The European Banking Authority ("EBA") has recently published a report analyzing the main risks and opportunities for seven applications of innovative technologies currently used in the financial services sector in Europe (available here, "Report"). The Report aims to "raise awareness, within the supervisory community and industry, of the current and potential applications of FinTech, [and] to provide a balanced analysis of potential associated prudential risks and opportunities that may arise". This article discusses some of the main legal issues that should be prioritized if you intend to introduce, increase or change the use of any of these FinTech applications.
Applications considered in the report
The EBA considers the operational pros and cons of each application of FinTech listed below in its report:
- Biometric authentication for mobile apps through fingerprint recognition
- Use of robo-advisors to provide advice on automated investments
- Use of big data and machine learning to support credit scoring
- Use of distributed ledger technology (DLT) and smart contracts in commercial finance
- Use of DLT to simplify customer due diligence and KYC processes
- Mobile payments and wallets using NFC (Near Field Communication) technology
- Outsourcing of core banking and payment systems to the public cloud.
The EBA states that these applications have been selected because they are all currently in use across the financial services sector (but with varying degrees of integration across Europe). It believes that they represent a strong mix of present and near-present use cases of FinTech in the retail and non-retail banking market.
What legal issues should you consider?
If you are looking to introduce, increase or modify the use of these applications, we recommend that you consider the following main legal issues.
Given the recent focus on data protection, with the introduction of the GDPR, it will come as no surprise that data protection is a key concern when introducing innovative technologies into financial services. You should consider in particular:
- What legal basis for processing are you relying on? If you are processing sensitive personal data, you will need additional legal grounds to process this information lawfully. This could apply, for example, if you use biometric data to perform customer authentication, depending on whether the data is processed through your technology solution or locally on the customer's device.
- Has sufficient processing information been provided to all individuals whose personal data is being processed? Where there is no direct relationship with an individual, it may be more difficult to ensure that you provide them with sufficient processing information (usually a privacy notice) when acting as a data controller. For example, if you collect data from a customer's social media feed about their friends or contacts for credit evaluation purposes, how do you provide these third parties with information about your processing activities?
- Have you carried out a data protection impact assessment ("DPIA")? A DPIA is needed when data processing can pose a high risk to customers' rights and freedoms, particularly when new technologies are introduced. It should describe the nature and extent of the proposed processing, assess whether it is proportionate to your goals and assess whether any additional protections could be put in place to achieve the same goals while protecting people better. If you run a DPIA and the result is that processing could pose a high risk to people, then you should consult the data protection authority, the Information Commissioner's Office.
- Have you incorporated privacy into the technological solution? The concepts of privacy by design and data minimization (that is, processing the minimum amount of personal data necessary to achieve your goal) are crucial to understand for those in the financial services sector, since there is a historical tendency to store more data than required and for a longer period than necessary, both to protect against legal claims and because of the use of legacy IT systems.
- If you receive a request from an individual to exercise their rights, would you be able to execute the request? How easy would it be? For example, you should ensure that you can isolate personal data about an individual in your systems to process it independently of other data.
IT outsourcing and security
Although this is important for any technology outsourcing, it is essential that financial services entities ensure that the technology acquired is solid and fit for purpose, whether it focuses on retail or trade finance. In particular, you should make sure that you:
- Have the protection of appropriate business continuity agreements, service levels and, where appropriate, a related service credit scheme.
- Comply with SYSC 8 if you are a relevant authorized enterprise that engages in material outsourcing that could cause service interruptions in the event of a breakdown or otherwise cast serious doubt on the continued satisfaction of the company's threshold conditions or on compliance with the relevant FCA or PRA principles or rules.
- Have appropriate information security standards within your contracts, including tying security arrangements to a recognized industry standard (such as PCI DSS) if possible, with benchmarking and provisions for continuous improvement in the contract and with adequate audit rights.
Consideration should also be given to the draft EBA guidelines on outsourcing (here), which are open for consultation until 24 September 2018, its recommendations on outsourcing to the public cloud (here), and the FCA's guidance on the same subject (our summary here).
Customer fairness and transparency
As technology solutions become more complex, it becomes increasingly important that you understand the impact of any technology on customers, especially if you offer financial services to consumers. For example, you need to understand the criteria your algorithm can use to provide automated investment advice or make credit scoring decisions.
You need to make sure that your technology solution cannot discriminate against certain consumers, as set out in the Equality Act 2010, and, if you are regulated, that it acts in accordance with the FCA's TCF principles.