Questions and Answers: Digital Finance Strategy, legislative proposals on crypto-assets and digital operational resilience, Retail Payments Strategy

Reproduced with thanks from the European Commission (EC), published on Thursday 24 September 2020.
  • The Digital Finance Strategy

Why do we need a Digital Finance Strategy?

As technology and business models develop, European consumers and businesses are increasingly using digital financial services for a range of different purposes. Europe is now home to many successful fintech start-ups and many other European businesses are overhauling their own models, often in cooperation with Fintech companies. Technology companies, both large and small, are increasingly diversifying into financial services. Furthermore, digital finance has helped citizens and businesses tackle the unprecedented situation created by the coronavirus pandemic. At the same time, these developments change the nature of risks to consumers and financial stability.

More broadly, digital technologies are key for relaunching and modernising the European economy across sectors. A more digital financial sector would support the economic recovery strategy to help repair the social and economic damage caused by the coronavirus pandemic.[1] It will move Europe forward as a global digital player. This would bring significant benefits to both consumers and businesses. As part of that, Europe should promote digital finance based on European values and a sound regulation of risks.

What are the main goals of the Digital Finance Strategy?

Today's strategy covers four broad priority areas:

  • Tackling fragmentation in the Digital Single Market for financial services. Fewer obstacles to cross-border operations would enable European consumers to access more cost-effective products and services, and would help European financial firms scale up their digital operations to increase their efficiency. To achieve these objectives, some adjustments are needed to ensure the legal framework enables the use of interoperable digital identity solutions.
  • Ensuring that the EU's regulatory framework facilitates digital innovation in the interest of consumers and market efficiency. Given developments in technology, the Commission has taken a pro-active approach and proposed adjustments to the EU's financial services legislation and supervisory practices to ensure that they remain relevant in the digital age. This is precisely the reason why the Commission has today come forward with legislative initiatives on crypto-assets.
  • Creating a European financial data space to promote data-driven innovation, building on the European Data Strategy. Enhanced access to data and data sharing within the financial sector will encourage the financial sector to embrace data-driven innovation. This should lead to more innovative products for consumers and businesses. At the same time, the Commission is particularly vigilant about ensuring consumers remain in charge of their data. Therefore, compliance with data protection rules, in particular the General Data Protection Regulation (GDPR), is a pre-requisite for a financial sector driven by data.
  • Addressing challenges and risks associated with the digital transformation, in particular to promote resilience, data protection and appropriate prudential supervision. As part of today's package, the Commission presented a legislative proposal on digital operational resilience. Particular attention has been paid to the principle “same activity, same risk, same rules” to ensure consumer protection and to ensure a level playing field between existing financial institutions and new market entrants.

The Commission remains committed to working closely with international partners. The benefits of digital finance are best harnessed if their deployment is based on international principles and standards.

How will this benefit consumers and businesses?

  • Embracing digital finance would unleash European innovation and create opportunities to develop better financial products for consumers, including for people currently unable to access financial services. It unlocks new ways of channelling funding to EU businesses, in particular SMEs.
  • Boosting digital finance would therefore support Europe's economic recovery strategy and the broader economic transformation. It would open up new channels to mobilise funding in support of the Green Deal and the New Industrial Strategy for Europe.
  • As digital finance accelerates cross-border operations, it also has the potential to enhance financial market integration in the Banking Union and the Capital Markets Union, and thereby strengthen Europe's Economic and Monetary Union.
  • Finally, a strong and vibrant European digital finance sector would strengthen Europe's ability to reinforce our open strategic autonomy in financial services and, by extension, our capacity to regulate and supervise the financial system to protect Europe's financial stability and our values.

How will the Commission roll out this strategy?

To achieve the objectives of this initiative, private stakeholders, national authorities and the EU must work closely together. Building on the Digital Finance Outreach[2] events conducted during spring 2020, the Commission encourages consumers, businesses, established financial firms, new fintech companies and their employees to engage actively. The Commission will work together with legislators and the supervisory community at both European and national level. Member States and national supervisors should continue and expand their numerous innovative initiatives, amplifying their effects beyond national markets to encompass the EU single market as a whole. Acting together, Europe can lead on digital finance, to support the economic recovery and benefit Europe's consumers and businesses.

  • Legislative proposals on crypto-assets (MiCA and DLT pilot regime)

What are crypto-assets?

Crypto-assets are digital representations of values or rights, which can be transferred and stored electronically, using specific technology (known as distributed ledger technology). Crypto-assets are inextricably linked to blockchains, as they are the blocks that make up the chains themselves. Crypto-assets come in many forms and with varying rights and functions. A crypto-asset can serve as an access key to a service (often referred to as “utility tokens”), can be designed to facilitate payments (often referred to as “payments tokens”) but can also be designed as financial instruments, such as transferable securities under the Markets in Financial Instruments Directive (MiFID II).

What is the Commission proposing and why?

Some crypto-assets already fall under existing EU financial services legislation and will remain subject to that legislation. For example, some crypto-assets qualify as financial instruments and are therefore subject to EU securities markets legislation (e.g. MiFID). However, existing rules most often predate the emergence of crypto-assets and DLT. This can make it difficult to apply the financial services regulatory framework to crypto-assets and in some cases may hinder innovation and the adoption of DLT in the financial sector. The Commission is therefore today proposing a pilot regime for market infrastructures that trade and settle transactions in financial instruments in crypto-asset form. The pilot regime, which allows for derogations from existing rules, will allow regulators to gain experience on the use of distributed ledger technology in market infrastructures and for companies to test out solutions utilising DLT. The intention is to allow companies to test and learn more about how existing rules fare in practice. They can see where further changes may be needed to enable innovation. The Commission is also proposing some related amendments where current legislation presents clear issues to the application of distributed ledger technology in market infrastructures.

For other crypto-assets, the Commission is proposing a comprehensive framework that will protect consumers and the integrity of previously unregulated markets in crypto-assets. To ensure consumer protection, the scope of the proposed regulation is broad. It will cover not only entities issuing crypto-assets but also all firms providing services around these crypto-assets such as, for example, firms that keep customers' crypto-assets in custody (“custodian wallets”), entities that allow customers to buy or sell crypto-assets for fiat money or other crypto-assets (“crypto-asset exchanges”), crypto-asset trading platforms and many more. The framework also lays down requirements for the emerging category of so-called ‘stablecoins’, which are divided into e-money tokens and asset-referenced tokens. These are crypto-assets seeking to retain a stable value, making them more useful for payments. Those ‘stablecoins’ that are more systemic (“significant asset-referenced tokens” or “significant e-money tokens”) will be subject to enhanced rules.

Which crypto-assets and services will be regulated under the new regime?

The goal of this framework is to provide legal certainty for the regulatory treatment of all crypto-assets, whether they qualify as financial instruments or e-money under existing legislation, or were previously unregulated. The Regulation on Markets in Crypto-Assets (MiCA) will cover all crypto-assets not currently covered under existing financial services legislation. This will range from utility tokens that provide access to a service to so-called ‘stablecoins’ issued primarily for payments, and everything in between. In the proposed regulation, these are listed as: crypto-assets, utility tokens, asset-referenced tokens and e-money tokens, with the latter two capturing the “stablecoin” universe.

‘Stablecoins’ are a type of crypto-asset that can be used for payments and that claim to maintain a stable value by referencing one or several currencies, commodities or other crypto-assets, or a combination of such assets.

Today's Regulation will cover a wide range of crypto-asset service providers, such as custodian wallet providers, crypto-asset exchanges, crypto-asset trading platforms and issuers of crypto-assets.

What are the key elements of these proposals?

Crypto-assets and their underlying technology present considerable opportunities, but are also associated with considerable risks, stemming largely from the fact that most of them have remained so far unregulated.

Key elements of today's proposal include:

  • Crypto-asset service providers (and notably trading platforms, exchanges and custodial wallet providers) will be required to have a physical presence in the EU and they will be subject to prior authorisation from a national competent authority before starting their activities. They will be subject to capital requirements, governance standards and an obligation to segregate their clients' assets from their own assets. These crypto-asset service providers will also be subject to IT requirements to avoid the risks of cyber thefts and hacks.
  • Today's new rules will also prohibit market abuse in the secondary markets for crypto-assets previously not covered by financial services regulation. To ensure market integrity, the initiative also envisages bespoke measures to prevent market abuse, such as insider dealings and market manipulation. For instance, the crypto-asset service providers would be required to put in place surveillance and enforcement mechanisms to deter potential market abuse.
  • As regards issuers of crypto-assets, today's proposal requires the publication of a white paper including all relevant information on the specific crypto-asset. Such information would include a detailed description of the issuer, the project and planned use of funds, conditions, rights, obligations and risks. Members of the issuers' management body will have to meet probity standards, and misleading market communications by crypto-asset issuers are prohibited. Compliance with all these requirements will be supervised by national competent authorities (NCAs), or the EBA in the case of asset-referenced tokens, to reduce the risk of plain fraud.
  • For issuers of asset-referenced tokens, the main requirements include the obligation to be authorised, governance requirements, rules on conflicts of interest, disclosure of the stabilisation mechanism, investment rules and additional white paper requirements. These include, for example, the obligation to disclose information on any potential claim, and minimum rights on such a claim.
  • Issuers of e-money tokens will be subject to the regulatory requirements of the Electronic Money Directive and the rules set out in the Regulation on Markets in Crypto-Assets, which for example means that they must give a 1:1 claim to the token holders.
  • Crypto-asset service providers will be subject to prudential requirements, organisational requirements, rules on safekeeping of clients' funds and rules on mandatory complaint handling procedures and conflicts of interest. In addition, there are specific requirements dependent on the type of crypto-asset service provider.
  • To ensure effective supervision, Member States have to designate a competent authority as the single point of contact even if the supervision is split between several competent authorities. For issuers of significant asset-referenced tokens the supervision is carried out by the European Banking Authority. Significant e-money tokens are subject to dual supervision by national competent authorities and the EBA.

Will crypto-asset service providers benefit from the “EU passport”?

Yes, based on the authorisation in one Member State, a crypto-asset service provider will be able to operate across the EU's Single Market. The provider will therefore benefit from an “EU passport”.

How will supervision work?

Supervision will in principle fall upon the authorities of the Member State where providers are based. In case supervision is divided between several competent authorities because activities are cross-border, it will be up to the Member States concerned to designate a single point of contact.

The issuers of significant asset-referenced tokens (also known as so-called ‘stablecoins’) will be supervised by the European Banking Authority, because these instruments are likely to pose significant risks for financial stability and consumer protection in many different Member States. Issuers of significant e-money tokens will be subject to dual supervision from national competent authorities and the European Banking Authority (for the additional requirements imposed due to the increased risks posed by significant e-money tokens).

Which institutions fall within the scope of the new regime?

Today's Regulation will cover crypto-asset service providers and crypto-asset issuers which have been previously unregulated under the financial services framework. Many crypto-asset service providers are, however, already regulated institutions for AML (anti-money laundering) purposes, and many wallet providers hold financial licenses (for example, licenses as electronic money providers) for other parts of their activities.

Some existing financial institutions will be allowed to carry out activities covered under this proposal, such as credit institutions and investment firms, depending on the authorisations they hold. For example, an investment firm authorised to provide advice under MiFID would also be allowed to carry out investment advice for crypto-assets.

The proposed pilot regime for distributed ledger technology market infrastructures will cover market participants which have been previously approved as either a multilateral trading facility or central securities depository, insofar as they wish to operate a distributed ledger technology market infrastructure.

Why do you not treat crypto-assets like financial instruments?

Crypto-assets take many forms. Some qualify as financial instruments (and are already regulated as such), some are backed by nothing (like Bitcoin), some provide access to a service (utility tokens) and others are backed by real world assets or currencies. Crypto-assets also differ in terms of functionality and risk. Crypto-assets that qualify as financial instruments should be regulated as such because they pose the same risks as a financial instrument. However, crypto-assets that have different functions (for example utility tokens or payment tokens) do not pose the same risks. Regulating them as financial instruments would therefore be disproportionate and would hamper innovation.

The goal of the new framework is to provide legal certainty for all crypto-assets, enabling companies to innovate within this space with full clarity about the framework applicable to them.

How will you ensure proper regulation of so-called ‘stablecoins’ like Libra? Should they not be banned?

One of the guiding pillars of the European Commission's Digital Finance Strategy is to ensure that EU legislation is innovation-friendly. We also want to ensure that Europe can make the most of the possibilities that crypto-assets have to offer, while mitigating the risks to consumer protection, market integrity, financial stability, monetary policy transmission and monetary sovereignty. This is in line with international work, such as the G7 report from October 2019[3] and the consultative document from the Financial Stability Board on the regulatory issues of ‘stablecoins’.[4]

The objective of the European Commission is therefore to regulate innovation in, not out. In that respect, the Commission believes that regulating so-called ‘stablecoins’ is necessary to support innovation and preserve financial stability and investor protection. The proposed Regulation on Markets in Crypto-Assets contains specific provisions for asset-referenced tokens and e-money tokens (the new terms used for so-called ‘stablecoins’). For both of these categories, the Commission proposes to set minimum rights for investors. One important right is the claim that the holder of a token would have against the issuer of the ‘stablecoin’:

E-money tokens, which are defined as crypto-assets that reference a single currency, will be subject to both the requirements set out in today's proposal as well as the regulatory requirements and safeguards of the Electronic Money Directive. This means that issuers of such tokens will be required to offer a one-to-one redemption right for their tokens.

Asset-referenced tokens, which are crypto-assets that reference either multiple currencies, commodities, other crypto-assets or a combination of these, will be subject to minimum requirements set out in today's proposal. For example:

  • the issuer would have to maintain adequate liquidity arrangements with the asset service providers buying and selling these tokens;
  • holders would have the right to withdraw directly from the issuer in case of significant variation in value; and,
  • in case the issuer stops its operations, contractual arrangements must be in place to ensure that any potential proceeds are paid out to the holders of the tokens.

What are the main features of the pilot regime for distributed ledger technology (DLT) market infrastructures?

The proposed Regulation on Distributed Ledger Technology (DLT) Market Infrastructures, also called the “pilot regime”, aims to enable market participants to operate a DLT market infrastructure (either a DLT multilateral trading facility or a DLT securities settlement system) by establishing clear and uniform operating requirements. The overall objective is to remove regulatory hurdles to the issuance, trading and post-trading of financial instruments in crypto-asset form and for regulators to gain experience on the application of DLT in market infrastructures.

The pilot regime establishes the conditions for acquiring permission to operate a DLT market infrastructure, sets limitations on the transferable securities that can be admitted to trading, and frames the cooperation between the DLT market infrastructure, competent authorities and the European Securities and Markets Authority. Permission to operate the pilot is temporary and will be periodically reviewed by supervisors. It will be subject to strict requirements, so that market operators who no longer meet the relevant criteria can no longer run the pilot.

Today's Regulation mandates the European Securities and Markets Authority to carry out a review on the application of the pilot regime three years after its entry into force.

How do you address money-laundering risks?

Crypto-assets are already covered by EU anti-money laundering legislation since the 5th Anti-Money Laundering Directive (AMLD5) became applicable on 10 January 2020. AMLD5 focuses on the gateways between fiat money and crypto-assets, requiring them to register as “obliged entities” for anti-money laundering (AML) purposes. Since the adoption of AMLD5, international standards developed by the Financial Action Task Force (FATF)[5] recommend including additional crypto-asset service providers within the scope of AMLD.

Today's proposals cover more crypto-asset service providers than those entities included in AMLD5. Today's proposals will put in place considerable requirements on these service providers in order to protect consumers, market integrity and financial stability. They take into account the international recommendations of the FATF and cover all of the service providers listed in these standards, even though they do not directly address AML/CFT issues raised by crypto-assets and crypto-asset service providers. Additional AML requirements will follow from future proposals to overhaul the EU AML framework in 2021.

What are the main benefits of today's measures?

  • Regulation on Markets in Crypto-Assets

The proposal on Markets in Crypto-Assets will ensure consumer and investor protection, financial stability and will provide legal certainty for innovative businesses that seek to develop products and solutions based on crypto-assets and the underlying technology.

The proposal will also bring necessary legal clarity to European companies in order to enable them to develop innovative products and services that make use of crypto-assets and the underlying technology. A harmonised EU approach lowers the complexity of applicable rules and reduces fragmentation within Europe. The EU passport allows both issuers and crypto-asset service providers to offer their services across Europe, once authorised in a Member State.

Crypto-assets and the underlying technology also improve efficiency within the financial sector, enabling for example more efficient payments systems or cheaper, less burdensome and more inclusive ways of financing small and medium-sized companies.

  • Distributed Ledger Technology (DLT) Market Infrastructures

The pilot regime on DLT market infrastructures will allow companies and supervisors to understand how to use DLT in market infrastructures. It would also help to identify potential obstacles to the full application of distributed ledger technology within market infrastructures.

What about international standards and the rules in other jurisdictions?

The Commission has been actively engaged in international fora discussing crypto-assets since this topic was first put on the global agenda. The Commission has participated in and supported the outcome of various global work strands by the G7, the Financial Stability Board (FSB) and the FATF recommendations[6]. Today's proposals take into account the outcome of the G7 report on stablecoins[7] and the ongoing work from the FSB on so-called ‘stablecoins’.

Today's proposals are among the more comprehensive dedicated frameworks for crypto-assets. They were inspired by domestic frameworks that have been put in place by some EU Member States. At global level, most other jurisdictions either apply existing financial rules, or try to cover parts of the crypto-asset market by bringing into scope certain crypto-asset service providers.

Why is this proposal coming now?

Making Europe ready for the digital age is one of the top priorities for the Commission.

President von der Leyen tasked Executive Vice-President Dombrovskis to ensure a common approach with Member States on crypto-assets. The objective of an EU framework on crypto-assets is to establish the right market conditions for crypto-assets to develop and to ensure that the EU can make the most of the opportunities they offer while mitigating the risks they introduce. Such a framework also provides legal certainty for all types of crypto-assets. Furthermore, the market for so-called ‘stablecoins’ is rapidly evolving. Companies or networks with large pre-existing customer bases often back these coins. This increases the likelihood of their widespread use in the EU. Depending on how these are structured, they may or may not fit within existing regulatory frameworks, hence the need for new regulation to ensure appropriate rules are in place to protect consumers and financial stability regardless of the form a ‘stablecoin’ arrangement may take.

What are the next steps?

The proposal will be subject to the agreement with the co-legislators, the European Parliament and the Council.

  • Legislative proposals on digital operational resilience (DORA)

What is digital operational resilience?

Digital operational resilience is the capacity of firms to ensure that they can withstand all types of Information and Communication Technologies (ICT)-related disruptions and threats. Financial firms hold abundant and varied amounts of personal and financial data (e.g. bank account details, investment details, insurance data, etc.). The ever-increasing dependency of the financial sector on software and digital processes means that ICT risks are inherent in finance. Financial firms have therefore become targets of cyberattacks, which result in serious financial and reputational damage to clients and firms. National financial supervisors across the EU, as well as the European Supervisory Authorities, agree that financial entities need to be equipped with fully-fledged and modern capabilities to reap the full benefits of the digital transformation. The Commission has today proposed that all financial services firms respect strict standards to limit the immediate impact and further propagation of ICT-related incidents.

How is EU legislation currently addressing digital operational resilience for the financial sector?

Current EU rules on managing ICT risks vary significantly between financial services sectors, and were developed at different moments over the past decade. They only partly address ICT risks, with a few exceptions (e.g. payments and post-trading services), often only as a matter of secondary concern. National requirements and supervisory guidance may fill the gaps, though not necessarily in a consistent manner. Even though financial firms operate in a highly interconnected financial and digital ecosystem, as highlighted by the European Supervisory Authorities, requirements on firms to address ICT risk are fragmented and inconsistent across the financial sector.[8]

What is the Commission proposing and why?

Today's proposal for a Digital Operational Resilience Act (DORA) is designed to consolidate and upgrade ICT risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations.

Today's proposal will bring legal clarity on the applicable ICT risk provisions, especially in case of cross-border financial entities. It will reduce regulatory complexity and lower the financial and administrative burdens resulting from diverse rules that apply to financial entities across the EU. Today's proposal will, for the first time, bring rules addressing ICT risk in finance together into one single legislative act. This should fill in the gaps and address current inconsistencies in sectoral legislation. The proposal will put in place dedicated ICT risk management capabilities, reporting of major ICT-related incidents, digital operational resilience testing, management by financial entities of ICT third-party risk, oversight of critical ICT third-party service providers, as well as information sharing among financial entities.

Financial entities are not equally exposed to ICT risk. Risks depend on the size, functions and business profile of the firms. Therefore, requirements will be applied in a proportionate manner to ensure that, while the new rules cover all financial entities, they are at the same time tailored to the risks and needs of specific entities, as well as to their size and business profiles. The proposal covers a broad range of financial entities - from credit institutions and investment funds to crypto-asset service providers - in order to ensure that ICT risks are managed in a homogeneous and coherent way.

What are the key elements of the proposal?

Today's proposal covers:

  • ICT risk management: these requirements revolve around specific capabilities and functions in ICT risk management, such as identification, protection and prevention, detection, response and recovery, learning and evolving and communication. Financial entities would be required to:
      • Set up and maintain resilient ICT systems and tools that minimise ICT risk,
      • Identify on a continuous basis all sources of ICT risk,
      • Set up protection and prevention measures,
      • Promptly detect anomalous activities, and
      • Put in place dedicated and comprehensive business continuity policies and disaster and recovery plans, as an integral part of the operational business continuity policy.
  • ICT-related incident reporting: Financial entities will be required to establish and implement a management process to monitor, classify and report major ICT-related incidents to competent authorities. National competent authorities will have to provide details of ICT-related incidents to other institutions or authorities (e.g. the single points of contact under the Directive on Security of Networks and Information Systems, NIS Directive). National authorities would also have to give firms feedback and guidance.
  • Digital operational resilience testing: The capabilities and functions included in the ICT risk management framework need to be periodically tested to check that firms are able to identify weaknesses, deficiencies or gaps, and to address problems. This will be achieved through a set of testing tools that will be deployed by financial entities depending on their size, business and risk profile.
  • ICT third-party risk: Financial firms increasingly depend on non-financial technology firms for their ICT services. The proposal is designed to ensure a sound monitoring of ICT third-party risk. Key contractual aspects will be harmonised to ensure that financial firms monitor ICT third-party risk. The proposal will subject critical ICT third-party service providers to a Union Oversight Framework to ensure supervisory convergence.
  • Information sharing: the proposal will allow financial entities to set up arrangements to exchange cyber threat information and intelligence amongst themselves.

How do you streamline the reporting of ICT incidents?

All financial entities covered by this proposal would be required to report major ICT incidents to national competent authorities. This will enable financial supervisors to better assess the frequency, nature, significance and impact of all major ICT-related disruptions. Financial entities will benefit from harmonised ICT-related reporting content and templates. The transmission of relevant information on major ICT-related incidents to the ESAs and the ECB will enable a better overview of the magnitude of cyber threats at EU level.

As ICT disruptions occurring in finance may propagate throughout the Single Market and to other economic sectors, relevant information will be reported to national authorities designated as single points of contact under the NIS Directive[9]. While the proposal does not require a centralisation at EU level of ICT-related incident reporting, it prepares the ground for such a mechanism. The European Supervisory Authorities (ESAs), the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA) are mandated to assess and report on the feasibility of establishing a single EU Hub for major ICT-related incident reporting by financial entities.

Will financial entities share cyber threat information and intelligence?

Today's proposal encourages information sharing among financial entities on cyber threat information and intelligence (including indicators on procedures and cyber security alerts). This would increase the financial sector's awareness of ICT risk vulnerabilities and the tools to tackle risks. In the same vein, it would enhance the financial entities' capacity to prevent cyber threats.

Who checks how ICT-related services are provided? What is the Oversight Framework of ICT third-party service providers?

The financial ecosystem is highly dependent on the use of ICT-related services. Such services are increasingly provided by technology firms outside the financial sector. At present, financial supervisors lack specific powers to address ICT risks arising at the level of ICT third-party providers. To fill the existing gap the proposal sets harmonised rules subjecting critical ICT third-party service providers to an Oversight Framework at EU level. The European Supervisory Authorities (ESAs) will operate as Lead Overseers, and the national supervisors as enforcers. The ESAs will have the right to access documents and to carry out inspections. They will also have the power to address recommendations and instructions, to require remedial measures, or to oppose arrangements affecting the stability of the financial entity, or the financial system. Compliance with substantive recommendations laid down by the Lead Overseers should be achieved mainly through the enforcement powers of national financial supervisors, including the possibility for third party providers to be fined.

Who decides whether an ICT third-party service provider is critical?

The Oversight Framework will set up a designation mechanism of critical ICT third-party service providers, taking into account the dimension and nature of the financial sector's reliance on services provided by ICT third-parties. Concretely, the designation will be based on a set of quantitative and qualitative criteria setting out the parameters as a basis for inclusion into the Oversight. The proposal will also foresee a voluntary opt-in for ICT third-party service providers that have not been designated on the basis of future criteria.

How does this initiative interact with other EU frameworks?

The proposal is consistent with other EU legislative acts, notably the Network and Information Security (NIS) Directive and the European Critical Infrastructure (ECI) Directive.

What are the next steps?

The proposal will be subject to the agreement with the co-legislators, the European Parliament and the Council.

  • The Retail Payments Strategy

Why do we need a Retail Payments strategy?

The ability of EU citizens and businesses to pay or transfer money efficiently and in a secure manner is critical for the well-functioning of Europe's economy. The coronavirus crisis has highlighted the importance of technology and digitalisation in the area of finance and payments. The constant evolution in technology has significantly increased the frequency of online payments.

The EU's Payments Services Directive 2[10] (PSD2) set out rules to ensure that payments are secure and efficient. Payments can now be executed within seconds in some cases, based on instant payment technology. Banks are no longer the only entities that provide payment services nowadays: “FinTechs” and large internet platforms are increasingly playing an important role. Despite these developments, domestic payment solutions are not available to consumers in other Member States, as is the case for mobile payment apps, for instance.

The Commission has today presented a strategy to develop the EU's payments market so that it can fully reap the benefits of innovation and the opportunities of digitalisation. This strategy aims to make instant payments and EU-wide payment solutions more accessible and cost effective for citizens and businesses across Europe. At the same time, consumer protection and safe payment solutions remain at the centre of this strategy.

How will this strategy benefit EU citizens and businesses?

The Commission aims to make retail payments more convenient, secure, and cost-efficient, particularly in cross-border situations. This will facilitate economic activity, especially by reducing delays and costs for businesses when receiving payments. It will also make it easier for consumers to meet their payment obligations, pay in shops everywhere, make e-commerce transactions safely and conveniently or send money, even in cross-border situations, within Europe and beyond.

Why do we need more integration in the retail payments market?

The EU's retail payments market is still very much fragmented along national borders, as most payment services offered in domestic markets do not work cross-border in Europe. This is especially the case for instant domestic payment solutions (e.g. Swish in Sweden and Bizum in Spain) and mobile payment applications. In a Digital Single Market, fragmentation along national borders no longer corresponds to the needs or expectations of European citizens and businesses. Currently, when paying in shops abroad or through e-commerce, consumers often have no choice other than to use services provided by the main international card schemes or by large internet platforms. This makes Europe too dependent on large and global players.

Why are you focusing on instant payments? What is their value added?

Instant payment systems allow customers to transfer funds in real time and around the clock, every day of the year, irrespective of the opening hours of their payment service provider. Funds are made available to a beneficiary in a matter of seconds. Instant payments are therefore very efficient and allow for a quick “recycling” of money flows: beneficiaries get paid more quickly and can pay others more quickly. Moreover, instant payments can also be used in circumstances that until now have been reserved for more traditional payment methods, such as through payment cards or cash. At the same time, instant payments may present some risks in terms of fraud, money laundering, bank runs, etc. However, such risks are largely mitigated under the existing legislation and supervisory framework. The Commission stands ready to adopt additional measures in the future, if need be.

Why is the Commission supportive of initiatives such as the European Payments Initiative (EPI)?

The Commission supports initiatives that have the widest scale at European level and that work cross-border, so that the maximum number of citizens and businesses benefit from innovation. The European Payments Initiative (EPI), which was announced in July by 16 European banks, aims at offering payment solutions that can be used cross-border in Europe. This is fully consistent with the objectives of our Retail Payments Strategy. At the same time, the Commission would welcome any other market initiative aiming to achieve similar objectives and with a similar European ambition, provided that European competition rules are complied with.

Does the Commission intend to mandate acceptance of cash or eradicate it?

Cash (banknotes and coins) still plays an important role as a means of payment in society. In the euro area, euro banknotes and coins are the only legal tender pursuant to Article 128 TFEU and to Council Regulation (EC) No 974/98 of 3 May 1998, as well as the Commission Recommendation of 22 March 2010 on the scope and effects of legal tender of euro banknotes and coins. With cash, face-to-face transactions can happen in real time, without the need for any technical infrastructure or intermediary. The Commission considers that cash should remain both accessible and widely accepted. This is without prejudice to legislation limiting the use of cash on tax evasion, money laundering or terrorist financing grounds.

Will the Commission go beyond the Payment Services Directive 2 (PSD2) ‘open banking’?

PSD2 has enabled the emergence of new business models based on the sharing of payment account data (‘Open Banking’), such as payment initiation and account information services. It has also improved the general level of the security of payment transactions through the implementation of strong customer authentication. It is a worldwide reference for open banking and secure transactions. The experience gathered from the full implementation of PSD2 will inform the Commission's work on a broader framework for open finance, as set out in the Digital Finance Strategy.

Will the Commission further facilitate contactless payments?

While the Commission is aware of the importance of contactless payments during the coronavirus crisis, the Commission does not consider it appropriate - at this stage - to raise the legal maximum amounts (per transaction and cumulatively) of contactless payments that are exempt from strong customer authentication. There is a risk that this could lead to an increase in fraud. The impact of any increase in the limits would therefore have to be carefully assessed before any decision could be taken. The Commission will however examine, in close consultation with both stakeholders and Member States, the technical conditions that could enable consumers to set their own individual contactless limit, within the maximum legal limit of €50.

Why is direct participation in payment systems by non-bank regulated entities important?

As banks and non-bank regulated entities compete in the provision of payment services, they need access to payment systems to execute payment transactions. Currently the access conditions to payment systems are different for banks and non-banks. The latter do not enjoy direct access to certain payment systems, such as those of a systemically important nature. They can only access them indirectly through banks. This creates an uneven playing field between competitors. The Commission will address this issue in the framework of the forthcoming revision of the Settlement Finality Directive.

How will the Commission contribute to the global efforts to improve international cross-border payments?

The Commission proposes several measures that are consistent with global efforts and recent work by the Financial Stability Board and the Committee on Payments and Market Infrastructures. These include, for instance, establishing links between payment systems of different countries, or making greater use of international standards for messaging systems, thereby improving transparency and efficiency, which could ultimately have a significant impact on cost. International cooperation is key given the interconnectedness of the financial systems and the economies.

Why is the Commission proposing measures to improve remittances?

Remittances are low-value, person-to-person transfers that are usually sent by migrants back to their countries of origin. They are a lifeline for millions of families around the globe. These flows are expected to decrease by as much as 20% because of the coronavirus crisis. This in turn could have a significant impact on low and middle-income economies. As remittances are cross-border payments, the measures proposed in today's strategy to improve the efficiency of the payments system should also benefit remittances. In addition, some specific measures are foreseen for remittances, such as supporting developing countries to adopt similar approaches to the Single Euro Payments Area in Europe or promoting access to payment accounts and encouraging the use of digital channels to transfer money.

[1] European Commission, “Europe's moment: Repair and prepare for the next generation”, 27 May 2020, https://ec.europa.eu/commission/presscorner/detail/en/ip_20_940

[2] https://ec.europa.eu/info/publications/digital-finance-outreach-2020_en

[3] https://www.bis.org/cpmi/publ/d187.pdf

[4] https://www.fsb.org/wp-content/uploads/P140420-1.pdf

[5] https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf

[6] https://www.fatf-gafi.org/publications/fatfrecommendations/documents/12-month-review-virtual-assets-vasps.html

[7] https://www.bis.org/cpmi/publ/d187.pdf

[8] Joint Advice of the European Supervisory Authorities to the European Commission on the need for legislative improvements relating to ICT risk management requirements in the EU financial sector, JC 2019 26 (2019).

[9] https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive

[10] https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en