A Glimpse into prudential practices for fintech

As fintech investment continues to evolve, prudential risks beyond cyber are gaining attention and regulatory practices are beginning to change.

In a recent working paper, we looked at payments’ mechanisms, the extension of credit and deposit taking as three areas where fintech is having a major impact and prudential concerns are significant. Four new technologies are driving developments: application program interfaces (APIs), artificial intelligence (AI), distributed ledger technology (DLT), and cloud computing. These are powering new competition, processes and business models at a rate and on a scale that could be disruptive. Old boundaries are dissolving between segments in the financial sector and between finance and the rest of the economy.

Much uncertainty persists about future fintech prudential risks. So, unsurprisingly, many jurisdictions are spending resources to monitor developments and engage with industry.  Sandboxes, where firms can test innovations under close regulatory scrutiny, are becoming commonplace. Licensing practices are changing to encourage or require innovators to come within the perimeter, so regulators can understand fintech risks better over time. Supervisory approaches are also maturing gradually, but with significant differences amongst jurisdictions. Capital and liquidity requirements for example seem to vary widely. And some supervisors are further advanced than others in embracing suptech.

One trend is deceptively familiar — the increasing dependence of financial firms on IT outsourcing. For a long time, regulators have approached outsourcing risks by setting governance standards for the outsourcing firms. However, this traditional approach becomes less and less effective when firms buy hardware and software as a service. Cloud suppliers continuously move the source of these services around their networks so there is no longer a place for a customer (or a regulator) to go to monitor and mitigate their risks. The in-house capability of financial firms in relation to the capability of suppliers is diminishing. And, making matters worse, if something does go wrong and a cloud computing company fails, outsourcers have become so dependent on cloud providers and that industry is so concentrated globally that practical options for switching will be few. 

Another area of growing prudential concern is the safety of customer funds held by the likes of telecoms firms that provide e-money services. Should the safety net enjoyed by bank customers be extended to customers of these firms too? Some countries have explicitly ruled this out: caveat emptor; some have approached this by requiring e-money firms to make back-to-back deposits in regulated banks or central banks; and some are looking into having e-money providers join deposit insurance schemes. The details of most of these approaches are still being worked out and key issues remain to be addressed. A particularly thorny one is how to resolve a non-bank e-money provider that fails so that customer assets are protected and continuity of services is assured.  

For many jurisdictions fintech has increased the importance of working with domestic and foreign regulators. The blurring of lines between financial sector and other industries, the rapid dissemination of fintech developments and the reach of global technology firms have contributed to this. Established regulatory forums such as the FSB and the Basel Committee have been monitoring fintech developments. Fifty agencies from over 20 jurisdictions now participate in the Global Financial Innovation Network (GFIN). ¹ There they share information, coordinate approaches and explore the scope for mutual recognition of standards.

Our study concluded by highlighting four areas that remain worrisome:

• oversight of cloud computing service providers. Regulators in different sectors and jurisdictions cannot oversee these giant providers by themselves. Any corruption or disruption of their services is likely to be systemic.
• capital and liquidity levels for fintech firms. These vary a great deal by jurisdiction and are only loosely related risk. Sufficient capital and liquidity can absorb losses and incentivize providers to take risk management seriously.
• the extension of safety nets to resources held by non-bank e-money providers. In several jurisdictions, it is hard to say if e-money safety nets are robust. The details of what happens when an e-money firm fails are unclear. Bankruptcy law may need changing. 
• risks faced by supervisors embracing fintech in their own operations. To manage the ever-increasing data flows from regulated entities and more difficult analytical challenges, and to take advantage of big data, supervisors have embraced suptech. This represents an opportunity, but it also harbors risks related to the capacity of supervisors, operations and data, similar to those faced by regulated institutions

No major jurisdiction except for Mexico has seen the need for a fundamental rethink of its financial legislation to cope with fintech. Time will tell whether regulatory coordination and cooperation and a patchwork of fixes will be enough to address future fintech prudential risks.