On 7 February 2022, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), published their Joint Advice to the European Commission on Digital Finance. The joint advice was prepared in response to the European Commission’s (Commission) request for technical advice that was issued to the ESAs in February 2021 (please see our blog). It sets out the ESAs’ findings and advice in response to the Commission’s request.

The ESAs note that with digitalisation, financial institutions increasingly rely on third-party providers for the provision of services through outsourcing and other arrangements, which creates specific supervisory challenges. They further note that the growing digitalisation of financial services activities has contributed to the fragmentation of the value chain for financial services. This in turn incentivises firms to pursue new forms of cooperation in the form of ‘mixed activity groups’ (MAGs) that offer customers both financial and non-financial services; a business model which is more and more often adopted by BigTechs, which already have a relatively strong presence in the payments sector. Finally, the ESAs note that the entry of BigTechs into financial services may create concentration risks and raise level playing field issues relative to incumbent financial groups, because the existing prudential and consolidation frameworks were not designed with these developments in mind. In order to tackle the challenges ahead, the ESAs put forward 10 general recommendations; the one of particular interest in the context of the evolving role of BigTech in the financial services sector is Recommendation 7, which suggests a need to bring MAGs within sectoral prudential and consolidation supervision rules.

The ESAs’ recommendations:

Recommendation 1: Need to consider a holistic approach to the regulation/supervision of fragmented value chains. This includes:

  • Recommendation to consider potential issues in relation to the reliance by financial institutions on third-party providers that may not be addressed by the existing and upcoming rules (Recommendation 1a). The ESAs recommend that the Commission assess and subsequently address where necessary the non-information and communication technology risks that may arise from the use of third-party providers by financial institutions and the growing intertwined relationships between technology companies and financial institutions.
  • Recommendation to consider an adequate minimum approach towards outsourcing in insurance and pensions sectoral rules (Recommendation 1b). To this end, the Commission is advised to consider an adequate minimum approach towards outsourcing in insurance and pensions sectoral rules, including the need to incorporate general and proportionate outsourcing rules in the Insurance Distribution Directive clarifying the responsibility of insurance intermediaries when outsourcing is used.
  • Recommendation to consider the need to define clear requirements for financial entities to have internal structured information on all arrangements with third-party providers in the insurance and pensions sector (Recommendation 1c). This should involve the Commission considering the need to define clear requirements for financial entities to have internal structured information on all arrangements with third-party providers in the insurance and pensions sector, if not yet covered by DORA (the proposed Regulation on Digital Operational Resilience in the EU financial services sector) so as to have adequate information on third parties used to allow a risk-based supervision.
  • Recommendation to widen the scope of existing tools, when the value chain is fragmented and the value chain and/or the business model of the insurance undertaking is materially exposed to a third party while group supervision is not applicable (Recommendation 1d).

Recommendation 2: Update current disclosure requirements in EU law as relevant to make them fit for the digital age and enhance consumer protection and conduct of business rules to address risks of mis-selling and overcome potential weaknesses in complaints-handling processes. In particular, this includes:

  • Recommendation to update current disclosure requirements in EU law and make them fit for the digital age to allow consumers to make informed decisions about products and services (Recommendation 2a). To this end, the Commission is advised to pay particular attention to specific points in any future review of the disclosure requirements in various legislation, such as the presentation and format of the disclosures, the definition of ‘durable medium’, the timing of disclosures, the use of behavioural insights and the need to explore the benefits of open data.
  • Recommendation to enhance the level of consumer protection and conduct of business rules to address risks of (cross) mis-selling and overcome potential weaknesses in complaints-handling processes regarding the provision of financial services in a digital context (Recommendation 2b). To this end, the Commission is advised to address the risk of (cross) mis-selling, in particular for tied or bundled products, by considering a package of remedies, to give further consideration to the existing Product Oversight and Governance (POG) rules to address any risks of (cross) mis-selling practices, to prohibit the use of pre-ticked boxes by default and, finally, to address the inconsistencies in relation to cross-selling practices across existing legislative instruments for the three sectors in scope.

Recommendation 3: Prevent financial exclusion and promote a higher level of digital and financial literacy. Specifically, this includes preventing financial exclusion and further promoting a higher level of digital and financial literacy to help consumers make effective use of digital financial services and responsible choices that meet their expectations, raising confidence and trust in the digital financial system as well as their personal financial outlook.

Recommendation 4: Address the lack of convergence in classifying cross-border services in a digital context. This should include providing further guidance on the definition of cross-border services in a digital context and strengthening cross-border supervisory coordination.

Recommendation 5: Strengthen skills and resources at supervisors. This includes strengthening supervisory skills and resources to effectively monitor financial firms’ digital transformations.

Recommendation 6: Support a convergent approach to money laundering/terrorist financing (ML/TF) risks in a digital context. To this end, the ESAs recommend that the Commission undertakes a set of actions with a view to supporting greater convergence in the identification and mitigation of ML/TF risks in a digital context (for example: mandating the future anti-money laundering/countering the financing of terrorism (AML/CFT) authority to issue guidelines on outsourcing and governance arrangements for customer due diligence (CDD) purposes, clarifying the application of the data protection framework in the CDD and wider AML/CFT compliance context, requiring ESAs to issue a thematic review of ML/TF risk management in the digital finance context, which identifies best practices).

Recommendation 7: Ensure the sufficient coverage of MAGs by sectoral prudential consolidation/group structured supervision rules. This includes:

  • Recommendation to revise the definitions dealing with the entities to be included in the scope of prudential consolidation (Recommendation 7a). This includes the need to revise some of the definitions used in the Capital Requirements Directive IV and Capital Requirements Regulation (CRD/CRR) and in Solvency II (e.g. ‘ancillary services undertaking’).
  • Recommendation to consider the revision of existing consolidation rules (through adapting the CRR/CRD, the Investment Firm Regulation and Solvency II) and the creation of bespoke consolidation rules to ensure that the specific nature and inherent risks of MAGs carrying out financial services are adequately captured (Recommendation 7b). In this context, the ESAs note that some MAGs, including BigTechs, do not have entities within their groups to which existing consolidation rules under the CRD/CRR/Solvency II would apply. At the same time such MAGs may carry out via subsidiary companies a range of financial services, including payments and lending services. Therefore, in order to effectively mitigate prudential risks and risks of regulatory arbitrage and to protect the level playing field having regard to banking and other groups already subject to consolidated supervision, the ESAs see a need to consider whether new bespoke consolidation rules should be developed for these new types of MAGs.
  • Recommendation to consider the creation of a structured regulatory and supervisory framework to extend to MAGs involved in financial services (Recommendation 7c). To this end, the ESAs should be mandated to consider the merits of a new framework that would ensure that there is appropriate group-wide supervision of key risks (especially where consolidation rules are not identified appropriately), notably in relation to governance, intra-group transactions and risk concentration. This framework would apply from the moment the MAG’s share in financial services reaches a defined critical level.

Recommendation 8: Consider possible ways to enhance cooperation between financial and other relevant authorities. This includes a recommendation to consider possible ways to enhance cooperation between financial and other relevant authorities, building on existing cooperation models, in particular: (i) to maintain awareness of policy developments happening across relevant sectors; (ii) to better identify and monitor market developments and emerging risks on a horizontal basis; and (iii) in the context of the growing platformisation of financial services and the development of MAGs.

Recommendation 9 for the ESAs: Address cross-border supervisory coordination challenges. In this context the ESAs should consider possible ways to enhance cooperation between home and host authorities (e.g. complementary notification requirements for cross-border activities and/or supervisory forums for enhanced information exchange, processes and measures to be adopted where a firm possibly infringes rules, and with third country authorities).

Recommendation 10 for the ESAs: Actively monitor the use of social media in financial services and assess whether regulatory action may be warranted as part of forthcoming work. In this context, the ESAs note that the use of social media in relation to financial services continues to evolve at a rapid pace, especially in securities markets where ESMA has observed an increasing use of social media by individuals and firms to promote financial services and products and by (retail) investors to seek investment and trading ideas. While those practices partly fall under existing rules already, for example the revised Markets in Financial Instruments Directive and the Market Abuse Regulation, there may be a need to consider further specific issues raised by the growing interconnectedness between social media and the provision of financial services.

In addition to the ten general recommendations cited above, the ESAs put forward two bespoke recommendations addressed to the insurance sector.

In terms of next steps, the ESAs’ advice has been transferred to the Commission. It is now up to the Commission to review the recommendations and decide what follow-up steps to take, including possible legislative action.