Guest Blog
How Liveness Detection prevents identity fraud. 2

Protiviti Guest Blog: Applying for a PSD2 License – Navigating the Complex Environment of Innovation and Regulation

Did you know that the term FinTech was probably first used in the 1980s? Peter Knight, the editor of a business newsletter, used the term to describe a bot that had altered his mailbox, which he was pretty upset about (source: Word Spy). 

While there are currently many, slightly different, definitions around, the Oxford Advanced Learner’s Dictionary believes FinTech to be “computer programs and other technology used to provide banking and financial services”. 

Talking to a colleague the other day, he said he did not quite have a feel for the FinTech industry, because “I just don’t exactly grasp what it is.” That might be true for many of us — we all have our interpretation and definition for what FinTech is, and more interestingly, could be. Walking on the big FinTech fairs, like Money2020, you can get overwhelmed by the sheer amount of companies, big and small, working on technology that promises to improve, alter, or turn-up-side-down the financial aspect of our lives. Considering that FinTech is everything described above, the one thing we can be sure of is that within this industry there is a great diversity in the type of company, the application of their products and services, and the way of innovating. 

Regulators try to keep up with the fast pace of change in this industry. One of the biggest recent developments in the regulatory environment is the implementation of PSD2 — the follow-up legislation of the former Payment Services Directive. PSD2 is often perceived as an enabler — making it possible for the wide array of FinTech companies to gain access to consumer payment data and use those data to build their products and services on, providing endless innovation possibilities. We have to keep in mind that payment data is one of the most sensitive types of consumer data and, because of that, is heavily regulated.

How do FinTech companies navigate this complex environment where regulation and innovation intertwine? 

There is an interesting development dance going on between regulator and market, to answer this question. 

Protiviti has supported several clients in their quest for a PSD2 license and auditing licensed companies. Their businesses, as well as their ways of obtaining and/or maintaining that license, differ, but they do have one thing in common — trying to find a balance between what they believe is expected from the regulator, what is feasible in practice, and what is required to grow their business. 

During these PSD2 interactions with our clients, the regulators, and our internal auditing activities we have identified the following top 5 findings of what we believe are (currently) the most important. We are sharing these insights as learning points for the “FinTech” community and to create a better understanding, so the industry can keep the focus on innovation. 

The proportionality principle 

Whether you are a bank with 10.000 employees or a start-up with 10, the same regulation applies. How do you deal with this? And when is good, good enough? How do you apply the principles on which regulation is based without ‘overdoing’ it and staying true to the nature of your business? This is not a one-off static decision but requires being constantly aware of the regulatory environment concerning your business environment (and growth!) and reconciling the two. With every change, keep asking yourself what this means for your business, how should you respond? And what are the consequences of those choices? Tips that can help to stay on top:

  • Stay in close contact with your regulator. Discuss what you do and why you do it, including your interpretation of the regulation, translated to your business. 
  • Rethink your governance. Make sure you have a solid second and third line of defense. Solid means someone (or multiple someone’s, depending on the size of your business) that can relate to your business, stand next to it but at the same time act independently, distance themselves, and ask the right (challenging) questions. This can be done internally, or outsourced, depending on your size and business model. Such a structure will allow you to generate insights that are as objective as possible, not clouded by business dilemmas, hence both improving your business as well as your compliance success. 


Align your risk assessments to your business activities 

We often notice that companies regard obtaining a PDS2 license as a checklist exercise — check the boxes and produce a set of documents. This often means that particular items, such as customer due diligence (CDD) and transaction monitoring receive the most attention. This is not to say that those topics are not important, on the contrary, but taking this out of the context of the actual business processes might cause a disbalance of effort and risk rating. Performing risk assessments are already part of your day-to-day business life.

“What happens if I choose X”, “Will that bring me closer to my goals?”, “What is the chance of something happening that will give me a headache?”, “Is there anything I can do to prevent that?”. A proper risk assessment will help you ask and answer these questions in a structured way, enabling you to act and take precautionary measures if and when necessary. Have you, for example, considered your outsourcing, succession planning and key staff risks, just to name a few? It is important to first visualize your business as a whole – assessing risks associated with different compliance topics (e.g. CDD) will be automatically part of that exercise. 

Platform changes vs. compliance impact 

Despite all the differences, the one thing FinTechs generally have in common is the constant drive to innovate and improve. In that process, being compliant is often seen as a must, and not necessarily as an integrated part of their core business. When applying for a license your company is “vetted” on how compliant you are. Don’t make the mistake of viewing this as a one-time exercise. Especially in the financial community, compliance-related topics and regulations are a major part of your product and service delivery. Embed compliance as a part of your day-to-day business – not just because you have to but because it will help you. For example, imagine that you recently released a great update to your platform and your customers are excited about the extended functionality. Then you discover a big data breach, compromising your promise to your customers that you would keep their data safe (and a privacy compliance breach at the same time). Implementing solid controls will help you prevent this; not just for big releases but also for the smaller incremental change.

Do what you said you would do 

In the process of obtaining a license, it is completely understandable that you will present the best version of yourself to the regulator. Do however keep the bigger picture and longer-term in mind. Knowing how your processes work, including where you might have potential gaps, is important. Not only for obtaining and maintaining your license, but also to seize opportunities where they arise. An external advisor, someone who knows the application procedure, can help you prioritize — What gaps should be fixed before you apply for a license? What solutions can stay ‘in development’ for now and how to discuss that with the regulator? Afterwards, make sure to embed regular review/testing activities — What actions are still open? What do we need to improve on? What are the risks associated with these actions?

The regulator does not know everything

As a final remark: the FinTech community, its participants, and regulator are evolving, and no one knows it all. Regulation is often seen as a disabler or obstacle to innovation. At the same time, and PSD2 is a great example, it can also accelerate the development and application of new technology. We believe that you have to recognize each other’s perspectives and ambitions and collaborate to harmonize those. 


How Protiviti Can Help 

At Protiviti we will continue to monitor these developments and share what we learn. Thanks to our expertise and position we aim to be a bridge between regulators and market participants. To be part of that innovative cycle, on the crossing of innovation and regulation, of practice and theory. Are you triggered by the content of this article and want to discuss, you are welcome to join us in our interactive round tables or other events (go to our events page). Of course, if you have any other questions, please feel free to reach out! 

Authors: Eva Noordhoek and Michiel Kos, Protiviti, FinTech Financial Services

Read more about Protiviti here

Share this Article
Related Insights
Dutch FinTech Map 2022
Make sure your company is on the map! Are you a member, or active in the Netherlands? Provide your details to be featured!
Amsterdam Fintech Week
Amsterdam FinTech Week is back on 9-16 September, fully in-person and online. Be a sponsor, co-organizer, or just participate at the summit or one of the countless side events.
AMLD5 Guide
A source for consulting PSD2 legislation coupled with commentary, tips & tricks, applicability, in collaboration with our member law firms.

How likely are you to recommend Holland FinTech?