The Road To EU Authorisation
The challenges in applying for a license at De Nederlandsche Bank.
There have been various articles published recently regarding the application for a license at De Nederlandsche Bank (DNB). In the Financial Dagblad (FD), a Dutch financial newspaper, various companies that applied for a license at DNB due to the Brexit are complaining about the slow pace of procedures and the lack of knowledge about the FinTech industry at DNB. After submitting a license application, it takes a substantial amount of time before you get a response, and when you get a response, that response is received with numerous additional questions. The process seems endless. The discussion started in the public domain
and even the DNB felt obliged to respond to the criticism. In a recent statement by the DNB, they pushed back against their detractors.: DNB Director Frank Elderson was quoted as saying, “We work with great care and dedication every day to ensure the stability, security and the safety of our financial sector. Applications are processed as quickly as reasonably possible and within legal deadlines”.
Furthermore, in a caption from the FD article, it states that the application process in both France and Germany is just as difficult. For smaller companies, the German Bafin is seen as an impregnable fortress.
Applying for a license is not a simple process. The DNB clearly indicates this on its own website, and they recommend hiring specialized professionals that know the process and which documents are required. The process is not limited to filling in paperwork, all of the documents should clearly indicate that the company making the request for a license have a full understanding of what they are getting themselves into. The documents have to meet all the requirements and must be consistent. As would be expected in any sector, the employees involved in the license application process know their products and services through and through, but is that always enough for a successful application?
The answer to this question is a resounding no. Obviously, it’s essential that you know your products and services. However, one must also have a comprehensive understanding of a number of laws, regulations and the associated risks that come along with obtaining a license and being supervised by the DNB. Despite the fact that most of the requirements in regard to the license are similar throughout the EU, there are major differences in the strictness of each supervising organization. Indeed, the DNB is rather strict in comparison to other supervisors.
Many companies see the license, and by association the DNB, as a necessary evil. They find the DNB as a speed bump that prevents the process from being as quick as possible. They also, quite naturally, want to limit the costs related to the application. The time and financial pressures create an environment where companies hand in incomplete documents, resulting in the DNB rejecting the documents more quickly. This consequently causes irritation at FinTech companies and backlogs at the DNB.
The DNB is clearly a critical regulator, but perhaps fortunately so, as this plays a large part in the stability of the Dutch financial sector. Does the DNB limit/stop innovation? No, not really. Adyen is the prime example. While they haven’t had an easy time (they also faced challenges as a result of the critical views of the DNB) they persevered and were even able to ‘upgrade’ from a Payment Institution license into a banking license from the DNB.
So why is the DNB so strict? There are multiple reasons, but the experiences from the PSD1 process seem to be the main culprit. There are also many supervised institutions in the Netherlands that require DNB’s attention. When applying for their licenses on the basis of PSD1, many companies went through a paper application process. On paper, these applications looked sufficient, but until the DNB went on supervisory visits after the permits had been issued, they didn’t realize that they had a problem on their hands. A completely different picture emerged for many of these companies and the DNB had to put in a great deal of time and effort into restoring these businesses to a truly compliant level. The DNB is naturally keen to prevent this from happening in the future, in part to prevent the costs of supervision from rising uncontrollably.
In addition, the DNB expects foreign companies who apply for a license in the Netherlands (as a result of Brexit for instance), to have all their affairs in order. The DNB expects a professional application from a company that understands what it means to be supervised and has therefore properly documented its business operations, risks, and decision-making processes. This, unfortunately, is where things often go wrong. Many parties still see the application process as a simple question of filling in some documents. This can possibly be traced back to the approach used by the Financial Conduct Authority (FCA) in the assessment of the PSD1 permit applications. On paper, it looked nice, but in the reality of daily operations, it is more difficult.
On the contrary, the risk profile of Brexit institutions, for example, is completely different from that of the institutions supervised in the Netherlands, such as Banks, Payment Institutions and Electronic Money Institutions. The Brexit parties are not (yet) focused on the Dutch market, but much more on the British market. This is where the core of their activities/clients/ assignments/transactions are located.
The only reason to apply for a license within the EU is because of the Brexit. The passport that they are currently using from the United Kingdom will expire, and when it does, they can no longer serve the EU market.
They want to grow within the EU, but the growth within the EU will have to take place with a Dutch license and growth outside the EU, of course, will have to be achieved with a British license. In addition, they do not want to have a large office with a lot of staff in the Netherlands. Every element of the business is already efficient (read: in the UK), so from a business economics viewpoint, attracting many new employees is not desirable. And don’t forget, the only reason to apply for a license within the EU is because of the Brexit. The passport that they are currently using from the United Kingdom will expire, and when it does, they can no longer serve the EU market. Their objective is therefore not to make a real contribution to the Dutch economy, with a fully-fledged organization.
Looking to build a team within the EU to continue growth and business operations after Brexit? To receive a free consult, please contact us.
The license they want to apply for in the Netherlands (or anywhere else within the EU), is a direct result of Brexit and therefore not from product or market initiatives. In short, it is a defensive strategy. Under European regulations, the DNB requires a company to be real, with substance and day-to-day management.
Another point of friction is the working method of the newcomers. These parties are more agile, they are more ‘FinTech’, and are the challengers to the large, rigid, bureaucratic banks. They believe that the well-known management frameworks followed by the DNB, such as a COBIT, are therefore not appropriate. However, the DNB expects all supervised institutions to apply well- defined standards frameworks, particularly for ICT organizations. Even if the ICT has been outsourced to the parent company in the UK, or externally, the DNB expects the risk analyses and control measures to be based on the international standards. The use of COBIT is an important tool for the DNB to determine whether or not the institutions have their risks and control measures sufficiently in order, without the need for specific analysis for each supervised institution on the basis of their own frameworks of standards. Too often, agile working is still seen as a framework of standards, whereas it is only a process to achieve a result within the set standards. From the DNB’s point of view, these set standards must originate from an international standards framework (read: COBIT).
The use of cloud services is also seen as the modern standard for the management of continuity, availability, confidentiality and integrity risks. However, the DNB is of the opinion that ‘the cloud’ brings major risks, risks that need to be managed. In other words, cloud services are not a solution. It is seen only as a shift in the risk if no proper agreements have been made and if you do not know your outsourced provider to a sufficient degree.
There are, of course, also many good reasons to apply for a permit in the Netherlands. The Netherlands is a trading country which has a strong open economy, a good infrastructure and is easily accessible by its international airports. There are many well-trained people to be found and the financial sector is dynamic and innovative.
The process of acquiring a license as a payments company is relatively simple if you are well prepared and assisted by people who know the process. This is especially true if you compare it to a license application for an Electronic Money Institution or, in its most extensive form, a Bank. Electronic Money Institutions are still very limited in the Netherlands because you are only able to acquire this license if you also want to provide services that qualify as electronic money (or want to do so in the future). The additional requirements for an electronic money institution mainly relate to solvency requirements and the additional documentation requirements for the issuance of electronic money. The banking framework is often assumed by the DNB.
In conclusion, applying for a license in the Netherlands is not just about delivering a stack of paper. You have to be thoroughly prepared and make sure that you are assisted by experts who know what will be expected. The Netherlands is a fantastic country to do business in, so do your homework well and you will be able to conquer the EU from the Netherlands (in a controlled way and supervised manner)!
About the author:
Alex Bewier has been working in the financial sector since 2001. As an independent consultant, he specializes in Governance, Risk & Compliance. He has assisted many organizations in applying for licenses and in meeting compliance requirements.