Legal Aspects of “White-Label” Banking in the European, Polish and German Law

: Offering “White-label” products and services is a well-developed business sector in the European market. At present, this market concept is also increasingly being applied to ﬁnancial services, as part of a bank–FinTech cooperation. A question arises, however, as to the proper place for such models within the complex system of European ﬁnancial law. This article reviews the “White-label” frameworks currently operating in the banking sector and the corresponding regulations of the European Union law, based on their application in German and Polish legal system. Purposive, grammatical, and comparative law methods were used to study the content of legal acts. As a result, the principles of two primary models of White-label banking were established. The ﬁrst model is based on a bank acting only as an outsourcing service provider. In the second model, a bank also operates on the basis of a license it was granted. Both models have a common legal origin in European Union law, but local variations exist depending on the legal system of a given Member State.


Introduction
The concept of White-label services originates from retailers selling goods or services with their own branding and logo while the products are manufactured by third parties (Tardi 2021). Initially, this concept was applied to less complicated solutions, although with the passage of time it became commonplace in relation to electronic economy solutions. More recently, it found its application within the development of financial services. Its first application can be observed within the European Union common market. It is referred to as "White-label banking", "bank in the box", "bank out of a box", or "banking as a platform". An attractive feature of this solution is the possibility for a FinTech to acquire a standardized package of banking services that can be adjusted according to its needs. White-label banking is also referred to as "Banking as a Service" (BaaS), which is similar to the concept of Software as a Service (SaaS).
In the case of financial services, strict legal regulation-which is primarily aimed at protecting the interests of financial services users-may represent a barrier to the development of the White-label concept. Thus, it seems important to examine whether the current regulations, in particular the acquis communautaire, are not an obstacle to the functioning of the White-label models in relation to banking services. It may also be important to identify barriers to the development of BaaS by the national legal systems of the Member States.

Literature Review
With reference to the literature on the subject, the concept of Open Banking is relatively well-developed concerning financial services. The idea of Open Banking covers innovations resulting from the second payment services directive (PSD2), that is a payment initiation service (PIS) and an account information service (AIS), as well as a wider type of financial service provided by FinTechs, such as BaaS. At the same time, the phrase BaaS is also used to describe the PIS and AIS (also PSD2) cloud-based models for providing services.

of 11
The term "Open Banking As a Service" (Farrow 2020) is used for this purpose. The law of the European Union is based on the so-called technological neutrality principle. The law stipulates the legal requirements in relation to the services provided, rather than the technical method applied. The method may, however, cause certain legal challenges to be addressed, especially with respect to the use of blockchain technology (Wang et al. 2020). The entry into force of the PSD2 directive also caused the creation of special open banking platforms, for example CBI Globe-Global Open Banking Ecosystem originating in Italy (Passi 2018). The idea of Open Banking materializes through the gradual opening of banks' own infrastructure to external entities. It is indicated that Commerzbank, for example, provides external entities with over 100 functionalities, e.g., in the field of accounts, cards, payments, securities (Berentzen et al. 2021). At the same time, banks show a certain delay in implementing the concept of open banking, which may also cause an effect in the reluctance of users to share their banking data (Wossidlo and Rochau 2021). New entrants will try to earn revenue from improving on the interaction between banks and end users (Bär and Mortimer-Schutts 2020). The idea of Open Banking also points to barriers faced by non-banking entities wishing to provide financial services. An example may be the limitations of non-banking entities in accessing payment systems, in particular the so-called designated payment systems (Górka 2016).
The "opening" of banking has had an impact on facilitating access to financial services and financial inclusion (Kokkinis and Miglionico 2020). This applies also to services provided within banking as a service model, which enables the provision of financial services by entities outside of the traditional banking sector.
With regard to BaaS, it is indicated that the provision of services based on the concept of banking as a platform has become possible primarily due to the digital transformation of the sector (Naimi-Sadigh et al. 2021). Contrary to the innovation that has taken place in the form of the possibility of service provisions by TPP (payment initiation and account information services), the idea of White-label banking was not introduced "top-down" by adopting a directive similar to PSD2. The development of White-label banking is rather a bottom-up concept, although it is possible that such services will sooner or later be regulated separately. The added value of this article is one of the first analyses of the White-label banking model in legal and broader economic literature.

Methodology and Limitations
The main goal of this article is to verify the current legal basis for the functioning of two models of White-label banking: the model based solely on outsourcing and the model where banking services are provided with a license from a bank or a payment service provider. The study shows that both of these models are based on the law of the European Union. In the case of the analyzed national regulations in force in Germany and Poland, it was found that there are certain differences which do not necessarily affect the legality of the model itself.
The methodology of the article seeks to examine some of the existing models of Whitelabel banking functioning across the European Union and determine their embedding within the existing EU regulations. Due to the variety of acquis communautaire, some of the legal acts are directly applicable in the legal systems of the EU member states (e.g., regulations). Other acts need transposition into the national law (e.g., directives, and other acts of soft-law). In the latter case, the examination of EU law may be insufficient and thus a verification of the respective national legal system should be undertaken. The purpose of the article is to determine the theoretical and legal conception of White-label banking. As a consequence, the scope of the examination of practical cases is non-exhaustive and limited to some of the most representative White-label banking models. The juridical examination takes into consideration German and Polish national law as examples of the transposition of the EU-law.
The "BaaS" or "White-label banking" expression shall be applicable not only to the provision of such services by banks, but also other licensed entities, such as electronic money institutions (IEMI) and payment institutions (PI). For practical reasons, in this article, references to White-label banking or BaaS as services rendered by banks also refer to similar services provided on the basis of an EMI or PI license, to the extent permitted for EMI and PI by law.

Three Basic Models of Bank-FinTech Integration
In general, there are three models of bank-FinTech integration: (1) the "full" integration model; (2) the model in which the bank is "lending" its banking license to the FinTech; and (3) when the FinTech is operating under its own license as a bank/payment institution/electronic money institution and the bank is acting as an outsourcing service provider. The latter two models correspond to the common name of White-label banking.
There is also an extensive area of banking activity and relevant regulation, also known as Open Banking. This idea is based on "open" access to bank accounts for FinTechs-in Europe-according to Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2). The access, however, does not require the bank's consent which is the fundamental difference to a bank-in-a box model described in this article. The PSD2 Third Party Access solutions were developed in response to market needs. Before the PSD2 and standardization TPP, access to bank account data was often gained via so called "screen scraping". This process was based on accessing the account by TPP with the use of client's confidential credentials, without the consent of the bank, as opposed to a "direct feed" (gaining access on the basis of a contract with the bank).

"Full Integration" Model
The first model is to fully integrate the FinTech into the systems of the bank (via an acquisition of the business of the FinTech, e.g., by merger, contribution in kind, acquisition of part of the enterprise). The services of the FinTech are "acquired" and provided as services of the bank. The bank performs all its activities essentially by itself and assumes responsibility for proper service levels and potential client losses. The services provided are branded as the bank's services. In this model the bank is providing its services with little change to its pre-existing business model. Such a framework does not necessitate the use of third-party resources to provide the FinTech services. Therefore, it is not considered to be a variation of the White-label banking model.

"License Lending" Model
The second possibility is to "lend" the license of the bank to the FinTech. Regarding the services provided in this model, the FinTech acts as an outsourcing services provider to the bank. The bank simultaneously enters into a relationship with the client through the FinTech, acting as an intermediary (agent). In terms of contractual obligations, this model is based on an outsourcing agreement between the bank and the FinTech, an intermediary agreement between the bank and the FinTech, and a banking service agreement between the bank and the client. The banking services agreement with the client is concluded through the FinTech acting as an Intermediary. See Figure 1.
There are already businesses in existence which use this BaaS concept. One good example may be the Solarisbank AG, which is being called a technology company with a German banking license. Solarisbank offers Banking as a Service products on the German market. It provides a payment solution: Samsung Pay, which is advertised as a "comprehensive mobile payment solution in the market with an integrated installment product (Splitpay) and a novel KYC process" (How Solarisbank and Visa Enable Samsung Pay in Germany 2021). Additionally, in cooperation with SMAVA, Solarisbank offers consumer credits in Germany (Kredit2Day online beantragen 2021). The services outsourced by Solarisbank to SMAVA are implementation, control, and monitoring of the entire credit process, in particular: (a) data processing, servicing, the provision of loan application documents, the query of data stored with credit agencies, preliminary loan decisions, the conclusion of the loan agreement on behalf of the service bank, the dunning process, and the safekeeping of the contractual documents; (b) a credit check at SCHUFA Holding AG; (c) implementation of the reminder process for defaulting borrowers (the choice of the time and content of the text reminders of defaulting borrowers). There are already businesses in existence which use this BaaS concept. One good example may be the Solarisbank AG, which is being called a technology company with a German banking license. Solarisbank offers Banking as a Service products on the German market. It provides a payment solution: Samsung Pay, which is advertised as a "comprehensive mobile payment solution in the market with an integrated installment product (Splitpay) and a novel KYC process" (How Solarisbank and Visa Enable Samsung Pay in Germany 2021). Additionally, in cooperation with SMAVA, Solarisbank offers consumer credits in Germany (Kredit2Day online beantragen 2021). The services outsourced by Solarisbank to SMAVA are implementation, control, and monitoring of the entire credit process, in particular: (a) data processing, servicing, the provision of loan application documents, the query of data stored with credit agencies, preliminary loan decisions, the conclusion of the loan agreement on behalf of the service bank, the dunning process, and the safekeeping of the contractual documents; (b) a credit check at SCHUFA Holding AG; (c) implementation of the reminder process for defaulting borrowers (the choice of the time and content of the text reminders of defaulting borrowers).
Another White-label Solarisbank product is "HeyCash". It is the brand of the consumer credit product offered by Solaris in cooperation with a German-seated company Verivox (SolarisBank Kredit 2021). Yet another example is FinTech Vivid which has established a subsidiary in Germany. Vivid is working together with Solarisbank by providing accounts and payment services. Vivid is a provider of a mobile applications and a website www.vivid.money (Vivid Europe 2021).
By enabling the use of the Vivid App, Vivid provides its own services: (a) access to a bank account (but the bank account is opened with Solarisbank); (b) access to a debit card (but the debit card is issued by Solarisbank); (c) access to a foreign currency account (but the FX account is opened with Solarisbank); (d) possible further services provided by Vivid.
Solarisbank provides its various services in relation to the bank-in-the-box model in cooperation with Tomorrow GmbH which is a limited liability company headquartered in Germany (Tomorrow 2021). Another White-label Solarisbank product is "HeyCash". It is the brand of the consumer credit product offered by Solaris in cooperation with a German-seated company Verivox (SolarisBank Kredit 2021). Yet another example is FinTech Vivid which has established a subsidiary in Germany. Vivid is working together with Solarisbank by providing accounts and payment services. Vivid is a provider of a mobile applications and a website www.vivid.money (Vivid Europe 2021).
By enabling the use of the Vivid App, Vivid provides its own services: (a) access to a bank account (but the bank account is opened with Solarisbank); (b) access to a debit card (but the debit card is issued by Solarisbank); (c) access to a foreign currency account (but the FX account is opened with Solarisbank); (d) possible further services provided by Vivid.
Solarisbank provides its various services in relation to the bank-in-the-box model in cooperation with Tomorrow GmbH which is a limited liability company headquartered in Germany (Tomorrow 2021).
Another company which adopted the bank-in-the-box model is Treezor. Treezor has a license as an Electronic Money Institution in France ). Treezor has developed two models of cooperation: "glending" the EMI license, or acting solely as a technical services provider (see the next point for explanation).
Treezor cooperates with ZELF-Latvia to offer virtual cards for consumers in France and Spain (Zelf and Treezor signed a partnership in 2020, (Treezor 2020)). It works with Lydia to offer consumer credit cards in France, the UK, Spain, Ireland, Portugal (Lydia 2021), and with Finom to offer business debit cards in Holland (FINOM 2021).

Bank Acting as an Outsourcing Services Provider
The third model of bank-FinTech cooperation is based on the concept of a bank (also electronic money/payment institution) acting as an outsourcing services provider for a FinTech. The bank is not "using" its banking license to provide such services. On the contrary, the model requires the Fintech to have its own relevant license. It may be a license to act as a credit institution, payment institution or electronic money institution, depending on the services offered. In this model, the FinTech is the direct counterparty to the client in providing licensed services. It assumes liability on behalf of the client for its services, and is responsible for business obligations toward the client. It is also required to perform all the necessary AML (anti-money laundering) obligations, in particular, to identify the client and the beneficial owner. See Figure 2.
Lydia to offer consumer credit cards in France, the UK, Spain, Ireland, Portugal (Lydia 2021), and with Finom to offer business debit cards in Holland (FINOM 2021).

Bank Acting as an Outsourcing Services Provider
The third model of bank-FinTech cooperation is based on the concept of a bank (also electronic money/payment institution) acting as an outsourcing services provider for a FinTech. The bank is not "using" its banking license to provide such services. On the contrary, the model requires the Fintech to have its own relevant license. It may be a license to act as a credit institution, payment institution or electronic money institution, depending on the services offered. In this model, the FinTech is the direct counterparty to the client in providing licensed services. It assumes liability on behalf of the client for its services, and is responsible for business obligations toward the client. It is also required to perform all the necessary AML (anti-money laundering) obligations, in particular, to identify the client and the beneficial owner. See Figure 2. A good example of the implementation of this model is the activity of Railsbank. Railsbank was founded in Great Britain by entrepreneurs Nigel Verdon and Clive Mitchell. It is a global banking and compliance platform that gives companies access to wholesale banking services. Railsbank turbo-charges the upscaling of businesses by significantly reducing the time and complexity associated with opening bank accounts, streamlining technical integration with banks, and enhancing banking functionality with core Railsbank services" (Verdon 2021). Railsbank is the card-issuing UK banking license holder. This notwithstanding, it is essentially a provider of technical outsourcing services. Its FinTech partners have their own banking/EMI/PI licenses and use their own brands to market their services. One of the FinTech partners is Wirex Limited, which is authorized by the Financial Conduct Authority as an e-money institution (Wirex 2021).
Another FinTech partner for Railsbank is the US-based Unifimoney. According to information available online, Railsbank will offer its complete platform, including banking as a Service, Cards as a Service, Compliance as a Service, and Credit Card as a Service (to a FinTech and "brand" customers in the US (Railsbank and Unifimoney 2021). Unifimoney is a FinTech partner of several financial institutions. The accounts held at those financial institutions are separate from the accounts of Unifimoney and are subject to separate terms, conditions, and restrictions, such as agreements governing the credit cards available through their Platform, which are concluded between the FinTech partner and the client (Unifimoney Terms of Service 2021). Deposit product services are offered by UMB bank. A good example of the implementation of this model is the activity of Railsbank. Railsbank was founded in Great Britain by entrepreneurs Nigel Verdon and Clive Mitchell. It is a global banking and compliance platform that gives companies access to wholesale banking services. Railsbank turbo-charges the upscaling of businesses by significantly reducing the time and complexity associated with opening bank accounts, streamlining technical integration with banks, and enhancing banking functionality with core Railsbank services" (Verdon 2021). Railsbank is the card-issuing UK banking license holder. This notwithstanding, it is essentially a provider of technical outsourcing services. Its FinTech partners have their own banking/EMI/PI licenses and use their own brands to market their services. One of the FinTech partners is Wirex Limited, which is authorized by the Financial Conduct Authority as an e-money institution (Wirex 2021).
Another FinTech partner for Railsbank is the US-based Unifimoney. According to information available online, Railsbank will offer its complete platform, including banking as a Service, Cards as a Service, Compliance as a Service, and Credit Card as a Service (to a FinTech and "brand" customers in the US (Railsbank and Unifimoney 2021). Unifimoney is a FinTech partner of several financial institutions. The accounts held at those financial institutions are separate from the accounts of Unifimoney and are subject to separate terms, conditions, and restrictions, such as agreements governing the credit cards available through their Platform, which are concluded between the FinTech partner and the client (Unifimoney Terms of Service 2021). Deposit product services are offered by UMB bank.
Yet another example of a FinTech is Statrys, a company active in Hong Kong and Singapore. It is a partner of Railsbank and offers local currency accounts to Asian SMEs. Statrys is licensed as a Money Service Operator in Hong Kong and Small Payment Institution in the UK (The Ultimate B2B Payments Guide 2021).

European Regulations
Two fundamental components of the EU legal and economic systems are the freedom to provide services and the freedom of establishment. This guarantees the mobility of businesses across the EU. The legal basis of these principles are articles: 26 (internal market), 49 to 55 (establishment), and 56 to 62 (services) of the Treaty on the Functioning of the European Union (TFEU). According to art. 56 of the TFEU, restrictions on freedom to provide services within the Union is prohibited with respect to nationals of Member States who are established in a Member State other than that of the person for whom the services are intended. Essentially, this legal framework ensures that companies established in one of the Member States are entitled to provide services in another Member State, either directly (cross-border) or by establishing a brand.
Separate special regulations, however, are in force for banking activities.
The directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD4) enables the possibility of "passporting" the services.
According to the principle of single authorization, the decision to issue an authorization valid for the entire EU shall be the sole responsibility of the competent authorities of the home Member State. A financial institution may then provide the services, or perform the activities, for which it has been authorized, throughout the Single Market, either through the establishment of a branch or the free provision of services.
According to the annex 1 to CRD4 (as amended by the Directive (EU) 2019/878-CRD5), the mutual recognition by all Member States includes, i.a., the following activities:

Outsourcing Arrangements
Legislation concerning outsourcing arrangements is not harmonized amongst EU members at the present time. The EU legal act concerning outsourcing has the status of Guidelines issued by EBA-the EBA Guidelines on outsourcing arrangements from 2019 (EBA Guidelines). These arrangements are considered to represent so-called "soft legislation". Notwithstanding its status as guidelines only, they have to be observed by national supervision authorities.
Additional local regulations concerning outsourcing exist in various Member States. In Germany for example, it is the German banking Law-Gesetz über das Kreditwesen (Kreditwesengesetz, KWG)-but also the Guidelines of the German banking Association from 2019 (Outsourcing Guidelines German Bankenverband 2019). As a general rule, in the case of outsourcing activities in relation to a third party, the legal rules relevant to the outsourcing party are applicable.

Mortgage Credit Intermediaries
On the EU-level legal harmonization exists only with respect to mortgage credit intermediaries. This activity is covered by the Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to immovable residential property (Mortgage Credit Directive). According to Art. 29 of this directive, Member States shall ensure that all admitted credit intermediaries, whether established as natural or legal persons, are entered into a register with a competent authority in their home Member State. Member States shall ensure that the register of credit intermediaries is kept up to date and is publicly available online. There are also EBA Guidelines on passport notifications for credit intermediaries under the Mortgage Credit Directive from 2015.
According to the Mortgage Directive there is an obligation to establish a register for intermediaries with regard to mortgage credits.

Consumer Credit Intermediaries
The definition of credit intermediary is set up in the directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers (Consumer Credit Directive). According to this directive, a "credit intermediary" is defined as a natural or legal person who is not acting as a creditor and who, in the course of his trade, business, or profession, for a fee, which may take a pecuniary form or any other agreed form of financial consideration: (i) presents or offers credit agreements to consumers; (ii) assists consumers by undertaking preparatory work in respect of credit agreements other than as referred to in (i); or (iii) concludes credit agreements with consumers on behalf of the creditor.
The Consumer Credits Directive does not require the set up and maintenance of a register for consumer credit intermediaries. Poland did, however, establish such a register which is kept by the Polish Financial Authority (Polish KNF Consumer Credit Intermediaries Register n.d.).

Deposits and Saving Accounts
The taking of deposits requires a banking license. Electronic Money Institutions and Payment Institutions are not allowed to take deposits. They can provide payment accounts services, but they cannot offer any interest on the funds in these accounts, especially fixed term deposits. As deposit accounts are, in most cases, combined with payment services, the rules of both banking law as payment services law apply to deposit accounts.

Accounts and Cards-Payment Services
As far as banks are concerned, there are two EU legal acts regarding the provision of services in the area of bank and payment accounts and payment services: the CRD4 directive and the PSD2 directive.
Both directives are transposed into the local laws of particular Member States. For Germany and Poland, these are: − In Germany-Kreditwesengesetz, Zahlungsdiensteaufsichtsgesetz (ZAG) and Bürgerliches Gesetzbuch (BGB); − In Poland-Prawo bankowe (Banking law) oraz Ustawa o usługach płatniczych (Payment Services Act).
Both regulations allow for the passporting of payment account services and payment services to another Member State.
In the "license lending" model, the FinTech partner of a White-label bank has the status of: (1) Outsourcing the services provider company for the banking activities; (2) An intermediary for the services of the bank towards the Clients; (3) A company providing its own services to its Clients.
For example, according to Polish banking law from 1997 (art 6a.1) with regard to outsourcing, the outsourcing services provider, when concluding and amending bank account agreements, or concluding and changing the payment card contract, has to be doing it on the basis of an agency contract.
According to PSD2, the FinTech has the status of a so-called Technical Service Provider as it does not come into possession of a clients' funds. This means that it is not bound by the provisions of PSD2 regarding authorization requirements. The PSD2 definition of TSP's services is: services provided by technical service providers, which support the provision of payment services without them entering at any time into the possession of the funds to be transferred, including the processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services (art. 3 j PSD2).
As far as the language is concerned, the PSD2 provisions enable a choice of the language. It is also possible to conclude an agreement and General Terms in the English language. Services offered to consumers, however, should be in the local language (as is in the general market).

Loans
The granting of loans is regulated on the EU level by the CRD4 directive and also bound to passporting rules. The directive is further transposed into the "local" legislation of Member States. These are for example: − In Germany-Kredittwesengesetz and for consumer credits-Verbraucherkreditgesetz from 2010; − In Poland-Prawo bankowe from 1997 (banking law) and for consumer credits-Ustawa o kredycie konsumenckim from 2011 (Consumer Credits Act).
In some of the jurisdictions there may be a requirement for approval as a loan intermediary. This is the case in the German market with a requirement to register as a loan intermediary according to § 34c Gewerbeordnung-German commercial activities law.
According to Polish banking law (art. 48j), a credit institution in Poland may provide services licensed by national supervising authorities. This includes granting consumer credits, although national laws apply to these activities.
There is also a definition of a consumer credit intermediary in the Polish Consumer Credit Act. A credit intermediary is an entrepreneur within the meaning of the provisions of the 23 April 1964 Civil Code, other than a lender who, in the scope of his business or professional activity, obtains financial benefits, in particular remuneration from the consumer. The activity of an agent consists in offering or conclusion of a credit agreement (art. 5 point 3 of the Polish Consumer Credit Act).
There is a requirement for consumer credits intermediaries to register in Poland in the register of credit intermediaries maintained by the Polish Supervision Authority (Polish KNF Consumer Credit Intermediaries Register n.d.). The legal basis for maintaining such a register is the Art. 59da of the Polish Consumer Credit Act.
With regard to consumer credits, each of the Member States may have separate additional requirements for the provision of such services. In an effort to ensure consumer protection, contracts are often scrutinized by consumer protection bodies. They most probably will have been provided in local language.
It is also worth mentioning that in Poland non-banking providers from other Member States are admitted as consumer loan providers (according to Art. 59d of the Polish Consumer Credits Act). Such providers are allowed to act cross-border (via Internet) or by establishing a branch.

Investment Products
Provision of services in the field of investment products by banks is regulated by the CRD4 and bound to passporting rules, including under Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFID2).
There is an example of such (intra-border) cooperation in Germany: Vivid Money GmbH offers the brokerage of transactions on the purchase and sale of financial instruments in the area of foreign exchange exclusively in the name and for the account of the Solarisbank AG. Vivid Money GmbH acts and is recorded as a "tied agent" of Solarisbank AG in the register which is kept by the German Federal Financial Supervisory Authority (BaFin).

Findings
The idea of Open Banking is still a hotly discussed topic in the European payment market following the opportunities opened up by the PSD2 directive. It requires banks to offer a "public" API-access to client bank accounts-to Third Party Providers (TTP). Offering such services does not require an agreement between the bank and the TPP. For the time being, however, PSD2 solutions are limited to payment initiation and account information services. The account data obtained by TPP can be further used for other services, such as AML verification, creditworthiness assessment, or marketing. There are, however, certain limitations regarding the further use of obtained data, particularly the "silent party" data, e.g., the name and bank account number of the payer. This area is covered in the European Data Protection Board Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR from 17 July 2020.
Functioning parallel to PSD2 solutions, there are the developed business models of voluntary cooperation between banks and FinTechs, called White-label banking, Banking as a Service, or Bank in a box. The two models of such cooperations can be distinguished between, on the one hand a bank "lending" its license to a FinTech or, on the other hand, a bank acting solely as an outsourcing service provider and therefore not "using" its banking/electronic payment institution/payment institution license.
As far as the legal theoretical model of White-label banking is concerned, such "unions" of banks and FinTechs are not regulated separately. There is a general rule extending freedom to provide services and freedom of establishment in the Treaty of Functioning of the European Union. Additionally, a system of single authorization of banking activities and "passporting" banking activities to other member states is in place. The same passporting rules are in force for payment institutions and electronic money institutions (PSD2 directive). The services may be provided on the basis of establishing a branch, using an agent or acting cross-border.
With regards to outsourcing in the EU financial sector, the regulations are of the "soft legislation" kind based on guidelines regarding outsourcing arrangements issued by EBA. Generally, the outsourcing process is overlooked by supervision authorities in the Member State of the outsourcing party. Therefore, local rules may apply (such as the Guidelines of German Banking Association or Guidelines on outsourcing of the Polish Supervision Authority).
The bank-in-a box model may be set up with the use of an agent. Apart from mortgage credit intermediaries, there are no harmonized register rules for using agents in the financial services sector. Particular member states may require certain rules (e.g., agency contract) and registration (Poland-for consumer credits intermediaries) or authorization (loan intermediaries in Germany).
Special rules may apply to investment products. In this case, the FinTech partner may be required to register as a tied agent within the meaning of the MIFID2 Directive.
Various issues may arise when using the White-label banking model. In particular, the "lending" of the license model. In this model, a product is offered and branded by a FinTech, but the legal responsibilities remain with the bank/electronic money institution/payment institution. In the cross-border model, the supervising authorities of the member state of origin are bound to the supervision of such activities. This may be particularly important when offering savings account services. In the case of "lending" the license model, deposits shall fall under the guarantee scheme of the original Member State of the bank.
In considering the White-label banking model, certain managerial implications arise. The model is an opportunity for banks/EMI/PI to commercialize their assets. They can outsource back-end resources and can also use their license to obtain additional profits. The relationship with the client (e.g., marketing, closing of contract, servicing the contract, reminder process) may lay with the FinTech. The FinTech is not required to undergo an often complicated and costly authorization process. As far as the bank/EMI/IP assumes its responsibility in this model, the relationship between the bank and the FinTech should be shaped strictly according to the EU and local member state law. The involvement of other contracting party, however, is associated with certain risks. A thorough examination of the reliability and reputation of other party should be conducted. The outsourcing contract itself should not only consider the requirements of the EBA, but also provide rules for the technical cooperation and liability of the other party. It should also take into considerations the provisions of national law-in some cases both of the outsourcing service provider and of the outsourcing party. The risk aspects of the White-label banking model should be addressed in a dedicated and separate article.
The White-label banking model encompasses certain limitations. In the model of "lending" the license, the "natural" limitation is the special type of license which permits use in cooperation with FinTech. The legal requirements vary depending on the special services provided (investment services, payment services, etc.). They may not only take the form of a national statute but also remain in the soft-law, as guidelines or circular letters. On the one hand it is in line with the general EU principle of freedom to provide services and on the other hand it may cause a lack of legal certainty and various requirements depending on national legal systems. While the outsourcing model is to a certain extent harmonized by way of EBA Guidelines, the cooperation "lending" the license-model in which the bank or other licensed entity is using its public law entitlement to provide services within the services of a FinTech is based on general law principles. It would be worth considering the legal "frame" of such services. It may initially be based on the soft law principle, e.g., regulated in a guideline of the European supervising authorities.