A senior official at De Nederlandsche Bank (DNB) highlights the third-party risks facing the payments industry. Meanwhile, Italy’s deputy central bank governor says PSD3 needs to fix regulatory harmonisation to truly unleash the market's disruptive potential.
Across the continent, from the UK to Lithuania, there is a sense that regulators feel the payments industry honeymoon is over.
Whereas once regulators seemed keener for the industry to grow and challenge traditional players, there now appears to be a concern that the industry is failing to take seriously its compliance obligations.
Steven Maijoor, an executive director at the DNB, echoed this in recent sentiments to the payments community.
“Payment institutions use third parties to deposit their clients’ funds for safekeeping, and here lies a risk, or at least a responsibility,” he said. “The responsibility to monitor the creditworthiness of that third party.”
Maijoor continued to state that the DNB’s thematic examination on safeguarding revealed that a number of payment institutions are “unfortunately” carrying this out inefficiently.
“What’s more, when drafting risk analyses, some payment institutions pay too little attention to the operational and financial risks of the third parties they rely on,” the central banker said.
Safeguarding has become a pertinent issue for the regulation of payments institutions in Europe.
For example, last year, the European Banking Authority (EBA) proposed that the European Commission clarify that funds held by electronic money institutions and payment institutions in safeguarding accounts are protected by the relevant deposit guarantee scheme (DGS) in the event of the bank’s failure.
Meanwhile, the UK government has also said that the current safeguarding regime is ambiguous and is using the Future Regulatory Framework Review to shore up standards.
“It goes without saying that what happened to Silicon Valley Bank was the result of poor risk management, and what happened, seriously damaged trust in the financial system,” said Maijoor. “You don’t want that, and we don’t want that, so an important part of our supervision focuses on the way you work with third parties.”
For Maijoor, this includes monitoring and mitigating the risks that come with working with third parties — be it a cloud service provider or an IT vendor. “But our supervision also focuses on the way you manage financial exposures, and certainly on how you select banks to deposit your customers’ funds.”
Maijoor also aligned himself with other regulators by criticising the payments’ industry’s failure to get up to standard on financial crime compliance.
“At De Nederlandsche Bank, we are very aware of the investments your industry has already made to guard your gate, but unfortunately, we also know that some in your sector are still lagging behind,” he said.
“That in too many cases, basic housekeeping to mitigate these important risks is still insufficiently organised. To those of you to whom this applies, we expect more from you.”
PSD3 gets closer
In another speech, Piero Cipollone, deputy governor of the Bank of Italy, shared his thoughts on what is necessary to modernise the EU’s payments regulation.
“PSD2 has been a landmark, and it has brought about greater harmonisation and competition in payment services,” he said, while speaking at Roma Tre University.
For Cipollone, however, two more issues need to be resolved for players to be able to “claim the creation of a single EU retail payments market”.
“We need to complete the job and thereby allow innovation to be as disruptive as it was meant to be in PSD2 and to embed in the regulation the dramatic changes in the technological landscape since PSD2 came into force,” he said.
The lack of full harmonisation and complete application of the rules across member states is an issue, he pointed out, adding that the payment services framework still needs to be fully aligned with other EU policies and legislation.
In particular, these are the General Data Protection Regulation, the Electronic Money Directive and the Market in Crypto-Assets Regulation.
“The cost of payment services is the second obstacle,” he said, suggesting that this can be further reduced by fostering stronger competition within and across member states, while third, the role of technological providers, including bigtechs, in the payments sector still needs to be clarified.
For Cipollone, the new technological landscape offers many opportunities to develop new payment solutions that can improve general welfare.
“Whether this potential will be realised or not depends on the way we design PSD3,” he said.
“However, because of the new technological infrastructure underlying the payment ecosystem, we cannot proceed with the same mindset that guided us in the past.”
On the contrary, regulators need to be creative and to approach the drawing board with three pillars in mind: how to solve the eternal question of whether to regulate entities, activities, or both; the fact that the whole ecosystem is evolving continuously and swiftly; and the need to promote public-private partnerships aimed at designing pro-innovation regulations.
Although Cipollone and Maijoor’s interventions are different, they show how much is up for grabs as Brussels toys with what to change in its regulatory approach to payments.
While Cipollone focuses on the need to align with current regulatory frameworks and get up to speed with technology, Maijoor’s focus sits in the present and echoes the issue that many European regulators are facing.
Many payments institutions are still in start-up mode and may not be doing enough to get themselves up to standard with compliance requirements, including money laundering mitigation or protecting customer funds.