The European Banking Authority (EBA) was established in the wake of the Financial Crisis of 2008/2009 and came into being on 1st January 2011.1 At the time, the authority took over the tasks and responsibilities from the previous Committee of European Banking Supervisors (CEBS) but also received additional objectives and tasks, including to contribute to the protection of consumers of financial services in the EU. The EBA started to fulfil these objectives from 2012 onwards, so the year 2022/23 is an opportune point in time to take stock of what the EBA has achieved in the first 10 years and identify remaining challenges.
To that end, this article starts with a short overview of the objectives and tasks of the EBA, explains the instruments available to the authority to fulfil them, and sketches its legal scope of action. The article continues with a summary of some selected requirements that the EBA has produced during that decade aimed at protecting consumers, and concludes with a glimpse into what the next couple of years are likely to bring for the EBA.
The EBA is an independent authority and accountable to the EU co-legislators, i.e. EU Parliament and EU Council. It has as its highest governing body the EBA Board of Supervisors, which comprise the governors, executive directors or other senior management of the 27 national supervisory authorities in the EU, who vote on the EBA’s output through majority voting.
The objectives of the EBA are set out in the first Article of the EBA Regulation. Article 1(5) mandates the EBA to protect the public interest by contributing to the short, medium and long-term stability and effectiveness of the financial system, for the Union economy, its citizens and businesses. And further down in the same article, the EBA is inter alia required to contribute to (i) improving the functioning of the internal market, including in particular, a sound, effective and consistent level of regulation and supervision; (ii) ensuring the taking of credit and other risks are appropriately supervised and regulated; and (iii) enhancing customer and consumer protection.
Further down, in Article 9, the EBA Regulation specifies that the EBA is required to take a leading role in promoting transparency, simplicity and fairness in the market for consumer financial products or services across the internal market and then confers a number of tasks through which the EBA is meant to achieve its objective: by collecting, analysing and reporting on consumer trends; reviewing and coordinating financial literacy and education initiatives by the competent authorities; developing training standards for the industry; and contributing to the development of common disclosure rules.
On 1st January 2020, Article 9 of the EBA Regulation was amended by the EU Commission and the EU co-legislators, to give the EBA additional consumer protection tasks. These are for the EBA to “carry out thematic reviews”, to “coordinate national mystery shopping activities, if applicable”, and to “develop retail risk indicators”. As these mandates were added to the EBA’s remit without making available to the EBA additional resources, the EBA managed to deliver on these mandates only in early 2023.
The EBA Regulation has made available to the authority different types of legal instruments through which the EBA is to fulfil its objectives and tasks, but which differ in terms of purpose, legal status, and possible addressees. For example, technical standards are an instrument that the EBA can address to financial institutions and/or to national competent authorities (NCAs) and that is directly applicable EU Law and thus does not require any national implementation or transposition.
However, the EBA can issue this particular instrument only if it has been empowered to do so by the EU Commission and the EU co-legislators through an explicit mandate articulated in an EU Directive or EU Regulation. Technical standards tend to take between 12 and 18 months to develop and include a public consultation of usually 3 months. Once the development is completed, the EBA submits the ‘draft’ standards to the EU Commission, which will check that the EBA has stayed within its mandate, and then ‘adopts’ the standards, with the EU co-legislators having a scrutiny right during that process. Once the scrutiny period has passed, the standards will be published in the Official Journal of the EU as an ‘EU Delegated Regulation’ and enter into force 20 days after publication.
Guidelines, by contrast, are not directly applicable EU law but require NCAs to implement them into their respective national regulatory and/or supervisory frameworks. NCAs have the option not to comply with Guidelines and have to notify the EBA whether they will do so. The EBA summarises these notifications in what is referred to as a “compliance table” that it published alongside the Guidelines. Unlike technical standards, the EBA can issue guidelines on its own initiative and has frequently done so to fulfil its consumer protection mandate (see further below for details). The application dates of the Guidelines are set by the EBA, specific to each set of Guidelines and taking into account inter alia the time it takes for financial institutions to make the necessary system and process changes.
Other instruments available to the EBA include opinions addressed to NCAs and/or to the EU institutions, warnings addressed to consumers, binding and non-binding mediation between NCAs about the interpretation of EU law, questions and answers (Q&A), and temporary prohibitions of the sale of particular financial products. While the latter of these instruments is potentially a very powerful tool to prevent consumers from experiencing detriment, the EU co-legislators have made the prohibition power available to the EBA for one financial product, which are structured deposits. SDs are deposits that are repayable at par at maturity and are linked to an underlying asset. However, in the low interest rate environment that has been prevalent in most EU Member States until very recently, issuances of SDs across the EU have been very low and the need for the EBA to use this power has therefore been non-existent. This power of the EBA’s will be extended to crypto assets from 2024/25 under the incoming Markets in Crypto Assets (MICA) Regulation but does not apply to any of the other products in the EBA’s consumer protection remit.
The EBA can apply these instruments to the financial products and services, financial institutions and national competent authorities (CAs) that are subject to the EU Directives or EU Regulations that have been brought into the EBA’s scope of action under Articles 1 and 4 of the EBA Regulation. At the time of writing this article, the products and services in the EBA’s scope of action consist of payment accounts (under the EU Payment Accounts Directive, PAD), deposits, incl. structured deposits (under the EU Deposit Guarantee Scheme Directive, DGSD, as well as the EU Packaged Retail Investment and Insurance Based Products Regulation, PRIIPS, and the Markets for Financial Instruments Directive and Regulation, MiFID2/MiFIR), payment services (PSD2), electronic money (EMD), residential mortgages (MCD), and, since January 2022, also consumer credit (CCD).
Since the creation of the EBA, the authority has issued a very large number of technical standards, guidelines, opinions, consumer warnings and reports in pursuit of its consumer protection mandate.2 Across these many different outputs, the subject matter has varied greatly also. It is therefore infeasible to present this output in any comprehensive way within the confines of the short article on hand. A small sample of the output will need to suffice instead, focusing on those instruments that were more noteworthy than others.
For example, in 2013, the EBA issued its first ever warning on virtual currencies (VCs). At a time when ever more opportunities were offered to consumers to withdraw cash in fiat currency by using VCs such as Bitcoin, and as ever more shops allowed consumers to pay with VCs, the EBA warned consumers that this product is not covered under any EU law and that consumers are therefore not protected should anything go wrong.3 It was noteworthy that the EBA was the first public authority in the world to issue a warning of this kind and, to maximise its reach and impact, translated it into all official EU languages. As the EU Commission and EU co-legislators started discussing a potential EU law to govern these new innovations, that would subsequently be known as the MICA Regulation, that is due to enter into force in 2024/25, the EBA re-published the warning in 2018, 2020, and spring 2022 to remind consumers that, while any such law is not yet legally in force, no protection is afforded to consumers, who continue to be exposed to the same risks.
In 2014, the EBA issued on its own initiative, and jointly with the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), Guidelines on complains handling.4 In so doing, the three authorities created an identical set of requirements on how financial institutions are required to set up and manage complaints handling processes and that, thus, apply in a uniform way to hundreds of thousands of FIs across the banking, insurance and investment sectors. This particular instrument is noteworthy because, for those entities that sell products from more than one sector, including credit institutions, a uniform set of requirements significantly reduces compliance costs compared to an alternative whereby the requirements diverge across the three sectors.
In 2015, in turn, the EBA issued five instruments in support of the MCD, including one set of Technical Standards on the minimum amount of professional indemnity insurance, and two sets of Guidelines on own initiative: one on creditworthiness assessments of mortgage applicants5 and the other on arrears and foreclosure.6 The EBA considered that the provisions in the MCD itself were a helpful and significant step forward to protect consumers in these two crucial areas. However, on close inspection, the EBA was of the additional view that the relevant provisions were not yet sufficiently detailed to ensure consistent supervisory approaches by NCAs and high-quality consumer outcomes across EU Member States.
While many stakeholders did not consider these two areas to be a particularly urgent issue given the low-interest rate environment prevalent at the time, the EBA regarded these Guidelines as highly important to reduce the detriment that was bound to materialise once higher interest rates would return. The EBA’s judgement subsequently turned out to be incisive when, from mid-2022, interest rates across the EU rose again, and sharply so, and the degree of compliance with these Guidelines became an important consumer protection concern for the EBA.
Shortly after the EBA concluded its work in support of the MCD, the EBA issued two other sets of Guidelines, with a view to address two key drivers of the mis-selling of retail banking products in the EU. The first one was a set of Guidelines setting out how financial institutions are required to design, document, approve and monitor remuneration policies and practices of their sales staff.7 In so doing, they introduced a framework for financial institutions to implement remuneration policies and practices that would improve links between incentives and the fair treatment of consumers, reduce the risk of mis-selling and reduce the resultant conduct costs for firms. The Guidelines were publicly consulted in 2015, issued in 2016 and entered into force in 2018.
The second set of Guidelines was aimed at addressing the unsuitable design and bringing-to-market of retail banking products, which the EBA had identified as another key driver of mis-selling and conduct failure. The resultant EBA Guidelines on Product Oversight and Governance (POG) set out requirements for the design, marketing and life-cycle maintenance of products, including that they are designed to meet the interests, objectives and characteristics of consumers within a specified target market; that products are tested before launch; and that action is taken if problems arise.8 The guidelines are only four pages long, were published in 2015 and entered into force in 2017.
Both of these Guidelines are unusual for the EBA in that they were issued not in support of a particular EU Directive but, instead, they apply to all Directives in the EBA’s scope of action. This may seem an obvious approach for a supervisory authority to take. However, for the EBA, the task is not so straight forward, because, unlike the investment and insurance sectors where the selling of all products in a given sector is governed through a single EU Directive (MIFID2/MIFIR and the Insurance Distribution Directive, IDD, respectively), there is no single Directive in place in the retail banking sector. So, if the EBA wants to address issues it had identified as common across different products, such as the lack of product oversight and governance or inappropriate remuneration of sales staff, the EBA has to check in each of these Directives if it has a sufficient legal basis to issue the requirements.
In the case of the two aforementioned Guidelines this was the case. But in the case of another issue, the detriment arising to consumers as a result of inappropriate cross-selling practices, of financial institutions, the EBA, in coordination with ESMA and EIOPA, had to conclude that the legal basis is insufficient to issue guidelines, due to several divergences across the many EU Directives in its scope.9 The EBA therefore eventually decided to discontinue the initiative and articulated separately the divergences that would have to be resolved in those Directives before this consumer issue could be addressed.10
The two sets of Guidelines are distinct for yet another reason: between 2019 and 2021, the EBA increasingly shifted its focus, from regulatory convergence, i.e. the common writing of rules, to supervisory convergence, i.e. the consistent supervision of those rules. For its mandate to protect consumers, the EBA chose the two sets of Guidelines to contribute to this shift in focus. The authority carried out a supervisory convergence exercise by NCAs in 12 EU jurisdictions approaching a sample of 70 or so financial institutions with a set of questions about the way these institutions had implemented the Guidelines.
The EBA published the lessons learned and good practices in the form of two reports. In the case of the POG Guidelines, for example, the EBA found inter alia that, while FIs had implemented internal processes in relation to POG, this was often not done in a way that put the focus on ensuring that consumers’ needs are met.11 And in the case of the Guidelines on remuneration of sales staff, the EBA found inter alia that large FIs are better at compliance due to regulatory spill-overs from other, prudential requirements, that many FIs focus more on prudential than consumer protection requirements, and that not always are control functions able to provide critical comments.12
Finally, the Guidelines on POG were also the first set of Guidelines of the three ESAs ever to have been challenged in front of the Court of Justice of the European Union (ECJ). In November 2017, the Fédération bancaire française (FBF) brought an action before the French Conseil d’État seeking the annulment of the announcement by the French banking supervisor, the Autorité de Contrôle Prudential et de Résolution (ACPR), that it complied with the EBA’s POG Guidelines. As the case concerned EBA guidelines, the Conseil d’État referred a number of questions to the European Court of Justice (ECJ).
The ECJ rejected the challenge of the FBF and supported the EBA’s ability to issue guidelines, to reduce the prudential impact of misconduct for financial institutions, and to protect consumers from banking products that are not fit for purpose. The Court also confirmed that, while EBA guidelines are not legally binding, supervisory authorities and financial institutions must make every effort to comply with them, that supervisory authorities have to give reasons if they intend not to comply, and that national courts are expected to take EBA guidelines into consideration when resolving cases. The ECJ judgement allows the EBA to continue to establish high quality standards for the banking sector and EU citizens.
The ‘pure’ consumer protection output summarised above aside, the EBA issued also a large number of other instruments that had beneficial impacts on consumers but that fulfilled primarily other objectives. Such was the case, for example, for the Technical Standards, Guidelines, Opinions and 230 Q&As the EBA published between 2015 and 2022 to enhance security requirements for payment services in the EU under PSD2. While consumers of course benefitted from the significant reductions in fraudulent payment transactions as a result of these requirements (of between 40-60% for payment cards alone), these requirements were primarily aimed at enhancing the operational resilience of payment service providers and at fostering confidence of businesses and payment service users in the EU payments market, at a time when the market underwent significant innovations, including through the ‘open banking’ concept introduced by the PSD2.
In order to respond to the more recent hikes in interest rates experienced across EU Member States, the EBA will carry out in 2023 a peer review of the aforementioned Guidelines on arrears and foreclosure under the MCD, to assess the extent to which these Guidelines, as supervised by NCAs, achieve their stated objectives of reducing detriment to consumers.
Following intensive preparatory work in 2021 and 2022 on mystery shopping (MS),13 the EBA also estimates to publish in 2023 the results of its first pilot exercise on MS, in fulfilment of the new mandate it had received in 2020. Furthermore, 2023 will see the EBA fulfilling its other new mandates, by publishing the results of its first thematic review on the transparency and levels of fees and charges of retail banking products. The thematic review is one of the many actions the EBA has taken in order to address issues it had identified in its biennial Consumer Trends Reports.14
The EBA will also define and publish its first set of retail risk indicators, which aim at measuring, to the extent possible, the extent to which consumers are exposed to detriment, and will also develop consumer protection mandates conferred on the EBA as a result of the incoming MICA Regulation, including technical standards on complaints handling for crypto asset providers and the implementation of its temporary prohibition powers. The EBA also stands ready to fulfil other mandates potentially conferred on it under other forthcoming sectoral EU law, such as the revised CCD or the revised MCD.
Finally, jointly with ESMA and EIOPA, the EBA will also further intensify its consumer education work, by publishing a report on good practices through which NCAs can carry out national education initiatives on the topic of fraud, scams and cyber risks. And later in 2023, the EBA will develop practical tools for consumers to deal with the recent increases in interest rates and living costs more generally. n
Consumer protection – Retail banking products – Single market – EBA.
