Balancing the need for regulation with allowing innovative ideas to flourish is tough, and nowhere more so than in finance. That’s precisely why the UK’s progressive approach to regulating fintech companies stands out in Europe and the wider world. From virtual currency and cybercrime to the second Payment Services Directive and protection of customers’ best interests, founder and director of Ramparts EU law firm, Peter Howit; Locke Lorde global head of cards & payments Robert Courtneidge, Judith Rinearson, partner at Bryan Cave; and Jane Jee, Of Counsel at Bryan Cave, share their insights on five key regulatory hotspots facing payments and fintech companies, as part of The Bancorp’s Finetics™ Studio series.
1. Regulating new payment technology
For startups that want to be regulated, the process itself can be daunting, expensive and confusing. Especially in the cases where the relevant legislation was written before smartphones existed, let alone biometrics or cryptocurrency. The founder and director of Ramparts EU law firm, Peter Howitt, says: “The challenge operators face is that if some of the concepts themselves are fundamentally a bit anarchic, it can be expensive and hard work to try and understand where your services fit in the regulatory environment. “The concept of e-money itself is something that does not make a lot of sense, for example. When you add to that virtual currency, which really does look like what you would call e-money but is not e-money, it gets even more confusing,” he elaborates.
In the UK, the FCA has taken a proactive approach with the launch of things like Project Innovate and its regulatory sandbox - but the landscape remains tricky to negotiate.
Locke Lorde global head of cards & payments Robert Courtneidge says that while many new players initially enjoy relatively light touch financial services regulation, once they reach a critical mass and become more established, their activities come under far greater scrutiny from consumers, the media, government and financial regulators.
“If such reassurance cannot be found, there is a strong temptation to deliver the same strict levels of regulation that apply to banks, which could ultimately deter banking competition and diversity,” says Courtneidge. ”The challenge facing non-banks, as well as alternative banks, is to build the kind of trust that convinces consumers and, more importantly, regulators, that heavy restrictions are unnecessary. In an age where the smallest error or incident goes viral over social media within minutes, this is no easy task.”
2. Virtual currencies: where are the biggest opportunities and pitfalls?
Virtual currencies in particular continue to stoke hot debate from a regulatory point of view. For some, the concept unlocks one of the biggest opportunities ever created in financial services; for others, it’s a lawless landscape without accountability. Meanwhile, events like the Paris terrorist attacks in late 2015 reignited government concerns about virtual currencies. The European legal framework is now being adapted to take into account the fear that virtual currencies could be used with criminal/terrorist intent.
Nevertheless, the promise is great. As Courtneidge outlines, new blockchain-based payment networks have been developed that aim to provide a worldwide settlement framework which grants faster, cheaper and secured cross-border payments. Virtual currencies allow for domestic and international payments that can be settled directly without the need of third parties. Another advantage is that transactions in blockchain-based networks take place at almost zero cost and are confirmed within seconds or, at maximum, a few minutes.
“This opens up a number of opportunities in the money remittance space, providing a faster and cheap service for consumers, particularly relevant to developing countries,” says Courtneidge. However, he says one major area of concern is consumer protection, as there are no safety nets such as deposit guarantee funds available to alleviate losses. He also says that extending prudential supervision to virtual currencies will be difficult, if not impossible, so most regulators are now pondering how to regulate the points of contact between virtual currencies and fiat money.
“Virtual currency is something that throws up so many interesting questions about what and how to regulate,” says Howitt. “I’m keen to be part of solving how you marry currently unregulated funds or assets with regulated ones. I suspect it is easier than people think; it just takes a bit of a drive to do it in a way where you protect consumers.”
3. PSD 2 - What are the key challenges and opportunities for Europe?
The Payment Services Directive 2 (PSD2) is widely seen as a great piece of payments legislation for the industry, and has game-changing potential.
“The Payment Services Directive (PSD1) focused on non-bank service providers,” says Judith Rinearson, partner at Bryan Cave. “What is interesting is that PSD2 will have a significant impact on banks that is why we are hearing so much more about it.”
At a high level, the directive means banks are going to have to give access to their customer accounts to new payment service providers where a customer requests this. Furthermore banks will have to give accounts to money services businesses, or else objectively explain why they won’t do so to the Payment Services Regulator (PSR), which ultimately decides if that reason is good enough. Jane Jee, Of Counsel at Bryan Cave, points out that while this sounds like a simple requirement, in practice this will require banks to look at their current underwriting criteria, re-assess risk , provide new training for people accepting accounts, and create a new process for those that have been approved and disapproved.
“It forces banks to carry out more thorough risk assessments ,” says Jee. “This is coming at a point where they were told to de-risk and their reaction to that was to not grant or withdraw accounts from money services businesses. That reaction will no longer meet regulatory standards”
While the directive is going to be painful for the banks, for startups it’s a paradigm-shifting opportunity that their counterparts in the US will be envious of. Says Judith Rinearson, partner at Bryan Cave, “The same zero tolerance attitude to bank risk happened in the US and money service are very envious of their colleagues on this side of the pond,” she adds. “It could have a ripple effect and a lot of US companies are keeping their fingers crossed that it will.”
4. How will the role of the European Banking Authority (EBA) impact payment innovation in the future?
This bring us neatly to the topic of the EBA, an independent EU authority charged with ensuring effective and consistent regulation and supervision across the European banking sector. Under that remit comes helping to harmonise rules for financial institutions across the jurisdiction. There are questions, however, about whether it is equipped to do that task – as far as that task is possible in the first place.
Peter Howitt is concerned the EBA is being asked to do a number of things that it may not be sufficiently resourced to do, for example, in issues involving Anti-Money Laundering (AML).
“The EBA is trying to co-ordinate between states that reached different conclusions, and is then trying to smooth things out,” says Howitt. “That is a lot of work and you need a lot of resources.”
Another concern is that some of the guidance the EBA will produce will be at such a high level that there will be not be enough detail for national authorities to practically implement.
“It is likely that under PSD2 we’ll see national initiatives cutting across what the EBA has suggested,” says Jee. “PSD2 was supposed to solve the issue of different national authorities taking different views and this objective may be undermined in practice. . On the other hand the EBA may adopt some of the standards proposed by national authorities such as the Open Banking Standard recommended by the Open Data Working Group in the UK ”
However this is resolved, there is also likely to be a positive effect on payment innovation due to the EBA’s focus on security and consumer protection, which will be paramount to the success of future payment systems.
Courtneidge points to EBA guidelines requiring payment service providers to provide assistance and guidance to their customers in relation to the secure use of internet payment services. In particular, they will have to initiate customer awareness programmes to ensure that their users understand risks and best practices in internet payments.
5. Cybercrime – what’s the right approach?
Meanwhile, the threat facing both established and emerging finance companies alike is cybercrime. Constantly evolving, this is something financial institutions - or indeed any business that touches money - needs to take seriously.
Courtneidge points out that the cost of cybercrime to a business can range from a minor inconvenience to reputation damage, loss of customer data and fines. While most businesses now fully appreciate the potential severity that can arise from a cyber-attack, some still take a lacklustre approach to implementing good risk management – including educating staff on cyber-risks.
Amid the introduction of the General Data Protection Regulation, Data Protection Directive and EU/US Privacy Shield, the onus is on these businesses to insulate themselves from attack, protect consumers’ data, and enforce stricter security rules.
“Helping staff understand the part they play in keeping information secure is an essential first step, and educating staff on how to detect and deter common threats like phishing and social engineering can prove invaluable in helping to defend an organisation,” says Courtneidge. “Furthermore, Chapter 5 of PSD2 will bring in the new Network and Information Security Directive requiring registration on a national and EU basis of cyber-attacks in order to enable greater visibility of attacks facilitating a better response to them.”
The opinions, findings, or perspectives expressed in this content are those of the author and do not reflect the official policy or position of The Bancorp, Inc., its affiliates, or its or their employees.