The systemic risks and vast opportunities in fintech

Technology has made the world a smaller place.

A look at the vulnerabilities, risks, promises and innovations in the fintech ecosystem

In the ‘Global Village’, netizens in one country can influence the stock market in another, national regulations can choke international innovation and nimble tech start-ups can usurp legacy financial institutions.

In this dizzying new world, where the links in the chain seem to stretch into the infinite, one small shock to the system can have a multiplying effect across the entire network.

But there are opportunities, too. The democratisation and decentralisation of finance promise participation for ordinary people, for example.

FinTech Futures sat down with Megan Long, senior consultant at Deloitte, to discuss the vulnerabilities, risks, promises and innovations in the fintech ecosystem.

Goldilocks zone

Regulation serves many purposes and has never been more important in a closely connected financial services ecosystem.

While many legacy institutions are thoroughly regulated, it seems that many non-traditional players experience a more hands-off approach from overseers.

Navigating that ‘Goldilocks zone’ of just the right amount of regulatory supervision, where oversight and scrutiny keep financial institutions in check but don’t nix innovation, requires a move from predominantly entity-based regulation to activity-based regulation, Long believes.

In her recent research, Long suggests that both unregulated and partially regulated financial players are contributing to a disproportionate share of systemic risks.

But she doesn’t necessarily believe it’s a matter of having too much or too little regulation.

“It’s about having the right regulation in place where there’s a mix of entity-based and activity-based oversight and recalibrating from the current predominant focus on entity-based regulation,” Long says.

Regulators need to understand the nuances of new business models and tease out the distinction between Big Tech and traditional banks, for example. And the Big Tech regulatory models themselves also look different depending on jurisdiction.

Focusing more on activity-based oversight when it comes to players that are non-traditional, as well as within the broader financial system, is going to become increasingly important in order to ensure that there is the right supervisory oversight in place given the pace of innovation.

Long explains that entity-based regulation is predominantly what’s been in place since the 2008 global financial crisis. Global systemically important banks (GSIB) and systemically important financial institutions (SIFI) are two globally recognised types of entity-based regulation.

But when you see Big Tech start to enter the domain of financial services, regulations should be created that are not dependent on the entity type.

“If regulators are able to more deliberately articulate activity-based oversight to include these novel players, it will help fill in those gaps in regulation that we have seen exist to date,” Long says.

Peeling an onion

In a world with complex digital supply chains, it can make it really difficult to identify vulnerabilities before they turn into full-blown problems.

This means that organisations – whether a bank, an insurance firm, a reinsurer or a fintech – are only going to be as protected as the weakest link in their network. “And those weak links could be any of those players,” says Long.

And the picture becomes increasingly blurred when we consider indirect parties. Relationships between players are no longer bilateral and there are third-party technology vendors that institutions employ to hedge their own operational risks, and these have their own third parties who have their own third parties.

“Understanding the entire ecosystem exposure becomes even more important since these direct connections no longer occur in isolation,” Long says.

With so many different layers of connectivity, it’s easy to lose track and accountability if you have that many players who are outsourcing their security.

When you throw into the mix emerging financial activities that remain outside the regulatory regime, you see even more novel ways in which to undermine security within the financial system.

Long’s research has found that non-traditional financial players are rapidly evolving hand-in-hand with decentralised finance, digital assets, the aggregation of consumer financial data, blockchain and cryptocurrency exchanges. All are emerging in a rapidly evolving space.

The fact that these activities are so novel and so peripheral means that we haven’t actually seen the full range of risks and the appropriate regulatory controls are not yet in place.

And given the inherently decentralised nature of decentralised finance, it is very difficult to have a centralised regulatory entity oversee the activities of that new system.

This friction between centralised regulation and the promise of decentralised finance presents unique challenges for the way we think about regulation traditionally.

“Ultimately, the core intention of regulatory bodies is to ensure financial stability, safe transactions and also general consumer protection, and this is really challenged in this uncharted arena that naturally opposes those traditional structures,” Long says.

Splinternet

Megan Long, senior consultant at Deloitte

The lack of a shared taxonomy, and incongruent national approaches, provides fertile ground for cyber-attacks.

Every region, let alone nation, seems to take a slightly different approach, with unique perspectives and priorities. And this leads to a number of spheres of influence developing.

Long says her research has certainly identified spheres of influence developing with geographic or sectoral nuances.

“Whether it’s schools of thought or the general approach to regulation and protection of the system, they are very different and this is present in certain degrees.”

Globally, regulation is very jurisdictionally nuanced, with those nuances based on the individual market dynamics of a country or region. And they will definitely remain.

“Harmony might not be feasible, particularly in the near term, but I think lessons can be learned from each individual’s sphere of influence.”

For example, let’s look at the number and weight of factors that determine the systemic nature of an institution. SIFIs are largely based on traditional factors such as the size of their asset book. But more novel approaches such as looking at the network size, or digital interconnections of a specific entity, are slowly becoming more important than just the outright size of the business or entity itself.

Amazon Web Services wouldn’t be classified in the current regulatory regime as a systemically important institution from a financial perspective. But the big four cloud providers are core to the sound functioning of today’s financial system.

In that vein, China’s regulators have instructed Chinese tech conglomerate Ant Group to form a financial holding company under their supervision.

“I think that was a clear signal that the Chinese domain or the Chinese jurisdiction is actively identifying entities that they believe pose systemic risks. We’ve not yet seen that in the Western sphere,” Long says.

On the split between the West and China, Long says that while the prevention mechanisms are different, “I think lessons can be learned across the two spheres”.

In the EU, the Digital Services Act now contains entity-based provisions for Big Tech through its supervisory regime. The goal of the regime is to ensure adequate management of the different operational risks that Big Tech generate.

Long believes this is a macro-indirect approach to ensuring that gaps that have enabled cyber-attacks, cross border data issues and other systemic risks are closed and resolved.

Don’t feed the trolls

There are a variety of new and emerging sources and channels of influence that are driving change within the financial system, and we can classify these into four broader categories: social media platforms, web-based forums and communities, private messaging platforms and finfluencers.

Emerging sources of influence, Long says, have been great in terms of providing retail consumers entry into domains that have traditionally been exclusive to sophisticated market participants.

But while access to information that can adequately inform a newbie investor has been democratised, the flip-side of that is the growing potential for rampant misinformation and disinformation. This can easily spread through the same digital channels and reach countless users without impartial checks and balances in place.

And legacy consumer protection mechanisms can’t keep pace given a lot of this information sharing is occurring entirely outside of the walls of the financial ecosystem itself.

Viral trends can certainly influence public sentiment and spur a stock buying or selling frenzy, “which can harm market participants and also erode the trust in the system as a whole”, Long says.

Bias in AI

One of the key systemic risks in financial services is the baked-in bias of some artificial intelligence (AI) applications and algorithms.

Long says players in the ecosystem can start to adopt enterprise frameworks that can help to address AI decision-making processes and should be assessing the level of transparency required for each stage.

Simpler forms of machine learning could be considered, for example. One technology prototype Long outlines is counterfactual fairness.

If the data used to train AI models contains societal biases against certain ethnicities, genders or demographic groups, that ultimately means that those models over time will exhibit those same biases too.

But if developer teams can account for and compensate for those different social biases, “that’s something we think is really exciting and helps to tap into that issue of transparency when it comes to algorithmic biases”, Long says.

Data pools

New sources of data will also be essential to ward off the compounding effects of exogenous shocks, which could compromise actors, nations and the global financial system.

In the future, where edge cases – a problem or situation that occurs only at an extreme operating parameter – become more frequent, there’s going to be less and less data that actually exists within the walls of individual entities to help predict those unknown or unknowable futures.

“When we think about climate risk and climate change or forecasting events such as natural disaster, it is going to become increasingly difficult as those events become more unprecedented in the future,” Long says.

Therefore, players in the system should start to think about enhancing their repository of early warning indicators, sourcing anonymised synthetic datasets to help uncover important interactions that don’t yet exist and sample predictions that have been the basis of models in the past.

Another alternative dataset being explored is spatial temporal data, which essentially means information across space and time. That can help formulate matches to uncover patterns in a more meaningful way when it comes to unpredictable or unforeseen future cases.

Long says when we look at the siloed way that individual entities and jurisdictions operate, cross-border data sharing is the “first order of operations that needs to be solved” for us to be able to better tap into the data that is available. Data must be shared freely, and not held within the walls of one individual entity or nation.

In a world connected like never before, it is only by acknowledging the threads that bind us together will we be able to tackle the threats that face us all.