"The creation of a regulatory framework built on the principle that activities that create the same risks should be governed by the same rules, with a view to ensuring adequate regulation and supervision and maintaining a level playing field."
This recommendation is intuitively attractive as well as seeming fair. The report states:
"Different types of financial service provider compete, notably incumbents and new market entrants, including BigTechs such as social networks or online market places, and small or new entrants, concentrating on tech-enabled financial services. They may be subject to markedly different standards, notably because they may be authorised in different Member States under different, entities-based EU regimes (credit institutions, payment institutions (see box on p17), 68 e-money providers, etc.), or because the relevant activity may be outside the EU regulatory perimeter, subjecting them to autonomous national regulation (if any).
The resulting divergences in regulation may constitute significant regulatory obstacles or produce regulatory gaps, thereby impacting the level playing field for providers of the same services, and imposing additional costs for compliance with multiple regimes. Therefore, market participants offering the same service or product should be regulated by rules that are truly activity-based and conceived according to the risks that the specific activities produce – in particular for end-users. That is, departing from the traditional institutions-based framework, the same regulations should apply regardless of whether the activities are led by an incumbent financial institution, BigTech or start-up (whether or not controlled by a financial institution). This principle should apply to all types of rules, including prudential rules, organizational requirements or conduct rules. The similarity of the relevant activity should be considered by taking a functional view of its effect, for instance in terms of consumer risk and, therefore, the standards of protection needed. The same activities can still be subject to differing regulatory obligations where they do not entail the same risks, whether individually or in combination. Describing the risk that an activity creates is more complex, as this requires an assessment of all consequences of that activity in its broader context. If activities, albeit the same, entail different risks, they can be subject to different rules."
This approach has been questioned in a speech by Fernando Restoy, Chairman, Financial Stability Institute, Bank for International Settlements, to the fintech working group at the European Parliament, delivered virtually earlier this month. In it, he said:
"...I believe that we need a determined policy response to the disruption created by the emergence of fintech and big techs. The aim will be to uphold primary policy goals such as financial stability, market integrity, consumer protection and fair competition. Unwarranted regulatory and supervisory asymmetries between different players, should also be eliminated, although only as far as this is compatible with overarching policy priorities.
Yet, contrary to what is often argued, I do not believe that it would be a promising strategy to move in the direction of replacing entity-based rules by an activity-based regulatory approach. Two considerations lead me to this conclusion.
First, most fintechs and big techs that are active in financial services are already subject to activity-based rules in the policy areas (such as consumer protection or AML/CFT) for which an activity-based approach is warranted.
Second, replacing entity-based by activity-based rules in other areas, such as prudential regulation, may severely jeopardise primary policy objectives, such as financial stability. In these policy areas, rules need to address risks stemming from the combination of all the activities that entities perform and they must focus, therefore, on the consolidated balance sheets.
There is, in fact, a strong case for relying more rather than less on entity-based rules to properly regulate big techs. Their unique business model calls for entity-specific safeguards, such as the ones being developed in several jurisdictions, including the European Union, in areas such as competition and operational resilience. This will help not only to safeguard primary policy objectives but also to address the competitive distortions emerging from insufficient regulation of big techs as compared with that applied to banks."
One interesting question is whether the proponents of "same activity, same risks, same rules" really intend it to be interpreted in the way that Mr Restoy has interpreted it, or whether the different sides are talking at cross purposes less than it may seem.
Omar Salem is a financial regulation lawyer at Linklaters.