Author(s): Fernando Restoy
Date published: Feb 2020
SUERF Policy Note, Issue No 134
by Fernando Restoy1
Bank for International Settlements
The article reviews recent policy developments in the area of fintech. Leveraging on the FSI’s fintech tree concept, policy initiatives are classified into three groups: (i) those relating to the regulation of new fintech activities (eg digital banking, crowdfunding, e-money, robo-advice); (ii) requirements for the use of new technologies (eg cloud computing, artificial intelligence/machine learning); and (iii) policy enablers (eg digital identities, innovation hubs, sandboxes). It also discusses pending challenges, focusing on the need to strike the right balance between promoting orderly innovation and preserving market integrity, financial stability, consumer protection and a level playing field. Finally, it stresses that the principle of “same activity, same regulation” does not provide the full answer to regulatory challenges. The same activity performed by different entities (deposit-takers versus non-deposit-takers, regular fintechs versus big techs) generates different risks. Therefore, activity-based regulation should be considered as a complement to rather than as a substitute for entity-based regulation.
Issues relating to technological developments loom large in the current debate on the prospects and challenges of the international financial system. This article focuses on policy actions undertaken to address the implications of the use of new technologies by financial market participants.
In fact, it is a major challenge everywhere to design an adequate policy framework for fintech.2 On the one hand, authorities need to help bring the potential benefits of technological developments to fruition, for the good of the economy and the financial system. Fintech promises to increase efficiency in delivering financial services, widen their range, increase competition and promote financial inclusion. On the other hand, policymakers must address a set of risks that could merit public intervention. In particular, increasing reliance on technology and unregulated third-party providers throws operational risks into sharper relief; new payment systems and instruments could compromise market integrity and, ultimately, the monetary system; new products may be mis-sold to consumers who do not understand their risks or cannot afford to bear them; and the business opportunities created by new technologies may erode privacy and encourage unethical conduct.
To varying degrees, regulators are striving to deal with all those challenges across a number of jurisdictions. But it remains to be seen whether these policy actions will be enough to safeguard an orderly modernisation of the financial industry, let alone address the ongoing risks that technology poses to the achievement of key social objectives.
This article analyses current developments in the fintech domain and related policy challenges. For that purpose, it draws on the ongoing work at the BIS and, in particular, a recent FSI study on national and global policy initiatives to adjust existing financial regulation to new activities and players.3 It is structured as follows: Section 2 provides a conceptual framework for the classification of policy initiatives in the fintech domain (the fintech tree); Section 3 describes the policy approaches followed in each relevant dimension; Section 4 identifies pending policy challenges; Section 5 discusses the limits of the concept “same activity, same regulation”; and finally, Section 6 provides some concluding remarks.
Fintech-related policy measures can be usefully classified into three groups: (i) those that directly regulate fintech activities; (ii) those focus on the use of new technologies in the provision of financial services; and (iii) those that promote digital financial services more specifically. This classification. as proposed in Ehrentraud et al (2020, op cit), can be illustrated by means of a fintech tree, where the treetop represents fintech activities, the trunk enabling technologies and the roots enabling policies (Figure 1).
Figure 1: The fintech tree – a taxonomy of the fintech environment
Source: J Ehrentraud, D García Ocampo, L Garzoni and M Piccolo, “Policy responses to fintech: a cross-country overview”, FSI Insights on policy implementation, no 23, January 2020.
The first group of measures relates to the regulation of specific activities such as digital banking, peer-to-peer (P2P) lending or equity-raising, robo-advice and payment services. The second group includes new rules or guidelines on market participants’ use of technologies such as cloud computing, biometrics and artificial intelligence. The third group covers enabling policy initiatives such as those related to digital identities, data-sharing and the establishment of innovation hubs, sandboxes and accelerators. Over the last few years, most jurisdictions have applied policy measures in some or all of these three areas. The next section outlines the various types of policy initiative.
Adjusting the regulatory perimeter
In general, technological developments have not yet resulted in any major upheaval in the structure of financial regulation. In terms of their core content, the rulebooks on prudential safeguards, consumer protection and market integrity remain broadly unaffected.
In particular, a banking licence is still required for any activity entailing a substantial risk transformation of funds raised from the public. When non-banks are allowed to source cash from the public – typically for payment services – they face severe restrictions in terms of safeguarding customers’ funds. Examples are maximum volumes, such as the CHF 100 million cap for fintech licence holders in Switzerland; and ample liquidity coverage, such as the 100% reserve requirements for outstanding client balances (the float) in Brazil and China. Moreover, little has been done to develop specific licensing requirements for digital banks. In some jurisdictions – as in the euro area4 – supervisors have issued guidance on how standard requirements would apply to the new business models. However, only a few jurisdictions – notably Hong Kong SAR5 and Singapore6 – have formulated specific licensing requirements for banks centred on digital services.
A similar approach has been followed in other areas such as investment advice (robo-advice) or insurance services (insurtech).7 In general, no specific licensing regime has been foreseen for those activities, although a number of market supervisors have communicated specific supervisory guidance or expectations.8
Specific licensing and conduct-of-business requirements have been established for several activities such as issuance of e-money, provision of payment services, and equity and loan crowdfunding. In most cases, regulatory requirements focus on consumer and investor protection – in particular, the safeguarding of customers’ funds – anti-money laundering (AML) and combating the financing of terrorism (CFT), and operational resilience.
Regulation on cryptoassets and related activities differs markedly across jurisdictions. In general, approaches depend on the nature of the issuer (whether regulated or unregulated), the function performed (eg means of payment, investment opportunity or access to services) and the existence and nature of underlying assets (securities, commodities etc). Authorities have often issued warnings – mostly referring to the use of cryptoassets for investment purposes – and clarifications on the regulation applied to issuers, holders and intermediaries. Moreover, several authorities have banned specific cryptoasset-related activities (eg Belgium, China, India and Mexico).
Regulating the use of enabling technologies
While regulators generally aim to be technology-neutral, some jurisdictions have made moves to address both the positive implications of and the risks arising from the use of specific innovations. As an example of supporting policy, the use of application programming interfaces (APIs) has been explicitly promoted to facilitate open banking – in the European Union, Mexico and Singapore, among others.
In some instances, authorities need to take action to provide legal certainty for the effective application of technological innovations in the financial industry. This would be the case, for example, if distributed ledger technology (DLT) is to be accepted as providing finality in the settlement of securities transactions. The same would be true for the use of biometrics to identify customers in regulated transactions (such as opening a bank account).
In most cases, however, policies have focused on limiting the potential risks associated with the use of a technology. In particular, as regulated financial institutions make increasing use of cloud computing, authorities have already set requirements (as in Brazil) or issued recommendations (as in the European Union) to control and manage the operational risks involved.
Some authorities are also taking action to address the risks posed by the misuse of artificial intelligence and machine learning algorithms – for instance, in credit or insurance underwriting. Such actions include, in Luxembourg and Singapore, publication of papers that underline the risks arising from the inadequate handling of personal data, poor governance, lack of transparency and unethical behaviour; and, in Singapore, issuance of high-level principles for firms to follow in controlling these risks.9
Most jurisdictions have adopted policies to create the infrastructure for digital services. These include reforms to allow financial institutions to use digital technologies to identify and verify customers without their physical presence.
In some jurisdictions (such as Hong Kong SAR, India and Singapore), authorities have put in place a centralised platform that provides residents with a unique electronic key that can be used for verifying their identity in all types of transaction, with both the public and the private sector.
Other jurisdictions have moved to regulate the exchange of customers’ information between different players. In the European Union, the new Payment Systems Directive (PSD2) establishes the transferability – given customers’ consent – of payment account data held by payment service providers (including banks) among themselves and to third-party providers such as account aggregators or payment initiators. In India, a centralised system stores, protects and facilitates the exchange of customer financial data that can be fed by and released to financial firms with their clients’ consent.
In addition, most advanced and emerging market economies have set up various types of arrangement aimed at promoting an orderly application of new technologies in the financial industry. Those arrangements take the form of innovation hubs as well as regulatory sandboxes and accelerators.
Innovation hubs are the most widespread of these facilitators. They provide support and guidance to innovative firms or products, to facilitate a good understanding of regulatory requirements. A number of jurisdictions have also created regulatory sandboxes that allow the risks associated with new business models to be assessed in a controlled environment. So far, sandboxes have been used mainly to assess whether consumers would be adequately protected in using new applications, products or services. Approaches vary in terms of criteria for accepting projects, testing parameters, application process and exit strategy. In some cases the final outcome is simply an authorisation to continue offering the tested products or services, while in others it may also include an adjustment or a formal clarification of existing regulatory requirements. Only a few jurisdictions (eg France and the United Kingdom) have created innovation accelerators that explicitly support projects which could be directly relevant to central banking operations or supervisory oversight.
The overview provided in Section 3 suggests that authorities have so far taken a piecemeal approach to policy, resorting to a wide array of measures to meet a variety of policy objectives. To date, it appears that regulations on new fintech activities and technologies have focused more on curbing risks in consumer and data protection and operational resilience but rather less on strengthening prudential safeguards. The general sense is that, for the time being, new technology does not by itself pose any major risks to financial stability.10 This is based on the perception that the new business models rarely entail significant risk transformation – and also that the riskier innovations, such as cryptoassets, have hitherto had only a limited take-up. All this limits the potential for technological developments to destabilise the financial system, at least up to now. That perception explains why the perimeter of prudential regulation – whether macro or micro – has hardly changed in most jurisdictions.
But it remains to be seen whether new forms of systemic risk could emerge from big techs – large non-bank technology firms that offer a wide range of financial services – and whether current regulation will adequately contain those risks. It is likely that new sources of systemic risk, such as major cyber incidents, will need to be addressed by novel policy tools, given that standard prudential instruments such as capital or liquidity requirements can hardly be the most effective response.
Another area in which additional policy reflection is warranted is the effects of innovation on the structure of the financial services industry and how this might affect market functioning.
Admittedly, it is still far from clear how technological developments will disrupt the financial industry, and how far. Or how far technology might promote competition and diversity – as often assumed – or whether it might instead foster the emergence of new (potentially global) big tech oligopolies that could work against the interests of consumers and generate new kinds of financial stability risks. That process could be the consequence of a seemingly efficient Schumpeterian dynamic in which new, more efficient entrants will outperform incumbents. In such a process, however, network externalities might lead – absent public intervention – to a more concentrated industry centering on natural oligopolies.11 A further issue is whether existing regulation could distort the restructuring of the industry by unduly penalising either the traditional or the new players.
Depending on the answers to these questions, different types of public intervention would be more or less warranted. Therefore, much analysis and evidence is still required to decide on possible additional reforms to regulatory frameworks. In any event, the transition to a new market structure is likely to put the sustainability of specific business models under stress, potentially eroding the viability of some traditional financial institutions. As a consequence, prudential supervisors and the international standard-setting bodies need to closely monitor the process and act promptly to shape, as far as possible, the orderly transformation of the financial sector.
As I have just mentioned, a key aspect of the current regulatory debate is how financial services regulation could facilitate an orderly adaptation of the industry’s structure to a new environment characterised by new technologies, new players and new activities.
A widely accepted principle, and one that has inspired many of the recent regulatory developments, is that policy actions should aim to minimise the scope for regulatory arbitrage. New technologies help new players perform activities that were traditionally conducted only by tightly regulated institutions. Regulation should therefore be adjusted in order to prevent risk-generating business activities from migrating between entities in search of lighter regulatory control.
That said, the actual implementation of this principle is far from straightforward.
In this regard, the concept of same activity, same regulation is often seen as a reference for sound policy to promote a level playing field and prevent regulatory arbitrage following the emergence of fintechs and big techs. The key thought is that all entities involved in a specific regulated activity should be subject to the same rules, regardless of their nature or legal status.
Yet the same activity may generate different risks depending on who performs it. For instance, the risks for the financial system are not equivalent if lending or securities investment is undertaken by a closed-end mutual fund – which engages in hardly any risk transformation – as opposed to a deposit-taking institution. This combination of deposit-taking and risky investment is precisely the object of prudential regulation, which need not be applied to entities that perform only the latter activity.
Some of the services offered by banks – such as payment processing – could be conducted by banks’ subsidiaries that are not funded with deposits. However, especially since the Great Financial Crisis of 2007–09, supervisors have understood that risks cannot be easily segregated and distributed across legal entities which are linked to a banking institution. Consequently, they have adopted a conservative approach in defining the consolidation perimeter on the basis of which banking groups must satisfy prudential requirements.
As a consequence, banking institutions, and even their non-deposit-taking subsidiaries, are subject to different rules than some non-bank competitors. That could arguably affect the competitive position of different players in some market segments. However, if the regulatory framework were to be completely harmonised for all types of entities performing a specific activity, financial stability might suffer, given that some sets of institutions generate more (or less) systemic risk than others. This sets a limit on how far a purely activity-based approach can be pursued.
The case of big techs also shows the limitations of a strictly activity-based approach. The point here is that the financial activities of big techs exist within a wider business portfolio which may include e-commerce, payment services, credit underwriting and wealth management, among other activities.12 It is easily conceivable that big techs could generate systemic risks not only through the scale of their operations but also through a destabilising interaction of the risks generated by each activity. If that proves to be the case, one could argue that a more encompassing approach to regulation and supervision is needed, one that focuses on entities, their activities and the broader ecosystem. And this would again justify a departure from the principle of same activity, same regulation.
In any event, measures could be considered to remove discrepancies in the regulatory requirements for different types of institution. For example, it is hard to argue that rules relating to policy objectives such as consumer protection or AML should be substantially different, as still is the case in some jurisdictions, depending on the type of licence a firm holds. These requirements should obviously follow a proportionate approach, but proportionality should be defined in terms of the risks that different firms pose – as a consequence of the scale of their operations or the technologies used – rather than in terms of their legal status.
All this supports the idea that activity-based regulation does not represent, by itself, the silver bullet that could preserve the robustness of the regulatory framework in the new technological environment. Most likely, it should be considered as a complement to entity-based regulation, rather than as a substitute for it.
Naturally, the identification of the exact form of the required combination of different types of regulatory measures constitutes a major policy challenge. At all events, financial authorities need to coordinate their actions with those taken in other policy domains, such as competition or data protection. No less importantly, they need to cooperate with their peers in other jurisdictions, given the global scope of both innovation and the business models of many new players.
Twenty-five centuries ago, Democritus said, “Do not trust all men, but trust men of worth; to do the former is foolish, the latter a mark of prudence.” To regulate fintech adequately, authorities will need to apply the elusive mix of prudence and determination that is so often required in policymaking. Prudence is needed to avoid discouraging innovations that could eventually benefit society, and also to prevent key public goals – such as financial stability and market integrity – from playing second fiddle to short-term industrial policy aims.
As for determination, this consists primarily in taking action to combat emerging risks as soon as they are recognised. But determination will also be needed to underpin the necessary cooperation between authorities in different fields and jurisdictions.
About the author
Fernando Restoy became Chairman of the Financial Stability Institute on 1 January 2017. He had been Deputy Governor of the Bank of Spain since 2012. Previously, he held other senior positions at the Bank of Spain, which he joined in 1991. From 1995 to 1997 he was Economic Advisor and Head of the Monetary Framework Section at the European Monetary Institute in Frankfurt. Mr Restoy was Vice Chair of the Spanish Securities and Markets Commission (CNMV) from 2008 to 2012 and Vice Chair of IOSCO Technical Committee (now Board). He was the Chairman of the Spanish Executive Resolution Authority (FROB) from 2012 to 2015 and has been a Member of the Supervisory Board of the ECB"s Single Supervisory Mechanism from 2014 to end 2016.
SUERF Policy Notes (SPNs) focus on current financial, monetary or economic issues, designed for policy makers and financial practitioners, authored by renowned experts. The views expressed are those of the author(s) and not necessarily those of the institution(s) the author(s) is/are affiliated with.
Editorial Board: Natacha Valla (Chair), Ernest Gnan, Frank Lierman, David T. Llewellyn, Donato Masciandaro.
SUERF - The European Money and Finance Forum
A-1090 Vienna, Austria
www.suerf.org • email@example.com