On 12 July, the European and Securities Markets Authority (ESMA) published its Report on the licensing of FinTech business models (the Report) as part of the European Commission’s wider FinTech Action Plan. While ESMA concluded in its report that it was not necessary to put forward any recommendations to the European Commission to adapt the current financial services legislative framework to address innovative business models in the FinTech industry, the Report did set out some of the key challenges National Competent Authorities (NCAs) are facing in regulating FinTech firms.

ESMA prepared the Report using the results from two surveys sent to NCAs. The first (carried out in January 2018) focused on collecting information from NCAs about the number and nature of regulated and unregulated FinTech firms, how the business models of these FinTech firms fit within the existing rules and whether NCAs considered any regulatory action at national level necessary to accommodate such business models. The second (carried out in January 2019) was conducted to update ESMA’s knowledge about the FinTech market and clarify how the principles of proportionality and flexibility within financial services legislation were applied in relation to FinTech firms.

Which firms were in scope of the Report?

In the surveys to NCAs, the following Financial Stability Board (FSB) definition of “FinTech” was used:

“technology-enabled innovation in financial services that could result in new business models, applications, processes or products with an associated material effect on the provision of financial services”.

In line with ESMA’s mandate, the FinTech firms within scope of the surveys were limited to those firms that provided:

  • clearing and settlement functions;
  • capital raising;
  • investment management and investor services; or
  • market support.

Firms that provided functions relating to deposits, lending, insurance or payments were excluded from scope (as these firms were within the remit of the European Insurance and Occupational Pensions Authority (EIOPA) and European Banking Authority (EBA)).

Using this definition of a FinTech firm, NCAs reported that the large majority provide investment management and investor services (around 70%), with less than 1% providing clearing and settlement services. In terms of types of innovative models, online platforms made up just under half (43.9%) of FinTech firms, followed by cloud computing (22.9%) and application programme interfaces (17.3%).

What are the key themes from the Report?

No changes to legislation recommended

The key conclusion of the Report was that aside from crypto-assets, ICOs and DLT, there were currently no regulatory gaps in the relevant EU legislation. This conclusion was line with the conclusions from EIOPA and EBA on the same point.

Most NCAs reported to ESMA that the current framework provided sufficient flexibility when authorising or licensing FinTech firms, and there has not been a need to develop a specific licensing regime for innovative business models. NCAs authorise financial activities and not the underlying technology.

There is divergence among NCAs on what constitutes a “FinTech” firm

Although a standardised definition (from the FSB) was used to formulate the surveys, the Report noted that there was divergence among NCAs around which firms to include. Some NCAs would include within the scope of FinTech firms any existing firms carrying on FinTech activities, while other NCAs would exclude such incumbent entities from the scope. Further, as unregulated FinTech firms are outside the perimeter, it was difficult for NCAs to report on the total number of FinTech firms in each jurisdiction. The figure for the total number of unregulated FinTech firms was reported as 328 (excluding the UK), although this was likely understated. (The UK estimated its combined total of regulated and unregulated FinTech firms to be over 1600.)

Regulation of platforms may be overly onerous

A key theme arising throughout the Report was the recognition that some of the licensing requirements for small-scale trading platforms were disproportionately onerous for new entrants, with limited flexibility to apply the requirements in a proportionate way. The capital requirements and specific compliance rules on multi-lateral trading facility (MTFs) in particular were highlighted as potential barriers to innovative entrants. ESMA noted that the licensing requirements for such small-scale platforms may need to be analysed from a proportionality standpoint.

Regulatory sandboxes and innovation facilitators continue to play an important function

The Report noted the role that regulatory sandboxes and innovation facilitators had an improving level of engagement of FinTech firms with their NCAs. Sandboxes provide an opportunity for FinTech firms to better understand regulatory expectations, and enable NCAs to increase their understanding of the risks and challenges posed by FinTech firms. The FCA’s regulatory sandbox was called out in particular as a device which can influence the regulation and business model of FinTech firms.

Crypto-assets continue to cause concerns

Although crypto-assets, ICOs and DLT were expressly carved out of the surveys completed by NCAs, the Report noted that “the relevance and importance of crypto-assets, ICO and DLT issues was deemed of such urgency” that NCAs nevertheless submitted comments on the licensing of such activities. As we have previously highlighted, the regulatory regime surrounding crypto-assets remains uncertain, and ESMA confirmed in this report that they are continuing to seek supervisory convergence on this topic.

FinTech in the wider context of cyber-security and risk management

The Report also noted that NCAs had referred to cyber-security risks when considering FinTech business models, and had requested prescriptive provisions dealing with these risks at an EU level. ESMA noted that there were two recently published Joint Advices considering these risks: one on the need for legislative improvements relating to ICT risk management requirements in the EU financial sector (the ICT Risk Management Advice), and one on the costs and benefits of developing a coherent cyber resilience testing framework for significant market participants and infrastructures within the whole EU financial sector (the Cyber Resilience Testing Framework Advice).

The ICT Risk Management Advice set out sector specific legislative changes to support risk management, as the ESAs considered that there was currently a lack of specific references to ICT and cyber-security risk. It was also noted that efforts should be made towards harmonisation of terminology, templates and reporting timeframes across different financial services sectors, as there were currently inconsistencies.

The Cyber Resilience Testing Framework Advice concluded that the benefits of establishing a cyber-resilience testing framework outweighed the costs, and considered that the European Commission should set out an explicit legal basis for the development and implementation of a coherent framework across the sectors under the remit of all three ESAs, with the ESAs also being granted an explicit mandate to develop sector specific guidance. Longer term, the ESAs also considered that it might be appropriate to establish co-ordinated cyber-resilience testing exercises for the most “systemic, critical and relevant” entities.