Daniel Foa
Daniel holds a Ph.D. in Law and Business at LUISS Guido Carli (Rome) and is an MSc. Candidate in Law and Finance at University of Oxford (F. Bonelli Scholar)

Banking and financial services in the metaverse: Between new operational models, social inclusion and exploitation of individual vulnerabilities

I. Introduction

The metaverse promises to revolutionise human interaction and provides tools to offer innovative products and user experiences. The banking and finance industry has been quick to act and some use cases have already landed on the market. The contribution intends, on the one hand, to identify the characterising elements (and the potential) of the metaverse banking; on the other hand, to provide an initial answer to the question if, in this sector, further user protection is needed for interactions in the phygital environment.

Summary: 1. Metaverse and virtual worlds: defining elements - 2. Applications in banking and finance - 3. Phygital experience and users’ vulnerability

II. Metaverse and virtual worlds: defining elements

Following the rebranding of a major big tech company, the term metaverse entered the common lexicon and is now widely used to refer to an ecosystem that enables three-dimensional and immersive experiences [1]. Considerable market interest has been generated around virtual worlds, so that the EU Commission took a stance: in April 2023, a call for evidence on ‘An EU initiative on virtual worlds: a head start towards the next technological transition’ was launched; it was followed in July 2023 by the publication of an EU Commission Communication on the topic [2]. The latter has the merit of clarifying a number of definitional profiles, identifying the main regulatory issues and outlining the next steps the European Commission intends to pursue. In these documents, the European Commission avoided providing a definition of metaverse, providing instead a notion of virtual worlds (the building blocks on which the broader ecosystem is based) as “persistent and immersive environments, based on technologies such as 3D and extended reality (XR), that allow physical and digital worlds to merge in real time, for a variety of purposes such as designing, simulating, collaborating, learning, socialising, transacting or providing entertainment”. While this definition has the merit of capturing the main elements of the ecosystem, it does not appear sufficiently future-oriented and functional for regulation. An alternative proposal was formulated by me in 2023 [3].

Although still at an early stage of development, virtual worlds promise to revolutionise many areas of human interaction thanks to the possibility of blending the real and virtual worlds, thus making services more attractive; at the same time, they may improve accessibility for geographically distant users, with clear benefits for social inclusion. However, operating in the metaverse is not without risks, both for the end users and for the companies that are involved in various ways in the value chain.

The banking and financial sector will also inevitably be affected by this revolution: new forms of interaction will allow greater penetration in the customer segments that are currently less served, will increase engagement, and improve the user experience thanks to a strong personalisation of services and the immersivity of interaction. In particular, the latter (characterised by the so-called in-web presence, sensoriality and synchronicity) [4] allows users to communicate and interact as if they were actually in the same (virtual) room with their interlocutor. This results in unprecedented applications that could redraw the boundaries of distance communication and call for a rethinking of rules on distance marketing of contracts [5].

These are not abstract issues: the first use cases of banks’ operations in the metaverse already exist [6]. Despite still being characterised by a low level of sophistication, they are a clear indication of the strong interest of credit institutions in developing metaverse banking services. Parallel to the development of new business models, significant legal questions are also beginning to arise: in relation to the theoretical framing of phenomena, the identification of applicable rules, and the assessment of the adequacy of safeguards. Therefore, it seems useful to analyse which peculiar risks are posed by the provision of banking and financial services in the metaverse, in order to make a preliminary assessment of the need for regulatory interventions aimed at dealing with possible regulatory gaps and situations that are currently subject to inadequate protection.

III. Applications in banking and finance

The use cases of virtual worlds by credit institutions that have emerged on the market [7] can basically be grouped into four macro-categories: 1) training programmes for employees of financial institutions; 2) exhibition spaces to showcase their products; 3) virtual spaces where more complex interactions can take place, including the conclusion of contracts; and 4) the provision of innovative services (e.g. custody of NFTs) and traditional services (e.g. payment services) embedded within virtual worlds’ experiences.

The technological context in which these services are offered is therefore relevant both as an ecosystem in which new interactions are enabled (and innovative services are thus developed) as well as a distribution channel.

These concrete applications of metaverse banking require an assessment of the risks involved and consideration of whether the existing rules are sufficient to cope with them. Some of these risks are characteristic of all interactions in the metaverse (e.g., the risks of social exclusion dictated by the digital divide and the risks of exploitation of the vulnerabilities revealed by interaction through avatars), while others are more significant with reference to financial institutions (e.g., cybersecurity in the payment industry). Some of these risks are already covered by specific rules: think of those contained in the GDPR [8] and DORA [9], the latter of which imposes a preventive and reactive approach on financial institutions in managing their digital resilience. However, those may be insufficient due to the operational complexities underlying the metaverse ecosystem.

More generally, both generalist disciplines (e.g., the DSA, Unfair Commercial Practices Regulations) and sector-specific rules apply to the activities of banks in the metaverse. Nevertheless, there is no shortage of applicative challenges. For example, looking at the rules on banking, it can be debated whether metaverse banking services may only be provided through specialised virtual worlds (e.g., the one set up by Kia.ai bank); or whether, on the other hand, the reserve of activity is sufficiently respected when such activities are carried out by authorised entities. Although there might be reasons to create a ‘safety cordon’ around the provision of banking services, banks can in fact offer services through any technological environment that respects the qualitative characteristics imposed by financial regulation, which precisely devotes particular attention to technological risks (see the EBA Guidelines on ICT and Security Risk Management [10]).

Another area of bank operations in the metaverse that raises relevant legal issues is the provision of safekeeping services for digital assets (e.g., such services are offered by Mercobank and Commerzbank).

However, the most distinctive area of metaverse banking is that of direct interaction between bank employees and the customer within a phygital environment (where physical and digital experience are merged). In this context, the immersivity enabled by AR/VR technologies allows for the provision of a personalised experience that is more responsive to the user’s needs, but at the same time raises the problem of the user’s vulnerabilities being exploited.

IV. Phygital experience and users’ vulnerability

In the metaverse, digital vulnerability - accentuated by the possibility of acquiring biometric and cognitive data, including through eye-tracking - and the presence of avatars (which very often are the projection, even in physical connotations, of the human being who acts), together with the strong personalisation of services, can reduce the perception of risks. This may also be determined by unconscious submission to profiling techniques and subjection to unfair commercial practices that increasingly affect awareness of the consequences of one’s choices and actions.

The user, therefore, must be guaranteed a sufficient level of understanding and awareness of the type of activity being carried out: if a service appears to be ‘like a video game’, the investor may not be sufficiently aware of the type of activity being carried out, and of the related risks, including in terms of the possible impact on his or her assets. In fact, the specific modalities of interaction (even in relations with supervised intermediaries) may diminish the understanding of the phenomena and related risks, affecting the user’s decision-making process.

To prevent this from happening, it is necessary for intermediaries to always act in full application of the principles of fairness, good faith and diligence, thus seeking - by every possible means - to sterilise the possible risks arising from such specific additional vulnerabilities [11].

In order to correctly frame the problem of the increased vulnerability of the user in the context of an immersive virtual environment, we need to consider the thoughts elaborated by behavioural finance scholarship: the assumption of the rationality of perceptions clashes with the tendency of individuals to acquire and process information using a limited number of intuitive or heuristic rules; in this way, by means of approximations, the user can reduce the complexity of the system, but not without the risk of systematic and significant errors [12], which lead individuals to make suboptimal choices [13].

Thus, personalisation addresses first and foremost the need to provide services more in line with users’ preferences, but it also allows providers to take advantage of consumers’ cognitive limitations, exploiting individual vulnerabilities with a granular commercial approach [14].

In this context, the question arises as to how the disclosure requirements of the regulatory framework apply and, on the other hand, whether remedies such as the right of withdrawal are effective.

As is well known, in the banking and financial sector, information (and the consequent awareness of the user in making decisions) is fundamental: indeed, lack of clarity in pre-contractual information could lead to choices that are not fully understood and considered, which could have a significant impact on the client’s financial position. In the context of the metaverse, the pitfalls for the investor could then increase considerably due to the complete personalisation of the experience (think of the possibility of providing each individual with an advisor that is compatible with his or her cultural background), capable of triggering familiarity bias phenomena. These are characteristics that will have to be taken into account in the product oversight and governance processes of manufacturers and distributors of metaverse banking products and services [15].

The phygital experience will, therefore, be central to contracting in the metaverse: as anticipated, the feature of immersivity will make even activities performed at a distance ‘in presence’. Moreover, the sensoriality of the metaverse experience (enabled by haptic interfaces) may create novel situations in which customers’ senses may be stimulated in such a way as to push them towards a certain choice (also in view of the data presumably available to the intermediary on the user’s preferences and vulnerabilities). It will therefore be necessary to overcome the differentiation between ‘in-presence’ and ‘remote’ models of protection, since in such an environment the user’s experience - even when at a distance - regains the elements of physicality, in an environment that is much more insidious than in the physical bank.

Nor can it be overlooked that metaverse banking experiences could also include ‘in-presence’ interactions, when augmented reality tools are used, integrating the live and in-presence experience with virtual elements. Therefore, protection tools applied in a purely virtual experience should equally operate in this scenario, as the same vulnerabilities could be exploited (although probably with different intensity) and similar biases could be triggered.

This raises the question of whether there is a need to rethink the regulation of distance contracts, introducing remedies to mitigate user vulnerability in the metaverse (a proposal on the modification of the distance marketing of financial services regulation has already been formulated) [16].

On the one hand, the establishment of purely ex post remedies (such as the right of withdrawal) does not seem to guarantee a sufficient level of protection for the customer, who could suffer a negative and detrimental experience that would undermine his or her trust in the system; on the other hand, the application of the disclosure rules already provided for seems insufficient to neutralise the risks inherent in such contracting models. The duties of disclosure remain central, but will have to evolve in view of the new potential offered by technology: caution will have to be exercised in identifying the information to be shared and the manner in which such disclosure should be made, so that an effective caveat emptor can be realised.

It would then have to be considered whether it is necessary to define the technologies that may be used (and their characteristics), so as to prevent client vulnerabilities from being exploited to the client’s detriment. This would, in theory, conflict with the principle of technological neutrality, but would be justified by the need to achieve goals that are relevant to the legal system, such as the protection of savers/investors and the stability of the financial system. Similar to what has already been envisaged in the proposal to amend the directive on financial services concluded at a distance, it seems desirable to limit the bank’s ability to use tools in its online interface that could distort or impair the ability of consumers to make a free, autonomous and informed decision or choice [17].

Finally, user education will be fundamental: it can improve their understanding of the characteristics of the products and services offered to them, in order to correct any cognitive errors (debiasing) that may occur in the decision-making process. Financial education must, however, be accompanied by effective digital education because in this context, technological phenomena profoundly condition the way in which users’ decision-making processes are formed.


[1] Among others, I. Hupont Torres, et al., Next Generation Virtual Worlds: Societal, Technological, Economic and Policy Challenges for the EU, 2023; Y.K. Dwivedi et al., Metaverse beyond the hype: Multidisciplinary perspectives on emerging challenges, opportunities, and agenda for research, practice and policy, International Journal of Information Management, 2022, p. 66 ff.; T. Madiega et al., Metaverse. Opportunities, risks and policy implications, EPRS (European Parliamentary Research Service), PE 733.557, June 2022.

[2] European Commission, Communication ‘An EU initiative on Web 4.0 and virtual worlds: a head start in the next technological transition’, 11.7.2023, COM(2023) 442/final.

[3] F. Di Porto - D. Foà, Defining Virtual Worlds: Main Features and Regulatory Challenges, Issue Paper, CERRE - Centre on Regulation in Europe, July 2023.

[4] F. Di Porto - D. Foà, Defining virtual worlds, cited, p. 12.

[5] On this point also C.A. Mauro - V. Lemma, Metaverse. Economic entropy and market regulation processes, Open Review of Management, Banking and Finance, May 2022.

[6] S. Sarkar, Banking in Metaverse Opportunities and Challenges, The Management Accountant Journal, 2023, 58.1, p. 65, which offers an examination of the various concrete applications of Metaverse banking today by a number of market participants and M. Abbott, The metaverse has got banks thinking about a radically different future, Forbes, 14 September 2022.

[7] S. Sarkar, Banking in Metaverse, cited, p. 65 ff.

[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[9] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022.

[10] See EBA Guidelines on ICT and security risk management, EBA/GL/2019/04, 29 November 2019.

[11] On the concept of digital consumer vulnerability see F. Lupiáñez-Villanueva, et al., Behavioural study on unfair commercial practices in the digital environment: dark patterns and manipulative personalisation, Final Report European Commission, April 2022.

[12] D. Kahneman - A. Tversky, Prospect theory: an analysis of decisions under risk, Econometrica, 1979, 47, p. 263 ff.

[13] Some research on consumer behaviour has shown a tendency to underestimate the risks of transactions. A premature termination of the search for and collection of relevant information on the transaction they were about to conclude was recorded, due to the intuitive perception that they were already sufficiently informed. See J.A. Luzak, To withdraw or not to withdraw? Evaluation of the mandatory right of withdrawal in consumer distance selling contracts taking into account its behavioural effects on consumers, Amsterdam Law School Legal Studies Research Paper No. 2013-21, Centre for the Study of European Contract Law Working Paper No. 2013-04.

[14] A. Davola, Fostering Consumer Protection in the Granular Market: the Role of Rules on Consent, Misrepresentation and Fraud in Regulating Personalized Practices, Technology and Regulation, 2021, p. 76 ff.

[15] EBA, Guidelines on product oversight and governance arrangements for retail banking products, EBA/GL/2015/18, 15 June 2015.

[16] A proposal on the modification of the distance marketing of financial services regulation has already been formulated, see European Commission, Proposal for a Directive of the European Parliament and of the Council amending Directive 2011/83/EU concerning distance contracts for financial services and repealing Directive 2002/65/EC, COM(2022) 204 final 2022/0147 (COD), 11.5.2022.

[17] In this regard, the introduction of tools to assess the client’s actual understanding of the implications of the use of certain technologies could be useful (even envisaging blocking effects, similar to the suitability test under MIFID). This hypothesis was put forward by F. Annunziata, Retail Investment Strategy How to boost retail investors’ participation in financial markets, Study requested by ECON Committee, June 2023, p. 7.
