Removing regulatory inconsistencies
• Conduct a ‘fitness check’ of existing financial services legislation to adjust to the digital market reality and ensure consistency.
• In the context of the ‘fitness check’ proposed, create a platform for discussion with the European Commission’s DGs to ensure consistency and that the initial aims are reached.
• Ensure the Digital Single Market balances competition and innovation with trust and security.
• Safeguard the right balance between data protection requirements and profiling for fraud prevention and creditworthiness assessment.
Removing regulatory inconsistencies
While it is recognised that financial services regulation has played an important role in the stabilisation of financial markets, development of the internal market, and implementation of consumer protection, it is also a fact that overlapping, conflicting and redundant regulation has been issued in several areas. What is more, the current regulatory framework has not yet properly or fully addressed the development made possible by digitalisation. As a result, a number of inconsistencies have been observed which are potential obstacles to the Digital Single Market becoming a reality.
Thus, the existing legislative framework should be fully assessed and updated where needed to ensure that it is still fit for the purpose of the new digital reality. The quality and coherence of financial services legislation will in this way be improved without reducing the obligations contained in the aforementioned principles.
The next few years will see a large volume of lower-level regulation (level 2) finalised in the financial sector. This work involves national and European financial supervisors and will introduce a large amount of new and more detailed regulation into the financial sector. Lower-level regulations risk introducing new obstacles to developing genuine digital services and enhancing the Digital Single Market in the financial sector. Any new requirements should be thoroughly thought through so as to meet the needs of the digital environment. A change in approach to the Digital Single Market by authorities is clearly needed in order to embrace the new digital reality.
Some inconsistencies are listed below, and whilst not exhaustive, they should serve as an indication of the necessity for a more encompassing consistency check to be conducted in the near future.
Anti-Money Laundering Directive (AMLD) vs. e-Identification Regulation (E-IDAS)
• In order to prevent money laundering, banks have an obligation to check the identity of their clients (Know Your Customer (KYC) obligations) as required by the Anti-Money Laundering Directive (AMLD). The obligations, as recently reviewed by the new AML Directive adopted this year (2015), still favour the physical presence of the customer for identification purposes. This could contradict the current objectives of the Digital Single Market to build smooth access to online products and services for customers whenever and wherever they wish. For example, some banks offering online products were obliged to request that a copy of the customer’s ID card be given to a national Post Office before they could contact the client. Technologies allowing for digital on-boarding should also be considered as equivalent and valid identification methods.
• We indeed observe inconsistencies within recently adopted EU legislation, notably between the eIDAS Regulation 910/2014 and the recently adopted 4th AMLD. The eIDAS Regulation clearly presents e-identification and e-signature as a new opportunity to facilitate the establishment of non-face-to-face business relationships. The 4th AML Directive, which is currently being transposed into national law, holds that entering into relationships with customers not physically present in a bank branch is inherently considered high risk [15]. The result is that banks, when selling digital services to new customers, must observe a more thorough KYC procedure than otherwise mandated. This may mean that customers need to provide physical copies of ID or other documentation before being able to close a deal. Such an intermediary step naturally eliminates much of the inherent advantage of digitalisation, namely accessibility and quick and easy communication. In essence, this is a conflict between the old standard of banking being something customers do at their bank branch and the new standard of banking being something done online. There is also a conflict between a move towards faster processing and more easily accessible banking products on the one side and the effort to combat money laundering and terrorist financing on the other.
• Furthermore, a reliable and consistent cross-border identification system would help digitalisation efforts and cross-border provision.
“If we want the European digital sector to thrive we should focus more on promoting a cultural change than on regulatory intervention”
Member of the European Parliament
Consumer protection & security vs. New Payment Services Directive (PSD 2)
• The first Payment Services Directive (PSD) adopted in 2009 provided the legal framework for the creation of an EU-wide single market for payments. The EU institutions have recently reviewed the Directive to help develop further an EU-wide internal market for electronic payments via the adoption of the Payment Services Directive 2 (PSD2). A balance has been sought between sometimes conflicting objectives such as innovation, user security, market integration, data protection, competition and consumer protection.
• The new Payment Services Directive (PSD2) stipulates that “account servicing payment service providers” (namely banks) shall make it possible for “payment initiation service providers” (third-party payment providers) to rely on the authentication procedures provided by banks to initiate a specific payment on behalf of the payer. This means that third-party payment providers will have access to client accounts and customer data via the banks’ infrastructure. The challenge is to ensure security and privacy for both banks and consumers, both of which will be affected in this new scenario. Indeed, the structure behind the functioning of certain payment initiation services/third-party payment providers potentially calls into question the banks’ measures to keep online banking secure and, per se, puts at risk the anti-money laundering and fraud prevention measures already in place. A clear liability framework, as well as appropriate technical standards, should be implemented to address fraud incidents and data protection. (See EBF Blueprint chapters on Digital Payments and better access.)
“You can’t use 18th century law for a digital world.”
Vice-President Digital Single Market, European Commission
Fight against cybercrimes vs. Network and Information Security Directive (NIS) / Draft General Data Protection Regulation (GDPR)
• The Network and Information Security Directive (NIS), currently under negotiation, must build on existing business practices with regard to the reporting of security incidents. Indeed, the banking sector already has efficient monitoring and reporting structures at national level (e.g. Computer Emergency Response Teams (CERTs), national central banks’ cybercrime centres). For this reason, it seems appropriate that, for the implementation of the NIS Directive, these existing structures be taken into account when defining the reporting authority.
• The current negotiations regarding the NIS Directive envisage a “national derogation clause” which could allow a Member State to define, within the same sectoral category of “critical market operators”, which entities fall within the scope of the Directive and which do not. Should this provision be adopted, a level playing field should be ensured by EU-wide common derogation criteria in order to identify which entities are in or out of the scope of the Directive.
• The Internet Service Providers (ISPs) and the Information and Communications Technology (ICT) providers must be included in the scope of the Directive as critical infrastructures. Indeed, the banking industry depends heavily on these ISPs and ICT providers who know the banks’ products and systems best, and who can react and report more efficiently.
• Finally, within the proposed NIS Directive and the General Data Protection Regulation (GDPR) negotiations, the banking sector might have to report to various competent authorities. For instance, if the “major incident” includes personal information, banks would have to report to the data protection national authority and to the NIS national competent authority. This double reporting is unnecessary and is onerous for banks.
• Regarding cybersecurity, banks’ priority project for the exchange of data on fraudsters and mules could be blocked due to insufficient legal grounds. As mentioned in the EBF Blueprint’s chapter on cybersecurity, the current Data Protection Directive and the future General Data Protection Regulation restrict the direct sharing between banks of indicators of compromise (IOCs) that contain personal information. Banks would advocate a more proactive and efficient way to process data in order to share incidents between banks. There are already organised financial industry fora which share IOCs. Nevertheless, the sharing could and should be improved by allowing these fora to exchange IOCs containing personal information. What is more, banks wish to have a one-stop-shop mechanism when notification is required as, currently, banks have to notify several authorities at the same time. Aggregation of incidents at a single point of contact, when they occur in several countries within and outside the EU, needs to be fast and efficient from the legal point of view.
“We’ve seen improvements but when you add it all together the result has not revolutionised true change in the way people make everyday transactions.”
Managing Director at Global Financial Institutions and FIS
Fraud prevention and creditworthiness assessment vs. Draft General Data Protection Regulation (GDPR)
• The legislation in force, such as the Consumer Credit Directive [16] or the new Mortgage Credit Directive [17], the Capital Requirements Directive [18] and the 4th Anti-Money Laundering Directive [19], requires banks to use data when conducting a creditworthiness assessment for risk analysis and for identification purposes (Know Your Customer). In order to satisfy the regulatory requirements linked to fraud prevention, anti-money laundering and the conduct of an objective creditworthiness assessment of applicant borrowers for thorough and safe lending practices, banks collect several kinds of data from their customers. National legislation often specifies in extensive detail the kind of data that needs to be collected. Profiling is therefore a crucial tool for banks to prevent fraud and money laundering or to support the development of “tailor-made” products or services for customers. Profiling, then, should not be perceived as simply negative. Rather, it is a measure based on a balance of interests: preventing criminal actions and building consumers’ trust in the digital economy as well as developing e-commerce.
• Currently, a number of provisions in the draft texts of the EU institutions on the General Data Protection Regulation (GDPR), under negotiation, limit profiling and data processing, implying that a large part of the data collected by banks will be difficult if not impossible to use. As a result, these provisions may contradict current requirements such as the abovementioned legislation and the new Payment Services Directive (PSD2) adopted by the EU institutions in June 2015 [20].
• For instance, the prevention of fraud and creditworthiness assessment are not covered by article 5 on ‘Principles relating to personal data processing’ or by article 6 on ‘lawfulness of processing’ of the draft General Data Protection Regulation (GDPR). At the same time, the new Payment Services Directive (PSD2) recognises in its article 84.1 a) on ‘data protection’ the prevention of payment fraud and allows the “processing of personal data by payment systems and payment service providers when this is necessary to safeguard the prevention, investigation and detection of payment fraud”. The question may also arise why this cannot be extended to the prevention of other types of fraud.
The current article 20 on profiling regarding automatic processing within the Council’s General Approach agreed in June 2015 [21] grants the data subject a right “not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects concerning him or her or significantly affecting him or her”. Such a right to manual processing may limit the scope of digitalisation for certain financial products and could prohibit or restrict risk assessment as part of lending practices.
These provisions may also be an obstacle to the development of data analytics (see EBF Blueprint chapter on data value chain/big data) whereas data analytics could improve customer experience, cybersecurity, fraud prevention and more generally the fight against over-indebtedness in the conduct of the creditworthiness assessment.
• In the context of building a Digital Single Market, it is also important that the forthcoming General Data Protection Regulation and any other data protection legislation do not hinder the intra-bank transfer of personal data. This should apply even when the branches between which the transfer takes place are located in different Member States. The same goes for the transfer of data between a front office in one Member State and a back office in another. This also means that the processing, storing, etc. of data should be regulated in the same way regardless of the Member States in which the receiver and the sender of the data are respectively located.
“I believe that we must make much better use of the great opportunities offered by digital technologies, which know no borders. To do so, we will need to have the courage to break down national silos.”
President of the European Commission
Different national consumer protection and contractual laws across the 28 Member States
• As expressly stressed in the Digital Single Market (DSM) Communication [22], one of the reasons why consumers and companies do not engage more in cross-border e-commerce is that national consumer protection and contract laws differ throughout the 28 Member States, and companies need to act in accordance with the host countries’ national consumer protection laws. This is also true for the retail financial services markets, which are still very fragmented, mainly owing to the different consumer/investor protection rules, despite the EU initiatives on consumer and mortgage credit or payment accounts. Despite banks’ willingness to develop cross-border activities, they have had to invest huge amounts to ensure they comply with national legislation on a daily basis (especially as national legislation is subject to regular review). In this instance, the resources invested for compliance purposes are not invested in the development of innovative solutions. This situation prevents consumers from benefitting from the most competitive and innovative online offers.
• A number of recently passed directives, such as the Consumer Credit Directive (CCD) [23], the Mortgage Credit Directive (MCD) [24] and the Payment Accounts Directive (PAD) [25], all have elements of consumer protection, without a particular focus on digital banking. It is therefore possible that these new directives do not adequately provide for banks moving ever closer towards digital platforms and services. Determining whether there are actual barriers to digitalisation requires in-depth analysis. Differing national implementations of these directives must also be considered, as these differences can cause barriers to both digitalisation and the cross-border provision of services.
• For instance, article 16 of the CCD obliges creditors to provide adequate explanations to the consumer on the proposed credit agreements and any ancillary service. There is a risk that certain Member States implement the provision in such a way as to hinder digital banking, for example by requiring the explanation to be given face-to-face, in writing or in some other way that is incompatible with digital banking.