But in its Discussion Paper on the EBA’s approach to financial technology the Authority is equally concerned that FinTech 'may change the risk profile of credit institutions as existing risks that are currently deemed to be immaterial may be amplified through the use of FinTech, prompting credit institutions to review their risk management frameworks and strategies.'
The EBA says a significant increase in overall operational risk has been witnessed in the last few years, including higher conduct risk, increased cybersecurity issues and digital fraud issues, and increased outsourcing risk. 'At the same time new or previously immaterial risks, such as the risk of mismanagement of personal data / lack of data privacy, seem to be amplified by the lack of expertise of human resources and the inadequacy of technology infrastructures.'
Therefore, the Authority opines, 'the potential rewards and opportunities that credit institutions aim to achieve by engaging with FinTech do not come without potential risks, which will need to be thoroughly and comprehensively assessed.'
Nor is the EBA ignorant of the competitive pressure credit institutions may face stemming from other operators entering their traditional markets. 'Business risk appears to remain one of the most important risks to manage as FinTech development may lead to further pressure on margins and related market shares for existing credit institutions which have bigger, less flexible and more expensive infrastructures.'
It points out that alternative lending platforms such as peer-to-peer lending can put pressure on the interest income from loans of existing credit institutions while new entrants offering commoditised products and services at lower costs, such as money transfers and brokerage, can reduce the fees and commission income of established players.
In addition, the EBA cautions, profitability could be affected by weaker customer ties due to improved efficiency and customer choice, leading to decreased opportunities for cross-selling products and services. 'Furthermore, the risk of investors moving away from incumbent credit institutions increases the solvency risk level. Changes in customer loyalties could also influence the stability of institutions’ funding.'
The EBA also says that given the growing digitisation of the financial ecosystem and the increasing reliance of credit institutions on interconnected IT systems, cybersecurity related risks are particularly relevant in the context of FinTech.
'As the FinTech developments entail the sharing of data across a wider set of parties with greater speed and increased automation in executing transactions, challenges around protecting data and the integrity of systems are likely to arise.
'Cybersecurity breaches can cause operational, legal and reputational issues and financial losses for institutions, and they can also undermine longer term confidence in new solutions, leading to lower adoption rates. Furthermore, the increasing interconnectedness between financial institutions and other service providers may create a risk of contagion within the financial sector as a whole.'
At the same time, the EBA believes, FinTech innovations may potentially pose a threat to financial stability due to, for example, disintermediation of regulated institutions or activities or the deep IT interdependencies between market players and market infrastructure, which could cause an IT risk event to escalate into a systemic crisis.
'Although the ultimate effect on established market participants and the provision of financial services is not yet fully known, the rapid pace and broad reach of FinTech developments indicate that further work on this area is required,' it concludes.
In preparing the latest Dicussion Paper the EBA undertook a FinTech mapping exercise last Spring, with 'competent authorities' in 22 Member States and 2 EEA States - the first time such an exercise has been conducted at EU level. They provided estimates on the current number and expected growth of FinTech firms in their respective jurisdictions and detailed information on a sample of FinTech firms.
The information obtained through this survey suggests that there are over 1 500 FinTech firms in the EU falling within the precise definition used by the EBA. But, it says, the true number is likely to be significantly higher because that estimate was based on informed by the data provided by the competent authorities in relation to firms falling outside their regulatory remits on a 'best efforts' basis.
More specific information was obtained in respect of a sample of 282 FinTech firms categorised into four clusters - credit, deposit, and capital raising services (Cluster A); payments, clearing and settlement services (Cluster B); investment services/investment management services (Cluster C); other financial-related activities (Cluster D).
Of the 228 firms, 18 per cent are payment institutions under the PSD, 11 per cent are investment firms under MiFID, 9 per cent are credit institutions under the CRD and 6.5 per cent are electronic money institutions under the EMD. A third (31 per cent) are not subject to a regulatory regime under EU or national law, 9 per cent are subject to a national registration regime and 5 per cent are subject to a national authorisation regime. The regulatory status of 8 per cent of the FinTech firms could not be identified. No firms in the sample were classified as credit intermediaries under the MCD.
The EBA notes that as some FinTech firms are subject to national authorisation or registration regimes 'there may be potential for divergences in the treatment of FinTech firms across the EU,' which might suggest a need for further investigation. In addition, the high percentage of FinTech firms not subject to any regulatory regime could suggest a need for further analysis of the activities of such firms.
The mapping survey identified two sandboxing regimes, four innovation hubs and seven 'similar approaches'. The EBA says these all appear to have varying features, suggesting the need for further analysis. It says it also raises the question of whether the means used to achieve the aim of sandboxing regimes, including the waiving of particular requirements and the eligibility of particular entities to be included in the sandbox, are in line with existing EU directives and regulations.'
The Authority says that in view of its consumer protection objective, the data suggests there may be merit in investigating the scope and nature of consumer protection requirements to ensure that consumers are sufficiently protected when using financial services offered by firms outside the traditional financial services sector.
In addition, recognising that it is not uncommon for financial institutions to use third party service providers, including for the provision of financial innovations, as business models change there may be some benefit in investigating arrangements governing the outsourcing by financial institutions of key services to ensure that robust governance arrangements are in place to mitigate outsourcing risk.
The Discussion Paper concludes that there is merit in the EBA conducting follow-up work on authorisation and sandboxing regimes; prudential risks for credit institutions, payment institutions and electronic money institutions; the impact of FinTech on the business models of these institutions; consumer protection and retail conduct of business issues; the impact of FinTech on the resolution of financial firms; and the impact of FinTech on anti-money laundering and countering the financing of terrorism.
The deadline for the submission of comments on the paper (EBA/DP/2017/02) is 6th November this year. After a three-month consultation period the EBA will assess the responses with a view to deciding what further steps to take during 2018.