Regulating Fintech in Europe: Lessons from Wirecard
In its 2018 Annual Report, Wirecard, a German Fintech organisation, claimed to be “a global technology group that supports its customers and partners in accepting electronic payments from all sales channels [and in] the issuing of payment instruments”. The report also stated that “[t]he uniform platform approach and seamlessly integrated value added services such as data analytics, customers loyalty programmes and digital banking services support customers and partners of Wirecard to successfully master the challenge of digitalisation”. According to ESMA (2019), it “connected to more than 200 international payment networks (banks, payment solutions, card networks), which resulted in 34,000 customers from various industries, and offered its services in over 100 transaction currencies”.
Figure 1 Credit card payments
Source: Barba Navaretti et al. (2020).
Wirecard acted as an acquirer of payment transactions (most of them online), operating as an intermediary between merchants and their banks on the one hand, and customers, their card issuers, and their banks on the other (Figure 1). The company also provided a host of related technological services. Acquiring activities were conducted either directly, with licensed subsidiaries such as Wirecard Bank AG in Germany and Wirecard Card UK in the UK, or through licensed third-party acquirers, mostly in Asia. Technological services were offered mainly by online platforms, which, according to Wirecard’s claims, were instrumental in implementing an effective risk management of a complex network of payment transactions.
The share of revenues coming from largely unregulated payment and risk management activities was substantial, accounting for three quarters of Wirecard’s total revenues in 2018. Only a quarter of revenue was coming from acquiring and issuing businesses (which are regulated). As it turned out – mostly from a thorough investigation by the Financial Times started in 2015, and by the auditing conducted by KPMG (KPMG 2020) – a large share of Wirecard revenues and profits, especially in Asia, appeared to be forged through a network of companies indirectly controlled by Wirecard’s management, which falsified documents and money flows (McCrum, 2020). In the end, it may surface that €1.9 billion of alleged reserves, supposedly held in escrow accounts in Asia, were non-existent.
With the benefit of hindsight, it is clear that the type of activities carried out by Wirecard were standard routine payment services, and Wirecard’s default had nothing to do with the alleged technological complexity of its operations. In other words, bankruptcy did not happen because of undetected problems or mismanagement of the technology. More simply, Wirecard’s Fintech status created a screen of presumed complexity, hindering the attention of overseers and financiers, and possibly enabling a degree of complacency on the part of domestic authorities unwilling to thwart the growth of a ‘national champion’.
Despite resembling an accounting fraud of the more classical type, Wirecard’s default raised many concerns on the lack of adequate oversight of Fintech companies. The inability of authorities to detect the fraud in a prominent and well-known company is, to a significant extent, the result of regulatory loopholes. There is concern that this may leave room for future transgressions. Indeed, there was neither comprehensive and integrated oversight of Wirecard activities nor adequate vetting of its accounting practices. There was also a lack of effective oversight and enforcement of accounting and auditing practices. But what is really missing in regulation and supervision of Fintechs?
Investor and customer protection
We argue in a recent paper (Barba Navaretti et al. 2020) that to understand how different authorities can cooperate in regulating and supervising Fintech companies, it is important to distinguish between investor and customer protection.
The aim of investor protection is to guarantee that the users of funds provided by third parties offer clear, reliable, and prompt information on their choices. In the case of financial intermediaries and payment services providers, customer protection aims instead at guaranteeing the value of deposits, which is crucial because they are de facto an almost perfect substitute for cash.
In Wirecard’s case, investor protection failed in its role, and financiers will certainly incur significant losses. In contrast, customers were left almost unscathed by the default. However, even if it did not happen this time, Wirecard’s business model and its regulation and supervision left a number of loopholes which might have led to serious problems for its customers under different conditions. If the unregulated technological services provided by Wirecard to merchants, consumers, and third-party acquirers had failed, these would have suffered significant losses. For example, not being able to make or accept a payment performed using a card causes liquidity problems, which can potentially turn into solvency problems, eventually leading to financial instability. Regulatory oversight of Fintechs is therefore of the utmost importance.
The challenges of overseeing Fintech activities
Today, banks and traditional financial institutions are a ‘comfort zone’ for regulators and supervisors, which have substantial experience of how to provide protection to investors and customers, and guarantee stability. The advent of Fintech has opened up mostly unchartered territories, not only for entrepreneurs, but also for experienced supervisors and regulators (Barba Navaretti et al. 2018).
A key challenge is the large number (and type) of different players that have already emerged, and the large number that will emerge. It is useful to identify at least four types of operators engaging in the financial innovation process and classify them with their specific attitude towards financial innovation (Ehrentraud and Garcia 2020).
‘Enhancers’ are operators that perform some key technology-based activity in financial markets, often through ‘vertical unbundling’ of some of the activities performed at different vertical stages of the value chain. Enhancers often rely on new and efficiency-enhancing technologies, such as artificial intelligence (AI) and machine learning (ML). This was the case of many technological subsidiaries of Wirecard group.
‘Unbundlers’ are new specialised financial operators, entering in specific segments traditionally served by all-round financial institutions. They perform horizontal unbundling, separating services to final users that traditional financial institutions would offer as a bundle (such as payment and credit service), either entirely in-house or by outsourcing some activities (e.g. Satispay).
‘Pursuers’ are traditional financial operators that ‘catch up’ adopting new technologies, often through the acquisition of a Fintech start-up. An example of this horizontal unbundling is the acquisition by of the Fintech start-up WePay by JP Morgan Chase in 2017.
‘BigTech’ are large companies that operate platforms in non-financial markets, such as business-to-consumer platforms (an example being Amazon) or social networks (an example being Facebook). BigTech firms are known to enter financial markets, bundling financial and non-financial services on their platforms.
The very presence of these various types of operators in financial markets often makes existing regulations inadequate and supervision more complex. To overcome these problems, it is crucial to identify a set of key steps that should be addressed within a new regulatory framework.
The oversight of Fintech activities: Key steps
When regulating Fintechs, it is crucial to balance the efficiency gains of technological innovation in the financial industry with the possible additional risks created for its stakeholders (Amstad 2020). In our paper, we identified a set of key steps to this aim:
1. Avoid regulatory arbitrage. Regulators lagging behind fintech businesses developments should be avoided. This will help to ensure a level playing field between Fintech companies and traditional businesses. Regulators should also make sure that entities carrying out the same activity follow the same sets of rules (however they carry them out).
2. Understand clearly what Fintechs do and what their business models are. Regulators need to understand the source of profitability and the potential enhancing or disruptive impact of Fintech activities, as well as how they interact with other parts of financial and non-financial markets. Sandboxes (where observing Fintechs develop their ideas) are useful in this respect, as long as they do not create unhealthy links between the regulators and the regulated.
3. Combine the oversight of entities with the oversight of activities. Unbundled financial activities should be supervised independently of the form of incorporation adopted by the company and independently of the other activities that it performs in parallel. This should be done without compartmentalising the oversight of financial markets. Otherwise, loopholes may emerge for companies with a complex and intricate web of activities, such as Wirecard, under different regulatory and supervisory regimes. The proposal of the European Commission – which grants adequate oversight powers with respect to technological third-party providers also within the same group – moves precisely in this direction (European Commission 2020).
4. Master the technology used by Fintechs. At the core of Fintech expansion lies a set of relatively recent technologies that allow for better information extraction from data. It should be clear that these technologies are only tools to perform standard financial activities which, up until now, were carried out through other means. For an effective and safe deployment of AI in financial markets, supervisors and regulators must have the ability to monitor and assess the actual behaviour and functioning of these algorithms. Regtech and Suptech (i.e. the use of AI in the implementation of regulation and supervision) are interesting developments in this respect, but are unlikely to completely substitute more traditional oversight approaches.
5. Know the global picture and harmonise and coordinate internationally rules and oversight of Fintechs. Fintech players, especially those unbundling and specialising in narrow segments, have shown a natural tendency for cross-border activities. This broad geographic span of business activities calls for a coordinated action of regulators and supervisors, certainly in Europe (and, hopefully, more broadly). Coordination, information sharing agreements, and harmonisation of oversight standards is necessary worldwide (and is a necessary ingredient of Europe’s Capital Market Union).
It is common when new types of problems arise to propose new authorities to address the issue. The history of the EU is not immune to this tendency. We see no need for a new regulatory body overseeing Fintechs in Europe in order for the key steps outlined above to be carried out. The objectives of regulation are unchanged, independent on whether operations are carried out by Fintechs, traditional businesses, or a blend of the two. With respect to investor protection, Wirecard’s case calls for stronger national authorities, increased international harmonisation, coordination and cooperation, and direct and sound supervision of auditing firms. In fact, this is necessary for all listed firms. As for customer protection, effective regulation and supervision of Fintechs is only possible with a thorough understanding of their business model and of the technologies that they use. But, in both cases, European authorities should be put in the position of establishing a harmonised and coordinated framework for regulating Fintech, which will then be exercised by national authorities.
ESMA (2019), “Opinion on a proposed emergency measure by BaFin under Section 1 of Chapter V of Regulation (EU)”, No 236/2012, 70-146-19.
European Commission (2020), “Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC)” No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, 24 September.
KPMG (2020), “Report concerning the independent special investigation, Wirecard AG”, Munich, April.
Mc Crum, D (2020), “Wirecard and me”, Financial Times, 03 September.