5 th January 2016 EBF_018621

Transcription

1 EBF_ th January 2016 The European Banking Federation is the voice of the European banking sector, uniting 32 national banking associations in Europe that together represent some 4,500 banks - large and small, wholesale and retail, local and international - employing about 2.5 million people. EBF members represent banks that make available loans to the European economy in excess of 20 trillion and that securely handle more than 300 million payment transactions per day. Launched in 1960, the EBF is committed to creating a single market for financial services in the European Union and to supporting policies that foster economic growth. Website: EBF comments on the Commission public consultation on regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy Digitisation is changing many industries across the world, introducing new opportunities for innovation and competition and transforming the way we, as individuals and companies, operate. Banking is no different. While banking has been on a path towards digitisation for many years (starting with payments, several decades ago), it is the ubiquity of internet access and increased in speed, automation of technology that produces faster, smaller and cheaper technology such as smartphones and tablet computers that have dramatically accelerated the pace of innovation and change. European banks are key actors in the digital revolution, re-shaping their traditional banking activities to meet customer needs in terms of speed, availability and transparency. To do this, banks are employing innovative tools through close partnerships with other established Fintechs and innovative start-ups. Digital innovation is enabling banks to extend the value of the services they offer, to better integrate various processes and to offer tailor-made services. Regulation is another major driver of change, both enabling innovation and delineating what is possible for new products, processes and services. While not intended to stifle or create barriers to innovation, it can nonetheless constrain both the scope and speed of innovation as an unintended consequence. Innovation in mobile and digital services and new forms of customer communications have been significant. However, there is an inevitable dynamic and creative tension, between what is expected or enforced in legislation and regulation, and the speed of innovation. We encourage the Commission to focus on ensuring that regulation is fit for purpose and keeps pace with technological developments balancing the needs of customers, innovators, and investors, with overarching policy ambitions such as enabling innovation, consumer protection, financial stability and the prevention of financial crime. European Banking Federation aisbl 56 Avenue des Arts, B-1000 Brussels Phone: Website: - EU Transparency register ID number:

2 REGULATORY ENVIRONMENT FOR PLAFTORMS, DATA AND CLOUD COMPUTING The digital agenda ignores frontiers. In this respect, EU players are at substantial disadvantage compared to their US counterparts partly due to differences in regulations. For instance, it must be noted that certain data localisation and data privacy restrictions do not apply to the latter as US players can store personal data on clouds on a worldwide basis without the need to anonymise data with tokenization techniques. Obviously, such as situation will not positively contribute to the overall digital development of the EU industries not to their competitiveness in terms of the digital aspect of their services. EU industries which rely on data processing performed on a large scale and on a daily basis such as the banking industry need to operate in a stable, predictable, and well-balanced legislative space which enables an effective and - at the same time - responsible use of new digital technologies. While it is clear that the ambitious aims of the digital agenda and the means to achieve them should be made in full accordance with the EU regulatory environment - especially in areas of data protection such an environment should not impose unnecessary burden on industries that need to compete with US players enjoy less restrictions. For instance, it should be noted that, in many aspects, data location restrictions present a serious obstacle to business as they practically affect the effectiveness of data flows as well as impose a number of technical and organizational constraints on companies that are not necessarily best practices. EU stakeholders also face major restrictions on the processing of personal data: one of the main benefits of going digital is the possibility for companies to offer tailor made services, anticipate customers needs in a seamless way based on their digital behaviour. The new General Data Protection Regulation (GDPR) is very likely to prevent European players from making use of the full benefits of digitalization as well as limit their ability to meet their customers expectations. DATA 1. Data is playing an increasingly important role in the digital economy enabling innovation, creating new business opportunities, bringing benefits to consumers and driving economic growth. It is therefore important to ensure that an appropriate, fair and consistent regulatory approach is developed. 2. At present, the use and processing of personal data is governed by the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. However, having in mind the long-time perspective, it must be remembered that recently an agreement was reached between the Commission, Council and the European Parliament on the Data Protection Reform Package. Forming part of it, the General Data Protection Regulation (GDPR) will undoubtedly rewrite the data protection regulatory framework in all EU Member States. As it is often underlined, the new data protection regime set out in the GDPR aims at enhancing the level of personal data protection by Page 2 of 5

3 updating and modernizing the rules set out in the currently applicable Directive 95/46/EC in accordance with the demands of the 21 st century digital economy. In that context it should be underlined that the GDPR is thought to be one of the key elements of the Digital Single Market, as it also aims at improving business opportunities. Having in mind the above, it must be remembered that the aim of enhancing the level of individuals personal data protection should not jeopardize another important objective that of improving the business opportunities for companies operating in the Digital Single Market environment. Although at this stage it is difficult to fully assess the impact of the GDPR on businesses (the Data Protection Reform Package still waits for final and formal adoption by the Council and the European Parliament; moreover the GDPR will apply 2 years after its formal adoption by the Council and the Parliament), it is very important to understand that the GDPR will impose a number of significant obligations on banks, which in some aspects may prove to be an obstacle to the full use of the digital economy. 3. Businesses innovating in the digital economy would benefit from a risk-based approach to regulation, with controls proportionate to the operation or transfer in question. Unfortunately, the new regulatory framework will be more restrictive and will involve greater compliance costs, increased red tape and consequent delays in bringing new products to market. We therefore attach an annex to this submission setting out some of the relevant changes of relevance to the digital economy that the GDPR will make to data protection rules. 4. We would emphasise the importance of ensuring that the GDPR strikes the right balance between appropriate consumer protection and enabling businesses in the digital economy to operate and innovate. 5. It is becoming common for businesses to use data hubs and cloud services to store data, as well as using service providers from around the world. This can be a simple outsourcing arrangement or a means to centralising the data of multinational institutions. These solutions provide benefits such as enhanced security and improved data integrity, quality and access. 6. Chapter V of the GDPR places limitations and controls on the transfer of data outside of the EU. Such transfers can take place on the basis of the Commission s adequacy decision or by way of appropriate safeguards (including binding corporate rules) or can fall under the scope of specific derogations. The inclusion of binding corporate rules in the GDPR as well as other safeguards has been helpful for many types of data transfers outside of the EU. However, it should be noticed that, in some situations, Chapter V of the GDPR is likely to increase the difficulties faced by Companies involved in transferring data in order to comply with requests from third country courts of Regulatory Authorities. Page 3 of 5

4 7. In addition, the recent decision of the European Court of Justice invalidating the Safe Harbor framework has created significant uncertainty for firms in the EU. Those relying on Safe Harbor to permit certain data transfers to the USA are clearly affected, needing to find an alternative basis for transfers outside of the EEA. However, even firms relying on other mechanisms, such as model contracts, are impacted due to the implied risk that these too could be struck down at some point. Therefore, we urge the Commission to settle an international Safe Harbour agreement with those countries that share common values such as the US, in order to allow data transfers in a legal and secure way. 8. Data breaches are becoming an important matter when dealing with personal data or economic data losses. It is highly important that the new General Data Protection Regulation enables private and public companies to share incident information in a proactive and reactive way. The financial sector has demonstrated its capacity to share information in a secure manner in order to prevent fraud but the new GDPR is bound to disable the right to share certain personal information such as an IP address of a botnet created to foment a phishing campaign. SECURITY OF ONLINE INTERMEDIARIES The backbone of e-commerce is payments: without trust in payment methods, consumers and merchants are simply not ready to make or accept online payments and hence, purchase and sell goods and services. The pivotal importance of trust and security in payments should be considered when new payment products, services and providers are introduced into the market. In this respect, the greater the number of parties involved in a payment transaction, the bigger the opportunity risk of social engineering and phishing attacks, unless the appropriate controls are in place. Legislation should support and encourage innovation and open up avenues for new services aimed at increasing consumer convenience, while, at the same time, ensuring an adequate level of security, consumer protection and the required trust. It makes sense to open markets when innovative products and services are being offered by new players, provided: Everyone is subject to the same rules and liability regime; and The security level of payments is not weakened by alternate policy aims. The revised Payment Services Directive (PSD2) allows Third Party Providers (TPPs) to act as intermediaries in payment services. TPPs can initiate payments on behalf of customers or aggregate payment account data from several accounts. It is important to ensure that this type of service does not become a weak link in a transaction chain for a number of reasons. Not only to protect the consumer, but to also protect the integrity of other payment service providers. In the case of massive fraud, consumers would Page 4 of 5

5 rapidly lose faith in all payment methods, be they offered by banks or by payment institutions. The new requirements laid down by PSD2 are complex. The European Banking Authority (EBA) has been given the task of creating Regulatory Technical Standards (RTS) to facilitate this new ecosystem. The industry will work positively and constructively with the EBA to ensure these RTS establish an environment that is safe and secure for customers and also conducive to innovation and competition. To ensure adequate security and consumer protection we feel particular attention will need to be given to, for example, the issue concerning whether customers should share their credentials with any third party. The PSD2 text is not completely clear on the requirements here: on the one it hand it seems to suggest customers can share their personal credentials (e.g. username and password) with TPPs; on the other, it suggests it is the responsibility of account servicing payment service providers (ASPSPs, e.g. banks) to keep these credentials safe. Pascale-Marie BRIEN Senior Policy Adviser Page 5 of 5