The European Commission consults on its approach to FinTech



PAYMENTS & FINTECH LAWYER

On 23 March 2017 the European Commission published a consultation document on its policy approach towards technological innovation in financial services (‘Consultation’). The Consultation sets out three core principles of technological neutrality, proportionality and integrity and presents a broad and open discussion about whether current EU regulatory frameworks foster technological innovation; responses must be submitted by 15 June 2017. In this article, John Casanova, Max Savoie and Vishnu Shankar of Sidley Austin LLP detail the contents of the Consultation and explore the Commission’s thinking, before discussing related data privacy issues and concluding by assessing how Brexit has and will continue to affect the Commission’s thinking in this area.

The overall message is one of encouraging innovation, competition and growth in the FinTech sector. However, the Consultation is littered with suggestions that the Commission is not afraid to extend the regulatory framework further into the FinTech sector - particularly where it sees this as necessary for data privacy and security, consumer protection or financial integrity and stability. In this light, the Consultation should be seen as much as a potential framework for future regulation as a call to promote the role of FinTech in the EU.

The Consultation discusses a broad array of applications of new technologies to financial services, including payment services. This discussion is structured under four overarching policy objectives against which the opportunities and risks of various FinTech activities are considered:

1. fostering access to financial services for consumers and businesses;

2. bringing down operational costs and increasing efficiency for the industry;

3. making the single market more competitive by lowering barriers to entry; and

4. balancing the benefits of increased data sharing and transparency against data security and privacy risks.

This article explores the Commission’s thinking on certain substantive FinTech areas under these stated objectives, including access to payment accounts, distributed ledger technology and the use of technologies for compliance purposes. We then discuss data privacy issues arising from the growth of FinTech and conclude by assessing how Brexit has and will continue to affect the Commission’s thinking in this area.

Interoperability and standardisation: PSD2 and beyond

The Consultation emphasises the importance of interoperability of systems and applications in the delivery and management of financial services. The Commission argues that such interoperability depends upon strong standards that allow technology and financial services providers to develop product and service offerings that can integrate and interact with the broader financial infrastructure. The Commission also states that it and the European Supervisory Authorities “stand ready to provide further support in bringing the key players together to make tangible progress with the development of common standards and interoperability.”

The Commission cites reforms under the revised Payment Services Directive (‘PSD2’) as a key example of how the European legislator is already starting to shape the regulatory framework for payment services around these principles.

PSD2, which EU Member States are required to implement into national law by 13 January 2018, brings certain so-called ‘third party providers’ within the scope of the EU regulatory framework for payment services. These soon-to-be-regulated third party providers include firms that provide payment service users with the means to access information about their accounts with other payment service providers such as banks (‘account information service providers’) and firms that enable users to initiate payments from such accounts (‘payment initiation service providers’). PSD2 requires the account servicing payment service provider to grant access to such third party providers on objective and non-discriminatory terms and includes provisions (at Articles 66(5) and 67(4)) that suggest that an account servicing payment service provider may not be permitted to restrict access to third party providers that refuse to sign up to its terms and conditions or otherwise enter into a formal contractual relationship with it. Further, regulatory technical standards under PSD2 prescribe certain rules regarding how account servicing payment service providers should interact with such third party providers.

The Consultation suggests that the Commission may seek to extend such regulatory measures for ensuring interoperability and standardisation to other areas where it perceives that market entrants in the FinTech space face barriers to access as a result of the existing market practices of incumbents, including restrictions on accessing proprietary data. This would be in line with the Commission’s stated objectives of promoting competition and innovation. It is difficult to predict at this stage which areas the Commission will see as warranting such regulatory intervention. However, we can expect the Commission to watch the development of the FinTech market through this lens and to consider carefully any representations made by FinTech firms regarding barriers to market access.


A Cecile Park Media Publication | May 2017

Distributed ledger technology: Act now or watch and wait?

Another area of focus in the Consultation is distributed ledger technology or ‘DLT.’ The Commission does not attempt to provide a formal definition of DLT but describes it as ‘a type of database that is spread across multiple sites, countries or institutions, and is typically public for all participants, whose activities are encrypted.’ By comparison, the UK Financial Conduct Authority (‘FCA’), which issued a discussion paper on DLT in April 2017, describes DLT as ‘a set of technological solutions that enables a single, sequenced, standardised and cryptographically-secured record of activity to be safely distributed to, and acted upon by, a network of varied participants.’ In this regard, DLT contrasts with a traditional centralised ledger system that is owned and operated by a single administrator.

DLT has a number of uses including in transactions, asset holdings and identity data, and even self-enforcing smart contracts. Blockchain, which is the technology behind Bitcoin and other cryptocurrencies, is a type of DLT through which records are collated into ‘blocks’ and linked using a cryptographic signature.

The Commission is broadly positive about the role DLT systems could play in increasing efficiency by improving processes and “making resource-intensive back-office functions redundant.” It predicts that “[i]n the longer run, DLT systems could also disintermediate many market players, further reducing transaction costs.”

In particular, the Consultation highlights the potential for DLT to disintermediate certain payment processes. The Commission suggests that in the area of international (non-SEPA) payments, DLT could speed up both transfer and settlement, which it argues would reduce liquidity and operational costs by obviating the need for correspondent banking.

The Consultation also discusses how DLT could improve financial and regulatory reporting. The Commission’s thinking here is that DLT may support automated reporting both to investors and regulatory authorities with increased reliability and at reduced cost. This forms part of a wider discussion on the use of technologies for compliance purposes (see the ‘RegTech’ section below).

However, as with other FinTech developments discussed in the Consultation, the Commission emphasises that DLT presents a number of risks. These include:

• technological, operational and regulatory challenges in terms of scalability, interoperability, standards and governance;

• data privacy and digital identity management issues in terms of ensuring fair and secure access to data stored on a distributed ledger;

• jurisdictional issues as regards the law applicable to distributed ledgers;

• liability issues as regards the ultimate responsibility for events taking place on the ledger;

• the question of legal recognition that distributed ledger data is true and accurate, and ‘has legal value’; and

• financial stability risks if and when DLT becomes more widespread.

The key policy question here is how far legislators and regulators will be willing to ‘watch and wait’ to see how the market develops before intervening to prescribe some form of tailored legal framework for the use of DLT in the financial sector. This is likely to depend, at least in part, on whether firms using the technology are proactive in developing risk management tools and contractual frameworks that address the concerns listed above.

John Casanova Partner

Max Savoie Associate

Vishnu Shankar Associate

Sidley Austin LLP, London

RegTech: A promising start but not a silver bullet

The Consultation specifically invites comment on the use of technologies for compliance purposes or so-called ‘RegTech.’ The Commission does not give specific examples but is generally positive about such developments, stating that they have the potential to reduce regulatory compliance costs and provide an opportunity for regulators to access data more easily and to ‘customise the compliance requirements.’

The automation of AML and sanctions screenings is already a common use of RegTech. Regulated firms across a number of markets, including payment services, use such automated screening processes in support of their ‘know your customer’ or ‘KYC’ processes when on-boarding new clients or as part of ongoing transaction monitoring. The automation of such processes is generally supported by regulators. For example, the FCA Guide to Financial Crime cites automated transaction monitoring processes as an appropriate tool for larger regulated firms. However, automated compliance processes and other RegTech solutions are unlikely (in the near to medium term at least) to ensure compliance with such requirements on their own. Escalation procedures and human-led risk assessments and spot checks of automated processes are still essential and for AML will become even more important once EU Member States have transposed the Fourth EU Money Laundering Directive (or ‘4MLD’), which they are required to do by 26 June 2017. This is because 4MLD removes certain exclusions and exemptions under its predecessor and generally requires firms to take a more robust risk based approach to customer due diligence. Demonstrating a reasoned human thought process in assessing and escalating AML concerns is likely to be seen by regulators as a key part of implementing the changes required under the new Directive.

It also remains to be seen whether regulators will treat RegTech solutions for other areas of compliance, such as reporting and conduct of business obligations, with the same enthusiasm as they have for KYC and transaction monitoring. Although there may be some commonalities across these areas, firms will need to be mindful of the different risks and supervisory approaches across different compliance requirements when designing, implementing and operating RegTech solutions.

FinTech in the data economy: managing privacy and security issues

The Consultation considers that enhanced data sharing and transparency in the FinTech ecosystem are essential if the promise of FinTech is to be fully realised. It also acknowledges that such data sharing and transparency may, in turn, raise concerns regarding privacy, data management policies, data standardisation, data sharing, and systems resilience. The flurry of recent EU legislative developments regarding privacy and data security - notably, the General Data Protection Regulation (‘GDPR’), Security of Network and Information Systems Directive (‘NIS Directive’) and the draft ePrivacy Regulation - are likely to mean that these issues will continue to be at the heart of the FinTech policy debate for the foreseeable future.

The Consultation highlights a number of promising data-driven FinTech developments:

• Artificial intelligence and big data analytics. These can broaden and improve access to financial services (e.g., through robo-advice) for individuals in the EU by lowering costs and ensuring financial advice is tailored to individuals. Automated processes (e.g., behavioural profiling) can, however, raise consumer protection and privacy concerns, because they can generate adverse legal and economic outcomes. For example, automated credit algorithms may deny credit for individuals based on erroneous and opaque considerations leaving them with only limited remedies. Perhaps unsurprisingly then, the GDPR contains restrictions regarding profiling and the automated processing of personal data, of which FinTech firms will need to be mindful as they go about designing technology and businesses.

• Social media and automated matching platforms. Crowd-based activities and social media can improve access to funding for small and medium-sized FinTech enterprises by connecting borrowers and lenders through matching platforms, as the Consultation notes. Big data analytics, by providing credit scoring information, for example, can also improve informational efficiency and reduce information asymmetry, thereby allowing firms and individuals to access each other where they may have been previously inaccessible. Still, as the Consultation acknowledges, crowdfunding raises questions about how personal data is collected and used. Investors and lenders may need to comply with notice and consent requirements before individuals’ personal data can be used within the FinTech ecosystem.

• Sensor data analytics and the Internet of Things (‘IoT’). The Consultation considers that the combination of new sensor technologies and big data analytics can be transformative for the financial services sector, notably the insurance sector. For example, data collected from sensors in everyday devices (such as cars, and other devices within the so-called IoT¹) could allow insurance premiums to be tailored for individuals, and insurance products to cover bespoke, previously un-insurable, risks. These new sources of data could also help lower entry barriers for FinTech businesses by reducing their dependence on data held within data silos of legacy financial services firms. Nonetheless, by its very nature, data collected through the IoT because ‘they touch people’s daily lives, reduc[e] their space for privacy’ raises privacy concerns. Concerns may include ‘can individuals effectively consent to data collection by third party devices within their close personal proximity?’ and ‘can such everyday devices be kept secure from proliferating cyber threats?’

• Cloud computing. The outsourcing of data processing and cloud-based storage can, as the Consultation acknowledges, give FinTech firms, particularly startups, ‘substantial flexibility’ in terms of scaling their business solutions, and allow for more efficient use of their (often limited) capital. Still, cloud computing within FinTech raises cyber security, compliance and operational concerns. This is particularly so for regulated FinTech entities which, despite outsourcing IT functions to third parties, will need to nonetheless ensure proper oversight over, and continue to retain responsibility for, such IT functions.

• Cryptography. Developments in cryptography (notably in DLT models) may improve security and reliability in the storing and sharing of data, particularly when data is ported between various service providers (ensuring data portability is also a GDPR requirement). Cryptography and other security enabling technologies will be critical for FinTech firms, not the least because of the emphasis on cyber security in the GDPR and NIS Directive.

Privacy and security will need to be considered by FinTech firms from the design phase of new products and services, well before their go-to-market phase. The GDPR’s emphasis on ‘privacy by design,’ backed up by the threat of significant fines and aggressive regulatory enforcement, means that privacy professionals will have a seat on the FinTech high table for the foreseeable future. Overall, the Consultation is not only a cheerleader for data sharing and transparency within FinTech, but also a call to arms in respect of privacy and security issues.

How does Brexit affect EU FinTech policy?

A formal and open discussion at EU level on FinTech is arguably long overdue and the Consultation is most likely a culmination of ideas that have been kicked around in Brussels for some time. However, the ‘facts on the ground’ and the tone and timing of the Consultation suggest that Brexit is a significant factor in the Commission’s thinking.

The UK has been highly successful in attracting FinTech firms over the last decade, particularly in the areas of online lending and payment services. The UK’s relatively liberal corporate law and financial regulatory frameworks, as well as the network benefits of London as a financial hub and the skilled human capital the City attracts, have made the UK a promising destination for would-be FinTech firms. Fledgling startups with low sunk costs but limited capital resources have also had a relatively high level of success in finding investors and access to finance in the UK, which has helped spur growth in the sector.

Against this background, the Consultation is arguably a call for the EU27 to compete with the UK for FinTech business after Brexit. For example, the Commission talks of a ‘thriving and globally competitive European financial sector’ and sets the Consultation within the context of ‘ensuring the EU economy, industry and citizens take full advantage of digitisation.’ The concurrent Commission and FCA consultations regarding DLT are an obvious example of the potential for regulatory competition in this area.

The Commission’s pitch is likely to be supported by other EU institutions. The rapporteur leading on FinTech issues in the European Parliament is reported to have claimed that the EU27 could displace the UK as the world’s top FinTech hub by lowering barriers for firms inside the single market as London finds itself excluded. As an exiting member of the EU, the UK’s influence in shaping the direction of EU policy on FinTech is likely to be greatly diminished and there are reports that UK officials have been largely excluded from the discussions behind the Consultation. However, policies which severely restrict UK FinTech firms from accessing the EU Single Market are unlikely to benefit the EU27 as any positive displacement effect for the bloc could be outweighed by the loss of network benefits that would result from cutting off UK firms and the knowledge and experience they could bring to the rest of Europe. Moreover, once engaged in a more substantive debate on how best to regulate certain areas of FinTech, the European legislator and the various interest groups represented within the EU’s institutions may be tempted to extend existing regulatory regimes in a manner that could ultimately hinder rather than help the competitiveness of the EU’s FinTech market.

How this plays out will naturally depend on the extent of transitional arrangements between the EU and the UK and the terms of any future EU-UK free trade agreement, particularly for market participants that operate on a cross-border basis within the existing regulatory perimeter (e.g. payment institutions that rely on EU passporting rights)². However, it stands to reason that both UK and EU policymakers will be keeping a close eye on the Brexit negotiations as they develop their respective frameworks for FinTech.

Conclusion: Building a framework on shifting sands

The Consultation provides some insight into the Commission’s current thinking on FinTech and is a good opportunity for firms with an interest in this area to engage with the EU legislator on the institution’s role in FinTech developments. The Consultation is likely to be the first step along the way to a substantive EU policy framework in this area and could lead to changes to existing regulatory frameworks or even to the development of new regulatory regimes for certain FinTech activities. Promoting competition and market access for perceived innovators and managing the risks that accompany such developments, particularly data privacy and security, are likely to be central pillars in any EU regulatory reforms in this area.

In the payments sector, PSD2 provides an initial framework for the use of FinTech solutions for users to access their payment accounts and the Commission may decide to adopt a similar approach to promoting competition and innovation in other parts of the sector. Other developments such as the use of DLT and RegTech, and the plethora of other data driven FinTech initiatives, are likely to be monitored closely by the Commission and other legislative and regulatory authorities.

Industry participants would also do well to remember that this policy initiative is not developing in a vacuum. Market developments and the EU’s Brexit negotiations with the UK are likely to have a significant bearing on where this initial Consultation leads the EU in the years ahead.

The views expressed in this article are those of the authors alone and do not necessarily reflect the views of Sidley Austin LLP or its clients.

1. Curiously, the Consultation does not directly refer to the ‘Internet of Things,’ though this term is extensively used by the European Commission, notably in its recent Communication ‘Building a European Data Economy’ (January 2017).

2. See further Brexit and UK Payments in Brexit: Likely Legal Consequences (Cecile Park Media, July 2016).
