On 12 July 2019, the European Securities and Markets Authority (ESMA) published a Report on the status of licencing regimes of Fintech firms across the European Union (Report).

For Fintech firms seeking to operate throughout the European Union (EU), navigating the complex framework of regulatory requirements across Member States is a continuing challenge.

The Report addresses one of the five action points of the European Commission’s FinTech Action Plan, namely ESMA’s mandate “to map current authorizing and licensing approaches for innovative Fintech business models in Europe”.

The Report reviewed a number of emerging challenges in the regulation of Fintech but declined to recommend further rule-making at this time.

ESMA Surveys

The Report summarises the results of two ESMA surveys which gathered evidence from national competent authorities (NCAs) on the licensing regimes of Fintech firms in their respective jurisdictions.

The first survey was conducted in January 2018 and sought to identify potential gaps and issues in the existing EU regulatory framework as well as assess how the existing national regimes diverge and, if identified, propose recommendations to adapt the EU legislation to the emerging innovations.

The second survey, launched one year later, attempted to identify the ways in which NCAs employed the concepts of ‘proportionality’ and ‘flexibility’ when licensing Fintech firms.

Report Findings

Regulatory Gaps and Issues

The primary area where regulatory gaps and issues have been identified by NCAs and where Fintech firms do not fit neatly within the existing rules is related to cryptoassets, Initial Coin Offerings (ICOs) and Distributed Ledger Technology (DLT).

In the UK, the Financial Conduct Authority (FCA) has published Consultation Paper 19/3 (CP19/3) which provides the industry and the public with guidance on cryptoassets. CP19/3 confirmed that security tokens fall within the regulatory perimeter whereas some utility tokens and exchange tokens do not. The FCA has also published Discussion Paper (DP17/3) outlining DLT’s risks and opportunities. The FCA is currently reviewing responses to DP17/3 and is expected to publish findings at the end of 2019.

The identified regulatory gaps led ESMA in the Report to reiterate ESMA’s CyptoAsset Advice that found that certain tokens are financial instruments and subject to the full attendant regulation, while those tokens that are not deemed financial instruments should be subject to some minimal level of regulation.

What that minimal level of regulation is, remains an open question. In the anti-money laundering space, the EU’s fifth Anti-Money Laundering Directive 2018/843 (MLD5) will ensure the following entities will be obligated in future to implement measures to counter money laundering and terrorist financing such as customer due diligence and transaction monitoring:

  • “providers engaged in exchange services between virtual currencies and fiat currencies” i.e. cryptocurrency exchanges; and
  • “custodian wallet providers” i.e. cryptocurrency wallet services (where the service holds its users’ private keys).

Further regulatory development in this space has been foreshadowed by Mario Draghi, the President of the European Banking Authority (EBA), in a speech to the European Parliament in February 2018.

At present however, the trading of cryptoassets by individuals continues not to be subject to a specific supervisory approach. Although we note the FCA’s recent consultation paper proposing a ban on the sale of crypto-derivatives to retail customers.

Cyber Security and Cloud Outsourcing

The Surveys also identified the need for greater clarity around the governance and risk management processes associated with both cyber security and cloud outsourcing.

In the Report, ESMA noted that these concerns are reflected in the European Supervisory Authorities (ESAs) Joint Advice(s) on the need for legislative improvements relating to Information and Communication Technology risk management requirements in the Financial Sector and the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures in the financial sector.

Innovation Facilitators such as Regulatory Sandboxes

According to the Report, “innovation facilitators” play a central role in mapping approaches applied to Fintech and in identifying the areas where the legislation and licensing requirements need changes and adaptation.

Moreover, innovation facilitators, especially regulatory sandboxes, may have an impact on the licensing regime for Fintechs and may allow for divergence from standards applicable in other jurisdictions. In response to concerns about regulatory divergence, ESMA as well as the EBA and the European Insurance and Occupational Pensions Authority (EIOPA) published the Report on FinTech: Regulatory Sandboxes and Innovation Hubs in January 2019.

In the UK, the FCA was the first regulator to launch a regulatory sandbox as part of its Project Innovate which commenced in October 2014. Now with its 5th cohort, the FCA’s regulatory sandbox allows businesses, frequently innovate Fintech firms, to test propositions in a live environment with real consumers.


The surveys also identified concerns about the lack of an EU holistic crowdfunding regime, in particular for crowdfunding of instruments not classified as “Financial Instruments” under the second Markets in Financial Instruments Directive 2014/65/EU (MiFID II).

The Report notes that the regulation of crowdfunding service providers is under scrutiny by the European Parliament and the Council with a view to facilitating a level playing field for cross-border service providers.

No additional EU Rule-making required (for now)

Importantly, the results of the surveys confirmed that all NCAs do not typically distinguish between Fintech firms and other firms in the financial services industry for the purposes of authorizing and licensing activities. NCAs authorise a financial activity and not a particular technology.

Based on the evidence gathered, ESMA concluded that most innovate businesses models can operate within existing EU rules. In the Report, ESMA therefore reiterated its conclusions made in recent reports regarding cryptoassets/ICOs/DLT, cyber security and innovation facilitators, and did not put forward additional recommendations for changes in EU regulation at this stage.

ESMA will, however, remain vigilant to emerging innovations and may recommend appropriate adaptions to the EU legislative framework in the future.