27 February 2024

2024 Fintech Outlook: Key EU regulatory topics to watch

  • In-depth analysis
Authors

Miroslav Đurić, LL.M.

Lawyer

Dr. Verena Ritter-Döring

Partner

Last year was anything but an easy one for the fintech sector across the globe, which had to weather a storm marked by a fragile fundraising environment, increased geopolitical uncertainty, weak economic results and the looming spectre of recession. As we move further into 2024, the fintech landscape in the European Union is poised for a dynamic, more optimistic and more regulation-driven period ahead.

First, the fundraising environment is showing first signs of improvement after weathering a challenging year that was marked by the lowest deal volume and fundraising figures in recent years. Expected interest rate cuts combined with improved investor confidence in the public markets are starting to bring renewed optimism and prospects for improved deal flow and capital influxes in the venture capital space that is in many ways a lifeline for growth of innovative fintech businesses.

In parallel, the cryptocurrency market is experiencing (once again) a resurgence, with prices of major cryptocurrencies reaching new highs following a period of consolidation and uncertainty in the crypto-industry. This, combined with the ever-increasing use of distributed ledger technology (DLT) in the securities markets (especially in the debt capital market space), is bringing optimism that DLT and digital assets will be making headlines this year once again.

But perhaps the most captivating storyline of all these is the rise of artificial intelligence (AI) in the financial services sector. Driven by the AI boom that was triggered by the launch of OpenAI’s ChatGPT, the incumbent financial institutions and innovative start-ups are exploring the ways in which the power of AI could be utilised for the purpose of more efficient provision of financial services. As the AI boom continues to ascend, it promises to remain one of the main topics that will be keeping the entire financial services industry busy in the coming period.

Bearing in mind all these industry developments, the EU lawmakers and the regulators are also expected to make some important steps in 2024. By delivering on the EU Commission’s promises laid out in the Digital Finance Strategy and the Retail Payments Strategy published in September 2020, the EU lawmakers are expected to finalise a number of important legislative proposals that will in many ways reshape the financial services regulatory landscape in the EU. As these proposals move closer to their final phase, stakeholders across the financial services industry and the fintech ecosystem are closely monitoring their progress, recognizing the potential impact on business operations, market dynamics, and regulatory compliance.

In this article, we provide you with an overview of some key regulatory topics that will be of importance for fintechs and the financial services industry in the EU as a whole in 2024.

Digital Operational Resilience

Nowadays, the entire financial services industry has largely become dependent on the proper functioning of the IT infrastructure that is underpinning the provision of financial services in the digital environment. Therefore, proper resilience of financial institutions to IT risks and cyber-related threats has been and will remain one of the top regulatory and supervisory priorities in the EU in 2024.

The rules on digital operational resilience applicable to financial institutions are currently fragmented and placed in various sector specific pieces of EU financial regulation (e.g. MiFID II, CRD, PSD2 etc.) that lack proper harmonisation. Further, the scope of application of the Guidelines on outsourcing of European Supervisory Authorities (ESAs) combined with their rather non-binding character (i.e. application on a comply-or-explain basis), leave space for regulatory ambiguity in this important area which in the digital age has become a backbone of the proper functioning of the financial services industry.

The Digital Operational Resilience Act (DORA), which was created with the aim of enabling further harmonisation of EU rules on digital operational resilience in the financial sector, will probably be one of the most significant regulatory reforms in recent years. Due to become operational on 17 January 2025, DORA puts new obligations on the management of information and communication technology (ICT) risks, ICT incidents and shortfalls, which financial institutions from almost every corner of the financial services industry will be required to comply with.

To that end, as of the beginning of next year, financial institutions operating in the EU will be required to:

  • Have an effective internal ICT risk management framework in place that is comprised of a number of policies, procedures and processes aimed at ensuring the financial institution’s resilience in the digital environment;
  • Comply with new and strict requirements on identification, management and reporting of ICT risks;
  • Comply with new regulatory requirements on digital operational resilience testing including (for larger entities) specific threat-led penetration testing;
  • Have effective internal frameworks in place on management of ICT risks related to third parties that financial institutions rely on for the provision of ICT services (ICT third party risk management);
  • Ensure that they meet new comprehensive contractual requirements when it comes to contractual arrangements with ICT third party service providers.

DORA also has a broader scope of application than the existing rules on outsourcing, covering arrangements for the provision of a variety of ICT services that go way beyond arrangements for performance of activities or functions that fall under the definition of “outsourcing” under the existing framework.

Further, DORA is the very first piece of EU financial regulation that creates a supervisory framework for unregulated entities that are acting as providers of ICT-services (i.e. the entities to which financial institutions usually outsource the performance of certain activities and functions). To that end, some larger third-party service providers that provide services to a number of large financial entities in the EU (like large cloud providers) will likely be designated as critical ICT service providers and become subject to direct supervision by one of the ESAs that will have also certain direct supervisory and inspection powers in relation to them.

That being said, in 2024 DORA will be one of the most important regulatory topics for financial institutions, that will need to:

  • Conduct thorough gap analysis with the aim of identifying the level of their compliance with the new rules;
  • Align their internal frameworks on management of ICT risks (internal processes, documentation, procedures etc.) with the new requirements;
  • Start reviewing and redrafting (i.e. renegotiating the terms) of their contractual arrangements with ICT service providers in accordance with new requirements.

With the aim of providing the industry with important clarifications on provisions of the level 1 Regulation, the EU Commission is mandated to develop a number of regulatory and implementing technical standards in the coming period. The European Supervisory Authorities (ESAs) have already published a number of draft RTS and ITS that are, however, not yet final and still leave some space for regulatory ambiguity that demands further clarification.

Bearing in mind the level of complexity of the new requirements, the implementation process will be anything but an easy task for the entire financial services industry. To that end, financial institutions will need to invest a significant amount of time and resources to prepare for the new framework on multiple fronts at the same time: operational, technical, compliance and legal.

Whereas in some EU Member States (like Germany) financial institutions are already subject to more restrictive regulatory requirements on the management of ICT risks, the significance of the DORA framework should not be underestimated: the new requirements are not to be seen as a mere “EU replication” of national IT requirements that would allow German institutions to rely on their existing frameworks in full. On the contrary, financial institutions in Germany should use this implementation period to conduct a thorough gap analysis of their existing internal processes, procedures and documentation with the aim of identifying areas that will need to be aligned with the new DORA requirements, which in many parts go well beyond the existing national requirements on IT based on BaFin circulars such as BAIT, KAIT and ZAIT.

If you are interested to learn more about DORA and the key changes that the new Regulation will bring see the recording of our webinar “Exploring DORA: What the new EU regulatory framework means for your business”.

Completing the crypto-regulatory puzzle

With the Bitcoin price rising to new highs in recent weeks, many in the fintech industry have started paying closer attention to the crypto-sector once again. With the EU Markets in Crypto-Assets (MiCA) Regulation edging ever closer to its go-live dates, this will be another area of the EU financial regulation that in 2024 will definitely remain at the top of the agenda for entities operating in the crypto-space in the EU.

By way of background, MiCA Regulation is aimed at becoming a backbone of the EU regulatory framework on crypto-assets, that creates:

  • a common taxonomy of regulated crypto-assets that differentiates between two types of stablecoins (Asset-referenced tokens “AMTs” and e-money tokens “EMTs”) and other in-scope crypto-assets (like certain types of investment and utility tokens that are not explicitly exempted or otherwise already regulated under EU law);
  • a harmonised authorisation framework for entities providing regulated crypto-asset related services in the EU, like the operators of crypto-exchanges, custodial wallet providers, investment intermediaries, advisors and portfolio managers;
  • offering rules applicable to issuers and offerors of regulated crypto-assets, that will need to comply with prospectus-like transparency and disclosure requirements prior to offering regulated crypto-assets to the public in the EU;
  • a designated stablecoin framework for AMTs and EMTs comprised of a number of operational, prudential and liquidity requirements as well as rules on maintenance and safeguarding of reserve assets aimed at ensuring proper “stability” of these two types of stablecoins.

To see more on MiCA Regulation, please see our dedicated three-part series “Navigating MiCA” that explores the new framework in detail.

Level 1 rules are about to be accompanied by a number of level 2 and level 3 acts that will specify MiCA provisions in more detail. For this purpose, the EU Commission was mandated to adopt a number of regulatory and implementing technical standards (RTS and ITS) and the European Supervisory Authorities (ESAs) to develop certain level 3 guidelines on key topics. So far, the ESAs have published drafts for the vast majority of level 2 and level 3 acts (the first consultation package in July 2023, the second consultation package in October 2023 and the first two acts that are part of the third consultation package in January 2024). Further, on 22 February 2024 the EU Commission went a step further and adopted four Delegated Regulations that provide helpful clarifications on the stablecoin framework applicable to AMTs and EMTs.

The new framework will start to apply directly in all 27 EU Member States, without the need for national transposition, in two phases:

  • the provisions that are part of the stablecoin framework applicable to AMTs and EMTs will start to apply as of 30 June 2024;
  • the remaining provisions applicable to issuers, offerors and service providers dealing with other regulated crypto-assets will start to apply as of 30 December 2024.

Bearing in mind the above listed timeline, the deadline for adoption of all level 2 acts, which is 30 June 2024, appears to be a pretty ambitious goal for the EU Commission. It remains to be seen whether the Commission will be able to deliver these level 2 acts on time. They will contain some desperately necessary clarifications of level 1 provisions, without which the industry will experience significant challenges while preparing for the new framework.

Despite the fact that MiCA Regulation will apply directly without the need for national transposition, it still leaves space for Member States to stipulate at national level transitional periods and grandfathering provisions that would enable easier phasing in of the new framework. To that end, Member States are allowed to grant a grandfathering period of up to 18 months to the entities that are already operating in their respective jurisdiction under existing rules before 30 December 2024. However, ESMA has expressed concerns and urged Member States to limit the duration of eventual grandfathering periods with the aim of ensuring consistent introduction of the new framework at the EU level.

In Germany, on 23 October 2023, the German Ministry of Finance (Bundesfinanzministerium) published a Draft Act on the Digitalisation of the Financial Markets (“Finanzmarktdigitalisierungsgesetz”) that aims to enable easier introduction of the MiCA framework at national level. The Draft Act also introduces a new law, the Crypto Markets Supervision Act (“Kryptomärkteaufsichtsgesetz”, “KMAG”), that provides the existing crypto-businesses with an option to continue operating under their existing national license until no later than 30 December 2025.

Nevertheless, the remaining time for the implementation appears to be quite tight, especially for businesses that do not possess a license for operation in one of the EU Member States that already have national frameworks on crypto-assets. Therefore, crypto-businesses looking to operate in the EU after the go-live dates will need to use this timeframe wisely and start (if they have not already) devoting a sufficient amount of time and resources to the implementation process.

Payments & Open Finance

2024 will also be a very important year for the payment services industry in the EU, which is about to experience a quite significant and long overdue regulatory reform. Delivering on the promises it made in September 2020 as part of the EU Retail Payments Strategy, the EU Commission published on 28 June 2023 a package comprised of the legislative proposals for the Third Payment Services Directive (PSD3) and the very first Payment Services Regulation (PSR).

PSD3 & PSR

The PSD3 and PSR proposals shall bring important changes to the existing payment services regulatory framework based on the Second Payment Services Directive (PSD2) that will include (among others):

  • Merger of the PSD2 and the EU framework on e-money based on the Second E-Money Directive (EMD2) into one single rulebook for payment and e-money services;
  • Further harmonisation of existing definitions of the scope of application of the payment and e-money services regulatory framework and relevant exclusions that will be placed now in the directly applicable PSR (leaving no space for Member States to stipulate deviations from the EU standard at national level);
  • Further harmonisation of conduct and operational requirements applicable to payment and e-money institutions combined with harmonised customer protection and improved anti-fraud requirements;
  • Improvement of the open banking framework and PSD2 framework on strong-customer authentication, bringing helpful clarifications for both regulated entities as well as technical service providers that are operating in the payment services sector in the EU.

To see more on the proposed changes that PSD3 and PSR will bring see our dedicated article.

As we move deeper into 2024, the PSD3 and PSR proposals have started making their way through the EU legislative process: on 14 February 2024 the European Parliament’s Economic and Monetary Affairs Committee issued a press release in which it stated that it had adopted draft reports on PSD3 and PSR. The European Parliament is expected to vote on both of these documents during the first plenary session in April this year. The forthcoming EU elections may additionally prolong the legislative process and move adoption of the final texts to the second half of 2024, when the new EU Parliament will take its seat.

If adopted, the proposed changes under PSD3 and PSR are poised to further harmonise the EU payment services regulatory framework, primarily easing the cross-border operation of payment and e-money business that will be able to rely on more harmonised rules. Improvements of the open banking framework will also open the next chapter for the providers of open banking services as well as technology providers whose technology is underpinning the functioning of this framework.

Open Finance

Alongside these two proposals the EU Commission has also published a legislative proposal for a Regulation that shall create the very first regulatory framework on open finance, in the form of a Regulation on financial data access (FIDA Regulation).

The proposed FIDA Regulation has a very broad scope of application and will enable consent-based sharing of financial data between the regulated financial entities from almost every corner of the financial services sector (banks, insurance companies, payment institutions, investment firms etc.). Under the proposed rules, they will be able to exchange a variety of financial information (incl. information on mortgages, savings, investments, pensions etc.) aiming to enable: (i) easier and more efficient customer onboarding, (ii) better customer experience, (iii) creation of tailor made offers for customers based on the vast amount of their financial data that are currently unavailable for new service providers in the case when customer switches from one provider to another.

In addition, the proposed framework shall introduce a new type of authorised entities, the so-called financial information service providers (FISPs), that will be allowed to have access to customers’ data for the sole purpose of providing financial information service. The framework on FISPs largely aims to cover online platform providers whose business model is based on data exchange between regulated entities and customers that are looking to get information and offers from multiple regulated providers in one place (e.g. platforms enabling customers to see and compare offers from different regulated entities). To see more about the FIDA proposal, please check out our dedicated article “FIDA Regulation: A Glimpse into the Open Finance World”.

The EU Commission’s proposal to create the very first regulatory framework on open finance is a very ambitious move that can make the EU the very first jurisdiction globally where the heartbeats of the new fully data driven financial services industry will be felt. Further, this proposal will likely have a significant impact on the entire financial services industry that will need to develop technical infrastructure (at the EU level) that will enable:

  • the exchange of financial information in accordance with the new rules, and,
  • the use of financial information by financial institutions that shall become able to develop and offer new products and services that are designed in accordance with customers’ needs and preferences (since without this, the primary goal of the proposed framework will not be met).

That being said, it is quite noteworthy that the significance of this topic appears to be rather underestimated at the moment, probably due to the fact that the players in the payment services industry in particular are a bit more focused on the PSD3 and PSR proposals. On the other hand, it is to be expected that in the coming period we will witness the emergence of some new players coming predominantly from the tech space (like API providers) that will be eager to find their space in the new data driven environment and will highly likely start considering obtaining the new FISP license.

On the timeline, there is still a long way to go: the proposal still needs to be discussed as part of trialogue discussions, which may, like the PSD3 and PSR proposals, be influenced by the forthcoming EU elections. Nonetheless, due to the complexity of the proposed framework, primarily from an operational and technical standpoint, financial institutions should use this time wisely and start preparing for the implementation well in advance.

Reform of the AML framework

This year we also expect to witness a long-awaited finalisation of the legislative proposals published as part of the EU Commission’s AML package back in 2021 that are aimed to shape the new pillars of the EU AML regulatory framework. These include:

  • The AML Regulation (AMLR), the very first AML Regulation, setting out directly applicable AML/KYC requirements on obliged entities (incl. clear provisions on the scope of application and harmonised customer due diligence requirements);
  • The Sixth AML Directive (AMLD6), a directive largely aimed at ensuring more consistent and efficient supervision across the EU Single Market through national competent authorities;
  • The AMLA Regulation, a regulation establishing the very first EU authority responsible for supervision of compliance with the AML framework, the European Anti-Money Laundering Authority (AMLA);
  • A proposal for a new Transfer of Funds Regulation that revises the existing Regulation (EU) 2015/847 and introduces the FATF Travel Rule for crypto-transactions (this Regulation has already started to apply as of 30 December 2023).

Aiming to achieve further harmonisation of the existing AML rules, which are based on the EU AML Directives (as implemented into national law), these proposals bring a number of important changes that include (among others):

  • Extension of the scope of application to traders in luxury goods (incl. yachts, cars, airplanes), football clubs and associations and crypto-asset service providers regulated under MiCA Regulation;
  • Harmonisation of customer due diligence requirements that are now placed in the soon to be directly applicable AMLR and that will be further clarified through level 2 acts of the EU Commission;
  • Stricter requirements on beneficial ownership checks, based on the two-component assessment (ownership and control), which both have to be analysed as part of the customer due diligence process (after a lot of discussions, the beneficial ownership threshold is set at the expected 25%);
  • EU wide limit on cash payments of EUR 10 000 (with the new obligation for obliged entities to identify and verify the identity of a person who carries out an occasional transaction in cash between EUR 3 000 and EUR 10 000).

The EU Council and European Parliament reached a provisional agreement on the AML package on 18 January 2024 and the proposals are now to be officially adopted by both institutions. The new framework is expected to become operational 18 months after the official adoption and publication in the EU Official Journal of the above-mentioned legislative proposals. Alongside the developments around AMLR and AMLD6, the EU lawmakers are also making progress with the proposal for the AMLA Regulation, and on 22 February 2024 the members of the EU Council agreed that the seat of AMLA will be in Frankfurt, Germany, from where this new institution shall commence its supervisory tasks by the end of 2026.

The AMLR also introduces a possibility for obliged entities to use the European Digital Identity for the purposes of customer identification and verification of the customer’s identity. By way of background, the Commission proposed on 3 June 2021 a Regulation that will amend the e-IDAS Regulation and establish a framework for the European Digital Identity, a single digital wallet containing key identity information about the person that can be easily stored on mobile phones (in the form of an app). The European Digital Identity is intended to enable EU citizens and residents to store their key identity information in a digital wallet based on which they can easily (among others) open a bank account, file tax returns, rent a car, or prove their age. In 2024, we expect to see finalisation of this Regulation as well, bearing in mind the provisional agreement that the EU Council and the EU Parliament reached on the proposal back in November 2023.

To find out more about the EU AML package check out our dedicated article “The EU AML Package: Shaping the new pillars of the future EU AML/CFT framework” from September 2021.

And what about AI?

As the stock prices of the companies that are most active in the AI space continue to reach astronomical highs, in 2024 the C-level suite of companies across the board will not be able to afford keeping this topic anywhere other than at the top of their agenda. The financial services industry will be no exception: given that robo-advisors, digital wealth managers as well as algorithmic and high frequency trading systems that have been making headlines in recent years already function based on some type of machine-learning systems, the technology is not a complete novelty in the industry. Mindful of this, incumbent financial institutions are expected to continue exploring the ways in which AI could be deployed for the more efficient provision of financial services in the coming period.

Naturally, in this dynamic environment in which the entire industry is looking for new ways in which this new technology can be leveraged in the best way, innovative fintech companies can play a pivotal role. Securities trading, asset and wealth management as well as back office functions (like compliance, risk management etc.) are all fertile breeding grounds for the deployment of AI based systems.

But when it comes to regulation of the use of AI in the financial sector the picture is not as clear as in some other areas: the existing financial regulation in the EU is written in a rather technology-neutral way so that it can apply to a specific type of a regulated activity regardless of how the activity is being performed, in an automated or non-automated way (by taking the “substance over form” approach). With the aim of providing the industry with more clarity on this, the financial supervisory authorities in the EU, including German BaFin, French AMF and the Dutch National Bank, have been publishing some high-level guidance in which they have been largely emphasizing that financial institutions shall take a risk-based approach and ensure compliance with the existing regulatory requirements when using AI systems. In 2024 we expect to see finalisation of one important piece of EU legislation that will regulate the use of AI in particular: the EU AI Act. Announced as part of the EU Commission’s AI package in April 2021, the AI Act is a Regulation that the EU lawmakers are currently in the process of approving and that will introduce a comprehensive horizontal regulatory framework on AI in the EU. The AI Act will introduce a number of different obligations on providers, importers, distributors and users of AI systems and will apply to all sectors, public and private, including financial services.

The new regulatory framework will be of particular importance for financial institutions where they act either as a provider of AI systems (where they develop AI system with the aim of making it available on the market, or putting it into service under their own name or trademark) or as a user of AI system, where they use AI based systems whether their own proprietary systems or external systems based on a license from a third party. The AI Act differentiates between several groups of AI systems by introducing quite strict requirements for the so-called high-risk AI systems (e.g. used for assessment of creditworthiness or credit score) and transparency requirements for AI systems used for interaction with natural persons (such as chatbots). If you are interested to find out more about the use of AI in financial services and related regulatory aspects see our dedicated article: “AI in Financial Services: Embracing the new reality” as well as our special page dedicated to the AI Act.

When it comes to financial institutions, they will need to observe requirements applicable to high-risk systems in just a small number of areas (for instance when they use AI systems for the purposes of assessment of customers’ creditworthiness, staff recruiting or monitoring of staff performance). On the other hand, the use of AI systems for the provision of financial services like, for instance, securities trading, investment advice and portfolio management will rather be subject to compliance with some less onerous transparency requirements.

On 2 February 2024, the EU Council approved the latest draft text that is now expected to be presented to the EU Parliament for final approval in the coming months. As the AI Act is expected to (if approved on time) be published in its final version by the end of Q2 2024, the financial services industry is moving into the next phase when it comes to AI, which will largely consist of the preparatory work for the new regulatory framework on AI that is due to become operational in full 24 months after the publication date.

Stay ahead of the curve

In the coming period, as these legislative proposals find their way through the EU legislative making process, we will continue providing regular updates on them and explore their impact on the financial services industry. Stay up to date with our publications, webinars and forthcoming events that will address this year’s most important topics for the financial services industry at pan European level in more detail.

