
DNS intervention for financial oversight: the misuse of a technical tool

Blog 15-07-2025

In recent years, the Domain Name System (DNS) has attracted the attention of EU regulators in fields spanning from cybersecurity to agricultural policy. There has been a growing trend of including domain names in legislation outside the typical digital sphere. One such area that has emerged as increasingly relevant for registries and registrars is financial regulation. Based on recent EU financial regulations such as MiCA, FiDA and PSR, it is possible to identify the clear direction in which financial oversight is moving. While domain names are critical for almost all digital services available online, this criticality has also translated into a powerful enforcement tool, as EU financial policymakers have recently discovered.

Domain takedowns as an enforcement measure

Recent EU financial regulation started a trend of including a standard domain-deletion clause reserved for supervisory authorities in the financial sector to deal with non-compliant financial institutions. The measure was first spotted in a crypto-assets regulation, an emerging market given the popularity of cryptocurrencies and e-wallets based on blockchain technology. In particular, the Regulation on Markets in Crypto-Assets (MiCA) was the first piece of recent financial regulation to include an extensive list of supervisory and investigative powers for financial supervisory authorities, including the power to order registries and registrars to delete the domain name of a non-compliant crypto-asset provider.

MiCA started a domino effect of including domain name deletion as a standard enforcement measure in every subsequent financial policy initiative. The proposal for the Framework for Financial Data Access (FiDA), and, most recently, the Payment Services Regulation (PSR) negotiations, include a power to order domain name deletion for reasons of consumer protection, data protection, and financial fraud prevention.

EU financial policymakers were clearly inspired by the existing consumer protection legislation, which has included the possibility of domain takedowns since 2017, under the framework of the Consumer Protection Cooperation (CPC) Regulation. However, when transferring certain elements of existing legislation from one area to another, there are some important caveats worth mentioning in connection with the specific cases of MiCA, FiDA and PSR.

Lack of impact assessment

The deletion of a domain name is a drastic measure. It can be equally painful for both the affected business and its customers. If a domain name is deleted, all associated services cease to be available, be it a platform, an online banking application, a website, and all communication services connected to it, including email and live chat. Consequently, it can be a very distressing experience for customers when they are unable to access their bank account or an application, given the sensitive nature of financial matters for individuals and businesses alike. This is true even when the actions ordered by competent authorities are well-intentioned. For these reasons, any punitive action involving domain takedowns must undergo a strict proportionality assessment and be reserved for exceptional circumstances: it should be considered a measure of last resort.

In the CPC framework, the need to include a specific domain takedown measure was justified by gathering evidence in the pre-legislative phase. The impact assessment accompanying the CPC proposal considered challenges that authorities face when trying to reach out to online traders or investigate serious infringements of consumers' collective interests. It also made sense to include an extensive cross-border enforcement mechanism to enable consumer protection authorities to take more effective enforcement action within a single market under the umbrella of an EU-wide coordination network. 

In the context of MiCA and PSR, however, the European Commission did not foresee the need for such an enforcement mechanism in the pre-legislative phase. Consequently, there is a lack of public evidence or debate on the necessity of including it from the outset, as the enforcement measure was added almost at the last minute ahead of the trilogue negotiations.

Although the European Commission included the domain name-level enforcement measure in the initial proposal for FiDA, it did not follow the wording of existing law (neither CPC nor MiCA) and did not include any evidence or justification as to why deleting domain names can be considered an appropriate data protection measure. Fortunately, both co-legislators have aligned the enforcement measure and corrected a technical action that, if retained in its original wording, would have had a detrimental effect on financial customers. These unfortunate hiccups could have been avoided with an informed and evidence-based impact assessment.

Overlapping regimes 

Another reminder of why it is not always the best idea to copy and paste enforcement mechanisms from one piece of legislation to another is the fact that the CPC Regulation is horizontal legislation. It harmonises and provides better enforcement coordination between EU authorities, regardless of the consumer protection area, be it online retail, social media or air travel.

This is a crucial aspect of the CPC coordinated actions, offering legal clarity for all parties involved: businesses, consumers and authorities. Rather than including the enforcement mechanisms in every piece of consumer legislation, the CPC Regulation consolidates and clarifies all the enforcement measures available to authorities under EU consumer protection legislation with cross-border significance. The Annex of the Regulation even provides a list of the relevant consumer protection legislation falling under the CPC framework.

Furthermore, the Annex lists payments as one of the financial areas where the CPC Regulation can be invoked. This makes further developments in financial regulation, especially with regard to the PSR enforcement, redundant and confusing.

The objectives of consumer protection and financial supervisory authorities are completely different, and their areas of responsibility should not overlap. Consumer protection in the financial sector should undoubtedly be a priority, particularly in crypto markets and FinTech. However, the supervisory regime for financial institutions fundamentally differs from consumer protection aims. Even the European Central Bank (ECB) has highlighted the challenges involved in aligning the consumer protection objectives of the FiDA proposal with the supervisory authorities' competences in the financial sector. The ECB's supervisory role is limited to ensuring that credit institutions implement risk management processes and internal control mechanisms relevant for their financial safety and soundness. However, the proposed FiDA regulation pursues an objective of consumer protection that lies outside the scope of financial supervision.

As a result, there are conflicting and overlapping supervisory regimes in the financial sector. One financial service can be subject to multiple supervisory regimes, with the drastic measure of having its domain (and, by extension, the business itself) taken away for every possible mishap. Under FiDA, this could happen simply for not sharing customer data with third parties, as the proposal does not address tackling fraudulent activity itself. The maximum fraud-mitigating obligation of financial institutions under FiDA is mandatory liability insurance in the event of a security policy failure resulting in unauthorised access to data. The deletion of a domain name has no effect on financial customer data that has already been gathered or leaked. It is also not an appropriate way to address data breaches, as it offers no redress mechanism for affected individuals.

Furthermore, it is virtually pointless to establish a conflicting and overlapping supervisory regime for PSR (and, by extension, for e-money under MiCA), since payments are already covered by the CPC regime. Consumer protection authorities can already take action, including ordering the deletion of a domain name as a last resort, in case payment services pose a threat to consumers.

Conclusion

The domain-level enforcement measure has become the latest trend in financial regulation, and despite very little justification as to why such a measure is needed within financial oversight, it is snowballing from one piece of financial regulation to another.

We hope that EU financial policymakers will treat this area of enforcement with due diligence and care. Domain takedowns can be painful and are definitely not an appropriate response to data protection breaches. To protect consumers, it would be beneficial to streamline the work of existing consumer protection experts and invest any additional resources needed to enable them to address consumer issues within the financial sector more efficiently. They already have the necessary enforcement powers to address serious infringements in a cross-border online environment.

Published by Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.