
Wednesday, February 17, 2021

BNPL, Credit Innovation and the Woolard Report

Some key takeaways for Fintech strategists from the FCA-commissioned Woolard report, a policy material with the potential to influence upcoming regulatory stances on BNPL and credit innovation.





The final report of the FCA-commissioned review of change and innovation in the unsecured credit market (“The Woolard Review”) has the potential to influence upcoming policy discussions about credit innovation well beyond the borders of the United Kingdom. Christopher Woolard's 68-page report makes 25 recommendations, some of which are of particular interest for fintech firms invested in Buy-Now-Pay-Later (BNPL) products and in general for firms whose business models are adjacent to consumer credit or point-of-sale finance. While a careful read of the report is highly advisable for fintech CEOs and their policy and legal teams, here are some aspects of the report that can become of critical importance for future policy discussions and regulatory initiatives in and outside of the Anglo-Saxon context:


1. BNPL is consumer credit and will be regulated as such: This is not an entirely novel idea of the Woolard report. But this commonsense notion that seems to be well established in the British policy discussion does not seem to be that widely accepted everywhere. My perception is that fintech product teams and fintech strategists seem to think of BNPL as a type of product that can be designed to appear sufficiently different from credit as to be able to skirt most of its regulation. However, a good read of the Woolard report suggests no sensible policy discussion on BNPL will contemplate a significantly different regulatory framework from the one applicable to consumer credit products and point-of-sale finance. In that sense, the right way to address this challenge is not to assume that BNPL will be subject to a radically new regulatory framework but instead to advocate for an update of consumer credit regulation that addresses the novel characteristics of BNPL and the differences between the latter and more traditional brick-and-mortar point of sale offerings. Numerals 3 and 15 below propose some areas on which to focus this advocacy.


2. 0% APR claims or very short instalment plans may not be enough to avoid regulatory oversight: One of the most salient recommendations of the report pertains to “Unregulated BNPL products”. This term refers to certain credit products that are typically excluded from the scope of credit law by virtue of their short tenor or interest-free nature. The report highlights the fact that even non-interest-bearing products can be potentially harmful for consumers that perceive them as mere payment methods à la Google Pay instead of the complex financing solutions that some of them actually are. After listing some of the potential harms that even 0% BNPL schemes may bring about, including the potential conflicts of interest that I elaborate upon in numeral 9 below, the report makes the clear suggestion that even these typically exempted products should fall under the scope of oversight of regulatory bodies. I think it is safe to assume that the policy discussions elsewhere will reach a similar conclusion, so the policy teams of fintech firms should prepare for honest and intense discussions about the right regulation to address the consumer risks that are brought about by 0% BNPL or other typically “unregulated” products.

 

3. Rent-your-tech products remain off the radar, but caution is advised: Despite the fact that the report spends a few pages elaborating on the need to bring certain novel products into the scope of regulation, there is no express mention of Rent-your-tech offerings. This may be explained by the fact that these products seem to be much less pervasive in the UK than in Germany, for example, where Grover appears to have become a real alternative to Klarna or more traditional point-of-sale financing, securing partnerships with major tech retailers like Saturn. While this omission seems to be good news for firms like Fat Llama and Grover, the renewed emphasis on consumer protection outcomes that is proposed in the report shows that policy makers will not be blind to how similar their products are to credit and/or leasing in terms of the risks they bring about for consumers, including overindebtedness. It is certainly too soon to tell what the regulation for these products will look like, but it is unwise for rent-your-tech firms to simply assume that their products are not going to be under the scope of credit law or leasing regulation. Perhaps the right path to take is to prepare for that policy discussion in advance and proactively set a position on what a tailor-made regulatory framework that accounts for the nuances of rent-your-tech could look like. Close monitoring of the policy discussions in order to determine the right timing for such a proposal is a good idea, but nothing speaks against starting to draft that whitepaper/position paper right now.
 
4. Affordability assessments will remain critical, but be ready for discussions around forbearance and hardship policies: While the report continues to emphasize the importance of ensuring that unsecured credit customers are able to afford the products they are offered (which is not a standard that all BNPL firms seem to meet), it goes beyond affordability and suggests that future regulation should take a good look at standardizing the forbearance practices of market incumbents. That policy stance could translate into a set of rules that give much less latitude to lenders when it comes to deciding (a) which customers are eligible for forbearance, (b) what type of support should be given to borrowers whose financial situation has changed so dramatically as to make them unable to pay their dues under the credit agreement and (c) what circumstances should trigger this special treatment. When it comes to affordability, it is critical that fintech firms insist on a technology-neutral and outcome-based regulatory framework that gives enough room for designing truly online/mobile user experiences. On this particular point, it is important that policy teams insist on the lessons learned from Australia, where the Securities and Investments Commission (ASIC) practically ruled out online lending by setting an overly rigid set of rules governing the minimum documentation that online lenders need to review in the course of their affordability assessments. Finally, when it comes to forbearance, it would be wise for consumer lenders to proactively propose a standard set of hardship policies as a self-regulatory initiative. There is a good chance that such an initiative would put them in a better position for a future policy discussion.


5. “Credit Scoring” practices (Including AI automated decisions) will be under renewed scrutiny: Given the emphasis on affordability, it is important that lenders take an honest look at how they are making credit decisions, especially in their most innovative products. Practices such as lending small amounts to every first applicant without a proper affordability test as a means to evaluate the applicant’s willingness and capability to repay need to be urgently discontinued, for example. This might also be the case for statistical models powered by AI that make automated decisions without incorporating robust affordability features. In general, a takeaway from the Woolard report seems to be that automated credit decisions that are made without careful regard to customers’ ability to repay increase the risk of over-indebtedness and are therefore undesirable from a public policy standpoint. In my view, this discussion about affordability and innovative credit decisions has not taken place vibrantly enough in the boardrooms of lenders and BNPL providers.
 
6. Relending may be subject to further limits: Many lenders, especially BNPL firms, tend to be extremely lax in their relending practices, issuing repeat loans to customers without much regard for the risk of overindebtedness. This risk is particularly high in jurisdictions where BNPL firms are not obliged to report loan delinquency or customers in arrears to information databases, which leaves the door open for individuals in financial trouble to obtain further credit from other unsuspecting BNPL firms. A good read of the Woolard report suggests that BNPL firms should expect affordability-based limits similar to the ones adopted by the Polish legislator (hopefully less draconian) to apply to their relending practices in the near future. At the risk of sounding repetitive, my suggestion here would be that the industry itself takes the initiative with a self-regulatory proposal that is sensible enough to inform the upcoming policy discussions.
 
7. Open Banking Data may play an even more important role in the future: While the privacy community tends to see a lot of tensions between the ideals of open banking and the privacy of account-holders, the Woolard report suggests that policy makers and regulators should look at open-banking data as a tool for alternative lenders (especially online-first lenders) for carrying out adequate creditworthiness assessments and affordability tests. Fintech firms should welcome a renewed regulatory commitment to remove “barriers to widespread use of Open banking data” and should continue to stress the importance of banks’ compliance with the open banking rules enshrined in relevant legal materials such as PSD2. On this particular point, my intuition is that some strategic litigation or proactive regulatory whistleblowing might be needed to ensure that banks (finally) comply with open-banking rules.
 
8. High-cost credit might be a necessary evil to secure increased access to credit: Instead of attempting to root out high-cost offerings from the credit market, the report suggests that regulatory interventions might see better outcomes by focusing “on actions to generate a more dynamic market around alternatives to high-cost credit and ensuring those consumers who are improving their creditworthiness can evidence this and be rewarded with more options and lower prices.” What this means in practice is that regulation might shift away from the goal of diminishing the supply of high-cost credit and instead focus on increasing the menu of substitute products. For lenders, this means that high-cost credit does not necessarily need to disappear from their product range, but it may face more intense lower-cost competition incentivized by legislative action or regulatory interventions in the future.
 
9. Who is your client? The retailer or the consumer? Regulators and policy makers are no longer blind to the fact that the classic conflict of interest that applies to more traditional point-of-sale finance is potentially amplified in the case of modern BNPL firms, especially those who offer low-cost or 0% products bundled with acquiring services whose main source of revenue is fees charged to retailers. In that sense, lenders should expect increased regulatory scrutiny of the arrangements that they make with retailers and should reconsider any claims and commitments that could result in irresponsible lending. A common example of these arrangements is a contractual stipulation wherein the lender is bound by the retailer to maintain a minimum lead-to-sale conversion rate that forces it to relax its creditworthiness assessments and issue loans to consumers who might not be able to afford to repay them. Ultimately, this point circles back to the issue of affordability and forbearance, so it is critical for fintech executives and compliance teams to have honest discussions with their sales teams and account managers to determine whether their commercial arrangements with merchants/retailers stand in the way of responsible lending practices.
 
10. One-click-BNPL claims should be used with caution: Every fintech strategist that I have ever met tends to fantasize about a certain mythological animal that we can call “the one-click-loan”. Twisto, a Czech BNPL provider, presents its product as a “market leading 1-click BNPL solution”, for example. While these claims have tremendous resonance with investors, the Woolard report tends to suggest that they may be incompatible with sustainable lending principles and potentially subject to increased regulatory scrutiny. It would be very wise for BNPL execs to consider the possibility of moving away from these claims in favor of more nuanced convenience USPs. In my mind, this can be done without relinquishing their commitment to creating frictionless (and even paper-less) user experiences. As policy-makers start to take a look at the potential consumer risks related to BNPL, diligent investors should also read between the lines and start shying away from investing in ventures whose claims may be perceived by regulators and policy-makers as overt confessions of irresponsible lending.
 
11. Expect your low-and-grow/credit-history-building claims to be tested in the near future: Many lenders tend to justify their high-cost offerings by suggesting that these products allow individuals who are not eligible for lower-cost (prime or near-prime) products to have some access to credit that allows them to rebuild or improve their credit histories. The Woolard report tends to suggest that policy-makers are already aware of the fact that these so-called low-and-grow claims are not always honest. Therefore, fintech firms should be ready for regulatory interventions that make them unable to make use of these “credit-history-building” claims to attract new customers if they are unable to prove that they are effective in helping customers to transition to cheaper forms of credit.
 
12. The credit information industry is in desperate need of renovation and innovation: Credit information is one of the spaces that remains mostly untouched by fintech challengers. Somewhat paradoxically, the Woolard report seems to suggest that this is an industry ripe for innovation and disruption due to the legacy infrastructures of Credit Reference Agencies and Traditional Lenders. Here is a direct quote from Woolard that refers to the difficulties that CRAs and lenders experienced while trying to comply with temporary COVID-19 forbearance rules: “Reference Agencies (CRAs) were unable to quickly provide a consistent approach to reporting short-term forbearance that has no long-term negative impact on credit files. This raises wider questions about the ability of the credit information market to operate at pace and deliver change in the interests of firms and consumers.” Observed from any angle, this sounds like a great opportunity and a great problem for a fintech founder to address.
 
13. Good news: Price caps for consumer credit might finally become product-specific: This sounds rather obvious: Sufficiently different credit products should have sufficiently different pricing caps. The Spanish case, however, shows that this is not widely shared wisdom. In fact, the outdated usury legislation in Spain has resulted in a Supreme Tribunal doctrine according to which all consumer credit offerings are de facto under the same pricing cap. In a line of decisions dating back decades (some of which I have been very critical of in this piece) the Supreme Tribunal simply overlooks the fact that subprime and near-prime credit should be subject to differentiated pricing caps and makes an even more deleterious mistake: It applies this one-size-fits-all formula rather inconsistently, leaving lenders in uncertainty about what the all-encompassing cap for consumer credit actually is. The legal uncertainty in Spain has put lenders and consumers at the mercy of unscrupulous litigators who are replacing the sorely needed policy discussion to update the usury law with cheap lawsuits at scale. Some of them tend to do it with extremely vulgar showmanship, presenting themselves as consumer protection heroes, like the individual in this video:



 
The good news is that more sophisticated policy materials such as the Woolard report tend to see the utmost care that needs to be exercised while regulating credit pricing in order to strike a proper balance between consumer protection and access to credit. Here is Woolard on the matter: “Regulation of credit often raises questions around balancing consumer protection against limiting access to credit. This is particularly true of pricing interventions. Careful and complex analysis is vital to understand the impact of any intervention on consumers who may lose access as a result. This will vary between different products. (…) In this context, looking to set a price cap across the whole of consumer credit, which some European nations do, would present significant challenges to assessing the impact on access. To apply across all credit without having a major impact on access, it would need to be set so high as to have little impact on most products. Alternatively, it could be set in a way that did create a low cap (for example, as done in the Netherlands) but the potential effects of this on access and business models would need significant consideration. For example, credit card penetration is about four times lower in the Netherlands than the UK”.
 
14. Digital design guidelines for consumer credit products may be on their way and they will accelerate change in legal and compliance functions: Regulatory interventions that reflect directly on UX design are not a new thing. However, the recent experience in Sweden suggests that policy-makers are willing to take this to the next level by regulating specific elements of website design: In particular, the Swedish E-Commerce Payments Bill prevents online retail platforms from presenting credit options before debit options. The report points out that “As a result, BNPL offer(s) can’t be presented as the ‘first choice’ ahead of the lowest cost direct payment option”. The Woolard report seems to suggest that this trend should materialize in a set of digital design guidelines for consumer credit products that fosters transparency and prevents undesirable outcomes such as consumer over-indebtedness. In preparation for this type of regulatory intervention, fintech firms and lenders should evaluate the readiness of their legal and compliance functions to adopt compliance-by-design methodologies. The notion of compliance assurance as the role of some in-house policeman who checks for compliance every so often is rapidly becoming obsolete. A unified second line of defense where product counsels work in tight coordination with compliance officers seems like the only way to adapt to the credit regulation of the future. Compliance-as-a-service offerings can be bundled with BNPL solutions and offered to potential clients in order to ensure that they are able to comply.
 
15. Be ready to resist the preposterous idea of putting online retailers (your clients) in the scope of credit brokerage regulation: Some policy-makers seem to have adopted the idea that online retailers who offer BNPL payment options to their customers need to be regulated in the same way as credit brokers, which could potentially create an obligation for retailers to obtain a regulatory authorization/license. To be fair, this is probably a good idea in the context of more traditional point-of-sale finance, where the staff of brick-and-mortar retailers typically takes a preponderant role in offering (and sometimes negotiating) the credit terms offered to potential borrowers. But given the more limited role that online retailers play in presenting and negotiating BNPL terms, which on most occasions is limited to integrating with BNPL solution providers via APIs and displaying the BNPL buttons in their checkout pages, it is disproportionate to suggest that they should be deemed to be credit brokers. When discussing this matter, the Woolard report seems to suggest that regulating retailers is the right way to ensure that credit offers are presented correctly. Fintech firms should be ready to reject this policy stance by pointing out the inefficiency in making online retailers responsible for pre-contractual information and potentially forcing them to obtain broker licenses/authorizations. The fact of the matter is that BNPL firms are in a better position to bear this responsibility by creating user interfaces that are both consumer-protective and fully embeddable in online retailers' marketplaces. Sensible regulation on this matter that targets BNPL firms exclusively should be entirely sufficient.
 
All in all, the Woolard report is a fantastic piece that shows the sophistication of the policy discussion around consumer credit in the UK and should serve (and probably will) as an example for policy-makers in other jurisdictions. If I were the Klarna CEO or any other fintech executive heavily invested in BNPL strategies I would read every line of it.
 

Special thanks to my colleague Zoltan Nemeth for his comments on a preliminary draft of this piece.

Disclaimer: The opinions expressed by the author in this post are strictly personal and do not reflect the official position of Delivery Hero SE, its management or any of its subsidiaries. Any threatened lawsuits, hate-mail or angry rebuttals in response to this piece are ideally to be addressed to the author directly in the comments. :)

Saturday, March 14, 2020

Judges and Interest Rates

A critical reading of the Spanish Supreme Tribunal's rulings on the limits applicable to interest rates in consumer credit, in light of the Wizink case.

Lunar Justice

Originally published on LinkedIn.

Given the polarized climate we live in, and in order to avoid suspicion about my political leanings, I want to begin by saying that the role of judges as arbiters of the relationships between the actors of the financial system is very important.

In the late nineties, for example, the Colombian Constitutional Court used its powers of constitutional review to strike from the Colombian legal order a series of laws whose practical effect was a disproportionate increase in the cost of credit for mortgage debtors. Going into detail would require a text unacceptably long by internet standards, so for the purposes of this note I will limit myself to saying that in the nineties, Colombian law ordered the periodic revision of mortgage debtors' monetary obligations by reference to the interest rates of the financial market. Thus, an increase in interest rates implied an increase in the real value, in Colombian pesos, of the monetary obligations that mortgage debtors owed to the banks. Well then, just when macroeconomic circumstances sent interest rates soaring and people in the streets were complaining that they had paid the banks three or four times the value of their homes, the Constitutional Court issued a couple of rulings that declared the problematic sections of the rules in question unenforceable.

Setting aside the criticism that the Colombian Constitutional Court received at the time and the accusations of judicial activism that rained down from many quarters (many of them made by respected economists), history tends to look on those rulings with sympathy. These were, after all, decisions that forced the government and the legislature to propose a prompt solution to what was perceived as a deep social crisis in the making. Seen from a certain angle, those decisions are a good example of the role that judges can play, when all else fails, in correcting injustices caused by the absence or the shortcomings of financial regulation.

I write all this preamble to make clear that I have not come to accuse the Supreme Tribunal of Spain's judiciary of "judicial activism". On the contrary, I write convinced that ruling 149/2020 of the Supreme Tribunal was a decision many of us had been waiting for at least since November 2015, the date on which the Supreme Tribunal had last ruled on the interest rates applicable to consumer credit. The second caveat is that I write these lines after 8 years of working as head of legal affairs and compliance programs at two consumer credit companies, so there is not much I can do to defuse this other suspicion apart from admitting that I have followed the public policy discussion on interest rates (if there is such a thing in Spain at the moment) mainly from the creditors' point of view.

I therefore want to propose that both the 2015 ruling and this latest one of March 2020 are bad decisions, not because I believe the Supreme Tribunal should have kept quiet on the matter, but because, when their grounds are examined carefully, there are at least three important criticisms to make:


  • The first criticism is not new, but it is worth repeating and stating clearly for the sake of completeness: the Spanish Supreme Tribunal defends an incomplete interpretation of the Usury Act. It is enough to refer to the tribunal's considerations in the November 2015 ruling to understand the problem. The tribunal wrote on that occasion: "From the early 1940s, the case law of this Chamber returned to the line of case law that immediately followed the enactment of the Usury Repression Act (Ley de Represión de la Usura), in the sense of not requiring that, for a loan to be considered usurious, all the objective and subjective requirements set out in art. 1 of the act be met. Therefore, and as far as the case under appeal is concerned, for the credit transaction to be considered usurious, it is enough that the requirements set out in the first clause of art. 1 of the act are met, that is, «that an interest rate is stipulated that is notably higher than the normal rate of money and manifestly disproportionate to the circumstances of the case», without it being required that, cumulatively, it be required «that it has been accepted by the borrower because of his distressing situation, his inexperience or the limited nature of his mental faculties»". The problem is that art. 1 of the Usury Repression Act establishes that nullity for usury shall apply to a "(...) loan in which an interest rate is stipulated that is notably higher than the normal rate of money and manifestly disproportionate to the circumstances of the case, or under conditions such that it proves leonine, there being grounds to consider that it has been accepted by the borrower because of his distressing situation, his inexperience or the limited nature of his mental faculties." So we are faced with a certain hermeneutic preference: the Tribunal has maintained for some time now that the subjective requirements of Art. 1 of the Usury Repression Act, namely the acceptance of a loan because of the borrower's distressing situation, inexperience or limited mental faculties, can be disregarded for the purposes of the usury test. As if they were not part of the lex lata. And setting aside what we may think of that interpretation (which is a defensible interpretation, as Javier Hermida puts it in this comment), the serious thing is that the court does not take the trouble to explain the considerations that justify it. We do not know whether it is a consideration in equity or whether the Supreme Tribunal has made some consideration concerning the constitutionality of one interpretation or the other. We do not know what hermeneutic carpentry leads it to reject the perhaps more plausible cumulative interpretation. The tribunal tells us the answer and tells us that this has been its doctrine since the forties, but it does not explain how it arrived at it, which is (even if we like the conclusion) at the very least disappointing coming from the highest body of the Spanish judiciary. It is so disappointing that it would make me very happy if someone with access to the right databases dusted off a ruling from the forties that sheds more light on the matter, if one exists.
  • On the other hand, ruling 149/2020, which resolves the Wizink case, is a true regression in terms of legal certainty when compared with the 2015 ruling. In the latter, the tribunal had established a sub-rule according to which, to determine the existence of usurious interest, the interest agreed in a credit contract must be compared with the "normal" rate of money, which in turn can be established by resorting to the statistics of the Banco de España. That test, the Tribunal held, must be carried out with regard to the circumstances of the case, allowing for the possibility that a given creditor justifies an interest rate that deviates from the "normal interest" by proving the circumstances or the characteristics of the credit product that warrant the excess interest. Very reasonable: the Tribunal did not set a maximum rate but referred to the statistics of the Banco de España as the benchmark of normality and placed the burden of proof on the shoulders of creditors, who must show in each case the circumstances that warrant an interest rate above the normal one. Moreover, on that occasion the interest agreed in the credit contract under review exceeded the normal interest by more than two times, so deciding in favor of the consumer seemed the fairest decision. Well then, in the recent ruling of March 4, 2020, the Tribunal seems to change its mind about the statistics of the Banco de España: they are no longer statistics that shed light on the normal rate of money in all cases; rather, despite the fact that they represent the average of transactions in the market (as the Tribunal itself explained in 2015), they can be "already very high" per se. We are therefore (if not facing a contradiction) facing a decision that, read carefully, implies an important doctrinal change: the average of the interest rates that regulated entities agree in their contracts (as periodically recorded by the Banco de España) is no longer an indicator of the normal rate of money that consumer credit providers can use as a safe benchmark for setting their prices; instead, in some cases (the tribunal does not tell us which) this average can already be very high per se and therefore very close to usury (as close as 6 percentage points, as the bank Wizink found out on this occasion, for example). I hope my complaint becomes a little clearer: I submit that doctrinal swings of this kind are truly pernicious for the legal certainty that the actors of the financial system require.
  • In the Wizink case the Supreme Tribunal has decided, as if by fiat, that an APR (TAE) of 20% is an "already very high" rate. This criticism is slightly different from the previous one and is, in my view, the most important of the three: the highest body of Spain's judiciary has decided that the average interest rate on revolving credit transactions in 2018 was already very high without telling us how it reaches such a conclusion. Setting aside the visceral reaction that a 20% APR may provoke in us, and leaving aside the fact that the Banco de España's statistics are artificially low because they exclude the transactions of unregulated entities, the truth is that we are facing a decision that may have a gigantic impact on Spaniards' access to credit, because it calls into question the existence of a subprime credit market. Yet this decision has been taken by the court of last resort as if by decree. The text of the ruling does not show, for example, that the tribunal made use of the means available to an adjudicator of its influence to make an informed assessment of the average of market interest rates. Since this was a cassation appeal, I am not sure that the tribunal was empowered to order further evidence, but one might suppose that the views of an expert economist or another independent expert would have been valuable in reasoning the ruling. And at this point I would like to avoid with all my might having this criticism sound like yet another ode to the wisdom of the market, but in the absence of a cogent argument leading to the conclusion that an APR averaging 20 percentage points is already very high, the Tribunal's decision is plainly arbitrary. Populist, perhaps. And although the school of legal realism has already taught us that judges can be populist and frequently are, it is truly problematic when their decisions sound groundlessly populist.

Having delivered the criticism, which I have tried to formulate so that it does not sound like a bank lawyer's diatribe, I think it is important to say the following: regardless of the apprehensions one may have about the case law under discussion, it is clear that the root of the problem is the absence of an updated usury law for 21st-century Spain. Although in my view the Court has succumbed to a populist impulse that seems disproportionate in the absence of a crisis like the one that motivated the decisions of the Colombian Constitutional Court in the late nineties, experience suggests that when judges are driven to this kind of populism, they are motivated by the error or inaction of the legislature and/or the executive.

There are a lot of very important public policy discussions that have been left up in the air: What should the limit be for interest rates on consumer credit granted in Spain? Is it a good idea to prohibit so-called subprime loans? If these loans are permitted, under what safeguards should they be granted in order to protect the rights and interests of consumers?

I propose, to end with self-criticism, that those called upon to propose sensible answers to these public policy questions, and thus a balanced solution to this mess, are we in the industry. It is urgent that we lead a multi-sector working group (including, especially, consumer protection associations) to seek some consensus that would legitimize a self-regulatory proposal with the vocation of informing a legislative initiative. I am sure some will prefer to keep navigating the uncertainty opportunistically, but given the erosion that this latest Supreme Court decision will produce in the performance of the credit portfolios of the entire industry, it seems to me that the only viable long-term option is to take part in the discussion. To lead it, if necessary. The uncertainty created by the Supreme Court benefits no one except a few litigators who have turned it into a business.

Important: The opinions expressed in this comment are the author's personal opinions. They do not constitute the official position of Mash.




Thursday, November 28, 2019

About Privacy 2030: The Posthumous manifesto of the Patriarch of Privacy Intelligentsia

Originally published on LinkedIn.
One of the issues with contemporary legal education, especially legal education in countries whose legal systems enjoy certain prestige, is a tendency (let’s call it a positivist tendency) to look down on policy discussions. Duncan Kennedy, one of the founders of the Critical Legal Studies movement, offered some interesting insights about this issue in his brilliant critique of legal education:

“(…)in most law schools, it turns out that the tougher, less policy-oriented teachers are the more popular. The softies seem to get less matter across, they let things wander, and one begins to worry that their niceness is at the expense of a metaphysical quality called “rigor,” thought to be essential to success on bar exams and in the grown-up world of practice”.

When discussing the policy underpinnings of GDPR, for example, I have been accused by highly esteemed colleagues of something even worse: Of being very interested or even “very good” at the “philosophical questions”. Anyone who has gone to law-school knows that there is not an ounce of compliment in such a statement. 

Now, the reason I start this write-up with an apparent digression from the theme that I promised in the title is because Buttarelli's manifesto is very important in one very critical manner: It uplifts the status of policy discussions. It shows how critically important policy discussions are for legal practitioners and virtually anybody who works in the tech industry in the year 2019. No legal practitioner working in anything related to technology has a claim to be a well-informed legal practitioner if he/she has not read Privacy 2030 (Yes: Even if you practice at the so-called Magic Circle). I would argue that a similar statement applies to tech CEOs and I would submit that even if you are a cynical CTO secretly hiding enormous stockpiles of personal data in a removable hard-drive somewhere, you should read Privacy 2030 if only because it provides first-hand insights on how the enemy thinks. Let’s make no mistake: This is it. This is give or take the definitive compendium of all the aspirations, latent dystopias and anxieties that give meaning to Data Protection Law and Privacy Law in the European Union.

In order to keep this write-up succinct, I will refrain from examining the main themes of the six chapters of the manifesto. Instead, I will suggest a few more reasons why we should celebrate Privacy 2030 and I will propose an incipient critique. Let’s start with the first: The manifesto seems innovative in bringing about a policy aspect that is still foreign to the typical ESG discussions that one may encounter nowadays in the context of technology, a space where companies that are not hardware manufacturers tend to be perceived as greener and where that item of the due-diligence checklist is rapidly ticked off. I will quote directly from the Manifesto:

“The religion of data maximisation, notwithstanding its questionable compatibility with EU law, now appears unsustainable also from an environmental perspective (…)”

So, while the manifesto does not abound in hard evidence for the premise that data maximization has a tangible effect on climate change, the author offers some interesting suggestions about the places where that question might lead us: A “Digital Green New Deal”, perhaps. And this brings us to one more reason why the manifesto is an important read in the times that we live: Given how ambitiously idealistic it reads, it shows that even in our time it is possible to be both an unrestrained titan of humanism and a world-class technocrat. It occurs to me that Buttarelli was one of the last fellow liberals. This is a slight digression but: If specimens of this endangered species are to be found only as a byproduct of the European project, I am tempted to think that we have one more critical reason to preserve it. I will write no more hagiography because there is enough posthumous praise circulating at the moment, but this is one of those men whose hagiography does not strike me as particularly annoying. We need many more Buttarellis in the generations to come.

Back to the subject that occupies us, the manifesto is also interesting in the sense that it proposes some last-resort measures that need to be on the table if we are to make sure that certain technologies are harnessed for the good: 

“Impose a moratorium on dangerous technologies, like facial recognition and killer drones, and pivot deployment and export of surveillance away from human manipulation and toward European digital champions for sustainable development and the promotion of human rights.”

Moratoriums sound somewhat radical, just like Alexandria Ocasio-Cortez's suggestion of sitting Facebook out of the 2020 elections if they don’t assume responsibility for the way their business affects democracy. But even if one thinks (as I tend to do) that corporations should not be put in a position to decide what is truthful enough for people to read, these last-resort measures seem necessary to ensure that all stakeholders take the policy discussions at hand very seriously.

One final reason for giving the manifesto a good read: There is a very brief afterword by Shoshana Zuboff, whose work was first introduced to me by the always acute Tim Walters from the Content Advisory at a conference (yes, one can actually learn new stuff at conferences). Her afterword is not a particularly compelling piece but it does work as a privacy-contextual introduction to Zuboff's notion of surveillance capitalism, which has been portrayed as some sort of unwitting Marxism by Evgeny Morozov in this great review.

And now to the incipient critique:


The manifesto tends to follow the typical discursive recipe of the contemporary policy discussions about privacy in the EU: It devotes many words to listing and describing a good number of latent dystopias, of extremely undesirable states-of-affairs that we must urgently prevent by means of regulation or state action. On the other hand, it devotes far fewer words and exactly one page to propose a “10-point plan for sustainable privacy”. Let me try to be fair: manifestos do not need to offer all the answers and Privacy 2030 does propose some brighter views on technology, but still, its decided effort to unearth, expose and imagine all potential risks and pitfalls of technological advances is dangerously close to a Neo-luddite impulse of sorts: A tendency to believe that technology is mostly and mainly a source of latent dystopias.

Now, precisely because technology is not just a source of dystopias but also an important instrument for progress, it would be wise to look at it with much more sympathy. Zuboff's afterword is right in calling out the lobbyist talking points for what they are: Regulation will not necessarily stifle innovation. But there is good evidence that bad regulation will. In order to have a civil discussion about the future of privacy and the regulation of technology, it would be a good idea to start by recognizing that not every bit of optimism is corporate propaganda and that skepticism about the role that regulation can play in solving some of the problems listed in the manifesto is not always an exercise of techno-solutionism.

Privacy 2030 is a very important read, but I want to insist on this: A hysterical perception of technology and the world we live in will most certainly lead us to a kind of policy discourse so desperate to rule out latent dystopias that it prevents us from seizing the tangible opportunities in the present. I would echo Zuboff's invitation: Let’s make sure that we fight all the fires together, but let’s make sure we leave some room for the flame of progress.

You can download the manifesto directly from the IAPP resource center here.


Disclaimer: The opinions expressed by the author in this article are strictly personal and do not reflect the official position of the Mash Group or any of its directors or employees. Any threatened lawsuits, hate-mail or angry rebuttals in response to this write-up are ideally to be addressed to the author directly, in the comments. :)




Tuesday, October 22, 2019

About the EBA guidelines on Loan Origination and monitoring



The European Banking Authority (EBA) is about to issue a set of guidelines on loan origination and monitoring with a very broad scope of application. In fact, Numeral 12 of the draft signals EBA’s intention to make all the rules in Section 5 (all rules pertaining to Loan Origination Procedures) applicable, inter alia, to all creditors as defined in literal (b) of the Consumer Credit Directive. Put simply, that would entail that any natural or legal person who grants or promises to grant consumer credit in the course of his/her trade, business or profession in the European Union would be subject to the rules governing loan origination procedures as set out in the guidelines.

I tend to think that such a broad scope of application raises the question of whether the EBA is exceeding its mandate under Regulation No. 1093/2010, but at first glance that seems to be a rather complex matter that merits its own write-up and that could well be the subject of lively discussion amongst esteemed colleagues in the near future. Given that this new set of guidelines will also apply to Fintech firms in the credit space, I would like to focus on what I see as the substantive aspect of the matter: What do these guidelines mean for consumer credit providers who rely on automated decisions/processes for loan origination? I confess I am skeptical: I have argued in the past that the EBA did no favors to Fintech and open banking by issuing a set of regulatory technical standards that are neither technologically neutral nor business-model neutral and that seem to cater directly to the talking points of certain actors who have little incentive to embrace the open-banking ethos of the PSD2.


Susanne Grohé from Aderhold (one of Europe's most Fintech-savvy law firms) hinted at one of the major shortcomings of the guidelines by suggesting that they appear to follow the premise that the use of technology in loan origination is merely a risk factor, dismissing the fact that technology has contributed and can further contribute to building more robust loan origination processes. I concur: The EBA displayed that sort of tech-averse tendency in the RTS on Strong Customer Authentication and I believe it made that mistake again with this new set of guidelines. In this note, I would like to contribute to that discussion by pointing out some very specific rules proposed by the draft guidelines that are particularly problematic for consumer credit providers that heavily rely on automation in their loan origination processes. Let's take a look:


| Rule Number | Tenor | Why is it problematic? |
| --- | --- | --- |
| 85 | Institutions and creditors should have a sufficiently comprehensive view of the borrower’s financial position, including an accurate and up-to-date comprehensive view of all the borrower’s credit commitments (single customer view) | This rule is problematic on two counts: It is rather vague in the sense that it does not specify whether the comprehensive view in question must also include all borrower’s credit commitments with third parties, for example. If the latter is the correct interpretation, then the rule is even more problematic because it somehow assumes that consumer credit providers across the European Union are able to access some kind of database of outstanding credit commitments that is updated in real time by all consumer credit providers as they issue new credit to their borrowers. Such a database is a good idea perhaps, but it has not yet come to exist, so it is not reasonable to require consumer credit providers to be aware of all the credit commitments of a potential loan applicant with a good degree of certainty. |
| 100 | Institutions and creditors should apply metrics and parameters to have an accurate single customer view that enables the assessment of the borrower’s ability to service and repay all its financial commitments. | This rule significantly worsens the problem that I mentioned immediately above. Not only does it presuppose an omniscient single customer view but it goes to the extent of requiring creditors to have a proper assessment of the borrower’s ability to service all its financial commitments. Again, consumer credit providers would only be able to comply with this rule if they had access to some kind of omniscient database that would enable a view of all financial commitments of all potential applicants at any given time. That is in the realm of science fiction at the moment. Arguably, the consumer credit provider could request this information directly from loan applicants, but it is very optimistic (to say the least) to think that consumer credit providers will be able to build accurate affordability analyses based exclusively on information provided by loan applicants who have a vested interest in getting a positive credit decision. Even if we assume zero cases of bad faith credit applications (where loan applicants hide any outstanding financial commitments, for example) the question is: How are consumer credit providers supposed to verify the information provided by the applicants? Should they make use of the omniscient database that seems to exist only in the imagination of the drafters? |
| 182 | The decision to approve or decline the loan application (credit decision), should be taken by the relevant credit decision-making body in accordance with the policies and procedures and governance arrangements as set out in Section 4.3. | This rule seems to be oblivious to the fact that many consumer credit providers automate their credit decisions. In fact, this rule is so anachronistic that it seems to betray a sort of deeply rooted belief that credit decisions can only be made by some kind of hyper-enlightened credit committee that takes a look at every applicant’s paperwork and issues sentences with unimpeachable wisdom. Even worse, this rule seems to betray the assumption that committees take better decisions than, say, adequately programmed machines. This is one of the rules where the tech-averse (or should we say tech-oblivious?) attitude pointed out by Susanne is particularly clear. |
| 183 | Credit decision should be well documented, provide a record of views and reservations, especially any dissenting views, of the credit decision-making body members’. In case of a decision to approve the loan application, the credit decision should contain the information on the key features of a loan being offered to the borrower, including information on the amortisation, price, covenants and required collaterals. Such credit decision should be also the basis of the loan agreement. | Once again, this rule is baffling because it doubles down on the problem that I mentioned immediately above. The underlying assumption that all credit decisions are made (or should be made) by human members of collegiate decision-making bodies is even clearer in this wording. |




So, how did the EBA fare this time? I suppose it is not entirely fair to judge them merely on the merits of the first draft of the guidelines, but the consultation paper seems to betray the same brick-and-mortar worldview that permeated the Regulatory Technical Standards for SCA. Let’s remember that the European Commission did ask them in the past to amend their RTS on SCA to ensure that non-compliance by banks did not prevent AISPs and PISPs from offering their services to end-users.

This brick-and-mortar worldview is pervasive in these guidelines for loan origination and is clearly palpable in some of the rules that I listed above, which seem to be drafted with insufficient awareness of the current state of affairs of the very phenomenon they intend to regulate. If one is to regulate credit decisions in the 21st century, it is important to bear in mind that many (if not most) consumer credit providers automate their credit decisions and that AI will play a very important role in loan origination in the near future. More importantly, any regulatory effort in the 21st century should take into account that artificial intelligence might just be a powerful tool to overcome decision biases and to achieve economies of scale in many realms. Financial inclusion by means of access to credit, for example, will be much harder to scale up if regulation doubles down on the strange notion that there must be a human reviewing every single credit decision in order to ensure its conformity with any standard, be it a responsible lending standard or a credit policy.

I submit that these draft guidelines are pernicious in one very critical way: They anchor the loan origination process in the past by conceiving it as the by-product of some kind of microcosm where the only right decisions are made by committees of the wise.


Friday, April 05, 2019

Account Information Services as KYC enablers

How can Account Information services enable smoother Non-face-to-face KYC processes?


A few weeks ago in this write-up I proposed some ideas on how AML Law can evolve to enable financial service providers to innovate their customer on-boarding experiences. One of my suggestions was that the AML Law of the future should abandon exhaustive lists of mandatory KYC measures that circle around specific technologies and instead lay out the minimum elements for an adequate AML risk assessment while allowing financial service providers to devise and implement KYC routines that effectively address any identified risks.

That piece was a very long chunk of text by internet standards, so this time I will try to keep it succinct and focus on a very interesting set of regulated services contemplated in PSD2 that are particularly well-suited for building seamless KYC routines in the context of online/Non-face-to-face financial services. I am referring specifically to Account Information Services (AIS), defined in Art. 4 (16) of the PSD2 as follows:
"An online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider;" 

What I propose is that AIS can be used by financial service providers to build the kind of enhanced due-diligence measures that are required by AML Law whenever an AML risk assessment shows high risk indicators such as business relations or transactions that take place fully online (or non-face-to-face). A hypothetical enhanced due-diligence measure that relies on AIS in the context of online consumer credit, for example, could be outlined as follows:


  1. Credit applicant is prompted to fill in an online credit application form that is deliberately designed to gather information that could later be verified by means of AIS. This information could well be: IBAN numbers, exact names of account owners, name of banking institutions, etc.
  2. Once the Credit applicant has filled in the online credit application form, the Consumer Credit Provider obtains his/her consent to work with a licensed Account Information Service Provider (AISP) in order to gather information from the applicant's account(s) disclosed in the form.
  3. Once the AISP gathers the account information and passes it on to the Consumer Credit Provider, the latter cross-checks the information gathered directly from the account and the information that was provided by the customer in the online application form. This can be done automatically, without the need for human interaction. If there is a good match between the information provided by the customer and the information collected by means of AIS, then the enhanced due-diligence measure can be deemed to be fulfilled.
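
The automated cross-check of step 3, sketched as an added example (not code from the original post or from any AISP). The record shapes, the name-matching policy and the sample applicant data are assumptions made for illustration; the IBAN is a well-known documentation example number.

```python
"""Added example: automated cross-check for the AIS-based KYC routine (step 3)."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class DeclaredAccount:
    """What the applicant typed into the online credit application form (step 1)."""
    iban: str
    holder_name: str
    bank_name: str


@dataclass(frozen=True)
class AisAccount:
    """Hypothetical shape of one account record handed over by the AISP (step 2)."""
    iban: str
    holder_names: tuple[str, ...]  # joint accounts carry several holders
    bank_name: str


@dataclass(frozen=True)
class CheckResult:
    verified: bool
    reasons: tuple[str, ...]  # empty when verified; otherwise why the check failed


def normalize_iban(raw: str) -> str:
    return re.sub(r"\s+", "", raw).upper()


def iban_is_valid(raw: str) -> bool:
    """Generic IBAN checksum: move the first four characters to the end,
    map letters to 10..35 and require the number mod 97 to equal 1.
    Country-specific length rules are not checked here."""
    iban = normalize_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def name_tokens(name: str) -> frozenset[str]:
    """Accent-, case- and order-insensitive tokens: 'María Pérez' ~ 'PEREZ MARIA'.
    Non-Latin characters yield no tokens, so such names fail closed (manual review)."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return frozenset(re.findall(r"[a-z]+", stripped.casefold()))


def cross_check(declared: DeclaredAccount, ais_accounts) -> CheckResult:
    """Compare the form data with what the AISP read from the account itself."""
    if not iban_is_valid(declared.iban):
        return CheckResult(False, ("declared IBAN fails the checksum",))
    wanted = normalize_iban(declared.iban)
    account = next((a for a in ais_accounts if normalize_iban(a.iban) == wanted), None)
    if account is None:
        return CheckResult(False, ("declared IBAN not among the accounts returned by the AISP",))

    reasons = []
    # Assumed policy: at least two declared name tokens, all of which must appear
    # in one holder name on the bank's record (which may carry extra surnames).
    declared_name = name_tokens(declared.holder_name)
    if len(declared_name) < 2 or not any(
        declared_name <= name_tokens(holder) for holder in account.holder_names
    ):
        reasons.append("account holder name mismatch")
    # Assumed policy: declared bank name tokens must appear in the AISP's bank name.
    declared_bank = name_tokens(declared.bank_name)
    if not declared_bank or not declared_bank <= name_tokens(account.bank_name):
        reasons.append("bank name mismatch")
    return CheckResult(not reasons, tuple(reasons))


# Constructed sample data: a fictional applicant and bank name.
SAMPLE_AIS = (
    AisAccount("ES9121000418450200051332", ("PEREZ GOMEZ MARIA",), "BANCO EJEMPLO S.A."),
)

if __name__ == "__main__":
    form = DeclaredAccount("ES91 2100 0418 4502 0005 1332", "María Pérez", "Banco Ejemplo")
    print(cross_check(form, SAMPLE_AIS))
```

A failed result carries the reasons, so the provider can log why the measure was not fulfilled and route the application to a complementary check instead of silently declining it.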

Here is a flow-chart of what that routine could look like:




Now, the kind of routine I described above is not a silver bullet for all types of transactions and should probably be accompanied by some sort of complementary ID verification, but if we look at the history of enhanced due-diligence measures that were accepted as valid for NF2F transactions in the AML Law of most jurisdictions, it becomes apparent that this routine is in some ways a superior analog to the once ubiquitous "Cent-Transfer" or "Penny-testing" routine which, in the European context, was widely accepted as mimicking one of the examples in Art. 13.2 (c) of the third AML directive:

"(...) ensuring that the first payment of the operations is carried out through an account opened in the customer's name with a credit institution."

This so-called "cent-transfer routine" typically consisted of prompting a prospective customer of financial services to make a very small payment to the account of a financial services provider in order to ensure that the first payment (and the subsequent transactions that took place in the course of the relationship) were done, whenever necessary, through an account opened in the customer's name with a bank that, in turn, had an obligation to carry out KYC routines on the prospective customer and probably had done so before opening the account from which the first payment is initiated.

In my mind, it is easy to see that the routine I briefly described above as the AIS KYC routine is ultimately not so different from the "cent-transfer" routine. In fact, assuming that the AISP collected the account information in compliance with the Strong Customer Authentication standard enshrined in the regulatory framework of PSD2, it is clear that the AIS routine would allow a financial services provider to corroborate with a good level of certainty the ownership of the payment accounts of its prospective customers and to safely initiate a business relation insofar as the verified payment account serves as the basis for the new "non-face-to-face" relation with the customer in question. (In the case of credit, for example, the consumer credit provider can simply refuse to disburse any loans to accounts that are not adequately verified by means of AIS).

Again: This is no silver bullet. In non-face-to-face contexts there is always the risk of impersonation but this routine seems solid enough especially if accompanied by a proper AML risk assessment and by an adequate system and methodology for transaction monitoring. I should say that my team has not yet been successful in getting the approval for this kind of routine as a compliant NF2F KYC routine by the Spanish AML Authority (after two years of well-written submissions with detailed explanations on the processes and technologies involved) but I tend to think that now that the PSD2 is here, companies like Kontomatik, Figo and Perfios that have built significant expertise and reliable APIs for the provision of account information have one more interesting application for their technology: In the very near future they might just be perceived as key enablers of seamless and compliance-enabling NF2F KYC routines.






Thursday, February 14, 2019

Towards the KYC routines of the 21st century

Some thoughts on how AML Law can enable innovation in the realm of financial services.
 

Great user experiences are critical for the success of digital businesses in all industries. A 2017 study by Gartner ventures the following prediction:

“By 2022, digital businesses with great customer experience during identity corroboration will earn 20% more revenue than comparable businesses with poor customer experience.”

And then there's Fintech. Wherever you look in the realm of Fintech, you will see businesses that are built around what we could call "User Experience USPs". These come in all shapes and forms but tend to revolve around ideas of convenience, speed and ease-of-use: Revolut offers the possibility to "open a current account in minutes", Vivus promises to give you a loan "fast, with no guarantors and without paperwork", N26 seems ready to enable you to "Take control of your finances (...) With just one app" and Monzo claims that by using their app you can "Pay people in Seconds".



This apparent laser-focus on UX can be explained by many factors. The most cynical of observers may suggest that it is merely explained by considerations of the marketing kind: Fintech entrepreneurs and marketers seem to be in a consensus that adopting a bank-bashing narrative is good for the business. At the core of that narrative is the idea that Fintech should be defined and portrayed as an evolution of banking, if not in outright opposition to traditional brick-and-mortar banks which are perceived as the home of excruciating user experiences.

While there is a kernel of truth in that train of thought, my view is that the obsession within Fintech is mostly explained by basic unit economics: Since the beginning, anyone in Fintech (at least anyone that was doing anything other than Payments) shared an intuition that later became a data-driven realization: Acquiring customers for digital financial services is very expensive. In fact, after slightly more than six years of working very closely with product teams in Fintech I can comfortably assert (without feeling extremely compelled to raise too many caveats) that product teams in Fintech tend to be obsessed with the idea of building funnels and lead-cycles that are all about ensuring that those extremely expensive leads are not lost on the way. This is so very much the case that any product counsel or compliance officer in Fintech who does not have a good grasp of marketing basics and UX design is in serious trouble (but this is a topic for another occasion).

So Fintech is particularly interesting because it seems to care very deeply about user experiences yet (unlike many other "digital industries") its creative efforts to build cutting-edge user experiences are heavily constrained. One of those constraints, perhaps the most stringent of them all, is Anti-Money-Laundering Law in its most basic form: statutory requirements/regulatory guidelines for customer identification/KYC. This constraint is aggravated by the fact that most Fintech transactions occur via the internet, which puts them under the dreaded category of "Non-Face-to-Face transactions" (NF2F), the kind of transactions that require more robust KYC routines because they are considered to pose a higher risk of Money-Laundering/Terrorism Financing according to the discourse of AML Law.




If we are to believe that Gartner's predictions will hold true for Fintech and if we share the view that the evolution of financial services involves a shift to a paradigm of customer-centrism and great user experiences, it is critical to revisit AML Law to ensure that it achieves its very laudable aspirations (in terms of the 5th EU AML Directive: "To prevent the use of the financial system for the purposes of money laundering or terrorist financing") without creating unnecessary legal constraints for the industries whose prosperity depends precisely on building cutting-edge user experiences.

I submit that this is an extremely important public policy discussion for the future of financial services and I would like to use the lines below to propose some preliminary thoughts and ideas that I hope would contribute to that discussion:


1. AML Law for the 21st century must fully embrace Risk-Based approaches and abandon exhaustive lists of pre-approved KYC measures

The fourth EU AML directive (AMLD4) was a very good step in that direction because it abandoned the temptation of proposing exhaustive lists of compulsory customer due-diligence measures and seemed to favor a full-blown risk-based approach. In contrast, the third AML directive (its predecessor) enshrined a list of due-diligence measures that were a priori sanctioned as sufficient for non-face-to-face transactions, namely:

“(a) ensuring that the customer's identity is established by additional documents, data or information;
(b) supplementary measures to verify or certify the documents supplied, or requiring confirmatory certification by a credit or financial institution covered by this Directive;
(c) ensuring that the first payment of the operations is carried out through an account opened in the customer's name with a credit institution."


Granted, the repealed Article 13.2 of AMLD3 explicitly stated that the items on the list above are mere examples of measures that could compensate for the higher risk of money-laundering posed by non-face-to-face transactions, but it seems that the legislators in many European Member States read that list as an invitation to create their very own country-specific lists of mandatory KYC measures. This was certainly the case of Poland (though their new AML act does not contain the list anymore) but, perhaps more alarmingly, is still the case in Spain where obliged entities must carry out at least one of the following measures for non-face-to-face transactions in accordance with Art. 21 of the regulation that implements the Spanish AML act (the translations into English are mine):

“a) To verify the identity of the customer in accordance with the Law on electronic signatures.
b) Ensuring that the identity of the customer is verified by means of a copy of the identity document (…) insofar as said copy was issued by a notary public. (The literal expression in the Spanish regulation is “Fedatario Público”).
c) Ensuring that the first cash flow of the transaction is routed from an account in the name of the same customer with an entity that is domiciled in Spain, the European Union or equivalent third party countries. (This is what in some Fintech circles is called the cent-transfer or penny testing KYC routine).
d) Ensuring that the identity of the customer is verified by any other secure proceedings previously authorized by the executive service of the Commission for the Prevention of Money Laundering.”

This particular provision in Spanish AML regulation is an example of a half-hearted risk-based approach. In general, obliged entities can decide which KYC measures to apply to their customers by consulting only their AML risk assessments, but when it comes to non-face-to-face transactions, they need to apply at least one of the measures that the regulator has sanctioned a priori. The obvious problem with this policy stance is also perfectly exemplified by the provision above: The Spanish legislator seems to have decided, in its infinite wisdom and foresight, that asking customers for electronic signatures or notary certifications is a sensible idea in the year 2019. Granted, the Spanish regulation has given the executive branch some discretion to approve new KYC measures for NF2F transactions that are not included in the list, but it is mid-February 2019 and the use of this discretion has not given us much more than a rather cumbersome KYC routine based on video-conferences. (Because video-conferencing is so cutting edge, right?).


In sum, I would propose that fully embracing the risk-based approach (which seems to be the current stance in EU Law) is the right way to go: The role of the regulator in this ideal scenario should be to lay out the minimum elements of a sound AML risk assessment and then give the innovators some freedom to devise KYC routines that effectively address any identified risks, be it for transactions that occur inside a bank branch or through the internet.



2. Tech-Neutrality is very important: ID-cards and state-issued documents are technologies

As recently as August last year, the Polish AML Authority (GIIF) issued a binding guideline where it stated (using nicer words) that obliged entities are free to adopt risk-based KYC measures but, in the case of NF2F transactions, they should always implement KYC routines that encompass at least one verification that is based on a document that attests identity “within the meaning of generally applicable laws (…) For example your ID or driver's license”.

It is not my intention to single out the Polish AML regime and/or GIIF which, in my view, are friendlier to UX innovation than most. The point is that there are very similar provisions/regulatory guidelines in the KYC rules of virtually every jurisdiction, so there seems to be some kind of obsession with one set of technologies: State-issued cards and paper documents. I submit that this is far from a technology-neutral policy stance and that the AML Law of the 21st century should stop running in circles around these rather outdated technologies as the only enablers of reliable identification.



3. Non-Mandatory State-sanctioned digital ID/KYC solutions are most welcome (India’s Aadhaar and Russia’s SNILS are good examples)

The Aadhaar system in India has been controversial from the privacy perspective, but it hints at some interesting possibilities for the future of AML Law. At its core, Aadhaar is a 12-digit number issued by the Unique Identification Authority of India to all Indian residents. These numbers are linked to the demographic and biometric information of Indian residents, who can also choose to link their mobile phone number. Perhaps the most interesting aspect of Aadhaar from the AML perspective is that Indian AML Law and the regulatory guidelines of the Reserve Bank of India allow for the possibility of a KYC routine wherein the potential customer of a financial services provider simply discloses his/her Aadhaar number to the latter, who is able to use the Aadhaar infrastructure to send a One-Time-Pin (OTP) to the mobile phone linked to the Aadhaar number in question. Immediately afterwards, the financial services provider can prompt the potential customer to type the OTP into an Aadhaar widget on its website, for example. If the OTP provided by the potential customer is a match, the KYC routine is completed.


As usual, there are some caveats: The Aadhaar OTP KYC may only be used for transactions involving very small amounts and must be followed by a full-blown paper-document-based due diligence within one year, but it still looks like a step in the right direction.

Another good example comes from Russia, where the SNILS database allows for an equally convenient onboarding experience wherein financial service providers can simply cross-check the information provided by potential customers with the information in the SNILS database. A match between the data provided by the potential customer and the data in the database (as linked to the potential customer's SNILS number) would constitute a sufficient KYC routine under Russian Law.

How incredibly simple is this? How about allowing Financial Service Providers to use these very convenient routines for all customers who have been adequately assessed as low risk customers from the AML perspective?



4. It might be a good idea to focus the scope of application of AML Law on transaction typologies instead of “Obliged Entities”

AML Law is typically formulated in such a way that its scope of application is mostly a question of whether the purveyor of goods/services falls into a category of “Obliged entities” which is predetermined by statute. This is typically called “subjective scope of application” in legal praxis. What that means is that in order to determine whether AML applies in a given scenario the first question is whether an “obliged entity” is involved in the transaction.

Article 2 of AMLD4, for example, states the following:
“This Directive shall apply to the following obliged entities:
(1) credit institutions;
(2) financial institutions;
(3) the following natural or legal persons acting in the exercise of their professional activities:
(a) auditors, external accountants and tax advisors;
(b) notaries and other independent legal professionals, where they participate, whether by acting on behalf of and for their client in any financial or real estate transaction, or by assisting in the (...)”



Now, this approach is very helpful for the purpose of delimiting who is subject to AML Law (and who is not) but it tends to suggest that all transactions carried out by any entity included in the list are subject to the whole corpus of AML Law including, inter alia, KYC requirements. I am somewhat convinced that this is misguided: Do we really think that all transactions carried out by consumer credit providers (for example) must be subject to KYC? How about consumer credit transactions that are non-interest-bearing or involve incredibly small amounts that make smurfing impossibly costly or inefficient? Granted, most AML legislation sets de minimis thresholds that exempt certain small amount transactions from KYC requirements, but a more conscientious emphasis on the typology of exceptions or (even better) a possibility to omit KYC altogether for transactions that pose very little AML risk (as demonstrated by a sound risk assessment) would be an interesting possibility to explore.



5. Enforcement, enforcement, enforcement

I think it is worth repeating, for the record, that KYC rules are critically important for AML Law to fulfill its very laudable purpose. If that is the case, it is of the essence to renew the regulatory commitment towards the enforcement of these rules. This is, in my experience, particularly true in Fintech. Some of the spaces and verticals within Fintech that are not overseen by a “specialized financial regulator” (such as a central bank, a financial supervision authority or similar) seem to be afflicted by a case of cognitive dissonance: Market incumbents (or at least their compliance teams) know that AML Law and KYC rules exist and that they -probably- apply to their businesses, but some act as if KYC was only a real concern for banks or more traditional brick-and-mortar financial institutions.


This cognitive dissonance has a very simple explanation, in my view: a lack of effective enforcement of AML Law or the credible threat of same. It is rather painful for me as a legal and compliance professional to admit this, but I am convinced that there are verticals within Fintech where a businessman with a good commercial acumen might reasonably decide that it is irrational for his/her business to bear the costs of implementing fully-compliant KYC practices. In these verticals you will frequently hear senior marketers or salespeople uttering a data-driven version of the dreaded “none-of-the-competitors-is-doing-it” fallacy, except that in these spaces that flawed logic is enabled by what seems like regulatory inaction.

This tendency towards inaction can in turn be explained by many reasons; the most obvious one is the same reason that explains insufficient enforcement in all realms: the state apparatus does not have enough resources to ubiquitously enforce AML Law in all cases. But a lack of effective enforcement creates regulatory limbos where the only specialized regulator with competence over AML simply relinquishes its role vis-à-vis a cluster of market incumbents and fails to send a message that should be heard loud and clear by everyone: AML Law is binding and it must inform your compliance program.

So, at the risk of sounding trite, I phrase my last suggestion as follows: The KYC rules of the future should be enforced in all verticals and for all types of obliged entities. Regulators should strive for a clear enforcement strategy aimed at Fintech that clarifies which regulatory body is responsible for supervising each vertical and leaves no doubt about the fact that the enforcement efforts need to go beyond supervising the practices of a single type of obliged entity. For the jurisdictions where financial supervisors are genuinely lacking resources to have a good oversight of AML programs across the whole financial system, a good start would be to double down on mandatory AML audit requirements, for instance. A reputable auditor’s report whose cost is borne by the obliged entities (submitted every year, perhaps) might go a long way to ensure that costlier enforcement actions (such as on-site inspections or dawn raids) are used only when strictly necessary.

I am sure that there are healthy and vibrant AML policy discussions in the AML community about some of these issues, so I offer these suggestions not as the certainties of a self-proclaimed authority on the matter but as a sort of message from the trenches. My hope as a legal and compliance professional in this space is that Fintech becomes an assiduous participant in policy discussions. There is very little to be gained from an apathetic stance towards regulation. Fintech has a lot to contribute.

Disclaimer: The opinions expressed by the author in this post are strictly personal and do not reflect the official position of the Kreditech Group. Any threatened law-suits, hate-mail or angry rebuttals in response to this are ideally to be addressed to the author directly, in the comments. :)