Joint European Supervisory Authority response

1 ESA 2022 01. 31 01 2022. Joint European Supervisory Authority response to the European Commission's February 2021 Call for Advice on digital finance and related issues: regulation and supervision of more fragmented or non-integrated value chains, platforms and bundling of various financial services, and risks of groups combining different activities Contents List of figures and text boxes .. 3. Abbreviations .. 4. Executive summary .. 6. Background and methodological approach .. 10. 1 Market developments .. 15. Fragmented or non-integrated value chains .. 15. Platforms and bundling of various financial 19. Groups combining different 27. 2 Opportunities and risks .. 33. Opportunities .. 33. 34. 3 Recommendations .. 44. 44. Insurance .. 99. Annex 1. References .. 103. Annex 2. Glossary .. 109. 2. List of figures and text boxes Figure 1: Booming public cloud services.

2 17. Figure 2: Global footprint of selected MAGs worldwide .. 28. Figure 3: The share of financial services in big tech 29. Figure 4: EU Supervisory Digital Finance Academy: A flagship project under the Technical Support Instrument .. 73. Figure 5: Focus on P2P insurance developments .. 102. Box 1: Social media impact on the provision of financial products and services .. 23. Box 2: 31. Box 3: Solvency II Group Supervision and Solvency II Review .. 83. Box 4: Intermediaries in the scope of group supervision .. 85. Box 5: The European Forum for Innovation Facilitators (EFIF) .. 95. 3. Abbreviations AI Artificial Intelligence ADR Alternative Dispute Resolution AML/CFT Anti-Money Laundering/Countering the Financing of Terrorism AMLA Anti-Money Laundering Authority AMLR Proposal for an Anti-Money Laundering Regulation, COM/2021/420 final API Application Programming Interface ASU Ancillary Services Undertaking CCD Consumer Credit directive (CCD), directive 2008/48/EC.

3 CDD Customer Due Diligence CfA Call for Advice CRD capital requirements directive , directive 2013/36/EU. CRR capital requirements Regulation, Regulation (EU) 2013/575. DFS Digital Finance Strategy DLT Distributed Ledger Technology DMA Proposal for a Digital Markets Act, COM/2020/842 final DMFSD Distance Marketing of Consumer Financial Services directive , directive 2002/65/EC. DORA Proposal for a Digital Operational Resilience Act, COM/2020/595. DPA Data Protection Authority DSA Proposal for a Digital Services Act, COM/2020/825 final EBA European Banking Authority EEA European Economic Area EFIF European Forum for Innovation Facilitators EIOPA European Insurance and Occupational Pensions Authority EMIR European Markets Infrastructure Regulation, Regulation (EU) 2012/648. ENISA European Union Agency for Cybersecurity ESA European Supervisory Authority ESG Environmental, Social, and Governance ESMA European Securities and Markets Authority EU European Union FICOD Financial Conglomerates directive , directive 2002/87/EC.

4 FinTech Financial Technology FoS Freedom to provide services GDPR General Data Protection Regulation, Regulation (EU) 2016/679. ICT Information and Communication Technology 4. IDD Insurance Distribution directive , directive 2016/97/EU. IFD Investment Firms directive , directive 2019/2034/EU. IFR Investment Firms Regulation, Regulation (EU) 2019/2033. IGT Intra-Group Transaction IHC Insurance Holding Company InsurTech Insurance Technology IORP Institutions for Occupational Retirement Provision JC Joint Committee of the ESAs KYC Know Your Customer MAG Mixed Activity Group MAIHC Mixed Activity Insurance Holding Company MCD Mortgage Credit directive , directive 2014/17/UE. MFHC Mixed Financial Holding Company MiCA Proposal for a Markets in Crypto-Assets Regulation, COM/2020/593. MiFID Markets in Financial Instruments directive , directive 2014/65/EU. ML/TF Money Laundering/Terrorist Financing MoU Memorandum of Understanding NCA National Competent Authority OECD Organisation for Economic Co-operation and Development ORSA Own risk and solvency assessment P2P Peer-to-peer PAD Payment Accounts directive , directive 2014/92/EU.

5 PEPP pan- European Personal Pension Product Regulation, Regulation (EU) 2019/1238. POG Product Oversight and Governance PRIIP Packaged Retail and Insurance-based Investment Products Regulation, Regulation (EU). 2014/1286. PSD2 Payments Services directive 2, directive 2015/2366/EU. RoE Right of Establishment ROFIEG Regulatory Obstacles to Financial Innovation Expert Group SFDR Sustainable Finance Disclosure Regulation, Regulation (EU) 2019/2088. SFTR Securities Financing Transactions Regulation, Regulation (EU) 2015/2365. 5. Executive summary In February 2021, the European Commission (Commission) published its Call for Advice on digital finance and related issues,1 among other things, requesting the European Supervisory Authorities (ESAs) to carry out an analysis of (i) the fragmentation of the financial services value chain, (ii) the growth of digital platforms, and (iii) mixed activity groups, and to set out such recommendations as appropriate in order to ensure the EU's financial services regulatory and Supervisory framework remains fit for purpose.

6 This report sets out the findings and advice of the ESAs in response to the Commission's request. It covers cross-sectoral and sector-specific market developments in the three key areas identified in the Call for Advice, and the risks and opportunities posed by digitalisation in finance. It goes on to present ten cross-sectoral and two insurance-specific recommendations for actions to ensure the EU regulatory and Supervisory framework remains fit for the digital age. In summary, these recommendations relate to: (i) the need for a holistic approach to the regulation and supervision of the financial services value chain; (ii) strengthening consumer protection in a digital context, including through enhanced disclosures, complaints handling mechanisms, mitigants to prevent mis-selling of tied/bundled products, and improved digital and financial literacy; (iii) promoting convergence in the classification of cross-border services; (iv).

7 Promoting further convergence in addressing AML/CFT risks in a digital context; (v) ensuring effective regulation and supervision of mixed activity groups; and (vi) strengthening Supervisory resources and cooperation between financial and other relevant authorities, including on a cross- border and multi-disciplinary basis; and (vii) the need for the active monitoring of the use of social media in financial services. With digitalisation, financial institutions increasingly rely on third-party providers for the provision of services through outsourcing and other arrangements, which creates specific Supervisory challenges as National Competent Authorities (NCAs) may be limited in their assessment of the risks and/or exercise of Supervisory powers on the entirety of the value chains. Concentration risks, and hence financial stability risks, may also arise in case of critical third-party providers.

8 The Digital Operational Resilience Act2 (DORA) is an important initiative that will address the information and communication technology (ICT) risks in the financial services value chain. However, DORA is not intended to address other risks that may arise from the reliance of financial institutions on third-party providers. Recommendation 1 proposes that the Commission take a holistic approach to the regulation and supervision of fragmented value chains, as further outlined under Recommendations 2, 3, 7 and 8 (including in relation to digital platforms, and mixed activity groups), and to conduct regular assessments to determine whether financial institutions exhibit dependence on certain providers that may not be captured by DORA and represent a risk to financial stability. New financial services business models may harm consumers, especially those with lower levels of financial and/or digital literacy.

9 Recommendation 2 highlights main points for attention for the 1. European Commission (2021a), Request to EBA, EIOPA and ESMA for technical advice on digital finance and related issues, Ref. Ares(2021)898555, 02 February. 2. Proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM/2020/595, 24/09/2020. 6. Commission to ensure that disclosures requirements in EU law are fit for the digital age and brings forward recommendations for the review of the Distance Marketing of Consumer Financial Services Directive3, bearing in mind that the ESAs may provide more specific sectoral recommendations on those matters as part of other ongoing calls for advice from the Commission. In addition, Recommendation 2 calls on the Commission to enhance consumer protection to address risks of mis-selling (in particular for tied and bundled products) and to overcome potential weaknesses in complaints-handling processes at EU level.

10 Recommendation 3 highlights the need to prevent financial exclusion and to promote further a higher level of digital and financial literacy to help consumers make effective use of financial services provided via digital means and responsible choices that meet their expectations, raising confidence and trust in the digital financial system as well as their personal financial outlook. This could include further analysing the use of data in AI/Machine Learning models and potential bias leading to discrimination and exclusion. Digital financial services are inherently borderless, which raises questions about when the obligation to notify of cross-border provision of services' is necessary and if so, how to classify these services under the right of establishment' or freedom of services'. This in turn creates Supervisory challenges, but also difficulties for consumers in establishing which Authority is the relevant Authority in the event of a complaint or need for redress.