Digital regulation - information overload

Neobanks and fintech players specialising in one or a few specific services are disrupting banking markets one by one. Prominent examples include services around payments, buy-now-pay-later, or working capital finance. Big-techs are integrating payments into their platforms, and more banking services look set to follow. Cryptocurrencies and “decentralised finance” (DeFi) are a pressure cooker laboratory for new configurations of financial services. While we do not believe that financial intermediaries will become superfluous in crypto- and DeFi-land, nor in a big tech-dominated landscape, we do think they will have to fundamentally re-think their roles and business models.

Banks will have to fundamentally re-think their business models

Rapid changes in digital markets have also invited a flurry of regulatory initiatives coming from Brussels. We are not going to discuss the regulation on cybersecurity and operational resilience in this report today; important regulatory initiatives here are the revised Directive on Security of Network and Information Systems, “NIS2”, and the Regulation on Digital Operational Resilience Act for the financial sector, “DORA”. The digital themes we want to focus on in this article are data portability and digital identity, the crypto universe and the digital euro. What these themes have in common is that they, each in their own ways, put the traditional banking business model under pressure. The challenge for banks is to focus not on the threats but on the opportunities posed by these (regulatory) changes.

By now, banks have become used to sharing account and payment data under the second Payment Services Directive (“PSD2”). Under this scheme, users can opt to “port” their payments data to third party providers, have those parties review their account data, or initiate payment on their behalf (as such, financial data portability under PSD2 is enhanced over the generic data portability enforced by the General Data Protection Regulation GDPR). A few years after PSD2 came into force in all countries, the European Banking Authority’s register today shows 178 Payment Initiation and 286 Account Information Service Provider licenses active in the EU. These are companies with dedicated licenses. In addition, banks may offer these services within the remit of their banking license.

The availability of services built on PSD2 data portability and their uptake among consumers may have developed less quickly than some had hoped. Yet the live payments data portability enabled by PSD2 has created a more-or-less standardised, API-based data exchange infrastructure among banks and third parties service providers.

The European Commission is working on multiple data-related initiatives, including AI regulation, a review of PSD2 and a Data Act. Furthermore, the Digital Markets Act (“DMA”) seeks to regulate so-called gatekeeper platforms (in practice, the big techs). The DMA also includes enhanced data portability stipulations.

Over the coming years, banks may have to open up more of their data

To summarise these multiple data-related regulatory initiatives, over the coming years banks will likely have to open up more of their data for real-time portability. At the same time, they may also find themselves on the receiving end of more real-time ported data. Banks that are willing and able to use that data to improve their services will be at an advantage compared to their peer banks. They will be better able to compete with non-bank fintech and big tech providers of banking services. At the same time, they are a more attractive potential partner to those very same non-bank providers. Thus banks face important questions about their data capabilities, and about how they want to put data to work in their organisation. Banks will also need to carefully consider how to reconcile any data ambitions with their role as trusted custodians of money and sensitive financial data.

Banks face important questions about their data capabilities

In this regard, another regulatory initiative deserves mention: the proposal to establish a European digital identity framework. The aim is to create a digital identity wallet for citizens, which holds their digital identity papers and other attributes. These can then be shared on an as-needed basis with digital services providers across the EU. As such, the wallet should become the single access key to digital markets. Given all the sensitivity and importance around this, developing digital identity solutions is likely going to be a public-private partnership. Banks are well-positioned to participate in such partnerships, given the extensive knowledge and documentation they tend to have on their clients. In any case, the regulatory initiatives around digital identity and data will in the coming years provide opportunities for those who see them and are able to reap them, while posing threats to those unable to follow.

Another area with rapid developments is the crypto-universe. No doubt helped by persistently low interest rates and high stock market valuations, interest for crypto assets among clients (both retail and wholesale) has increased over the past two years. Moreover, “decentralised finance” (DeFi) has rapidly become more popular.

Where the original aim of Bitcoin was to take out the middle man in payments, the aim of DeFi is to take out the middle man in other financial services, starting with saving, investing and borrowing. Yet with Bitcoin, things have turned out differently so far. The middle man has not disappeared, he just changed roles. Where in traditional payments, money is held in bank accounts and transferred between them via various methods, the crypto-universe saw the emergence of wallet providers and exchanges. In principle, it is possible to use cryptocurrency for payments without an intermediary. Yet in practice, many people, for now, choose to use an intermediary after all, for security or ease of use.

With Bitcoin, the middle man has not disappeared, he just changed roles

We expect similar developments in DeFi. In principle, it may be possible to use decentralised platforms to invest or borrow without the intervention of an intermediary. But the number of people willing to spend the time to do their own research, for example, vetting borrowers, and with the ability to, for instance. review smart contract code for bugs or scams, is likely limited. The majority of people may prefer to rely on a trusted intermediary to do the vetting for them. Roles of intermediaries may include offering credit assessment, contract code verification, curated portfolios, risk hedging and other aspects of asset management. Intermediaries may also help individual or corporate borrowers to obtain the best rate and conditions on DeFi markets.

The majority of people may prefer to rely on a trusted intermediary

From a regulatory perspective, a key issue is that regulation and supervision is inherently built around entities. Licenses are handed out to registered businesses, and supervision relies on registered businesses that can be supervised, visited, fined or sued when in non-compliance. An open-source DeFi platform, not owned by a particular business or person, and run on a decentralised blockchain, does not fit such an entity-based approach; it cannot be licensed, fined or shut down without going after each individual user running the software.

Regulation and supervision are inherently built around entities

While this is a fundamental problem yet to be resolved, it is not a problem for banks – or other intermediaries, wishing to become active in crypto or DeFi. Entity-based supervision works perfectly well for them. Indeed European policymakers are negotiating the “Markets in Crypto Assets” regulation (“MiCAR”), while the Basel Committee is considering the prudential treatment of crypto-assets on bank balance sheets. Getting further clarity on regulatory requirements, be they from a consumer protection, market integrity or prudential perspective, is a key prerequisite for regulated financial institutions to take further steps in the crypto- and DeFi-space.

The third thing we want to discuss here is the digital euro, the Eurosystem’s version of a retail-oriented central bank digital currency (CBDC). Only three or four years ago, CBDC was a niche topic, with most central banks only sniffing the idea from tech and abstract scholarly perspectives. That all changed when Facebook announced its Libra plans in 2019, and central banks subsequently realised that the Chinese central bank was already far advanced in developing its CBDC called DC/EP. Today, 36% of the world’s central banks, covering 74% of their population, is looking into CBDC.

The main motivations for considering CBDCs in Europe appear to be to avert threats to “monetary sovereignty”. In concrete terms, policymakers want to prevent big tech-issued and non-euro-denominated stablecoins from taking over the role of the euro in daily life, as that would impair the central bank’s ability to steer the economy with its monetary policy. Issuing their own stablecoins would also help big techs in building closed ecosystems (“walled gardens”). Yet policymakers are trying to open up such ecosystems, for example by enhanced data portability (Digital Markets Act, Data Act). They'd rather see a common, publicly issued digital euro than a few dominant platform-bound stablecoins.

Moreover, currencies and their infrastructures are seen as a tool in geostrategic positioning. The dollar is currently the uncontested 'number one' for trade and global financial markets. But an internationally available, easy to use and safe CBDC infrastructure could give other currencies an edge.

Monetary sovereignty and geostrategic autonomy are clear motivations for a digital euro. From a more narrow end-user perspective, the gains of a digital euro are less clear.

The gains of a digital euro are less clear

Digital means of payment are readily available today, though acceptance and use vary across the EU. That said, banks better follow discussions closely in the coming two years, during the ECB’s “investigation phase”. The European Commission is due to adopt a regulation in early 2023, setting out key design features. Crucial decisions are, therefore, being made in the coming 18 months, and this is also the phase determining whether the digital euro will turn out useful for banks or will instead be primarily weakening them vis-à-vis big techs incorporating the digital euro seamlessly into their ecosystems.

The three themes discussed here, data, crypto and CBDC, show how the regulatory and institutional framework is a key factor shaping banks’ perspectives. Although the regulatory initiatives described will take time to be concluded and implemented, banks would do better to prepare and be ready for them. Several of the issues raise fundamental questions about the bank business model: what role for data in banking? What role for financial intermediation when decentralised financial services take hold? And even: what role for the bank balance sheet, for money creation in a world of CBDC and non-bank issued stablecoins?

These will not be issues that separate the winners from the laggards already over the coming year. Yet these are defining questions that will shape banking over the next decade.