FinTech Legal Developments
Arie van den Bergen
Making a ‘license to operate’ for FinTech companies easy by providing practical and hands-on legal and regulatory advice | Lawyer
Welcome to the Fintech Legal Developments June 2024 newsletter. This newsletter is hosted by the FinTech Legal Professionals Group. This is a network of internationally active lawyers who specialise in FinTech and currently includes legal professionals from Estonia, Guatemala, Hungary, Italy, Liechtenstein, Luxembourg, The Netherlands, Panama, Romania, Switzerland, Turkey, Ukraine, the United Arab Emirates and the United Kingdom.
The purpose of the FinTech Legal Professionals Group is:
- to share information and knowledge on legal developments relevant to FinTech companies.
- to connect with other lawyers who are active in the FinTech industry.
- to acquire and handle cases together.
Below are relevant FinTech legal developments in some of the key jurisdictions. If you want to keep abreast of FinTech legal developments, please subscribe to our monthly newsletter here. You can also sign up for the FinTech Legal Professionals group here.
Hannes Arnold Andreea Vlantoiu Juan José Porres B. Arunoday Ganguly Peter Ruggle Jose Vega Giovanni Imbergamo Nadia Manzari Gökhan Ugur BAGCI Balázs Dr. Kissz?ll?si-Szánthód Daria Fartushnaya Abou Bangoura James Borley
In this newsletter:
Artificial Intelligence
Digital Identity
IT/Security
Payments
Artificial Intelligence
AI in the Financial Industry in Switzerland
With the launch of OpenAI’s ChatGPT in late 2022, AI has also become a hot topic in Switzerland, especially given advances in generative AI and large language models (LLMs), the underlying technology for ChatGPT. Swiss financial institutions are increasingly relying on AI in various areas.
FINMA survey on the use of AI in banking and asset management
A survey by the Swiss supervisory authority FINMA on the use of AI in banking and asset management found that half of the institutions surveyed were already using AI or planned to use it in some way by 2022:
- All institutions used AI in their front office (e.g. marketing), for process optimization, document processing, IT or HR management.
- Other application areas include compliance and conduct (e.g. KYC), financial risk management and system monitoring.
Examples are:
- AI algorithms used in asset management to analyze market trends and optimize portfolios.
- Risk management by predictive analytics to proactively identify and mitigate risks.
FINMA approach to AI
FINMA generally takes a proactive approach to AI and has set up a specialized unit to monitor the growing use of AI in Swiss financial markets. In 2023, it set out several expectations and guidelines for regulators on the use of AI, focusing on governance/accountability, robustness/reliability, transparency/explainability and non-discrimination. FINMA shall be able to properly address these challenges.
What AI means for financial institutions
AI offers many opportunities for financial institutions:
- AI lets organizations accelerate and automate manual and time-consuming tasks like market research.
- AI can quickly analyze large volumes of data to identify trends and help forecast future performance, letting investors chart investment growth.
- AI can evaluate potential risk, such as harvesting personal data in insurance to determine coverage and premiums.
- AI can be used for cybersecurity purposes, in particular by identifying fraudulent transactions through monitoring purchase behavior, comparing it to historical data and flagging anomalous activity.
What AI means for banking
For banks, AI and ML can improve the overall customer experience:
- The rise of online banking (i.e., contactless banking) minimizes the need for in-person interactions, but the shift to virtual can create more endpoint vulnerabilities (e.g., smartphones, desktops, and mobile devices).
- AI can automate many basic banking activities like payments, deposits, transfers and customer service requests.
- AI can handle application processes for credit cards and loans, including acceptance and rejection, providing near-instant responses.
The future of AI in Switzerland
- Switzerland does not have specific laws regulating AI. In the past, Switzerland tended to take a relaxed and deregulatory approach to AI, arguing that existing laws were sufficient to cover the risks involved.
- In November 2023, Switzerland changed its approach and decided to explore regulatory approaches that were consistent with EU law and the Council of Europe's Convention on Artificial Intelligence.
- Financial service providers in Switzerland therefore must carefully consider regulatory aspects in their decisions and continuously adapt to their changes.
Please contact Peter Ruggle if you need more information on the use of AI in the Financial Industry in Switzerland.
Digital Identity
European Digital Identity Wallet
On 20 May 2024, the revised eIDAS Regulation ('eIDAS 2.0') entered into force. eIDAS 2.0 revises the existing eIDAS Regulation and creates a European Digital Identity Wallet.
What is eIDAS 2.0?
- According to eIDAS 2.0, each Member State must offer at least one digital identity wallet to its citizens, residents, and businesses which will be recognized throughout Europe.
- The wallet must be interoperable with every other national wallet and accept the same digital documents (mobile driving licences, university diplomas etc.) and your digital ID (your date of birth, nationality etc.).
- The wallet can be used for identification, authentication, e-signature etc.
Registration requirement
- If a party intends to rely upon European Digital Identity Wallets for the provision of public or private services by means of digital interaction, it must register in the Member State where it is established.
- The conformity of European Digital Identity Wallets and the electronic identification scheme shall be certified by conformity assessment bodies designated by the Member States.
- Certification shall be valid for up to five years, provided that a vulnerability assessment is carried out every two years. Where a vulnerability is identified and not remedied in a timely manner, certification shall be cancelled.
- Member States must inform the Commission without undue delay of European Digital Identity Wallets that have been provided or if a certification is cancelled and must state the reasons for the cancellation.
Integrity incidents
Member states are required to suspend the provision and use of European Digital Identity Wallets without undue delay if the wallets or the electronic identification scheme under which they are provided are breached or partly compromised in a manner that affects their reliability or the reliability of other European Digital Identity Wallets.
Opportunities for fintech companies
- The identification and e-signature provided by the new European Digital Identity Wallet create new opportunities for fintech companies, such as online customer authentication, contracting and legal declarations.
- Member States who require electronic identification and authentication for access to online services provided by a public sector body are required to accept European Digital Identity Wallets.
- Private relying parties (except for certain SMEs) providing services who are required by EU or national law to use strong user authentication (SCA) for online identification must also accept European Digital Identity Wallets, but only upon the voluntary request of the user.
When will eIDAS 2.0 apply?
- Parties offering digital identity wallets have 36 months to implement eIDAS 2.0.
- Member States are required to provide at least one European Digital Identity Wallet within 24 months of the date of entry into force of the implementing acts.
It will be interesting to see how the digital identity services will evolve over time.
Please contact Balázs Dr. Kissz?ll?si-Szánthó if you need more information on eIDAS 2.0.
IT/Security
Lunch webinar on the practical implementation of DORA for Fintech companies
On 12 June, 12-13 PM CET, Finnick and Betoola will organise a webinar on the practical steps for fintech companies to comply with the Digital Operational Resilience Act (DORA), which comes into effect on 17 January 2025. Kirill Smirenko and Arie van den Bergen will be covering the following aspects:
- The main requirements of DORA
- How to prepare a fintech company for DORA compliance
- IT aspects of DORA compliance.
European regulators have repeatedly urged financial institutions to start preparing for the implementation of DORA. Non-compliance with DORA may result in enforcement actions from regulators and reputational damage. Be ahead of the game and know how to avoid this from happening. Register at https://lnkd.in/egpU-88G to reserve your spot and invite your colleagues and friends who may be interested by sharing the event.
Please contact Arie van den Bergen if you need more information on the lunch webinar.
Payments
EBA publishes report on virtual IBANs
The European Banking Authority (EBA) recently published a comprehensive report on virtual IBANs, following an assessment of market practices for virtual IBANs (vIBANs) in EU member states. Some of the key items are discussed below.
What are virtual IBANs?
There is currently no legal definition of vIBANs at EU level. Common characteristics of vIBANs are:
- A vIBAN is an identifier that has the same format and functionality as a regular IBAN, and is linked to a payment account (the ‘master account’)
- The master account to which the vIBAN is linked has its own IBAN (different from the vIBAN), and, depending on the use case, can be opened either:
  - in the name of the end user of the vIBAN; or
  - in the name of another entity which allocates the vIBANs to the end users.
- A vIBAN is used to reroute all incoming payments made towards the vIBAN to the master account
- In some cases, vIBANs can also be used for making payments from the master account towards third parties
Benefits of virtual IBANs
The main potential benefits of vIBANs, as perceived by market participants, are:
- facilitating payment reconciliation
- offering consumers and businesses an easier way to obtain a local IBAN, to overcome issues stemming from IBAN discrimination
- facilitating centralisation of payments within a group
- reducing the complexity and costs related to opening and managing separate bank accounts
- reduced currency conversion fees for sending and receiving payments in more than one currency
Risks and Challenges
Based on the EBA’s analysis of 6 different use cases, the main risks and challenges of the use of vIBANs are:
Unlevel playing field and regulatory arbitrage
National regulators have divergent interpretations of what IBANs are and how they are regulated. Some of the questions in this respect are:
- Does the vIBAN qualify as a separate payment account, different from the master account?
- Where should reporting of suspicious transactions or fraud reporting under PSD2 take place if the master account and vIBANs are held in different countries?
- Do the SEPA Regulation and the ISO IBAN standard apply to vIBANs?
- Does the ‘confirmation of payee’ service under the Instant Payment Regulation apply?
- Can vIBANs be issued by branch offices when the master account is held and serviced from another member state?
AML/CFT risks
If vIBANs are offered to the end users by another PSP than the PSP providing the master account, this may lead to the following ML/FT risks:
- The lack of visibility for the PSP providing the master account and issuing the vIBANs about the identity of the end users
- Challenges for the PSP providing the master account and issuing the vIBANs in monitoring their business relationships and their customers’ transactions
- Lack of visibility for the counterpart PSP involved in a funds transfer about the identity of the end users of the vIBANs
Other risks
Some of the other risks identified by EBA are:
- Inappropriate disclosure of pre-contractual information, which may lead to consumers not understanding the vIBAN services
- Lack of clarity for consumers about which deposit guarantee scheme (DGS) protects their deposits
EBA Recommendations
In view of the risks identified, EBA provides the following recommendations:
For Financial Institutions
- Develop comprehensive risk management frameworks specifically for vIBANs
- Inform customers about the benefits and risks of using vIBANs
- Invest in secure and scalable technology solutions to support vIBANs.
For Regulators
- Provide clear guidelines and standards for the issuance and use of vIBANs
- Enhance supervisory practices to ensure compliance with AML/CFT regulations
Conclusion
vIBANs not only offer substantial benefits to fintech companies, but also come with substantial risks. Fintech companies offering vIBANs to their clients should carefully review the EBA report and ensure that the risks stemming from vIBANs are properly identified and managed.
Please contact Arie van den Bergen if you need more information on the EBA report on virtual IBANs.
Do you like this newsletter and want to stay up-to-date with FinTech legal developments? Please subscribe to the newsletter here or sign up for the FinTech Legal Professionals group here.