Fintech is fundamentally changing the provision of financial services. By now, the global financial community is well aware of the potential for digital technology to advance development and inclusion. While eager to embrace the fintech promise, financial authorities—including those with an explicit financial inclusion mandate—need to be able to do so in a safe and responsible way. Innovation without financial stability would jeopardize advances in development and inclusion. In a recent paper, we take a look at fintech risks and, taking as reference the World Bank-IMF Bali Fintech agenda and guidance from global Standard Setters, we offer authorities some recommendations to strike a good balance in their regulatory and supervisory approaches towards digital financial services.
While the types of financial risks arising from fintech activities are broadly the same as for traditional financial activities—including credit, market, operational, consumer and integrity risks-—their intensity, interlinkages, and spread across the system may be very different. How much depends on many factors such as the business model and distribution channels used, the legal status and regulation of the providers, or the nature and degree of adoption of the fintech activity performed. New entrants operating exclusively in the digital space tend to be undercapitalized, exposed to illicit financing risks and more vulnerable to cyberattacks.
In our research, we found examples of unregulated fintech firms that went out of business because of insufficient funds and, or lack of experience in the financial sector, with bad implications for retail investors and savers. The risks of inappropriate commercial uses or disclosure of consumer data is also higher in a digital context where data is highly valued and instrumental for most businesses. And, of course, cyber risks can be exacerbated as new digital distribution channels expand the network and increase the number of points of entry for a cyber-attack.
The best way to keep fintech risks within tolerable levels, while still promoting innovation, is to put in place regulatory and supervisory frameworks that are well targeted and proportionate to the risks identified. The principle of “same activity, same risk, same approach” should govern the endeavor. Targeting the activities (as opposed to entities) ensures the level playing field and minimizes the need for constant reviews in the scope and perimeter of the regulation as new technologies or fintech players emerge. Yet, when the activity is highly interconnected and the provider is a systemic institution (think of Bigtechs, for example), a more traditional entities-based approach would be warranted to preserve financial stability and safety.
What to regulate? When to regulate? How to regulate?
In our paper, we propose a decision tree, with the optimal policy response depending on the maturity, degree of adoption and risks of the fintech ecosystem, as well as the existing regulatory and supervisory settings. In some cases, existing frameworks are fit for purpose or need only a few amendments. This is the case, for example, of Anti Money Laundering/Counter Financing Terrorism (AML/CFT) rules and banking regulations that apply to digital banking activities by traditional banks. In other cases, regulatory frameworks will need to be complemented by supplementary guidance. For example, Ghana’s central bank issued the Guidelines for E-money Issuers and Agent Guidelines in 2015. It may also happen that the existing regulations are not directly applicable to fintech activity but provide a solid basis from which to undertake the necessary changes to effectively regulate and supervise it. An example of this is the introduction of new digital banking licenses in Hong Kong SAR, China, Republic of Korea, and Singapore. Finally, in some cases, new bespoke rules are required to either officially ban, for example, ICOs in China, or allow fintech activity, such as new e-money laws in Singapore and Hong Kong SAR, China or Indonesia’s regulations for lending platforms.
Devising a good supervisory response to Fintech is essential. The growing number of emerging digital technologies and actors involved—from small, new third-party providers to big techs—has spotlighted the supervisor’s responsibility to monitor the fintech landscape and examine new ways by which risks and vulnerabilities can materialize and spread across the system. New technologies, such as machine learning, artificial intelligence, cloud computing or Application Programming Interfaces (APIs) can accelerate the process of bringing products and services to the market. Supervisors may need to act swiftly. Others, such as distributed ledger technology (DLT) which gives rise to Decentralized Finance (DeFi) allow for a degree of decentralization that calls into question classic notions of liability, responsibility, and transaction reversibility. The volume of data involved has expanded exponentially in the last few years that supervisors must be able to process and analyze. In the same vein, the rapidly increasing use of customers’ personal data raises concerns about the ethical use of this information, calling for enhanced customer protection and data privacy frameworks. Supervisors should also be aware of the potential risks that new technologies might pose, especially when they operate outside the purview of financial oversight.
Only by having a good understanding of how these technologies operate, including business model and main technical constraints and specificities, will authorities have the expertise to properly supervise fintech.
Overcoming supervisory capacity constraints is another challenge, especially for emerging markets and developing economies (EMDEs). As discussed in our paper, Fintech supervisory resources generally consist of a core group supported by an expert network, but other less centralized models also exist. Most authorities in Advanced Economies have made changes to enhance their supervisory capacity along these lines but EMDEs’ efforts to build up IT examination capacity seems to be progressing at a much lower pace.
Hiring programs should also expand into new skill areas to ensure supervisory capacity is attuned to the new environment. These include: DLT to better understand use cases and associated risks and data science, to exploit the analytical capabilities of big data and machine learning. One particularly challenging area is the oversight of providers of crypto-asset-related services. Since it may be difficult to build this capacity in-house, authorities should have the flexibility to hire experts from the private sector , something that might be out of reach for many low- income countries. Narrowing the knowledge and skills gap can also be accelerated through collaboration with industry.
Designing mechanisms for authorities to deal with firms under stress in a manner that mitigates impacts over the real economy is another challenge. While bank resolution regimes do not apply to fintech firms, they can be a source of inspiration for the development of policies to deal with fintech, especially with those that can have systemic impacts upon failure.
Protecting clients in case of failure of e-money providers is an issue for consideration. Extending deposit insurance protection is a solution but one with potential adverse effects, such as increasing costs and creating moral hazard. Mechanisms such as segregation and ringfencing of client resources, or the obligation to keep them in government securities, seem to be a more cost-effective protection mechanism.
As fintech penetration increases, so will associated potential risks for consumers and investors, for stability, and for integrity. There is no silver bullet for striking the right balance between keeping these risks at bay—a priority—and promoting development through innovation and competition. The closest the policy response gets to ensuring certainty and consistency, proportionality, and technology neutrality, the higher the probability that the balance will be right. In a highly innovative environment, which challenges many rules and supervisory practices, building confidence and fostering public trust is of paramount importance.
Join the Conversation