Simont Braun strengthens Financial Services and FinTech capabilities with top hires

Simont Braun boosts the capabilities of its Fintech and Financial Services practices by welcoming Partner Joan Carette and Senior Associate Jean-Christophe Vercauteren. These strong additions to the firm enhance our Digital Finance Team’s position on top of the Belgian market.

The highly respected Joan Carette joins our Fintech and Financial Services team as a partner next to Catherine Houssa and Philippe De Prez, where she will reinforce our regulation and FinTech skills and allow to improve our focus on the Tech aspect of our expertise.

Joan Carette has 20 years of experience in FinTech, payments, e-money, AML and more generally banking and financial services and the prudential supervision of financial institutions. She worked as a regulator in the prudential supervision department of the FSMA, and in Belgian and international law firms for over 15 years.

Clients admire her “very flexible, pragmatic approach,” as well as her “deep knowledge of financial regulation.” (Chambers & Partners)

FinTech, Payments and Financial Services play key roles in our economy and require to combine strong legal knowledge with tech-savviness and proactivity. In this context, I am delighted to join the strongest Digital Finance Team on the Belgian legal market. Together, we will be able to offer the best possible guidance to our clients,” says Joan Carette.

Jean-Christophe Vercauteren has solid regulatory expertise in FinTech, payment services and e-money, AML and more generally banking and financial services. He gathered experience as a lawyer in Belgian and international business law firms, and as a legal counsel in a Belgian bank.

I could not think of a more stimulating environment than Simont Braun’s Digital Finance Team to further develop my expertise. Being part of the pioneer FinTech law firm in Belgium will be a daily motivation, and I am happy to contribute to broadening its capabilities,” says Jean-Christophe.

We are proud to welcome top talents like Joan and Jean-Christophe in the team. With them on board, our Digital Finance Team strengthens both its financial services and tech capabilities,” adds Philippe De Prez, partner in FinTech and Financial Services.

***

Simont Braun’s pioneer Digital Finance Team is one of the best and most-qualified teams in Belgium. “The firm has proven itself as one of the very leading players in the market, having advised on groundbreaking projects involving areas such as alternative lending, micro-savings, robo-advisory, blockchain, ICOs and virtual currencies.” Simont Braun is the only law firm ranked in Band 1 in Belgium in FinTech by Chambers & Partners. The firm is also ranked Tier 1 in FinTech by the Legal 500, and Tier 1 in Financial Services Regulatory by IFLR 1000.

Covid-19 & Banks: Emergency Response and Sound Management

The health crisis caused by Covid-19 and the economic and social consequences it has for banks oblige these financial institutions to inform their regulator of the specific measures, both internal and external, that they implement to address the situation.

Business Continuity – Regulatory Context

Given their essential role in the economic and financial system, banks are legally required to pay particular attention to the risks that are associated with a potential halt or slowdown of their activities.

This is an illustration of the banks’ more general obligation to have at all times adequate measures to ensure the maintenance or rapid restoration of their critical functions (Article 21, § 1st, 9°, of the Banking Act of 24 April 2014). This requirement results from the need for credit institutions to have a sound and prudent management in place.

  1. Contingency Plan

This obligation of continuity is reflected in the contingency, business continuity and recovery plan. This plan must be established by all banks on an annual basis under the responsibility of their Board of Directors. The contingency plan must demonstrate (and convince the supervisors) that the banks have the capacity to limit the operational, financial and legal consequences that would result from a disaster (we usually think of a fire at the head office, but also a severe computer bug, a terrorist attack or, in this case, a health crisis), or result from a prolonged unavailability of its resources leading to difficulties in ensuring the institution’s operations or, in the most serious cases, forcing the institution to interrupt its activities.

As risks are likely to change and evolve, credit institutions must of course regularly test their contingency plans to be able, in a given context, to document and analyse the shortcomings or errors that emerge during testing, and then update their plans accordingly.

  1. Preliminary risk analysis

The development and drafting of this contingency plan require banks to have first carried out a detailed analysis of their exposure to serious business disruptions and to have assessed how to address them, both quantitatively and qualitatively. It is the only manner for banks to be able to define their priorities and objectives should an incident occur.

The spectrum of risks that can hinder or even prevent the continuity of an institution’s activities is obviously very broad and depends above all on the activities carried out by the bank. The risks incurred by a private bank differ, at least in part, from those incurred by a bank whose main activity consists in granting mortgage loans to private individuals or by an institution specialising in export financing.

Covid-19: Emergency and continuity measures

The Covid-19 crisis is a severe test of the banks’ obligation of continuity and the accompanying duty of vigilance.

It is the duty of each bank to urgently establish and maintain, throughout the Covid-19 crisis, the necessary measures to ensure the continuity of their activities while protecting their staff and complying with the government measures.

The scenario of a health crisis of this magnitude and its important economic consequences was unlikely to be included in the banks’ contingency plans. Nevertheless, in theory, credit institutions must have appropriate tools to face it.

In practical terms, and without going into the details of each institution’s particularities, the following emergency measures are examples of what banks can do to deal with the current crisis – from a regulatory standpoint:

  • Raising staff awareness and implementing concrete measures to avoid the spread of the virus (teleworking, shift of teams, reduced flex-office, closure of branches, etc.);
  • Implementing reliable alternatives for customer communication;
  • Increasing IT capacity to cope with remote working;
  • Coordinating critical processes, resources as well as critical staff and their back-ups;
  • Reinforced assessment by the compliance of cyber-attack scenarios and implementation by IT of the measures internally (monitoring of operations) and externally (communication to customers). Risks of fraud such as phishing, identity theft, etc. increase in times of crisis;
  • Additional requirements for subcontractors performing critical functions (outsourcing). This is the case, for example, if customer data is stored in the cloud;
  • Setting up of a crisis committee that assesses the situation on a daily basis;
  • Communication of the measures implemented to the Board of Directors and possible convening of the risk committee and/or an exceptional audit committee;
  • Regular reporting to the competent financial supervisors (e.g. the National Bank of Belgium) on the implemented measures;
  • Assessment and possible adaptation of the emergency plan. This assessment is normally made on an annual basis, but it should also be carried out when the emergency plan is to be implemented.

Conclusion

Banks are subject to very burdensome and stringent regulatory requirements. These include the detailed assessment of their risks and the implementation of necessary measures to address the risks identified. This obligation is complex because the regulator requires a risk-based approach that is both concrete and detailed. However, it is in days like these, when a concrete risk arises that the full usefulness of these regulatory requirements becomes apparent. Afterwards, useful lessons will most probably be learned as to the effectiveness of the current regulatory framework in this respect, and possible modifications can be proposed.

***

For any question or request for assistance, please contact Catherine Houssa or Philippe De Prez:
Catherine Houssacho@simontbraun.eu
Philippe De Prezphde@simontbraun.eu

Simont Braun assists AION in building the new next generation Challenger Bank

Brussels, 10 March 2020  |  Simont Braun successfully assisted AION in building an entirely digital and mobile bank, making it the first of its kind next generation Challenger Bank in Belgium. AION has officially launched its services on 3 March 2020.

AION is the former Banca Monte Pasci Belgio and was purchased by the American fund Warburg Pincus in 2018 in order to transform it into a fully digital financial services provider. AION offers an unrivalled broad spectrum of financial products and services, and beyond banking services, benefitting from an impressive technology and IT support.

Simont Braun’s team has been involved for over a year in developing the new digital products and services in close and successful collaboration with AION’s team,” comments Philippe De Prez, Partner at Simont Braun in Digital Finance and Financial services. “We had the pleasure to collaborate with a very motivated and talented group of people at AION, all working towards an ambitious goal. It has been an intense ride during which we often explored innovative solutions which were so far not available on the Belgian market. This is a space where our team is at its very best. We would like to sincerely thank our clients for this great opportunity to both assist and learn.”

Simont Braun’s Digital Finance Team advised AION on the compliance of their services and products with the applicable regulation, was involved in numerous contract drafting, screen-by-screen compliance analysis and negotiations with the regulator.

The Simont Braun team was led by partner Philippe De Prez, with the assistance of partners Catherine Houssa and Axel Maeterlinck, counsel Thomas Derval, and associates Sander Van Loock, Charlotte De Thaye, Amine Chafik and David-Alexandre Sauvage.

For any question, please contact Nelly Chammas (Marketing & Communication Manager).

Simont Braun assists TransferWise with their arrival in Belgium

Simont Braun successfully assisted TransferWise, the global technology company that moves money internationally, in obtaining a licence as a payment institution in Belgium. TransferWise officially launched its Brussels operations in October 2019.

TransferWise is an international money platform. The company decided to establish as a payment institution in Belgium to continue serving their European customers as before, even in the event of a no-deal Brexit.

In this framework, Simont Braun’s Digital Finance Team assisted TransferWise with their licence application procedure before the National Bank of Belgium and the incorporation of their Belgian corporate entity. Simont Braun also advised the FinTech company on connected financial regulatory, corporate and labour law matters.

Our Digital Finance Team is happy to have contributed to this significant step in TransferWise’s development strategy in Europe. This licence is also the achievement of a fine-tuned collaboration, both with TransferWise and the National Bank of Belgium,” says Philippe De Prez, Partner.

The Simont Braun team was led by partners Philippe De Prez and Catherine Houssa (Digital Finance), with the assistance of partner Axel Maeterlinck (Corporate M&A).

From left to right: Philippe De Prez (Partner at Simont Braun), Catherine Houssa (Partner at Simont Braun), Gordon Youngson (Head of legal Europe at TransferWise), Axel Maeterlinck (Partner at Simont Braun), and Anna Doyle (EU Compliance lead at TransferWise).

Our Digital Finance Team interviewed on the latest FinTech Trends

Catherine Houssa, Partner in our Digital Finance Team, was interviewed on the latest FinTech trends by La Libre Belgique in a special edition dedicated to the take-off of tech in Brussels.

An opportunity to also highlight the advantages of Brussels as a set-up point for FinTechs willing to reach all of Europe.

The full article is available here.

Our Digital Finance Team has authored the Belgian chapter of Chambers’ FinTech Global Guide 2019

Our Digital Finance Team has authored the Belgian chapter of the FinTech Global Guide 2019 released by Chambers & Partners, providing practical insight on key FinTech topics, such as Payments, Open Banking, Robo-advisory and InsurTech. The guide is available here: http://bit.ly/2UfuBxy

 

Our Digital Finance Team hosted the Vlerick FinTech Bootcamp

Yesterday, Simont Braun’s Digital Finance Team hosted the Vlerick FinTech Bootcamp. Philippe De Prez highlighted the impact of regulation on FinTech ventures and the students had the chance to hear 8 FinTechs pitching: Ibanity, DigiTribe, Accountable, POM, Itsme Belgian Mobile ID, 0smosis and GAMBIT.

Thank you to Bjorn Cumps from Vlerick Business School and FinTech Belgium for their trust.

2019, the year of truth for open banking (RTS – SCA)

Introduction

In the world of Payments and FinTech, PSD2 has been a hot topic for several years now. Last year was already a crucial year with the transposition deadline of this directive scheduled for 13 January 2018. This transposition gave rise to significant (and by now very well-known) changes such as the introduction of regulation on Account Information Services Providers (AISPs) and Payment Initiation Services Provers (PISPs), commonly referred to as Third Party Payment Service Providers (TPPs)[1].

The most important promise of PSD2, i.e. the instalment of an actual ‘open banking’ payment culture in Europe, was, however, not yet realised by this 2018 implementation.

By ‘open banking’ is meant the (forced) sharing of payment account data by so-called account servicing payment service providers (ASPSPs) with other service providers such as TPPs. These ASPSPs are very often banks[2] who will be obliged -without any contractual relationship- to open up their account data, for (usually) FinTech companies to build services around them.

This open banking principle will only go live with the entry into force of the Regulated Technical Standards 2018/389 of 27 November 2017 on Strong Customer Authentication (RTS SCA), scheduled for 14 September 2019.

Prepare for Open Banking

Prior to the entry into force of the RTS SCA, all ASPSPs (basically the banks) need to develop and implement technical solutions that will allow this open banking to take place in a secure and controlled manner. According to the RTS SCA, this should be done by putting in place a so-called ‘dedicated interface’ (which is, in practice, an Application Programming Interface or ‘API’), although also a fall back solution (or ‘contingency mechanism’) must be foreseen, whereby the TPPs can access the data through the interface used for the authentication of and the communication with the ASPSP’s payment service users. In other words: in case the API provided by a bank does not work properly, the TPPs could still access the data through the web-banking service this bank uses itself with its customers. This last technique is often referred to as ‘screen-scraping’ which is rather controversial since many banks claim this screen-scraping to pose significant security risks, as it implies that their clients need to share their security credentials (login and password) with third parties (TPPs).

The screen-scraping contingency mechanism, as proposed in the RTS, does, however, impose that measures are in place so that banks know at all times who is accessing the data (i.e. either their own customer or a TPP on behalf of this customer). This is opposed to the classic/contested way of screen-scraping where banks were under the impression that a client was logging in to their web-banking service, while in reality a TPP was accessing the data with the client’s consent (and passwords).

14 March 2019 – Intermediary deadline

Banks that want to avoid this screen-scraping technique, even only as a fall back solution, are however given a way out by the RTS SCA. But they will need to hurry.

According to article 33(6) of the RTS SCA, ASPSPs such as banks can be exempted from having to provide a contingency mechanism (screen scraping solution) under the condition that their dedicated interface solution (API) is available for testing by TPPs no later than 6 months before the entry into force of the RTS SCA, this means that banks should have their API ready for testing by 14 March 2019.

Industry experts believe this 14 March deadline to be too short for most banks to have a performing API in place since this implies also the provision of testing facilities and technical documents for the TPPs and the supervisors. As a result, those institutions will also have to deliver a screen-scraping based fall back solution (with identification function) by September 2019, which risks to slow them down even more in their API development.

The RTS aren’t technical enough…

Regulatory Technical Standards (RTS) are level 2 legislative measures as opposed to the PSD2 itself which is a level 1 legislative act in accordance with the Lamfalussy regulatory process for financial services[3].  Level 1 legislation such as the PSD2 is supposed only to set out general framework principles that need further technical implementation (through the level 2 RTS).

Part of the problem here is that the RTS SCA only cover so-called legal-technical aspects and do not impose any operational-technical standards. Chapter V on common and secure open standards of communication of the RTS SCA provides general requirements for communication and set out theoretical requirements for the common and secure open standards of communication. In practice, however, all of this is still very high level from a pure operational-technical point of view.

The RTS only impose certain requirements and finalities on the dedicated interface and the contingency matters without indicating how these results should be obtained. Although it is logic for a legislator not to impose industry standards, this could in practice, without further guidance, lead to as many different interfaces and systems as there are banks in Europe. Certain organisations such as ‘Open Banking’ in the UK and the ‘Berlin Group’ on the continent are trying to work out some sort of harmonisation throughout the sector, but do not involve all market participants which certainly poses a threat in terms of competition. There is also a concern that individual member states / supervisors will handle things differently and be either more or either less pragmatic in assessing whether certain requirements are met. Such an approach is potentially harmful since financial services are very often offered on a cross-border basis and industry players will want to avoid local adaptations to their systems.

Many questions remain unsolved

Next to this, many other questions remain unsolved. What will happen with those banks that do not have an API (and potentially also no fall back solution) in place by 14 September 2019? They will for sure be in breach of the law, but how will supervisors handle this concretely?

What about the large numbers of very small (often private) banks throughout Europe that are also subject to these rules and are facing high investment and development costs to put technical solutions in place, that are similar to those of large retail banks? We see that in this respect, the market has started developing a tendency towards the pooling of smaller players, but a lot remains unclear.

As generally known, the PSD2 rules (and thus also the open banking principle) only concern payment accounts. The Luxembourg based CJEU recently ruled that saving accounts do not qualify as payment accounts and therefore data related to such accounts does not fall under the open banking rules[4]. Banks and TPPs could still contractually decide to open this up to other data (for example on saving and security accounts). However, this could lead to situations where certain data shared through the same API falls under the PSD2 liability scheme (i.e. payment account data), while other data is not covered by this protection (i.e. data on saving and security accounts).

Conclusion

An interesting year lies ahead of us, but it is clear that all market participants (banks, TPPs but also supervisors) struggle with the implementation of the open banking principles. Nowadays, financial institutions are all focussing on the near future Brexit obstacle, but will soon be forced to shift, or at least divide their attention in order to tackle this highly topical issue.

*      *      *

For more information, please contact Simont Braun’s Digital Finance Team (digitalfinance@simontbraun.eu).

 

[1] Please click here the for more information on these acronyms.

[2] Please also note that FinTech companies such as payment and e-money institutions can be subject to this.

[3] This process is entailed to provide more convergence in the national implementations and should lead to more consistent interpretation. It has been applied for major financial regulations such as MiFID, the Prospectus Regulation, Market Abuse Directive etc.

[4] Bundeskammer für Arbeiter und Angestellte v ING-DiBa Direktbank Austria Niederlassung der ING-DiBa AG (Case C 191/17) (4 October 2018)