Identity-Centric Bank & Finance Regulations - Europe

Like most other global regions, European countries have strict guidelines and compliance standards regulating the activities of banks and financial service providers. Specifically in today’s digital world, the European Union (EU) has been at the forefront of enacting cybersecurity and data privacy regulations, more so than the rest of the world.

In recent years, regulatory bodies like the EBA, ESMA, ESRB, EIOPA, and the European Commission have supported, proposed, and implemented Identity-centric legislation. This legislation helps to protect consumers’ digital identities while securing financial transactions and ensuring fairness and transparency throughout the markets.

In this blog, we’ll provide an overview of identity-centric regulations impacting the finance industry in Europe and the regulatory bodies that influence and oversee their implementation.

Numerous regulatory bodies oversee the financial markets in Europe. While each authority’s scope and initiatives vary, they share an overarching mission to uphold safe and orderly financial markets and protect consumers and investors. Their efforts can include a range of regulatory frameworks, tasks, and guidelines targeting financial market stability.

As financial service providers in the EU embrace digital transformation to deliver more personalized, convenient, and quicker services, these regulatory bodies continue to adapt their frameworks and recommendations to ensure consumer data safety and protection in the digital age.

European Banking Authority (EBA)

The European Banking Authority (EBA) is an independent body focused on upholding the integrity and stability of the European financial system. Specifically, they are responsible for setting and enforcing regulatory standards for the European banking sector. Part of their work is ensuring that identity management practices within banks align with regulatory standards to enhance data security and consumer trust.

European Securities and Markets Authority (ESMA)

The European Securities and Markets Authority (ESMA) is the regulatory authority governing the financial markets in the EU. On a high level, ESMA is focused on investor security, market integrity, and overall stability of the financial system. As part of their mission to safeguard investors and enhance transparency in the markets, ESMA guidelines make considerations for identity verification and authentication.

European Systemic Risk Board (ESRB)

The European Systemic Risk Board was established in 2010 and is narrowly focused on monitoring and assessing systemic risks in the EU’s financial system. They make efforts to prevent and mitigate potential security threats, helping to foster trust in the markets. In recent years, they’ve taken a greater interest in cyber risk and its potential threat to the financial system, which encompasses identity management practices.

European Insurance and Occupational Pensions Authority (EIOPA)

Lastly, the European Insurance and Occupational Pensions Authority (EIOPA) is an independent advisory body to the European Commission. They supervise the insurance and pension markets in the EU and take on various tasks to inform policies with evidence-based recommendations.

Their oversight helps to ensure stability and consumer protection, and the EIOPA has sponsored various initiatives that promote sound risk management practices and regulatory convergence within the EU, such as using identity verification to protect policyholders’ personal information.

The regulatory environment in the EU surrounding identity and access management (IAM) and cybersecurity for the financial industry is complex and layered. There are various regulatory bodies with overlapping scopes and missions, as discussed above, in addition to country-specific legislation and guidelines.

Financial service providers operating in the EU must adhere to a complex web of regulations aimed at data security in the financial sector and sub-sectors, as well as general identity-centric guidelines that apply to all companies in the EU.

Payment Services Regulation/Payment Services Directive (PSR1/PSD3)

Payment Services Regulation (PSR1) and Payment Services Directive (PSD3) are proposed pieces of legislation by the European Commission, yet not yet enshrined in law. The aim of these directives is to create a centralized payment area in Europe to facilitate faster, safer, and more secure transactions in the digital age.

These policies were proposed in June 2023, and upon making the recommendation, the European Commission noted the large growth in online payment services in recent years, which was accelerated by the pandemic and coincided with the emergence of new and more sophisticated types of fraud. Thus, the European Commission recommended these policies to ensure the EU’s financial services industry can adapt to the digital transformation efforts across the industry and the resulting risks.

Some of the proposed legislation aims to strengthen user protection and build confidence in the payments market. Specifically, this involves changes to strong customer authentication (SCA) rules. For instance, underlying account providers would only need to conduct SCA upon the first access attempt unless otherwise triggered by transaction monitoring.

A proposed extension of fraud protection measures would provide refunds for victims where IBAN/name-matching verification is lacking and in certain impersonation fraud cases.

Electronic Identification, Authentication, and Trust Services (eIDAS 2.0)

eIDAS 2.0 is an evolution of the original eIDAS regulation introduced in 2014, which is a European regulatory framework that defined the rules for decentralized identity management trust services in the region. The primary goal of eIDAS 2.0 is to support the issuance of digital wallets to all EU citizens.

This updated regulation aims to create a unified and secure digital identity system for citizens across the EU. The goal is to give users a single digital identity wallet where they can store digital identity credentials like their identification card, passport, or driver’s license, which allows them to access both online and offline services with a simple tap.

The European Digital Identity Wallet (EUDI) will streamline account verification, making it easier for EU citizens to prove their identities and access services in the private or public sector. In addition, this will give citizens more control over their data and reduce unnecessary sharing of their personal data.

eIDAS 2.0 was passed into law in May 2024, though enforcement of member states' obligation to issue wallets will not begin until 2026. Companies in the private sector have until 2027 to start accepting digital wallets.

Network Information and Security Directive (NIS2)

The Network Information and Security Directive went into effect in 2016 and marked the first piece of cybersecurity legislation imposed across the EU. NIS2 provides an update to the framework to reinforce cybersecurity resilience, expanding the scope to additional sectors to include any organizations that supply critical infrastructure in the EU. Banks and financial service providers are considered highly critical, falling into Annex I of the NIS2 Directive.

The NIS2 revisions are a response to the EU’s thorough review of the original NIS Directive. During this process, the EU recognized some shortcomings, such as inconsistent cyber resilience across Member States and a lack of understanding of the common cyber threats and challenges, among other concerns. 

Thus, NIS2 guidelines focus on enhancing cybersecurity in the EU by requiring Member States to be adequately prepared for attacks, cooperate and exchange information with other Member States, and encourage a culture of security in essential sectors.

The directive entered into force in January 2023, and Member States have until October 2024 to transpose these new standards into national law. So, it’s likely that specific details regarding these requirements will not be revealed until official legislation is in place. Failing to comply with the NIS2 Directive may result in legal penalties for the company’s executives as well as financial penalties for the organization.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) entered into force in January 2023, though enforcement will not apply until January 2025. As explained by the EIOPA, DORA will help enhance the digital operational resilience of financial service providers and banks in the EU.

DORA provides rules and guidelines for each of the 21 types of financial entities in the EU to prevent and recover from operational disruptions caused by information and communication technology (ICT) incidents.

The legislation acknowledges that financial entities increasingly rely on ICT providers to deliver financial services. However, many such ICT organizations may not be subject to the same regulations as banks and financial services providers if they are not also financial entities, which can lead to system vulnerabilities. 

DORA establishes a comprehensive framework for managing ICT risks and ensuring operational resilience, including creating an internal governance framework for ICT risk management, identifying sources of ICT risk, establishing a response plan, reporting of ICT incidents, a program to stress test operational resilience to ICT incidents, and more.

Financial Data Access Framework Regulation (FiDA)

In June 2023, the EU proposed a new regulation to create a framework for Financial Data Access (FiDA). This regulation creates rules governing the access, sharing, and use of certain customer data in financial services. It is designed to complement the existing data-sharing framework set forth in the GDPR and creates the basis for open finance across the EU.

FiDA establishes new requirements for nearly all financial service providers, recognizing their role in consumer data protection. Under current guidelines, open-banking regulations only apply to payment accounts. But, under FiDA, consumers and small and medium-sized enterprises (SMEs) have the option to grant third parties access to their data stored by any financial services provider acting as a data holder.

The type of consumer data that can be shared includes mortgage credit agreements, savings, investments, crypto assets, real estate, pension rights, non-life insurance products, and data from creditworthiness assessments.

FiDA is part of the EU’s effort to accelerate Open Finance projects across Europe. So, with FiDA in place, the hope is that consumers will have more control over sharing their financial data, ushering in better innovation and data-driven financial services that are personalized to their identity.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive legal framework regulating how the personal data of EU citizens is collected and processed. It is widely regarded as the most stringent regulation on data privacy and security in the world, which was approved in 2016 and went into effect in 2018.

The scope of GDPR applies to all sites that receive visitors from the EU, not just companies based in the region. Under GDPR, companies must be transparent with users about how they use their data, including financial service providers

While there aren’t specific guidelines on how organizations should protect consumer data, each provider must diligently assess the consumer data they collect and store and what they can do to safeguard it.

To comply with GDPR, banks and other financial service providers must have a comprehensive data protection strategy in place, be transparent with customers about data usage, and minimize data storage when unnecessary.

While financial sector regulations in the EU may be fragmented between Member States and subject to oversight from multiple regulatory bodies, there are some common threads that tend to influence directives, proposals, and initiatives in the region.

In general, regulators have a shared, overarching interest in upholding the integrity of the European financial system, enhancing the resilience of financial service providers against cyber threats, and ensuring the protection of consumer data.

Many of the regulations we’ve discussed in this blog have been proposed and implemented in the past four years, so providers in the financial industry are continuously subject to emerging frameworks and guidelines. Identity sits at the center of many of these new regulations, enabling financial service providers to achieve compliance.

However, adopting an identity-centric approach with an IAM solution can help providers be more agile and flexible to meet changing compliance requirements.

To navigate the complex and constantly evolving regulatory landscape, financial service providers can benefit from implementing robust identity and access management (IAM) solutions, like that offered by the Ping Identity Platform. Put simply, IAM helps providers maintain compliance in today’s ever-evolving regulatory environment.

IAM solutions provide several features to support compliance with regulations like GDPR, DORA, FiDA, NIS2, eIDAS, and PSR/PSD3. These include granular access controls, consent management, strong user authentication mechanisms, continuous monitoring, and transparent audit trails, among other capabilities.