FinTech is already delivering significant benefits to consumers and investors; to financial services companies and financial market infrastructure to financial stability and financial inclusion. In addition, this phenomena has generated a wider range of financial products and services being delivered more efficiently and effectively and this is a reason for high competitive pressures on companies to adopt a more consumer-centric approach. At this point, a new game changer engages in the chain - regulators and supervisors, responsible for the new rules and guidance.
The regulatory and supervisory response to FinTech sector has evolved through three stages:
Initially, the response was to focus on the benefits of FinTech and on supporting the growth and adoption of new FinTech solutions. The regulatory intervention was limited to little more than fine-tuning to take account of the impact of FinTech on the ways in which financial services were provided.
In the second stage, regulators and supervisors began to worry increasingly about the risks arising from FinTech. These risks can be characterized as risks to:
- Consumers and investors
- Financial services firms
- Financial stability
In the third stage, regulators and supervisors have been taking specific actions in response to these risks. This has included the development of international standards, the implementation of increasingly detailed and prescriptive national rules and guidance, and shifts in supervisory priorities.
These initiatives cover a wide range of areas, including technology risk, cybersecurity, and operational resilience. More generally:
- data privacy
- consumer protection
- firms’ governance and risk governance
- amendments to anti-money laundering requirements
The emerging international standards have mostly taken the form of high-level principles, leaving national implementation (both regulation and supervision) to diverge considerably across jurisdictions and across different financial services sectors.
Financial services firms need to be able to demonstrate not only that they are in compliance with the growing array of FinTech-related regulatory requirements but that they have considered and taken into account the various risks posed by FinTech more generally. Successful well-managed firms will adopt a proactive response to:
- emerging risks
- evolving regulation
Financial authorities will soon begin an unprecedented countdown. In 2018, FinTech became an entrenched priority for the financial sector, and a multitude of strategies emerged to address the challenges of digitization. In 2019, financial authorities should take action and implement a global approach to the challenges of the new era. The importance of FinTech regulation, as a consequence of digital transformation, is not limited by borders: in Europe, mid-way through 2018, both the European Commission and the European Banking Authority (EBA) published their action plans, establishing a roadmap through mid-2019. Across the ocean, the U.S. Treasury Department produced a report – more than 200 pages long – on non-bank financials, FinTech, and innovation. Important changes have also occurred in Mexico with the approval of a comprehensive financial technology law (known as the “FinTech Law”), which intends to exploit the opportunities of digitization in order to make advances in financial inclusion.
FinTech is moving rapidly from ‘under the regulatory radar’ and is attracting growing regulatory responses and supervisory scrutiny. The list of regulatory and supervisory responses to FinTech-related risks continues to lengthen. This will ratchet up over the coming years as the FinTech sector and the adoption of FinTech solutions continue to develop and grow, and as the associated risks evolve:
- The identification of measures to encourage the development of new business models, while appropriately controlling risks. An example: the cryptocurrency environment. By early 2019, some results have already been seen in Europe. For example, in parallel with the publication of their action plan, the Commission introduced draft legislation to regulate crowdfunding in the EU.
- The identification and removal of barriers that impede the financial sector’s adoption of innovative technologies, such as cloud computing and artificial intelligence.
- The implementation of schemes to facilitate innovation (regulatory sandboxes and innovation hubs). Recently, European supervisory authorities published a report advising the Commission on relevant aspects related to regulatory sandboxes.
The challenge has also gotten the better of international authorities, who must find a way to increase cooperation and coordination to respond to the challenges of digitization. Fortunately, numerous international regulators recognized this need toward the end of 2018. In recent years, various challenges have been identified as the major challenges of the future, and they will remain firmly on the agenda for both the financial sector and its regulators.
Some FinTech developments, such as the use of cryptocurrencies, the outsourcing of cloud computing, and the move of some non-financial services firms into the provision of specific products and services such as lending to SMEs and retail payments systems, raise questions about where the regulatory perimeter should be drawn. The regulatory net is widening, and some firms that are currently outside the perimeter may find themselves subject to regulation in the future. As the regulatory net widens, the intensity of regulation may also increase. For example, the regulatory requirements on loan-based and investment-based crowdfunding have tended to expand from their initial emphasis on clear communications and risk warnings to funders. These requirements have shifted to a focus on service providers holding capital-type resources to protect funders in some circumstances, and putting in place adequate procedures for credit risk assessment, governance, systems and controls, and complaints handling. This is also reflected in guidance on FinTech credit license applications, with a focus on governance, internal controls, operations, capital, and liquidity.
Regulators are turning to familiar approaches to consumer protection in the FinTech age, using a mixture of:
- transparency and disclosure to raise consumer awareness of the nature and risks of products and services
- prohibiting or limiting the sale of some products and services to retail customers
- re-writing detailed conduct of business requirements to adapt them to FinTech developments.
Existing data protection legislation, such as the EU General Data Protection Regulation (GDPR), already covers some of the data protection issues arising from FinTech. But FinTech developments are continually highlighting new areas in which additional or refined regulation may be required. For example, in the use of artificial intelligence and distributed ledger technology, and in the general trend towards the gathering of an ever-broader range of financial and non-financial data from, and sharing across, a wider set of parties. A more intense debate can be expected about whether there are appropriate frameworks in place for the gathering, storing, sharing and use of data, both domestically and cross-border.
Although mostly covered by existing regulatory requirements on risk management, some FinTech developments have generated regulatory responses calling for regulated firms to address specific FinTech-related emerging risks within their risk management framework. This has included:
- the money laundering and market abuse risks in the use of crypto assets
- the risks arising from the use of distributed ledger technology in payment, clearing and settlement systems, and more generally in the storing and validation of transactions data
- the application of outsourcing principles to specific FinTech applications such as cloud computing and artificial intelligence
- the testing and use of artificial intelligence, machine learning and ‘big data’ across a range of applications
- data privacy, security, and protection.
Regulators and supervisors may rely in part on the codes and principles developed by the industry or by other agencies.
The first steps by regulators here are likely to continue to focus on data and information gathering and analysis, but in due course, some regulatory interventions may emerge in response to FinTech related risks to financial stability.
FinTech can generate new types of exposure, such as crypto assets, requiring clarification or revision of the accounting and regulatory (risk weight) treatments.
Regulation has in part constituted a market in open banking by establishing the basis on which data can be shared between different parties, usually through an application programming interface (API).
Regulators are increasingly setting rules or guidelines that focus on ensuring that boards and senior management have sufficient awareness and understanding of the FinTech applications being used by the company, in order to manage the risks effectively. Some regulators are also requiring firms to identify clear individual senior manager responsibilities and accountabilities for managing FinTech-related risks. Within this approach, some regulators are also focusing on board and senior management responsibilities in specific areas of risk such as algorithmic trading, cybersecurity, outsourcing to third-party service providers, and operational resilience more generally.
The major milestone in 2018 was the enactment of the new Payment Services Directive (PSD2), which seeks to foster competition and strengthen payment security in Europe. To this end, it regulates third-party access to customer payment accounts. Third parties will be able to offer account information and payment information services. During the year, authorities have continued working to define the technical details.
Last year, there was increased awareness of the value of data as a strategic asset in the digital economy. So much so that it is regarded as necessary to create attractive value propositions for the customer, but at the same time privacy concerns have grown. In Europe, this resulted in two regulations:
- the General Data Protection Regulation (GDPR), which came into effect in May 2018
- and the ePrivacy regulation, which is still under discussion
Privacy concerns also intensified in other regions, such as the U.S. where some states have already begun to update their state-level legislation on the matter. Concurrently, open banking regulations similar to the previously mentioned PSD2, have been expanded, as in the case of Mexico. In the recently approved FinTech Law, access to data and the right of data portability are regulated.
The increase in the frequency and sophistication of cyber-attacks in 2018 accounts for the continued work to improve harmonization and international cooperation. Cybersecurity was at the center of the 2018 priorities for the European Commission and European Central Bank.
Harmonizing financial regulation across multiple jurisdictions, and creating new automated reporting and analytics standards has the potential to improve the financial services industry efficiency, reduce systemic risk and deliver economic benefits. Effective financial regulation is clearly crucial to innovation and the future success of the financial services industry and, in specific, FinTech. There are also unprecedented opportunities for reforming regulation and also creating new businesses in the process. Examples include: using “big data” regulatory online reporting and analytics to streamline reporting and stimulating a new generation of “RegTech” companies to provide the regulatory/compliance software.