Financial services regulatory challenges
Fintech is a priority for today’s asset management firms, many of which see such technologies as the key to maintaining a competitive edge. It is easy to see why. Fintech innovations promise a myriad of opportunities, from greater efficiency in financial transactions through to the transformation of the business.
In recent months and years, we have seen regulatory bodies worldwide attempt a careful balancing act. On the one hand, regulators recognize the need for innovation, and are working to support and encourage fintech activity through actions such as framework changes and the creation of regulatory sandboxes. On the other hand, there are significant concerns that existing risks, especially surrounding cybersecurity and fraud, are becoming heightened by fintech’s growth.
Are financial regulations still fit for purpose?
The digital age has brought significant shifts in every jurisdiction around the world, and financial regulations have not kept pace. The rules as originally written assumed a world in which people conducted business face-toface, with physical signatures on paper. While regulators have updated rules over past decades, the accelerated pace of change means that regulators are now constantly playing catch-up with the implications of the newest innovations.
Current wisdom holds that fintech technologies do not pose significant financial stability risks in their own right. However, innovations already on the horizon could carry with them increased systemic risks through growing complexity and interconnectedness, greater operational risk, increased liquidity risk, and more. There is also uncertainty around where and how future operational and security risks might arise, meaning that regulators have the unenviable task of fighting fires before they are lit.
In watching recent regulatory changes and related discussions, it is clear that regulators are beginning to fundamentally rethink what ‘good conduct’ looks like in an age when contact is entirely digital — and may not involve human actors at any point. While in 2019 and beyond we see increasing divergence in worldwide regulatory standards in asset management, when it comes to facilitating fintech development, regulators appear to be of similar mind. Technologies such as robo-advice, blockchain and cryptocurrencies, and ‘big data’ are all on the regulatory radar, but addressing the heightened cybersecurity risks is clearly a top priority.
Cybersecurity an area of significant concern
Incidents drive greater scrutiny, so it is no wonder that the cyberattacks in 2018 have led to increased regulatory attention to digital safety and security. The European Securities and Markets Authority (ESMA), Germany’s Federal Financial Supervisory Authority (BaFin) and more have all created forums, cybersecurity panels and other methods to help develop appropriate approaches to the increasingly common problem of cybersecurity vulnerabilities. In addition to these steps, the Monetary Authority of Singapore (MAS) has also recently launched a US$30 million Cybersecurity Capabilities Grant to co-fund financial institutions’ establishment of global or regional cybersecurity centers of excellence in Singapore, as well as issuing a recent consultation paper on cyber hygiene that includes essential cybersecurity practices for financial institutions.
Given that high-level rules regarding operational effectiveness and protecting clients’ assets are already in force, in most global jurisdictions, regulators have yet to start changing rules — though change may be on the horizon. In many jurisdictions, the regulatory focus is currently on supervisory activity rather than rule changes. Many regulators are now also looking at fine-tuning the regulations surrounding security tests, checks and controls to keep pace with the accelerating pace of change.
Regulators are also increasingly interested in operational resilience. Trends show that regulators want to see that individual asset management firms have not only the necessary financial capability, but also the technological capability to operate in the current and evolving digital climate. Many fintech innovations connect asset managers to outside organizations, such as through the use of Application Programming Interfaces (APIs), creating the risk that the corporation does not possess the capability or capacity to effectively respond to a cyberattack, or that a response could come too slowly to be effective.
Other evolving risk areas
While cybersecurity may be regulators’ top concern, other fintech areas are also making waves. Distributed leger technology (DLT), such as blockchain, is one area under particular scrutiny. ESMA, for example, indicated that “its legal certainty and broader legal issues — such as corporate, contract, solvency and competition laws — need to be considered and clarified” before DLT can be used for larger-scale financial purposes, while the FCA raised concerns that DLT could lead to a “lack of individual accountability at firms”. Bitcoin and other cryptocurrencies have also received a skeptical reception from regulators around the globe, with incidents such as the Coincheck hack from early 2018 receiving particular regulatory scrutiny.
Other areas of growing regulatory concern include: robo-advice; crowdfunding, with some regulators proposing simplified rules for securities-based crowdfunding platforms; and continued interest in the implications of AI and big data.
Fintech innovations continue to shape the financial sector around the globe. Asset managers, like regulators, need to strike the right balance between the competitive advantages that fintech can provide and the risks inherent in the integration of these technologies with current business models.
Responding to the current regulatory climate
In talking with our firms' clients, many are asking: how should asset managers respond to the current regulatory uncertainty and changes surrounding fintech innovation? We generally provide two core recommendations:
1. Understand that no action is not an option. Fintech innovations can provide important competitive advantages, including benefits to the top line, bottom line and overall client experience. Yet even for asset managers that do not wish to engage heavily with fintech or are not looking to be a leader in innovation, the increasing regulatory pressure around organizational resilience demands a response. Understand, too, that it is not only regulators who will be looking to see that asset managers keep valuable data safe from cyberattacks. Malicious actors are actively pursuing vulnerabilities, and attacks will only increase.
2. Know what is happening at every touch point. Asset managers need to be fully informed about fintech innovations and regulators’ current thinking in order to make fundamental decisions about systems and processes throughout the business model, including across geographies. This includes investigating the technological capabilities, security policies and governance of not only outsourced service providers but also the suppliers’ suppliers, as any cyber risks that affect these downstream providers can ultimately impact the fund manager.