As technology reshapes business, watchdogs are modernising to better detect and act on bad behaviour
In a nutshell:
- Regulators are becoming concerned with Big Tech firms' ability to use their online distribution advantage to crowd out competitors. Perceived concentration risks are also starting to be addressed for non-financial firms providing digital solutions to large parts of the financial industry.
- Existing and new regulatory sandboxes remain an important innovation tool.
- Regulators' operations are modernising to match those of the firms they supervise, taking advantage of data and software tools to understand inputs and outcomes, and to increase ability to detect and act on bad behaviour.
Continued technological change is reshaping the way that firms provide, and customers interact with, financial services. This has created challenges and opportunities for firms, customers and regulators.
Some key themes have emerged:
- Concentration risk – competitively and operationally
- Facilitating innovation
- Data collection, internal tooling, and "regulating at scale"
After a somewhat hesitant start, financial firms have been moving significant parts of their systems from on-premises hosting and internal or customised tooling to cloud providers and software-as-a-service solutions. While this has enabled firms to allocate resources more efficiently, modernise systems and perhaps even improve their security and resiliency, lawmakers have recognised a trend of – and potential systemic risk posed by – a small number of third parties providing critical services to large proportions of the industry. Cloud service providers – across infrastructure and software – are frequently cited examples.
While economies of scale and winner-takes-most effects have long been a feature of the financial industry's supply chain, the perceived difference here is the degree of control given up by financial firms, in a way that may create more correlated risks than the prior model did. To illustrate, under the earlier model many firms may have licensed the same software, but managed the infrastructure and versioning of it individually, perhaps with their own implementations and acceptance testing. If there were issues with the software or with the vendor, these factors would reduce the correlation in type and timing of those issues. Now, with more widespread use of commonly-managed software and infrastructure, outages could affect larger parts of the industry at once.
The IMF published a paper on Big Tech in financial services, which concluded that cloud and other services' importance to the financial sector "means that, in some respects, BigTechs are already too big to fail." The Bank for International Settlements has also examined some of the systemic risks posed by critical third parties as part of a wider analysis of Big Tech in the financial sector. An initiative proposed to address this issue in the UK is a "critical third parties" regime, under which regulators could designate certain of these parties for direct regulatory oversight despite not being financial firms themselves. In the EU, the Digital Operational Resilience Act includes provisions for the creation of an EU oversight framework for EU financial entities' critical IT and communications vendors, including cloud service providers. Such vendors based in third countries will be required to establish EU subsidiaries to enable proper oversight. In Australia, the Government is requiring critical infrastructure assets, including in the financial industry, to report on such technology concentration risks under Security of Critical infrastructure reforms.
In addition to operational resilience risks, regulators are also taking aim at the risk of concentration in digital distribution affecting competition, particularly in retail financial services as more services move online and branch networks shrink. The UK Financial Conduct Authority (FCA) is currently consulting on how to address the potential for competitive distortions arising from increasing Big Tech involvement in payments, deposit taking, consumer credit and insurance in particular, in parallel with international focus on and investigations into these firms' competitive positions and regulatory architecture more broadly.
To foster innovation, regulators in many jurisdictions have for some time now provided test environments and/or exempted firms from certain regulatory requirements while they operate within a regulatory "sandbox". In Australia, a number of firms have joined an "enhanced" regulatory sandbox since 1 September 2020 to test a broad range of financial services and credit products in a controlled environment without a licence. New sandboxes are also emerging. The EU pilot regime for market infrastructures based on distributed ledger technology will be open for applications in March 2023. Legislation has been proposed in the UK which will pave the way for a new sandbox for financial markets infrastructure. Not only do sandboxes allow firms to innovate, fill gaps and find new use cases, they also allow regulators to understand and learn how the market wishes to use new tools.
Regulating at scale
Regulators are also investing in their ability to automate higher-volume work where possible, with use cases including identification of "phoenixing" among firms applying for licences and monitoring for cloned firms, non-compliant financial promotions, sanctions breaches and unregulated firms operating within the regulatory perimeter. Blockchain analysis tools also provide opportunities for more direct oversight where funds and services touch public blockchains.
Relatedly, the trend towards "bring your own device" — often referred to as "BYOD" — and the normalisation of digital communication and remote working has led to massive proliferation of firms' data on personal devices. This has the potential to significantly complicate compliance, and has resulted in large fines in the US, UK and elsewhere. We expect continued focus on these issues from regulators and firms.
As firms' operations have digitised and become more complex, so too have the demands on their supervisory bodies. Regulators have begun to staff data science teams to enable them to ingest and analyse a higher volume of data from firms and turn that information into actionable insight. This is likely to involve changes to the way that firms report regulatory data – the UK's regulators are working on a joint programme to "transform" data collection and regulatory reporting, targeted for implementation to begin in June 2023. Likewise, Australia's financial services regulator is increasing its experimentation with and operationalisation of new datasets, technologies and analytic techniques to enhance its supervisory activities.