FinTech – technology-enabled innovation in financial services – has developed significantly over recent years and is transforming the way financial services are provided. FinTech solutions using Artificial Intelligence, big data, DLT, cloud computing, quantum computing etc. – coupled with easier mobile access and increased internet speed and bandwidth – are leading to the emergence of new business models, applications, processes and products, with an associated material effect on financial markets and institutions.
The pandemic crisis has accelerated this trend, leading to a further digitalization and transformation of banking and financial institutions. The necessity of adjusting operations, in order to ensure business continuity and the uninterrupted provision of cross-border services, has highlighted the need for mature digital capabilities that can withstand high levels of remote working and provide continuous service to banking IT infrastructure.
Sector transformation. The wave of innovation, coupled with the pandemic crisis, is helping to transform the financial sector, with potential benefits for the global financial system. Fintech would make it possible to increase efficiency in delivering financial services, widen their range, boost competition and promote financial inclusion. New players are entering the financial market and providing services at lower costs, creating new products tailored to customers’ needs, and changing the way credit is extended and investment advice is provided.
However, such an accelerated disruptive wave comes with potentially significant risks. The massive and inevitable shift to digitalization increases financial institutions’ exposure to cyber threats and IT failures.
In light of this changing landscape, regulatory authorities have to face the challenge of balancing innovation – and its benefits to society – with their mandate of safeguarding the safety of financial markets. The key to dealing with this challenge is to move operational resilience and cybersecurity up the regulatory agenda, and to require banks and financial institutions to adopt effective IT risk management processes and controls to address new sources of risk.
New sources of risk
Regulators have to deal with a new ecosystem, where licensed banks and financial institutions stand next to Big-tech or non-bank Fintech (likely start-ups).
The entrance of Big-tech companies into the financial markets presents interesting risks. Big-tech companies have the potential to quickly gain significant market share, which could lead to concentration risks that, in the event of operational failures or cyberattacks, could have a systemic impact on the financial system as a whole. Moreover, the presence of such companies in many countries could result in different levels of supervisory scrutiny, reducing the insight of prudential supervisors into the type and scale of financial activities taking place in other jurisdictions, with the consequence that operational problems that arise in a country with low supervision may spread regionally or even globally.
On the other hand, non-bank Fintech – especially start-ups – face budget constraints and often have minimal risk governance, and may be less capable of complying with the complex and demanding regulations of the financial sector.
Moreover, both Big-tech and non-bank Fintech introduce innovative technologies, which have often not been intensively market-tested and thus are inherently more risky from an operational perspective.
An additional significant challenge is that these new players will create more operational complexity, adding intermediaries in the financial sector and increasing third-party dependencies. It is incumbent on financial institutions to keep pace with emerging technology and customer demands by collaborating with non-bank Fintech or Big-tech companies to deliver certain products. Sometimes, to ensure a more effective service, they must even outsource critical functions to third parties.
The risk of these partnerships is that dependence on external technology providers increases the available attack surface, and increases the likelihood of cascading failures in the event of a successful attack or IT failure.
How are regulators keeping pace?
Principle of same activity, same regulation. A widely accepted principle, inspiring many recent regulatory developments, is that of “same activity, same regulation”, which aims at minimizing entities’ regulatory arbitrage. Emerging technology allows new players to perform activities that were previously conducted only by tightly regulated institutions. The collaboration with non-bank Fintech or Big-tech companies (e.g. for the outsourcing of critical functions or the delivery of certain products) could lead to the shift of risk-generating business activities between entities in search of lighter regulatory control.
To keep pace with the disruptive wave, regulators must move from institution-based regulation to activities-based regulation (i.e. the same activity creating the same risks should be regulated by the same rules, regardless of who is undertaking it). The goal is the creation of a level playing field between incumbents and new market entrants, where all entities involved in a specific regulated activity should be subject to the same rules, regardless of their nature or legal status.
The Achilles heel of this principle is that the same activity may generate different risks depending on who performs it. For example, Big-tech perform financial activities along with a wider business portfolio, thus they could generate systemic risks not only from strictly financial activities, but also through the risks generated by each activity of their business portfolio. It could be argued that a stricter supervisory focus on these entities is needed, but this would again be a departure from the principle of same activity, same regulation.
Activity-based regulation cannot preserve by itself the safety of financial markets in this new technological environment. Nevertheless, it should be considered a complement to institution-based regulation, rather than a substitute for it.
Adapting regulation for technology, and technology for regulation. Another leading principle that is driving regulators is adapting regulation for technology, and technology for regulation. Such a principle responds to the need to keep regulation agile in the face of new and changed risks caused by the use of innovative technologies, and at the same time seize any emerging opportunities.
Such a principle is embedded in the creation of innovation hubs and regulatory sandboxes, and it is the response of supervisory authorities to the introduction of innovative technologies that have not been intensively market-tested.
The provision of a space for an open dialogue on innovative applications is a useful way, on the one hand, to encourage banks and financial institutions to launch innovative solutions and, on the other hand, to control (and test) the impact of new technologies in the market. Entities, in the safe environment of innovation hubs and regulatory sandboxes, may experiment with new financial products or services in a defined space and time, while limiting the consequences of possible failure.
This scheme enables supervisory authorities to monitor innovation activities, understand related risks, and foster innovation in a level playing field.
Suptech. Supervisory technology (Suptech) is the use of innovative technologies by supervisory authorities to support supervision. Suptech would be the best way for regulators to ride the disruptive wave.
Policymakers should seize the opportunity to explore Suptech and gauge where it can make the most impact. It could be applied, for example, in the area of data collection (e.g. automated reporting, real time monitoring) and data analytics (e.g. market surveillance, misconduct analysis, micro/macro prudential supervision).
Suptech can be used to enhance effectiveness, reduce costs and improve capabilities. It could potentially transform risk and compliance monitoring since, as technology develops, it will be possible to anticipate the behavior of regulated entities and their risk exposure. Suptech will never be able to replace human ability to catch nuances and subtleties but, through data collection and analytics, it can enrich, support and complement supervisory judgement (e.g. detecting AML and CFT infringements, or identifying fraud through detection of unusual transactions, relationships and networks).
Suptech examples. In light of the above, several institutions around the globe are adopting emerging tech to regulate the evolving financial markets.
The Monetary Authority of Singapore (MAS) has set up a team focused on data analytics in the AML/CTF sector. The team has applied network analysis techniques to suspicious transaction reports, supplemented by data collected from financial institutions and intelligence from law enforcement, in order to identify networks of suspicious activity across the financial sector. As stated by MAS at a conference in 2019: “We are working to add transactional information to this dataset, and augmenting our capabilities with natural language processing and machine learning tools to more effectively detect and prioritise networks for scrutiny.”
Another example of this trend is that the Bank Innovation Hub (through its Singapore Centre) and the Saudi G20 Presidency have launched the TechSprint initiative to highlight the potential of new technology to tackle regulatory and supervisory challenges, and have invited private firms to develop innovative technological solutions.
In this rapidly evolving environment, a continuous dialogue between market players and supervisory authorities is essential, in order to encourage information and knowledge sharing and enhance collective understanding of innovative technologies, while also considering the global scope and scale of the innovation and business models of many new players. Regulators should plan a market intelligence strategy that sets out a clear roadmap with actions to keep pace with this environment.
These actions must include:
- Targeted amendments to legislation and policies.
- Cross-border initiatives.
- Cooperation with other supervisory authorities and key players.
- Incorporation of supervisory technologies (Suptech) as a core strategic element of banking supervision.
In riding the disruptive wave, regulators have to continuously adapt their supervisory approach to the new needs of the financial market. Their continuing challenge is to promote a common understanding of Fintech-related risks and assess the potential impact of these new activities on consumers and investors, while also avoiding any unduly restrictive action that would inhibit the development of new and promising innovations.
Financial authorities have the new aim of ensuring financial stability and the soundness of the market, while also foreseeing the potential societal benefits of strengthening innovation, financial development, inclusion and efficiency.
Andrea Rigoni – Cyber Risk Partner, Government and Public Services, at Deloitte Risk Advisory S.r.l.
Susanna Savarese – Cyber Risk Analyst, Government and Public Services, at Deloitte Risk Advisory S.r.l.
- Expert Group on Regulatory Obstacles to Financial Innovation (ROFIEG), “Thirty Recommendations on Regulation, Innovation and Finance”, Final Report to European Commission, 13 December 2019
- BIS, Basel Committee on Banking Supervision, Sound Practices, “Implications of fintech developments for banks and bank supervisors”, February 2018
- Dirk Broeders, Jermy Prenio, BIS, Financial Stability Institute, FSI Insights on policy implementation No 9 “Innovative technology in financial supervision (suptech) – the experience of early users”, July 2018
- European Commission, “FinTech Action plan: For a more competitive and innovative European financial sector”, 8 March 2018
- Financial Stability Board, “FinTech and market structure in financial services: Market developments and potential financial stability implications”, 14 February 2019
- Johannes Ehrentraud, Denise Garcia Ocampo, Lorena Garzoni, Mateo Piccolo, BIS, Financial Stability Institute, FSI Insights on policy implementation No 23 “Policy responses to fintech: a cross-country overview”, January 2020
- World Bank, Cambridge Centre for Alternative Finance, “Regulating Alternative Finance: Results From A Global Regulator Survey”, 2019
- Johannes Ehrentraud, Denise Garcia Ocampo, Camila Quevedo Vega, BIS, Financial Stability Institute, FSI Insights on policy implementation No 9, “Regulating fintech financing: digital banks and fintech platforms”, August 2020
- Fernando Restoy, BIS, “Regulating fintech: what is going on, and where are the challenges?”, October 2019
- European Central Bank, “ESCB/European banking supervision response to the European Commission’s public consultation on a new digital finance strategy for Europe/FinTech action plan”, August 2020
- Ms Loo Siew Yee, Assistant Managing Director at MAS, “Combatting Financial Crime through New Technologies Built on Strong Fundamentals”, Key Note Speech at the International Compliance Association Annual APAC Conference, 16 October 2019 https://www.mas.gov.sg/news/speeches/2019/combatting-financial-crime-through-new-technologies-built-on-strong-fundamentals