The rise of financial technology (fintech) is rapidly changing the financial services industry, in the U.S., in the U.K. and elsewhere. But with the rise of fintech also has come increasing regulation. Among the regulatory regimes applicable to fintech sector is the EU’s Payment Services Directive (PSD), designed among other things to provide certain consumer protections. A Revised Payment Services Directive (PSD2) came into force on January 13, 2018. In the following guest post, Karen Boto, a Legal Director at Clyde & Co law firm, takes a look at PSD2 and considers that insurance challenges the revised regulatory regime presents. A version of this article was previously published as a Clyde & Co client alert. I would like to thank Karen for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Karen’s article.

**************************

In recent years the financial technology (fintech) sector has become one of the fastest growing sectors in the UK. From alternative crowdfunding, cardless payment processing, peer-to-peer expedited lending, social trading networks to financial robo advisers, the fintech industry has introduced innovation to financial transactions where banks have been slower to expand.

With fintech start-ups challenging the traditional banks, by offering cheaper and quicker digital online services, consumers now have more choice than ever when it comes to managing their personal finances.

The recent introduction of new European regulations has also strengthened the industry’s position.

In addition to the EU’s General Data Protection Regulation (GDPR), which allows citizens to control the use of personally identifiable data, the Revised Payment Services Directive (PSD2) creates opportunities by requiring financial institutions to share consumer information with third parties, when they are directed to do so.

These new changes, coupled with the continued rapid pace of technology advancement, could soon propel us into a new era of “Open Banking”.

What is PSD2? 

PSD2 came into force in January 2018. Whilst the primary purpose of PSD2 is to increase efficiency in the payments industry, by promoting greater transparency for international payments and eradicating hidden fees, PSD2 has the ability to transform how consumers spend their money in future.

PSD2 encourages competition in the financial services sector, by allowing greater participation in certain areas by non-banks, such as fintech companies, for the first time. As well as creating further opportunities for existing third party providers, PSD2 paves the way for the creation of many more.

In particular, PSD2 has identified a new type of third party provider in the form of Payment Initiation Service Providers (PISPs).

PISPs are businesses that initiate online payments (via, for example, in-app one click options) on behalf of the user, offering an alternative to the use of a credit or debit card or online banking. In other words, PISPs operate so that merchants can communicate directly with the bank, side-stepping the middleman and delivering a seamless and secure customer experience.

Perhaps of more significance, PSD2 has also identified a further category of third party providers: Account Information Service Providers (AISPs).

With the customer’s express permission, PSD2 forces financial institutions to share their account information, including payment history, spending habits and details of the companies frequently used by the customer, with authorised AISPs, who will aggregate financial information (from different sources) in one place.

AISPs can then convert the data into intelligence, allowing them to design and build applications and services to benefit the customer, such as 360 degree data dashboards, budgeting and price comparison apps.

PSD2, therefore, aims to provide a more open platform where consumers can start to embrace a modular and digital approach to banking.

Whilst the extended scope of PSD2 arguably opens the doors to fintech “disruptors”, who will no doubt look to offer consumers more convenient and flexible ways to manage their finances, it also presents opportunities for traditional banks. More recently we have seen fintechs also taking on roles as “facilitators” within the financial services industry.

With Open Banking creeping in and further regulations potentially being introduced soon, which aim to make digital life more human centric, this is likely to encourage more synergies between fintech companies and banks to ensure that they remain current and competitive.

The insurance challenges

All financial services companies, from large financial institutions to nimble fintech start-ups, are currently getting to grips with the opportunities and challenges that PSD2 creates.

Furthermore, new authorised third parties will be regulated by the Financial Conduct Authority (FCA), or an equivalent European regulator, and will appear on the FCA’s Register and/or the Open Banking Directory. It will, however, take time for all of the new providers to gain authorisation, and a transitional period will mean that some businesses do not have to be authorised until the end of 2019.

Firms will also be required to meet various necessary technical standards in order to operate under this regulation. This may lead to an increase in the demand for bespoke insurance cover.

Indeed, under PSD2, one of the Regulatory Technical Standards that must be complied with states that PISPs and AISPs will be obliged to purchase mandatory insurance cover which must satisfy the PSD2 guidelines laid down by the European Banking Authority.

The questions surrounding the scope and level of insurance that fintech businesses require is a topic that has provoked some debate within the insurance market. As with any emerging sectors, it will be largely governed by risks exposures.

However, as the majority of fintech companies are in their infancy, currently there is a lack of historical data around the litigation and regulatory landscape.  Furthermore, depending on the exact nature of the businesses, the exposures may differ considerably.

The risks

Fintech companies face a threat of liability from various sources. With some of the new business models emerging, the exposures of technology services and financial services are much more closely related than ever before.

Investors

Due to capital requirements, financing structures, and the rapid rate at which fintech businesses tend to expand, claims may arise at the start-up phase, or indeed continuously throughout that growth phase, including:

  • mis-representations made in private placement memorandums/Offering Prospectuses; and
  • merger and acquisition related litigation.

A fintech company can have the same growth in two years as a bank in 20 years.

Furthermore, because fintechs are typically trying to achieve something that has not been achieved before, the potential for failure is higher. Risks may therefore include:

  • inappropriate or inadequate pricing of the credit risk, leading to a lack of liquidity should investors want to exit their investment; and
  • bankruptcy and creditor claims.

Competitors / Intellectual property

In this fast moving environment, where being the first to the market is key, fintech companies may find themselves facing intellectual property claims, such as accusations from competitors asserting theft of trade secrets.

Employment related disputes 

Based on the need to attract and retain talent, employment related disputes may arise ranging from claims connected to poaching the small pool of skilled workers through to failure to hire/promote, discrimination claims, wrongful termination and so on.

Clients

For fintech companies servicing the financial industry, through the provision of professional advice, the potential for liability claims increases. Claims may arise from customers seeking compensation if a product fails and/or the advice given turns out to be inappropriate

Technology failure

There are, of course, a number of operational exposures to any fintech company. The most obvious being where there is a problem with functionality, such as a software flaw or server downtime, leading to the unavailability of an online platform. Such problems can cause huge disruption and immediate large losses.

 

Data breaches

Another concern for fintech companies concerns data breaches. Firms need to understand their responsibilities to protect their customers’ information. They must have knowledge of the sensitive information they hold, where it is held and, more importantly, how it is protected. They will be required to have solid systems in place to minimise loss and harm.

Computer crime/extortionists

The increase in social engineering and ransomware attacks create a more complex risk environment for any industry. By their online nature, fintech companies will have a greater demand for stronger cyber security. They will also need to ensure that their employees fully understand the nature and impact of financial crimes

Business Interruption

Whether it be as a result of a technical failure or a cyber/data breach, interruption may be caused to a business, if, for example, the platform or network upon which it operates is suspended. Such loss will typically be quantified by considering the detrimental change in a company’s profit and loss during the period of interruption, measured against projected levels.

Regulation

There is the additional complexity of regulatory risks, particularly for fintech companies regulated by the FCA. Firms will need to invest in comprehensive compliance and management systems. The financial and reputational risk of enforcement action to any business is severe.

Managerial liability (D&O)

As with any company, those with day to day control of the business, its policies, procedures and corporate governance, may find themselves on the receiving end of a claim from, for example, a disgruntled shareholder or creditor, the company itself or insolvency practitioners, for alleged wrongful acts.

Conclusions

As the fintech sector continues to develop rapidly, so too does the risk landscape. As such, there is a growing opportunity for insurers to support this emerging market.

Until recently, the insurance industry has struggled to provide cover for those in the fintech sector. This is due to the fact that the activities of financial service providers and technology companies have traditionally been underwritten by completely different divisions.

Whilst specific combined policies are now starting to be underwritten to cater for this market, which tend to offer protection against the significant risk of professional and managerial liability, regulatory actions, financial crimes, data/security breaches and technology failures, they are few and far between and this is an area to watch with interest.

Although fintech companies can obtain separate lines of coverage to protect against the wide spectrum of risks they face, this has the potential to result in conflicting language, coverage gaps and dual insurance issues. Accordingly, whilst underwriters may need to approach fintech companies with caution (particularly start-ups), there are ample opportunities for insurers to benefit if they remain agile and willing to assist with the challenges that this growing industry faces.

Karen  Boto

2 October 2018