On 17 July 2019 the General Inspector of Financial Information (GIIF) published Poland’s first AML/CFT National Risk Assessment. This document of nearly 450 pages was prepared pursuant to the new Anti Money Laundering and Counter Financing of Terrorism Act, which introduced regulations requiring GIIF to prepare a national assessment and update it periodically.
The EU reform of the payment services sector is now entering the home stretch. One of the key changes launched by adoption of the revised Payment Services Directive (PSD2) was the introduction of new types of payment services which require access to the user’s payment account using a type of interface defined in the regulations. The duties connected with such access rest on the providers operating the accounts, which have a choice between creating a dedicated “application programming interface” (API) or upgrading their existing user interface system. Both solutions are to a certain extent linked with the earlier known and controversial method of screen scraping.
What is screen scraping?
Screen scraping is automated harvesting by a computer program of data presented in visual form, usually not adapted for machine reading. The data obtained in this way may derive from various sources, such as websites displayed by a browser, computer programs, or mobile applications.
When hackers exploited a vulnerability caused by software not being updated at a US credit agency, important data of millions of customers in the US, Canada, and the UK were leaked. The US federal authorities have launched an investigation that could lead to millions in fines. Bosses at the firm were questioned in a congressional hearing and the agency is facing the largest class action in US history. This sounds like the plot of a financial thriller, but the Equifax case did in fact happen and is a lesson for the future.
Apart from disrupting business activity, causing financial losses, and damaging a firm’s image, hacking can also lead to severe fines for failing to comply with personal data protection or cybersecurity regulations. Businesses which are victims of cybercrime might also be liable towards customers and employees for loss or leaking of important data. Compensatory liability is also possible under Polish law in cases of this kind, and may affect anyone. Cybersecurity reports show that approximately three quarters of businesses have experienced a cybersecurity incident of some kind, and these statistics are unlikely to fall in the near future. Former FBI director Robert Mueller summed up this situation well, saying “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again”.
A proposal presented in May by the Ministry of Entrepreneurship and Technology for amendments to the Commercial Companies Code provides for a new type of capital company – Prosta Spółka Akcyjna (PSA). This legislative proposal has been criticised for an excessive amount of regulation and the complexity of its provisions, and has also been welcomed for achieving the principal goal of the initiative, which is making the legal environment suitable for start-ups. This article discusses the section of the amendment that deals directly with new technologies.
While the new data protection regulation provides for severe administrative penalties for failure to comply, it is well known that whether a penalty is effective is determined not by its severity but by its inevitability. Even though the personal data protection authority has been given broad powers, it does not have adequate means of exercising them. A solution could be a private enforcement mechanism within the regulation, whereby any person whose data has been breached can independently seek a judicial remedy.
Private enforcement is being used more and more as an addition to the public law mechanism for the enforcement of regulatory provisions. This solution has been introduced recently in compensatory liability cases for breach of competition law. A solution of this kind is also possible under the GDPR.
Reports released by the Cambridge Centre for Alternative Finance leave no doubt that Europe has fallen a long way behind the United States and Asian countries in development of modern financial services. This is especially noticeable in crowdfunding. In Asia Pacific countries, this method generates more than USD 200 billion per year, but only some USD 8 billion in Europe. The proposed crowdfunding regulation is intended to change this by harmonising European laws and introducing a European passport for service providers operating crowdfunding platforms.