A group of experts on regulatory obstacles to financial innovation has produced thirty recommendations for the technology-enabled provision of financial services in the EU. These span such subjects as the prevention of money laundering, the protection of consumers from sharp practice, the sharing of data, governance and operational resilience in the financial sector.

Recommendation 13: Activity and risk-based regulation. The EU should insist that "the same activity creating the same risks should be regulated by the same rules."
Recommendation 14 – EU-level facilitation, including ‘the sandbox.’ This is another area in which the report calls on the EU to duplicate British efforts.
Recommendation 15 – Uniform regulation. This recommendation needs no explanation.
Recommendation 16 – Fully harmonised KYC processes and requirements. Again, strict centralisation is de rigeur, this time with know-your-customer processes and rules.
Recommendation 17 – Convergence in the use of innovative technologies for CDD purposes. CDD, or customer due diligence, is another term for KYC. The word 'convergence' has exactly the meaning that one might expect.
Recommendation 18 – Clarifying the capacity to re-use CDD data. The EU should "clarify the rights of data subjects to permit the use of data provided for CDD purposes and the outcome of identity verification for further identified purposes." This (although the body of the report does nothing to elaborate) implies that the report writers would like banks to insist on using CDD data for other things as a condition for providing their customers with their services in the first place. This could be the beginning of a slippery slope for HNWs' data privacy.
Recommendation 19 – Digital identity verification. Centralisation is once again on the menu.
Recommendation 20 – End default paper requirement. The EU ought to remove financial laws that require firms to provide documentats, by default, to consumers in hard copy. This should be without prejudice to the right of consumers to ask for information on paper.
Recommendation 21 – Participation in clearing and settlement systems. The EU should think of revising the Settlement Finality Directive to allow for the participation in clearing and settlement and payment systems of any type of regulated financial institution, on the basis of appropriate risk-based criteria.
Recommendation 22 – Access to platforms. The EU should introduce rules to ensure that large, vertically integrated platforms do not discriminate unfairly against downstream services that compete against their own similar services.
Recommendation 23 – Framework for P2P insurance. The EU should think of ruling the roost here.
Recommendation 24 – Proportionate restrictions on non-core business. Here the report is opaque.Recommendation 25 – The GDPR and new applications of technology. The EU should issue guidelines regarding the way in which the General Data Protection Regulation might affect the innovative use of technology in financial services, including the use of DLT/Blockchain (in particular how it might satisfy the requirement for erasure using encryption) and artificial intelligence (in particular regarding consent).
Recommendation 26 – Regulatory dialogues. The organs of the EU like to talk to each other.
Recommendation 27 – Access to and processing of non-personal data. More laws should be drawn up, alongside the obligatory EU-level supervision and enforcement mechanism.
Recommendation 28 – Data sharing. The EU ought to introduce rules to ensure that a user of digitally enabled products or services might share the data that the providers have gleaned about them with other market participants of their choice. These rules might insist on the use of standardised sharing interfaces.
Recommendation 29 – Financial inclusion and exclusion. This only concerns poor people.
Recommendation 30 – Ethical use of data. The report helpfully suggests a slew of new EU rules to govern this, while expressing the quaint idea that the rule-framers will be 'assisting' financial institutions by producing them.

Money laundering

One refrain that throbs throughout the report concerns the need for top-level EU co-ordination when it comes to KYC/CDD controls.

Neither the fourth nor the fifth EU Money Laundering Directive go into any detail about the application of CDD. As a result, EU countries’ laws vary, for instance in terms of acceptable documents for verifying people's identities, the form of those documents (digital/paper) and thresholds above which CDD ought to apply to occasional transactions. The report is particularly concerned about:

• differences between the documents to be used for verifying identities (e.g. passports, utility bills, civic registrations, tax documents) and the formats thereof (electronic copies or physical copies);
• differences in the rules that govern remote customer on-boarding (e.g. requirements to do with information and video chat);
• differences between countries' rules that govern firms' reliance on third parties for CDD (e.g. time restrictions on the use of non-face-to-face identification).

Article 26 of the fourth directive allows financial institutions to rely on third parties to do some of their CDD. However, when enshrining the directive in their laws, some countries limited the use of "third-party reliance," as the report calls it. Some of them insisted on third parties complying with the same requirements as those applicable domestically; some said that an initial identification carried out by a third party should not be older than a certain number of months - in one case 24.

The report is therefore very keen on CDD software being compatible across borders. Only then, it argues, can technological innovation reach its full beneficial potential.