Payment Accounts Directive

It is very easy for consumers to change accounts due to the account switching services, especially since the implementation of the Payment Account Directive 2014/92, which specifies the requirements for account switching services within the European Union.

As a consequence, there is also no demand worth mentioning with regard to portable account numbers. In addition, its implementation would require a huge technical effort; modifying current procedures in order to implement bank account portability would be extremely difficult, both at the operational and at the linguistic level. Moreover, implementation would require a huge financial effort.

It is misleading to compare the IBAN to the case of phone number portability, they are not equivalent nor comparable situations. Policymakers should acknowledge that despite technological development, the IBAN is a very unique mechanism. The IBAN includes, for example, the country code, two check digits, the domestic bank account number, branch identifier. In addition, the length is not the same in every country, it ranges from 16 to 30 digits.

Account number portability requires significant changes in a series of non-negligible technical and operational standards which will hamper the routing of international payments without actually solving the underlying issue. European policymakers should take into account the following arguments:

  • ​​Banks already provide consumers with swift and comprehensive assistance upon request when changing accounts, as well as relevant information concerning existing orders, existing direct debit mandates, incoming transfers and direct debits issued by the consumer.
  • a fully portable account number would necessarily have to be devoid of any features connecting it to a specific bank or country. This would be disadvantageous to both banks and consumers and puts at risk, the architecture of the IBAN, which does indeed identify the given bank and country, is structurally opposed to portability: Banks require this information for clearing purposes, for example, and consumers would have issues determining the recipient of a payment in case of a failed transaction.​

Identified Concerns

The PAD has been implemented too late in some member states, and therefore it is too early to make an assessment. In addition, ESBG would like to underline how the PAD was extremely burdensome and costly for operators did not always fulfil customer needs. In addition, customer mobility is a means to an end and should not become an end in itself.

In other words, we should remember the initial problem customer mobility is trying to solve. Reading the PAD review material, it seems that this problem is a perceived lack of competition. ESBG believes that if there was already a competition issue at the time of writing– this has well and truly been addressed not only by PAD but also: ​

  • by PSD2, which enabled service providers to offer services other than the traditional bank account, making it more attractive;
  • by digitalisation itself which has enabled many neo bank/FinTech/BigTech type financial service providers to enter the market.​

Why Policymakers Should Act

EU legislators and the European Commission should continue improving the transparency and comparability of fees related to payment accounts that are used for day-to-day payment transactions. They should also ensure that consumers have access to bank accounts with basic features. Policymakers should consider the results of numerous studies which show that a majority of consumers are quite satisfied with their accounts, instead of thinking of addressing non-existent problems linked to market inefficiency and switching.

ESBG is well aware of the current debate around customer mobility and in particular account number portability that has started again as part of the review of the Payment Accounts Directive. ESBG urges the European institutions, in particular, the European Commission to look at this topic from a broader perspective and to consider the different investments imposed on the banking sector in the area of bank accounts/payments and not treat it in the isolation of the PAD review only​​.


The Payment Accounts Directive (PAD) was adopted within the European Union in 2014 and is being implemented by EU countries with the main aim of helping the EU internal market foster payment accounts.

The European Commission is currently evaluating the objectives, and a report on the application of this Directive is to be expected soon. However, some may argue that it might be premature to already conduct a full assessment of the Directive’s impact on the market.

Complying with the above, the European Commission (i.e. DG FISMA) commisioned a study to assess whether the PAD meets its objectives (transparency of fees, ease in switching accounts and access to accounts (incl. cross-border access to accounts)). With this in mind, the study will provide an overview of the European payment accounts market and will be used to support the review of the PAD. ​



ESBG believes that European policymakers should put in place a classification that is flexible enough to accommodate for technological progress and that a transitional regime could lead to a detailed classification. EU supervisors and NCAs first need to take initiatives and provide guidance; then EU legislators should enlarge the scope through a general/high-level cryptoasset classification and finally provide regulation for areas that do not fall under EU legislation.

  • Regulatory policy should take into account the various purposes/functions of crypto-assets. Depending on the individual function/purpose of a crypto-asset, different aspects have to be considered. While e.g. payment tokens may raise questions on depositor and consumer protection as well as payment service issues, investment tokens may raise questions on investor protection.
  • From a prudential point of view, it would be better to establish categories indicating how much risk is associated with the specific crypto-asset and to link these categories to existing asset classes where possible. We agree with the Basel Committee that it makes sense to classify crypto-assets on the basis of their different functions. The three major categories are payments, securities and utility access. Within these categories, a further distinction should be made as to whether or not the crypto-asset is backed by a conventional asset. ESBG believes that the prudential treatment of crypto-assets should be designed by adapting current prudential regulatory treatment to these assets; designing a whole new framework would not be necessary.
  • Swift adoption of the MiCA regulation proposal and the proposal regulation on a pilot regime for market infrastructures based on distributed ledger technology. Policymakers are encouraged to deliver on the proposal and allow a smooth adoption and implementation of the proposed measures. ESBG would continue its contribution to the industry and public debate.​

Identified Concerns

ESBG supports the establishment of an EU regulatory framework for crypto-asset markets as a key priority, especially as some crypto-assets are currently not covered by EU legislation. Since crypto-assets are of a digital/virtual nature, policymakers need to consider the legal nature of the issuer (private vs. public), the difference between asset and technology, and the possible stabilisation mechanisms behind the cryptoasset (e.g. in case of stablecoins).​

Why Policymakers Should Act

ESBG is concerned by the abuse of retail investors’ trust and the emergence of highways circumventing policy frameworks which were carefully crafted over the last decades. A general framework for both the definition and the classification of crypto-assets should be set-up through regulatory measures in order to ensure that a scope expansion of crypto-assets is done in a harmonized manner. Regulatory measures provide a level playing field for all market participants involved.

European policymakers should try to preserve and extend to the crypto-assets market the recent advances and improvements achieved in market integrity, investor and data protection, and anti-money laundering.


Since the publication of the FinTech Action Plan in March 2018, the European Commission has been closely looking at the opportunities and challenges raised by crypto-assets and evaluating the suitability of the existing financial services regulatory framework on crypto-assets.

In January 2019, the EBA and ESMA reports pointed out that while some crypto-assets fall within the scope of EU legislation, effectively applying it to these assets is not always straightforward. Moreover, there are provisions in existing EU legislation that may inhibit the use of certain technologies, including DLT. At the same time, the EBA and ESMA have pointed out that most crypto-assets are outside the scope of EU legislation and hence are not subject to provisions on consumer and investor protection and market integrity. Finally, a number of member states have also legislated on issues related to crypto-assets which are currently not harmonised.

In September 2020, the European Commission proposed a comprehensive framework that will protect consumers and the integrity of previously unregulated markets in crypto-assets. The ‘Regulation on Markets in Crypto Assets’ (MiCA) will boost innovation while preserving financial stability and protecting investors from risks. The new rules will allow operators authorised in one Member State to provide their services across the EU (“passporting”). Safeguards include capital requirements, custody of assets, a mandatory complaint holder procedure available to investors, and rights of the investor against the issuer. Issuers of significant assetbacked crypto-assets – so-called global ‘stablecoins’ – would be subject to more stringent requirements, such as in terms of capital, investor rights and supervision.

In addition, the European Commission proposed a pilot regime for market infrastructures that wish to try to trade and settle transactions in financial instruments in crypto-asset form. The pilot regime represents a so-called ‘sandbox’ approach – or controlled environment – which allows temporary derogations from existing rules so that regulators can gain experience on the use of distributed ledger technology in market infrastructures, while ensuring that they can deal with risks to investor protection, market integrity and financial stability. The Commission is also proposing some related amendments where current legislation presents clear issues to the application of distributed ledger technology in market infrastructures

These proposals respond to most of the ESBG priorities and if adopted will ensure a level playing field that has been one of ESBG main demands for the last years.

Read full position paper from June 2019


​​​​RegTech & Innovation Facilitators

ESBG believes that improving the efficiency of reporting obligations both at national and EU level would be hugely beneficial to the deployment of RegTech solutions. 

ESBG believes that communication plays a key role, particularly when it comes to rethinking the relationship between banks (supervised entities) and supervisors. There is room for a more pro-active role of supervisors, which expresses advice and guidance ex ante, and not only ex post. 

ESBG sees innovation hubs as extremely helpful and as a commitment from supervisors to evaluate ideas in a different way (e.g. pro-active approach, ex-ante, expressing guidance). Supervisors go beyond their traditional role of watchdogs and take a step closer to becoming sources of valuable guidance for the wider interest of the banking sector. 

ESBG also believes regulatory sandboxes might be beneficial, provided they are: (a) inclusive (b) fully harmonised. For instance, when only a few players are accepted within a given regulatory sandbox, there is a risk of creating an unlevel playing field. Furthermore, the adoption of regulatory sandboxes in the EU is still too fragmented and differentiated: harmonisation is a key element when it comes to cross-border risk management.​

Identified Concerns

ESBG identifies as main barriers for new RegTech solutions to scale up in the EU single market:

  • Lack of harmonisation of EU rules
    Lack of clarity regarding the interpretation of regulatory requirements (e.g. reporting)​
    Lack of standards
    Lack of supervision for RegTech within the EU
    Frequent changes in the applicable rules

ESBG strongly believes in the principle that innovation comes from different kinds of players (FinTech startups, BigTech companies, incumbent banks). Hence, players of any size should be included in innovation hubs or regulatory sandboxes so to always maintain a level playing field. The current selection criteria of regulatory sandboxes are not always clear. If regulatory sandboxes include regulatory relief, they can threaten the level playing field and consumer protection. This results in competitive disadvantages for market participants who do not participate in the sandbox. Under no circumstances should the selection of participants in an innovation facilitator be based on the type of the entity. Innovation facilitators can only be beneficial if they remain harmonised and equally open to all actors.

Competition between national supervisors on the basis of regulatory arbitrage should be avoided. Sandboxes should not become an economic tool to attract new national market entrants.​

Why Policymakers Should Act

Regulating innovation is challenging. ESBG acknowledges the difficulties regulators might face in creating incentives for innovation. Proposals to enhance supervisory consistency could contribute to a convergence in domestic innovation policies across the EU, thereby facilitating the emergence of a single market for financial services.

Europe still remains outside the initiative of the Financial Conduct Authority’ (FCA) to create a “Global Financial Innovation Network” (GFIN officially launched in January 2019), as there are, at this stage, only a small number of European supervisors involved (Lithuania, Luxembourg, Hungary). As one of the main functions of the GFIN is to establish a network of regulators, it is indeed essential to ensure that the views of Europe can be expressed and defended. EU authorities should represent Europe in any international network, including the GFIN. Furthermore, EU financial entities should have the possibility to be part of any trials across multiple jurisdictions globally.


RegTech helps companies to identify, manage and mitigate risks. RegTech brings direct benefits to supervisors, allowing for a change in approach which is also beneficial for the banking industry. In order to be adopted effectively by the industry, RegTech needs a cultural shift. Supervisors should harmonise the regulatory framework. A pro-active dialogue between supervisors and banks could benefit not only innovation, but also governance. Innovation hubs allow supervisors to work more closely with the industry and to get a more hands-on approach to innovative projects. There are increasing cooperation and partnership opportunities among incumbent banks and FinTech start-ups to provide innovative products and services that they indeed would need to test. ESBG supports the ability to experiment within a controlled environment and test new products and services, while exploring new regulatory requirements and building up critical know-how for future regulatory requirement definitions. Moreover, establishing networks of cross-sectoral innovation hubs could prevent situations where a regulator or supervisor adopts guidelines, recommendations or opinions without taking into account relevant implications that are analysed by a supervisor from another sector.​



The cloud certification would help reduce technical, operational and security risks, and would support compliance with the EBA Outsourcing Guidelines.

It would also help the European banking industry be more competitive worldwide by quickly adopting new technologies. In any case, it is clear that a new oversight framework shall not increase the banking and financial sectors obligations and supervisions. The EBA has advised the European Commission to look at the establishment of an appropriate oversight framework for third-party service providers (TPPs), in particular in the area of cloud services. ESBG encourages and shares the need to strengthen and harmonise the current legislative framework for TPPs at both micro and macro level. ​

  • At micro level, Supervisors should have access rights, audit rights and sanctioning rights directly from the regulatory framework rather than relying only on contractual provisions in outsourcing contracts. ESBG believes that the Cloud Certification is an additional toolkit and will contribute to achieving this policy objective. ESBG encourages policymakers to increase efforts to create a CSP certification framework.
  • At macro level, ESBG also agrees with the EBA that for critical TPPs there is an urgent need for a new oversight framework that sets higher standards related to security and data protection (e.g. obligatory cybersecurity certification). The scope of oversight should aim at monitoring concentration risk, financial stability risks and ensuring cooperation with relevant authorities.

Identified Concerns

ESBG is concerned about the unbalanced power relationship between CSP (Google, Amazon, Microsoft, Alibaba, etc) and cloud service users, such as banks. It is indeed almost impossible for banks to negotiate contractual terms with the powerful CSP that are compliant with the EBA guidelines or applicable legal acts, and this situation generates compliance risk for banks as they are still responsible for the outsourcing arrangement.​

Regarding the regulatory framework, the EBA in its Outsourcing Guidelines, sets unrealistic obligations for banks (e.g. auditing rights, data localisation), as the negotiating position of European banks towards cloud service providers is fairly weak.

Why Policymakers Should Act

Industry sectors like banking urgently need for cloud services offered by big players to fall under a centralised, Europe-wide, validated and standardised EU framework that puts in place legal, technology and security requirements. ESBG has identified some of the major cloud guarantees expected from cloud service providers to comply with the authorities’ requirements and obtain trustworthy banking cloud services.

ESBG welcomes the European Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses. Nevertheless, additional efforts are required to strengthen the financial sector’s capacity to negotiate. Beyond the standardisation of Cloud contractual clauses, a complementary approach could be considered to obtain a Trustworthy European Cloud certification for the financial sector.


There is an ongoing reflection on the level of oversight and supervision for providers supplying a public Cloud to the banking and financial sectors. The underlying idea is to ensure that CSPs deliver on a trusted European Cloud which should comply with the technical, security, legal and regulatory requirements imposed by the 2019 EBA Outsourcing Guidelines and the 2020 Guidelines on ICT and security risk management or legal acts like GDPR.


Big Data

The banking industry acknowledges that it is necessary to promote data-driven innovative services, and that data sharing can be helpful for that purpose.

If data sharing is mandated beyond PSD2, then, instead of making data available free of charge for the recipient, it would be necessary to implement a model based on mutual benefits (similar to those applied in the telecommunications industry and in the United States) under which data access should be on commercial terms to ensure the maintenance of infrastructure and further investments in innovation.

According to the model above, financial organisations would be able to share data with other licensed financial services providers whenever requested, while being compensated for the technical costs of necessary infrastructure implementation. These costs would be reasonable and would guarantee non-discrimination of smaller providers. Without this compensation model, open finance initiatives would make it costly to hold large amounts of data, which is equivalent to having large amounts of clients. There would be discrimination against the largest providers of financial services.

In the areas of standardisation and interoperability, ESBG advocates for the establishment of a sufficiently flexible and broad framework of which the requirements would be limited to elements that are truly useful in the perspective of “productive” standardisation.

Identified Concerns

ESBG agrees with the principle of data sharing. However, in sectors where data is particularly sensitive, like the financial sector, data sharing should not be mandatory. Data sharing is a complex issue which needs to be balanced against several other factors, such as:

  • ​​Defining a data taxonomy – Given the variety of data involved in the digital economy, it is essential to define a sectorial data taxonomy to make any data-sharing framework efficient and practical.
  • Protect the trust asset – Customers must have absolute confidence about the security of their data. As trust is the most valuable asset that banks have to protect, security and cybersecurity should underpin a data-driven economy.
  • Recognising the value of data – Processed data is a strategic and economic asset as well as a strong element of competitiveness for companies, that cannot be considered a public good, freely and automatically accessible to third parties, as they need financial, technical and human investments. The different stakeholders within the data sharing ecosystem need to have the right incentives to share their data.
  • ​Customer data control – Customers should keep the control over their raw data, and decide which information they share, with whom, and for which purpose.
  • Considering data rights – It is essential to consider the different rights that can protect data such as: intellectual property rights, banking secrecy, GDPR, competition law.​

Furthermore, the following three aspects would need to be carefully evaluated by the regulator concerning the application of GDPR:

  • Which categories of data should the user have the right to access (e.g. Raw data, Inferred data, Observed data);
  • Whether the supervisor allows for the use of such data and in which particular way;
    How the information required would be used.​

Upon the introduction of mandatory data sharing beyond PSD2, it needs to be recognised that implementing and maintaining data sharing mechanisms, processes and technical tools has a cost for those providing data sharing services. If institutions cannot provide infrastructure regarding commercial terms, it will not only have a negative effect on competition but also on quality and investments in terms of innovation.

As an advocate of technology neutrality, ESBG believes that the service and/or the product should always be regulated and not the technology. Though ESBG members have the possibility of accessing external data owned by BigTech companies, this usually comes at a high price. Some members have already encountered difficulties in using external data from other companies due to prohibitive prices. ESBG believes the financial sector does not need any further regulation in data sharing.


Europe is undergoing a digital transition that is changing our societies and economies at an unprecedented speed. Data is at the core of this transformation. Through the consultation on a European data strategy, the European Commission aims at making the EU a global data space, a role model and a leader for a society empowered by data. The goal is to create a European single market for data where:

  • Data can flow within the EU and across sectors, for the benefit of all;
  • European rules, in particular privacy and data protection, as well as competition law, are fully respected;
  • Rules for access and use of data are fair, practical and clear.​
  • ESBG submitted a response to the consultation in May 2020, with additional comments.​


​​​​Digital banking: unleash further innovation​

ESBG fully supports regulatory initiatives aimed at fostering the uptake of nascent technologies and business models in Europe. ESBG encourages EU regulators to prioritise the following action points:

  • Support for codes of conduct for all market participants on applications of new technologies in the financial sector
  • Enhancing legal clarity through guidance at EU level for technologies and/or use cases
  • Strengthening of existing European standardisation and specifications initiatives (e.g. in payments or in API developments)
  • Supporting further initiatives like the European Institute of Innovation and Technology partner network that helps business and entrepreneurs be at the frontier of digital innovation by providing them with technology, talent and growth support
  • Setting up and funding expert groups to define and implement nascent technology pilots.
  • Funding experimentation on certain applications of new technologies in finance at European level to encourage the emergence of EU-wide businesses that would be able to compete with comparably sized peers from other jurisdictions.
  • Cross-border coordination within the EU is fundamental to promote the scale-up of technological innovation and to prevent an unlevel playing field and regulatory arbitrage. Fragmentation (e.g. differences in regulatory requirement) is already limiting the potential of technological developments, which also affects the overall competitiveness of the EU.
  • Establishing a framework for consent management to ensure that consumers have the correct tools to share and control their personal data.

Identified Concerns

​New technologies are transforming financial services and the way they are accessed by consumers; this digital transformation is shaping the future of banking. ESBG believes that it is difficult to encourage innovation through regulation and that digitalisation efforts need to be market-driven, where the right conditions are set to ensure that European companies can become global champions, meeting the highest requirements for consumer protection and financial stability. ​

At the same time, ESBG is supportive of technology-neutral legislation that creates a level playing field and allows for offering digital services under sustainable business models that are beneficial to all stakeholders, and that will hence stimulate the digital transition.

The main obstacles to fully reaping the opportunities of innovative technologies in the European financial sector, as identified by ESBG, are the following:

  • Regulatory and supervisory fragmentation. To mitigate fragmentation, there is need for harmonisation of the European regulatory and supervisory framework, particularly in the process of electronic identification. In fact, the identification requirements of European consumers in digital channels differ vastly between member states, especially due to the different interpretation, implementation and applications of, for instance, AML-requirements and PSD2 by both legislators and supervisors. This has created a fragmented and ineffective market environment across the EU. Something that hinders European citizens and corporations. However, when harmonizing identification requirements, care must be taken not to weaken money laundering and fraud prevention.​
  • Unlevel playing field. Currently there are differences in legal requirements between established financial institutions and new market entrants providing the same or similar services. The banking sector is mandated to operate with specific requirements which other market players are able to bypass as they avoid a banking licence – although they provide the same services. Significant risks are introduced in the financial ecosystem by the ability of FinTech companies to operate in a grey area, performing activities that need to be properly supervised. The principle of equal requirements for equal activities must apply.​
  • The regulatory link between privacy, data protection, and innovation is not always optimally balanced: the financial sector fully supports regulatory and supervisory authorities in relation to the approval and implementation of rules on privacy and data protection. However, this should not restrict the industry innovation capacity. The complex legal framework of consent management between PSD2 and GDPR might constitute an obstacle. If public authorities aim at supporting innovation from companies that hold (personal data of) thousands of clients, there needs to be a common ground on the terms of where innovation can be undertaken.

Concerning the relation between regulated entities and supervisors, ESBG has observed the following challenges:

  • New digital players are born global, where their market reach goes beyond the mandate of EU financial authorities. In addition, they sometimes do not belong to a regulated industry, making their supervision complex.​
  • Supervisors lack the necessary resources and competences to implement new supervising processes, which include many technical questions and new products and services. There is also a lack of coordination between supervisors both within and across member states.
  • Regulators and supervisors therefore need to move closer to the industry, taking instead a collaborative approach.
  • All providers should be subject to the existing regulatory framework for financial services.
    Regulation shall adapt to the specific service (payments, investment advice, etc.) and not the service provider (start-up, scale-up or incumbent).

Why Policymakers Should Act​​

The EU lags behind other jurisdictions in terms of capacity and competitiveness to innovate, scale-up and compete with non-European players. European banks oftentimes face difficulties in accessing platforms and technical interfaces of BigTech companies, which are increasingly entering the financial sector. ​​​

To avoid giving a competitive advantage to non-EU companies, European regulators should properly balance consumer interest when assessing the risks of both banks and BigTech companies. Even though this also depends on financial and economic factors, ESBG believes that a less rigid and time-consuming regulatory framework could help foster the competitiveness of European firms globally.

In order to ensure a future-proof regulatory framework that does not hamper innovation, consumer protection and financial stability, the general principle of “same activity and same risks should comply same rules and supervision”, as well as the broad principle of technology neutrality, need to be respected. The EU lags behind other jurisdictions in terms of capacity and competitiveness to innovate, scale up and compete with non-European players. European banks oftentimes face difficulties in accessing platforms and technical interfaces of BigTech companies, which are increasingly entering the financial sector. ​​

Furthermore, Europe is currently facing an educational gap due to a lack of digital skills, both in terms of consumer awareness and lack of qualified workforce; this might limit the opportunities linked to harnessing the potential of technology. We strongly recommend promoting the digital literacy of citizens. Important skills for dealing with and understanding digitization and a consantly changing environment must be taught at school and beyond.


​The financial sector has historically been subject to high regulatory and supervisory requirements. Such requirements have had an overall positive impact on society and have helped the financial sector show resilience in response to the recent COVID-19 crisis. The pandemic crisis has also triggered an increase in customer demand for digital financial services, making regulatory frameworks for digitalisation even more important.

ESBG submitted a response to the European Commission consultation on digital finance in June 2020, aimed at seeking views on the possible measures needed to further enable innovative digital financial services in the EU. On 24 September 2020, the European Commission adopted a Digital Finance Package, consisting of a Digital Finance Strategy, a Retail Payments Strategy, legislative proposals for an EU regulatory framework on crypto-assets, and proposals for an EU regulatory framework on digital operational resilience. Non-European BigTech companies can also penetrate the​ European market via massive investment policies, exploiting the weakness of European positions and the absence of a major European player. By becoming digital platforms where financial products and services are distributed, acquired, advertised, etc., BigTech companies can play a significant role in the intermediation of financial products and services, without having to comply with financial regulation and rules governing incumbent financial institutions. This situation creates an imbalance in the level-playing field necessary to guaranteeing the “same activity creating the same risks should be regulated in the same way” principle.​​​

BigTech companies are already present in the market for multiple financial products and services (e.g. payments, provision of consumer and SMEs credit), and that presence is expected to continue growing. Customer data is at the heart of their business model: ​​

  • ​​c​​ustomisation and anticipation of needs are at the heart of the success of BigTech companies: for this reason, their access to granular customer data and mastery of AI is key;​Access to banking APIs is strategic;
  • many BigTech companies have the necessary authorisations to exploit the opportunities opened up by the PSD2.

Non-European BigTech companies can also penetrate the​ European market via massive investment policies, exploiting the weakness of European positions and the absence of a major European player. By becoming digital platforms where financial products and services are distributed, acquired, advertised, etc., BigTech companies can play a significant role in the intermediation of financial products and services, without having to comply with financial regulation and rules governing incumbent financial institutions. This situation creates an imbalance in the level-playing field necessary to guaranteeing the “same activity creating the same risks should be regulated in the same way” principle.​​​


​​​​Distance Marketing

ESBG believes that providing simple and shorter information to consumers will correspond more with the clients’ expectations and will have a positive effect on their well-informed decision.

Special attention needs to be paid to the information to be provided to consumers before entering into an agreement. We believe that it is necessary to assess how much detailed information is required and how it can best be provided to consumers in order to ensure that they are well-protected.

Simplification of information

The DMFSD requires service providers to give excessively detailed information to the consumer prior to entering an agreement. Consumers often ignore information which is too complex or difficult to remember and there is evidence that simpler information with fewer figures is much more effective at landing critical messages.

Reduction of information

Regarding the pre-contractual information, it is important to focus on diminishing the number of pre-contractual documents, which service providers are obliged to serve to consumers in any case. Mobile devices can only display a limited amount of information in a clear and comprehensive way.

The way the information is provided and right of withdrawal

ESBG believes that detailed contractual terms and conditions and the information referred to in Article 3(1) and Article 4 from the Directive should be provided to the consumer on paper/another durable medium after concluding the contract (as stated in Art. 5 (2)). Even though the consumer might not have had the possibility to read all of the relevant information, they would still be protected under the right of withdrawal.

The right of withdrawal is an instrument for the consumer’s protection and when it is granted to the consumer it should diminish some of the requirements for the service providers, especially in the field of the pre-contractual information that needs to be provided to consumers. If the amount of information is not diminished, there is not a substantial meaning of the right of withdrawal.

Coherence with other pieces of legislation

The provisions of the Directive are not entirely coherent with the Consumer Credit Directive, the Mortgage Credit Directive, the Payment Services Directive, the Payment Accounts Directive, the Insurance Distribution Directive, the Markets in Financial Instruments Directive, the Packaged Retail Investment and Insurance Products and Services Directive – about the information due before signing the agreement.

GDPR, E-privacy Directive, E-commerce Directive – about the consent for direct marketing and unsolicited communications

In order to achieve a coherent and easy to apply legislation in the matter of distance marketing of financial services, we would like to stress on the regulatory approach – it would be very useful if the Directive includes only the specific requirements for the distance marketing of financial services and if there is a specific product legislation, the Directive refers to the applicable parts of this specific legislation instead of repeating them.


The tendency of Member States’ goldplating practices, as observed with the DMFSD, adds costs and limits the effectiveness of the EU legislation in building the single market. The European Commission should ensure a strict implementation of this Directive, which will give consumers better visibility on their level of protection in Europe.​

Identified Concerns

Some ESBG members believe that the revision of the DMFSD is both important and necessary, as it questions the efficiency of its provisions that aim at consumer protection, compromises the service itself and contradicts one of the basic principles of the distance marketing of financial services – that the service should be easy, accessible and time saving. Nevertheless this does not mean that the way distance marketing should be done should overburden the service providers.

The Directive did not anticipate that technological disruption and new digital means have brought a diverse set of innovative distribution channels. This is the main reason why some ESBG members believe that the DMFSD should be reviewed in order to adapt the legislation to the new technology and distribution channels that have emerged from the new digital context. It should also be applied to regulation and supervision on marketing, advertising and risk reporting to the services provided by new operators as those applicable to financial institutions, when rendering the same services because the purpose thereof is to protect consumers and, therefore, they must not discriminate based on who provides/offers the product or service.

ESBG is also keen to comment on some of the issues raised in the behavioural study on the digitalisation of the marketing and distance selling of retail financial services. We do not agree with attitude surveys and research suggesting that personalisation and targeting tend to be negatively perceived by consumers. Current marketing practices allow customers to receive information about unknown products. These practices must fulfil with the relevant legislation (GDPR and e-privacy) and additionally it is important to underline that the consumers always have the right to request stop receiving this advertisement information. In particular, some ESBG members are of the opinion that the format requirements for standardising product-specific legislation is a step too far and that the obligation for clear and intelligible information in product specific regulation is already sufficient. In addition, using regulation to slow down the purchasing process for financial products and services would reduce the benefit of banks’ investments for attractive and competitive customer experiences and would lead to a deterioration in the customer experience of all customers in response to possibly excessive behaviour of a minority.​

Why Policymakers Should Act

The current DMFSD is 18 years old and there have been many developments in the banking sector since then. It is important to update the text and take into account:

  • new market players;
  • digitalisation – financial services for consumers are nowadays presented, proposed and used in a very different business environment where technologies have a major role;
  • consumers want to receive clear and manageable information in a short time;
  • it is important not to overburden the consumers with information;
  • the right of withdrawal is an instrument for the consumers protection and when it is granted to the consumer it should diminish some of the requirements for the service providers, especially in the field of the pre-contractual information that needs to be provided
  • other EU texts which have been implemented since the financial crisis and should be consistent with the Directive. It should also state which of the requirements of the specific legislation (such as CCD, MCD, PSD 2 etc.) should be kept when distance marketing is executed.

The regulation should also avoid using the references to “vulnerable consumers”. The ECJ literature generally addresses an “average consumer who is reasonably well-informed”. To ensure legal coherence, the Directive should be grounded on the “average consumer” and not on the “vulnerable consumer”.


The development of a deeper and fairer single market is one of the European Commission’s key priorities. As part of this objective, the European Commission is working to help consumers to access good quality financial services offered outside their home Member State by harmonising consumer protection rules governing distance marketing. The Distance Marketing of Financial Services Directive (DMFSD) sets out what information a consumer should receive about a financial service and its provider before concluding a distance contract. For certain financial services, it also gives the consumer a 14-day right of withdrawal. In addition, the DMFSD bans services and communications from suppliers that a consumer has neither solicited nor consented to receive.

Since its adoption in 2002, several pieces of product-specific EU legislation have been adopted in the areas of consumer credit, mortgages, payment accounts, payment services, insurance products and investment products. These acts specify, for instance, the type of information a consumer should receive about a product and its provider. The legal framework also includes general consumer protection rules on unfair commercial practices and unfair contract terms, as well as rules on the e-commerce framework, data protection and e-privacy.



Establish a single authority that receives all reporting from all financial institutions into an EU central Hub/Database. This authority would be responsible for reporting to each competent authority depending on the issue (for example, PSD2, GDPR, NIS) and the country. A comprehensive and harmonised EU-wide system of ICT and security incident reporting should be designed for all financial entities and that would lead to harmonised incident reporting also at a national level.

Create a standing mechanism to exchange incident reports among competent authorities to ensure that best practices are shared among financial players. It should be designed on two pillars: i) sharing good practices between authorities which support their supervisory powers and ii) receiving feedback from authorities to improve banks’ internal practices.

The legislator should examine the authorisation schemes based on compliance with pre-determined requirements, with the aim to speed up the processes. Concerning purely contractual considerations, a standardisation of all the main clauses is needed. In addition to the main standard contractual clauses (clause concerning audit; subcontracting clause; business continuity clause; withdrawal clause; data location clause; non-compliance case; penalties for non-compliance), ESBG would welcome a proposal for standard contractual clauses also in regard to confidentiality and the (relevant) bank secrecy act, GDPR and how to handle the potential “conflict” between GDPR and the Cloud Act (US).

The Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses is a first and important reply. Nevertheless, this raises the question of which regulatory framework will be chosen by the Commission. If the selected standard framework is an EBA regulation, this will strengthen the financial sector’s capacity to negotiate, but it will not always be imposed on providers since they are not in the EBA’s supervision field. The most desirable outcome for ESBG would be to obtain a regulatory framework that could legally embed providers in the application of the major, mandatory Cloud clauses. The current overlapping of reporting obligations regarding cyber incidents creates negative effects for all types of institutions. ESBG therefore urges regulators to harmonise their reporting requirements and processes as a fragmented approach diverts resources away from addressing the issue. It is necessary to introduce materiality thresholds. The reporting obligation of financial institutions must be relevant and fit for purpose.

Identified Concerns

The proportionality principle must also apply here. Reporting every single incident is not productive, and financial institutions might not always have the required capacity to do so. ESBG members have experienced serious difficulties when negotiating certain outsourcing clauses related to contractual agreements with ICT third-party providers. We explore this aspect further in our position on Cloud computing.​

Why Policymakers Should Act

The number of incident reporting requirements is increasing and can also vary from country to country. For an organisation with common business infrastructure supporting operations in several countries, this means that a single incident triggers several incident reports to multiple authorities in many different countries. European regulators should reduce compliance complexity by integrating regulatory guidance, expectations and requirements.​


In recent years, cyber-attacks on the financial sector have increased in number, sophistication and severity. The increasing digitalisation of finance is set to accelerate this trend.

Dependence on ICT and data raises new challenges in terms of operational resilience. The increasing level of digitalisation coupled with the presence of high-value assets and (often sensitive) data make the financial system vulnerable to operational incidents and cyber-attacks. While it already outspends other sectors in safeguarding itself against ICT risks (both of malicious and accidental nature) finance is nonetheless estimated to be three times more at risk of cyber-attacks than any oth​er sector.

ESBG submitted a response to the European Commission consultation on a digital operational resilience framework in March 2020, and to the Financial Stability Board consultation on effective practices for cyber incident response and recovery in July 2020. The European Commission launched a public consultation on the revision of the NIS Directive. On 24 September 2020, in the context of the Digital Finance Package, the European Commission published a ‘Digital Operational Resilience Act’ (DORA), aiming to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. ESBG welcomes the initiative by the Commission to build a real single market for cybersecurity. ​


Electronic identification (e-ID)

The provision of interoperable e-identity tools will boost cross-border transactions, paving the road for a Single Digital Market in the EU. High acceptance rates and technical neutrality will be key in determining the success of European e-IDs. It is now time for the EU to push the harmonisation of its electronic identification regulatory and supervisory framework. In order to facilitate the process, the following initiatives should be taken:

  • Harmonise the documents required for the verification of identity (e.g. passports, utility bills, municipal records, tax documents) and their format (acceptability of electronic copies in addition to physical copies);
  • Provide further guidance or standards in support of the customer due diligence process (e.g. detailed ID elements, eligible trusted sources; risk assessment of remote identification technologies);
  • Put forward a common regulatory approach for customer identification and due diligence processes when performed remotely;
  • Adopt a high level of assurance approach for increased electronic KYC for financial services;
  • Broaden access for obliged entities to publicly held information (public databases and registers) to enable verification of customer identities;
  • Provide further guidance relating to reliance on third parties for carrying out identification and verification through digital means, including on issues relating to liability

Identified Concerns

In an increasingly digital world, where most customer interaction happens online, an e-ID can considerably smoothen the customer journey across digital channels, while safeguarding privacy and security. A harmonised e-ID framework at European level would be a key driver to achieve a digital single market and increased mobility for European citizens.

ESBG welcomes the objective to facilitate the cross-border use of electronic identification based on eIDAS, a fundamental requirement to build the Digital Single Market. ESBG believes that an optimal implementation of e-ID solutions in Europe can only be reached by directly involving the relevant industries, ensuring the participation of the private sector at par with the public sector.

However, ESBG considers the current regulatory, supervisory and technological fragmentation of crossborder electronic identities (e-ID) across member states as very disadvantageous for the EU, both in terms of operational and regulatory requirements. Additionally, the identification requirements of European consumers in digital channels differ vastly between member states, especially due to the different interpretation, implementation and applications of for instance AML-requirements and PSD2 by both legislators and supervisors. This has created a fragmented and ineffective market environment across the EU, hindering European citizens and corporations.

The provision of interoperable e-identity tools will boost cross-border transactions, paving the road for a Single Digital Market in the EU. High acceptance rates and technical neutrality will be key in determining the success of European e-IDs. Therefore, ESBG believes that it is important for the EU to empower its financial institutions with the abilities to identify customers through digital means.

Why Policymakers Should Act

At this point in time, developing a specific financial digital identity would not be ideal for consumers. Rather, we welcome broader solutions that would allow citizens to use their e-ID for different purposes. To do so, the EU should work towards a harmonised framework, first on member state level and then on union level, where consumers are able to decide which e-ID to use for identification in each daily use case and are certain that the chosen e-ID will be accepted (irrespective of the scheme being private or public-led).

Here the ESBG strongly believe banks are well-positioned to not only participate but drive the development of e-IDs, given that they have already verified their customer’s data during onboarding processes. Additionally, customers are already used to accessing their bank accounts online and would thus benefit from an e-ID created without the need to provide personal data to a third party. This, in turn, would enhance customer protection and ensure a higher level of personal data privacy.

The current availability and offer of electronic trust services in the EU is not sufficient. Additional trust services should be regulated at EU level, such as electronic identification and authentication, and provision of trusted attributes linked to a verified identity (e.g. proof-of-age, credentials, KYC). At the same time, it is important to build on already existing knowledge and best practices, rather than requiring the development of new solutions from scratch. For instance, in some parts of Europe, already existing efficient solutions and well-established routines at a national levels, should be protected and taken into account by the regulator.


Regulation EU No 910/2014 commonly known as eIDAS Regulation is an EU regulation on electronic identification and trust services for electronic transactions in the EU. It seeks to establish a single legal framework for recognizing electronic signatures and identities throughout the EU. eIDAS Regulation entered into force on 1 July 2016 making the European Union the first and only region in the world offering a viable and common framework that allows the cross-border user of trust and electronic identification services, which include electronic signatures, timestamps and web authentication services.

eIDAS foresees that if an EU Member State offers an online public service to citizens or businesses for which access is granted based on an electronic identification scheme – for example for tax declarations – then they must also recognise the eIDs of other Member States for the purposes of cross-border authentication. The regulation creates thus an internal market for electronic trust services and ensures that they will work across borders and that they have the same legal status as the traditional paper-based processes.

In other words, the eIDAS Regulation provides for a clear and predictable regulatory framework for secure and seamless electronic interactions between businesses, citizens and public authorities within the EU. This regulatory environment is provided by eIDAS, the European regulation on electronic identification and trust services for electronic identification in the internal market. The opportunities offered by eIDAS go beyond payments. Banks can offer consumer or SME-loans to customers that are on-boarded in a digital way, or they can offer investment services to customers based in other countries.​


​​​​​​Mortgage Credit

ESBG believes that providing simple and shorter information to consumers will correspond more on the client’s expectations and will have a positive effect on their well-informed decision. 

Simplification of information

MCD, like CCD, requires creditors to give excessively detailed information to the consumer prior to entering a consumer credit agreement. Nonetheless, consumers ignore information which is too complex or difficult to remember and there is evidence that simpler information with fewer figures is much more effective at landing critical messages. That information may refer to information that only reflects the specifics of the product and meets with client’s expectations for short and clear information – for example – the repayment periods, the amount of the repayment instalments and the applicable interest rate.

Reduction of information

Regarding the pre-contractual information, it is important to focus on diminishing the number of pre-contractual documents, which banks are obliged to serve to consumers in any case. This approach has not proved itself to be useful for consumers and for that reason the requirements for serving pre-contractual information and Standard European Consumer Credit Information aren’t helping in achieving the objectives of the Directive. Bearing digitalisation in mind, the required information can barely be presented in a clear and comprehensive way on mobile devices.

The reduction of information may be also observed through the role of the right of withdrawal. The right of withdrawal is an instrument for the consumer’s protection and when it is granted to the consumer it should diminish some of the requirements for the service providers, especially in the field of the pre-contractual information that needs to be provided to consumers. If the amount of information is not diminished, there is not a substantial meaning of the right of withdrawal.

Definition of foreign currency loans

ESBG would like to make a proposal to change the current definition of a foreign currency loan making cumulative and non-alternative the conditions.

This option:

  • would be simple to apply and appears fully justified to allow the development of cross-border financing, while maintaining a good level of consumer protection;
  • limits the scope of the provisions of Article 23 of the MCD to loans more likely to induce currency risk;
  • would be completely aligned with the wish of consumer protection developed by the European Commission in the MCD. Indeed, Article 23 of the MCD Directive provides, among the modalities for limiting currency risk, the right for the consumer to convert the credit agreement into an alternative currency, which shall be either:
    • the currency in which the consumer primarily receives income or holds assets from which the credit is to be repaid,
    • or the currency of the Member State in which the consumer is resident.

These two currencies (income and of place of residence) are considered by the MCD as sufficiently protective of the consumer to propose them as limiting the foreign exchange risk of a loan in a currency. The notion of foreign currency therefore seems legitimate only to apply to a currency that is different from both the currency of income and the currency of the place of residence, which correspond to the proposal of a “cumulative” definition.

Identified Concerns​

The review of the Mortgage Credit Directive is expected soon. In our opinion, there is a need for guidance from the Commission on pre-contractual information and how best to provide ‘barrier-free’ information on, for example, smartphones.

In our view, there is also a problem with cross-border loans which is not only related to the MCD, but also:

  • for the fact that those credits are secured with an immovable property and the execution of that property (if the credit is not repaid) may be done in a country different from the country where consumer is domiciled.
  • because of jurisdiction in court procedures (EU Regulations 1215/2012, 655/2014 and 1896/2006): proceedings may be brought against a consumer by the other party to the contract only in the courts of the Member State in which the consumer is domiciled. The last provision may be departed from only by an agreement which is entered into by the consumer and the creditor, both of whom are at the time of conclusion of the contract domiciled or habitually resident in the same Member State, and which confers jurisdiction on the courts of that Member State, provided that such an agreement is not contrary to the law of that Member State. This means that in order to bring a procedure against the debtor in the country of the creditor, the debtor has to have a domicile within the territory of the country. Having in mind that consumers tend to travel a lot and change domiciles easily these days, bringing a procedure against them is most of the time very difficult or even impossible, because creditors are often in a situation that they do not know where the consumer’s new domicile is. ​
  • when it comes to servicing notices for voluntary payment of the debts and judicial papers – it is almost impossible to find the debtor and serve them with such kind of documents and/or understand where their current domicile is. And this puts a lot of obstacles in terms of the debt collection processes and procedures.

Why Policymakers Should Act

Financial institutions are willing to adapt their mortgage lending process but call for adequate implementation deadlines and help with any additional IT support or other additional costs. A proportionate application of the mortgage credit directive could also be examined in more detail by a cost-benefit analysis.

In our view it is very important that during the revision the Commission assesses the consumers’ understanding of, and satisfaction with, the ESIS Art. 44a from the Directive. The effectiveness and appropriateness of the Directive should be the core focus of the Commission study.

The Commission should examine the current definition of foreign currency loans. The market is experiencing difficulties in the application of the rules and we note that due to the current definition there are cases that fall within the scope of foreign currency loans for which the consumer protection measures set out in the Directive should not be addressed or are disproportionate to actual risk for consumers.

It would be beneficial for consumers to narrow the scope, establishing that the definition will imply cumulative conditions (being residence and receiving the incomes or holding the assets in a currency other than the credit is to be repaid). As a result, the current regime excludes certain consumers from mortgage credit, while creditors would be willing to provide credit in a number of scenarios if the foreign currency loan regime were better aligned with the real risks.​


The EU Mortgage Credit Directive aims to integrate the market for mortgage credit, promote common standards across the bloc and protect consumers at an EU level through responsible lending. The 2014 MCD applies to all loans available to consumers when buying residential property. It has the following provisions:

  • an obligation for lenders to provide clear and detailed information on loan conditions to consumers;
  • an obligation for lenders to assess the creditworthiness of consumers according to common EU standards;
  • common quality standards and business conduct principles for all EU lenders;
  • the right for consumers to repay credit earlier than determined in a contract;
  • an EU passport scheme that allows credit intermediaries authorised to operate in any EU country to deliver services across the EU.
  • Since the MCD came into force, there have been numerous additions in the form of supplementary acts (both implementation and delegated) to help strengthen the original text.

The Mortgage Credit Directive ‘study’ is under preparation and will focus only on the topics listed in Articles 44 and 45 of the current directive. It will look into the effectiveness and appropriateness of the provisions on consumers and the internal market. The study will also look into digitalisation and sustainable finance (for example, the EC-funded study on green mortgages). Depending on the conclusions of the Study and the Commission’s assessment, legislative changes may be proposed. Some issues have already been identified as being particularly relevant to the review:

  • Loans in a foreign currency (Article 23)
  • Digitalisation
  • Sustainable finance