“What are the Wider Supervisory Implications of the Wirecard Case?” – Giorgio Barba Navaretti, Giacomo Calzolari and Alberto Franco Pozzolo

English Edition, published by The Economic Governance Support Unit (European Parliament):

“What are the Wider Supervisory Implications of the Wirecard Case?”

Executive Summary:

Although the case of Wirecard appears to be an accounting fraud of the more classical type, many lessons can be drawn for the design of Fintech regulation and supervision. To some extent, the inability of the authorities to detect such a misconduct in a prominent and well-known company is the result of regulatory loopholes, which may leave room for future transgressions. There was no comprehensive and integrated oversight of Wirecard activities, both in terms of lines of business and geography of its operations. There was neither an adequate vetting of its accounting practices, nor an effective oversight and enforcement of accounting and auditing practices. Probably this was possible also due to a generally inadequate understanding of the business model and of the technology of Wirecard. Because of its status as a high-tech Fintech company, Wirecard was left to operate under a veil of regulatory ignorance, with no effective challenge to the viability of its business model. Also, the geographical span of its operations, frequently carried out through third parties and under different regulatory and supervisory regimes, made the oversight of its activities even looser. At the same time, Wirecard could also pass the hurdle of the scrutiny of large investors and banks, which provided massive funding to its operations. The complexity of Fintech companies, their technologies and the broad span of their operations, both in terms of bundled services and geographical scope, raise concerns for both investor and customer protection, as well as for financial stability, as discussed at length in this briefing paper. In general terms, there is a growing need to balance the efficiency gains of technological innovation in the financial industry with possible additional risks for its stakeholders. Regulation and supervision must be effective but, at the same time, they must not stifle innovation in the financial industry. This briefing paper makes a number of proposals and identifies few clear “imperatives” to address “the new challenges and risks associated with the digital transformation” – one of the four key priorities of the Digital Finance Strategy for the EU recently published by the European Commission (EU Commission, 2020a-c) and to address the concerns and resolution on digital finance put forward by the European Parliament (2020):

  1. Avoid regulatory arbitrage. Cover uncharted territories when businesses are running ahead of regulators, and ensure a level playing field between Fintech companies and traditional businesses. Make sure that entities carrying the same activity follow the same sets of rules, however they carry them out (e.g., providing credit through on-line credit platforms or traditional banks).
  2. Understand clearly what Fintechs do and what their business models are. Regulators need to understand the potential enhancing or disruptive impact of Fintech activities and how they interact with other parts of financial and non-financial markets. Sandboxes – well-identified, temporary and light regulatory frameworks for new experimental products, lines of business or technologies – are useful in this respect, as far as they do not create unhealthy links between the regulators and the regulated.
  3. Combine the oversight of entities with the oversight of activities. On the one hand, unbundled financial activities should be supervised independently of the form of incorporation adopted by the company and of the other activities that it performs in parallel (According to EBA 2017, more than 30% of online payment services are unregulated). On the other hand, just focusing on regulating and supervising activities generates a significant risk of compartmentalising the oversight of financial markets. The Wirecard lesson is that a partial oversight of an entity may create substantial regulatory loopholes. These loopholes may especially emerge for companies like Wirecard, with a complex and intricate web of activities, unbundling part of their services to third parties in different countries (e.g. third-party acquirers in Asia), carrying out their operations through independent entities within the group in different lines of business, under different regulatory and supervisory regimes(e.g. Wirecard AG, the holding, considered as a technology non-financial company, and Wirecard Bank in Germany) and carrying out services for financial clients based again in many different countries (e.g. small banks or other Fintechs). Although supervisory failures in the Wirecard case were mostly in the domain of accounting enforcement and thus of investor protection, loopholes may emerge in all regulatory domains, pertaining to customer protection, investor protection and financial stability. In this respect, we do share the underlying rationale of the proposal of the European Commission (European Commission, 2020a), which grants adequate oversight powers with respect to technological third-party providers, also within the same group. This approach overcomes the problem of the identification of financial conglomerates with the right of oversight just depending on the actual risks that technology companies or activities may cause on financial intermediation.
  4. Master the technology used by Fintechs. At the core of Fintech expansion there are a set of relatively recent technologies that allow for better information extraction from data, often classified under the hat of Artificial Intelligence (AI), and the use of a massive amount of data – Bigdata – that can be effectively exploited with AI. It should be clear that technologies are only tools to perform standard financial activities that up to now were carried out with other means. Although one can never understate the impressive efficiency that AI algorithms can bring to financial markets, any hype about AI and its applications should be avoided. Most important, for a safe use of AI in financial markets, supervisors and regulators must have the ability to monitor and assess the actual behavior and functioning of these algorithms. They must develop and acquire technological competences, to avoid losing sight of the true business model of the entities supervised, as it seems to have happened in the Wirecard case. Regtech and Suptech are interesting developments in this respect, but although they will certainly complement the activity of regulation and supervision of financial markets, they cannot completely substitute more traditional approaches.
  5. Know the global picture and harmonise and coordinate internationally rules and oversight of Fintechs. Fintech players, especially those unbundling and specialising in narrow segments, have shown a natural tendency for cross-border activities. This is expected, since with specialisation firms need to tap new markets rather than new businesses. This broad span of the geography of business activities calls for a coordinated action of regulators and supervisors, certainly in Europe, hopefully more broadly. The case of Wirecard highlights how crucial this issue is. The global reach of the company was significant, with the obvious problem that in the payment systems we lack unified supervision and different national standards apply, for example, on the interoperability of enabling technologies. When a Fintech player in this business outsources part of its activities to a third-party, national supervisors have access to information about these external operators only if they are located within national boundaries. As soon as these activities take place cross-border, they become almost impossible to scrutinise in a unified way. Solutions to the issue of lack of coordination and harmonised standards are necessary, although not easy to find. The effort that is normally required is significant, but not impossible, especially in situations of crisis, as the case of Banking Union has shown. We see this process of harmonisation and coordination, in the case of Europe, as a necessary ingredient of the Capital Market Union.
  6. No need for a new regulatory agency, rather we need coordination among national competent authorities. We do not believe that there is a need for a new regulatory body overseeing Fintechs. The regulatory loopholes emerging from the Wirecard case are to a large extent independent from the fact that the business was Fintech. Certainly, IT and AI technologies increase the complexity and the intricacy of business activities and of new initiatives in unchartered areas. Also, they may induce supervisory indulgence under a veil of ignorance. Nonetheless this can happen in newly created Fintechs or also with the introduction of Fintech activities in traditional businesses. The objectives of regulation remain the same, investors’ and consumers’ protection and financial stability, whether operations are carried out by Fintechs, traditional businesses or a blend of the two. Fintech players and the Wirecard case do not provide, in our view, a compelling justification for such a new European Authority. In each of the key areas, investor protection, customer protection and financial stability, European authorities, EBA and ESMA may be put in the position of indicating harmonised and coordinated framework for Fintech across Europe, which will then be exercised by national competent authorities.