([ID56])
The above choice does not allow to respond at the level of granularity that is required. Please take into account the elaboration hereafter: Crowdfunding has not been subjected to regulation in all Member States so far. The current fragmentation and disparity of applicable national laws, where they exist, result in cross-border competition that is subject to different applicable legislations. In an EU with free circulation of services, there shouldn’t be any talk of local distortions. In terms of the components of national regulatory regimes, the following issues are identified as critical: • Incompatibility with payments initiation or information aggregation services. When payment services providers (initiators or aggregators) provide crowdfunding or crowd lending services, in practice they actually hold similar risks to credit intermediaries and other financial entities. Therefore, both types of activities should be incompatible in all national regimes. • Consumer protection. Currently only credit financial entities have to comply with national transparency and consumer protection rules. Not complying with issues such as responsible lending or pre-contractual information adds risks to consumers’ access to finance. • Supervision of risk and product advertising. Currently national competent authorities do not supervise and enforce the compliance of rules concerning the advertising of risks and product governance requirements. This Question actually begs an observation: why should crowdfunding be subject to any lex specialis (maybe with an exception with respect to thresholds), compared to traditional deposit taking, funding and lending activities?
As highlighted in the Question immediately above, one cannot but be wary at the thought of a policy maker seeking to privilege the development of certain players, to the detriment of exercising its responsibilities with respect to the creation and maintenance of a level playing field. The promotion of the development of FinTech solutions cannot come at the expense of additional risks to consumers in terms of consumer protection, financial stability and market integrity. Therefore, the development of non-bank financing necessarily must comply with a basic regulatory framework, in addition to complying with all requirements applied to banks whenever the same services are offered through originally non-banking entities. In particular with respect to crowdfunding platforms, rules for at least the following aspects should be implemented for the sake of consumers’ and investors’ safety: requirements for registration as a crowdfunding platform in national registries, rules on onboarding requirements, procedures for the collection of NPLs and failed projects, and a framework for partnerships between these platforms and other entities participating in crowdfunding projects. For example in France, public authorities adapted the regulatory framework in 2014 to accompany the development of participative financing in an environment protecting contributors (donors, lenders or investors). A label was created to identify the platforms which respect the new rules. According to the nature of the proposed financing, participative financing platforms have to register or not with a regulatory status depending on the type of activity and financing (loans, gift, subscription of financial securities,…). The “ACPR” (the regulatory authorities for banking and insurances) are able to check at any time the compliance of an intermediary in participative financing.
Fund-raisers and platforms should be subject to the same transparency requirements (ceteris paribus, i.e. on a risk-based equivalence) applying to incumbent providers for the same activities, in the same markets. In order to avoid risks arising from information asymmetry situations, the basic regulatory framework governing crowdfunding platforms must set a series of disclosure information to be published, including risk factors, procedures and policies, as well as fraud and AML/FT reporting. Self-regulatory initiatives in which only part of the market participates will all but endanger the level-playing field that must be ensured by regulators in the EU internal market. The same activity must meet the same requirements independently of who provides the service. Therefore, the level of transparency required from new players in the FinTech sector must equal those currently required from established financial entities. These rules have been set up for different reasons and responded to different problems. Allowing the same problems to arise through the action of different players will only worsen the integrity of the financial sector.
Examples of sensor data analytics and other technologies which are changing the provision of insurance and other financial services include: • Sensors at electronic devices at home to predict home insurance risks; • Intelligent cars gathering over 1.000 variables (“auto-insurance”); • Sensors in cars to make auto-insurance prices vary according to the kilometers or hours driven; • Smart watches or smartphones collecting health data through sensors allowing for a better pricing of health insurance. To date, sensor data analytics have not yet radically changed the way insurance is provided, although it is expected to happen in the future. For instance, in the area of life insurance, work is currently being performed on the monitoring of the policy holder through devices (i.e. smartphones) in order to keep track of their health habits and thus better understand the related risks. The outcome of this development would be to personalize insurance products by adapting the premium according to the detected risks, hence speeding up the subscription process. The challenges to the widespread use of new technologies in insurance services are: • Legacy systems are not still capable of managing the huge amount of data required by these Big Data techniques and sensor data analytics; • Lack of insurance-related knowledge and understanding by consumers; • In our opinion, the greatest challenge of using sensor data analytics is the need for security measures to process personal data, in particular health data.
Yes([ID56])
The above choice does not allow to respond at the level of granularity that is required. Please take into account the elaboration hereafter: The value of data nowadays mainly comes from the benefits it provides to both market participants of all types and society as a whole. An increase in the use of data by financial entities has had the effect of higher availability of their products and services for clients, and customer pricing has improved significantly too. As a result of that, customers whose affordability was previously considered low (due to e.g. lack of data, data mismanagement or assignment of wrong default values) can now afford the prices offered to them, as suppliers are able to determine more tailor-made prices, along with more personalized products and services. More granular segmentation allows more accurate pricing and avoids overly penalizing a number of customers due to risk pooling in relation to some products. This is especially relevant for retail banking services and the insurance sector. In conclusion, it should thus be clear that the ultimate beneficiaries of Big Data processes is the society as a whole, as both customers and financial entities benefit from it. Hence, ceteris paribus Big Data does not change the market principle that not all financial products and services are suitable for all consumers, and that access to and pricing of these products and services are also a function of an understanding of a consumer’s requirements and capabilities. This principle actually is enforced by legislators for a number of products/services, e.g. lender asset quality (placing an emphasis on credit worthiness of borrowers) or determination of risk appetite when investing (MiFID) or the fraud score in the risk-based-analysis used in PSD2. Big Data – when properly applied and often incremented by human intervention - assists in enhancing that understanding, with the aim of delivering “the right product/service” at the right price”. 
This may in instances lead to the conclusion that a given product/service is not suitable for a given consumer, or only at a risk premium, a conclusion which would often have been reached – yet less efficiently – under a “traditional” model. In any case, if discrimination exists, it is in the form of “positive discrimination” in the sense that it tends to offer better coverage to certain risk groups or to reduce insurance premiums as a result of a better knowledge of the customers (e.g. by using devices in cars that allow to determine the risk of accident depending on the driving pattern of the insured).
N.A.
Digitization in the financial sector began many years ago (e.g. the dematerialization of trading instruments), yet it is not complete. Digitization – which involves the mobilization of financial technology - is pursued to achieve greater efficiency, better service, and meet customers’ changing expectations: • A high level of digitization has been achieved in the infrastructure area with sustained efforts and investment in straight through processing, yet these infrastructures (once generally cooperatively owned and operated, now at times outsourced to third party processors or even competitors) are ripe for a new round of investment, in order in particular to fully support transaction immediacy. • A fair level of digitization has also been achieved in back office areas, yet here again these are ripe for re-investment, in order to i.a. migrate platforms to new technology, efficiently acclimatize new types of interfaces, and more critically, deploy processes that take full advantage of data mining, and cope efficiently with an increased regulatory compliance burden. A 2012 report highlights the significant opportunity that exists to increase the levels of automation in banks’ back offices, by preventing customers from using paper, digitising work flows, automating or supporting decision making, and using IT solutions to manage residual operations that must be carried out manually (e.g., using software for resource planning). Productivity and customer service improvements of more than 50% are said to be achievable. • The customer-facing area is probably the one where the impact of digitization is the more visible. For many years, banks have leveraged digital channels in order to “outsource” routine tasks (essentially transaction initiation, statement consultation and cash withdrawals) to customers. With wide access to mobile functionalities, the trend initiated with PC banking accelerates and customer visits to bank branches become the exception. 
As (according to a large international bank) branches and associated staff costs make up about 65% of the total retail cost base of a larger bank, the existence of a number of branches and the reassessment of a number of staff functions are on the agenda. Specific, non-exhaustive recent examples of digitization include: • Bots (robo-advice): They are currently used for providing help and advice in relation to basic products and services offered online. Also, for example, they can attend to new clients via Facebook, answer their questions regarding the opening of online accounts or basic information regarding those accounts. These bots allow to reduce considerably the cost of call centers, for instance, and also reduce the need for advisers to be present in commercial front-end offices. • Big Data: It is one of the technological advances that allows to save costs by automatizing compliance, reporting or AML processes. • DLT: It is sometimes portrayed as the most promising technological innovation in finance, with a huge potential (to be validated, though) to lower costs for payments, settlement and clearing. In terms of collaboration with other market players, DLT is the innovation where it will most be needed. No DLT system will be possible without global and far-reaching collaboration. • E-Identification: The inclusion of biometric features has added relevant potential to the management of the onboarding of new clients, where physical presence may be reduced significantly
As highlighted several times in the response to this consultation, policy makers and legislators hold responsibility for creating an enabling environment for the deployment of technology and the harnessing of efficiency by market participants – the latter of course holding responsibility for deciding which technology they implement, where, how and when, and which efficiency they pursue (again: where, how, and when). Innovative technologies such as DLT will require support from policy makers and regulators in order to fully ensure their success, a support which may take the form of either guidelines, standards, or legislation. Most measures in support of innovation will need to prioritize cybersecurity assurance for the market and the whole financial sector. Data protection and privacy-related issues, especially regarding the liability of new actors (e.g. robots), will also be central to the future of the market integrity. It must however be stressed that the main role of EU policy makers and legislators in the field of innovation should not be to issue constraining legislation – which would limit innovation to a narrow spectrum of opportunities - but to ensure that innovative solutions always fully comply with the existing regulatory framework, so that the technological disruption in the financial sector does not produce negative effects for both consumers, investors and the market itself. Finally, citing a recent speech by ECB Vice-President Vitor Constancio, “what we need is a coherent and well-supervised regulatory perimeter for non-banks that are engaged in bank-like activities to avoid regulatory arbitrage. 
At times when risks legitimately shift towards the non-bank sector, heightened vigilance is required to avoid that such risks spill back and compromise the soundness of credit institutions and of the financial system as a whole.” The said enabling environment comprises in particular: • A stable, harmoniously transposed across the EU and coherent with other legislation, e-identity framework, which allows and motivates market participants to develop and operate convenient and secure e-identity solutions, interoperable where required with solutions deployed by national authorities, and interoperable across Member States. • A much increased and then sustained effort to foster cybersecurity across all dimensions, prevention, detection, and remedy. • A stable, harmoniously transposed across the EU and coherent with other legislation data protection framework (i.e.: the GDPR, with the necessary clarifications). • A supervisory framework for cloud that provides legal certainty to the usage of cloud service providers cross border, and harmonization of the supervisory requirements applicable to banks in this respect.
Research shows that whilst a relatively small share (up to 12%, see below) of jobs are under a threat of complete automation (over 70% risk) and thus elimination, a substantial share of jobs (up to 35%) has a high content of automatable tasks (between 50% and 70%). The latter jobs are thus unlikely to be substituted entirely (at least in the short to medium term), yet they will be substantially transformed, and their holders need to be trained and evidence adaptation capabilities. Given the polarization effects of digitization, European Union authorities should contemplate assuming a more coercive approach in digital skills education and retraining, in order to prevent the digital gap between Member States to widen further. A process similar to the approval of Member States’ annual budgets could be implemented with respect to digital skills education and retraining programs, also enticing Member States to deploy parallel measures to ensure that such skills remain thereafter in the European Union. This approach would also trigger the development of a common methodology for evaluating needs and assessing results. Finally, although as stated in the Commission’s 10 June 2016 Communication on « A new skills agenda for Europe »: “success depends on the commitment and expertise of many players: national governments, regions, local authorities, businesses and employers, workers and civil society, and people themselves”, the essential role of national and regional governments should never be played down. The onus is on them to demonstrate to society, on a day to day basis, the importance of being “digital-capable”, by forcefully migrating to e-government, thus also contributing to sustaining the business case for infrastructure deployment (including e.g. broadband communications, very low cost IoT networks), which can then be profitably re-used by economic actors. 
In short, policy makers need to become digital market makers — creators of a digital economy that provides its citizens, enterprises, and economic sectors with the competitive advantage essential to thrive in an increasingly global market. It must be regretted that so far, too few European governments have embarked on this journey. More specifically, public authorities – in particular where they promote a digital market - hold responsibility for publicly acknowledging that digitization has as corollary a shift in job profiles, thus allowing for a more serene dialogue between employers and employees, including a more open and timely exchange on needs for continuous training and retraining. Job laws may need adjustment in order to allow for the services made possible by digitization to be provided. For example, job laws may prevent bank (including Central Bank) staff to work 24/7 and thus support the operation of instant payment systems. Indeed, skills hold a strategic importance for growth, innovation and social cohesion and the complexity of jobs is increasing across all sectors and occupations. In the financial sector, digital and STEM-related skills are increasingly demanded and this may require the replacement of current skills that will no more be needed by others that provide a much higher added value. According to the European Parliament’s Draft Report on a new skills agenda for Europe, by 2025, 49% of all job openings in the EU will require high-level qualifications, 40 % – medium-level qualifications, while only 11 % – low-level or no qualifications. However, currently, almost 23 % of the population aged 20-64 have a low level of education. This is going to be a key strategic issue for the coming years. 
In terms of the role EU policy makers and regulators can adopt regarding the skills agenda, it must be recognized that public and private investment in vocational education and lifelong learning are necessary in order to ensure that the EU workforce, including the “digital workforce” working in non-standard forms of employment, is equipped with the right skills for the digital economy. Specifically in the financial sector, the following skills may be required in the near future:
• Programming and web development
• Software & app development
• Big Data and data analytics (including sensor data analytics and IoT)
• Artificial Intelligence
• Machine learning
• API programming
• Cybersecurity
• Distributed ledger technologies
• Robotics
• Digital design
• Digital marketing
It is first necessary to clarify the differences between traditional compliance and regulatory solutions and RegTech solutions, which are: (i) agility – cluttered and intertwined data sets can be decoupled and organized through ETL (Extract, Transfer Load) technologies; (ii) speed – reports can be configured and generated quickly; (iii) integration – short timeframes to get solutions up and running; (iv) analytics – RegTech uses analytic tools to intelligently mine existing Big Data data sets and unlock their true potential e.g. using the same data for multiple purposes; and (v) cloud – data is remotely maintained, managed and backed up. Regarding the areas in which RegTech solutions are most promising:
• Legislation/regulation gap analysis/compliance automation
• Compliance and conduct analytics
• Management Information and regulatory reporting tools
• Activity monitoring, employee surveillance (behavioral assessments and monitoring, voice and electronic communication screening)
• Risk data warehouses and case management
• Fraud prevention: real-time transaction monitoring in order to address certain anti-money laundering (AML) and counter-terrorist financing (CTF) regulations
• Identity verification, so that due diligence (CDD) is fulfilled by using methods like the know your customer (KYC) processes.
A range of challenges have to be addressed to facilitate the development and implementation of RegTech. Policymakers should continuously reassess the impact of technological developments on data security and privacy, ensuring that regulations strike an appropriate balance between protecting privacy and security, and effective data use.
• Data protection and privacy: removing the existing legal and regulatory impediments to the sharing and use of data for regulatory purposes should be a priority. Inconsistencies of interpretation should be removed and clarity achieved among regulators and industry on how to manage the extent and impact of any such requirements that cannot be removed.
• IT infrastructures: The requirements imposed on financial entities are not necessarily consistent or compatible across regulations; definitions, granularity requirements, formats, and the like vary from regulation to regulation, even within the same jurisdiction. Ad-hoc information requests often pose additional challenges.
• Identity verification: Current regulations on the prevention of money laundering and terrorism financing should be assessed to allow ex-post validation of alternative online identity verification mechanisms (biometrics, video call, third-party verification). Regulation needs to be digital-friendly, i.e. without requiring physical signatures and other physical elements in the KYC process.
• AML: There is a need for more industry collaboration on analytics to identify and report suspicious transactions for AML/CTF and sanctions compliance, and for an improvement in pattern recognition across institutions.
• Reporting: Responding to the regulators with qualitative reports and large data sets can be labor-intensive, inefficient and prone to error when regulators use online portals requiring forms to be filled in manually, or when they encourage the design of data collections “as if they were reported using paper forms” such as pdf documents. Updating online reporting portals and secure data transfer mechanisms would significantly increase efficiency in the process both for regulators and FIs. Financial services organizations would benefit from availability of standardized communication mechanisms (data formats and definitions, APIs, protocols) across different legislative and regulatory requirements. A single, streamlined communication protocol would increase the consistency of the reports, enhance the comparability across different standards, regulations and legislation, and reduce the efforts and costs associated with regulatory compliance.
As highlighted several times in the response to this consultation, the legislation and supervision applicable to the use of cloud services are currently the purview of national authorities, which leads to different legal frameworks across the European Union. This has multiple implications: banks may be constrained in contracting a cloud service provider located in another Member State (this is also an issue for banks active in several Member States), banks may be at a competitive disadvantage vis-à-vis both other incumbents located in Member States with less stringent regulation, and vis-à-vis newcomers
Yes([ID56])
There is hence urgency for legal certainty and harmonization in using cloud service providers cross-border, and for clarity and harmonization of the supervisory requirements applicable to banks in this respect.
• Cybersecurity is by far the first and most important priority with regards to the use of cloud computing services, and the aspect raising the largest and most critical risks. Cyber-attacks are a constant threat nowadays, and the security measures provided by cloud computing services providers (CSP) must stand up to the necessary level of security standards. However, experience has shown that CSPs’ security measures are still not as developed as financial sector companies expect and need them to be. This issue has slowed down the adoption of cloud solutions by financial entities.
• The existence of still very few credible CSPs leads to a considerable concentration risk, with regards to cybersecurity risks especially. These risks will be further enhanced in the following years as an increasing amount of financial entities are expected to transfer their data towards cloud infrastructures, where the most valuable data behind their business models may reside (e.g. AI algorithms), generating large incentives for cyber crooks to act against CSPs’ infrastructures.
• Another reason slowing down the adoption of cloud solutions is the reputational risk financial entities face due to the difficulty for CSPs of ensuring a compliant and secure protection of the information they store (with effect on personal data protection and privacy rules).
• The lack of harmonization in regulatory approaches across different jurisdictions and the lack of clarity in supervisory expectations hinder the compliance with rules regarding the use, management and storage of customer information, and increase uncertainty in relation to the criteria for the approval of cloud projects.
No([ID57])
The above choice does not allow to respond at the level of granularity that is required. Please take into account the elaboration hereafter: As already stated, the adoption of cloud solutions by financial entities comes hand-in-hand with CSPs’ ability to deliver all the security measures required by the former. Currently a significant improvement can be regarded in this respect, but it still remains necessary to ensure that all CSPs comply with minimum cybersecurity requirements. The following critical requirements that are hardly ensured by CSPs can be identified:
• A secure infrastructure of keys and encryption, ensuring multiple encryption of data with keys stored in the financial entities’ infrastructure.
• Traceability of all data stored in cloud infrastructures.
• Certified security mechanisms.
• Compliance with data protection and privacy rules.
Yes([ID56])
Banks and other financial entities acting as cloud service consumers need assurance that all contract terms are fulfilled by CSPs. However, two main challenges arise when negotiating contract arrangements with CSPs: (i) CSPs are not always able to comply with specific contract terms in practice (e.g. user’s and supervisor’s right to audit), and (ii) CSPs are not always willing to include non-regulated issues into contractual arrangements. Hence, and particularly due to the former issue, a common supervisory framework should be developed so as to facilitate compliance with a commonly understood set of minimum requirements to operate in Europe, translated into a core of minimum contractual arrangements to be included in all contractual relationships between CSPs and their users, namely:
• That all data stored in CSPs’ infrastructures are located, treated and processed in the EEA zone, including when cloud computing services are subcontracted.
• That CSPs allow their users to undertake every operational or technological control required by internal policies and processes, as well as every requirement regulators may ask in the future.
• That all data stored in CSPs is encrypted.
• That CSPs comply with all data protection and privacy rules.
• That CSPs obtain and maintain every certification required by specific regulator or body governing cloud computing services.
• That CSPs ensure cloud users to undertake continuous monitoring activities whenever necessary, as well as virtual or ongoing audit.
• That CSPs must report any IT or cybersecurity incident, in particular when the data breach could be identified as that pertaining to a specific client, to both their clients and their supervisors, and that they will ensure that incident reporting deadlines are met by their clients.
• That CSPs have a business continuity plan for every client, so as to ensure the latter are able to switch providers whenever they deem necessary.
• That users of cloud computing services hold the right to extract data anytime.
Should “access to finance for enterprises” be understood as easing financing through a reduction in the complexity of the processes required, then in theory distributed ledger technology could contribute through applications in digital identity, reference data, and trade finance (including e-invoicing). This however should not be read as DLT being the sole solution – its potential being dependent on a range of questions, issues and barriers (see response to next question). It needs to be clear that DLT applications are not yet fully technologically advanced and most of them are currently proofs of concepts. Nonetheless, due to recent developments, the following areas can be expected to undergo significant efficiency improvements due to the application of DLT systems:
• Enhanced possibilities for instant settlement allow for additional alternatives for instant and cross-border payments, and the elimination of the risk that a counterparty fails to deliver the asset, because all elements are in a shared database.
• DLT solutions for trade finance and the trading of short-term debt, allowing for a standardization of the transaction process with traceable records and shortening the settlement to hours, which could also be helpful with respect to derivatives and letters of credit.
• Creating a record of individual digital identifications on a DLT could include traditional identity factors such as address, copy of ID or phone numbers, but also biometric records or records verified by third parties such as university certificates or government authorities. Furthermore, AML and KYC processes may be enhanced through DLT solutions.
• Finally, other opportunities for the application of DLT solutions may arise in relation to legal inheritance and proof of ownership.
Finally, it is worth mentioning that most of these innovations may also be achieved through technical developments over existent technologies, and not necessarily through DLT systems.
The main challenges for the implementation of DLT solutions are scalability, asset representation, certainty with respect to the enforceability of smart contracts, standardization, and interoperability. Furthermore, market manipulation can arise by parties unduly exploiting the information recorded in DLT, for example, recent trades or inventory levels of other participants, to front-run competitors or manipulate prices. Uncontrolled malicious behavior, in permissionless systems especially, increases the risk of illicit activities. Additionally, the possibility that different users rely on inconsistent versions of the data will increase misconduct risks, because of network latency or the validation of conflicting forks. DLT can also add to market volatility, as smart contracts can embed automated triggers, exacerbating one-directional market reaction in times of stress (systemic risks). Shorter settlement timeframes can have negative unintended consequences, and increased interconnectedness between market participants can be harmful for the industry. Finally it is still impossible to exclude that future technologies will be able to decrypt publicly available data in a shared ledger, thus posing threats and increasing cybersecurity risks. The multiple proofs-of-concept and pilots currently underway only begin to assess the extent of these barriers, and how they could be overcome. Significantly more time is required to arrive at firm conclusions in this respect, prior to productisation at scale. Additionally, several challenges remain for an implementation involving large numbers of counterparties (e.g. customers):
• Customer understanding, acceptance and implementation of this new trust approach;
• Necessity to define liability management;
• Necessity to define the governance:
  o of the underlying blockchain for public blockchains
  o of the consortium for permissioned blockchains
  o of the systems issues
• Integration into the internal banking ecosystem: each business line must identify and deal with the disruption of its approaches.
As an illustration, clear governance arrangements are critical for the swift update of protocols. Settlement finality needs to be defined by a clear point in time in the validation process, with a specific golden copy of records held by a system operator to provide transfer of legal title. Emergency situations need to be handled by specific governing bodies with which public authorities can interact in the interests of society. Open industry standards can help lower implementation and integration costs and ensure consistent expectations about how information from DLT-based arrangements is structured and accessed. Building APIs (not open, with access only provided to certified industry participants) in common, industry-standard languages, and enhancing software development kits lowers the barriers for organizations. Regarding integration into the banking ecosystem, the complexity of DLT systems and their co-existence with current so-called “legacy systems” can increase operational risks and market fragmentation. Interoperability across DLT arrangements or between DLT arrangements and legacy systems is likely to be an important factor in determining the extent of DLT adoption. Standards-based APIs and interoperability protocols can be the necessary bridge between emerging and existing systems. Designers of DLT arrangements must determine how errors and known fraudulent account take-overs are handled and resolved, as information history, shared in common ledgers of multiple participants is difficult to alter.
In order to deliver a fully DLT-based system for example, for settlement, there will need to be a way in which to settle the cash leg on the DLT using, for instance, central bank money. This should therefore be facilitated by central banks by keeping a digital form of central bank money on a DLT.
As a technology for messaging and data storage, DLT does not require any special treatment. Already today, electronic communication systems are used to exchange messages within contractual relations (e.g. from SEPA payments to confirmation of derivative financial instruments). As ‘smart contracts’ are in effect computer code or “scripts”, they do not require any extension of existing law, which already covers electronic communication as part of contractual agreements. As the banking services to which this technology could be applied are not clearly defined yet, the potential obstacles are difficult to specify at this stage. In its report, ESMA “believes that it is premature to fully appreciate the changes that the technology could bring and the regulatory response that may be needed, given that the technology is still evolving and practical applications are limited both in number and scope”. Given the capabilities of the technology, regulators will probably open up the possibility of it being used for functions traditionally held by some actors (e.g. Central Securities Depositories could be replaced by DLT-based systems). Those legislations (or parts thereof) which at present are not technologically neutral would need to be revised in order to erase this deficiency with respect to the required neutrality. It should be highlighted that it is particularly important to design blockchains based on the regulatory framework on data and privacy. The regulatory or supervisory obstacles very much depend on the area of application considered.
In clearing and settlement, one may point to the need for interoperability of a ledger with existing market infrastructures for the short/medium term, the need for a central bank fiat currency for delivery vs payment (DvP) scenarios, the requirement under the Settlement Finality Directive to deal with “designated” members only, diverse licensing and holding requirements under MiFID, CRDIV, EMIR, and CSDR, notwithstanding a string of local requirements. Regarding smart contracts, clarification would be required with respect to their legal enforceability (notwithstanding other questions, see response to Question immediately above). It should be stressed that not all of the above are barriers, but requirements that may render a theoretically attractive solution less efficient or just non-effective. Potential regulatory obstacles identified at this stage are:
• The determination of the law applicable can raise concerns when adopting global DLT systems due to a high degree of decentralization and because of the geographical dispersion of different jurisdictions and judicial systems.
• The liability of the respective parties, including with respect to rules to approve or reject authorized participants or the set-up of correction mechanisms.
• Some types of DLT systems (e.g. public or permissionless systems) would require to establish a sort of license to operate in DLT systems, under which the legal nature of DLT processes would be acquired. That is, it should be necessary to acquire some type of charter or license to provide services or conduct activities that involve the holding and transferring of assets on behalf of households and businesses.
• It needs to be determined what legal basis and evidentiary status will smart contracts and encrypted hashes have.
• Legal analysis must be done to understand how ownership of digital tokens on a distributed ledger fits into the current legal framework and what gaps need to be filled by contractual agreements or new laws and regulations.
• EU competent authorities may need to provide guidance on the application of existing law to any new intermediary or process arising from DLT systems, such as AML and KYC processes.
Potential supervisory obstacles identified at this stage are:
• DLT infrastructures will need to be supervised by EU competent authorities, but they are substantially more complex to supervise than other central market infrastructures. Support from public authorities should come with a supervisory action plan, including an increase in both human and financial resources devoted to these supervisory tasks.
• DLT applications can enhance regulatory reporting by giving permission of access to shared ledgers to regulators. However, diverse regulations would need to be adapted to that new reality.
• DLT systems will introduce new functions or roles, for example, the provision and maintenance of DLT infrastructure and protocols, or the coding and management of smart contracts. Regulators will need to decide whether and how they want to regulate those functions, considering potential risks.
Yes([ID56])
Even though the current framework is not necessarily an obstacle per se to outsourcing, it remains true that should those rules only apply to incumbents the latter are at a disadvantage. Furthermore, the supervisory requirements applicable notably to cross-border outsourcing within the EU should be harmonized in order for market participants to fully reap the outsourcing potential. In this respect, for DLT, such supervisory barrier adds on to other obstacles and barriers highlighted above. Also, data protection rules currently remain the most complicated legal hurdle, as for every process that is outsourced personal data may be necessary, which leads to the fact that every outsourced activity may be connected to transfer of data and therefore liability. Finally, it should be considered that the requirement for substitutable alternative services can reduce the competitiveness of providers’ solutions, as outsourcing entities are conditioned by that substitutability.
Yes([ID56])
ESBG understands that the core principle is that the outsourcer is selected by the outsourcing financial service provider, the latter remaining responsible and accountable notably from a supervisory perspective. This principle need not be revised. The existing regulations CRD IV and CRD, delegated acts (e.g. Internal Models), MiFID and the CEBS Guidelines on Outsourcing (2016) are sufficient. However, certain national authorities could introduce specific mechanisms to act against outsourcers, as currently the supervisory perspective fully relies on the liability of the outsourcing financial service provider. The European Central Bank (ECB) is in charge of the supervision of the banking activities outsourced by banks. In this sense, the ECB has initiated a thematic review to take stock of banks’ outsourced activities and scrutinize how they are managing the associated risk (in particular IT risks). Certain national authorities could though introduce specific mechanisms to act against outsourcers, as currently the supervisory perspective fully relies on the liability of the outsourcing financial service provider.
There are many technological developments with a potential for increased efficiency, from personal assistants such as Siri or Alexa to Robotic Process Automation. All these technological developments are market-driven and will be implemented if banks see a benefit in doing so.
Note: the limitation of the input that is allowed by the Commission's template for this critical section is most inconvenient and a barrier to an open dialogue.
Adjustment of EU and/or Member State legislation and/or supervisory practices is required as a matter of priority in the following areas: In addition to input repeatedly provided with respect to E-identification and AML, Cybersecurity, Data and Cloud, the following items are of importance:
e. Alternative lending and investment services
- In the light of the market development in terms of alternative lending and investment services, issues of customer and investor protection emerge again. These point to a requirement for the harmonisation of investment and lending licenses, and supervision thereof, to ensure a level playing field between incumbents and newcomers, and between EU players and non-EU players.
- Legislation furthermore needs to enable supervisory authorities of end user Member States with pan-EU powers in order to avoid lengthy discussions with financial services authorities of host member states when urgent measures to protect investors are required.
f. Capital requirements and resolution. To promote financial stability, it should be considered to set similar capital requirements associated with operational risks for FinTech companies as those for credit institutions, in order to ensure they can be held accountable by customers for improper business practices, unsuitable processes, business incidents, system failures, internal and external fraud, etc. Even though activities and services offered by both credit institutions and FinTech companies have an operational risk, the current regulations only stipulate the associated capital requirements for the former, for financial credit institutions and for payment institutions. For example in Spain, such risks (improper business practices, unsuitable processes, fraud, etc.) accounted for 9% of the RWAs (about €152 billion) in the banking sector in 2015. Additionally, a further assessment should be made on the potential adverse effects for the real economy and the financial system of a newcomer potential failure facing a traditional liquidation process that could, in effect, end up in a sudden interruption of its critical functions.
g. Consumer protection. It is our understanding that while there are no European regulations applying to FinTech newcomers on consumer protection, Member States should apply the same regulations on marketing, advertising and risk reporting to the services provided by new operators as those applicable to credit institutions, when rendering the same services because the purpose thereof is to protect customers and, therefore, they must not discriminate based on who provides/offers the product or service.
h. Supervising and monitoring regulatory compliance.
- The same supervisor should be responsible for the same activities. The opposite case would result in varying levels of requirements and different competences for setting new obligations.
- Moreover, compliance must be monitored in the same way for the same activities. This concerns, in particular, compliance with regulations on prevention of money laundering, data protection and consumer and user protection.
i. Other CRD/CRR requirements. Rules regarding governance arrangements, remuneration or internal control management have placed strict rules on credit institutions, while none of them apply to non-bank financing entities and other new entrants to the FinTech sector. While not all those requirements should apply to them due to a criteria of systemic risks, it should be noted that they pose a real threat to the level-playing field that must be ensured by regulators.
In many respects the title of this section (i.e.: “Making the single market more competitive by lowering barriers to entry”) is both discomforting and misleading:
- Discomforting because it could suggest that the existing, significant European Union competition law framework and case law is ineffective, and/or not enforced appropriately. A thorough analysis of currently perceived situations of (alleged) imperfect competition should be performed prior to thinking about any FinTech-motivated change to that framework.
- Discomforting again because it could suggest that FinTech-specific legislation could be a response, a thought which would go against the principle of technological neutrality (a principle just endorsed again in the European Parliament’s Resolution on FinTech – May 2017). This is not to imply that proportionality should be discarded, provided it does not trigger any discrimination.
- Misleading because it could suggest that barriers to entry are the bigger issue, whilst the key issue is enabling all players in the market (both incumbents and new entrants) to harness a range of technologies as and when they require. Significant barriers exist in this respect – see response to Question 3.1 above. In addition financial service markets are characterized by a high level of compliance obligations, which should apply equally to incumbents and new entrants.
- Misleading because it could suggest that the single market is operating in a vacuum – whereas the digital world knows no geographical borders, and the main issue is represented by large players (both market participants, and providers of infrastructure and other services to market participants) from outside the single market.
Yes([ID56])
The current wait and see approach needs to be reconsidered. Adaptation to reality by regulators must necessarily be faster, maybe through standards and guidelines. The possibility for industry organizations to develop and agree guidelines – which would then be validated by EU regulators - should also be contemplated.
Again there should be no misconception that any FinTech “lex specialis” treatment would be required. The same principles applying to legislation and supervision before the advent of “FinTech” should continue to apply. In particular the principle that a service regulated in a Member State could be passported to other Member States – under due supervision of the host Member State, and within a harmonized legal framework – should continue to apply. When doing so, any “passporting imbalance” that would grant more possibilities to passported institutions/companies than to those residing in a given Member State (as happens at present in some Member States) should be avoided. Considering FinTech firms as different entities can lead to misjudgment in terms of defining a regulatory approach to FinTech activities. It needs to be asserted that FinTech can be provided by either wholesale banks, retail banks, savings banks, insurers, pension funds, financial advisors or new entities focusing on a specific activity in the supply chain that characterizes the financial sector. Therefore it should not be considered that FinTech firms in general have a problem with scaling up, but that there is regulatory uncertainty regarding the provision of FinTech-based services, independently of the type of entity offering them.
No([ID57])
 
No([ID57])
 
Yes([ID56])
As to 3.4:
A distinction should continue to be made between firms providing financial services to end customers, for which notably consumer protection and financial stability issues arise, and firms providing services to such providers to end customers. The relationship between the latter and the former is where required defined in legislation or other regulatory requirements (e.g. with respect to outsourcing). The case for further, specific licensing for FinTech activities in the provision of financial services to end customers does not seem to exist – acknowledging that in particular the revised Payment Services Directive created such new categories. It is in particular crucial to avoid providing different licenses to entities providing the same services as those under banking licenses. The principles that should apply are still the same, i.e. level playing field and technological neutrality. The essence of the question is whether a newcomer provides a wholly new, unique service (that has never been provided before), or just provides (what albeit may well be a very innovative version) of an existing service, based on new technology, and/or delivered through a new channel, and/or aimed at a specific customer segment. Activities such as robo-advisory, P2P lending, or social trading should first be assessed through such a lens, whilst of course ensuring that existing legislation enables legal certainty and consumer protection. At this point, the case for a specific, pan-European registration and supervision of FinTech firms (how would they be defined, how static would that definition be?) does not exist. With respect to passporting, please see response to Question 3.3.
As to 3.5:
No general purpose response can be given. This would need to be assessed on a case by case basis. The existing regulatory framework already contains a wide range of exceptions and waivers which have been justified on the grounds of proportionality – these should not be extended. The adaptation of the regulatory framework through initiatives coming from the Commission in relation to the FinTech sector should meet two goals: flexibility and proportionality. That is, measures should come soon in the form of guidelines, standards, recommendations, experimentation programmes (regulatory sandboxes), instead of through directives and regulations as has been the experience at EU level until now. However, it will be of utmost importance to let the FinTech wave ride calmly through the finance and banking oceans, and not let it flood the cities established during the last decades, as these provide citizens a wide range of basic necessary services and have been made even more resilient during recent years. Not only the cities themselves, but the organization of the continents adjacent to the banking and finance oceans need to be properly administered, so that the FinTech wave does not cause floods in our countries, in which case citizens would clearly end up being the most damaged side.
As to 3.6:
Restrictions on data localization or data movement only indirectly impact cross-border financial transactions as they could prevent the localization of data processing in the more efficient Member State, or access to more efficient data analytics capabilities in a certain Member State. Such restrictions should be lifted, on one side at the time of the implementation of the GDPR, on the other by harmonizing supervisory requirements for financial service providers throughout the EU.
Yes([ID56])
These principles are appropriate to guide the regulatory approach – provided that “FinTech” activities are not considered in isolation, and that these principles apply transversally to both incumbents and new entrants, and FinTech and non-FinTech activities. As already stated, proportionality will be a key feature of the approach to regulation of FinTech activities, and the integrity of the financial markets must necessarily be ensured at all times and through every means possible. However, the concept of technology neutrality should be clarified, as it cannot come at the expense of lower security measures in relation to new technological developments. Rules should not apply differently to the same services when these are provided through diverse technological means, but minimum security requirements are not equally important in different technologies.
Regulatory sandboxes should be facilitated or created, yet competition between national supervisors on the basis of regulatory arbitrage should be avoided at all costs. The objective of a regulatory sandbox should unambiguously be to establish a customized regulatory environment to allow both newcomers and incumbents to pilot on a small scale, and it should be stressed that the sandbox is not lowering regulatory standards, as consumer protection is paramount. Accelerators are private initiatives and it is unrealistic to establish the EU as a whole as an innovation hub. However, national regulatory sandboxes do actually provide an efficient gateway for both new entrants and incumbents in the FinTech sector, by providing not only advice in relation to regulatory requirements they will need to comply with, but also as a testing facility under closer but lighter regulatory scrutiny. In order to avoid regulatory arbitrage opportunities arising from national regimes establishing regulatory sandboxes, it will be necessary to set up a legal framework with minimum criteria to be complied with under experimentation platforms.
Yes([ID56])
As the ESAs are expected to be and should be responsible for setting the standards, guidelines and recommendations necessary not only with regards to regulatory sandboxes but for the whole FinTech sector, it will be of utmost importance that they are able to gather sufficient technological expertise in the upcoming years, in order for the EU to provide an adequate regulatory response to innovation applied to the FinTech sector. Moreover, other agencies such as ENISA should also be able to collect the necessary resources in order to deliver the work the sector will need from them.
No([ID57])
 
Yes([ID56])
As already highlighted above, first and foremost the principle that a regulatory sandbox is a customized regulatory environment to allow both newcomers and incumbents to pilot on a small scale, and is not lowering regulatory standards, as consumer protection is paramount, should be endorsed by national supervisors. This would seem a more efficient approach than establishing a “European” sandbox. A regulation would not be able to identify differences in national regulatory regimes governing specific FinTech aspects, thus the development of European guidelines, high-level principles or recommendations setting best practices could be helpful for defining a European framework for experimentation. The challenge of a European regulatory sandbox is that one of their main objectives is to provide advice to startups and fintechs, especially with regards to the compliance with regulatory and supervisory requirements in place. Adding to that, regulatory and supervisory requirements are still quite different under each national regime. Therefore, a European regulatory sandbox would hardly be able to provide proper assistance to fintechs interested in operating on a single country. However, as the question states, a European regulatory sandbox could properly assist fintechs intending to operate cross-border, so that it could provide advice, as well as a testing facility, to the cross-border element of their activities.
No([ID57])
 
As stressed earlier in this response, a fundamental requirement (not only with respect to promoting innovation) is to prevent inconsistencies between existing European legislations, or new ones being introduced. In addition, in order to increase the Union’s competitiveness, a change to the treatment of software investment is recommended. The accounting treatment of software as an intangible asset causes it to be fully deducted from the Core Equity Tier 1 (CET1) when calculating capital requirements. This is perceived as a significant disincentive for investments in innovation and a major factor of unfair competition. Indeed, there is evidence of different regulatory treatment of software in some jurisdictions, including the United States where capitalized computer software can be recorded as “other assets” and subject to regular risk rating, and not be deducted. Consequently, a revision of software accounting treatment would remove any artificial hurdle for banks to invest in digitalization, creating value for the economy as a whole and leading worldwide innovation in this area. A change to the CRR is therefore fully justified. Accordingly the following amendment to the CRR is being proposed: “Article 4 Definitions (115): “intangible assets” has the same meaning as under the applicable accounting framework, and includes goodwill, with the exception of software for the purpose of Art. 36”.
Yes([ID56])
In the domain of innovation, regulators and supervisors have to accept and acknowledge that technical standardization and interoperability are less and less the purview of traditional standardization bodies, and are increasingly developed by market participants, as part of their research and proof-of-concept processes. Of course this change raises a number of questions, including e.g. with respect to intellectual property, licensing, and competition. It would seem that there is sufficient legislation and case law to deal with such issues.
No([ID57])
As stressed earlier in this response, the main obstacle at this point in time with respect to outsourcing opportunities would seem to be the stance taken by some national supervisors, and not any standardization or interoperability issue. Furthermore, EU regulators need to step into the financial industry in order to set more concrete standards relating to cybersecurity issues, ICT reporting mechanisms and especially the interpretation of existing regulation, such as the GDPR. Therefore, the development of technical standards and interoperability mechanisms should in all instances complement current rules.
Please see the response to Question 3.12.
No([ID57])
The development of open source models is useful in the areas of scientific research and public administration, and open source is increasingly a feature of a number of core developments in the domain of innovation. However, when considering the private sector and the banking and finance areas in particular, it needs to be ascertained that data protection rules and cybersecurity requirements are fully met. Finally one stands to be convinced that European institutions would be better placed to operate open source model libraries.
Indeed incumbents are encumbered by a net of regulatory and supervisory obligations, which taken in isolation may appear justified at a given point in time, but which combination makes it very difficult to attain in a balanced way the objectives of consumer protection, financial stability, innovation, and single market. In particular, the Commission initiatives leaning on “ramping price regulation” (e.g. SEPA Regulation, Card Interchange Regulation, Payments Account Directive, revised Payments Services Directive), which in part impose on incumbents the provision of services without the possibility to recoup the costs of these services, are not helpful in a context where one would wish to promote innovation, which requires research and development, and trials and proofs-of-concept, i.e. initiatives which do not behold a guaranteed positive outcome. In short, any intrusion of the legislator in the business model of incumbents cannot but have a negative impact on the innovation policy – often promoted by the same legislator. Here again, coherence should be the first ambition.
Whilst ESBG considers that the free flow of data is important in the context of the development of the Digital Single Market, ESBG would side with the EDPS (European Data Protection Supervisor) in considering as problematic any disposition “introducing the idea that people can pay with their data the same way as they do with money”. In the same vein, the suggestion to provide “fair compensation when their data is processed by service providers for commercial purposes that go beyond their direct relationship” conflicts with Art. 8 of the Charter of Fundamental Rights and Art. 16 TFEU. The EDPS is right to emphasize that “fundamental rights such as the right to the protection of personal data cannot be reduced to simple consumer interests, and personal data cannot be considered as a mere commodity”. Indeed, the broad definition of personal data in the GDPR could suggest that also data “processed…beyond their direct relationship” is personal data (and: who would define what is “beyond a direct relationship”?), the GDPR conditions for valid consent would challenge such consent given against “fair remuneration” (and: who would define what is “fair”?). To highlight the inconsistency of the proposition of “fair compensation” with the philosophy of the GDPR, it must be underlined that the data subject has the right to withdraw his/her consent at any time. Thus, a data subject could receive fair compensation, and then withdraw his/her consent. In ESBG’s view, “free flow of data in the Digital Single Market” should mean applying the principles of a free market economy and freedom of contract to the issue of data provided and/or processed in a contractual relationship between a client and a financial institution (this relationship including the requisite prior customer information). Banks have always been a custodian of their clients’ data and processed such data mainly in a contractual context or to comply with legal obligations.
This can include checks for AML/CTF in payments, or credit scoring in loans and mortgages as legitimate parts of processing in the context of a contractual relationship.
A range of technological solutions are available for storing and sharing financial data. The selection of a certain technological solution is first and foremost a function of a set of criteria, such as the scope of the financial data concerned, the relationship between the provider(s) of such data and the intended audience, the required level of security, integrity and confidentiality, the amounts of data to be stored, the number of consultations requests, … There are at this moment a fair amount of open questions with respect to distributed ledger technology (DLT), including governance, standards, capacity, reliability, costs… Until such moment where more is known from the many pilots and proofs-of-concept currently underway, it will be difficult to opine whether DLT can be considered as a potential candidate for the storage and sharing of financial data. As the Bank of Canada has concluded in a recent statement, after a one-year experimentation period of its payments’ modernizing roadmap, “Could DLT underpin an entire wholesale payment system? The answer is maybe one day, but there remain many hurdles to overcome. The bottom line is that a stand-alone DLT wholesale system is unlikely to match the efficiency and net benefits of a centralized system. In fact, at its heart, there exists a fundamental inconsistency or tension between a centralized wholesale interbank payment system, as we have now, and the decentralization inherent in DLT. At the end of the day, interbank systems must be safe, secure, efficient and resilient, and they must meet all international standards. DLT-based platforms are just not there yet.” Even though we recognize that the statement relates only to wholesale payments, it really needs to be taken into account. Among the reasons for the lack of reliability, scalability is a central problem.
Ledgers that add transactional histories on top of one another may challenge storage capacity over time, and the complete reliability will depend upon the design choice, such as the choice of consensus algorithm and the standardization of protocols across DLT systems.
No([ID57])
Digital identity frameworks are in the process of developing. The key issue for the Digital Single Market will be to ensure that as rapidly as possible the questions surrounding the implementation of the eIDAS Regulation, the transposition of the revised AML Directive and the implementation of the GDPR are resolved, and that the private sector is assured to be able to access and use the eIDAS framework in the same way as the public sector.
The key challenge with regard to personal data protection when using DLT is that, in principle, information stored on a chain is visible to all the parties who have permission to access that chain. Whilst it is possible to limit the number of counterparties who can access a chain (permission-based system), such a construction would be in contradiction with any “library-type” intent. DLT raises many data protection issues, as it still cannot assure that confidentiality and data privacy can be fully ensured. This is especially important in permission-less systems, but even permissioned ones cannot ensure it yet. Replication of a whole ledger recording transactions among a range of users poses risks to data privacy. Public ledgers provide no possibility to modify previous transactions (a key property of a DLT system is that it displays the entire transaction history on a chain), then excluding the right to be forgotten. The ability of DLT designers to anonymize ledger entries is going to be an important point, though it currently is a technical challenge; without it, it could be a serious legal hurdle. Moreover, the ability to maintain the secret nature of private keys and achieve the desired security properties of public key encryption is a complex and challenging undertaking, and the success of the protection of keys and cryptographic data will depend upon the strength of protocols and consensus agreements for key generation, storage, distribution, revocation, and destruction. Finally, participants will have to agree on the extent of information that is shared and whether the complete set of information will still need to be entrusted to a central institution (e.g. clearing houses).
Information systems and technology-based solutions have the potential to do for risk profiling of SMEs (and other users) exactly what they do in many other contexts, i.e. (compared to a non-digital environment) assist decision-makers in processing more rapidly vastly greater amounts of information and data and making a range of recommendations from which to choose. Whether a digitalized risk-profiling represents an “improvement” will be greatly depending on the information and data processed, on how these are processed, on the objectives and criteria given to the systems to produce recommendations, and lastly on the quality of the communication and understanding between the parties (i.e. respectively assessors and assessees).
If SMEs comply with applicable in most Member States, and if authorities enforce such legislation, then SME financial data has to be published and is (generally) accessible to the public, including alternative funding providers. It is up to the latter to devise (a) business model(s), processes and systems through which they gather sufficient information to make credit decisions on their intended targets. It should be stressed that alternative funding providers should always be subject to supervision and regulation, in order to ensure a fair level competition, and prevent any financial instability (“bubbles”) to erupt. In this respect it is useful to refer to a recent report of the FSB and CGFS, which i.a. concludes that whilst “FinTech credit platform’s heavy digitalization of processes and specialized focus may lower transaction and entail convenience for end users [and] also increase access to credit and investments for underserved segments of the population or the business sector […] there are a number of potential vulnerabilities that might impede the future growth of the industry […] the financial performance of platforms could be substantially buffeted by swings in investor confidence …] financial risk in platforms may be higher than at banks due to greater credit risk appetite, untested risk processes and relatively greater exposure to cyber-risks”.
Whereas cybersecurity is an issue that has recently captured the attention of supervisors and regulators, it does not, as such, warrant any “additional (minimum) requirements” for financial service providers and market infrastructures. Indeed, an ample regulatory and supervisory framework is already in place which compels financial service providers and market infrastructures to ascertain that they are guarded against a wide range of risks and threats. It is both the strategic and operational responsibility of each financial service provider and market infrastructure to ensure that it has both the technical, procedural and human resources in place to prevent, detect, and remedy rapidly also any cyber-attack. Of course, cyber-security calls notably for new skills, and new procedures, which the institutions and infrastructures concerned develop, also in coordination with their supervisors, and which the latter duly audit. As highlighted in the response to Question 3.1, instead of devising additional requirements, there are a precise range of actions that are expected from European and national authorities in order to assist financial institutions and infrastructures in preventing and detecting cyber threats. These actions should be introduced without any further ado. Cybersecurity must be prioritized as the main risk arising from technological innovations. Data is being spread among many more databases and infrastructures and cyberattacks have recently taken a step forward in terms of frequency and complexity. In particular, the following measures should be taken: - Harmonization of formats, procedures and periods for security (IT) incident reporting to avoid overlap and redundancy in reporting to multiple competent authorities (NIS Directive, PSD2, Data protection regulation, Single Supervisory Mechanism SSM). A one-stop-shop mechanism based on the principle of “one incident, one report, one authority”.
- Clarification of the definition and criteria to determine the major incident to be reported. - Common and homogeneous criteria to understand the level of significance and severity of a security incident.
As highlighted several times in 2016 during the Commission’s “Bankers’ Roundtable” process, financial institutions require that the work they perform to prevent, detect and remedy cyber threats and attacks gains in effectiveness through the sharing of critical information between peers and with public authorities, both at national and cross border level. To that end they urgently need assurance that such sharing does not infringe their obligations under the General Data Protection Regulation, and that such sharing will not be frowned upon by competition authorities. The former issue could be effectively addressed by interaction between the European Data Protection Board, EBA and the ECB in the context of the Single Supervision Mechanism. Lack of harmonization and standardization of cybersecurity requirements has held the management of cyber risks reduced to individual entities or small groups of banks. However, incident reporting and exchange of information between industry participants is necessary to develop an integral cybersecurity strategy. In order to achieve that, it will be necessary to: • Establish a constant dialogue between the European Central Bank in the context of the Single Supervisory Mechanism (ECB/SSM) and the relevant stakeholders (banks, banking associations, etc.) on methodologies/processes for incident reporting and cyber risk assessment. • Establish a mechanism able to extract and distribute to banks best practices, deriving from incident reporting, in order to support incident and fraud prevention and early warning.
National authorities and the ECB are already conducting resilience testing in financial services. Such tests should certainly be continued, and we do not see any further need for coordination. A contrario it would be very useful to exchange (between selected parties) findings and lessons from such tests.
Banks have been “heavy users” of information technology for decades and have always implemented technology for the benefit of their customers. For a given technology, use depends on a cost-benefit assessment, which each bank has to perform in its own individual context. A specific example could be Augmented Reality (AR), which may not be ready to be adopted by the mainstream at present, yet could affect consumers’ access to finance in different ways. As diverse initiatives have shown in the banking sector, AR can be used, for example, to allow customers to find their nearest branch or ATM as well as locate offers and deals when walking into a shopping mall or down the streets. Also, thanks to better data visualization traders needing to make important data-driven decisions quickly will be better positioned to view, analyse and manipulate large quantities of complex data faster through more intuitive AR interfaces. Likewise, headsets using AR can be used to layer complex data sets that enable traders to visualize and make decisions collaboratively with clients. Additionally, customers who aren’t able to visit a branch – or don’t want to – will eventually be able to have meetings with bank staff in the comfort of their own homes or offices, as AR can enable realistic person-to-person interactions that will feel like both parties are in the same location. Not only is this experience better for the customer but, without the need to invest in physical branches, could also reduce costs for banks.
Don’t know / no opinion / not relevant([ID58])
 
 
an organisation or a company(organisation-replying-as)
 
Confederation of Danish Enterprise
 
Yes(yes-transparency-register)
0330934426-12
Industry association([ID9])
 
50 to 500 employees([ID7])
 
 
Denmark([ID27])
 
Accounting([ID4])
Auditing([ID7])
Crowdfunding([ID7])
Payment service([ID9])
Technology provider([ID178])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
The majority of our members are SMEs. We are seeing an increasing interest in alternative sources of finance, amongst them different FinTech solutions, from our members. We would like our members to have a big variety of FinTech solutions to choose from, in order to make it possible for them to access the right kind of finance at different points in their lifecycle.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
Yes([ID56])
National regimes to crowdfunding fragment the market. It creates barriers to the cross-border activity of crowdfunding platforms and complicates the legislative environment for new platforms. Furthermore it also creates a fragmentation in the protection of consumers/investors, as the regimes differ. Today cross-border crowdfunding is limited, but for it to pick up the Commission should ensure that the national regimes do not create unnecessary barriers. One way to ensure the functioning of the internal market is to establish a passporting right for FinTech firms, including crowdfunding platforms. This will however only solve part of the problem. If the national regimes develop in very different ways, it will create an unleveled playing field, as platforms established in less regulated member states can passport themselves into more regulated member states. The Commission should monitor the development, and if deemed necessary consider a European legislative instrument or guidelines.
The Confederation of Danish Enterprise recommends the Commission to continue the effort on sharing of best practices between member states and especially keeping the dialogue between banking associations and SME association open. The high-level principles on feedback from banks is a good beginning, but it could be further developed with regards to the banks’ referral of rejected SMEs to alternative financing suppliers. In Denmark we are working on establishing a platform where SMEs can find all authorized suppliers of alternative finance. Such one-stop-shops should be encouraged in all member states, and once the market is more mature at EU level.
It is important that fund-raisers and platforms are transparent. The self-regulatory approach seems to be appropriate, as it is able to adapt to the fast changing environment.
 
Don’t know / no opinion / not relevant([ID58])
 
 
For our members access to affordable finance is essential. FinTech contributes to this goal, as it gives the companies alternatives to traditional and in some cases expensive bank lending.
Digital transformation and deployment of cloud services by FSIs has been constrained as FSIs have sought approval from regulatory to migrate legacy systems or adopt new services, and by the different approaches taken by national regulatory authorities that regional banks must work with. A common EU-wide approach to cloud service deployment among regulatory authorities would overcome the current fragmentation of national guidelines, and bring much needed certainty and speed to the cloud adoption process in the financial sector. Ultimately it would bring down operational costs and increase efficiency for financial services institutions (FSIs). We are therefore encouraged that the European Banking Authority (EBA) has published a consultation paper on 17 May with “draft recommendations on outsourcing to cloud-service providers”. We are encouraged that the European Parliament’s recent report on FinTech highlights the benefits that cloud computing can have for consumers and providers of financial services, and stresses the need for the deployment of “clear and comprehensive European rules or guidelines and for a common approach to the use of cloud computing across NCAs”. We believe that a similarly positive statement from the European Commission about the use of cloud services in the financial sector could also help provide momentum to the ongoing EBA work and encourage a more appropriate pace of digital transformation in this sector. Particularly in the case of distributed ledger technology, the EU should promote open source developments in order to facilitate collaboration and a wider adoption of the technology on the market.
Digital literacy is vital, also in connection to FinTech. Especially it will be important to educate a workforce which is able to understand both the technicalities of the digital developments, as well as the financial technicalities and risks.
A first step towards RegTech is that all compliance reporting etc. should be possible digitally, and the application of the OnceOnly principle throughout would lead to a big reduction in administrative burdens.
A variety of factors, both from the regulatory and supervisory aspect, affect financial services firms from using cloud computing services, including the lack of clarity on the regulations position, the migration process and security of data. FSIs will often be unwilling to use cloud computing services unless the regulator has issued clear guidance on its use. These would provide clarity on how FSIs can address compliance, security and performance standards when engaging a cloud service provider (CSP), so that FSIs (and, ultimately, their end customers) can fully benefit from the potential of the technology while maintaining a safe, stable and secure financial environment. To accompany the guidelines, the regulator should encourage adopting a best practice ‘checklist’ for FSIs when working with CSPs. Also, any guidance issued must be harmonized at EU level. According to the Queen Mary 2016 Study on “Use by Banks of Cloud Computing: An Empirical Study”, despite outsourcing/cloud guidance having been issued by for example, the Netherlands, Spain, Greece and Finland, there are similar but different rules everywhere. If fragmented approaches continue, this poses a risk to the development of innovative financial technologies and clashes with the goal of building a Digital Single Market in Europe.
Yes([ID56])
A European initiative on the free-flow of data, outlawing data localization restrictions is necessary for financial services firms and all other firms to take full advantage of cloud.
Yes([ID56])
Commercially available cloud solutions are available that meet minimum requirements FSIs need to comply with, and can help with ensuring smooth compliance with financial regulation and beyond (for e.g. privacy regulations). FSIs that use cloud computing services also have certainty that their systems are running the very latest versions of software, avoiding “version lag”, where systems may be operating one or two software releases behind the most current versions, and FSIs may thus be exposed to a higher risk of security threats or vulnerability issues. By using cloud computing services, FSIs can exploit far greater computing power, achieve greater availability and resilience of data, and improve levels of security even as they reduce their IT costs compared to on premise delivery models. Further on security, certification is an important benchmark used by Financial Regulators in measuring security standards. There is currently no single recognised industry certification specifically for Cloud Services. However, ISO 27001 is generally considered the most appropriate certification given the high benchmark that CSPs must meet to achieve and maintain it. Other CSP certifications, whilst not specifically relevant to FIs, can be indicative of industry best practice and should also be taken into consideration (for example ISO 27018).
No([ID57])
In this fast developing environment it is essential that the freedom of contract is kept.
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
In relation to adoption of cloud, the largest barriers are: • Lack of clarity from the supervisor: European FSIs and the technology services they use operate across borders in the EU, while the supervision of the use of cloud services by European banks is a national responsibility. While some Member States provide detailed guidance in this area, others are not engaged at all on such issues. Unless the supervisor offers detailed specific guidance, banks will remain reluctant to use cloud services to support core business functions and analytics. • Right to access/audit: Under the EU Markets in Financial Instruments Directive (MIFID), financial institutions have to enable “effective access to data” for national supervisors for audit purposes – and in cases of serious regulatory breaches. It is often unclear to national supervisors, however, whether this means strictly physical access or not and the default supervisory position is a preference for data to be stored on the bank’s premises. • Data localisation requirements: These restrictions are present for banks in some EU Member States (Germany, Luxembourg) but not in others (Netherlands) resulting in fewer service options and higher costs where they are present. We believe that harmonised EU guidelines for the financial sector on how to migrate to and use cloud computing services can go a long way to overcoming these barriers, and facilitate the implementation of cloud computing solutions in the financial sector. In our view, a Commission-backed legislative measure on removing data localisation restrictions is necessary to overcome the divergent interpretations of "effective access".
One important factor to increasing uptake of FinTech is to increase the awareness of the new solutions. This could for instance be done by encouraging/supporting the cooperation between banks and FinTech companies, both by referral schemes and by letting FinTechs help banks innovate. We furthermore recommend the use of sandboxes for innovative FinTech firms.
Don’t know / no opinion / not relevant([ID58])
 
The financial regulation is already heavy and as the member states develop new bespoke regulation for, for instance, crowdfunding, the market becomes fragmented.
Yes([ID56])
EU licensing and passporting would benefit all categories of FinTech, however the most urgent area to address is crowdfunding. A role could be foreseen for ESA in order to ensure uniform implementation and enforcement.
Yes([ID56])
The existing regulatory framework for financial services was not designed with the new small and innovative FinTech companies in mind. The Commission should consider if targeted revisions of the regulatory framework could make it more fit for this new reality. In this context it is important to underline, that we do not support a broad brush SME or FinTech exemption, but rather would recommend use of the "think small first" principle.
Yes([ID56])
Data localization mandates present a major obstacle. They take many forms, including regulations, administrative requirements, procurement policies, and regulatory guidance. They also include, for example, laws based on national security requirements (e.g. for classified data), company record laws, and archival requirements (requiring storage of records in a specific institution inside a country). Many are sector-based, and notably apply to the financial services sector. The main origin of such data localization mandates in the financial sector seems to be the outsourcing rules for financial institutions, included in financial legislation, notably MiFID, or guidance by regulators (e.g. EBA’s 2006 Outsourcing guidelines), which mandate audit- and “effective access”-rights to regulators. Whether the meaning of “effective access” is restricted to physical access only has been a question of great importance. More effective than changing financial regulation would be the removal of unjustified data localization requirements, as it would send a clear signal to both the financial sector and regulators. We therefore support the free-flow of data legislative initiative announced by the Commission in the DSM mid-term review. Another important factor that needs to be taken into account when considering the free flow of data are the local laws used by law enforcement authorities (LEAs) to access data. Some customers are concerned that storing data in another country could subject their data to law enforcement access in that country. In this regard, data flows are inhibited by the lack of certainty about foreign law enforcement capabilities, not only by localization requirements put in place for law enforcement reasons in the customer’s home country.
Yes([ID56])
 
Sharing of best practices should continue, especially with regards to the approaches to regulatory sandboxes
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
No([ID57])
 
Yes([ID56])
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Yes([ID56])
The EU should indeed promote open source models and encourage the development of libraries of open source solutions. Many market players are offering open source solutions, alongside non-open source solutions.
Diversifying the risk of investing in new business models and SMEs further between banks and other sources of finance is positive, for the banks as well as for the economy as a whole. A large number of incumbent firms are today collaborating with FinTech firms to offer innovative services to their customers, gain market share, as well as to reduce development and operating costs.
Removing data localisation restrictions within the EU Digital Single Market would stimulate innovation in the financial sector. Moving on to other issues, such as data access, re-use, and ownership, as with the technologies used to analyze and re-use data, the data market itself is nascent but it is already characterized by tremendous innovation in business models. In any case, data sharing should be subject to the owner’s explicit permission and the conditions for access should be agreed in the contracts. In cases where the data generating company is misusing its dominant position, the Commission should apply the existing competition rules.
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
 
 
As mentioned before national and over time European one-stop-shops/platforms where SMEs can find all authorized alternative finance providers combined with a more effective referral agreement with banks, who have rejected loan applications from SMEs, could significantly mitigate information barriers and improve access to finance for SMEs.
Don’t know / no opinion / not relevant([ID58])
 
 
an organisation or a company(organisation-replying-as)
 
Software and Information Industry Association (SIIA)
 
Yes(yes-transparency-register)
SIIA Transparency Registry ID Number: 502425118410-86
Industry association([ID9])
 
10 to 50 employees([ID6])
 
 
Other country([ID53])
United States
Credit rating agency([ID4])
Technology provider([ID178])
Not applicable([ID181])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
Yes([ID56])
The April 2017 GAO Report entitled “Financial Technology: Information on Subsectors and Regulatory Oversight” is a useful resource in the U.S. context. The report notes that there is “no universal definition of “fintech.” Moreover, it is difficult to quantify the size of the industry, in part because traditional financial firms also provide “fintech” services. The GAO report focused on four “subsectors associated with fintech: Marketplace lenders; Mobile payments; Digital wealth management platforms (sometimes known as “robo advisors”); and, Distributed Ledger Technology. There is clearly a growth in the number of companies in the United States offering new small business financing, student loan refinancing, mobile wallets, and platforms to connect investors and start-ups. The GAO notes also: “Some fintech products and services offer the potential to expand access to financial services to individuals previously underserved by traditional financial institutions.” The January 23, 2017 Citi GPS report entitled “Digital Disruption – Revisited: What FinTech VC Investments Tell us About a Changing Industry” provides information on trends in this area. Broadly, the report describes global developments and provides information on the situation in China, the United States and Europe, which exhibit different tendencies. See below for Citi’s top-line conclusions. “Our conclusion: the rise of the Chinese dragons reflects a unique combination over the past decade of incredibly rapid digitization and the simultaneous rise of the Chinese mass middle class, along with poorly prepared incumbent financial institutions facing off against entrepreneurial e-commerce and social media ecosystems.
It is no surprise to us that China accounted for over 50% of total FinTech investments globally in the first nine months of 2016 (9M 2016) and was the only major region where FinTech investments increased in 2016 — in fact doubling in China in the first nine months of 2016 versus the same period in 2015. In this report we also take a look at how different the FinTech evolution has been in the West: (1) the U.S. pivoted to InsurTech in 2016; and (2) two of the largest U.S. FinTech VC funding rounds in 2016 were in the health insurance space. Big data, the Internet of Things (IoT), and wearable devices, among other trends, will help insurance companies use FinTech to be more creative and customized. So far the InsurTech focus is more about improving distribution efficiency and user experience, as with much B2C FinTech in general.” Europe accounted for only 10% of global FinTech investment in 2015/2016. However, as Citi points out, this is not a surprise because Europe has a smaller VC market than in the United States or China. But, European banks are increasingly interested in FinTech led by BBVA and Banco Santander. Europe may become stronger in B2B FinTech applications with AI applications becoming increasingly significant. EU policymakers might be particularly interested in the interview starting on page 78 with Johan Lundberg, Swedish Founding Partner and CEO of NFT Ventures. NFT Ventures is a VC firm investing exclusively in FinTech start-ups in the Northern European Region. Lundberg expects new customers as a result of increased mobile telephone use. He cites regulations and lack of knowledge as the biggest hurdles, albeit not insurmountable. Lundberg says that it takes longer to change consumer (and business) behavior in the finance space and that “patience” (often two to four years) is required before FinTech startups achieve significant market shares.
No([ID57])
There are legitimate public policy reasons for ensuring that consumers are protected and that there is a competitive and non-discriminatory marketplace that fosters innovation. However, these goals should be accomplished in a technologically neutral way. SIIA’s views on these subjects can be found in this Issue Brief on Artificial Intelligence and the Future of Work and another Issue Brief on Algorithmic Fairness. There are analysts that posit that really smart AI-based machines have the potential to create sustained technological unemployment. Others suggest that this is not the case. See, for instance, this May 8, 2017 ITIF report entitled: “False Alarmism: Technological Disruption and the U.S. Labor Market, 1850–2015.” The overwhelming number of analysts who study these issues agree, however, that in the short-term policymakers should provide additional resources to educational and training programs. It might also be worthwhile for policymakers to consider supporting efficient human-machine collaborations for workplace applications. These are recommendations that are likely applicable to both the United States and the European Union. Johan Lundberg says, for instance, that one reason that European banks have not done more with their vast holdings of data is that they simply do not have the data scientists on staff to make use of the data. The SIIA AI Issue Brief discusses U.S. developments in transportation (the rise of autonomous vehicles), speech recognition, and health care. Clearly, regulators in those sectors need to keep up with AI-driven change in those areas. However, appropriate regulation for each sector affected by AI is the best approach. The same is true of finance. Algorithmic fairness is a particularly sensitive issue in the finance area. For instance, policymakers have an interest in ensuring non-discriminatory access to credit.
It is worthwhile noting in this context that many companies are doing innovative work to expand access to credit using data. For example, one SIIA member company relies on public and institutional data such as educational history and professional licensing, property asset and ownership data such as home ownership and court-sourced items such as foreclosures, evictions, bankruptcies, and tax liens to create an alternative credit score called Risk View. (Note: Policymakers should be aware that there can be a tension between privacy rules such as the “right to be forgotten” and the continued utility of databases – less reliable data could impede the ability to innovate and provide new services to underserved populations.) For a broader discussion of issues surrounding the use of alternative data and modeling techniques in the credit process, see SIIA’s submission to the Consumer Financial Protection Bureau (CFPB). There can be real advantages for underserved groups. For example, one study found that a credit model using only traditional credit bureau data led to a 74% approval rate with a 3% default rate... (Full answer attached in additional information)
 
The primary risk is that there could be discriminatory outcomes as a result of the use of AI and big data analytics. While controversial in the United States, policymakers can avail themselves of disparate impact analysis (relies on outcomes, not intent) to detect and then address discrimination. Policymakers should be alert, however, to the opportunities, not just the risks associated with AI and big data analytics. McKinsey estimates, for instance, that sometime between 2030 and 2050, autonomous vehicles will become the primary means of transportation and could reduce accidents by up to 90%. Clearly, new legal constructs will be needed, but they should be flexible to allow for potentially positive AI outcomes. With respect to robo-advice in the financial sector, policymakers should provide for the same regulatory framework as they do for advice delivered by persons. They should be open to the possibility that robo-advisors could provide access to higher quality financial advice for non-high net worth individuals than is currently the case. The GAO report notes (page 33), for instance, that some traditional firms may require minimum investment amounts of $250,000 or more. Some digital platforms require a minimum of as little as $500. Risks associated specifically with robo-advisors include insufficient or incomplete information from customers; inaccurate or inappropriate assumptions; and, data protection. The important thing is that robo-advisors are deployed by companies and those firms should abide by the same rules on, for example, conflicts of interest as companies that use physical person advisors.
Don’t know / no opinion / not relevant([ID58])
 
1) Adopt a technologically neutral stance. Regulators should focus on the activity in question, not the technology used to conduct the activity. 2) Spread knowledge of FinTech through the EU. 3) Consider regulatory sandboxes in the EU along the lines of the UK Financial Conduct Authority (FCA) sandbox. 4) Encourage privacy and cybersecurity best practices. 5) Promote the free flow of data within the EU. The European Center for International Political Economy (ECIPE) released this December 2016 report entitled “Unleashing Internal Data Flows in the EU: An Economic Assessment of Data Localisation Measures in the EU Member States.” Many of the restrictions ECIPE identifies are in the accounting area, which could impede the development of EU-wide Fintech services. 6) Make reasonable inter-operability mechanisms available to companies so that they can engage in cross-border data flows from the EU to jurisdictions outside the EU. 7) Include Fintech services in future trade agreements, for instance should Transatlantic Trade and Investment Partnership (TTIP) negotiations resume, Fintech products and services should be included.
 
Sensor data analytics is part of the ongoing Internet of Things revolution – see this SIIA White Paper on “Empowering the Internet of Things: Benefits, Solutions and Recommendations for Policymakers.” The Citi report notes that in the United States, a lot of the VC investment in FinTech has moved to “InsurTech.” This Master’s in Data Science report estimates that by 2020, over 25% of U.S. auto insurance premium revenue will be generated via “telematics,” ie sensors. There are challenges as the Data Science report acknowledges such as the lack of sufficient rich transactional data (eg credit card transactions), low consistency data, lack of cash to invest in IT, lack of data scientists, and how to address privacy concerns.
Yes([ID56])
SIIA’s views on this topic are articulated in the July 22, 2016 “SIIA Comments on Artificial Intelligence Request for Information from the Office of Science and Technology Policy.” Price discrimination practices may well be in existence in the AI context. However, although the debate between advocates and opponents of differential pricing is legitimate, the debate should focus on the normative issues, not the technology. “It is not about the AI [or big data], but about the pricing practice. Any public policy response should be about the practice and not the underlying technology.”
 
 
Regulation should reflect risk and societal benefits. Banks should be encouraged to establish partnerships with FinTech companies. In addition, the Commission should encourage further adoption of cloud computing. The Atlantic Council report: “Into the Clouds: European SMEs and the Digital Age” provides policy recommendations SIIA supports. The relevant recommendations are: 1. promoting policies that reinforce the global nature of the cloud; 2. enhancing the business-to-business (B2B) and business administration aspects of cloud computing adoption; 3. setting policies aimed at building operational and legal trust in Europe’s cloud environment; 4. incentivizing public sector procurement and e-governance as instruments to promote SME cloud adoption; 5. increasing awareness-raising and training on cloud computing among EU SMEs.
It is difficult to forecast what the employment effect of implementing FinTech solutions will be. For a discussion of these issues, see the SIIA Issue Brief on “Artificial Intelligence and the Future of Work.” It is possible that lower production costs could allow companies to expand output to meet new demand. James Bessen argued that this happened when ATMs were introduced in an April 27, 2015 Atlantic article entitled “Scarce Skills, not Scarce Jobs.” Bessen links to a U.S. Logistics “Roadmap,” which argues that people with the right skills, not jobs, will be scarce. Johan Lundberg argues that one reason banks in Europe have been slow to adopt FinTech solutions is that they lack data scientists. This is consistent with this World Economic Forum (WEF) Future of Jobs report. The WEF expects that Business and Financial Services employment growth will be flat during the 2015-2020 period. Within the Financial Services & Investors category, WEF says that employment will undergo a “significant shift” with “major job growth for Computer and Mathematical Roles such as data analysts, information security analysts and database and network professionals.” This tracks with the expectation that FinTech applications will grow significantly in the financial sector in the coming years.
The Chamber of Digital Commerce December 2016 White Paper on “Smart Contracts: 12 Use Cases for Business & Beyond” is worth reviewing in this context. The use cases involve the following activities. • Digital Identity • Records • Securities • Trade Finance • Derivatives • Financial Data Recording • Mortgages • Land Title Recording • Supply Chain • Auto Insurance • Clinical Trials • Cancer Research As the Chamber says: “Regulators will likely be more interested in regulating the functions and impact of any new technology itself, as was the case with transactions moving to purely electronic form.” However, there may be unique regulatory challenges stemming from the technology itself. Such challenges could include encryption, how books and records should be maintained, what constitutes “possession” of a contract, what kind of data regulators should be able to access and how and when they will see it. Within the EU, Estonia is the lead Member State in terms of using Digital Identity technology through its Digital ID Card. The EU should maintain the rule that Member States have to recognize other Member State Digital IDs in order to promote adoption of this technology. Another example of innovation in the EU in this space is a recent report saying that the “U.K. Land Registry Looks to Register Property on Blockchain.” If this is successful, transactions will be registered instantaneously and securely.
The December 2016 European Center for International Political Economy (ECIPE) report provides examples of data localisation measures that in many cases could prevent financial services firms from using cloud computing services. For a more general analysis of the challenges facing SMEs, including FinTech companies, in Europe from adopting cloud computing solutions, see again the Atlantic Council report: “Into the Clouds: European SMEs and the Digital Age.” Policy recommendations include promoting policies that reinforce the global nature of the cloud; policies restoring legal and operational trust; developing cyberinsurance markets; awareness and training; building out B2B and the business administration aspects of cloud computing; incentivizing public sector and e-governance as instruments to promote SME cloud adoption; and, building on the Privacy Shield to restore trust in transatlantic data relations.
Yes([ID56])
The EU should have free data flows within the EU and make interoperability instruments available to companies that wish to transfer data outside the EU.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Distributed Ledger Technology (DLT) is still more of potential, than current, use. The GAO reports (page 43) that industry stakeholders have identified international money transfers, private trades in the equity market, and insurance claims processing and management as potential DLT uses. DLT can also be used for “smart contracts,” which automate different kinds of transactions. The World Economic Forum (WEF) released an August 2016 report which says that companies invested $1.4 billion in DLT projects during the 2013-2016 period, which is an indication of the technology’s potential.
According to the GAO report (page 45), there are operational risks including security risks. GAO links to two relatively recent additional reports on potential risks that the Commission may wish to consult for its purposes. See below. Financial Industry Regulatory Authority, Distributed Ledger Technology: Implications of Blockchain for the Securities Industry (January 2017). Financial Stability Oversight Council, 2016 Annual Report (Washington, D.C.: June 21, 2016). DLT holds great promise, but more testing and development is needed. One example of DLT in use that the Commission may wish to review is the Nasdaq blockchain which has been used to enable trades. Nasdaq’s Vice President of blockchain, Fredrik Voss, says that Nasdaq is primarily interested in three blockchain applications: “the post-trade plumbing on capital markets, regulatory transparency, and the relationship between issuers and the investors of an asset.”
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
The Commission should review carefully the European Center for International Political Economy (ECIPE) study: “Unleashing Internal Data Flows in the EU.” In this context, the banking and accounting data localization rules should be reviewed to see whether they hinder the development of FinTech in Europe.
Yes([ID56])
SIIA is a long-standing proponent of technological neutrality when regulations are considered. In terms of a general approach to regulation of FinTech, as the GAO report notes, in the United States the regulation of marketplace lenders, mobile payments, digital wealth management platforms, and distributed ledger technology depends on the extent to which they provide a regulated service. SIIA recommends determining whether the specific application of FinTech encompasses an activity already regulated. If yes, existing laws and regulations should be adequate to regulate the activity. If not, new regulations might be needed, but we do not expect this will be needed for the majority of FinTech applications.
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
SIIA does not take a position on who should run a FinTech sandbox, but we do encourage the Commission to consider a cross-border regulatory FinTech sandbox.
 
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
A permissive environment for cloud computing, including cross-border data flows, would facilitate the efficiency and interoperability of FinTech solutions.
Don’t know / no opinion / not relevant([ID58])
 
It is too early to say what the effect of FinTech will be on incumbent firms. It is worthwhile noting, however, that the Citi report suggests that established banks in the EU will be important FinTech adopters.
As discussed earlier, the free flow of data is absolutely essential for the development of a Digital Single Market in financial services. With respect to the compensation question, SIIA urges regulatory caution. The reality is that data “markets” are not very developed, with the exception of some easily managed data handled by “data brokers.” The value from data often stems from the algorithms and uses for data which firms develop. It is possible that more fungible “commoditized” data markets will emerge in the future. These markets should be monitored by policymakers. To the extent that they encourage innovation, it might be worthwhile considering supporting such markets.
One of the major benefits of DLT is that it could increase transparency among financial market participants and be more reliable than current mechanisms. But scaling this up will take some time, although perhaps less time than often understood. This Bain & Company report looked at how using seven different technologies within a 3-5 year period, including DLT, could affect a prototypical German insurer and thus by extension the global insurance industry. DLT has the potential to reduce processing times for claims processing considerably.
Yes([ID56])
Digital identity frameworks are possible as, for example, Estonia shows. See this piece on the Estonian example and the quote from a satisfied user of the Estonian system. “Financial transactions, almost 100% is happening online. My last time to the bank was five years ago. In that time I’ve got a home loan, I’ve leased a car, I am making all my payments every month online.” Note that SIIA considers that law enforcement authorities, upon obtaining a warrant, have a legitimate right to know who is associated with a given digital transaction. For example, in the recent ransomware hacking scandal, hackers demanded to be paid in Bitcoin. As the NYT reports, this is because although Bitcoin transactions are recorded in the blockchain, unless a real-world identity is associated with a Bitcoin address, it can be difficult to pursue suspected criminals.
The FINRA report: “Distributed Ledger Technology: Implications of Blockchain for the Securities Industry” has an excellent discussion on this subject starting on page 16. Financial privacy laws in the United States are complex and rigorous. The fundamental challenge is that customer information and transaction records are shared by all parties on the network. As FINRA notes: “Even where the data is encrypted, it may be vulnerable to being exposed or accessed by undesired parties on the network.” The challenges can be overcome, however, if companies ask themselves the following kinds of questions. -- When participating in a DLT network, what procedures and security measures will the broker-dealer need to adopt to ensure compliance with customer data privacy related rules and requirements? -- What restrictions will be placed on network participants’ access to such information? -- What security measures and protocols need to be considered to ensure data privacy and to ensure that PII is not compromised or stolen? -- As noted in the previous section, to the extent PII is shared on the network, how would broker-dealers ensure compliance with Regulation S-P and other privacy-related rules and regulations? -- What disclosures will be made to customers regarding the privacy of their information? -- In the event the DLT network facilitates transactions and information sharing with entities in foreign jurisdictions, how would broker-dealers ensure compliance with foreign privacy requirements and potential conflicts in related requirements across different jurisdictions?
This 2015 OECD report on “New Approaches to SME and Entrepreneurship Financing: Broadening the Range of Instruments” is worth reviewing. There is an interesting discussion on crowdfunding for SMEs in the report. Crowdfunding is a very small percentage of SME financing in both the United States and Europe, but there is potential for it to grow – see page 59.
 
 
 
 
 
Don’t know / no opinion / not relevant([ID58])
 
an organisation or a company(organisation-replying-as)
 
Data Science Laboratory, University of Pavia
 
No(no-transparency-register)
 
Academic institution([ID4])
 
more than 5000 employees([ID9])
 
 
Italy([ID36])
 
Other([ID180])
Academic Professor of data science in economics and finance
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
Our data science laboratory at the University of Pavia is primarily involved in research on FinTech applications in several areas, as long as they are concerned with big data, artificial intelligence, machine learning and, more generally, data science methods. We are particularly focused on financial network methods, where we have several highly cited publications. I would like to see more FinTech solutions in P2P lending, asset management advisory (robo-advisory), insurtech and regtech. In all cases I hope these solutions improve the degree of transparency for consumers, making a good use of the increased amount of data (big data) which can be leveraged by Fintechs. I attach to this opinion a position paper written by myself with a collaborator of mine at the data science laboratory that exemplifies this point, in the specific context of P2P lending.
Yes([ID56])
Yes, the combination of increased internet access and enhanced user-friendly applications is increasing the accessibility of financial services. If data are correctly employed by Fintechs, their services will well match user needs. To this aim regulators at the EU level should define appropriate standards to evaluate the performance of Fintech Services. For example, in P2P lending a good standard can be described by a reasonable level of default predictive accuracy; in advisory asset management (or robo-advisory) a reasonable level of risk-profile matching. In the attached position paper I exemplify how this can be done, on a real test data set.
Yes([ID56])
Yes, but supervision should be at a "second level" in the sense that instead of checking the compliance of the code and or of the used data, which would somehow limit the autonomy and the degree of innovation of fintechs, AI and machine learning algorithms should be evaluated in terms of their actual results on real data, evaluating their predictive performance (eg in P2P lending) or their risk-profile matching (in advisory asset management or robo-advisory). I exemplify this point in the attached position paper. I do not agree with the view that algorithms cannot be checked, as codes cannot. Instead, algorithms should be evaluated as they are in mainstream banking (eg in terms of backtesting as detailed in the Basel regulation and CRRD directives). This to provide a regulation that is "technology-neutral" and does not favor Fintech solutions over incumbent banks (including smaller cooperative and retail banks, which well serve the needs of many consumers and SMEs)
It depends on the service. In P2P lending the service should include detailed information on the risk profile of the different position; on the observed default rate per rating class; and on the overall accuracy of the employed scoring algorithm in terms of predictive performance (Mean squared error of the predictions, AUROC or misclassification errors: see the attached position paper for details). In asset management advisory similar information on the risk profile of the position, plus a measure of the "average" matching between the risk profile of the customers and the actual portfolios (In our data science laboratory we are working on this kind of measure as well)
The main challenges and risks are concerned with a) cybersecurity; b) information risk, in the sense that the algorithm may not represent information in a way that leads to a fully informed choice by the investor/lender. For a), which is less related to our core field of research, operational risk management practices should be recommended and enforced; for b) see my previous comment, algorithms should be checked in terms of their "second level" characteristics: predictive performance and risk profile matching
Don’t know / no opinion / not relevant([ID58])
 
By providing a regulatory framework which is minimal, to foster their development but, at the same time, is effective in mitigating cyber risks and information risks. To this aim, and in view of a regulation which is technology neutral, and does not favor fintechs over incumbent banks, and that is proportional, second level controls on the algorithms should be introduced, checking their predictive performance and/or profile matching properties with precise statistical backtesting indicators (see our attached position paper for some suggestions)
No, self-regulatory initiatives are not sufficient, as there are informational asymmetries. For example, P2P disintermediate risks, and therefore, may increase volumes at the expense of "derisking" positions. Supervisors, or independent bodies appointed by them, should check the correctness of the algorithms not in terms of their coding but of their actual performance (predictive performance or risk profile matching): see the attached position paper for details.
Yes, insurance is becoming very flexible, for example with instant insurance being provided depending on sensor data that reveal what we are doing and where we are. The challenges are several, but the main ones relate to cybersecurity and informational risks, which can be tackled, as previously described, with sound practices of operational risk management and of second level controls on the outputs of the algorithms.
Don’t know / no opinion / not relevant([ID58])
 
Using network data, obtained from social networks but especially from transactional payments data, to improve predictions of credit risk and/or of asset management prices. DLT technology can help in this direction, automatically providing transaction data which can be properly analysed, with network models, to improve statistical predictions.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Because of the increasing convergence between asset management, banking and insurance caused by fintech evolution, an integrated legislation that reduces the compliance burden, and improves proportionality, would be desirable.
Establish common principles at the EU level, possibly common across the different industries (banking, insurance, asset management) and apply them operationally within national sandboxes
Yes([ID56])
Through sandboxes, at the national level, that encourage active learning on both sides: of the fintechs and of the regulators
Divergent regulations across the EU. In general, it is not true that fintechs are not regulated at the moment. They are partially regulated as classical banking or payment or finance applications, however in ways that diverge between countries and activity field. It would be optimal to harmonise such micro regulations, which are often a barrier, between different service fields and across member states. Also care should be paid in fiscal incentives or de facto disincentives to fintech, such as favorable taxation that applies to incumbents and not to fintechs.
Yes([ID56])
Yes, as fintechs cannot easily be confined within national borders. ESAs may play a role in pan-Eu registration and supervision, possibly with the help of independent bodies and/or academic advisors to check correctness of the algorithms of the fintechs, in terms of their actual performance (as in the attached position paper)
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
 
Sandboxes and possibly accelerators are desirable, at the national level. Innovation hubs should be developed at the larger EU level, also leveraging collaboration with the academia
Yes([ID56])
ESAs can operate at the EU level and on a principle based level. Supervisors can act at the national level too.
Yes([ID56])
They should be organised with an open call for competences, to make sure that all potential expertises are gathered. Then with some preliminary workshops, at the EU level, to kick-off activities and see how experts interact together. Then with the finalisation of a panel of experts, on the basis of the demonstrated ACTUAL expertise during the workshops (and not only on the self certified expertise) which can operate for a given period of time (eg two years).
Yes([ID56])
 
No([ID57])
 
Involve academic partners to launch a financial education programme aimed at training possible fintech developers and also to raise awareness of the users on fintech services and applications and on transparency use cases.
Don’t know / no opinion / not relevant([ID58])
 
Don’t know / no opinion / not relevant([ID58])
 
 
Don’t know / no opinion / not relevant([ID58])
 
FinTechs can constitute a formidable challenge to incumbents, stimulating them to provide services better tailored to user needs,
Very important. Service users should be compensated with more transparency, for example they should know how their scoring/rating is calculated, in P2P lending, and how their risk profile class is determined, in asset management, in a clear and simple way. See e.g. the attached position paper for details.
It could provide an "automatic" tool to transactional network data generation, which may then be analysed with network models, to improve predictions of risk and of credit risk in particular.
Don’t know / no opinion / not relevant([ID58])
 
 
Very much, if they are properly implemented they can capture transactional network data between individuals and or companies which are a formidable data source to make accurate credit risk and performance predictions
By providing them greater transparency, for example on how their scoring/rating is calculated, in a "shared" way.
Requirements similar to those contained in operational risk management practices of banks.
 
 
Widespread use of transactional data, possibly encouraged by the development of DLT technologies
 
 
an organisation or a company(organisation-replying-as)
 
Labex Refi - Axe Fintechs and Regulation: Prof. Dominique Guégan and Dr. Bertrand Hassani
 
No(no-transparency-register)
 
Academic institution([ID4])
 
more than 5000 employees([ID9])
 
 
France([ID30])
 
Financial market infrastructure (e.g. CCP, CSD, stock exchange)([ID6])
Regulator([ID174])
Other([ID180])
Academic Research on Financial Regulation
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
 
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
A clear oversight of A.I is required, but to be able to achieve such a task the appropriate control framework should be created, i.e. a sandbox or a virtual environment allowing to test the algorithms and the infrastructures in real conditions before they are actually used on the market, a stress test process and appropriate on-going risk measures and metrics.
This question depends on what is the service and considering all techs companies similar might lead to inappropriate suggestions.
The conduct risk associated to the use of big data analytics and artificial intelligence is not negligible, and present at multiple levels (use, data, model risk….). For instance, in terms of mis-advising (who is responsible if you decide to use an open system without asking any one’s advice; is it the company’s accountability or the user). Regarding the use of unstructured data, the question of data ownership is central. Finally, the model risk associated to the underlying methodologies can be dramatic as we are talking about dynamic methodologies, and therefore the model risk governance is far more complicated to implement. Only strong regulatory, supervisory and legal framework can help overcoming any future issues.
Don’t know / no opinion / not relevant([ID58])
 
We would recommend the Commission to provide a robust framework to support further development of Fintechs solutions to avoid failures that could be detrimental to customers. Besides, they have to adapt their regulatory framework to avoid money laundering issues, conduct risk issues etc. Besides they need to ensure that the framework provided is homogeneous across European countries.
 
 
Don’t know / no opinion / not relevant([ID58])
 
 
 
The use of these technologies and their long term implications are not trivial, therefore it is really important that the EU ensure that these are understood and no “buzz”/ “I want to be the first on the market at all cost” attitude are allowed. Caution should be a principle as, as soon as the market micro-structure is impacted, changes are far more complicated to undertake.
Change management will be key as well as the inclusion of the largest number of people in this evolution. The formation of the actors will be a key point: deep knowledge of all the deep learning methodology is an initial entry to implement Fintech solutions.
 
This question is more a legal question related to the cyber security of the clouds, however, a priori, cloud computing services are not necessarily riskier than others as once again, the main issue will come from how the transition to these technologies is handled. In any case, we would recommend the EU to create a certification/ norm to ensure that minimum requirements are met.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
Most efficient solutions on the cloud market have been the results of huge investments over the past 2 decades, therefore we believe that, as of today whatever the standard issued by the EU, this one should be based on what can be provided by market leaders. We believe that reaching the same level of robustness in a few months/ years would be really complicated.
Yes([ID56])
 
DLT needs to be precisely defined: it includes blockchain and all the distributed ledgers are not blockchain, thus it is complicated to have a correct approach for these two different approaches. We can distinguish also, public blockchain from private blockchain (ftp://mse.univ-paris1.fr/pub/mse/CES2017/17020.pdf). Nevertheless the distributed ledgers can provide facility for secured transfers (transactions but also all kinds of notarial deeds, diplomas, etc.) and velocity. At present, the use of the private blockchain can be categorized into three categories: (i) Applications for the transfer of assets (monetary use, but not only: securities, votes, industrial patents, connected objects, security of diplomas, stocks, bonds, etc.); (ii) Applications of the blockchain as a register: this ensures better traceability of products and assets; (iii) Smart contracts: These are stand-alone programs that automatically execute the terms and conditions of a contract without requiring human intervention once started.
The main challenges are a perfect knowledge of the technology used, its technical nature, its limits, how to use it, and the risks associated.
In the "private" case, the blockchain replaces the centralized "trusted third parties" (bank trades, notaries, cadastres, etc.) by distributed computer systems. It is necessary to analyse and to control the risks, the security, and the cost. What are the economic, legal, governance or ecological boundaries, and also all the questions around taxation, territoriality, property (to be identified and argued).
Yes([ID56])
As of today, the problem is that the framework is not adapted as Fintechs are quickly created. The right question to be asked is what would result from a failure of these outsourced solutions in terms of business continuity. Consequently, the construction of this framework should be carefully undertaken.
No([ID57])
There should be a licence for TPPs provided by local regulator to authorise them to operate because their operations will directly impact both banks activities and their customers, generating by the way a systemic risk.
 
We would recommend increasing the coordination of all regulatory agencies to make sure that Fintechs cannot benefit from regulatory arbitrage opportunities to operate on the single market. Uniformisation between national and European practices is the only way to avoid potential arbitrage opportunities.
 
Yes([ID56])
The supervisory activity is key to ensure the success of the Fintech evolution and to avoid creating a new systemic risk.
For instance if we consider the legislation around Bitcoin which is managed by a public Blockchain, the divergence of legislation between US, some countries of Europe, India, Brazil and other South American countries, Manila, etc. creates difficulty or opportunity for providing services. Can we restrict the reflection only to Europe on this subject as soon as the banks are implemented around the world, and the smart contracts, for instance can be developed in any subsidiary company?
Yes([ID56])
As for question 3.1, we would recommend increasing the coordination of all regulatory agencies to make sure that Fintechs cannot benefit from regulatory arbitrage opportunities to operate on the single market.
Yes([ID56])
We are at the beginning of a market evolution, therefore the transition should be handled smoothly and the change management carefully. We will see failures, it is actually a requirement for improvement, however we need to ensure that these failures are not dramatic and are not systemic.
Yes([ID56])
The data should be used with respect of the will of the data owner. However, we do not have yet the ultimate answer to that question. We believe that is the issue European lawyers should tackle first.
Yes([ID56])
Yes, but these are not sufficient, homogeneity is key too.
We believe that a department within the ECB should be created to coordinate the various initiatives, and centralise findings and information.
Don’t know / no opinion / not relevant([ID58])
 
Yes([ID56])
This was our proposal 2 years ago to the European Central Bank – SSM. This is a necessary condition as soon as non-aligned people are listened to. Indeed, these people have the state of mind of what led to Fintechs and therefore are more inclined to offer appropriate solutions.
Yes([ID56])
Indeed, the biggest current weakness in Europe is the lack of convergence and coordination (though we obviously acknowledge the fact that it is not easy to reach), therefore the more harmonisation, communication and coordination, the better.
Yes([ID56])
 
 
No([ID57])
It is a bit early as the legal framework on the topic is still embryonic, besides some law and regulation might be contradictory, e.g. right to be forgotten vs PSD2 with respect to data transmission and usage in some countries.
Don’t know / no opinion / not relevant([ID58])
 
 
Yes([ID56])
Community supported/ open source systems are as of today the most efficient (R, Linux, etc.), as they are the most up-to-date regarding robustness, security, or integration of advanced methodologies. Consequently we would recommend relying on them as much as possible bearing in mind that all strategies have their limitations.
 
One may think that customers would be naturally compensated by being offered better (more secure, more appropriate, etc.) services, therefore any other compensation might be considered redundant. However, in the case these data are used to improve other people’s services and not directly their own, we might want them to be compensated one way or another. Therefore, the various situations should be carefully considered.
The cryptography which underlies the DLT is known for its security creating blockchain with their time stamp. Nevertheless there exist different ways to use it and it is the reason why it is necessary to differentiate the different DLT we have in mind. It is not the same to work with a public blockchain or with a private one. These systems are not indefinitely secure, all depending on who “controls” and who “codes”. Bugs may also exist in these approaches. Quantum computing will probably be the next step to support improving the reliability of these systems, but is not yet fully operational.
No([ID57])
The digital identity is an important question. Working with a Blockchain approach everyone can have several private keys. Therefore, the question is how to be sure, when we use a digital key, that it is the true/right person who uses it. For the moment, it seems that we need almost two different pieces of secure information to validate the identity of the person who uses the system. Thus the answer to this question is open.
First it is important that the person in charge of the personal data protection knows exactly all the risks associated to the system. For the moment, it is a very small community of developers who have the “deep” knowledge, but everyone wants to play with this technology. We think that the knowledge of this technology is still in its infancy by most of the users and it will be necessary to validate the exact knowledge of the persons having the responsibility to use the DLT. For most people, it is a black box and they do not imagine and/or understand the limits and the risks associated to it.
Key words here are data and information, using non-structured data could lead to better risk profiling of SMEs (for example trip advisor for restaurant and hotels, or public tax authority data for any company, among others), so systems allowing to gather these types of data dynamically (real-time) would mechanically support a more appropriate profiling of SMEs.
We would recommend opting for a reciprocity principle in which what benefit from one should be transferred to the other, as the data holder should be rewarded to securely hold and transfer these data.
The question of cyber security is very complicated to deal with as what is considered secured today, might not be tomorrow as attacks (types and patterns) have a tendency to evolve faster than the controls and the mitigants implemented. Most systems considered secured have just not been properly attacked yet, due to the opportunist character of most attacks and the lack of research involved, but it does not mean that it will not happen in the future. We would recommend bearing in mind that systems are only secured up to a certain extent.
 
Scenarios and stress tests should be systematically implemented to ensure system resilience (up to a certain extent) and security. The question is to imagine robust stress scenarii.
 
Don’t know / no opinion / not relevant([ID58])
 
 
an organisation or a company(organisation-replying-as)
 
Dutch Banking Association
 
Yes(yes-transparency-register)
51894741860-19
Industry association([ID9])
 
50 to 500 employees([ID7])
 
 
The Netherlands([ID51])
 
Banking([ID8])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
It is important to provide customers with more choice and better conditions by facilitating digital Fintech solutions for retail financial services. We see that customers are increasingly interacting with banks in a digital, at times even a digital-only way. As such, being able to offer financial services in a digital way has become the new baseline. We experience that both banks and non-banks are developing new and innovative customer services that will increase competition and consumer choice. Most Dutch banks are also developing their FinTech solutions and collaborating with FinTechs on the market. Digitalization in retail banking will increase accessibility and convenience for clients. FinTechs see the niche and specialize in it, which means they are able to bring a solution to the market quickly. For the longer term, relevant FinTech applications are data analytics, AI, DLT, machine learning and robotics.
Yes([ID56])
Yes, we believe that those services are, in general, better adapted to user needs. It is not the automation in itself that contributes to aforementioned personalization proactivity, but the underlying algorithms that are able to identify specific client characteristics. FinTech offering these services are launched and attracting customers. Incumbents are slowly launching such advisory services as well. They differ, however, as to what exactly is automated (risk profiling, asset allocation, asset selection, portfolio monitoring, rebalancing, …). The services are clearly digital, but the use of AI is still limited. Peaks is a good example that reaches out to more/new groups of customers, but doesn’t show evidence yet in its current phase of development.
No([ID57])
At the moment we do not think this is needed. We believe that only in exceptional/extreme scenarios enhanced oversight is needed. We think transparency of markets is first line of defense against imperfect systems and markets and even for fraudulent AI systems. We see a (known and obvious) downside to implement enhanced oversight and regulation: it will most likely slow down developments in this area. We believe that the type of oversight that is in place for IT systems applied by banks today are sufficient to address the risks embedded in AI solutions. A known risk is algorithmic bias. Models cannot look beyond the data they have been trained on, so whenever the training data is skewed or too narrow (and this is often the case), the model output will be biased too. One should be aware that a model, how intelligent the output may seem, is a mere representation of reality. A model can help users grasp certain elements of reality (a prediction, a categorization) but doesn't necessarily show the complete picture. That is why a human in the loop is essential: we are, unlike machines, able to take into account context and use general knowledge to put AI-drawn conclusions into perspective. I can imagine new roles emerging that evolve around checking model output from a human point of view.
This is a question that cannot be answered beforehand and differs for each case. In contrast to 'traditional' linear regression analyses, unsupervised machine learning techniques (which are more and more often central to AI) don't involve specifying the relevant variables beforehand. The self-learning algorithm will determine autonomously which variables contribute to a certain output (prediction or categorization). Any information requirements should be proportional, dependent on the amount of money, risk profile. This should, and in many cases is already, defined by local regulation on investment advice, i.e. suitability test and KYC requirements.
A mix of different measures is already in place. Of course companies active in the EU will have to comply with the GDPR from May 2018, but we believe it would be beneficial for both individuals and society if companies also formulate their own (ethical) guidelines when it comes to AI. In addition, explainability of model output remains a challenge. Deep Learning, a subset of machine learning that attracts a lot of attention nowadays, is not only known to be effective in learning from big volumes of data but is also known for being a 'black box'. Reconstruction on how certain model output was achieved is still a subject that requires further research. Also see our answer on question 1.3.
Yes([ID56])
The number of crowdfunding platforms has rapidly increased to more than one hundred over four years' time, covering about € 300 mln. According to the Crowdfunding Register of the Dutch Authority for Financial Markets (‘AFM’), 13 platforms hold an AFM permit, meaning that the vast majority holds an exemption. Unfortunately, many platforms communicate on a very minimal level about financial risks, where the risks are often significant. The consultation document seems to suggest that there are only two permit categories: a temporary or a permanent permit. In the (Dutch) practice, we see that the market needs a growth-model, where regulation is being adapted to the specific event in place (test phase, client scale up, offering particular services).
The Commission could create a ‘level playing field’ for banks and alternative players when it comes to the “duty of care” and “know your customer”. This level playing field would be beneficial for Fintech startups as well, because partnerships between startups and incumbent banks can act faster.
Fund raisers - Clear description of activity, risk and competition - State of the development - Ratio’s expressing the health/status of the company/initiative Platforms - Success rates achieved by the platform regarding funded initiatives - The business success of funded initiatives - Failed project and how failed projects will be handled and are handled (case study) - Transparency of fee structures Self regulation: Financial services legislation at both EU and national levels should be sufficiently innovation-friendly and safeguard a sufficient level of consumer protection, so that a level playing field between actors can be achieved and maintained. We expect that self-regulatory initiatives will prove to be insufficient to obtain an adequate level of transparency and consumer protection for the fund raising/crowd funding industry. Taking into account the ease at which fundraising platforms can attract loans and investments from consumers (online) on a cross border basis (even from outside the EU) on one side and the material losses retail consumers could incur on the other side, standardized consumer protection and transparency requirements should be warranted.
Internet of Things will also result in opportunities and challenges for financial services other than insurance services. A wide variety of (sensor)data will be generated by a wide variety of machines. For example energy companies are looking into remotely identifying machines which use more energy than necessary (e.g. old refrigerators and vacuum cleaners). As a service financials could work together with energy companies to identify such energy (and cost) saving opportunities and provide combined advice with respect to energy efficient replacements and financing of new energy saving machines.
Don’t know / no opinion / not relevant([ID58])
We are not aware of such practices, therefore not applicable.
EuropeOne: a European borderless bank. Peaks: investing in low amounts and automated; a mobile only investment App for millennials. Bunq: a startup bank focused on app based services. An example of other technical applications that offer new services, are tools to help parents make their (young) children acquainted with (digital) money in a world where cash payments in bills and coins are getting obsolete very quickly.
Banks are increasingly facing a variety of technology driven developments, which are changing client expectations and offering opportunities to banks to improve services. These days many business sectors, and therefore also banks, are facing so-called disruptive technologies, which are technologies that can be so powerful that they change entire sectors. These disruptive technologies usually concern the digitalization of existing processes and their uses in new areas. Partnering with FinTech companies can be a way for banks to quickly test innovative initiatives and thereby improving the time to market. Partnering with FinTechs is also required as banks cannot develop all new technologies in house. From the banks’ perspective the following disruptive technologies, among others, are relevant: Advanced analytics: The term advanced analytics refers to techniques used to predict outcomes and find new correlations on the basis of large datasets, or big data. Banks can use advanced analytics internally, for example for portfolio risk management and for marketing purposes, such as reputation management and monitoring product launches. DLT: Distributed ledgers are a type of database that is spread across multiple sites, countries or institutions, and is typically public for all participants, whose activities are encrypted. Records are stored one after the other in a continuous ledger, rather than sorted into blocks, but they can only be added when the participants reach a quorum. DLT offers the financial sector many potential benefits, particularly in the form of cost savings, but also because fewer intermediate parties are involved in transactions and because of the greater transparency and safety with regards to data and transactions. Mobile: The expectation is that the mobile channel is going to be one of the primary channels for Internet banking, online payments and mobile payments in stores.
Internet banking is already taking place on a large scale using mobile telephones and tablets, and Commerce (online payments on a mobile carrier) is growing rapidly. Artificial Intelligence (AI): Banks offer various applications ranging from digital (robo) advisers, to answering client questions on the website, to advanced trading algorithms and fully automated, algorithm-based credit approvals. Internet of Things: The ‘Internet of Things’ (IoT) is a network of physical objects equipped with electronics, software, sensors and network connectivity with which these objects can exchange and collect data. The IoT for consumer applications is dominated by issues relating to privacy and security. It allows banks to help clients through, for example, the use of bank identification for the online identification at other organizations such as government bodies or web shops, or through the safe authorization of payments via the IoT. Cloud computing: The use of cloud solutions at banks currently varies from so-called private clouds (cloud solutions whereby the servers are used exclusively by the bank in question) to full use of the IT infrastructure to a public cloud solution. The possibility of being able to use the required IT infrastructure much more quickly, as well as the scalability, flexibility, and cost savings, are the main sources of motivation for banks to switch to cloud computing. Biometrics: Biometric applications at banks usually concern authentication or authorization by means of human characteristics such as fingerprints, iris scans, voice recognition or even face recognition. Biometrics can be used to make it easier for clients to interact with the bank, for example by simple authorization of the payment or faster authentication (‘I am who I say I am’). Robotics: Robotics is not only used when automating and improving current systems and processes, but also to improve the client experience. 
In addition to simple activities such as greeting clients, robotics enables client wishes and needs to be registered, and the best responses or solutions to be offered more quickly.
• As an overarching barrier which requires serious improvement we identify the diverging manner in which individual EU Member States apply harmonized EU laws relevant to financial services, use of data and innovation. This is a key problem, as this effectively results in 27 separate markets for financial services. Examples are known of successful Dutch FinTech companies leaving the Netherlands and moving to larger markets such as Germany in order to grow to the next stage. • Make sure that financial service providers can work within the EU in a regulatory level playing field that leaves room for innovation. We still see differences in Member States regulation on Anti Money Laundering, banking secrecy, e-signature, language requirements etc. Local regulations are often rule-based and prescriptive, preventing innovative solutions. Also, we see gold-plating making a uniform product proposition difficult. We suggest that the Commission will further harmonize relevant EU regulations via maximum harmonization and/or – principle based - regulations, thereby preventing gold-plating and leaving room to financial service providers to come up with innovative solutions. • With respect to security, key issues need to be addressed at European level. These include risks resulting from open data. Clear principles are required with respect to the roles and responsibilities of each individual participant in a chain. FinTechs, when licensed, of course need to comply with applicable requirements on business solidity and security in an identical manner as other licensed financial institutions in the same license category. The innovative use of technology warrants additional attention with respect to the risks relating thereto and the mitigation thereof. The latter also applies to unlicensed FinTechs. Security is a key point of attention for fintechs. When partnering with FinTechs, a problem we experience is the lack of common minimal security standards. 
We are therefore required to perform detailed due diligence and analysis to assess the risks and security level of each individual FinTech. Standardisation/common security requirements (if feasible) would reduce these efforts and facilitate collaborations between incumbents and FinTechs. We need to ensure that any issues occurring at the ‘weakest link’ do not result in systemic risks. • The EU can facilitate the development & implementation of use cases for new technology in different ways: - Adjusting the regulatory environment to digital reality by ensuring that future and current legislation & regulation is technology neutral rather than technology-specific. E.g. having regulations with regard to privacy or outsourcing is fine, but stating that all use of cloud technology must be treated as an outsourcing is not proportionate: when assessing the risk related to applying a technology for a specific business process, it is not the technology that determines the risk but the business process; - Stimulating regulators to take an active role in assessing and developing use cases by being involved (e.g. by joining projects, if only as an observer); - Ensuring that regulators are willing and able to take a more pro-active role when new technology is considered, e.g. by entering into discussions with subjects about how legislation is to be interpreted (something that for instance the Dutch DPA (‘Autoriteit Persoonsgegevens’) is currently not willing to do); - Further barriers the EC can help break down include promoting and facilitating collaboration between incumbents and licensed and unlicensed FinTechs. This could be done by lowering/updating the requirements on outsourcing to FinTechs and creating clarity on license requirements of FinTechs, in particular with respect to the applicability of intermediary/brokerage licenses (see our answer to question 2.10 and 2.11 for more detail). 
Facilitating data transfers and making more flexible rules on personal data better suited for the digital reality. - Stimulate the development of purely European cloud providers; - Harmonize the regulations re outsourcing of financial processes/underlying technology throughout the EU. Currently the requirements vary not only by country, but also by type of financial institution (EU regulations contain different requirements for different types of FI’s); - Standardization efforts, which are key for market take up, competition and interworking. When needed enforcement of the use of standards (like in the telco industry in the 1990s), with the aim to speed up and promote market development, without killing the upsides for initiatives that take risks; Remark: see attachment 2
Automation and innovation do not necessarily mean a reduction in employment. Digitalization will create demand for new skills and competences on general coding, machine and deep learning, data science, Blockchain, and (Cyber) security. An important factor which needs to be addressed at EU levels as well as in each individual EU Member State, is education. In order to become a nexus of innovation, the European labor force needs to become far more digitally skilled. The end goal should be a substantial increase of the percentage of digitally skilled persons and IT specialists leaving European universities and colleges with a diploma and a robust digital skill set each year. Focus on digital skills should start at elementary school for each child in the EU and continue through the complete education program, irrespective of the level. Financial institutions, but this applies to all employers in the EU, are facing serious difficulties attracting a workforce with the right Digital/IT skill set. We expect that the global demand for highly skilled IT professionals will only grow in the coming decades. Apart from legislation, an important factor which needs to be addressed at the highest EU levels as well as in each individual EU Member State, is education. In order to become a nexus of innovation, the European labor force needs to become far more digitally skilled. The end goal should be a substantial increase of the percentage of digitally skilled persons and IT specialists leaving European universities and colleges with a diploma and a robust digital skill set each year. Focus on digital skills should start at elementary school for each child in the EU and continue through the complete education program, irrespective of the level.
RegTech has the potential to transform the way financial institutions manage the regulatory environment. RegTech can lead to considerable benefits for financial institutions and supervisors by allowing new technologies to be used to address regulatory and compliance requirements more transparently and efficiently and in real time. The most promising use cases we know are: • Combining regulation and cognitive solutions • Electronic identification and verification • Smart transaction monitoring • RoboAdvisor based risk assessment • The application of data analytics and so-called “big data.” These techniques can be used to reduce compliance risks in areas such as anti-money laundering. Big data techniques can identify potentially high risk customers (possibly in combination with biometrics to identify a client in a digital environment and/or authenticate a high risk transaction); make reporting information more accessible and easily searchable to regulators; improve internal culture and behavior by better identifying actions that could lead to compliance violations or incur reputational risks to the institution; and in combining big data with artificial intelligence, allow firms to reduce market risk through more precise modeling and forecasting of market trends and sentiments. • DLT/Blockchain (e.g. Recording and storing information, Aggregating data, Performing operations on data, Sharing information with other entities, Ensuring data integrity) Challenges are to build solutions that fit the regulators and the regulated financial service providers. It will be beneficial for auditors, incumbents and RegTech startups to collaborate closer to target the needs better. EU could promote standardization and promote standardized information. 
Financial institutions as well as the ESA’s and national competent authorities need to build up experience and expertise in these matters and use these technologies or otherwise ensure they are involved in initiatives relating to the development and implementation thereof, in order to adequately assess risks resulting from application of these technologies and the suitability of these technologies for compliance objectives. Another challenge is unfamiliarity with the mechanics of the blockchain/DLT and/or a lack of clarity of the characteristics that will be attributed/programmed therein. Therefore uncertainty exists with respect to the manner in which compliance goals can be achieved using DLT, the escalations which occur when compliance cannot be achieved and the actions we should take to address such non-compliance/non-conformity. Ownership of the blockchain and responsibility for the block chain are also serious challenges. Who will be responsible in case of fraud and who will be liable? To which party should a consumer turn to get compensation/redress? The above questions also arise to some extent when using Big Data and AI solutions for compliance purposes. Financial institutions need to build up experience and expertise in these matters.
Also with reference to our answer to question 2.2 In The Netherlands, the use of cloud computing is constrained due to the Dutch Central Bank Circular that states that all cloud computing initiatives must be treated as an outsourcing. This policy is too broad, as it means that also for processes that wouldn’t be considered to be an outsourcing in case other technology than cloud computing would be used, are now subject to outsourcing requirements. In our view, the outsourcing regulation itself adequately determines when delegation of a process is outsourcing or not, thus ensuring that adequate control measures are put in place in all scenarios. Another key factor slowing down cloud adoption in Europe is the lack of harmonization in regulatory approaches across different jurisdictions. The variation in approach to cloud computing in financial services by various national regulators creates inefficiencies, particularly for banks operating with a global presence and global customers. The uncertainty created by the variation in approach reduces the appeal of the EU as a place to do business. This is not unique to the incumbent banking industry, New FinTech start-ups, and neo-digital challenger banks, many of whom are cloud native, will experience barriers to growth as a result of the lack of harmonization across the EU. Finally, harmonizing approaches to the cloud across jurisdictions will also help to facilitate the adoption of cloud at a global level which creates efficiencies and encourages growth. In order to support and facilitate a responsible adoption of cloud computing within the banking industry, the European Commission should focus on efforts that support the creation of a clear and consistent regulatory framework at an EU and Global level, and guarantee a proportionate risk-based approach to due diligence and contracts between the Cloud Servicing Providers (CSPs) and the banking sector in respect of Cloud Computing in Financial Services. 
The above issue may be mitigated by EU legislation resulting in harmonisation and minimum requirements applicable to such CSP’s, and perhaps an EU passport/license, which takes into account the specific characteristics of cloud services. The latter would also be beneficial to CSP’s as they could roll out their business with EU financial institutions pan-European, while having to deal with only one regulatory regime and one home regulator. In general, cloud service providers are unwilling to accept instruction rights for financial institutions that may require the CSP to change the manner in which it provides its services, as they offer standard services to all their clients. Also, in general, CSP’s are unwilling to agree to always enable financial institutions to meet the laws and regulations applicable to such institutions. Also, some large CSP’s are unwilling to agree to direct audit rights for financial institutions and these institutions may only exercise such through review of SOC2 type 2/ISAE 3402 type 2 audit reports issued by the CSP’s auditor.
Yes([ID56])
The Commission should continue its positive work under its Free Flow of Data Initiative to remove unnecessary data localization requirements, except where necessary for legitimate public interest reasons. Not all banks experience issues with suppliers/providers to incorporate the EU model clauses in their contracts. However, some see that getting assurance statements/reports is still challenging and not standardized yet, it takes a lot of effort and time to get them and the level of quality differs per provider. Cloud computing is a technology, not a specific business process. As stated in the three core principles, the EU should ensure that legislation is technology-neutral. This implies that any regulations for FI’s specifically focused on cloud computing must be withdrawn (see answer on 2.5.1). On the other hand, it could help if generic obligations were created that apply to cloud service providers that provide cloud services to FI’s (e.g. comparable to how the Global Data Protection Regulation now contains obligations not only for data controllers but also for data processors).
Yes([ID56])
Key requirements (apart from best practices applicable to any business critical/important contracts) come from outsourcing requirements and privacy legislations. More and more, public cloud providers understand the specific demands from FI’s re cloud computing and to a certain extent are able to cater for them. Public cloud providers sometimes meet the minimum requirements; some are more advanced in this than others but it is never easy to ensure all requirements are met. Note: the bigger the cloud provider, the harder it seems to be. The market for some specific cloud services, like IaaS and PaaS, is highly concentrated, and risks being dominated by a few very large and powerful suppliers in the near future. Individual EU financial institutions (even the largest ones) have very little room to negotiate amendments to the standard contracts provided by these large Cloud Service Providers (“CSP’s”). In general, large CSP’s are not willing to make any changes to their standard contracts and terms, especially to accommodate the requirements as explained in our answer to question 2.5. Rules applicable to EU financial institutions should take this into account. Either the requirements applicable to EU financial institutions should reflect that there is little room for negotiation, or the EU should take action to demand that CSP’s will take a more flexible approach, when contracting with EU financial institutions or regulate the large CSP’s that expose European financial institutions to a substantial concentration risk to make sure these comply with the relevant requirements. Complex supply chains such as a SaaS solution built on another provider’s infrastructure/platform also make securing rights to have access / to interview personnel (for each party of the supply chain) challenging in negotiations. 
Effective identification, monitoring and reporting of risk is thus more challenging in many cloud environments given the lack of visibility over the whole supply chain of the technology stack. This challenge is further driven by an ambiguity concerning how far auditing rights should be exercised throughout the supply chain. Without clarity concerning what is required to comply with regulatory requirements, banks may either look to secure rights extensively all the way down the supply chain, or may, on the other hand, be forced to take on additional risk in not securing extensive audit rights. The challenge for cloud providers is compounded by the large number of customers and by the standardized offering which leads to a high level of complexity when giving individual customers the right to audit. As a result, effective identification, monitoring and reporting of risk is more difficult in many cloud environments given the lack of visibility in the whole supply chain of the technology stack. Besides the CSPs’ operative responsibility around service provisioning, banks as data controllers are liable for the data stored and processed. As such, cloud service consumers need assurance that all contract terms are fulfilled. However, some CSPs are not always able to comply with specific contract terms, such as the right to audit. Hence, a common regulation agreement should be developed so as to facilitate compliance with a commonly understood set of minimum requirements to operate in Europe.
Yes([ID56])
Right to audit and right to examine. On request. It is not up to the cloud solution provider (who generally provides the contract) which contractual obligations are applicable to it. This must either be determined by the FI, or, see answer at 2.5.2, by EU regulations. There is room for improvement since we see that some providers/suppliers only incorporate clauses after an explicit request and not in their standard offer / supply contract.
DLT applications in several areas could positively impact enterprises’ access to finance, including SMEs; International payments, Trade finance and Digital Identity. A good example of a DLT application is the Digital Trade Chain (DTC). Seven major European banks are partnering on a new Blockchain-based trade finance platform, with a tentative plan to launch sometime in the second half of 2017. Those backing the platform’s development are looking to establish a secure place to manage open account trade transactions for both domestic and international commerce. DTC utilizes a permissioned ledger, with authorized parties allowed to submit transactions on the platform. The aim of the platform is to make domestic and cross-border commerce easier for European small and medium-size (SME) businesses by harnessing the power of digital distributed ledger technology. The DLT can provide a single source of information where SMEs can share their financial data (obviously complying with existing regulation, starting from GDPR) in order to help the financial institutions to better assess their credit risk. This could make access to some banking services, and especially financing services, easier for SMEs. It could materialize via “Smart Contracts” - contractual clauses to be fully self-executed, self-enforcing, or both, used in highly standardized operations. In trade-finance and in invoice prepayments there are interesting applications supporting companies and SMEs.
Each use case has different requirements in terms of confidentiality, privacy and scalability. One challenge lies in how to balance these requirements respective to current technological capabilities, which are of course expected to improve as the technology matures. On a similar note, we can already observe a certain fragmentation in the market which may lead to interoperability difficulties between DLT systems. Should a large number of solutions be developed that independently address different needs, interoperability becomes an even greater concern. On a similar note, interoperability with legacy systems is another aspect that needs to be further explored and can provide difficulties. However, due to the potential of cost mutualization in implementing DLT solutions, legacy systems would be easier to replace altogether.
The main obstacle stems from the lack of an official regulatory framework to guarantee the enforceability of smart contracts from a legally binding perspective. Even if such a framework were to be developed at a European level, local interpretation may pose further issues. Indeed, developing such a framework is especially difficult due to a number of reasons: • Unclear where liability rests in case of malfunctions • The possibility of having no central authority administering the network on which the smart contracts are executed • Some transactions within the smart contract may affect external elements / third parties (e.g.: intellectual property rights) • Applicable jurisdiction / fragmentation Considering the fact that there is no such thing as ‘the Blockchain’, because of the different types of Blockchain possible, it can be stated in general terms that there are two problems in supervising. 1) In principle, Blockchains do not recognize jurisdictional boundaries and therefore the question arises whether the supervising authorities could intervene effectively when necessary? 2) In principle, transactions on Blockchain are immutable/irrevocable: This would become troublesome for consequence management. E.g. what if a judicial authority could determine a transaction to be ‘void’ how the old situation could be recovered when transactions are irrevocable. 3) Any other specific issues to be considered are: - Privacy issues on personal data processed and which cannot be deleted from the blocks and thus will be public for as long as the Blockchain is in operation. - Who is to be held liable for transactions conducted on the Blockchain? All participants on the distributed ledger? Only a part of these? And if that is clear, how are you able to identify a client? Beyond pure financial regulation, broader legal issues, such as corporate law, contract law, insolvency law or competition law, may impact on the deployment of DLT. 
In particular we believe that with further development of the technology, the following regulatory issues might need to be addressed by regulators: - Legal framework regarding the legal nature of blockchains and distributed ledgers in general, including territoriality (jurisdiction issues and applicable law) and liability (responsibility when something goes wrong) - Legal framework for the recognition of blockchains as immutable, tamper-proof sources of truth regarding the information stored on it. Related to this, legal framework for the use of blockchains as single sources of trusted identity as well. Harmonized regulation about data protection and definition of identity in the case of legal persons will be needed as a previous step. - Regulation on how the right to erasure (“right to be forgotten”) shall be interpreted, because the tamper-proof feature of the blockchain collides with this right recognised by European regulation on personal data protection. - Legal framework about the legal validity of documents stored in the blockchain as a proof of possession or existence. - Legal framework about the legal validity of financial instruments issued on the blockchain. - Legal framework for smart contracts in general, settlement finality and in international commerce in particular, including real-world enforceability, territoriality and liability. - Legal framework about the treatment of shared information in blockchains from the perspective of cross-border flow of data, and data protection in general. Clarification on whether encrypted data is considered personal data is needed. Portability of personal data from one processing place to another. - Legal framework regarding the use of the blockchain as a valid ruling register for the IoT. - Regulatory reporting information standards definition on the DLT. Guidance on which regulator has an access to what type of data stored on the ledger and in which situation. 
- Clarifications on who should run the permission based DLT in the financial sector and who should control the access rights to the network. (e.g. a supra-national organization on a non-profit basis)
Yes([ID56])
Yes. At a certain level current outsourcing regulations codify ‘common sense’ requirements for such contracts. That is fine, but the way it is currently done is that the regulations are fragmented over countries and types of FI’s (see answer on 2.2.), creating ambiguity re regulations when multiple regulations apply. In addition, international intra-group outsourcing within financial institutions creates an even more complex regulatory landscape, e.g. when several foreign entities outsource a function to a central organization of the same FI, who in turn outsources it to an external service provider. This may lead to different local requirements being applicable to a centralized service, leading to significant inefficiencies for the FI’s, both in setting up the service and operationally. In addition, not all commercially available cloud solutions have come to an agreement on the right to examine with the Regulatory Authority, Dutch Central Bank (‘DNB’).
Yes([ID56])
Current regulations/requirements are sufficient, in the sense that there is no need for more/additional requirements. As stated above harmonization of outsourcing & privacy regulations would help a lot. The ‘first’ entity (in a chain of outsourcing entities), usually a customer-facing entity, is responsible for its own chain of outsourced activities. Another important aspect is that EU legislation has not completely harmonised the intermediary/broker function. As a consequence, IT service providers and FinTechs may easily qualify as (licensed) intermediary in the Netherlands, when performing their activities under an outsourcing agreement. This means they may require a license. In order to promote cooperation between (unlicensed) FinTechs and licensed banks/financial institutions, diverging national rules should be reduced to a minimum. In addition, clear EU level guidance specifying the circumstances in which an IT service provider or FinTech has to be considered as an intermediary/broker (and should be in scope of national Member State license requirements) would be beneficial. If the threshold for applicability of license requirements is set too low (e.g. a FinTech only transfers a consumer’s contact details and some general information on the product the consumer intends to purchase), this will substantially frustrate innovation. This should not be left up to the individual Member States.
Blockchain can provide a lot of use cases bringing efficiencies for financial service providers (and potentially also for a number of other industries). Currently the use cases more tested are relevant to Capital markets, Trade Services, Digital Identity/KYC and cross-border payments. Although not new, a relevant example is the use of API’s. Robot Process Automation could also reduce operating costs.
Currently, differences in local requirements regarding AML/CDD, e-signature, consumer protection, tax legislation, data protection/privacy (e.g. banking secrecy) make a centralized product approach difficult as local involvement or presence, either by an existing branch office, subsidiary or by establishing a branch office, in fact is still required. This limits innovation within these products and services and hampers the establishment of an EU single market. For individual retail customers and SME’s we face these obstacles most pressingly in the area of: (i) customer on-boarding and the corresponding KYC and CDD; and (ii) requirements for handwritten signatures in the case of some product purchases. Solutions for these obstacles can lie in e.g. European wide acceptance of videoconference identification/verification or acceptance of derived customer identification via new possibilities under PSD2 and digital signatures for authentication of transactions. We would also like to point out that some important prudential requirements are more punitive with respect to the provision of digital services as opposed to non-digital services. In particular, we find it unjustified that the liquidity requirements in the LCR Delegated Act impose a more stringent outflow requirement on ‘internet access only’ customer (deposit) accounts, implying substantially higher costs for a bank that is offering this product. From a prudential perspective there is very limited evidence that higher outflow percentages can occur as this is based on a limited data set. Also applying such a rule does not look justified, as it seems to be based primarily on a regulatory assumption that customers’ funds can be withdrawn quickly, whilst in our current electronic era facilitating customer access is a generic feature for all customers. Finally we would advocate for an amendment to the CRR. 
“Article 4 Definitions (115) now reads: “intangible assets” has the same meaning as under the applicable accounting framework and includes goodwill, with the exception of software for the purpose of Article 36 b)”. The banking industry faces digital challenges in competition with emerging technological players that do not have to face the heavy regulatory burden imposed on the banking sector and are free of prudential regulation altogether. The current regulatory capital framework for credit institutions does not recognize the value of software for capital purposes. The fact that every euro that an EU bank invests in an IT development needs to be backed is perceived as a significant disincentive for investments in innovation and a major factor of unfair competition. We believe the investments in software should carry the same economic and financial rationale, regardless of the industry. Whilst this may not be sufficient, it sets the basis for the solution to the issue in the banking field. Evidence clearly indicates that software has value even in the case of liquidation of a bank. Software has become a core asset for the banks’ business models around the world. However, there is evidence of different regulatory treatment of software in some jurisdictions, including US where capitalized computer software can be recorded as an "other asset" and subject to regular risk rating and not deducted, therefore removing any artificial hurdle to banks investing in digital, creating value for the economy as a whole and leading worldwide innovation in the area. Furthermore, the European Commission issued decisions on equivalence of the regulatory regimes of third countries to those applied in the EU. Capital regimes of third countries that do not require capital deduction for software have not been considered as an element of relevant discrepancy or inconsistency for the European Commission, neither for the Basel Committee under its Regulatory Consistency Assessment Programme. 
It lets us believe that the non-deductibility of software therefore does not raise an issue. PSD II also results in issues which have not yet been addressed adequately. For example due to article 66/67 PSD II, it is unclear whether banks can require PSP’s to agree to technical terms/conditions for use of API’s and access to client data. In addition, due to article 94 PSDII explicit consent is required for the use of client data in each instance, this frustrates innovation. We are aware of the pressure from the FinTech industry to undo this.
FinTech innovation plays a pivotal role in the “customer journey”. From a customer point of view the digitalization of financial services is without any doubt beneficial as it increases transparency and reduces costs. The EC must find a way to mitigate the backward-looking effect of laws and regulation. Digitalization should be embraced and obstacles of local or European regulation that hamper digitalization (e.g. the requirement of physical identification and signature) should be removed. The fragmented regulatory landscape can be overcome by further harmonizing regulations (e.g. AML, data protection, tax, consumer protection) by implementing maximum harmonization and/or regulations. We suggest that the EC further harmonizes relevant EU regulations by e.g. (i) preventing local add-ons and/or gold-plating and (ii) leaving room for financial service providers to opt for innovative solutions. In order to ensure that trust is safeguarded across the industry it is important to assess which consumer protection levels apply. If specified consumer protection is in order this should be implemented on the basis of a level playing field between banks and non-banks. The same rules should apply for the same businesses. We deem it important that consumer protection is designed in such a way that it does not hamper the customer experience, but can be made an integral part of it. To ensure a stable market environment it is important for service providers and regulators to work closely together. We believe innovation requires sufficient room for partnerships between incumbents and FinTechs. EC initiatives should be aimed at facilitating these collaborations. Furthermore, divergences between the applicable regulatory regimes in the different EU Member States need to be drastically reduced. The Financial Digital Single Market needs serious work. 
With respect to the national regulatory authorities, we applaud the initiatives taken by the Dutch and UK authorities to facilitate innovation. We do not have a clear view on the initiatives in other EU Member States. In order to accelerate these initiatives, the European Commission could play an important role by facilitating the exchange of best practices and know-how between national competent regulatory authorities, and keeping track of all the different initiatives to identify blind spots and overlap. We do not believe that promoting innovation through a top-down EU approach, e.g. an EU regulatory sandbox, will be effective. Structuring such a solution will likely take too much time. Furthermore, a one-size-fits-all approach (e.g. by aggregating the requirements of each of the individual national regulatory sandboxes to come to a general standard) may not suit the needs in individual Member States. There is a lot of uncertainty as to whether certain FinTech initiatives can be considered to be compliant with financial services legislation, which has an inhibitory effect. A proactive approach of regulators could bring more certainty and thereby stimulate the deployment of FinTech initiatives. A level playing field should be ensured. It might help to have regulators exchange best practices, or publish opinions similarly to the article 29 Working Party. Another inhibitory factor is market size being limited to the market of a Member State. FinTech startups are more likely to thrive in big markets with a lot of potential customers. Therefore, enabling cross-border provision of FinTech services will stimulate innovation through FinTech.
Yes([ID56])
The reason that the cross-border provision of retail financial services is rather difficult is because there are still too many differences between Member States in many other areas. These disparities create uncertainty and therefore lack of trust for the unknown provider. We note that the lack of a uniform set of rules across the EU (mainly as a result of local deviations to EU law and/or gold-plating) harms consumer trust to shop across the border for financial products. Without trust in a regulatory level-playing field for financial services with consumers, cross-border shopping will not increase. Also and for example, if foreign entrants in a local market are discriminated against, this places them at a disadvantage and may lead to less cross-border market entry, including online entry. In this context it is important that ‘Goldplating’ is avoided. Furthermore, we note that at this stage it is difficult to fully assess the impact of the recently implemented EU legislative measures (Mortgage Credit Directive, Consumer Credit Directive, Payment Account Directive, Payment Services Directive, Interchange Fee Regulation, Data Protection Regulation, Network and Information Security Directive, SEPA Regulation (IBAN) and Anti Money Laundering Directive) in the retail financial services market. Finally, Banks and Fintech Start-ups/non-banking Fintech are seeking to test out new technologies, solutions and business models but are constrained by the existing regulatory framework which does not allow low-risk and low-scale experimentation to take place under less stringent rules. This issue limits competition and may stifle innovation in financial services. Consumers, in turn, are hindered from enjoying certain improved value propositions from their trusted banks. Regulators could help by exploring how to gear up in order to support innovation across its activities, working with industry and wider stakeholders.
The authorities must provide Fintech start-ups and banks which innovate with leaner and faster authorization processes. A first step on this journey is to consider the creation of an EU framework for experimentation as safe spaces where regulated and non-regulated actors can test innovations in a controlled environment. It will provide a safe place for firms notably to test whether their new products are complying with certain requirements and the legislative environment is adapted to the digital reality. Furthermore, supervisors can pilot the overall digital transformation by helping new entrants within the process and enabling speed of launch. The analysis of the impact should be eased significantly and allows supervisors to continuously assess the safety and robustness of the financial services ecosystem. This regulatory framework for experimentation will allow the regulators to assess new products at an earlier phase and potentially amend legislation rapidly when beneficial to consumers.
Like banks, Fintech start-up and non-banking Fintech should be able to develop services available across the EU without incurring costs and slowing down the processes of adaptation of the services to each individual country. The current regulatory framework for banks sometimes proves to be too rigid to fit in specific business developments. A clear definition of activities that are considered cross-border provision of services would be very helpful. Developments in the area of the electronic provision of services are going faster than regulation. In particular we notice a grey area between (or overlap of) cross-border provision of services and provision of services by way of a local establishment (branch office). A multichannel (or hybrid) approach both by a physical presence and digitally/online in some cases provides the best solution for a customer friendly approach, but it can require both a cross-border notification and a branch office notification. However, such a hybrid approach sometimes raises supervisory authorities’ eyebrows. If a product is marketed cross-border by Group company A, with support of a branch of Group entity B, some supervisory authorities fear confusion for the client and prefer an “either/or” option. This may not always be possible and may form an impediment for the development (or at least offering) of new products or services. Institutions would be helped by either a less stringent approach by supervisory authorities and/or a regulatory framework that leaves room for such hybrid models.
Yes([ID56])
We do not believe it would be beneficial to introduce new categories of financial services licenses specifically for FinTechs. The regulatory landscape in its current form is already highly detailed/granular and difficult to navigate. Adding new licensing categories will further reduce comprehensibility. We advocate for an equal level playing field for all market parties. We support the idea that the authorities engage in (informal) conversations, an open dialogue, with current and new market parties in order for them to better understand the legal framework in which they may act. It is also important that the authorities share their views pursuant to the conversations with the public. Finally, in our opinion, it is crucial that the national and international authorities closely coordinate their policies.
Yes([ID56])
FinTech Cooperation: In the cooperation between new and established parties, the operational risks of outsourcing are a potential risk to the sector. Complex technology services are regularly outsourced to a third party. Customer data and processes can be involved. Licensed services are subject to supervision also when these are outsourced to BigTechs or FinTechs. Parties should be aware of this. Supervisors should make sure that there is no uneven level playing field between the various parties with respect to the DNB cloud circular. Banks impose the same rules on FinTechs as to other suppliers which should mitigate operational risks. However, FinTechs that have a B2C model require stricter supervision. The (system) risks of small starting FinTech players seem limited at this moment, but to maintain the trust of the public in FinTech / Financial sector, supervision on FinTech players is important. We have seen issues with respect to FinTech in, among others, the US (Lending Club) and Sweden (Trustbuddy). Data privacy: The supervisor may pay more attention to the protection of customer data in the supervision of new market parties. The NVB is also curious to know what the role of BigTechs is in providing access to devices. Contribution to the public community: Banks contribute to public goals in various areas. This includes anti-money laundering and terrorist financing, anti-fraud prevention, sanctioning legislation against bad regimes or individuals. Banks also provide non-governmental data for income tax. We are interested to know how new market parties deliver services, how costs are shared and to what extent a level playing field is guaranteed between existing and new parties. Systemic risk: In the long run, the impact of FinTech and BigTech on the robustness and return of the financial sector as a whole is an important factor.
Maintaining public trust in the financial sector should not be under pressure due to possible shortcomings of FinTechs and / or BigTechs which could be prevented by the same level of supervision. Consumer awareness and data privacy deserve extra attention. Transparency towards customers is very important in this respect. Together with the Dutch authorities we do not feel that proportionality in the supervision of FinTech in the area of security and privacy is necessary. We do understand the principle of proportionality for the supervision of this new young and fast-growing sector, however we feel that this should not be a reason to lose sight of the level playing field. To the extent that there is a lighter regime for the FinTech sector, we believe that a clear and well-motivated framework with realistic boundaries needs to be developed. Decisions that grant limited custom permits or temporary exemptions (for experiments) should be published in order to inform all market parties. This should also be the case for - within the limits of competition law - formal or informal decisions with respect to questions from market parties regarding innovation. Regulatory framework: See last paragraph of answer 3.2.2. on regulatory framework.
Don’t know / no opinion / not relevant([ID58])
We are not sure what is meant by ‘implementing free flow of data’? Due to the General Data Protection Regulation (GDPR) there are not so many obstacles anymore. The GDPR intends to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. A free flow of data will be supported by the right to data portability, provided by Article 20 of the GDPR. A person shall be able to transfer his personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used standardized electronic format. According to the financial rules on outsourcing for many EU countries, financial institutions must notify the supervisor and obtain their approval to launch cloud projects. This notification and approval has to be done on a case by case basis. It implies an indirect constraint to the free flow of data and, thus, to a faster innovation and a more agile cloud adoption. There is a need to harmonize EU financial supervisors’ criteria when approving cloud projects.
Yes([ID56])
We consider that the three principles are appropriate, but probably not sufficient. Technological neutrality is clearly desirable and facilitates the self-selection of the best technologies by market forces, although it is not sufficient to guarantee a level playing field. Proportionality is needed as a risk-based approach that takes into account specific activity risks, and not whole company risks by default. Integrity and competition are in the benefit of all stakeholders, and should always be promoted. Stringent prudential, security, investor and consumer protection regulation are an inherent part of the regulatory framework in which banks have to operate and which has been reinforced in recent years. New entrants are less burdened by regulatory requirements and they tend to choose the optimum legal structure to avoid the heavy regulatory burden of the financial sector. Similarly, they are not subject to the same levels of scrutiny from supervisors and authorities. The implications of this for policy objectives concerning consumer/investor protection, fraud and financial crime, and financial stability must therefore be considered. Finding a proper balance, and future-proofing it, will be one of the main (and on-going) challenges for policymakers, regulators and supervisors for the years ahead: how to encourage the development of financial technology and to bring dynamism and competition into the financial sector both for incumbents and new entrants without leaving the financial sector open to new risks or significant failures and thereby endangering financial stability, with possible loss of public confidence, or creating an uneven regulatory framework. Customers and investors’ trust will be gained if they are confident that the same level of protection is available no matter which entity – banks or non-banks alike – is providing the financial services. 
From a supplier’s perspective, the concern is that a loss of trust by consumers in one area of the industry, whether that be a Fintech startup or a large incumbent, hurts the sector as a whole. With equal rights must come equal responsibilities. Cybersecurity is a good example of this principle. A failure by any single market participant hurts the reputation and damages trust in the industry as a whole. Policy makers should consider the importance of ensuring that an internationally recognized standard is applied and supervised across all market participants. Regulatory guidance so as to avoid the “reinvention of the wheel” should be provided to avoid ending up with many different standards and further fragmentation. In a nutshell, the concept of “same services, same rules, same supervision”. Remarks: see attachment 3.
We feel that the development of practices and initiatives should take place primarily on a national level, however the European Commission and the ESAs can play an important role (i) in enhancing the exchange of best practices and know-how between the different competent national supervisory authorities and (ii) in promoting the issuing of consistent guidance with respect to innovation/FinTechs in the different Member States. We expect there would be merit in pooling expertise on specific topics/technologies. We expect this would have more benefit if this would be addressed jointly at the level of the competent national supervisory authorities (e.g. virtual expert pools on AI, DLT etc.).
Yes([ID56])
Pooling of expertise would improve and accelerate growth of knowledge/skills and make the behavior of ESAs more consistent.
Yes([ID56])
An “Innovation Academy” set up by the European Commission, coordinated by the ESAs and supported by financial (and non-financial) associations, could help to train subject matter experts with common background, able to spread the Fintech’s culture of innovation and to promote the development of innovative solutions. These programs could be organized as follows: - Organization: Nomination process through local authorities; participating teams not too large to ensure exchange and discussion; - Physical meetings due to better relationship management; different EU countries as meeting place - Topics: current issues of national or EU parties invited; future challenges and how to handle them; insights from experts to - Selected topics - Method: use modern, interactive and solution orientated methods and techniques (design-thinking, prototyping)
No([ID57])
We expect this would have more benefit if this would be addressed jointly at the level of the competent national supervisory authorities. It’s necessary that all regulatory sandboxes in the EU work together and align with each other. We believe national approaches are not helpful in a multinational and global financial industry. The main risk of a national approach might be to create a fragmentation with different approaches among the EU Member States, with the final result that neither financial institutions nor consumers can benefit from these initiatives. The development of exchange of good practices and the establishment of European guidelines or high-level guiding principles at EU level to harmonize regulatory sandbox approaches in the Member States could contribute to a convergence in domestic innovation policies across the EU, thereby facilitating the emergence of a single market for financial services.
No([ID57])
 
See question 3.10.1
No([ID57])
Although some standards seem to be appreciated, e.g. SEPA and PSD II, there are a lot of technical standards, which may rather cause confusion instead of clarity. However, designating a certain standard with a mandatory or other legal qualification will sooner hamper innovation than promote it. Perhaps a registry of standards will provide some clarity.
No([ID57])
See 3.12.1
More effort is needed on, amongst others: APIs, XBRL
Yes([ID56])
Good to have promotion from the EU institutions with respect to an open source model. We also believe that it is beneficial to promote commercial developments of/on top of open source libraries.
We see limited impact from the startups with the aim to compete directly. We see a winning combination in startup + incumbent companies, due to mutual benefits. The incumbent companies have the customer basis and reputable brands, whereas the startups have agility and creativity. An uncertain factor in these developments is the Big Techs.
The free flow of data is an important factor for successful innovation in financial services and the creation of a Digital Single Market for financial services. However, in our view taking down diverging national practices and undoing diverging national interpretations of EU legislation is a far more important factor. The question whether services users should be entitled to fair compensation when their data is processed is fundamental and warrants more attention and background/guidance for interpretation than provided in the scope of this consultation.
The previous generation standards focused mainly on standardizing the format of messages that are being exchanged among market participants. DLTs include derivation of a set of shared facts into the standard, thereby eliminating certain kinds of mistakes and therefore lowering the need and costs of reconciliation and (manual) correction procedures. This focus on guaranteeing that parties agree on a shared set of facts can prove a very reliable way for storing and sharing valuable information.
Yes([ID56])
Digital identities are currently being addressed by the Dutch National Blockchain Coalition. From a technical perspective, DLTs are completely different compared to most other financial service technologies. For a DLT to leverage existing digital identity frameworks, it requires an identity provider to attest the identity of parties in a very specific way. In general this would mean identity providers / frameworks need to adapt or extend their technical offering to be compatible with specific DLT solutions. For most other technological solutions in financial services it could be said that financial services can adapt to the implementation details of the identity framework. Advice, directions and standardization for a framework would be beneficial for all stakeholders. The EU can lead this effort.
Compatibility of functionality and data protection rules: (1) Regarding this question, it’s useful to separate DLTs in two streams: those that implement an everybody-knows-all information sharing policy and those that implement some way of selective broadcasting. In the first case, data is globally visible for all participants of a particular DLT, so it’s not protected and therefore this flavor can be seen as fundamentally incompatible with privacy legislation (e.g. GDPR). Encryption may solve this problem, but it’s uncertain whether this will actually be possible for all use cases. DLTs that implement some way of selective broadcasting do not have this problem. (2) Regardless of the DLT flavor, current DLT solutions offer full availability of historical transactions. This may or may not have a technical reason. For example, Ethereum has not implemented deletion of historical transactions yet, but no fundamental reason exists that would prevent such behavior from being implemented in the future. In Corda, this potentially poses a bigger challenge, since historical states may be required to prove validity of future transactions, while personal data protection rules might disallow a party to retain certain information that is part of such states, effectively rendering it useless for the purpose of transaction validation. Data Storage: A big issue is the location of the data stores. A list of trusted entities can potentially solve this issue. Among other organizations, banks can act as trusted entities. Customers should have freedom of choice to find a suitable trusted entity, based on quality and functionality.
The benefit of more efficient information exchange should be considered for the entire duration of the relationship between SME and the party needing the information. Search costs are only a small part of this. Moreover, risk profiling of SMEs is combining public and private data sources. Access to cloud-based SME administration systems is essential and it is up to the SME to grant such access.
Enriching data is a business model in itself and enhances transparency of the financial state of the SME. The risks from this potentially vast distribution of company data to a myriad of parties needs strict governance to protect SMEs. A bottom-up approach on the basis of the companies’ financial data should be the starting point.
The key point of departure ought to be the development of an equal level playing field. This means that ‘new players’ ought to meet the same requirements as existing financial service providers and market infrastructures. We have noticed a lack of oversight on FinTechs to determine their level of security and to identify insecure providers. The level of security, from our perspective, is extremely diverse which means there is a lot of work to be done to bring all of these players to an acceptable level. Therefore a level playing field is key, also in monitoring and supervision.
Information sharing from public authorities is limited. Reciprocity is a necessary element of information sharing, where both the public and the private sector exchange information whenever possible. Whilst we understand that during specific investigations, particular elements of cases cannot be shared, there also appear to be situations where there might be other factors at play to prevent information sharing. Trust is a fundamental aspect to facilitate and enhance information sharing. The team to share with must be known, otherwise no trust will be given to team members. Trust can exist between individuals or intrinsically between groups who have similar purpose or experiences. Predictability about what is being done with the information is key. Just sharing information would lead to more noise in the system, and would even help the bad guys, the haystack just grows and the needle gets harder and harder to find. Identifying a shared interest or a common purpose is another crucial element. All parties participating in the information sharing must have a shared interest in doing so. Only when a common purpose can be defined (such as stopping a specific threat actor for instance) success can be guaranteed. Another challenge is the volume of information shared and the different ways in which it is shared. The ability to share and subsequently digest the information in an effective way is therefore a work in progress. Fragmentation is still a worrisome factor in information sharing. Information can only be effectively shared electronically between systems. And most parties do not have Cyber Threat Intel systems based on standards like TAXII yet.
From a maturity perspective, the point of departure should be the assumption that criminals are able to enter the systems of the organization. The focus therefore ought to be on assessing how a business might be damaged when the unwanted visitors execute unwanted code. This is key and demonstrates the necessity to go beyond prevention and also invest in monitoring, detection as well as response and recovery. This implies testing is very context specific. It also implies that the focus upfront should be on learning and improving the threat analysis skills of the companies being tested. Improving the baseline is more important than setting a fictional baseline. EU coordination is only relevant to sustain a level playing field. These exercises are valuable but also require investment of resources such as money and time. Another element to consider is to test the entire chain of a transaction, to determine the resilience of the different parties involved. A very important aspect to consider here is the significant shortage of competent professionals to do the test and the analysis. A roadmap should definitely ensure the needed investment on education is carried out prior to introducing more testing. The EU can play a role in helping to increase the number of professionals in this field.
Most issues are sufficiently covered in this consultation.
Don’t know / no opinion / not relevant([ID58])
 
an organisation or a company(organisation-replying-as)
 
Barclays
 
Yes(yes-transparency-register)
72390466359-39
Company, SME, micro-enterprise, sole trader([ID6])
 
more than 5000 employees([ID9])
 
 
United Kingdom([ID52])
 
Banking([ID8])
 
Yes, I agree to my response being published under the name I indicate (name of your organisation/company/public authority or your name if your reply as an individual)(yes-contributions-publication)
• Barclays’ Accelerator programme allows us to enter into a process of reasonable length to understand Fintech start-ups’ proposition and work with them to develop their company and product so that we might be able to integrate their services. • Financial Technological innovations are more and more developed by banks with open processes that include customers, suppliers, outsourcers and start-ups. • It is worth pointing out that banks do a lot of fintech themselves, in the meaning of developing innovative, technology based financial solutions and services. • We see concrete benefits to enhance specific key business areas, products and/or services by leveraging: - solutions focused on cost reduction via improvement to processes or replacement of platforms/ IT solutions with either new business models or technologies; - solutions enabling banks to attract and on-board new customers, to improve customers’ relationship or to increase the offer of new and innovative products/services; - risk management; - cybersecurity (e.g. fraud detection and data protection); - regulatory (regtech); - current processing solutions in the payments or securities space. Allowing the testing of new technologies such as Distributed ledgers is of paramount importance. • Banks also have a lot to offer to Fintech startups, in particular, specific financial expertise (risk assessment, evaluation and management), scalability owing to their large customer base, as well as many years of experience in providing clients with regulatory-driven high levels of operational security. All of this is in addition to the substantial financing solutions offered by banks. The complementary strengths and weaknesses of both banks and Fintech startups mean that both will often do better by cooperating rather than by competing.
Yes([ID56])
• Innovation in artificial intelligence and big data analytics is driving the development of sophisticated forms of automated financial advice, including robo-advisors. • Robo-advice has already had a significant impact on the wealth management industry. It allows to significantly lower the price of financial advice, while offering consumers a wide range of choice in terms of services and customization capabilities. Therefore, robo-advice allows to reach the mass-affluent market that has traditionally been underserved. • More broadly digital tools, when combined with human advisors, can provide new and scalable means to bridge the increasing advice gap. • Controls are important to ensure quality of advice. The provenance of the advice should always be clear (and if the respondent is human or machine or both).
No([ID57])
• We do not believe that enhanced oversight of artificial intelligence is needed at this stage, and would consider regulating outcomes as the best approach in this area and in line with the principle of technology neutrality. • Financial institutions and other providers of automated financial advice tools already put in place a number of measures to ensure that the use of artificial intelligence and its underlying algorithm deliver financial advice that is well calibrated and tested before it is used in the market. • This includes the close involvement of human advisors in the design and oversight of automated advice tools, to ensure that the algorithm delivers the expected outcome. • Under the General Data Protection Regulation, financial institutions are required to satisfy accountability and transparency requirements and therefore the use of artificial intelligence will be subject to privacy impact assessment and oversight. • The reliability of algorithms could be further ensured by supervisors through the use of simulations to monitor the artificial intelligence system and control of methods and information used in the training of the machine. • This would also require a greater consideration of digital skills in the selection of staff among regulators and supervisory authorities to review financial institutions’ technological architecture. • We would welcome a standard definition of quality of outcome measurement as well as process controls that ensure human SME-knowledge has control on the outcome.
• We do not believe that enhanced oversight of artificial intelligence is needed at this stage, and would consider regulating outcomes as the best approach in this area and in line with the principle of technology neutrality. • Financial institutions and other providers of automated financial advice tools already put in place a number of measures to ensure that the use of artificial intelligence and its underlying algorithm deliver financial advice that is well calibrated and tested before it is used in the market. • This includes the close involvement of human advisors in the design and oversight of automated advice tools, to ensure that the algorithm delivers the expected outcome. • Under the General Data Protection Regulation, financial institutions are required to satisfy accountability and transparency requirements and therefore the use of artificial intelligence will be subject to privacy impact assessment and oversight. • The reliability of algorithms could be further ensured by supervisors through the use of simulations to monitor the artificial intelligence system and control of methods and information used in the training of the machine. • This would also require a greater consideration of digital skills in the selection of staff among regulators and supervisory authorities to review financial institutions’ technological architecture. • We would welcome a standard definition of quality of outcome measurement as well as process controls that ensure human SME-knowledge has control on the outcome.
• Transparency into underlying investments is critical. Controls must be in place to ensure the quality of information that is delivered to clients is both accurate and timely. • We expect constant development in this space for the foreseeable future as technology moves from initial development to maturity. Therefore, we believe it is more appropriate for regulators to focus on outcomes, rather than algorithms, in order to ensure customers are protected and treated fairly. • We believe it is too early to consider new regulatory measures as several existing EU legislations, including the General Data Protection Regulation (when it becomes enforceable in May 2018) and MiFID II, are already expected to mitigate potential consumer protection risks that could be linked to the lack of transparency, misuse of data, suitability assessments and consumers being ‘locked-in’. • We would support a certification of cognitive engines, the monitoring of training activities and the monitoring use of applications to ensure liability of each actor involved in the given service (e.g. cognitive engine provider, system integrator that trained the machine, company offering the service, user himself). • Any new channels for sourcing data could potentially increase cyber risks by effectively broadening the network. However, banks have demonstrated a robust and sustained commitment to ensuring the protection of customer information and integrity of financial systems and networks. Greater concern is around any requirements to allow open access to data or data sharing with third parties that may not have equivalent protections or are not subject to the same strict requirements around data security.
 Recital 47 of GDPR has specific provisions in relation to profiling for prevention of fraud and tax evasion, but explicitly expanding this to include cybersecurity and defence of financial services and payment systems would improve the ability of the implementation of AI solutions in the Security arena.
Don’t know / no opinion / not relevant([ID58])
 
 
 
 
 
 
 The use and application of Distributed Ledger Technology and ‘smart contracts’ can potentially enhance specific business areas within banks as well as the IT core banking system.  For example, Barclays processed the world’s first live trade finance transaction via blockchain in September 2016. The transaction facilitated the export of goods using distributed ledger technology developed by our partner Wave, a graduate of the Barclays Accelerator programme. The platform uses distributed ledger technology to ensure that all parties can see, transfer title and transmit shipping documents and other original trade documentation through a secure, decentralised network, eliminating many of the current inefficiencies in international trade and reducing the time taken for transactions to complete from 10+ days to just over four hours.  ISDA’s new initiative on the standardisation of data and processes for derivatives smart contracts, as announced at ISDA’s 2017 AGM. Note that Barclays publicly demonstrated a proof-of-concept in April 2016 comprising the negotiation of ISDA smart legal agreements on Barclays’ prototype user interface and the execution of the corresponding smart contract code on R3’s prototype Corda distributed ledger platform.
 Some of the most promising use cases of Fintech, that are being developed in partnership with other market players, to reduce costs and improve processes are:
 - Digitalisation of processes that facilitate the interaction with customers
 - Cloud computing, the aim of which is cost reduction, flexibility and scalability to respond faster to customer requests through a better use of IT resources
 - AI/Big data use can tailor financial products and services to meet consumers’ needs as well as facilitate better risk management and regulatory compliance.
 - Financial services robotics process automation can help reduce costs and increase quality through scalable solutions
 - Distributed Ledger Technology (DLT) has the potential to reshape financial services infrastructure. DLT may facilitate transfer of assets between parties without depending on a trusted intermediary to provide centralization of data or workflows.
 - Standardisation of business logic
 - Utility settlement token to support instantaneous settlement of trades
 - Cryptography to establish secure communication for financial services
 A one-size-fits-all regulatory approach is not conducive to technology innovation. Any new regulatory framework should be flexible, graduated and principle-based. Oversight should be tight to scale and the risks presented.  The European Commission and Member States have a role to play in promoting interoperability as a public policy goal, helping to map new priorities and fostering companies’ technology contributions to standardisation. The market-led approach has achieved enormous success and this model needs to be preserved, including in the global context.  A careful assessment is, however, needed in order to avoid conflicting standardisation and varying interpretations on for instance big data, cloud and cyber security and ensure that standardisation does not introduce systemic weakness into an environment or market.  Development of regulator-accepted industry standards for cloud computing which align to other areas of regulation (such as GDPR, PSD, NIS) would provide a strong joined-up narrative. It's suboptimal to leave individual Fintech/FIs/NBFIs to interpret the high-level guidance which currently exists at the national level.  It would be useful if the EU took a leadership role in developing standards and security requirements, and in defining the rules for items like segregation of access, network security, data protection, incident response, portability across providers, etc.
 Whilst the digitization and automation in the banking industry will reduce costs, it will not necessarily lead to an overall reduction in employment. FinTech and bank collaboration and the implementation of FinTech solutions can create new market opportunities and subsequently create new jobs.  However, financial firms face the challenge to re-skill existing employees, in particular with respect to digital skills. We also expect that employees with specific competences on ICT, data science, technology, engineering, cybersecurity and mathematics will be required.
 RegTech has the potential to transform the way financial institutions manage the regulatory environment, allowing them to be more efficient and dynamic in their response to new requirements and expectations.  We believe that the most promising use cases of technologies for compliance purposes are:
 - Identifications of clients and legal persons (including ultimate beneficial owners) for the purpose of Know-Your-Customer (KYC) requirements
 - Real-time transaction reporting to regulators including for anti-money laundering/counter-terrorism financing purposes
 - Fraud prevention
 - Automation of compliance reporting
 - Matching relevant regulation to internal policy and/or standard to furthermore understand the control impact