Putting the Reg into Tech
Fintech as a concept can be viewed as having two intertwined and converging strands - traditional financial services companies using technology to improve and deliver their services to their customers, and technology companies providing financial services directly to their own customers. Each poses different challenges.
Traditional financial services providers often struggle with legacy systems and processes that are inflexible and expensive to adapt, while technology companies, which are used to moving quickly, find themselves in an unfamiliar, heavily regulated environment, learning to work with regulators who take time to consider innovations and do not subscribe to an '80 / 20 rule'.
Regtech has also emerged recently as a focus area within the fintech space, and can be described as the application of technology in managing regulatory requirements. Examples include utilising vendor and customised software tools to track the multiplicity of regulatory obligations that exist in financial services, or indeed any business operating in a regulated or partially regulated environment, such as the use by asset managers of technology to pre-check trades against investment restrictions.
The benefits or otherwise of the EU are currently being hotly debated across the Irish Sea. Without getting into the broader debate, there is a broad range of EU financial services legislation which has, in our view, encouraged innovation and has given, and continues to represent, opportunities for Irish financial services and technology companies.
Take, for example, the Payment Services Directive (PSD), enacted in 2009, which targeted the creation of non-bank payment service providers across the EU. Through the use of the EU passport it allows firms established and regulated in one member state, such as Ireland, to provide those services not only across the entire EU, but also into the other European Economic Area countries such as Iceland, Norway and Liechtenstein. Under the passport it is not necessary to establish a branch, as services can be provided remotely on a services basis.
The internet is, of course, ideally suited to the provision of services remotely and the EU’s passporting regime allows consumers to avail of cross-border financial products and services such as investment funds, insurance and money transfer, and to pay for a multitude of products and services using a variety of payment providers by leveraging fintech solutions.
Non-traditional payment providers are also significant players in the area, particularly in the provision of solutions for paying for goods and services purchased via the internet.
To ensure continuing high levels of consumer protection, European legislators have recently updated the PSD. Due to be implemented in January 2018, PSD 2 will encourage the creation of the newly regulated services of payment initiation and account information services.
Payment initiators allow payments to be made by debiting an account, thereby allowing users to pay online without the need for a credit or debit card. Account information services will allow a consumer to have a single view of various accounts across different institutions. This latter service is likely to be a particular challenge for traditional banks, as it will require them to make their customer account systems accessible to new regulated third parties.
Data protection rules are also due to be enhanced with the introduction of the EU General Data Protection Regulation (GDPR), which will come into force in May 2018. The evolving data protection regime poses structuring and security challenges for those involved in financial services, in particular where there is convergence with technologies such as online and cloud, and recent cases in Europe have emphasised that the focus in developing products and services needs to be on the rights of the consumer.
The GDPR reinforces this individual rights-based focus, with some of the key changes to apply under the GDPR including the expansion of EU data protection rules to non-EU based data controllers who have EU-based customers, more specific consent provisions and a one-stop-shop from a regulatory perspective which will provide clarity for consumers (data subjects) as to the appropriate regulatory authority with which they should deal. Sanctions for non-compliance and enforcement will also be increased.
One of the clearest impacts of the increase in the availability and recognition of fintech has been the increasing focus by regulators, not just in the EU but globally, on the importance of cyber security. The European Banking Authority - which is a form of EU-wide bank regulator - issued guidelines on the security of internet payments in June of 2015, designed to improve the security of online payments. Locally, the Central Bank of Ireland has also recently focused its supervisory rules on IT security and has written to all firms outlining what is expected in the area. It is following through with themed inspections of selected firms, testing their approach to cyber security.
This increased focus from regulators will also be supported by legislative change. PSD 2 contains new legal obligations for strong customer authentication for all payment transactions. The concept of strong customer authentication is based on knowledge (something only the user knows), possession (something only the consumer has) and inherence (something the user is). This is designed to provide the highest level of consumer protection against identity theft online, in which 'knowledge' may be a traditional password or code, 'possession' could be in the form of a code card or similar device that generates transaction-specific credentials (solutions that are currently offered by some institutions), and 'inherence' could cover an iris scan or a fingerprint.
The interplay between new rules, such as those under PSD 2, and enhancements to existing requirements, such as through the GDPR, will play into how fintech product and service offerings develop into the future.
Anti-money laundering and terrorist financing rules are designed to ensure that all customers, and persons behind them, are identified and financial transactions are properly traceable. Online transactions, where there is no physical meeting with a customer, present an increased risk that the financial system will be abused by criminals or terrorists. Existing rules will be enhanced from June 2017. Firms will have to prepare more detailed risk assessments of their businesses from a money laundering / terrorist financing perspective, although the new rules also more clearly permit non-traditional methods of identification and verification, seeking a balance between facilitating commerce and restricting criminals and terrorists. As a result, identification and verification by the usual passport or driver's licence with copy utility bills might be gathered using new technology, or could be supplemented or replaced by alternative means of identification.
Regulators are moving to rely more heavily on data mining to supervise firms more efficiently and effectively. This has led to an ever-increasing amount of information being reported to regulators. Producing, managing and reporting large volumes of data requires a robust technical solution. This can be a challenge for regulated firms, but also represents an opportunity for software providers, and there has been a significant increase in firms providing reporting solutions for financial institutions. In many cases the data requested originates from an EU-wide requirement, or an SEC rule in the US, resulting in technical solutions that are scalable and exportable.
The constant changes in the regulatory environment present both challenges and opportunities for firms operating in the financial services space, whether traditional financial institutions or new disruptive technology firms. However, those changes also present opportunities, and technology firms in particular have an enormous opportunity to help meet these challenges with innovative technical solutions.
Ireland, as an existing fintech hub, is well placed to expand on these opportunities through continuing innovation. To capitalise on these opportunities, firms need to understand the new rules and regulatory requirements well, and to engage with the right partners to develop solutions that meet the needs of individual customers, but which are also scalable.
This article first appeared in Business & Finance on Wednesday, 1 June 2016.