The Commission said that work being undertaken in the payment services market across the EU "is an interesting test case" for a broader 'open banking' system.
Under the second Payment Services Directive (PSD2) banks, building societies and other account holding institutions are obliged to enable third party 'account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account data they hold on customers, at those customers' request, to allow the businesses to provide the customers with their services.
The PSD2 reforms, which came into effect in January, are designed to promote the development of innovative new fintech services and broaden competition in the payments market.
A potential technical solution to compliance under PSD2 is the use of application programming interfaces (APIs) to link the systems operated by the account holding institutions with those of the third parties. In the UK, standardised APIs are at the heart of plans for a new Open Banking system.
The Commission suggested work being done to enable third party access rights to be exercised under PSD2 could be developed to enable similar levels of access to a wider range of financial accounts in future.
"The development of standardised application programming interfaces would create a level playing field to enable new and improved services in a truly open environment, while maintaining high standards of protection of personal data and consumer protection," the Commission said.
"The Commission encourages and will support joint efforts by market players to develop, by mid-2019, standardised application programming interfaces that are compliant with the Payment Services Directive and the General Data Protection Regulation as a basis for a European open banking eco-system covering payment and other accounts," it said.
The Commission's proposals on Open Banking were set out in a new EU fintech action plan (18-page / 552KB PDF). The contents of that finalised action plan are similar to those set out in a draft version that was leaked earlier this year.
In its action plan, the Commission expressed the view that "the case for broad legislative or regulatory action or reform at EU level at this stage is limited", but it did put forward plans for new EU laws on crowdfunding. It also outlined further "targeted initiatives" to support "digitalisation of the financial sector".
The removal of obstacles to the adoption of cloud computing services by financial services businesses is one of the objectives that the Commission set out. In this respect, it suggested new cloud outsourcing guidelines could be developed.
The Commission acknowledged that there is already existing and planned guidance in this area from individual regulators in the EU financial services market, including cloud outsourcing guidance produced by the European Banking Authority (EBA) late last year. However, it said that "the issue deserves attention beyond the scope of these existing initiatives".
"Additional certainty could be achieved if supervisory expectations were expressed" in new formal guidelines developed by the three European supervisory authorities (ESAs) together, the Commission said. Those thee bodies are the EBA, the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
The Commission also called for the development of new "cross-sectoral self-regulatory codes of conduct to facilitate switching between cloud service providers".
Financial services and technology law expert Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law.com, said: “The Commission’s comments about the benefits of further regulatory guidance around cloud are welcome. Although the EBA’s recent guidance addressed some areas, our recent discussions with banks subsequent to publication of our joint report on banking and cloud with the BBA indicate that there are still frictions when financial services organisations try to migrate to cloud. Therefore more guidance which goes beyond general statements and gives specific views on what is acceptable to meet regulatory standards would be helpful.”
Further initiatives contained in the new action plan included a range of measures aimed at improving cyber resilience in the fintech market, steps to explore the potential of blockchain technology, and work that could lead to the development of a standardised approach to regulatory sandboxes for fintech innovations in the EU.
The Commission also said that it "is necessary" for an assessment to be undertaken into "the suitability of the current EU regulatory framework with regard to initial coin offerings and crypto-assets". It said "international coordination and consistency" on the topic was "essential".
"In the course of 2018, the Commission will continue monitoring the developments of crypto-assets and initial coin offerings with the ESAs, the European Central Bank and the FSB (the Financial Stability Board) as well as other international standard setters," the Commission said. "Based on the assessment of risks, opportunities and the suitability of the applicable regulatory framework, the Commission will assess whether regulatory action at EU level is required."