As part of this , Delano asked nine financial experts about the regulatory topics at the top of their list of priorities for the next 18 months. , CEO of Finologee, sat down with us to share the regulatory issues that are on his radar.
“I think the most challenging regulation that the financial industry is currently facing and that will have a huge impact is definitely Dora, the Digital Operational Resilience Act,” said Mulheims. “Players in the financial industry have already been subject to regulation such as outsourcing regulation. There have been quite a few, like the EBA [European Banking Authority] guidelines on outsourcing arrangements, which applies to banks, and indirectly to suppliers, and so on. The CSSF [Financial Sector Supervisory Commission] has put this into Luxembourg law, where they extended the scope a little bit, but they haven’t extended it to the whole financial industry.”
“That’s where Dora comes in, because it partly covers the same topics, but it goes beyond,” said Muleims, both in terms of the scope and the matters it covers. “Now there’s pretty much every entity in the financial industry in Luxembourg that’s also in scope of Dora.”
And in terms of the matters it covers, “it’s not only outsourcing, per se--so, if other companies are doing, let’s say, part of the job of a bank or another financial industry [player]--but it applies also to, for instance, software providers.”
There are plenty of questions we have to ask and plenty of elements we have to be careful about.
“So if I, as a bank, or even me, at Finologee--because we are regulated as a support PFS [professional of the financial sector]--if we buy a software, we have to be, from now on, in general terms, more careful,” he said. “We need to check who’s providing the software? What are the guarantees that go with it? How can we monitor the quality? What is there in terms of security, and so on? There are plenty of questions we have to ask and plenty of elements we have to be careful about.”
“That’s only one example. There are several other elements in the Dora regulation that are, I believe, a very good thing that they come. But on the other side, it will be a burden and a hurdle for many players--especially the smaller ones--that haven’t been facing this kind of regulation until now.”
PSD3/PSR: “an evolution, not a revolution”
The Payment Services Directive 3 (PSD3)/Payment Services Regulation (PSR)--will see an update in the coming months. But this, said Mulheims, is more of “an evolution and not a revolution.” It will enhance and apply updates “with regards to the mandatory access to accounts that banks have to provide to third-party providers.”
Say, for instance, you want to buy something on Amazon and you want to pay directly from your bank account. “There’s an option to trigger this payment directly from your bank account. Amazon can make a request to the bank; as a user, you have to authorise this with your bank and then the payment gets executed.”
“There’s some updates that are going to happen, and there, we’re looking 18 to 24 months ahead. It’s still in draft status, so it’s not stable yet.”
Data sharing with Fida
The last point that Mulheims highlighted that can have “quite an important impact” is the Financial Industry Data Access framework, or Fida. This was published in June 2023--at the same time as the draft PSD3 regulation. “It has a very similar goal, but it has almost the same impact, I’d say, on non-bank financial institutions as PSD2 and 3 have.”
This means that “insurance companies, for instance, but also investment firms and many other players in the financial industry will have to open up their ‘vaults,’ to a certain extent, with regards to data. They will have to provide an option for their clients to share the data that is stored by the insurance company, for instance.”
Read also
Say a client has a car insurance policy with one company and wishes to share some data points with a separate insurance company. The client “can authorise the first one to share the data with the second one,” and it will be mandatory for the first company to open up the data points and to grant access.
“Here, we’re also in draft status, so it’s not final yet,” added Mulheims. “There has been a lot of questions and also criticism, let’s say, on the other end.”
“When we talk about payments, with PSD2 and PSD3, banks have been equipped for many years already with an environment where they had direct access to their payment infrastructure. It’s not always a fully live infrastructure, but it is meant for data sharing, because payments happen between one bank and another.”
“Now, when we talk about data sharing between one insurance company and another, their systems typically haven’t been designed that way. If they already have something like a customer care portal, where you can manage your policies and so on, many insurance companies have done the job and have linked their systems to an online access gateway, or portal, for their clients. Then, it might be possible to rather easily open up the data and then start sharing it with another company.”
Wider impact of Fida
But there are companies that haven’t done so, such as investment firms or smaller companies that only have five or 10 clients. “They are operating using Excel, and you cannot use Excel to share data in the way that is meant” in Fida.
“This will lead, I believe, to a lot of questioning and a lot of enhancements and improvements that these players will have to [implement], and the impact will be much wider than just requiring them to open up the access to the data. It will have an impact on the very core of the operations of these players, when they will have to question the way that they use software--or don’t use software today--and how they design the systems for tomorrow.”
This is especially important in Luxembourg, where there’s “a huge wealth management industry.” “Luxembourg is very good at managing high-net worth individuals’ assets,” he said. But because there are fewer high-net worth clients when compared to retail consumers, “systems may not be as modern or state-of-the-art as with consumer-focused players.”
.