The European Securities and Markets Authority (Esma) has found regulatory gaps across EU member states in the licensing regime for crypto-asset related activities and in the governance and risk management processes associated with both cyber security and cloud outsourcing.
The divergence in rule-making emerged from two surveys conducted by Esma since January 2018, which gathered evidence from national competent authorities (NCAs) on the treatment of fintech firms in their jurisdictions.
The surveys confirmed that, overall, NCAs do not typically distinguish between fintech and traditional business models in their decision making since they authorise a financial activity and not a technology.
The primary area where regulatory gaps and issues have been identified and where fintech firms do not fit neatly within the existing rules is related to crypto- assets, ICOs and DLT.
National rule-makers called for more clarity at the EU level with respect to the definition of financial instruments and the legal nature of crypto-assets. Esma says the responses serve to confirm its own Crypto Asset Advice that certain tokens are financial instruments and subject to the full attendant regulation, while those tokens that are not deemed financial instruments should be subject to some minimal level of regulation.
The surveys also identified the need for greater clarity around the governance and risk management processes associated with both cyber security and cloud outsourcing. Esma says recent guidelines published by top EU regulatory bodies on legislative improvements relating to ICT risk management and cyber-resilience will address many of the issues unearthed during the survey.
Based on the evidence gathered, Esma concludes that "at present most innovative business models can operate within the existing EU rules". As such, it "does not make additional recommendations for changes in EU regulation at this stage".