The emerging landscape of fintech regulation

Just passing laws, everyone knows, will not work to control fintech.

Julian Roche, senior consultant at Redcliffe Training, explores the emerging landscape of fintech regulation.

The emergence of fintech

Fintech – the application of technology to finance – is not itself new. Virtually everyone in finance now knows that the past decade has seen explosive growth in the eight areas identified by the International Organisation of Securities Commissions (IOSCO) as constituting fintech: payments, insurance, planning, trading and investments, blockchain, lending/crowdfunding, data and analytics, and security. KPMG statistics show that whilst in 2005 approximately 1,600 companies were involved in fintech investment with total funding of $5.5 billion, this grew to 3,000 companies and $15.3 billion by 2010 and 8,800 and $100.2 billion by 2016.

Fintech then took a quantum leap in 2018, the full extent of which is not of course yet known, but it looks like doubling the size of the industry in a single year, “driven in part by two massive deals – the $12.9 billion acquisition of WorldPay by Vantiv and the $14 billion VC funding round raised by Ant Financial“, according to KPMG. Such deals demonstrate the maturity of a market that now has the capacity to influence the global economy and citizens almost everywhere on the globe.

Examples of the rapid growth of fintech or quasi-fintech firms abound. Issuance of licences to new entrants such as Atom, Revolut, Tandem and Monzo in the UK has permitted the migration of funds in their direction, yet their financial trajectory remains uncertain, to say the least, neither yet making a profit, as journalists have been quick to point out. In Scotland for example, Nucleus, which Ferguson set up with the backing of a number of financial advice firms in 2006, has developed software platforms that enable financial advisers to provide online access to clients for investments across ISAs, pensions and bond accounts. By the middle of 2018, assets under administration had pushed above £14 billion with further growth in the pipeline. Such examples could be multiplied manifold.

Why does regulation matter?

Perhaps the worry should be structural, but concern so far has focused on investment fraud, the classification of crypto-currencies as securities, derivatives, commodities, currency or other assets, systemic risk regulation and central bank functions as well as money laundering and taxation. Regulators worry about the possibility of artificial intelligence (AI) obtaining money by deception, for example by psychological manipulation of the elderly or less well-informed investors, the evasion of risk regulatory frameworks through the use of cryptocurrencies that can disguise the magnitude, direction and purpose of transactions, the rise of cross-border operations, especially in jurisdictions virtually beyond their control, difficulties in verification of disclosures, and the possibilities that distributed ledger technology offers to evade tax, sanctions and other regulations.

Just passing laws, everyone knows, will not work to control fintech. Regulators will have to be much more pro-active than hitherto. But what ought they to do?

What has been done to date?

Fintech regulation is best viewed under a number of different headings, though their very disparateness should give pause for thought for regulators themselves.

• Challenger banks

This is probably the most worrying and decisive area of regulatory concern, even if, as has been suggested, the new banks can actually be better at security and preventing fraudulent behaviour than their sedate, long-established peers, thanks to their more intelligent analytic capabilities. Real regulatory interest surrounds the introduction of tiered market licensing regimes (e.g. by ASIC in Australia) and the new restricted authorised deposit-taking institution (ADI) licensing and phasing frameworks by the Australian Prudential Regulation Authority (APRA), which may form a model for other jurisdictions equally concerned at losing first mover and competitive advantage for financial institutions in the morass of lengthy approvals processes.

• Comprehensive credit reporting (CCR)

Jurisdictions such as Australia have introduced mandatory CCR, with more to follow. Lenders, including fintechs, will be obliged to follow AMARP (“as much as reasonably practicable”) due diligence on clients, with deep, rich data to mine in determining credit status.

• Crowdfunding

Legislation covering both equity and debt raising has tumbled out internationally, including for real estate, with a range of different models emerging. Regulators are struggling to co-ordinate, for example to arrange exemptions, for example for exemptions for markets and clearing and settlement facilities, as well as to determine the scope of their territorial jurisdiction. Currently, crowdfunding regulations vary even across European jurisdictions, with apparently little chance of harmonisation in the short-term, let alone with the US.

• Data protection

Fintech is already coming to terms with the GDPR; most firms seem to be content with standardised, box-ticking solutions, apparently oblivious to the strong possibility that it may be Captcha-defying AI that is ticking the boxes. Legislators are already well aware of the risks that major companies may monopolise customer data (this was discussed at the Parliament, House of Lords, earlier this year).

• Initial coin offerings (ICO)

Enthusiasm for ICOs has tapered, and regulators are catching up. ASIC is seeking to apply existing laws to issuers, with enforcement actions against companies following US and Chinese practices where consumers have potentially been defrauded. The Financial Stability Board (FSB) has now issued its cryptocurrency regulatory framework, as urged by the G20, and it is unremarkable in itself: who could object to monitoring the size and growth of crypto-asset markets and worrying about volatility in pricing, the role of leverage, and the exposure of the financial sector in general to crypto-asset markets?

• Open banking

Although it has now been active in the UK and elsewhere for over six months, the development of open banking presents a number of different possible data management models, and regulators have hesitated before either insisting on one or announcing regulations for many. The implications for fintech of the EU’s Revised Payment Services Directive (PSD2), in particular the inclusion of payment initiation service providers (PISPs) are now being studied by affected fintechs.

• Sandboxes

Whilst some regulatory authorities such as Australia, the UK and Taiwan now recognise the need for larger, longer sandboxes, other regulators, such as the SEC in the US, have warned against potentially cozy relationships between regulators and non-bank lenders. As a result, legislation and regulations already vary widely.

These headings are not exhaustive: like other businesses, fintech works under Intellectual Property regulations, employment law, health and safety, and much else.

What could possibly go wrong?

Some stuff already has. One of the biggest risks is data theft. Customer data thefts at Equifax and payday lender Wonga (now in administration), and in a different arena, Singapore, where 1.5 million citizens had their health data stolen are all savage reminders that no database is really safe. Nor are cryptocurrencies reliable investments for the most part, despite the relative equanimity of international regulators, as the Tezos debacle demonstrated, and perhaps still more, the continued volatility of even the $200 billion Bitcoin market, albeit that it does seem to be slowly quietening down. A third example: there is plenty of evidence that fintech will indeed aid and abet money laundering and other criminal activity, which regulators have been unable to eradicate, especially when it is managed from poorly regulated jurisdictions.

Longer term, a problem with fintech is its potential to exacerbate already yawning gaps in compliance between developed and developing financial institutions, as well as between first rate and other institutions even in developed countries. Smart contracts have been discussed as if they are generic, rather akin to an Internet, in which a level playing field will be established between contracting parties, whoever and wherever they are. A moment’s reflection will glean the recognition that this is not in the interests of the major financial institutions that are currently ploughing investment into distributed ledger technology, for example for trade finance. They are not doing this out of the goodness of their hearts, or from an earnest desire to be able to treat banks in developing countries, and their clients, as equal partners. Quite the opposite. The stratified, hierarchical world of blockchain is already with us, and likely to continue into the next decade.

Likely changes in the coming decade

• Regulatory monitoring will start moving to real time

Financial results have traditionally been presented annually and quarterly. GDPR mandates reporting of data breaches within 72 hours, but even this timescale will appear antiquated in the future. Meet suptech, which the Bank for International Settlements (BIS) defines as “the use of innovative technology by supervisory agencies to support supervision”. In future, bank liquidity positions and compliance with Basel X, or whatever the standard is by then, will be monitored and controlled in real time, not just by internal compliance, fund management and audit, but by the regulators themselves.

Current leaders are ASIC, the Financial Conduct Authority (FCA) in the UK, and the Bank of Italy. The inevitable commercial result of this, regtech, is already consuming around 5% of fintech venture capital investment, so some $5 billion already, and it is certain to grow in importance, consuming progressively greater proportion of the compliance budgets of major financial institutions and demanding that they either partner with fintech companies, or develop their own. Given that AI and machine learning are also programmable proactively to identify, predict and control risk, so too suptech must generate the capacity to track, and where necessary influence, regtech AI.

• Regulation must get faster

At present, regulators take months, sometimes years, to respond to changes in financial practices. Successive Basel banking regimes are an excellent example. Fintech makes this kind of timescale simply infeasible for any effective regulatory system: fast online transactions demand equally fast regulatory capacity. Already, jurisdictions such as Hangzhou and the DIFC in Dubai are looking at establishing a “Court of the Blockchain”, initially exploring how to aid verification of court judgments in cross-border enforcement. The aim is streamline the judicial process, remove document duplications, and drive efficiencies. Where jurisdictions such as China and Dubai lead, others will follow.

• Regulation will recognise distributed risk

It has already been suggested that recognition of DLT risk and a predetermined risk budget similar to that for participation in a syndicate or other types of joint ventures could well be the outcome. Basel is one place where such an outcome may eventually emerge. Stress tests for the implications of fintech defaults are surely eventually inevitable – a basis for conducting them now already exists in embryo with the promulgation of the FSB framework for cryptocurrency metrics, to include trading volumes, pricing, clearing and margining for crypto-asset derivatives.

Real-time distributed risk management can then be implemented through regtech to assure conformity with the regulations, themselves evolving in real time as risks themselves change, propelled by global data capture and analysis at the level of the regulator.

• Regulation must be encoded

Forward-looking regulators recognise that regulations themselves will be encoded into the virtual supply chain. Whilst this should mean fewer breaches of contract, disputes will still flow around the five C’s of blockchain trading: currency, clock, competition, condition and coding. Down the line the use of the term “court” will itself change, becoming a virtual, transient institution, often with no or minimal human intervention. Think cloud, or sandbox.

• Regulation – and the law – must address AI

Although it already does, for example in respect of policy towards algorithm trading, the question of what legal status AI and robots operating in the fintech space will have must eventually get regulatory space. At present, for example, without legal personality for robots, companies themselves cannot pass on responsibility for criminal actions to robots in the way they can to individual employees, e.g. in the recent Barclays LIBOR manipulation case, although their penalties in financial terms were dwarfed by those paid by the banks themselves.

Robots are not paid, have no assets, and cannot really suffer imprisonment, none of which is not likely to change, but reserving funds and requiring insurance from third parties are possible regulatory solutions to the issue of tort as well as criminal responsibility devolving below the corporate level, including to robots, which the European Parliament has already proposed.

• Regulation must internationalise

The growing role of IOSCO in fintech regulation has now been widely recognised. IOSCO, along with the European Securities Regulator, the SEC, the China Securities Regulation Commission and other major regulators, can be expected to co-ordinate their efforts much more closely in the coming decade to meet essentially international challenges. Already in 2018, following the IOSCO report on fintech, the previous year, regulators have agreed to create a Fintech Network to facilitate the sharing of information, knowledge, and experiences related to fintech among IOSCO members, as well as a support network for the cross-border implications of ICOs.

Agreement on joint regulation, as has already been the case with state regulators in the US working together, will be the eventual next step, whilst the importance of organisations such as IOSCO and FSB can only increase. International regulators will then in turn push for the constructive use of fintech to internationalise regulation and compliance: for example, the blockchain has the capacity to create, and maintain, genuinely international credit reference agencies, which simply do not exist at present, it being possible concurrently to be a large borrower in one jurisdiction and completely unable to borrow in another, both for individuals and subsidiaries of corporates.

Conclusions for practitioners and investors

Fintech companies, already operating with little capital, are prone to severe regulatory risk, which could bring them down, endangering the larger institutions dependent on. Accurate forecasting of the fintech regulatory landscape will be crucial for both practitioners and investors – but not just in general, down to specifics in relation to marketing, data protection, capital requirements, and a host of other regulations. Nine out of ten fintech start-ups crash and burn: only proper due diligence, including of the regulatory environment in which they exist and must thrive in future, can prevent an investment in one of them.

The problem is one of informational asymmetry, as so often in an investment cycle. At present, the institutions best placed to analyse the regulatory risk facing any given fintech are the major consultancies – KPMG, Cap Gemini and the others – with their international scope, client range and databases. Yet the cost to hire them for due diligence of most VC investments in fintech – not the megadeals, but most – would be prohibitive. In the gap lies value creation, but tremendous risk: only by matching fintech with data-driven AI due diligence itself, with firms such as CB Insights and others of the same calibre, can that gap be successfully bridged.