Throughout the year, VIXIO has produced 23 detailed regulatory and impact analyses, as well as hundreds of supplementary insight articles. This piece will look back at two notable and ongoing events: Brexit changes and the effect on payment service providers (PSPs) of reforms at the Federal Financial Supervisory Authority (BaFin), Germany’s financial regulator.
It revisits how these issues developed in 2021 and considers how they are likely to affect PSPs in 2022 and beyond.
Lack of Brexit clarity
One of the most notable series of events in 2021 was the regulatory changes between the EU and UK around Brexit, which, although they began several years ago, have mostly culminated in the last 12 months. These changes have been characterised by mutual distrust, with each side seeking competitive advantages that have continued to provide some uncertainty in the regulatory environment for PSPs, which is likely to continue for years to come.
For example, on December 24, 2020, both sides concluded the UK-EU Trade and Cooperation Agreement, which meant the loss of passporting rights for UK financial institutions into the EU, without any provision for a future provisional agreement on this matter. Some EU member states, such as Portugal, Spain and Italy, did provide transitional relief for UK firms, enabling them to continue providing services while complying with the host-country rules, although the maximum relief time was six months after the transition period. This was despite the UK chancellor allowing passporting to continue for EU firms into the UK via the temporary permissions regime, although this is the case only up to the end of 2023. This change meant PSPs licensed in the UK had to seek a licence in an EU member state if they wanted to continue doing business in the bloc.
However, agreement does not always mean the end to uncertainty. For example, on June 29, 2021, the EU agreed to treat UK data protection rules as adequate to the EU’s, allowing information to continue to move unimpeded between the two unions for the next four years. However, this agreement was unlike any other data adequacy agreement the EU has struck: as analysis from VIXIO has shown, the European Commission reserves the right to reverse this decision if it believes that the UK is no longer properly complying with the General Data Protection Regulation (GDPR), either partially or completely (note 285). This means that if the UK government tries to diverge from both new and existing EU directives and regulations on data protection and governance, as it wants to do, it could mean the end of data sharing between UK- and EU-based PSPs.
Diverging for a competitive advantage
Leaving the EU on January 31, 2020 precipitated a wave of consultations, responses and papers on how the UK might diverge from current EU rules, something that is likely to affect all payment firms that do business in the UK. VIXIO’s Horizon Scanning tool has collected around 250 unique updates from the UK alone since January 2021. In the last 12 months, the UK authorities have released the following key consultations and reform proposals affecting the payments sector:
- A Payments Landscape Review
- A Review of the UK’s AML/CFT Regulatory and Supervisory Regime
- Reforming Competition and Consumer Policy
- A new Consumer Duty
- Kalifa Review of UK Fintech
- Data: A new direction
The drive for many of these reviews has typically been to tailor the UK regulatory environment to be more innovative and competitive, while enhancing consumer protection. In Data: A new direction, for example, Oliver Dowden, the UK's Secretary of State for Digital, Culture, Media and Sport at the time of publication, said he would like to see current UK data rules replaced by a light-touch data regime. Other proposals include a desire to strike data adequacy deals with other countries, notably the United States, which does not have a data adequacy deal with the EU, “reducing barriers to responsible innovation”, such as giving more clarity to definitions for data protection legislation, relaxing the scope of what information websites may collect from visitors without their consent, such as analytical cookies, and making it easy for currently compliant organisations to remain compliant, come the new rules.
Future disputes
Although on the surface these proposals represent significant change, in practice, UK regulators will not want to lose adequacy with the EU unnecessarily. Instead, as can be seen from clarifying definitions and relaxing the scope of website cookies, UK authorities are seeking to diverge gently so as not to provoke a response from the EU.
However, given the EU’s desire for dynamic alignment, where the UK would adopt new EU rules to remain equivalent, something the UK government absolutely does not want, disputes around adequacy rules are likely to eventually emerge, which would generate significant uncertainty for PSPs in Europe. Disputes may even end up in the same situation as passporting rights, where no agreement is reached, raising barriers to entry for firms suddenly in need of a licence or barring PSPs from markets entirely.
Additionally, the less agreement there is between the EU and UK, the more of an incentive there will be for either side to diverge in their respective regulations. And the longer that situation persists, the harder it will be to reach regulatory equivalence without one side giving way. For PSPs in the EU and UK, regulatory disagreement is likely to continue for years to come as each side tries to one-up the other, both politically and competitively. PSPs should, therefore, be aware of how to smoothly manage the transition as regulations in important markets become more divergent.
The transformation of BaFin
As well as the continued uncertainties of Brexit, reforms to BaFin in light of the Wirecard scandal have created a harsher regulatory environment, particularly for new entrants, in Germany.
Although the catalyst for many of the reforms was the German payment processor Wirecard filing for insolvency on June 25, 2020, the core issues stemmed from the regulator not keeping up with the pace of innovation. Felix Hufeld, the head of BaFin at the time, later told members of the German parliament in July 2020 that “the agency’s ability to act was limited because Wirecard was classified as a technology company rather than a financial services provider, and so was not fully under BaFin’s purview”. This narrow interpretation of the authority’s regulatory perimeter meant that a large part of Wirecard’s operations was carried out without supervisory oversight.
The reforms
Reform to BaFin has come in multiple forms, notably the Law for Financial Market Integrity (FISG), which came into force on July 1, 2021. The law imposes new requirements on institutions outsourcing parts of their activities, which was previously outside BaFin’s scope and can be a considerable part of a PSP’s operations.
The reforms can be considered comprehensive, requiring PSPs to set up an internal register documenting outsourcing arrangements, or to appoint an authorised agent for outsourcing firms from a non-EEA country. BaFin may also issue orders directly to the outsourcing firms of a PSP and can impose administrative fines and sanctions on outsourcing companies themselves if these requirements are not met. These requirements were noted by the European Central Bank (ECB) as going beyond both Directive 2013/36/EU and the spirit of the guidance on outsourcing arrangements (EBA/GL/2019/02).
Amendments have also been made to the Commercial Code (Handelsgesetzbuch – HGB), creating new audit requirements for financial firms to comply with, such as establishing an audit committee by no later than January 1, 2022, which was previously a discretionary matter for the firm’s supervisory board. BaFin may now perform ad hoc and special audits, and has direct powers to intervene not only with PSPs but also with the firms they use for outsourcing.
Additionally, the reforms addressed cultural failings within BaFin, such as accusations of BaFin employees engaging in insider trading, leadership and decision-making issues, and poor and inconsistent treatment of whistleblowers. BaFin will also receive additional staff to carry out these new duties.
Some of these issues are already being addressed by BaFin, with the appointment of Mark Branson, a non-German head of the organisation, who previously served as head of Switzerland’s Financial Market Supervisory Authority (FINMA).
Preventing Wirecard from happening again
Together, these reforms allow BaFin to intervene faster, more decisively and target substantially more firms in the payments services market. Combined with the political desire for “cases like Wirecard to be prevented from happening again”, this will mean a significantly harsher environment for PSPs, particularly existing and potential new entrants, as BaFin will want to make sure these new firms do not have a high chance of failing. Existing firms will also have to re-evaluate arrangements with their outsourcers, which have turned from being a clever way to escape regulatory compliance in their processes, to becoming a regulatory danger in themselves.
Already, the effects are being felt by firms such as challenger bank N26, which BaFin sanctioned on October 5, 2021 for risk management shortcomings as a result of growing too quickly. The authority has appointed a special commissioner to oversee the implementation of the new measures and in the meantime has limited N26 to acquiring a maximum of 50,000 new customers per month, as well as placing restrictions on its loan book. This restriction will apply to the firm in every jurisdiction in which N26 operates.
BaFin also imposed an administrative fine of €4.25m in June 2021 on N26 for failing to submit a large number of suspicious transaction reports. In sanctioning N26 in October, BaFin aims to force the firm to reallocate more resources to anti-money laundering, in particular to strengthening the customer identification process. Yet with many PSPs and payments-related firms like N26 reliant on expansionist models of growth, such an approach is likely to damage the international competitiveness of PSPs in Germany, either through the compliance team’s overcautiousness about expansion, or through direct sanctions from BaFin.
Conclusion
In conclusion, changes from Brexit as well as regulatory overreaction in cases like BaFin following the Wirecard scandal show there is significantly less certainty about the regulatory environment than PSPs would ideally desire. Even with the prospect of COVID-19 changing the regulatory landscape, PSPs must contend with adequacy agreements for important commercial markets that can be revoked by one party, as well as a harsher domestic regulatory environment that could turn a competitive advantage into a liability without much warning. In particular, the key takeaway from this analysis is that these significant regulatory changes can still happen in mature, developed markets with well-functioning institutions, stable political systems and growing economies.