On 31 January 2022, the European Supervisory Authorities (ESAs) set out their response to the European Commission’s call for advice on digital finance and other related issues, including the fragmentation of the financial services value chain, the growth of digital platforms and mixed activity groups (MAGs).

Setting out the findings of an analysis of cross-sector market developments and risks and opportunities posed by digitalisation in finance, the ESAs present several recommendations for actions to ensure the EU regulatory and supervisory framework remains fit for the digital age.

Most notably, the recommendations include a further strengthening of the envisaged oversight of third-party service providers and a potential expansion of the prudential consolidation rules. If the European legislator follows the recommendations, various operators of digital platforms, BigTech and other MAGs could become subject to additional financial regulatory requirements and supervision.

BigTech, MAGs and disintegrated value chains

In recent years, BigTechs have steadily expanded their presence in the financial services sector. Most of them follow a platform business model focused on digital ecosystems with interconnected offerings covering a variety of industries, including, among others, payments, wealth management, insurance and lending. Groups combining financial and non-financial services under one roof have recently been designated as MAGs, which may but do not also have to be BigTechs. MAGs benefit from revenue diversification, new data sources, less friction and a more powerful lock-up of customers in their own ecosystems.

As in almost every other sector, technology is breaking up previously integrated value chains for financial services, as incumbents and new markets entrants introduce new business models. The relevance of technology firms for the financial service value chain is increasing rapidly, ranging from insurance services to payments and banking. The widespread outsourcing in financial services to technology firms is one significant example for this phenomenon. Another would be the new ecosystem in payments and account information services having emerged due to the revised payment services directive (PSD2).

ESAs’ recommendations on the regulation and supervision of MAGs

The recommendations of the ESAs on the regulatory coverage and supervision of MAGs, while highly anticipated, are relatively vague and lack concrete risk analysis with specific recommendations for action. They are divided into three aspects, focusing on the scope of prudential consolidation, review of existing consolidation rules and a new structured regulatory framework.

Scope of prudential consolidation

The ESAs recommend revising the definitions dealing with the entities to be included in the current scope of prudential consolidation, in particular with regard to the definition of „financial holding company“ and „ancillary services undertaking“ – a request already issued by the EBA in 2017 and recently taken up by the Commission with regard to the revision of the CRR, due to the current limitations in those definitions. The ESAs note that the existing framework does not enable the authorities to request consolidation of all relevant non-financial entities of BigTech companies and other MAGs. Further, the ESAs take issue with the 50 per cent threshold that a parent company must exceed with respect to financial services it provides, which is key for the classification as a financial holding company. In addition, the ESAs recommend considering cross-sectoral (vis-à-vis insurance and investment firms) consistency of the definitions.

In essence, the ESAs aim to ensure that all non-regulated entities providing essential digital activities to banking or insurance groups are scoped within the perimeter of prudential consolidation, equating technical and digital services to the financial sector with other financial services, and considering not only the relative, but also the absolute volume of the services in scope of prudential consolidation.

It comes without saying that this recommendation is very broad and requires a substantially more detailed analysis to enable an adequate and proportionate revision of the definitions, in particular with regard to any absolute threshold for the in-scope activities.

Review of consolidation rules

The ESAs also recommend revision of existing consolidation rules, and creating bespoke consolidation rules for MAGs carrying out financial services. The ESAs present this recommendation as an addition to the revision of the definitions of the existing consolidation rules. They refer to the upcoming review of relevant sectoral measures, notably the revised Payment Services Directive, and recommend that the Commission consider (1) the intersection of any new consolidation rules and clear indicators to establish when and how the consolidation rules apply; (2) the possibility of requiring the establishment of intermediate parent undertakings and/or of restructuring MAGs, eg for unconsolidated financial activities above a defined threshold; (3) enhancing the importance of existing risk management tools; and (4) the availability and scope of crisis management tools such as early intervention powers, recovery plans, and resolution tools.

With respect to the reasons for such extension of consolidation rules, the ESAs list „the specific nature and inherent risks of MAGs carrying out financial services“, as well as „risks of regulatory arbitrage“ and the protection of „the level playing field having regard to banking and other groups already subject to consolidated supervision“. At least with regard to the first two reasons, one would have wished for concrete examples and more scientific evidence. It remains unclear whether the ESAs actually consider additional consolidation rules to be a desirable regulatory measure.

Regarding consolidation under Solvency II, EIOPA concludes that there are already existing tools to capture non-financial affiliates under prudential consolidation, in particular the own risk and solvability assessment at group and solo level, and will consider drafting guidelines to ensure a convergent application of this tool to technological and digital services.

New structured regulatory and supervisory framework for MAGs

The ESAs also recommend to consider the creation of a new structured regulatory and supervisory framework to extend to MAGs involved in financial services where MAGs’ involvement in financial services reaches a defined critical level. The ESAs argue that the Financial Conglomerates Directive (FICOD) generally does not apply to MAGs due to their typical focus on payment and credit-related financial services and core engagement in non-financial services. Still, FICOD should provide a source for inspiration in the development of any new structured cooperation arrangements between supervisors of MAGs according to the ESAs. They propose that such new regulatory regime should cover governance requirements, intra-group transactions and risk concentrations, and capital adequacy.

The ESAs even suggest to consider introducing a supplementary supervisory framework – a structured group-wide supervision instead of an activity-based/sectoral supervision – addressing the group in its entirety for the largest MAGs involved in financial services, not just the entities providing or contributing to financial services.

ESAs’ recommendations on the supervision of fragmented value chains

The ESAs highlight the fact that, with digitalisation, financial firms are increasingly relying on third-party service providers through outsourcing or other types of arrangements. While the ESAs recognise that operational risks associated with the outsourcing of information and communications technology (ICT) services are being addressed by the proposed Digital Operational Resilience Act (DORA), the ESAs recommend carrying out a gap analysis after the application of DORA, considering that third-party dependencies continue to evolve and certain risks and service providers may not be covered by DORA.

For example, the ESAs refer to consumer protection risks related to the use of digital platforms where customers may not have a clear understanding of the functionalities and role of the platform or the complaint handling mechanisms. More broadly, the ESAs address risks in relation to data and the risk of an uneven playing field between MAGs and financial institutions.

Further, the ESAs are concerned that some providers of relevance to the financial sector may fall outside the oversight framework established by DORA, because those providers either do not provide ICT services or do not qualify as critical. On the other hand, the ESAs recognise that the type of ICT services falling within the scope of DORA is inherently broad.

However, the ESAs do not draw specific conclusions from those observations and focus their recommendations on the proposed gap analysis between the existing and upcoming rules in view of the continuously evolving reliance on third-party service providers by financial entities. Accordingly, the recommendations of the ESAs to address the growing fragmentation of value chains beyond DORA remain vague. On the other hand, the recommendations illustrate the urgency with which the ESAs view the need to comprehensively cover relevant third-party service providers under a regulatory and supervisory framework and the readiness to close any loopholes that might remain under DORA.

Following the legislative proposal of the European Commission on AML/CFT in July 2021, the ESAs recommend mandating that the future Anti-Money Laundering Authority issues guidelines on outsourcing and governance arrangements for customer due diligence (CDD) purposes. This is in line with the objectives of the AML/CFT legislative package to regulate the performance of CDD or related tasks by third parties more stringently.

Outlook

The ESAs recommendations on prudential consolidation of MAGs lack a clear determination of the preferred measure (or the combination of preferred measures). However, the recommendation on prudential consolidation reveals that the ESAs are prepared to advocate for a financial regulatory framework which would cover MAGs more broadly instead of focussing on their financial services sector entities.

Generally, the recommendations on the oversight of third-party service providers and a potential expansion of the prudential consolidation rules do not amount to a comprehensive action plan. Therefore, further analyses by the Commission in the upcoming legislative procedures, such as the CRR III and CRD VI proposal which have been published on 27 October 2021, or the Directive of distance marketing of consumer financial services, which is also under review, will provide some indication as to which of the ESAs recommendations become concrete legislation.

We will further discuss this topic during our 3rd Digital Financial Services Forum on “Regulating the tech in fintech”. The forum will take place on Thursday, 28 April 2022 between 10.00h and 13.30h CEST in a virtual format - you can register here.