Digital identities and cloud services as part of the new digital finance package

On 24 September, the European Commission published a digital finance package, composed of a digital finance strategy, a proposed regulation on cyber-resilience and two proposals on crypto-assets and Distributed Ledger Technologies (DLT).

Eurosmart had contributed to the consultation on a digital finance strategy to underline the need for trustworthy digital financial identities. This newly published strategy builds on the answers gathered during the consultation. It describes future actions to be undertaken to foster the use of digital identities in the financial sector, including a better harmonisation of the anti-money laundering requirements. The new framework will also build on the revised eIDAS.

In addition, the proposal on cyber-resilience in the financial sector tackles the issue of critical ICT third-party service providers, such as cloud services. This could point towards favouring cloud service providers established in the EU.

Please find below the links to the documents and a briefing on the main take-aways from these documents.

Objective of the digital finance strategy

The aim of the digital finance strategy is to ensure that the regulatory framework facilitates digital innovation, such as DLT or AI. It should also guarantee that such technologies are in line with EU values.

The document underlines that digital finance has been instrumental in times of COVID 19. For instance, “online identity verification has enabled consumers to open accounts and use multiple financial services at a distance”.

Ultimately, the strategy aims to have strong European market players driving digital finance.

Enabling EU-wide interoperable use of digital identities

By 2024, the EU should adopt measure to foster the use of digital identities to access financial services quickly and easily. Such a framework should enable the re-use of customer data, subject to informed consent.

First, the anti-money laundering and terrorism financing rules will be better harmonised. The European Banking Authority, jointly with the other European Supervisory Authorities, is developing guidelines to bring convergence on the elements related to identification and verification needed for on-boarding purposes. These guidelines should be finalised by Q3 2021.

Secondly, the European Commission will engage with the European Data Protection Board (EDPB) to clarify all data protection aspects in the context of reusing ‘on-boarding’ information for other purposes (e.g. ‘on-boarding’ with another provider, access to other non-banking services).

Thirdly, the European Commission will further define and harmonise customer due diligence (CDD) requirements to facilitate the use of innovative technologies without having to comply with different requirements/processes depending on the Member State. For instance, the European Commission could define what ID documents are needed to establish a person’s identity and clarify which technologies can be used to check ID remotely.

The Commission review of anti-money laundering rules will also aim to propose:

· improving and clarifying access to data to enhance financial service providers’ ability to authenticate the identity of the customer;

· further specifying, by means of technical standards, aspects relating to detailed identification and authentication elements for on-boarding purposes;

· further developing, by means of technical standards, reliance on third parties to meet CDD requirements, including issues associated with liability, transparency and ethical use. These technical standards would build on the European Banking Authority guidelines.

The revised eIDAS will be another pillar of this new framework. The revised text would extend its application to the private sector and provide a framework supporting an EU-wide system for managing digital identities. The Commission intends to build on this revised eIDAS to integrate further elements, for instance to ensure that digital identities can be used for “on-boarding” with another financial institution. These elements could include investor suitability or customer credit profile.

Facilitating the use of DLT

By 2024, the EU should put in place a comprehensive framework enabling the uptake of distributed ledger technology (DLT) and crypto-assets in the financial sector. It should also address the risks associated with these technologies. Therefore, the European Commission published two legislative proposals on DLT as part of the digital finance package.

The European Commission will aim to integrate DLT and Internet of Things in the sustainable finance taxonomy by 2021 to encourage the development of low or zero emission technologies.

Strengthening digital resilience in the financial sector

As part of this digital finance package, the Commission published a proposal for a regulation on the digital operational resilience of the finance sector. This text was conceived as a complement to the NIS Directive 2016/1148. It brings further harmonisation and more stringent security requirements compared to the NIS Directive.

The proposed regulation lays down an obligation for financial entities to have in place governance and control frameworks to ensure management of all ICT risks. This includes an obligation to monitor arrangements concluded with ICT third party services providers (including cloud services).

Among other security requirements, financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated controls systems to prevent access to cryptographic keys whereby data is encrypted. Financial entities are also subject to an obligation to test all critical ICT systems at least yearly, for instance via penetration testing.

Strong oversight of critical third-party ICT providers

Interestingly, this proposed regulation established an oversight framework for critical third-party ICT providers to the financial sector, such as cloud service providers. This means that national competent authorities shall be informed of all relevant arrangements made with ICT third-party service providers.

Article 28(9) of the proposed regulation stipulates that “[f]inancial entities shall not make use of an ICT third-party service provider established in a third country that would be designated as critical pursuant to point (a) of paragraph 1 if it were established in the Union.” This could mean that cloud service providers shall be established in the EU to provide services to the financial sector.

Moreover, the strategy mentions the project to launch a European cloud services marketplace, which would facilitate access to alternative cloud service provides, including in the financial sector.

The document also refers to the cybersecurity certification scheme for cloud services (pursuant to the Cyber Act), which will support trust in cloud use.

Next steps:

The legislative proposals will follow the ordinary legislative procedure, whereby the European Parliament and the Council will examine the texts.

Q4 2020: proposal for a revised eIDAS

2021: revision of the anti-money laundering and terrorism financing rules

If you have any questions on this issue, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com