Report calls on EU to take charge of FinTech and RegTech
Chris Hamblin, Editor, London, 17 December 2019
A group of experts on regulatory obstacles to financial innovation has produced thirty recommendations for the technology-enabled provision of financial services in the EU. These span such subjects as the prevention of money laundering, the protection of consumers from sharp practice, the sharing of data, governance and operational resilience in the financial sector.
The recommendations cover all segments of the financial sector, all types of novel technologies and a wide range of business cases. The report groups them into four categories.
- The need to adapt regulations to respond to new risks caused by the use of innovative technologies such as artificial intelligence and distributed ledger technology and take up emerging opportunities with respect to RegTech or SupTech (Recommendations 1-12).
- The need to remove regulatory fragmentation and ensure a level playing field between incumbents and new market entrants, both FinTech start-ups and BigTech firms, across the entire EU (Recommendations 13-24).
- The necessity to reconcile the regulation of personal and non-personal data with the opportunities and risks offered by FinTech (Recommendations 25-28).
- The need to consider the effect that FinTech might have from the perspective of financial inclusion and the ethical use of data (Recommendations 1 and 29-30).
A truckload of new regulations
The 30 recommendations are as follows. They all involve the EU centralising its grip on national laws, practices and/or regulators.
Recommendation 1 – Explainability and interpretability of AI and associated technologies. The EU should come up with new rules, perhaps sector-specific or 'horizontal' ones, in this area.
Recommendation 2 – Firms’ internal IT governance. The EU should require financial firms to build adequate levels of IT governance and technological expertise at the appropriate level of management, which might include their boards.
Recommendation 3 – Supervisors’ understanding of technology. Here the researchers are under the impression that national regulators require approval from the EU before they can attempt to understand the use of technology in financial services, its associated risks and opportunities. They therefore call on the EU to grant them this permission.
Recommendation 4 – Cyber resilience. The powers-that-be should develop a coherent and proportionate cyber resilience testing 'framework' (a catch-all word that the EU uses to mean 'thing') for the financial sector.
Recommendation 5 – Outsourcing guidelines and certification or licensing. The EU should regularly monitor the extent to which financial institutions outsource 'critical services.' It should assess the IT they use to deal with concentration risks, operational risks and systemic risk, keeping an eye on outsourcing guidelines and how well they hold up in the face of technological developments, new risks and new market conditions. In the end, it should think of imposing a certification or licensing regime for (presumably unregulated) 'third parties' that provide technological services to regulated entities.
Recommendation 6 – Distributed financial networks. The EU should clear up the regulatory landscape in this area. It should apply the established terms and concepts of existing regulation (the report cites such acronyms as SFD, FCD, CSDR, EMIR, MiFID, the SIPS Regulation and AMLD) in view of the shift from bilateral relationships to a multilateral environment where functions can be attributed simultaneously to several parties. It should also say how firms should deal with problems relating to operational resilience and higher exposure to cyber risks (especially with regard to private key management) or systemic network failures.
Recommendation 7 – Crypto-assets. The EU, international standard-setters and other relevant authorities should step up their efforts to assess the adequacy and suitability of existing rules in this area, looking at the absence of a global taxonomy in respect of crypto-assets, related risks such as money laundering, terrorist financing and tax evasion, governance and operational resilience, how to protect clients' assets (segregation has a part to play here), redemption rules, disclosure requirements, systemic matters, the prudential consequences of crypto-assets, and pegging and foreign exchange conversion mechanisms.
Recommendation 8 – Commercial law of crypto-assets. EU legislation is required here.
Recommendation 9 – RegTech and SupTech. The EU should develop and implement a comprehensive and ambitious agenda to support the adoption of these things by the financial sector.
Recommendation 10 – The EU-wide standardisation of legal terminology and the classification of 'actors,' services, products and processes. This must take place.
Recommendation 11 – Human- and machine-readable legal and regulatory language. The EU should formulate some kind of strategy to help itself catch up with the UK's Financial Conduct Authority and impose its supremacy in this area.
Recommendation 12 – Regulatory clearing. The report likes the idea of regulatory clearing houses, i.e. arrangements capable of:
- centralising (presumably this refers to an EU-wide centralisation) the automated dissemination of rules to regulated entities;
- receiving incident and reporting information from regulated entities; and
- collecting data from the markets.