A Digital Euro: what does it mean for savings and retail banks?

Since its inception, ESBG has taken an active role in Digital Euro-related discussions. Overall, ESBG welcomes the Digital Euro from the viewpoint that having digital money issued by the central bank would provide an anchor of stability for the monetary system.

We also believe that the Digital Euro would strengthen the monetary sovereignty of the euro area. However, we predict that the introduction of a Digital Euro could also have some major unintended consequences impacting savings and retail banks if not addressed properly.
Our position paper, issued in March 2023, reflects on the effect of the Digital Euro on retail and savings banks. We highlight three areas where the introduction of the Digital Euro could have a negative impact on our members.
Firstly, the Digital Euro can severely affect our balance sheet activities – the core business for savings and retail banks. Detailed work is still needed to identify a suitable model for distributing, storing and exchanging digital currencies that balances the needs of maintaining the effectiveness of monetary policy transmission mechanisms, customer service and regulatory compliance. Otherwise, and if the Digital Euro becomes “too successful”, the deposit outflow could reduce the balance sheets of banks and eventually their capabilities to finance the economy – as a result, possibilities for consumer finance, mortgages and SME financing will be reduced and the potential impact on banks’ liquidity positions is very relevant.
Secondly, lots of obligations and requirements will be put on savings and retail banks as envisioned institutions for the distribution of the Digital Euro, whilst a sustainable long-term business model is questionable.
Finally, cashless payments in the euro area are flourishing and are showing healthy growth rates. Under a push from regulators, banks are already heavily investing in payment solutions (notably based on instant payments) that address the need for European sovereignty in payments. These new solutions under development will need to find their place in the already competitive payments mix – adding yet another competing payment product by positioning the Digital Euro as such is a game changer. At any rate, a level playing field needs to be present.
Therefore, although supportive of the Digital Euro, we are of the opinion that many legitimate and reasonable questions still need to be answered and a successful implementation needs to properly address the above concerns. In order to achieve this, we argue for significantly lower maximum caps on holdings. For the distributors of the Digital Euro, a long-term sustainable business model will be required. And if the Digital Euro will be positioned as a retail payments product, it should not use its privileged position as a public-money funded product by mandatory acceptance requirements that distort the competitive retail payments market.


The very real challenge of cybersecurity and how to face it


Digital Finance and Innovation

Criminals do not rob banks gun in hand and wearing masks anymore, in the way old films show, but they still break into banks. How? Hiding behind their computer screens and covering their digital tracks.

By Janine Barten

Cyber-attack risks have increased over the past years, resulting in cybersecurity and digital operational resilience being a top priority for banks all over the globe. Most banks are prone to cyberattacks now that customers are relying more and more on digital channels and electronic banking to perform their daily transactions. The risks that the banking sector faces are multiplied by the large number of users involved – and the lack of control banks have over the behavior of these users. That is why financial institutions are significantly investing in cybersecurity strategies, to remain one step ahead of cybercriminals.

The gap between cybersecurity and business needs

Despite all the security measures taken, banks continue to face certain challenges to protect their systems, their customers and their data, and their financial holdings. Ransomware and phishing attacks remain a common issue and are also getting more disruptive. Cybersecurity awareness is improving, however, especially as more ransomware attacks get publicized in the media. But as time progresses, the level of complexity increases. IT systems and software are getting increasingly interconnected and more complex in general – and so must be the cybersecurity measures that are put in place to protect banks and their customers.

One of the main issues is bridging the gap between cybersecurity and business needs. Good cybersecurity means adapting to the business needs. Philipp Schaefer, Cyber Risk Expert and Peter Mikeska, Cyber Security Expert at Erste Bank Group, highlighted the organisational challenges banks are dealing with: “As savings banks find themselves in an environment of ever-increasing cyber threats, the heterogenic nature of how saving banks are organised provides challenges for a sound response to sudden cyber challenges. Swift communication lines among saving banks and towards their ICT are key for identifying threats quickly and allow partner banks to benefit from individual discoveries immediately”, the experts said in a written statement.

“In addition, as costs for protective and anticipatory measures towards cyber threats increase, a unified approach towards cyber threats and its communication becomes necessary to allow the individual savings bank to keep its cost at bay while also benefitting from a state-of-the-art level of know-how and protection”, the statement continued. “However, this doesn’t come without caveats, as savings banks would need to surrender some of their direct control over part of their business to a centralised entity consolidating the ICT efforts, making it both a challenge and chance for the savings banks.” The shortage of cybersecurity professionals to handle all these aspects remains a considerable challenge as well.

Initiatives on European level

“You no longer need armies and missiles to cause mass damage. You can paralyse industrial plants, city administrations and hospitals – all you need is your laptop. You can disrupt entire elections with a smartphone and an internet connection”. These are the words of Ursula von der Leyen, President of the European Commission, used in her State of the Union Address in September 2021 to underline the growing importance of cybersecurity and call for stronger measures to address cyber threats.

Similar to banks, the European Union is also taking steps in the field of cybersecurity. Following up on its path to the digital decade to deliver on the Union’s digital transformation by 2030, the Cybersecurity Act entered into force in 2021, defining the tasks of the European Union Agency for Cybersecurity (ENISA), the European watchdog for cybersecurity.

In May 2022, the Council and the Parliament reached provisional agreement on the revision of the Directive on Security of Network and Information Systems, better known as the NIS2 Directive, to further improve the resilience and incident response capacities of both the public and private sector. Political agreement was also reached on the Digital Operational Resilience Act (DORA), the lex specialis of the NIS2 Directive for the financial sector. Banks, stock exchanges, clearinghouses, as well as FinTechs, will have to respect strict standards to prevent and limit the impact of ICT-related incidents.

Additionally, the Commission published the proposal for the Cyber Resilience Act in September 2022, which aims at establishing common cybersecurity standards for digital products and associated services that are placed on the European market.

The road ahead: Education and innovation

All these regulatory initiatives can certainly set requirements to be put on actors like banks. However, at the end of the day, the weakest links are usually humans – be they bank employees or bank customers. Continuous education is required to keep them aware of possible cyber threats.

On that note, CaixaBank offers their customers and employees extensive cybersecurity awareness programs and content in matters relating to cybersecurity through their Security space, a section on their website specifically dedicated to a secure online experience for customers. The website contains tips and advice on how to use products and services securely and reliably. Next to initiatives like the CaixaBankProtect News newsletter, CaixaBank has also set up a podcast featuring fraud victims, in which they touch upon a variety of topics such as fraudulent messages, how to manage passwords, secure online shopping, and antivirus software for your mobile phone.

Technological initiatives are important as well, as Philipp Schaefer and Peter Mikeska explain: “Focal point at Erste for online banking and communication with the customer is the platform George. Here, all data flows are monitored and permanently analysed towards anomalies. Should threats be discovered, an immediate response is initiated by blocking harmful actions and the affected customer will be contacted and informed. In case of a significant uprise of a threat, each customer entering our platform will be briefed and needs to confirm the message to proceed. The smartphone application of George can also discover if harmful code from other applications tries to gain access. Lastly, multifactor authorisation protects our customers from further threats.”

Despite the cyber threat constantly being present, there is also room for optimism. The fast development of cyber threats and both European and national regulation to address those threats will push banks to innovation. In addition, strong cybersecurity measures could lead to increased consumer trust. As Ursula von der Leyen stated in her State of the Union Address: “We should not just be satisfied to address the cyber threat, but also strive to become a leader in cybersecurity”.

Criminals will always be on the lookout for the weakest link. WSBI-ESBG members stand ready to counter this challenge and enhance the security of both their customers and the society at large.

Janine Barten is WSBI-ESBG adviser with expertise on digital finance and innovation.

A shortened version of this article was published in WSBI-ESBG’s Financial News and Views December 2022 Edition on page 5.

ESBG provides input on technical negotiations of the Artificial Intelligence Act

In Q4 of 2022, ESBG staff was invited to three stakeholder info sessions on the technical negotiations on the Artificial Intelligence Act, organized by the offices of MEP Voss (EPP, LIBE Shadow/JURI Opinion), MEP Clune (EPP, LIBE Shadow), and MEP Maydell (EPP, ITRE Opinion). During these info sessions, stakeholders were updated about the articles discussed during the technical meetings that took place in the Parliament and invited to provide concrete input on concrete issues.

The definition of AI remains a highly debated issue. According to ESBG members, the proposed definition is currently too broad. ESBG members argued for a narrow scope, since a scope that is too broad could potentially include more traditional software systems that should not fall under the scope of the proposal. The definition of AI needs to take into account the different levels of autonomy and explainability of the system, as well as the level of control and human participation. Furthermore, it must contain the ability to learn and reason as a central element.
Stakeholders were also asked for concrete examples of overlap with other pieces of legislation, including sector-specific legislation. ESBG pointed out a number of articles where overlap with other legislation, notably the GDPR, exists. There has also been discussion on the high-risk classification, extraterritorial applications, cooperation mechanisms, and access to data. Therefore, ESBG provided input on those matters as well.


Crypto-asset Activities: WSBI-ESBG calls for a more consistent regulatory approach

The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, published a proposed framework for International Regulation of Crypto-asset Activities on 11 October 2022. The framework sets out a) the key issues and challenges in developing a comprehensive and consistent regulatory approach that captures all types of crypto-asset activities that could give rise to financial stability risks; b) policy initiatives at the jurisdictional and international levels; c) the FSB’s proposed approach for establishing a comprehensive framework.

The FSB reports that crypto-assets and markets must be subject to effective regulation and oversight commensurate with the risks they pose. Crypto-asset markets are fast evolving and could reach a point where they represent a threat to global financial stability due to their scale, structural vulnerabilities and increasing interconnectedness with the traditional financial system.

WSBI-ESBG, for its part, welcomed the initiative of addressing the above-mentioned crucial issues and replied to the call for feedback on this consultative document on a proposed framework for International Regulation of Crypto-asset Activities, in particular calling for a more measured regulatory approach between the several players (i.e., financial institutions, issuers, and providers of crypto assets) and for consistency between regulations and requirements applicable to traditional finance and crypto-based finance.

Finally, members underlined the importance of having a clear and dynamic regulatory approach to avoid confusion on the categorization of crypto-assets (i.e., stablecoins, global stablecoins, digital assets), and the need for a higher consistency between local and international regulations.


WSBI-ESBG members call for aligned approach between regulatory bodies on Cyber incident reporting

On 17 October 2022, the Financial Stability Board (FSB) published a consultative document on Achieving Greater Convergence in Cyber Incident Reporting (CIR). In parallel, the FSB invited feedback on this document. Back in 2021, the FSB already published a report on CIR. The report set out three ways the FSB would take work forward to achieve greater convergence in cyber incident reporting: developing best practices, creating common terminologies for CIR, and identifying common types of information to be shared across jurisdictions and sectors.

To inform its work, the FSB conducted a survey amongst FSB members to identify the most common reporting objectives and types of reporting performed; understand the practical issues financial authorities and financial institutions have in collecting or using incident information; identify the information items authorities collect to meet the common reporting objectives, including a review of existing incident reporting templates; and explore the mechanisms for financial authorities to share incident information across borders and sectors.

Drawing on the survey findings, the FSB has set out recommendations to address impediments to achieving greater convergence in CIR with a view to promoting better practices. This work also helped to inform refinements to the Cyber Lexicon, which resulted in the addition of four terms and revision of three definitions. The FSB also reviewed financial authorities’ incident reporting templates and identified commonalities in the information collected. Leveraging this work, the FSB presented a concept for a format for incident reporting exchange (FIRE) to promote convergence, address operational challenges arising from reporting to multiple authorities and foster better communication.

In response to the above-mentioned initiative, WSBI-ESBG replied to the call for feedback on this consultative document on cyber incident reporting, in particular calling for a harmonised reporting approach between different regulatory bodies, processes, and data requests. In terms of promoting greater convergence in CIR, financial authorities could offer tools and platforms that minimize operational issues for reporting of incidents.
Finally, members underlined the importance of having clear definitions to avoid confusion and to differentiate between the terms ‘cyber incident’ and the subcategory thereof of ‘cybersecurity incident’.


Call for clarification on the Artificial Intelligence Liability Directive

On 28 September, the European Commission published its proposal for the Artificial Intelligence Liability Directive, which complements and modernises the EU civil liability framework by introducing for the first time rules specific to damages caused by AI systems.

The purpose is to lay down uniform rules in case of damages caused by AI systems and to establish broader protection for victims. The Directive is applicable to both individuals and businesses. The new rules will, for instance, make it easier to obtain compensation if someone has been discriminated against in a recruitment process involving AI technology.

It is proposed that five years after the entry into force of the AI Liability Directive, the Commission will assess the need for no-fault liability rules for AI-related claims if necessary.

Consequently, on 3 October, the Commission enabled relevant stakeholders to provide feedback on the proposed AI Liability Directive. All feedback to be received will be summarised by the Commission and presented to the Parliament and Council with the aim of feeding into the legislative debate.

As part of its mandate, ESBG replied to the Commission’s call for feedback on 2 December. In its response, ESBG supports the protection of consumers as well as adapting liability rules to the digital age, thereby setting out a framework for excellence and trust in AI.

However, ESBG understands from the proposed Directive that the presumption of a causal link in the case of fault is mainly a matter of “non-compliance of due diligence duties”. In this context, ESBG calls for clarification on what could be considered as non-compliance with due diligence duties. In particular, ESBG questions whether the presence of bias or discrimination could be considered non-compliance with due diligence duties. Furthermore, clarification is necessary on what tools are available to providers and users of AI systems to refute the causal link.

Finally, as the AILD is a directive, members stress the importance of taking the cultural and legal differences between member states into account when implementing it. Different application across member states can lead to regulatory arbitrage where firms choose where to be domiciled according to the member state’s legislative application. Therefore, the directive should be aligned with the Rome I Regulation and the Rome II Regulation regarding the conflict of laws on the law applicable to non-contractual obligations.


Call for clear scope of applicability of the Cyber Resilience Act

On 14 November, ESBG submitted its input to the European Commission’s call for feedback on the proposed Cyber Resilience Act, which was published in September. All feedback received will be summarised by the Commission and presented to the European Parliament and Council with the aim of feeding into the legislative debate.

On 15 September, the Commission published a proposal for a Cyber Resilience Act, which aims to protect consumers and businesses from products with inadequate security features. The Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements. It will ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU. In addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.

In the position paper, ESBG members welcome the Commission proposal and support the goal of only having secure software on the internal market. However, members believe that the Cyber Resilience Act leaves too much room for interpretation regarding its scope of applicability and therefore propose that the Commission should make a clear scope statement that would dissolve any uncertainty as to whether the software developed, operated, or marketed by financial institutions is in scope of this Act.

In addition, there are vertical initiatives that already regulate the cyber-resilience of hardware and software products used by certain sectors. This is the case of the Digital Operational Resilience Act (DORA) for the financial sector, a regulatory framework specifically designed and developed to ensure the digital operational resilience of the financial sector. Extending the scope of the Cyber Resilience Act to products manufactured by credit institutions may place additional burdens onto banks, on top of the already existing tight regulatory corset.


ESBG keeps a close eye on prudential treatment of crypto assets

On 30 September 2022, ESBG responded to the second public consultation of the Basel Committee on Banking Supervision (BCBS) on the prudential treatment of banks' crypto asset exposures, which is built on the proposals in the first consultation issued in June 2021.

The basic structure of the proposal in the first consultation is maintained, with crypto assets divided into two broad groups: Group 1 includes those that are eligible for treatment under the existing Basel Framework with some modifications. Group 2, on the other hand, includes unbacked crypto assets and stablecoins with ineffective stabilisation mechanisms, which are subject to a new conservative prudential treatment.

In the response to the second consultation in 2022, we advocated for the removal of the technological risk add-on from the proposed prudential framework.

The first reason for this would be the principle of technological neutrality. The regulation should focus on regulating the services but not the applicable technology in order not to prevent the adoption of a specific technology and to neither prefer nor prejudice a specific business model or service provider. Secondly, technological risk already exists in all asset classes. If persistent technological risks are detected, the supervisor could require actions for their mitigation or apply a Pillar 2 Requirement (P2R) surcharge. Finally, a common surcharge of capital would reduce institutions’ incentives to mitigate inherent risk.


OCTOBER 2022 | TOPICS: Prudential, Supervision and Resolution | Public Consultation | Crypto Assets | Basel Framework | Technology Neutrality


Digital euro: ESBG’s response to the European Commission targeted consultation

In its response to the European Commission targeted consultation on June 15, ESBG stated the need to further assess exactly what gaps in the payments system could be filled by the introduction of a digital euro, and to analyse how the existing solutions could be adjusted to enhance their value to the customer. We highlighted the financial education challenges ahead, which will be key to address in order to continue building the customers’ confidence in the financial sector.

The response also stated that ESBG and its members are in favour of limits to individual holdings of digital euro – ideally in the form of a €1,500 cap. It elaborated that a higher limit might cause a deposit outflow that would not be manageable for most banking business models in the EU and would likely force banks to de-leverage massively. The negative impact of this on the balance sheet would be particularly severe for savings and retail banks that currently have little to no access to market funding. The deposit outflow would not only impact liquidity, but also the volume of credit provision of deposit-intense banks, which in the past kept the lending stable even in crisis times.

For a digital euro to be successful, it must provide a user-friendly onboarding process and it should be secure, easy to access and use, and adapted to the public. It would also require the acceptance of both the consumers and merchants. However, any measure aimed at introducing mandatory acceptance – and any eventual exemption – should be carefully assessed and designed at EU level to avoid affecting the level playing field between different means of payment and crowding out the existing solutions.


ESBG welcomes horizontal cybersecurity requirements for digital products

The European Commission launched a public consultation in March to gather views from a wide range of stakeholders to help shape the Cyber Resilience Act, a regulation on horizontal cybersecurity requirements for digital products and ancillary services. As a response to this public consultation on the Cyber Resilience Act, ESBG submitted its position to the European Commission on 18 May. The ESBG position focuses on the following aspects: I) Cybersecurity of digital products and the users of digital products; II) Improving the cybersecurity of digital products; and III) Stakeholder impact of potential regulatory measures.

Digital products and ancillary services create opportunities for EU economies and societies, but they also lead to new challenges because, when everything is connected, a cybersecurity incident can affect an entire system and thus disrupt economic and social activities. The initiative for a Cyber Resilience Act aims to address market needs and protect consumers from insecure products by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services.

On the whole, ESBG welcomes the European Commission’s Cyber Resilience Act as the level of risk of cybersecurity incidents affecting digital products has increased during the last five years. The overall level of cybersecurity of digital products marketed in the European Union could be improved. Subjecting certain products marketed in the Union to cybersecurity requirements would be effective (e.g. hardware or software products subject to higher cybersecurity risks).

Moreover, ESBG members believe that leaving it to hardware manufacturers and software developers to demonstrate compliance with security requirements is insufficient. It would be more valuable to have the opinion of a third party based on a control framework.

All feedback received will be taken into account as the Commission further develops and fine-tunes this initiative, which is tentatively scheduled for the third quarter of 2022. Input will help the Commission analyse cybersecurity-related problems associated with the digital products markets, explore possible ways forward and assess the impact of different types of interventions.