Regulating Fintech in Europe: Lessons from the Collapse of Wirecard

Giorgio Barba Navaretti, Professor of Economics at the University of Milan, Scientific Director of the Centro Studi Luca d’Agliano and CEPR Research Fellow, Giacomo Calzolari, Professor of Economics, EUI Florence, Bologna University and Research Fellow CEPR, and Alberto Pozzolo, Professor of Economics at Roma Tre University. Originally published at VoxEU.

The default of Wirecard highlights several problems in the regulation and supervision of Fintech companies, with regulatory holes in investor protection, customer protection, and financial stability. This column argues that since Fintech companies can be very complex, their oversight requires understanding their business model and combining regulation and supervision based on both entities and activities. The global reach of Fintechs also calls for better coordination at the European level and beyond, but the authors do not see the need for new regulatory body to oversee Fintechs in Europe.

In its 2018 Annual Report, Wirecard, a German Fintech organisation, claimed to be “a global technology group that supports its customers and partners in accepting electronic payments from all sales channels [and in] the issuing of payment instruments”. The report also stated that “[t]he uniform platform approach and seamlessly integrated value added services such as data analytics, customers loyalty programmes and digital banking services support customers and partners of Wirecard to successfully master the challenge of digitalisation”. According to ESMA (2019), it “connected to more than 200 international payment networks (banks, payment solutions, card networks), which resulted in 34,000 customers from various industries, and offered its services in over 100 transaction currencies”.

Figure 1 Credit card payments

Source: Barba Navaretti et al. (2020).

Wirecard acted as an acquirer of payment transactions (most of them online), operating as an intermediary between merchants and their banks on the one hand, and customers, their card issuers, and their banks on the other (Figure 1). The company also provided a host of related technological services. Acquiring activities were conducted either directly, with licensed subsidiaries such as Wirecard Bank AG in Germany and Wirecard Card UK in the UK, or through licensed third-party acquirers, mostly in Asia. Technological services were offered mainly by online platforms, which, according to Wirecard’s claims, were instrumental in implementing an effective risk management of a complex network of payment transactions.

The share of revenues coming from largely unregulated payment and risk management activities was substantial, accounting for three quarters of Wirecard’s total revenues in 2018. Only a quarter of revenue was coming from acquiring and issuing businesses (which are regulated). As it turned out – mostly from a thorough investigation by the Financial Times started in 2015, and by the auditing conducted by KPMG (KPMG 2020) – a large share of Wirecard revenues and profits, especially in Asia, appeared to be forged through a network of companies indirectly controlled by Wirecard’s management, which falsified documents and money flows (McCrum, 2020). In the end, it may surface that €1.9 billion of alleged reserves, supposedly held in escrow accounts in Asia, were non-existent.

With the benefit of hindsight, it is clear that the type of activities carried out by Wirecard were standard routine payment services, and Wirecard’s default had nothing to do with the alleged technological complexity of its operations. In other words, bankruptcy did not happen because of undetected problems or mismanagement of the technology. More simply, Wirecard’s Fintech status created a screen of presumed complexity, hindering the attention of overseers and financiers, and possibly enabling a degree of complacency on the part of domestic authorities unwilling to thwart the growth of a ‘national champion’.

Despite resembling an accounting fraud of the more classical type, Wirecard’s default raised many concerns on the lack of adequate oversight of Fintech companies. The inability of authorities to detect the fraud in a prominent and well-known company is, to a significant extent, the result of regulatory loopholes. There is concern that this may leave room for future transgressions. Indeed, there was neither comprehensive and integrated oversight of Wirecard activities nor adequate vetting of its accounting practices. There was also a lack of effective oversight and enforcement of accounting and auditing practices. But what is really missing in regulation and supervision of Fintechs?

Investor and Customer Protection

We argue in a recent paper (Barba Navaretti et al. 2020) that to understand how different authorities can cooperate in regulating and supervising Fintech companies, it is important to distinguish between investor and customer protection.

The aim of investor protection is to guarantee that the users of funds provided by third parties offer clear, reliable, and prompt information on their choices. In the case of financial intermediaries and payment services providers, customer protection aims instead at guaranteeing the value of deposits, which is crucial because they are de facto an almost perfect substitute for cash.

In Wirecard’s case, investor protection failed in its role, and financiers will certainly incur significant losses. In contrast, customers were left almost unscathed by the default. However, even if it did not happen this time, Wirecard’s business model and its regulation and supervision left a number of loopholes which might have led to serious problems for its customers under different conditions. If the unregulated technological services provided by Wirecard to merchants, consumers, and third-party acquirers had failed, these would have suffered significant losses. For example, not being able to make or accept a payment performed using a card causes liquidity problems, which can potentially turn into solvency problems, eventually leading to financial instability. Regulatory oversight of Fintechs is therefore of the utmost importance.

The Challenges of Overseeing Fintech Activities

Today, banks and traditional financial institutions are a ‘comfort zone’ for regulators and supervisors, which have substantial experience of how to provide protection to investors and customers, and guarantee stability. The advent of Fintech has opened up mostly unchartered territories, not only for entrepreneurs, but also for experienced supervisors and regulators (Barba Navaretti et al. 2018).

A key challenge is the large number (and type) of different players that have already emerged, and the large number that will emerge. It is useful to identify at least four types of operators engaging in the financial innovation process and classify them with their specific attitude towards financial innovation (Ehrentraud and Garcia 2020).

‘Enhancers’ are operators that perform some key technology-based activity in financial markets, often through ‘vertical unbundling’ of some of the activities performed at different vertical stages of the value chain. Enhancers often rely on new and efficiency-enhancing technologies, such as artificial intelligence (AI) and machine learning (ML). This was the case of many technological subsidiaries of Wirecard group.

‘Unbundlers’ are new specialised financial operators, entering in specific segments traditionally served by all-round financial institutions. They perform horizontal unbundling, separating services to final users that traditional financial institutions would offer as a bundle (such as payment and credit service), either entirely in-house or by outsourcing some activities (e.g. Satispay).

‘Pursuers’ are traditional financial operators that ‘catch up’ adopting new technologies, often through the acquisition of a Fintech start-up. An example of this horizontal unbundling is the acquisition by of the Fintech start-up WePay by JP Morgan Chase in 2017.

‘BigTech’ are large companies that operate platforms in non-financial markets, such as business-to-consumer platforms (an example being Amazon) or social networks (an example being Facebook). BigTech firms are known to enter financial markets, bundling financial and non-financial services on their platforms.

The very presence of these various types of operators in financial markets often makes existing regulations inadequate and supervision more complex. To overcome these problems, it is crucial to identify a set of key steps that should be addressed within a new regulatory framework.

The Oversight of Fintech Activities: Key Steps

When regulating Fintechs, it is crucial to balance the efficiency gains of technological innovation in the financial industry with the possible additional risks created for its stakeholders (Amstad 2020). In our paper, we identified a set of key steps to this aim:

1. Avoid regulatory arbitrage. Regulators lagging behind fintech businesses developments should be avoided. This will help to ensure a level playing field between Fintech companies and traditional businesses. Regulators should also make sure that entities carrying out the same activity follow the same sets of rules (however they carry them out).

2. Understand clearly what Fintechs do and what their business models are. Regulators need to understand the source of profitability and the potential enhancing or disruptive impact of Fintech activities, as well as how they interact with other parts of financial and non-financial markets. Sandboxes (where observing Fintechs develop their ideas) are useful in this respect, as long as they do not create unhealthy links between the regulators and the regulated.

3. Combine the oversight of entities with the oversight of activities. Unbundled financial activities should be supervised independently of the form of incorporation adopted by the company and independently of the other activities that it performs in parallel. This should be done without compartmentalising the oversight of financial markets. Otherwise, loopholes may emerge for companies with a complex and intricate web of activities, such as Wirecard, under different regulatory and supervisory regimes. The proposal of the European Commission – which grants adequate oversight powers with respect to technological third-party providers also within the same group – moves precisely in this direction (European Commission 2020).

4. Master the technology used by Fintechs. At the core of Fintech expansion lies a set of relatively recent technologies that allow for better information extraction from data. It should be clear that these technologies are only tools to perform standard financial activities which, up until now, were carried out through other means. For an effective and safe deployment of AI in financial markets, supervisors and regulators must have the ability to monitor and assess the actual behaviour and functioning of these algorithms. Regtech and Suptech (i.e. the use of AI in the implementation of regulation and supervision) are interesting developments in this respect, but are unlikely to completely substitute more traditional oversight approaches.

5. Know the global picture and harmonise and coordinate internationally rules and oversight of Fintechs. Fintech players, especially those unbundling and specialising in narrow segments, have shown a natural tendency for cross-border activities. This broad geographic span of business activities calls for a coordinated action of regulators and supervisors, certainly in Europe (and, hopefully, more broadly). Coordination, information sharing agreements, and harmonisation of oversight standards is necessary worldwide (and is a necessary ingredient of Europe’s Capital Market Union).

It is common when new types of problems arise to propose new authorities to address the issue. The history of the EU is not immune to this tendency. We see no need for a new regulatory body overseeing Fintechs in Europe in order for the key steps outlined above to be carried out. The objectives of regulation are unchanged, independent on whether operations are carried out by Fintechs, traditional businesses, or a blend of the two. With respect to investor protection, Wirecard’s case calls for stronger national authorities, increased international harmonisation, coordination and cooperation, and direct and sound supervision of auditing firms. In fact, this is necessary for all listed firms. As for customer protection, effective regulation and supervision of Fintechs is only possible with a thorough understanding of their business model and of the technologies that they use. But, in both cases, European authorities should be put in the position of establishing a harmonised and coordinated framework for regulating Fintech, which will then be exercised by national authorities.

References available at the original.

Print Friendly, PDF & Email
This entry was posted in Banking industry, Europe, Guest Post, Payment system, Regulations and regulators, Ridiculously obvious scams on by .

About Lambert Strether

Readers, I have had a correspondent characterize my views as realistic cynical. Let me briefly explain them. I believe in universal programs that provide concrete material benefits, especially to the working class. Medicare for All is the prime example, but tuition-free college and a Post Office Bank also fall under this heading. So do a Jobs Guarantee and a Debt Jubilee. Clearly, neither liberal Democrats nor conservative Republicans can deliver on such programs, because the two are different flavors of neoliberalism (“Because markets”). I don’t much care about the “ism” that delivers the benefits, although whichever one does have to put common humanity first, as opposed to markets. Could be a second FDR saving capitalism, democratic socialism leashing and collaring it, or communism razing it. I don’t much care, as long as the benefits are delivered. To me, the key issue — and this is why Medicare for All is always first with me — is the tens of thousands of excess “deaths from despair,” as described by the Case-Deaton study, and other recent studies. That enormous body count makes Medicare for All, at the very least, a moral and strategic imperative. And that level of suffering and organic damage makes the concerns of identity politics — even the worthy fight to help the refugees Bush, Obama, and Clinton’s wars created — bright shiny objects by comparison. Hence my frustration with the news flow — currently in my view the swirling intersection of two, separate Shock Doctrine campaigns, one by the Administration, and the other by out-of-power liberals and their allies in the State and in the press — a news flow that constantly forces me to focus on matters that I regard as of secondary importance to the excess deaths. What kind of political economy is it that halts or even reverses the increases in life expectancy that civilized societies have achieved? I am also very hopeful that the continuing destruction of both party establishments will open the space for voices supporting programs similar to those I have listed; let’s call such voices “the left.” Volatility creates opportunity, especially if the Democrat establishment, which puts markets first and opposes all such programs, isn’t allowed to get back into the saddle. Eyes on the prize! I love the tactical level, and secretly love even the horse race, since I’ve been blogging about it daily for fourteen years, but everything I write has this perspective at the back of it.


  1. notabanker

    Regulatory scope cannot compensate for lack of moral hazard. Perhaps when executives go to prison for wrecking the economy whilst looting for personal benefit, the need for increased regulatory oversight may diminish.

    1. tegnost

      Re moral hazard…as I read this I kept thinking MERS and how it was technology smoothing out the securitization process for the banksters, while leaving customers unprotected, and when exposed the bankster were all “but tech! Everybody knows those people owe! In the meantime they foreclosed on their customers even though no legal chain of title could be produced, but no big deal because banks were made whole, with some added in for bonuses. This is alluded to in this passage…

      “In Wirecard’s case, investor protection failed in its role, and financiers will certainly incur significant losses. In contrast, customers were left almost unscathed by the default. However, even if it did not happen this time, Wirecard’s business model and its regulation and supervision left a number of loopholes which might have led to serious problems for its customers under different conditions. If the unregulated technological services provided by Wirecard to merchants, consumers, and third-party acquirers had failed, these would have suffered significant losses. ”

      The difference of course being that with MERS investors were made whole and customers fleeced, maybe one of the big concerns was that in this case it’s the other way around. Can’t have that.

    2. vlade

      In Germany it’s much more likely that executives end in court – there’s a court proceeding against Wirecard CEO, and his right man (and person most people suspect was the driver behind most of this) has dissapeared, and is rumored to be hiding in Belarus (there’s actually a reward 100k EUR for his capture, don’t know when was the last time FBI put a price on a former executive’s head). Germany’s right now prosecuting former VW CEO, and tust me, you don’t get much higher in the German corporate hierarchy than that.

      The main problem is actually regulatory capture – you could see it when BaFin was furiously batting Wirecard’s corner on the short selling, ignoring any arguments that were not Wirecards. So while it’s quite possible that some Wirecard’s executives will end in jail, it’s extremely unlikely that any of their regulators will, even if it was fundamentally them who enabled it.

  2. PlutoniumKun

    I think that on point 1 the most important thing regulators must be able to do is to say ‘no’ to any proposal. Every national regulator is under an implied pressure to promote jobs in their domestic economy, not to mention increase its own workload and importance. There is also a cultural issue within many regulatory authorities in that they see their role as mitigating and overseeing operations, not preventing their establishment in the first place (I’ve encountered this issue in other regulatory fields).

    This, of course, encourages regulatory arbitrage as fintech companies try to identify weak links internationally. Brexit has made this worse in Europe as various capitals try to grab the juicer spoils from London. The previous head of the Irish Central Bank was strong enough to refuse to grant licenses to a number of operators seeking to base in Dublin, despite pressures from politicians to say yes. But it takes a strong minded and very independent regulator to do that.

  3. TomDority

    The ability to commit control fraud is exponetialy increased due to the implementation of AI – AI are heuristics designed for an end state or end goal – how that goal or end state is achieved is slanted in the interests of the business platform – For instance, a mortgage servicing platform will be using AI to achieve more fees and higher collection rates.
    Considering AI has coded most law and made all the conections to FASB and SEC regs and everything else in the realm of justice and law (etc) — In my opinion…. AI has been enabled to practice law… except it is not liscensed to practice…. Dollars are digital, AI is digital…Citizens United gives voice to dollars … therefore AI has voice to practice law….. should Citizens United be overturned for the descision having been not fully understood to mean that AI is now practicing law – without liscence????

  4. Jeremy Grimm

    What is the point of worry over key steps in oversight of fintech activities if there is no will to regulate fintech? Why is it “crucial to balance the efficiency gains of technological innovation in the financial industry with the possible additional risks created for its stakeholders”? I believe the ‘innovation’ in the financial industry, ‘technological’ and otherwise has many times proven little more than ‘innovation’ in new forms of uncontrolled, unregulated, unpunished fraud. All the key steps and understandings of fintech are worthless if — as I believe — the regulators wholly belong to the interests they supposedly regulate.

    The conclusion: “authorities should be put in the position of establishing a harmonised and coordinated framework for regulating Fintech, which will then be exercised by national authorities.” I think the authors forgot to tack on the word ‘smart’ in its list of attributes for the regulatory framework and maybe add in attributes of ‘innovative’ and ‘disrupting’ somewhere.

  5. Susan the other

    This throwback to the wild west was interesting. These suggested regulations for control of the various kinds of fintech are long overdue. We are always too trusting until we get burned. Then we resort to mutual protection, now commonly by national sovereign regs. Just last night on the BBbS they were raving about the wonderful new nobel winning theory of auctions. Simultaneous information available to everyone (on the internet no doubt) to choose the best price – for anything. Jesus-god, as if that is what anyone ever wanted to do; “I long to waste my time on all that stupid crap!” And obviously even to a toad, this avoids national-sovereign regs. I keep wondering when it is going to dawn on all these gonifs that money is a social construct. It was not invented as a bargaining chip in the race to the bottom, which this “auction” in fact is – all over again. Sovereign money is a contract. Where is all the new and enlightened “contract science”? We need it ASAP. And the greedy neoliberal money complex is trying with all its gaslighting magic to deny this reality; to find a defendable degree of freedom wherein they can operate at will. And scoop out a hidden profit. So too, where is “profit science”?

    1. Jeremy Grimm

      Where are Glass-Steagall and other straight forward brakes on financial insanity and fraud? Where are our laws and where are our regulators?

  6. Londoneer

    The word “Fintech” doesn’t help us here. We should remember that this word and those like it emerged primarily to drive sales of Wired magazine and its ilk. In reality, all banks are “Fintech” businesses in the sense that they apply technology to the business of providing financial services. We don’t need new regulation for “Fintech”, we need financial regulators to regulate such companies properly and with rigour. And perhaps those regulators could apply a bit more scepticism when they read Wired magazine and its ilk.

    (By the way I have no bone to pick with Wired magazine, it’s often interesting but I use it as a colourful example of the general “tech publishing” sector in this post.)

    1. Halcyon (formerly AnonyMouse)

      Agreed. I remember listening to Trashfuture (political economy of tech from a leftie perspective) on both Wirecard and Greensill Capital (reverse factoring) making the point that “fintech” gives cover for things that would previously have been regulated like banks to circumvent those regulations and act in a very different way.

      Because regulations that apply to banks and financiers can be subverted if you’re not considered to be a bank… just as many other “technology” companies essentially exist to do this sort of regulatory arbitrage and attempt to get around existing rules.

      When you look at the “fintech” press material, i.e. we’re going to “democratize finance!” and so forth, it just sets off a great many alarm bells that if we allow ourselves to be deluded by the bright lights of tech and not recognise the parallels between what these folks are doing and what banks, hedge funds, and other financiers have done, we will be screwed once again when the bubble bursts, particularly if these organisations have managed to invegle themselves into critical infrastructure and can then argue they are “Too Big To Fail” once more

Comments are closed.