Will Banks shift some Product Oversight obligations to Fintechs after PSD2?

AAEAAQAAAAAAAAl9AAAAJDA4ZDk4MmNjLTNhMTYtNDQ0MS1hZTUxLWNjN2Q2NzBkODQ5Zg

The European Banking Authority (EBA) has developed Guidelines (GL 18) that deal with the establishment   of   product   oversight   and    governance arrangements in regulated service providers.  The Guidelines apply to both “Distributors” and “Manufacturers” of financial products.   These oversight and governance arrangements must become an integral part of the internal control systems of regulated providers.

All of the main types of mass-market financial products are captured by the Guidelines.  Mortgages, Unsecured Credit, Deposits, Payment Accounts, Payment instruments, Bankers’ Drafts and Electronic Money are all within scope.   All the significant types of mass-market providers are in scope: Credit Institutions, Payment Institutions and Electronic Money Institutions. Consumers are explicitly in scope of the Guidelines, but the EBA has invited Competent Authorities in EU Member States to consider extending the same protections to micro-enterprises and SMEs.  These Product Oversight and Governance arrangements will be in force from January 3rd, 2017.

A Distributor is described by the Guidelines as a firm that “offers and/or sells the product to consumers; this includes business units of manufacturers that are not involved in the designing the product but are responsible for bringing   the product to the market”. 

A Manufacturer is described by the Guidelines as a firm that “designs (i.e. creates, develops, combines or significantly changes) products to be offered to consumers or who is involved de facto in the design of the product”.   From January 2017, established will have Manufacturer status for many hundreds of products being used by their customers.

PSD2 in Plain English (Payments Landscape
for Non-Specialists) (Volume 1)

What sort of “Overlay” Services might we see from ’s after PSD2 and will the Fintechs be classed as “Distributors” or “Manufacturers”?   We will probably see Consumer services (either PISP or AISP) that integrate with social media. Venmo in the US is a good example but social media giants like Facebook could also fill this role. Venmo uses the Card networks in the US but the SEPA platform could be very attractive after PSD2. 

Services like these can be classed as “Manufacturing” i.e. Venmo or Facebook “designs (i.e. creates, develops, combines or significantly changes) products to be offered to consumers or who is involved de facto in the design of the product”.  This new type of API-enabled product manufacturing seems also likely to evolve in the SME market segment.  If a firm like Xero integrates a PISP and/or AISP service into the Cloud Accounting solution for its EU clients, it is also creating, developing, combining and significantly changing financial products to be offered to SME customers.   In API Economy, Facebook, Venmo and Zero will be Manufacturers of composable and API-enabled financial solutions, not mere Distributors of bank accounts.   The product  oversight and governance arrangements required by EBA will land squarely on these newly regulated providers.

The Manufacturer is required to establish, implement and review effective product oversight  and governance arrangements. The arrangements should aim, when products are being designed and brought to the market, (i) to ensure that the interests, objectives and characteristics of consumers are taken into account, (ii) to avoid potential consumer detriment and (iii) to minimise conflicts of interest. 

The Fintech as Manufacturer will be required by EBA Guidelines on Internal Governance (GL 44) to have in place a well-documented new product approval policy (“NPAP‟), approved by the management body, which addresses the development of new markets, products and services and significant changes to existing ones. The NPAP should cover every consideration to be taken into account before deciding to enter new markets, deal in new products, launch a new service or make significant changes to existing products or   services.  The Fintech’s NPAP should set out the main issues to be addressed before a decision is made. These should include regulatory compliance, pricing models, impacts on risk profile, capital adequacy and profitability, availability of adequate resources and adequate internal tools and expertise to understand and monitor the associated risks. The decision to launch a new activity should clearly state the individuals responsible for it. A new activity should not be undertaken until adequate resources to understand and manage the associated risks are available.  All actions taken by the Manufacturer in relation to the product oversight and governance arrangements should be duly documented; kept for audit purposes and made available to the Competent Authorities upon request.

Will all of the red-tape that lands on a large and broad Bank land on a small and narrow Fintech?  The intention is that it should not.  The EBA’s GL18 requires that product oversight and governance arrangements should be proportionate to the nature, scale and complexity of the relevant business of the Manufacturer. The implementation/application of the arrangements should have regard to the level of potential risk for the consumer and complexity of the product.

What does this mean in practical terms for the API-enabled Fintech?  EBA Guidelines 25, 26 and 28 of GL44 probably sets out this hurdle.  While a Bank will need to have a Risk Control team that is comprehensive and independent, a Fintech will certainly need a staff member with this specific responsibility.   This person should provide relevant independent information, analyses and expert judgement on risk exposures, and advice on proposals and risk decisions made as to whether they are consistent with the Fintech’s risk tolerance/appetite.  This Fintech employee is explicitly permitted by EBA Guidelines to also have a Compliance role, if the nature, scale and complexity of the Fintech business allows.   While a broad and large bank will need a permanent and effective Compliance Team, in smaller and less complex institutions this function may be combined with or assisted by the risk control or support functions (e.g. HR, legal, etc.).

In crude conclusion, banks can avoid a lot of Product Manufacturer oversight overheads if they scale back on the size of their “own brand” applications suite. If a bank shrinks to a smaller core of own-brand products and services, it can engage with the market on less important products through API Developers.  The new players that emerge to use PSD2 APIs in composable financial services will be designated “Manufacturers” within the regulatory regime. 

Of course, these new players are introducing potential rival brands into the consciousness and activities of banks’ existing clients. However, the threats being posed by these potential rivals are limited if these new Manufacturers do not hold a Credit Institution license.  A Payment Institution or eMoney Institution cannot offer credit nor take deposits.    In the API Economy, banks could find that they can grow their balance sheets by being loosely coupled to these new overlay services through APIs.  This growth could come without the product oversight and governance overheads that arises when a bank grows by selling directly under its own brand.


[linkedinbadge URL=”https://www.linkedin.com/in/paulrohan” connections=”off” mode=”icon” liname=”Paul Rohan”] , the author of this post, is also author of “PSD2 in Plain English”.

PSD2 in Plain English (Payments Landscape
for Non-Specialists) (Volume 1)