EU Banking Authority reports on fintech banking and payments licensing regimes across Europe


On 18 July 2019 the European Banking Authority (EBA) published a report on the EU regulatory perimeter, national regulatory status and EU national regulators' (NCAs') authorisation approaches for fintech firms conducting banking and payment services in the EU market under Capital Requirements Directive IV (CRDIV), Payment Services Directive 2 (PSD2) and Electronic Money Directive 2 (EMD2).

As with ESMA's similar recent report¹ of 12 July 2019, the EBA is delivering on its action points in the European Commission's FinTech Action Plan² to map current EU authorisation and licensing approaches for innovative fintech business models.

The EBA report highlights a move by fintech firms away from non-regulated to regulated activities since the EBA's 2017 FinTech Discussion Paper³ – with payment initiation services and account information services now subject to PSD2 – and also the provision of unregulated services by a growing proportion of fintech firms.

Crowdfunding and cryptoasset activities are referenced in relation to their separate EU workstreams, crystallising in the proposed EU Regulation on crowdfunding service providers⁴ and the EBA's January 2019 cryptoassets report⁵.


EU NCA surveys

The EBA surveyed NCAs on the three areas of (i) national developments impacting the regulatory perimeter, (ii) national regulatory status, and (iii) authorisation approaches involving the application of proportionality and flexibility in licensing practices – with NCA responses up to date as of 22 March 2019.


Fintechs: national developments impacting the regulatory perimeter

Very little national Member State legislative activity has served to extend the regulatory perimeter of NCAs within the EBA's remit. Only Malta reported the adoption of national rules impacting the regulatory perimeter relating to fintech firms, impacting cryptoassets in the form of its Virtual Financial Asset Act of 1 November 2018⁶. The EBA will continue to monitor this area.


As regards crowdfunding, the EBA notes that the draft EU Regulation on crowdfunding service providers currently being considered by the European Parliament and the Council is aimed at levelling the playing field for those crowdfunding service providers operating cross-border. But the EBA proposes additionally introducing harmonised consumer protection and anti-money laundering and counter-terrorism financing (AML/CFT) rules for all crowdfunding service providers, regardless of whether their activities are cross-border or domestic, for consumer protection and EU AML/CFT control purposes.


Fintechs: national regulatory status

The EBA surveys aimed to gain a better understanding of the type and nature of the growing proportion of unregulated fintech activities and services, so as to assess any potential gaps in the regulatory perimeter.

Responses included regtech firms using machine learning and big data analysis, platform-based marketplace services, intermediation services, comparison services, and apps and software supporting or underlying compliance, identity verification, mobile wallets and payments.

Cryptoasset and crowdfunding activities apart, the EBA concludes that these activities are broadly ancillary in nature or relate to non-financial business areas which fall outside the regulatory perimeter. The EBA will continue to monitor this area.

Fintech authorisation approaches under CRDIV, PSD2 and EMD2

NCAs' feedback suggested their broad use of proportionality and flexibility via risk-based approaches to fintech authorisation – with their assessments calibrated to take account of fintech applicants' size and complexity, organisational structure, nature, scale and complexity of services provided, and risks and turnover envisaged.

Examples of PSD2 proportionality and flexibility principles as applied to fintech firms

Principles of proportionality and flexibility are set out in PSD2 and also specified in the EBA’s PSD2 Guidelines on authorisation and registration⁷, regarding e.g. governance arrangements. In addition, 19 NCAs reported having published their own guidance on the authorisation process, with 4 NCAs in the process of finalising theirs.

The EBA reports on NCAs' PSD2 supervisory practices in relation to the Member State option under Article 32 for smaller payment institutions, the exemption for the providers of account information services offering only that payment service, and specification of different levels of capital requirements depending on particular services provided.

Examples cited in the report relate to NCAs' application to fintechs of a proportionate approach to the requirements for internal controls, including the Compliance function or AML processes, the assessment of shareholders, and the outsourcing of some functions. Several NCAs permitted outsourcing of internal control functions including Compliance, while another reported that fintechs' greater use of outsourcing and cloud services, compared with traditional institutions, led it to focus on the outsourcing risks of fintech applicants.

The EBA flags that its new Guidelines on outsourcing arrangements will apply from 30 September 2019 and that firms are expected to be compliant⁸.

One NCA reported that it lowers prudential requirements for fintechs under certain thresholds. Another required firms with highly automated processes and few personnel to specify only the framework of the process without having to provide further details of those employees in charge of its control mechanisms. A third explained that, in the case of money remittance services provided through a very limited network of 2 agents, the requirement for an in-house internal auditor might not apply. In relation to AML, an NCA required money remittance providers simply to incorporate AML provisions into their internal policies, while mandating institutions operating payment accounts or issuing payment instruments to set up more sophisticated systems to record access to payment accounts and transactions made on the accounts (including failed sign-ins).

CRDIV diverging authorisation conditions, restrictions and limitations increasingly applied to fintechs

The EBA also asked NCAs about any conditions, limitations and restrictions which they attach to fintech licensing, prompted by the absence of specific guidance in the EU legal framework and the reliance on national law for this purpose. Its survey results show 16 NCAs imposing varying pre- and post- authorisation conditions and metrics on licences granted to fintechs e.g. changes to applicants' legal structure or constitutive documents, or limits on their deposit-taking or loans. In light of these different approaches – and concerned about ensuring a level playing field – the EBA proposes developing guidelines for a common assessment methodology for NCAs granting CRDIV authorisations.

The EBA has already developed regulatory technical standards on the information to be provided by CRDIV applicants, the requirements applicable to shareholders and the obstacles that may prevent the effective exercise of supervisory functions, as well as implementing technical standards on standard forms and procedures for the provision of information⁹. Both sets of standards have been submitted to the European Commission for endorsement and are not yet in force. The European Central Bank (ECB) and various non-Banking Union countries also reported having published their own guidance on the CRDIV authorisation process, with some NCAs publishing additional fintech-specific guidance.

Examples of growing areas of scrutiny picked up in the EBA report include:

  • CRDIV Article 10 Programme of Operations: This requires applications for authorisation to include a programme of operations setting out the type of business envisaged and the structural organisation of the credit institution. The ECB reported its own high level of scrutiny of those submitted with applications involving novel or highly complex activities. The ECB also reported uncertainty over fintech credit institutions' business projections and capital requirements due to difficulties in forecasting the number of customers, level of sales and future level of external funding. Because of this, the ECB encourages fintech bank applicants to prepare an exit plan in order to identify how they can cease business operations on their own initiative, in an orderly and solvent manner without harming consumers, causing disruption to the financial system or requiring regulatory intervention. The ECB also requires fintech applicants with highly innovative technology to have specific controls in place to address the related risks.
  • CRDIV Article 12 Initial Capital: The ECB views the start-up phase of an innovative fintech credit institution as posing a greater risk of financial loss, and assesses whether the applicant can demonstrate that it is able to hold in reserve sufficient capital to cover start-up losses in the first three years of activity and, where applicable, the costs associated with the possible execution of an exit plan. CRDIV provides for a national option allowing Member States to authorise categories of credit institutions whose initial capital is less than EUR 5 million and above EUR 1 million. NCAs using this option do not distinguish between traditional and innovative fintech business models but two NCAs reported having authorised fintech credit institutions under it (including a digital-only retail bank).


Fintech marketplace activities: challenges posed by innovative business models to the current EU framework

The EBA views deposit marketplace activities (i.e. platforms enabling customers to place deposits with credit institutions at various interest rates across Europe) and the current growth of other innovative forms of fintech marketplace activities and the expansion of these business models to areas such as non-performing loans, as posing a challenge to the regulatory perimeter. Accordingly, the EBA will be monitoring the appropriate level of regulation in relation to fintech marketplace-related activities.


What does this mean for market participants?

The EBA does not consider it necessary to propose any specific recommendations at this stage. While CRDIV and PSD2 principles of proportionality and flexibility are applied in the same way by NCAs regardless of business model or delivery mechanism, the EBA will nonetheless continue to monitor whether PSD2- and EMD2-regulated fintech applicants are fast-tracked in any way. It will also assess, in relation to fintech applicants, EU Member States’ implementation of the national option relating to CRDIV Article 12(4) allowing EUR 1 million in lower initial capital, which its NCA survey results show has already been used for 6 credit institution applications across the EU.




1 and EBA's 18 July report at
2 and EBA March 2018 FinTech Roadmap at


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP