During his State of the Union 2017 address on 13 September, European Commission President Juncker announced proposals to revamp the EU’s framework on cybersecurity and introduce additional measures on cybersecurity certification. While the Commission’s proposals are certainly timely, with the (what appears to be) continual threat of cyberattacks in Europe, it is arguable whether they will have the desired impact – considering the likely lengthy legislative process and the quickly evolving nature of cyberattacks.
What is more, it could be argued that the Commission has not sufficiently considered the particular needs of the financial sector when devising its cybersecurity strategy. Part of the problem for the Commission is that regulating emerging technology is no longer the same as regulating the technology sector, as technological innovation is ubiquitous across all sectors. In fact, concerns have been raised by the financial sector about whether the Commission’s proposed ePrivacy Regulation, a piece of ‘technology regulation’ which governs the privacy of electronic communications and complements (and in conflicting situations prevails over) the General Data Protection Regulation (GDPR), could have an impact on how companies process electronic communications data, for example incoming or outgoing malicious traffic in the context of cyber security.
The Commission has, however, already begun to regulate the use of technology in the financial sector in other ways. Motivated largely by the rise in the number of terrorist attacks in Europe, the European Commission proposed a number of targeted amendments to the Fourth Anti Money Laundering Directive (‘4AMLD’), including bringing ‘virtual currency exchange platforms’ (i.e. providers of exchange services that trade virtual currencies for fiat currencies, including wallet providers) within the scope of the 4AMLD. The Commission argued that “there is a risk that virtual currency transfers may be used by terrorist organisations to conceal their financial movements due to their anonymity” and that therefore “it is necessary to allow authorities to gain access to the necessary information (i.e. identities) in case of money laundering or terrorism financing.”
Virtual currencies, including new financial technologies (‘Fintech’) in a wider sense i.e. blockchain, robo-advice and innovative payments, are not regulated more generally at EU level and this proposed amendment therefore represents the first step towards specifically legislating these technologies. Anti-money-laundering (AML) strategies may provide some measure of defence against cybercrime for a number of reasons.
Firstly, as the Commission noted, virtual currencies themselves are susceptible precisely because they do not have the same level of AML controls imposed on them. In its report on the assessment of the risks of money laundering and terrorist financing affecting the internal market, the Commission stated that virtual currencies “appear to be significantly exposed to [such] risks” due to the “intrinsic limitation on identification and monitoring possibilities” and therefore that the current legislative framework at EU level “remains inadequate”.
Secondly, AML controls have shown themselves to be potentially effective at minimising the impact of cybercrime and reportedly helped minimise the harm resulting from the high-profile SWIFT-related hacks in 2016.
Thirdly, similar technologies also carry the possibility of improving AML, as well as making compliance with AML legislation more efficient for companies. Indeed, the European Supervisory Authorities (ESAs) are currently drafting an opinion on harmonising the use of Fintech solutions for AML purposes by financial institutions and national regulators in the EU.
While the Commission has been keen to regulate virtual currencies (relatively low hanging fruit considering their chequered reputation and links to illicit activities and terrorist financing), it has been much more hesitant when it comes to regulating the financial technology underlying these currencies, such as DLT or blockchain.
Having fallen behind the US and China when it comes to championing ‘unicorn’ start-ups (i.e. privately held start-up companies with a current valuation of US$1 billion or more), the EU tends to view Fintech as something which may help to enhance its role as a global player in financial services, as well as increase efficiency and strengthen financial integration. Wary that any such regulation may hamper innovation and cause undesired red tape for start-ups, the Commission set up a Fintech Task Force in 2016 to carry out this assessment.
Following its assessment, it is anticipated that the Commission will now unveil its plans in early 2018. Although the form of these plans is still unclear, the Commission will reportedly deal with a wide spectrum of Fintech related technologies, such as blockchain, robo-advice and crowdfunding. In addition, the Commission is expected to assess the impact of Fintech on existing legislation and consider whether amendments are necessary, as it has already done with the 4AMLD.
Close observers have suggested that the Commission will take as soft an approach as possible, continuing its attempt to encourage innovation through the likes of regulatory sandboxes, and legislating only where strictly necessary. However, the EU does not legislate in a bubble and a rise in terrorist attacks, cybersecurity breaches and public scepticism about Fintech could swing the tide of political momentum in favour of tight/tighter regulation.
Much like recent EU legislation on data protection has enshrined the principle of ‘data protection by design’ (i.e. each new service or business process that makes use of personal data must take the protection of such data into consideration), perhaps we will see a progression towards ‘anti-money laundering by design’, whereby companies experimenting with such technologieswould be encouraged to consider the associated AML implications and applications, as well as highlight the potential difficulties and advantages to regulators. This could help companies to reduce their risk of cyberattacks and facilitate compliance with AML legislation, as well as ensure that regulators produce legislation which takes into account the specificities of the financial sector.