A comprehensive package
The EU’s digital finance strategy has materialized, building upon extensive feedback from stakeholders and forming part of a comprehensive digital finance package released yesterday (September 24, 2020) by the European Commission.
LHoFT had the opportunity to co-organize the Luxembourg leg of the outreach which preceded the publication of this package, and our CEO Zubairi represented the local ecosystem’s perspective during the closing conference of said outreach. We would like to thank our counterparts in the European Commission for their collaborative engagement and the hard work that went into drafting an overarching digital finance package with a view on delivering for all stakeholders.
The Commission’s swift delivery on the digital finance package highlights the EU’s commitment to leading the world in providing a legal framework surrounding the adoption of digital innovation in financial services. In a nutshell, the different proposals contained in the package aim to create legal certainty and EU-wide definitions of novel concepts in finance and to introduce proportionate rules and regulation where appropriate in order to mitigate foreseeable risks. The EU explicitly recognizes the role of digital finance in delivering better products and services for consumers, in helping channel funding to SMEs, in supporting important policy objectives such as the Green Deal and the New Industrial Strategy for Europe, and in accelerating cross-border integration of financial markets. It is rewarding to see that this shared recognition is the driving force behind our work and that of our EU counterparts.
The Commission is aiming for a 2024 deadline to see many of the proposed changes across the finish line, with important interim milestones foreseen in the meantime – e.g. a pending EU strategy on supervisory data to be presented in 2021. Continued involvement of national authorities, businesses and civil society representatives is called for, which of course starts with an in-depth review of the proposed measures.
Seeing how the digital finance strategy and the associated package were only published yesterday and seeing how the proposed regulations and communications total several hundred pages, we are in the early innings of reviewing this comprehensive and ambitious body of text.
Nevertheless, based on a preliminary and non-exhaustive first reading, I will attempt to highlight some crucial elements of the strategy and its components below.
Elements of a strategy
The communication itself sets out the Commission’s vision and priorities in drafting the different proposals contained in the package.
The Commission’s strategy echoes many of the points we regularly make in this column and which we strive to promote with our partners, namely, that digital finance enables better financial products and services, fosters financial inclusion, facilitates funding for SMEs and ultimately, works to support the broader economic recovery and transformation that is called for not only in the wake of COVID-19 but also to address the challenges associated with climate change and ESG questions in general. The Commission also strives to strengthen what it calls Europe’s “open strategic autonomy in financial services” via adoption of a comprehensive set of rules and regulations and more indirectly but just as importantly, via reduction of the fragmentation within the single market. This is particularly pertinent to the payments space, as I discussed in this June blog post.
Eliminating fragmentation means making it easier for innovators to scale their products and services across the EU, reducing costs and delays, which in turn helps generate investment. At the same time, the Commission acknowledges that “faster, more open and collaborative innovation cycles call for regular examination of and adjustments to EU financial services legislation and supervisory practices, to ensure that they support digital innovation and remain appropriate and relevant in evolving market environments”. LHoFT actively supports the above.
Another priority area delineated by the Commission is the creation of a “European financial data space”, effectively moving from “open banking” to “open finance”. The creation of a “single market for data” is highlighted as a broader policy priority which feeds into financial innovation.
In order for “open finance” to become a reality, it is crucial to facilitate on-boarding via the use of interoperable digital identity solutions. This in turn requires improving upon the eIDAS regulation and harmonizing rules relating to technical requirements, AML/CFT and customer due diligence. Extending passporting to new areas of financial innovation, such as crowdfunding, moving towards an “EU sandbox” and establishing a dedicated digital finance platform together with EFIF constitute additional steps in the right direction.
A dedicated framework for DLT infrastructure and crypto assets
Particular emphasis is placed on financial markets infrastructure based on distributed ledger technology (DLT) and on the regulation of markets in crypto assets. To this end, a new regulation is proposed, and a pilot regime is laid out. These initiatives are motivated not least by a desire to create legal certainty. As the Commission explains, it is acting to address “wide recognition that the application of existing rules to crypto-assets and DLT-based business models can raise complex legal and supervisory questions”. The proposed pilot regime for DLT-based market infrastructure includes important limitations on the size and nature of “DLT transferable securities that can be admitted to trading on, or recorded by, DLT market infrastructures”, delineated in article 3. These limitations doubtlessly aim to limit potential fallout from unforeseen risks or improper implementation of DLT infrastructure, which is prudent given the critical contribution of financial markets infrastructure to the functioning of the economy at large.
When it comes to crypto-assets per se rather than infrastructure, the proposed regulation differentiates between utility tokens, asset-referenced tokens and crypto-assets referencing a single currency. Particular emphasis is placed on the regulation of asset-referenced tokens (e.g. “stablecoins”), as these are viewed as presenting significant systemic risks to financial markets. This conclusion was already reached in an April 2020 FSB consultative document. Given these risks and challenges, the Commission writes, issuers of stablecoins and similar asset-referenced tokens “should therefore be subject to more stringent requirements than issuers of other crypto-assets”.
Notably, prior authorization is required for stablecoin offerings and for their admission to trading unless the issuer is a credit institution (bank) already authorized under Directive 2013/36/EU. The proposed regulation specifies that “a competent authority should refuse authorisation where the prospective issuer of asset-referenced tokens’ business model may pose a serious threat to financial stability, monetary policy transmission and monetary sovereignty” and while supervision remains – at base level – a matter for national authorities, EU level concertation is already baked in: “the EBA, ESMA, and, where applicable, the ECB and the national central banks should provide the competent authority with a non-binding opinion on the prospective issuer’s application”. Furthermore, issuers of “significant” asset-referenced tokens and e-money tokens – the significance threshold remains to be defined – will also be subject to supervision by “colleges” consisting of, among others, representatives from the relevant national supervisors, the EBA, ESMA, and the ECB. The establishment of such “colleges” echoes those already in place for banks with cross-border operations. Issuers of asset-referenced tokens will also be subject to capital requirements.
The Commission’s regulation makes a point of distinguishing between crypto-assets referencing a single currency and e-money, with the latter providing a legally backed claim on the underlying fiat money per Directive 2009/110/EC. The Commission wants to avoid “regulatory arbitrage” in this space and thus proposes that only credit institutions and electronic money institutions may issue such “e-money tokens”.
Across the board, crypto asset white papers are required to inform prospective customers / investors of product characteristics and risks. Exceptions are made for assets that are offered for free, those addressed solely at qualified investors (per legal definition), those offered below “an adequate aggregate threshold over a period of 12 months” and for those offered “to a small number of persons, or that are unique and not fungible with other crypto-assets”. All in all, the Commission proposal places a great deal of emphasis on consumer protection and ensuring full disclosure of information. To this end additional protections are introduced, such as a right of withdrawal within a defined timeframe following acquisition of certain crypto assets.
While crypto asset service providers are to be supervised by national, rather than EU, authorities, ESMA and EBA are tasked with jointly publishing guidelines on systems and security protocols relating to crypto-assets, and ESMA is tasked with creating a register of crypto-asset providers in the EU in order to promote full transparency.
Digital operational resilience for the financial sector
As I recently wrote in these columns, cybersecurity is everyone’s business and cybersecurity goes hand in hand with IT/ICT risks. In its proposed regulation promoting digital operational resilience in the financial sector, the Commission states that “digitalisation and operational resilience in the financial sector are two sides of the same coin.” The Commission furthermore highlights that “there has been only some limited or incomplete focus on ICT risks in the context of the operational risk coverage” in the financial sector.
Filling these gaps has become ever more pressing as we emerge from the COVID-19-induced economic shock with a renewed emphasis on digitalization, and as the Commission writes, coordinated efforts are called for:
“Action at Member State level, however, only has a limited effect given cross-border nature of ICT risks. Moreover, the uncoordinated national initiatives have resulted in overlaps, inconsistencies, duplicative requirements, high administrative and compliance costs – especially for cross-border financial entities – or in ICT risks remaining undetected and hence unaddressed. This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.”
The aim of the proposed regulation is to remedy these shortcomings via a multi-pronged approach:
“This framework […] will enhance and streamline the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities, as well as introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers. The proposal will create a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities, and strengthen supervisory effectiveness.”
For some background on what the currently proposed regulation aims to build upon, consider the following quote from my September 11 column:
“In recent years, significant strides have been made towards the creation of a comprehensive supra- / international framework for the implementation and supervision of IT network risks, including but not limited to cyber risks, notably via the 2016 NIS directive which has since been transposed into national law across the EU, though with significant variability, as discussed here by Wavestone. For instance, some countries directly transposed security measures for essential information systems into law, whereas others rely on ISO/IEC 27001 certification.”
The Commission, by proposing new regulation, has no intention to do away with the NIS directive’s acquis:
“The initiative would maintain the benefits associated with the horizontal framework on cybersecurity (e.g. the Directive on Security of Networks and Information Systems, NIS Directive) by keeping the financial sector within its scope. The financial sector would remain closely associated to the NIS cooperation body and financial supervisors would be able to exchange relevant information within the existing NIS ecosystem”
Below we highlight a non-exhaustive list of key aspects of the proposed regulation:
- Governance-related requirements: “management body will be required to maintain a crucial, active role in steering the ICT risk management framework and shall pursue the respect of a strong cyber hygiene. The full responsibility of the management body in managing financial entity’s ICT risk”
- Risk management requirements relate to international best practice, set-up and maintenance of resilient systems and continuous evaluation of anomalous activities.
- Incident reporting: to be streamlined, with sharing between companies and authorities encouraged.
- Resilience testing according to proportionate requirements.
- Third party risk to be monitored and minimum aspects defined. The Commission references the 2017 recommendations on outsourcing to cloud service providers as precedent in this area, all the while highlighting that the financial sector’s dependence on a limited number of ICT providers is not adequately addressed by existing EU legislation. Articles 25 through 27 of the present proposal specifically deal with considerations and procedures which financial entities need to undertake in order to assess and mitigate against the risk of over-reliance on a single or a few ICT providers whose services cannot easily be substituted.
The Commission package on digital finance and its accompanying digital finance strategy are an important endorsement of the transformative potential which digital finance and financial innovation represent for the EU’s economy. By seeking to establish legal certainty around crypto assets, proposing a pilot regime for DLT financial markets infrastructure and further enshrining ICT and cyber risk management in all levels of financial operational risk management, the package lays the foundation for a modernized European legal framework in lockstep with the dynamics of private sector innovation.
We look forward to supporting these reforms and to providing additional feedback and analysis over time.
Author: Jérôme Verony – LHoFT Research and Strategy Associate