PaymentsPayment servicesCompetition

Improving customer protection, competitive equality, financial stability

10.05.2021Position paper
Christian Ossig
Ingo Beyritz


1. Review the approach to supervision: regulate banking instead of banks
2. Protect consumers and business: give due consideration to all the risks involved in payments processing 
3. Promote data sovereignty for customers: facilitate open data
4. Minimise money-laundering risks: standardise preventive measures and improve cooperation between authorities
5. Promote the diversity of services for customers: ensure fair market practices
6. Avoid regulatory arbitrage: maintain confidence in the overall system and prevent the distortion of competition 


Recognition and meticulous implementation of the principle “same services, same risks, same rules”

Payment and financial services are currently undergoing an extensive process of digital transformation, with technology firms and banks playing an instrumental role. The economic impact of this change can only be positive if there is an effective European single market in which innovation and technological competition can flourish. Provided that a functioning level playing field exists, such a change can help Europe to maintain and even expand its sovereignty in a key economic area. But this will require a single set of legal and regulatory rules throughout Europe that meticulously adheres to the principle of “same services, same risks, same rules”. We are not talking about blanket deregulation of banks or stricter, undifferentiated regulation of non-banks, but rather about targeted regulation which uses the same rules to control the risks associated with the same services, regardless of who performs them. In other words, we are in favour of risk and activity-based supervision. This will not only achieve an even higher level of financial stability, but also encourage competition that generates wealth, strengthens citizens’ trust and prevents the abuse of data and market power. 

We have identified six principles which will help to realise these economic and societal benefits:

  1. Review the approach to supervision: regulate banking instead of banks
  2. Protect consumers and businesses: give due consideration to all the risks involved in payments processing
  3. Promote data sovereignty for customers: facilitate open data
  4. Minimise money-laundering risks: standardise preventative measures and improve cooperation between authorities
  5. Promote the diversity of services for customers: ensure fair market practices
  6. Avoid regulatory arbitrage: maintain confidence in the overall system and prevent the distortion of competition

The following consideration of these six principles is intended to encourage a more detailed analysis of the various aspects involved. 


1. Review the approach to supervision: regulate banking instead of banks

Legal requirements

  • Current regulation: Articles 4, 11 and 18 of the European Capital Requirements Regulation (CRR2)
  • Responsible for revising requirements: European lawmakers (European Capital Requirements Regulation, CRR3) 
  • Timetable: European Commission proposal for adjusting the CRR expected in Q2/2021 


To observe the principle of “same services, same risks, same rules”, it would be desirable to supervise the business of banking instead of regulating entire companies in an undifferentiated manner. Regulation and supervision should focus on activities and thus be risk-based. But this principle is not respected as things stand because banking regulation targets financial institutions as a whole: in other words, it is bank-based. If more than half the activities of a group are banking operations, all units of the group are subject to banking regulation. In technology firms, by contrast, banking is typically only a secondary activity that accounts for less than half of the group’s total business. In consequence, only this licensed business unit is subject to banking regulation and corresponding supervision. As a result banks find it far more difficult than tech companies to develop technology as an activity within the group or establish new business models outside traditional banking business.

It is also difficult for banks to acquire fintechs since purchased companies become subject to the banking regulation of the group with immediate effect. This can have adverse consequences for the business development of the group and make acquisitions unattractive from the outset. For this reason, banks have to enter into partnerships instead. This ultimately undermines the role of banks in digitisation and thus weakens Europe’s digital sovereignty.

Effects of the current supervisory approach:

  • It is significantly more difficult for banks than for technology companies to develop new business models for the platform economy, for example, or to enter into new cooperation agreements. Indeed, the higher levels of financial and human resources required often make such undertakings unviable.
  • More complex requirements for banks make it more difficult to integrate external technologies and dismantle legacy systems, for example, or move towards platform structures. This inhibits the further digitisation of banks and thus of the entire financial sector. In consequence, the ability of banks to innovate and contribute to Europe’s digital sovereignty is adversely affected.
  • On top of that, the hampering or prevention of banks’ ability to innovate puts them at a competitive disadvantage compared to technology companies.

Proposed solutions

Targeted regulation is required. On the one hand, there is a need to examine whether technology companies that perform essential ancillary services for financial service providers are undersupervised and should therefore be included in supervision. Members of a banking group, on the other hand, should not be subject to banking supervision across the board and regardless of the activities they engage in. Instead, banks should be permitted to simplify technology development within the group by excluding units from banking supervision if they do not perform financial services. We consider the following steps necessary:

  • Adjust the definition of financial holding or allow exemptions from supervisory consolidation (Articles 4, and 11 and 18 of the CRR respectively).
  • Review the 50% threshold for banking operations above which the entire group is regulated as a financial holding company (Article 4 of the CRR). 
  • Allow regulatory sandboxes for the financial industry along the lines of those already operating in other industries.

The competitive environment surrounding banking and payment systems is changing rapidly. We are seeing an increasing division of labour, with services provided across companies or even sectors. To be effective, regulation must therefore focus more on processes which are especially relevant from a risk perspective and less on the providing companies in their entirety. This would make regulation more competitively neutral because the practical application of banking regulation would have less impact on non-banking business (than under the existing institutionbased instead of activity-based supervision). It would also support more targeted investment in
areas facilitating innovation and competition, such as software and personnel. 

2. Protect consumers and business: give due consideration to all the risks involved in payments processing 

Legal requirements

  • Current regulation: classification of payment service activities in Title II of the Second European Payment Services Directive (PSD2)
  • Responsible for revising requirements: European lawmakers (probably in Third European Payment Services Directive, PSD3) 
  • Timetable: European Commission report on the application and impact of PSD2 scheduled for the end of 2021, possible legislative proposals in the course of 2022


When processing payment transactions, a distinction can be made between various steps that are provided by banks, payment service providers or technology companies. Only steps classified as payment services are regulated by PSD2 and are thus subject to supervision. As a result of an increasing division of labour, however, individual steps are being outsourced to other companies.
These mainly technical services have no access to customer funds, do not fall within the scope of PSD2 and are not supervised. The problem is that these technical service providers have access to sensitive and valuable customer and payment data.

The German government recently responded as follows to a question from the Bündnis 90/Die Grünen (Green) parliamentary party about what action was needed in the area of supervising digital payment service providers (Bundestag printed matter 19/24372 of 16 November 2020):

Payment service providers (e.g. CRR credit institutions, payment institutions, e-money institutions) have been governed by a fully harmonising European legal framework for several years (e.g. PSD2, SEPA Regulation, Cross-border Payments Regulation and
Interchange Fee Regulation). According to the Retail Payments Strategy published by the European Commission on 24 September 2020, PSD2 requirements will be reviewed in the coming year. This will need to include a review of whether, and to what extent, there is a need for action on the scope of supervised payment service providers.

We share the German government’s view and our assessment is as follows:

  • A regulatory gap exists: firms that perform processing steps classified as payment services require a banking licence and their compliance with regulatory obligations is supervised. If, however, the – sometimes major – processing steps are not classified as payment services, the firms performing these elements of payments processing are not subject to comparable supervision. This leads to higher risks in the processing chain, thus posing (security) risks to other companies in the chain and ultimately to customers.
  • Data leaks caused by negligence and the misuse of customer data could have a negative impact on the efficiency and security of payments. 
  • The security and stability of the system, in which strictly supervised firms have invested heavily in recent years, must be maintained in the interests of users, the financial system as a whole and society.

Proposed solution

Risks in the processing chain caused by non-regulated companies should be analysed in detail. It is not just payments law in the narrow sense that should be considered, but also related supervisory requirements that are under review, such as those of the European Central Bank for payment systems and processes. Where risks are identified, the corresponding processing steps
should be classified as payment services. This will not prevent the division of labour and associated outsourcing to technology companies but will effectively facilitate it, since an activity and risk-based approach will enable risks to be addressed appropriately. 

3. Promote data sovereignty for customers: facilitate open data

Legal requirements

  • Current regulation: Titles II and IV of the Second European Payment Services Directive (PSD2) and the European General Data Protection Regulation
  • Responsible for revising requirements: European lawmakers dealing with open data (regulatory project needs to be clarified; possibly part of the European Commission’s payments strategy)
  • Timetable: conditional on regulatory project


Ways in which banks may use account data include

  • to provide customers with an overview of all their accounts (at the bank in question but also accounts maintained elsewhere) 
  • to make their customers tailored offers or 
  • to evaluate the data for internal purposes (such as risk management).

Account holders (consumers and businesses) can commission not just their bank but also account information service providers to use their account data (or to be more precise: payment account transaction data). Any company can become an account information service provider if it meets the relevant legal requirements and is granted authorisation to operate by the competent authority (Title II of PSD2). These requirements are considerably less stringent than those for a bank (CRR credit institution) and can also be met by technology firms, for example.

Account-holding banks must give account information service providers standardised access to account data free of charge (Title IV of PSD2). This means that banks bear the cost of developing, setting up and operating an infrastructure that enables other companies to develop new customer services and business models. These business models may be based on combining bank account data with their own customer data in order to refine the latter. Banks, by contrast, cannot normally access customer data held by third parties and process them on behalf of their customers. It is true that a bank can enter into an individual agreement with a technology
company. This requires considerable time and effort, however, especially since, unlike account data, data transmission is not standardised across Europe. There is a consequent lack of data sovereignty since consumers and businesses are not free to decide who they can authorise to use data held by other companies.

Proposed solution

Towards open data: all businesses should be obliged to grant other companies standardised access (possibly for a fee) to the customer data they hold. This should always be conditional on the mutual customer issuing a corresponding mandate for a limited period of time. The scope of the data to be transmitted will need to be defined. An open finance approach limited to the financial sector alone is not sufficient in an integrated data economy.

4. Minimise money-laundering risks: standardise preventive measures and improve cooperation between authorities

Legal requirements

  • Current regulation: European Anti-Money Laundering Directive (implemented in Germany by the German Money Laundering Act [Geldwäschegesetz])
  • Responsible for revising requirements: European and German lawmakers
  • Timetable: legislative projects scheduled for publication in Q2/2021 under the European Commission’s Anti-Money Laundering Action Plan


Banks, payment service providers and other companies in the financial sector that are subject to the European Anti-Money Laundering Directive largely have to comply with identical anti-money laundering requirements. It is up to supervisors, however, to monitor whether or not these requirements are met in practice, and there are significant differences in how competent authorities go about this task. This disparity in the intensity of supervision can be consciously exploited, posing risks to the financial sector and the economy as a whole. We see problems in the following areas:

  • Supervisory practices diverge as a result, for example, of differences in staffing levels and expertise. This applies to different competent authorities both within member states and at cross-border level.
  • National lawmakers have implemented the requirements of the directive in different ways, especially when it comes to identifying clients in group-wide processes and to identity checks.
  • The current rules stipulate that group-wide supervision of a mixed group is necessary only if the bank belonging to the group is the parent company, not if it is only part of the group. 
  • It is difficult to identify beneficial owners because transparency registers, though mandatory, are not available in practice in all member states.

Proposed solutions

Standardise legislation across Europe and strengthen the supervision of compliance with anti-money laundering rules

  • Firms offering customers comparable or even identical services should be subject to identical requirements. This should also apply if a firm is located in another member state. We therefore support the European Commission’s initiative to convert key elements of the current Anti-Money Laundering Directive into a European regulation. This full harmonisation would put an end to diverging implementation by national lawmakers.
  • Both parent and directly affiliated companies should be subject to anti-money laundering supervision if they provide financial services. This would prevent firms from circumventing anti-money laundering requirements through targeted group structuring.
  • It should be ensured that transparency registers are available in all member states (this was required even under the Fourth Anti-Money Laundering Directive; infringement proceedings may have to be initiated).

Standardise supervision

  • Supervision by authorities outside the financial sector has not proved effective. A single federal agency should be responsible for anti-money laundering supervision across all industries.
  • The German Financial Intelligence Unit (FIU) should cooperate more closely with anti-money laundering supervisors and other authorities: 
    •  This would improve the fight against money laundering by obliged entities in all industries.
    • Law enforcement authorities should have automated access to the FIU’s database.
    • The role and expertise of the FIU should be strengthened.
  • Supervision at EU level should be designed in such a way as to avoid regulatory arbitrage.

5. Promote the diversity of services for customers: ensure fair market practices

Legal requirements

  • Current regulation: EU Treaty and accompanying legislation, German Act Against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen)
  • Responsible for revising requirements: European and German lawmakers (competition law)
  • Timetable:
    • Germany: ongoing revision of the Act Against Restraints of Competition (government draft of 9 September 2020)
    • European Union: legislative process (probably until 2022) on the European Commission’s proposals for a Digital Services Act and Digital Markets Act


As things stand, customers are often unable to use the payment service provider of their choice on their mobile devices. The reason is that the technology firms providing end devices often do not allow these devices or the software installed on them to be used freely or impose certain conditions on their use. On top of that, two app stores dominate the software market. This restricts free competition and prevents market diversity. It also influences what software is on offer at all.

The problem is exacerbated by the fact that technology firms often use their market power to offer individual – and usually highly profitable – payment-related services. Sometimes these are also linked to further offerings such as sales finance. These usage restrictions imposed by the providers of end devices make it difficult for other market participants, such as banks, to offer
their customers payment services via their own apps. 

Proposed solutions for reforming competition law 


This issue is addressed by the September 2020 government draft of the tenth amendment to the Act Against Restraints of Competition. Of particular relevance are the envisaged rules of conduct for “companies of pre-eminent pan-market importance for competition” (Section 19a of the draft). Further requirements for platforms, digital companies and data access are planned, covering the following aspects, among others,

  • access to essential infrastructure, including competition-relevant data,
  • overarching market importance (market tipping), 
  • intermediation power and
  • injunctive measures in the event of conduct abusing a dominant position.

This reform could have a positive influence on other countries both within and outside Europe.
The European Commission has already taken up German legislation on access to important infrastructures connected with payment services, for example (Section 58a of the Payment Services Supervision Act [Zahlungsdienstaufsichtsgesetz]).

European Union 

The European Commission has issued proposals for a Digital Services Act and a Digital Markets

  • The Digital Services Act will regulate digital services and their content. The requirements of the European E-commerce Directive of 2000 will also be updated. 
  • The Digital Markets Act aims, among other things, at structural remedies for, and fair access to, big online platforms (gatekeepers). The legislation will essentially be directed at the GAFA big four, though other companies may also be affected if they exceed certain thresholds.

The proposed specific obligations for major online platforms and bans on certain of their business practices have the potential to improve the competitive situation. At the same time, it is important to modernise and harmonise the rules governing digital service providers if we are to achieve a single digital market in the EU. 

6. Avoid regulatory arbitrage: maintain confidence in the overall system and prevent the distortion of competition

Legal requirements

  • Current regulation: supervision by competent authorities under Title II of the Second European Payment Systems Directive (PSD2)
  • Responsible for revising requirements: European lawmakers (probably Third European Payment Systems Directive, PSD3) 
  • Timetable: report by the European Commission on the application and impact of PSD2 scheduled for the end of 2021; possible legislative proposals in the course of 2022


Payment services are subject to a uniform legal framework: the main legislative source, the European Payment Services Directive, envisages full harmonisation. Owing to diverging implementation in national law and differing national supervisory practices, however, there are differences in how some areas of the law are applied in practice. This is detrimental to payment service users, payment service providers and the stability of the overall system. Where, precisely, are problems to be found?

  • Under the principle of the internal market, payment service providers are free to offer their services throughout the European Union. As a result, risks can arise if legal requirements differ across member states or are interpreted differently by the competent authorities. Users of payment services, especially consumers, are not in a position to assess these risks. The attractiveness of an offer should be based on the performance and customer orientation of the payment service provider, not on advantages gained by exploiting less stringent regulatory requirements (regulatory arbitrage).
  • Payment service providers in member states where supervisors set the regulatory bar high are at a disadvantage. This creates a false incentive for businesses to locate in a member state with lower requirements. On top of that, payment service providers that operate in several member states incur high expenses because they have to comply with different national requirements. 
  • Risks arising from lower regulatory requirements can have an impact across borders on other service providers in the value chain. This endangers the overall stability of the system and can cause economic damage. 
  • This all undermines the original objectives of full harmonisation, namely to make it less complex to offer payment services across borders and to generate efficiency benefits for consumers and businesses alike.

Proposed solutions 

Applicable law

  • Detailed requirements should be formalised through full harmonisation in the form of an EU regulation establishing a single rule book (similar to the CRR) and substantive requirements set out in a directive for national implementation. 
  • The European Banking Authority should be tasked with reviewing implementation in national law (extension of the EBA Regulation). 
  • The existing restrictions on the choice of registered office (place of registered office under Article 11(3) of PSD2) should be tightened.

Supervisory practices

It would make good sense to establish a single supervisory authority along the lines of the Single
Supervisory Mechanism, i.e. a European authority to directly supervise systemically important
payment service providers and monitor national supervisors.


Contact Persons