Our FinTech Perspectives series, will explore the content, potential, and shortcomings as well as the areas that require further clarification in this important field of European legislation on digital transformation in the financial services sector.

Europe’s digital agenda

Within its overarching plan to Shape Europe’s Digital Future, The European Commission is determined to make the lead-up to 2030 Europe’s Digital Decade. This ambition has, aside from activities in other fields, resulted in an outpouring of legislative initiatives. The great majority of these initiatives aims to get an ever better handle on our digital reality to date. These legislative activities in more established fields of digitalization include:

• the implementation into national laws of the EU Directives on Digital Content as well on  Modernization of Consumer Protection – the former addressing B2C contracts for the supply of digital goods and services, and the latter invigorating consumer rights in e-commerce;
• the consultation on the Digital Services Act as well as on the Digital Market Act, both of which are intended to provide an up-to-date framework for the operation of internet platforms and to replace the 20 year old, veteran e-Commerce Directive;
• the presentation of a Data Governance Act as part of the Commission’s European Strategy for Data – intending to create a uniform ecosystem for the handling of all personal and non-personal data;
• the adoption of a Cyber Security Strategy that sets the framework for the protection of EU citizens and businesses against cyber threats and that promotes information systems that are both, open and secure;
• the propagation of industry specific initiatives, such as the draft Regulation on Digital Operational Resilience for the Financial Services Sector that aims to bolster trust in the technology systems of financial service providers and has proposed that significant providers of those systems come within the ambit of the financial services regulators.

For all of these, the European legislator needs to reconcile its desire to support technology and business innovation on the one side with the necessary protection for individuals and business in the EU on the other side. Getting this balance right is vital for the success of each of those initiatives. It is also a relevant foundation for additional regulations that aim to address new digital technologies that will change markets even further.

New digital technologies

These new digital technologies are in particular, in the Commission’s view, quantum computing, distributed ledger technology (DLT) and artificial intelligence (AI). Among those, quantum computing is still distant from any relevant application in practice. Accordingly, the Commission’s  Quantum Strategy focuses predominantly on research & development to promote technology advancement in this field of computing. Any legal regulation for quantum computing needs to wait until its application takes further shape. Once it materializes, it will probably require a re-write of many parts of the digital legislation as its computing power may transform current e-commerce, cyber security and blockchain systems.

DLT and AI are at a different place. They have taken off already. Among the industries affected, financial services deserve a special place. The effects of both technologies on finance are considerable. Just two examples to illustrate this point:

• DLT (and the blockchains it enables) has permitted the creation of cryptographically secure tokens which represent assets in their own right and, unlike most other digital items, may not just be a representations of something that exists already elsewhere. They can be traded and managed by its participants, without necessary intermediation by any third party institution. They can be used as means of payment or reward in any automated system, including smart contracts, enabling decentralized applications and decentralized organizations. Taken together, they create an ecosystem that differs quite significantly from anything that had been there before.

• AI performs in finance new ways of risk evaluation, prediction modelling, credit rating and quantitative trading, to name just a few examples. It ushers in a new area of asset management. On the back of (typically) machine learning enabled data analytics, it reaches conclusions and makes recommendation that are not fully predictable and still ought to be smart. These conclusions and recommendations are machine produced – and cannot directly be attributed to any human person. Their decision-making-process cannot be deciphered retroactively - as it is the result of the AI’s self-learning abilities. The opaqueness of the process and the unpredictability of the outcome will have its impact on the way we look at, among others, responsibility, liability and risk prevention in asset management and elsewhere.

The EU legislator needs to be commended for having understood the profound impact cryptoassets and AI are about to make – as well as for the attempt to create a comprehensive legal framework for them. Still, more work needs to be done. A number of open issues have to be addressed and a number of assumptions still need to be revised. We will deal with these open issues and questions in future issues of FinTech Perspectives. Some of the most relevant questions shall be flagged already here.

MiCA

The draft Regulation on Markets in Crypto-Assets (MiCA) of 24 September 2020, is part of the EU’s Financial Package which also includes a Regulation for a Pilot-Regime for DLT based Market Infrastructure. MiCA provides a legislative framework for all cryptoassets that are not regulated elsewhere – such as financial instruments under MiFID II or e-money under the E-Money Directive. It establishes varying levels of requirements for different cryptoassets, depending on the risk they create for the market overall and individual market participants in particular. The current version of the draft raises a number of questions, which we are going to explore in more detail, such as:

• Is it really appropriate to take all cryptoassets that qualify as either financial instruments or e-money under existing EU legislation out of MiCA’s scope of application? Does MiCA’s subsidiary nature correspond to the specific and somewhat unique legal challenges that are common to all blockchain based assets?
• Is there an over-regulation for cryptoasset service providers, making it unattractive to operate these activities in the EU? Will that create a competitive disadvantage vis-à-vis those countries that take a more flexible approach?
• Is the balance right between the detail of regulation for some tokens, such as stable coins, on the one side and some other tokens that are hardly specified at all, such as currency or non-fungible tokens?
• Is it justified to exempt non-fungible tokens (NFTs) from most of the relevant duties? Does this ignore the specific crypto qualities that NFTs possess?
• Can any regulation of blockchain technology be complete without addressing the system that it creates, a system that enables all sorts of decentralized applications, including decentralized finance (“DeFi”)?

AI Regulation

The draft Regulation on Artificial Intelligence of 21 April 2021, has an extremely broad scope of application, both geographically (all AI that has an impact in the EU) and in terms of the types of AI covered (all forms of machine learning and also any algorithms that use certain types of logic/statistic/etc. approaches). It prohibits some AI (such as for certain real time biometric recognitions or social scorings) and qualifies other as “high-risk AI” (covering a wider range of product components and applications, such as credit worthiness evaluations). The Regulation’s main focus is to regulate this high risk AI, imposing a wide range of transparency, diligence and documentary requirements. Among the questions that this draft regulation raises are:

• Are the comprehensive obligations imposed on AI providers putting European business in a competitive disadvantage in comparison to those in all other regions – none of which provides for such a set of stringent and comprehensive requirements?
• Is there an under-regulation with regard to most pressing legal question relating to AI: who is responsible if something goes wrong? How should and adequate liability scheme look like?
• Where to draw the lines to all the other regulations that provide for product safety of compound products that include AI?
• Does the wide geographic application make sense? Does it create a workable framework to enforce the wide ranging obligations under the Regulation?

We will pick up on those and other topics in future issues of our FinTech Perspectives.

Authored by Leopold von Gerlach and John Salmon