Five European Central Bank recommendations to fintechs

The European Central Bank (ECB) wants to clearly draw the playing field boundary lines for the fintech revolution. With this aim, they have just released a non-legally binding guide in which they explain the criteria they use when granting eurozone banking licenses to these new entities, which bring together technology and financial services. Their prerequisites and recommendations also pertain to already established banks that open fintech subsidiaries, as well as financial service providers that decide to expand into new services more closely resembling traditional banking.

In coordination with national banking authorities like the Bank of Spain, the guide, which asserts to be “technology-neutral and seeks neither to support nor to discourage the entrance of fintech banks as market participants” outlines the five key aspects that the ECB considers when deciding to grant a license.

1. The profile of the executive management team

The European Directive 2013/36,  which toughened the bank industry's capital requirements and supervisory conditions, determined that executive management teams of entities with an ECB license must demonstrate a range of financial knowledge, both practical as well as theoretical. The ECB's guide goes a step further now with fintech companies by recommending that their executives have accredited IT (information technology) skills and qualifications.

Specifically, the institution headquartered in Frankfurt indicates that having a “Chief Information Technology Officer” with a place on the company's executive board is a point in favor.

2. The shareholders profile

The EU’s Directive 2013/36 isn’t limited to bank executives: it also mandates that any majority shareholder of a bank should be proficient in technical and management skills related to financial services. Fintechs, of course, must also comply with this requirement, with some specific features detailed in the ECB guide.

Fintechs don't typically have, by definition, a permanent set of stakeholders. Founders, seed capital, venture capital, business angels ... all play a part in the project, which continues to grow while the players change. Consequently, the ECB states that it will look at those shareholders with a stake of more than 10% in the fintech, or, if shareholders are very dispersed, at the top twenty shareholders.

The ECB stipulates that it will also take into account if the fintech’s business plan forecasts growth rates above what the initial shareholders can assume, as well as their approach to identifying sources of additional necessary financing.

3. Credit risk management

Fintechs have a problem with credit risk management: normally decisions in this area are made with historical credit data that fintechs simply don't have. Nor is it a simple or quick task to build an internal ‘credit-scoring’ model without this data.

Fintechs, therefore, tend to resort to sub-contracting credit-scoring services, and they look for alternative methodologies to control their level of risk when making loans. The ECB warns that, in conjunction with national financial regulatory entities, it will watch these processes, monitoring the type of data used and the professional teams each fintech dedicates to credit rating.

4. Management of cybersecurity and data protection

The ECB warns that fintechs may be more vulnerable to cyberattacks because they are more likely to subcontract parts of their operations than traditional players: the more participants involved in a process, the more vulnerable and less controlled. In view of this risk, when granting licenses, the central bank will consider the presence of in-house expert cybersecurity personnel and specific protection and contingency plans.

Additionally, in line with the new European data protection regulation, which goes into effect on May 25th, the ECB will appraise the fintech’s policies on data confidentiality, integrity, and availability.

5. An exit plan ... just in case

Lastly, one of the most striking recommendations in the guide is the preparation of an exit plan that only needs to be presented to the supervisory bodies if they ask for it after reviewing the business plan.

The objective of the exit plan is simply to establish how the fintech would cease its business operations of its own volition “in an orderly and solvent manner, without harming consumers, causing disruption to the financial system, or requiring regulatory intervention.” The ECB recommends that this plan be shaped around the assumption of three years of recurring business activity, calculating sufficient capital to cover both this period as well as the time to execute the exit plan; a kind of corporate euthanasia that should be triggered upon reaching previously defined financial criteria.