FINANCE, COMPETITIVENESS & INNOVATION INSIGHT Prudential Regulatory and Supervisory Practices for Fintech: Payments, Credit and Deposits © 2019 The World Bank Group 1818 H Street NW Washington, DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org All rights reserved. This volume is a product of the staff and external authors of the World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and non-commercial purposes. The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank Group does not guarantee the accuracy of the data included in this work. Rights and Permissions The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly. All queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org. Photo Credits: Shutterstock.com FINANCE, FINANCE, COMPETITIVENESS & INNOVATION COMPETITIVENESS INSIGHT | FINANCIAL & INNOVATION INSIGHT INCLUSION, INFRASTRUCTURE & ACCESS TABLE OF CONTENTS ACKNOWLEDGMENTS III EXECUTIVE SUMMARY V INTRODUCTION 1 UNDERSTANDING THE CHALLENGE 3 Fintech Growth 3 Basic Technologies and Deriving Fintech Solutions 3 Fintech Benefits and Risks 5 Effect on Market Structure and Attendant Prudential Considerations 7 APPROACHES TO REGULATION 9 Monitoring and Engagement 9 Test Environments 9 Licensing 11 APPROACHES TO SUPERVISION 17 E-Money Providers and P2P Platforms 17 Outsourcing 20 Supervisory Technology 22 APPROACHES TO RESOLUTION 25 APPROACHES TO SAFETY NETS 27 DOMESTIC AND INTERNATIONAL COORDINATION 29 CONCLUSION 33 ENDENOTES 35 BIBLIOGRAPHY 37 REFERENCES 39 PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH I LIST OF BOXES Box 1: Existing Innovation Hubs and Hubs Linked to Regulators 10 Box 2: Operational, Forthcoming, and Proposed Sandboxes 10 Box 3: Early Information Technology Outsourcing in the Financial Sector 20 Box 4: Colombia Deposit Insurance for Sedpes 28 LIST OF FIGURES Figure 1: Growth of Number of Worldwide Noncash Transactions, According to Region: 2013-2017 4 Figure 2: Fintech Platform Growth: 2013-2017 4 Figure 3: Australia Restricted Authorized Deposit-Taking Institution Framework 12 Figure 4: Proposed Allocation of Responsibilities Between Cloud Customers and Providers 22 Figure 5: Data Collection Approaches 23 Figure 6: Existing Models of International Cooperation 30 LIST OF TABLES Table 1: Prudential Risks and Fintech 6 Table 2: Approaches to Licensing E-Money Providers 13 Table 3: Features and Requirements of National Peer-to-Peer Platform Registration Processes 14 Table 4: Minimum Capital Requirements for E-Money Providers 18 TABLE OF CONTENTS II FINANCE, FINANCE, COMPETITIVENESS COMPETITIVENESS & INNOVATION & INNOVATION INSIGHT | FINANCIAL INSIGHT INCLUSION, INFRASTRUCTURE & ACCESS ACKNOWLEDGMENTS T his report has been prepared by Charles Mahesh Uttamchandani, Marco Nicoli, Holti Taylor (consultant), Aquiles Almansi and Banka, Katia d’Hulster (all World Bank) and Aurora Ferrari (World Bank). The authors Jan Nolte and Froukelien Wendt (IMF). Lastly, gratefully acknowledge inputs and suggestions we thank Ann Redmon for editing this publication received from Alfonso Garcia Mora, Harish and Aichin Lim Jones and Amy Quach for design Natarajan, Matei Dohotaru, Yira Mascaro, Pierre and production services. Laurent Chatain, Erik Feyen, Matthew Saal, PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH III FINANCE, COMPETITIVENESS & INNOVATION INSIGHT EXECUTIVE SUMMARY T his report reviews progress in prudential governance standards for the outsourcing firms, but regulatory practices related to three basic this traditional approach becomes increasingly less fintech products—transaction accounts, effective when firms buy hardware and software credit, and payments. It examines advanced and as a service. Cloud suppliers continuously move emerging markets and developing economies and, the source of these services around their networks, based on that examination, highlights four priority so there is no longer a place for a customer (or areas for strengthening regulation. a regulator) to go to monitor and mitigate their risks. The in-house capability of financial firms is Four technologies are driving fintech forward: diminishing in relation to the capability of suppliers. application program interfaces, artificial intelligence, Making matters worse, if something goes wrong, distributed ledger technology, and cloud computing. and a cloud computing company fails, outsourcers Mobile technology has facilitated the expansion have become so dependent on cloud providers, of fintech products. Fintech can bring many and that industry is so concentrated globally, that benefits, although it is also associated with new practical options for switching are few. acquisitions and partnerships, new competitors, and new processes and business models and thus One area of growing prudential concern is the with potentially disruptive structural change. Old safety of customer funds held by the likes of boundaries are dissolving between segments in the telecommunications firms that provide e-money financial sector and between finance and the rest of services. Should the safety net that bank customers the economy. enjoy be extended to customers of these firms too? Some countries have explicitly ruled this out, Much uncertainty persists about future fintech some have approached it by requiring e-money prudential risks so, unsurprisingly, many firms to make back-to-back deposits in central jurisdictions are spending resources to monitor banks or banks, and some are looking into having developments and engage with industry. Sandboxes, e-money providers join deposit insurance schemes. where firms can test innovations under close The details of most of these approaches are still regulatory scrutiny, are becoming commonplace. being worked out, and key questions remain to Licensing practices are evolving to encourage or be addressed. A particularly thorny one is how to require innovators to come within the perimeter, address a nonbank e-money provider that fails so improving the ability of regulators to understand that customer assets are protected and continuity of fintech risks over time. Supervisory approaches services is ensured. are also maturing gradually and with significant differences between countries. Capital and liquidity For many jurisdictions, fintech has increased requirements, for example, seem to vary widely the importance of working with domestic and from country to country. Supervisors are themselves foreign regulators. The blurring of lines between embracing fintech through supervisory technology the financial sector and other industries, the rapid (suptech). dissemination of fintech developments, and the reach of global technology firms have contributed One trend is deceptively familiar—the increasing to this. Established regulatory forums such as dependence of financial firms on information the Financial Stability Board (FSB) and the technology outsourcing. For a long time, regulators Basel Committee have been monitoring fintech have approached outsourcing risks by setting developments. Fifty agencies from more than 20 PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH V jurisdictions participate in the Global Financial • Extension of safety nets to resources held Innovation Network.1 There they share information, by nonbank e-money providers: In several coordinate approaches, and explore the topics for jurisdictions, it is hard to say whether e-money mutual recognition of standards safety nets are robust. The details of what happens when an e-money firm fails are unclear. Financial regulators are making strides to improve Bankruptcy law may need to be changed. their understanding of fintech and to address potential associated prudential risks, but four areas • Embracing suptech: This presents opportunities remain worrisome: to manage the ever-increasing data flows from • Oversight of cloud computing service providers: regulated entities, improve analysis and take Regulators in different sectors and jurisdictions advantage of big data. But is also presents risks cannot oversee these giant providers by related to the capacity of supervisors, operations, themselves. Any corruption or disruption of their and data similar to those that regulated institutions services is likely to be systemic. face. • Capital and liquidity levels for fintech firms: No major jurisdiction except Mexico has seen These vary a great deal according to jurisdiction the need for a fundamental rethink of its financial and are only loosely related to risk. Sufficient legislation to cope with fintech. Time will tell capital and liquidity can absorb losses and whether regulatory coordination and cooperation encourage providers to take risk management and a patchwork of fixes will be enough to address seriously. future fintech prudential risks. EXECUTIVE SUMMARY VI FINANCE, FINANCE, COMPETITIVENESS COMPETITIVENESS & INNOVATION & INNOVATION INSIGHT | FINANCIAL INSIGHT INCLUSION, INFRASTRUCTURE & ACCESS INTRODUCTION T his report is a stock-take of the state of view of prudential regulation, which refers to prudential supervision and regulation of macroprudential regulations addressing risks to the fintech. It focuses on prudential questions financial system as a whole and microprudential related to three basic products—transaction regulation addressing risks to institutions or accounts (deposits and e-money accounts), credit, individual markets. Regulations should ensure that and payments—because they are foundational institutions’ risks are well managed and that they for all markets and essential for the deepening of have enough capital and liquidity.3 Then, in the event the financial systems of emerging markets and that they nevertheless fail, there should be a way developing economies. The report identifies types of to resolve the institution without disruption to the existing regulatory approaches, as well as emerging system or cost to the public. In the case of markets, key questions, but does not attempt to identify best microprudential regulation is aimed at ensuring practices, because the regulatory developments transparent price discovery and smooth clearance analyzed are too recent to draw conclusions. The and settlement of transactions.4 Cybersecurity is report is targeted at policy makers. not included in this report because it is addressed in a separate publication.5 The report adopts the Bali Fintech Agenda definition of ”fintech”: “advances in technology that have the The universe of publications that have been analyzed potential to transform the provision of financial consists mainly of English-language materials services spurring the development of new business that governments around the world and financial models, applications, processes, and products.”2 regulatory agencies have published. The team Of those technological advances, the report has also used materials published by international examines artificial intelligence (AI) (including financial institutions, standard-setting bodies, law machine learning (ML)), application programming firms, foundations, consultancies, and academics. interfaces (APIs), distributed ledger technologies The authors also interviewed officials and experts (DLTs), and cloud computing. These basic from Australia Brazil, Canada, China, Colombia, technologies are already affecting the financial Mexico, the European Union, Switzerland, the sector thanks in part to mobile technology, which United Kingdom, and the United States. has greatly facilitated the expansion of fintech The jurisdictions analyzed include emerging markets products. Other technologies that may matter in the and developing economies and advanced economies. future, such as quantum computing and wearables, Fintech market developments are not necessarily are not covered here. associated with degree of market development. For Against this definition of fintech, the report example, e-money providers are large and systemic in focuses on the effects that fintech has on some emerging markets and developing economies, market developments (including benefits and whereas they are small in mature markets. Therefore, risks) and attendant implications for existing fintech prudential experiences are relevant for prudential regulatory, supervisory, and resolution countries of all income groups. concepts and practices. It takes a comprehensive PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 1 FINANCE, FINANCE, COMPETITIVENESS COMPETITIVENESS & INNOVATION & INNOVATION INSIGHT | FINANCIAL INSIGHT INCLUSION, INFRASTRUCTURE & ACCESS UNDERSTANDING THE CHALLENGE Fintech Growth China has emerged as a global leader in fintech growth. Credit via peer-to-peer lending increased T “ echnology has always played an important from $5.5 billion in 2013 to $358 billion in 2018, role in driving change in the financial sector: and although growth has slowed in the past year from the telegraph to the ATM” (Hauser owing to regulatory tightening, average year-over- 2017), but since the global financial crisis, the pace year growth over the whole period remains high. of change has accelerated, and the effect of new In 2016, 30 percent of fintech firms valued at more technologies has spread across a wider range of than $1 billion were in China. Payment platforms financial activities than ever before. associated with e-commerce and social media For example, the market for outsourcing of dominate the fintech space in China. For example, processes and decisions by financial sector firms Ant Financial (formerly Alipay), the largest is growing fast. Worldwide public cloud service payment service provider, supported 451 million revenue is estimated to grow from $182 billion in active users in 2015 and processed on average 153 2018 to $331 billion in 2022. Revenues for cloud million transactions a day, slightly ahead of VISA system infrastructure as a service (IaaS), which in 2016, at 150 million. are the most relevant for financial institutions processing their core banking systems and storing Basic Technologies and Deriving critical data in the cloud, are estimated to grow Fintech Solutions from $31 billion in 2018 to $77 billion in 2022. Four technologies underlie many of the applications When examining the effect of fintech on different that have driven fintech growth: APIs, AI, DLTs, segments of the financial services sector, the and cloud computing: payments industry stands out. From 2013 to 2017, • APIs are definitions, protocols, and tools that total electronic transactions globally grew by 50 specify how different pieces of software should percent. The pace of growth differs in different interact. Standardized APIs help connect economies, with Emerging Asia, Middle East disparate systems and separate organizations, and Africa experiencing faster growth in noncash allowing them to share data and analytics. APIs transactions (figure 1) than other countries. allow development of computer programs such as Fintech has also affected other segments of the personal financial management tools that access financial sector. The extension of credit by fintech different financial accounts (Dias 2017). They are increased from $11 billion in 2013 to $419 billion essential for open banking, because they make it in 2017 (figure 2). There are differences in the rate easy to share personal and product data securely of growth of fintech platforms, with markets in among financial institutions. China, the United States, and the United Kingdom experiencing the greatest growth in recent years, • AI computer programs are capable of performing albeit from a low base. (Fintech lending accounted tasks such as problem-solving, speech recognition, for approximately 13 percent of overall new lending pattern recognition, visual perception, and in the first half of 2018 in China, and in the United decision-making and providing expert advice States, credit volumes accounted for 4 percent of without human intervention. A central technology overall net loan origination in 2016.) underlying AI is ML, which refers to the way computer programs can be algorithmically refined PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 3 Figure 1: Growth of Number of Worldwide Noncash Transactions, According to Region: 2013-2017 CAGR Growth (2013-17) (2015-16) (2016-17) Global 10.8% 10.4% 12.0% Developing Latin America 5.4% 3.4% 8.3% Middle East and Africa 15.9% 19.0% 19.3% Emerging Asia 34.6% 27.6% 32.5% Mature Asia-Pacific 10.5% 10.4% 11.0% Mature Europe (including Eurozone) 7.9% 8.4% 7.6% North America 5.4% 5.1% 5.1% Note: Middle East and Africa includes Turkey, South Africa, Saudi Arabia, Africa and Middle East, Russia, Other CE countries and Other MEA countries. Other CE countries includes Bulgaria and Croatia. Other MEA countries includes Algeria, Kenya, Nigeria, Egypt, Israel, UAE, and Morocco; Latin America includes Argentina, Colombia, Venezuela, Chile, Peru, Uruguay, Costa Rica, Bolivia, and Paraguay in other Latin American countries; Emerging Asia includes China, India, Hongkong and other Asian countries including Malaysia, Thailand, Indonesia, Philippines, Taiwan, Pakistan, Sri Lanka, and Bangladesh; Mature APAC (Asia-Pacific) includes Japan, Australia, South Korea, and Singapore; NA (North America) includes the US and Canada; Chart numbers and quoted percentages may not add up due to rounding.. Source: Capgemini Research Institute, 2019. Figure 2: Fintech Platform Growth: 2013-2017 $358bn $8bn $2.57bn $245.28bn $6.51bn $965m $4.72bn $3.81bn UK $24.30bn $1.11bn $101.69bn $645m $2.38bn $5.56bn $354m $43.87bn $36.17bn $35.32bn $11.56bn Europe China $4.4obn $0.95bn $0.24bn $0.15bn $0.45bn $0.08bn USA $3.63bn Africa & $0.73bn $1.12bn $0.34bn Middle East $0.06bn $0.11bn $0.02bn $2.00bn $0.27bn $0.14bn Latin America & the Caribbean APAC 2013 2014 2015 2016 2017 Source: Cambridge Center for Alternative Finance 2019 UNDERSTANDING THE CHALLENGE 4 to improve outcomes. In recent years, increases in relevant for financial institutions processing their data processing and storage power have boosted core banking systems and storing critical data in AI and ML (Dias 2017). With cloud computing, the cloud. AI has supported the emergence of lending (or peer-to-peer (P2P)) platforms. An indirect outcome of the development of API, AI, and cloud computing is that large volumes • DLTs propose, validate, and record data in many of unstructured (e.g., emails, internet traffic) and places at the same time so that all participants in structured (e.g., databases) data, so-called big data, a DLT system always have valid and identical can be stored, exchanged, and analyzed. versions of the data (Committee on Payment Clearing and Settlement 2017; Dias 2017).6 Fintech Benefits and Risks Unlike traditional databases, distributed ledgers are not centralized, although they may be These technologies are affecting market outcomes. managed by a single party.. Fintech can spur competition; recent research shows that, the less competitive the banking sector is, the • Cloud computing refers to the practice of using greater fintech credit by new players is (Claessens a network of remote servers, typically accessed et al. 2018). Financial services and products should over the internet, to provide information be cheaper than they would have been otherwise technology (IT) services. Public clouds that are as a result of cost-saving innovations. Advanced operated and owned by a third party are typically analytics may aid in customization. Big data and the pay-as-you-go and are available on demand, use of ML and AI may make it easier for financial offering scale, efficiency, and flexibility. They firms to identify specific market segments and to often have functions distributed over multiple understand their customers’ needs more precisely. locations. Clouds may also be limited to a single In addition, know-your-customer regulations may organization (private cloud) or a combination of be “automated through ML and advanced analytics; public and private (hybrid cloud). The largest similarly, transaction monitoring for suspicious public cloud is Amazon Web Services. Financial transactions or sanctions” (Institute of International firms can purchase different levels of service Finance 2016). from cloud providers. The basic level of service is IaaS, in which a vendor provides pay-as- Fintech should increase contestability (the ease you-go access to storage, networking, servers, with which new firms can enter and leave a market). and other computing resources in the cloud. Open-data policies, which require institutions to The next level is platform as a service (PaaS), ensure that customers have control of data about in which a service provider offers access to a them, should make it easier to switch from one cloud-based environment in which users can institution to another. Also, aggregators drawing build and deliver applications, and the provider on sources from different specialist firms should be supplies underlying infrastructure. With software able to challenge existing universal banking brands as a service (SaaS), a service provider delivers with a variety of competitive services, decreasing software and applications over the internet, that the value of brand and consumer loyalty. This could users subscribe to and access via the web or result in much better access to financial services. vendor APIs. The highest level is business process Nevertheless, the emergence of the basic technologies as a service, in which a firm outsources many of (API, AI, DLT, cloud) with their attendant positive its business processes to a cloud provider. Cloud implications for market developments are not computing is increasingly becoming a necessary without risks. Table 1 provides an overview of foundation for other disruptive technologies where the technologies presented above may affect such as AI. This report focuses on prudential prudential risks. considerations regarding IaaS, which is the most PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 5 In particular: a downturn, when it may make a procyclical • Levels of uncertainty about the future. There is a contraction in credit worse. These uncertainties good deal of uncertainty about the effect of fintech provide a powerful justification for the emphasis on financial stability in the medium and long that many jurisdictions are placing on monitoring, term. Table 1 illustrates this with the number of engagement, and creation of test environments or data points where the effect of basic technologies sandboxes (discussed further below). could be positive or negative. For example, the • The technology whose effect is most uncertain effect of APIs on the risk of systems failure: APIs is cloud computing. Consider, for example, the that replace manual or patched-together systems effect of cloud computing on the risk of systems may make interactions more reliable in normal failure. Higher standards of IT management for circumstances but, in abnormal times, act as a critical outsourced systems in smaller financial conduit for contagion. Likewise, consider the institutions may reduce that risk while at the same effect of AI on reputation risk. To the extent that time increasing governance challenges, making the analysis of many forms of consumer data risk mitigation more difficult. This vulnerability supports inclusion and better credit assessments, is further explored in the section below it reduces risks, but it has not been tested in on outsourcing. Table 1: Prudential Risks and Fintech Institutional Instability Market Instability Network Instability Contagion Positive Liquidity Liquidity Operational Solvency Risks Risks Risks Risks Effects Feedback Loops Funding Lost Lost Credit Market Operational Reputational Liquidity (1) (2) Confidence Confidence Fire Risk Due to Due to Sales Asociation Exposures People Processes IT/Systems System Cyber Compliance Failure Data Data Privacy Privacy Artificial > > > > x < < x x – x x < < < Intelligence Distributed Ledger > > > > x > < x x – – > – – < Technolllogies Application Programming – – > > x < < x x – – – < < < Interface Cloud Computing – – x x x x x x x – – – x – – Source: World Bank staff 1 Net losses due to loan or exposure impairment or write-offs. 2 Net losses due to changes in asset market values includes interest rate, fx, equity, commodity risks. Also includes risks specific to options and derivatives. > = fintech may well reduce prudential risk; < = fintech may well increase prudential risk >< = it can go wither way; - = fintech likely to have minimal impact on prudential risk UNDERSTANDING THE CHALLENGE 6 • Other than cyber risk and fire sales, the category Second, these technologies are creating the of risk that fintech most affects is compliance risk. opportunity for nonfinancial firms to provide The concern is largely to do with data integrity and basic services. New entrants may disintermediate security, topics covered in the subsequent section on established institutions. Big technology firms such data governance. as Facebook in the United States and Alibaba in China have large customer networks and are • AI and APIs may amplify network instability. positioned to take share in several financial markets, In addition to the risk of APIs acting as a including payments, savings, and insurance. Two conduit for contagion effects, AI may exacerbate other examples are that greater efficiencies in contagion because it is a critical technology behind international remittance transfers arising from high-frequency trading and other trading and fintech may mean that a significant revenue investment strategies that may increase volatility. source for existing banks is going away and that APIs may facilitate customer switching, making DLT innovations in back office processing may deposits unsticky and, therefore, an unreliable disintermediate prime brokerages. The playing field source of funding for institutions holding customer may be uneven, with new entrants not subject to funds. For these reasons, safety nets for nonbank the same level of regulatory scrutiny as established financial institutions, which act as a bulwark institutions. Although this is no more than old- against any general loss of confidence and reduce fashioned regulatory arbitrage, it challenges the switching risks, are included in the report. structure of the industry and, from a regulatory point of view, challenges the common approach of Effect on Market Structure regulating institutions rather than activities. and Attendant Prudential Third, established providers such as banks are Considerations reacting to the threat of new competition by buying The technological developments described in or partnering with fintech developers. For new section below on test environments are changing technology entrants, these alliances give them the structure of the financial sector in three ways. access to consumer deposits or related account data, payment systems, credit origination, and First, they are leading to an increase in outsourcing compliance management (Brainard 2017). of activities and decisions. Outsourcing of activities is not a new phenomenon in the financial services These market trends raise fundamental questions industry; outsourcing of data processing and storing for regulators and supervisors regarding regulatory of data has existed for many years. What is new is perimeters and fragmentation. Although regulators that outsourcing leads to having no physical access to have traditionally monitored activities that fall the stored data or its processing. Furthermore, there outside their remit, with a view to expanding the is a high concentration of providers of outsourced regulatory perimeter if necessary, the speed of fintech services. Fintech is also leading to outsourcing innovation means that adequate coverage of activity of decisions, which mathematical algorithms and institutions today is no guarantee of adequate ultimately make, rather than human beings, who coverage tomorrow.7 In many jurisdictions, types often must have specific qualifications to make of institutions rather than types of activities define such decisions and must follow specific protocols the regulatory perimeter, and technology firms that laid out in manuals or other formal documents provide financial services are often outside the specifying the parameters to be considered in the perimeter. Conversely, innovative start-ups and decision-making process and what is or is not technology firms may not know when their products allowed (e.g., customer discrimination). or services will be subject to financial regulation. PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 7 The increasing outsourcing of activities and means that multiple agencies may have a stake decisions of financial institutions is testing existing in considering certain fintech matters. It also supervisory practices. Are bank management means that new guidance and programs will often and boards able to exercise oversight on cloud come from multiple agencies and in some cases providers? Who should supervise cloud providers? may have narrower application than comparable How can algorithms making decisions be overseen measures from jurisdictions with more centralized to ensure certain regulatory criteria are included in authorities” (Tsai 2017). Fintech payment and the decision-making process? lending firms in particular say that complying with fragmented state requirements is costly and time Along with the regulatory perimeter, the other consuming (US GAO 2018). The United States is prominent theme in published documents about not unique in this regard. fintech regulation is the challenges that regulatory fragmentation creates. For regulators, these Fragmentation is also a challenge internationally. are challenges of coordination. For industry Technologies are often portable, and fintech participants, these are the challenges of navigating companies look for ways to exploit economies of many regimes if their activities span multiple scale by selling their services internationally, which subsectors or countries. increases the need for international coordination and cooperation between supervisors on the regulatory The problem may be particularly acute for treatment of cross-border technology companies, jurisdictions with multiple agencies responsible among other things. Greater international for regulation and supervision. For example, “the cooperation may be beneficial for all parties (Basel distributed nature of U.S. regulatory authorities Committee on Banking Supervision 2017).” UNDERSTANDING THE CHALLENGE 8 FINANCE, COMPETITIVENESS & INNOVATION FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT APPROACHES TO REGULATION T o stay abreast of fintech development and Jurisdictions around the world are engaging with ensure that firms are brought within the the industry in different ways. For example, in the perimeter when necessary, authorities United States, regulators are reaching out through so- around the world have created arrangements to called “office hours,” which means that they travel monitor and engage with the fintech community. from city to city to meet fintech company executives These arrangements range from holding regular and explain regulation to them.8 In France, in meetings to creating innovation hubs. Several 2016, the prudential authority in charge of banking jurisdictions have also created sandboxes— and insurance supervision (Autorité de Contrôle live test environments to observe new firms, Prudentiel et de Résolution (ACPR)) and the products, or processes outside of the regulatory securities markets regulator (Autorité des Marchés perimeter. Authorities have also modified the Financiers) created the Forum FinTech, which regulatory perimeter to take into account fintech gathers financial sector regulators, the Minister of developments. Some jurisdictions have used the Finance, and financial sector participants (fintech existing framework and applied it to fintech; others and more traditional segments) to share what they have created new types of licenses with different know about questions, concerns, and risks related prudential requirements. Supervisory practices to fintech. The Hong Kong Monetary Authority has are being developed for newly licensed fintech set up a “Fintech Supervisory Chatroom to provide companies, and existing supervisory approaches feedback to banks and tech firms at an early stage of are being applied to outsourcing to fintech firms. their fintech projects” (HKMA 2016). Supervisory practices overall are taking advantage Innovation hubs are another, often government-led, of technological developments, a phenomenon effort that can help prudential supervisors engage called suptech. No jurisdiction has modified the with the fintech industry and stay abreast of fintech existing resolution framework to take into account development. There are more than 30 innovation fintech developments, but some are experimenting hubs around the world, primarily in North America, with ways to include nonbank deposit payments of Europe, the Gulf countries, and Asia (box 1). In fintech firms in their safety nets. Lastly, domestic eight jurisdictions, the regulator or central bank is and international cooperation arrangements, ranging the host. Stated objectives of innovation hubs vary, from exchanges of information to harmonization of from promoting innovation to financial inclusion frameworks, are emerging. and risk mitigation. Bahrain, Cyprus, Estonia, Hong Kong, Malaysia, Singapore, and the United States Monitoring and Engagement have all identified risk mitigation to consumers and At any point in time, regulators need to know how the markets as a major objective of their hubs. fast fintech is developing. They need to know where processes have been created or eliminated Test Environments and where they have been streamlined so they Many regulators have decided to create test can understand the implications for adding value environments for fintech through sandboxes—formal in different parts of the financial sector and for regulatory programs that allow market participants emerging risks. to test new financial services or business models PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 9 with live customers, subject to some safeguards and aim to establish the commercial viability of the oversight, usually for a limited time. More than 31 product, and those testing policies aim to assess authorities have created regulatory sandboxes in the whether particular rules or regulations should be last few years, nine are in process of creating one, changed based on specific use cases. The sandbox and nine are planning to (box 2). becomes the final step in a regulatory continuum, which begins with informal guidance on regulatory Broadly speaking, sandboxes may focus on testing uncertainties and ends with a test to determine products or policies. Sandboxes testing products whether the business model or an existing rule Box 1: Existing Innovation Hubs and Hubs Linked to Regulators Innovation Offices Innovation Hubs Linked to Australia Hong Kong Netherlands Regulators/Central Banks Austria Hungary Norway Abu Dhabi Bahrain Iceland Poland Bahrain Belgium Indonesia Romania Dubai Canada Ireland Singapore France Cyprus Italy Spain Hungary Denmark Japan Sweden Portugal Estonoa Latvia Switzerland Singapore Finland Liechtenstein Thailand South Korea France Lithuania UK Germany Malaysia USA Source: UNSGSA FinTech Working Group and CCAF 2019. Box 2: Operational, Forthcoming, and Proposed Sandboxes Forthcoming Proposed Operational Sandboxes Sandboxes Sandboxes Abu Dhabi Japan Russia Bermuda China Australia Jordan Saudi Arabia Brazil EU Bahrain Kazakhstan Sierra Leone India Fiji Brunei Lithuania Singapore Indonesia Israel Canada Malaysia Switzerland Jamaica Japan Denmark Mauritius Taiwan Kenya Malta Dubai Mozambique Thailand Mexico South Korea Hong Kong Netherlands UK Norway Sri Lanka Hungary Nigeria USA Spain Uganda India Philippines Indonesia Poland Source: UNSGSA FinTech Working Group and CCAF 2019. APPROACHES TO REGULATION 10 or regulation needs modification. The Monetary services.”10 Most national definitions of fintech Authority of Singapore (MAS) has been a pioneer approximate the FSB definition in practice. in this approach to evolving policy. With a fintech definition in hand, jurisdictions have adopted a one- or two-perimeter model. Under the Licensing one-perimeter model, all fintech firms must register Authorities are addressing the challenges that with the authorities so that they can be monitored. fintech poses to the regulatory perimeter in different Under the two-perimeter model, all fintech firms ways. Generally, common law jurisdictions have must register and be monitored, and a subset must been able to apply existing legislation and adapt also be licensed and supervised. Two approaches old procedures for chartering or licensing, whereas have emerged to the two-perimeter model: one in in civil law jurisdictions, it depends on institutional which the subset is defined in terms of activities or structure. If there is a unified financial regulator, it is size and another in which it depends on how long a easier to accommodate fintech licensing internally. firm has been registered. If different regulators are responsible for different China is a leading example of the one-perimeter parts of the financial system, it is harder, and new approach. Since 2015, China’s Ministry of Finance legislation can be needed. has defined its internet finance regulatory perimeter The United Kingdom is an example of a common law by enumerating specific activities, including jurisdiction. Although it has separate prudential and payment services, lending (P2P and online conduct regulators, most accommodations needed microfinance), crowdfunding, fund sales, insurance, for fintech could be made administratively within trust services, and consumer finance delivered over the Bank of England, the Prudential Regulation the internet. Firms engaged in this sort of activity Authority, and the Financial Conduct Authority. must register (Chinese Ministry of Finance 2018). At the other end of the spectrum is Mexico, a civil It is expected that the Chinese perimeter model will law country with a divided regulatory structure, evolve into one of the other forms. which had to pass new legislation in March 2018 to The European Union illustrates the first achieve its fintech policy objectives. approach under the second model. The European In between the United Kingdom and Mexico are Banking Authority (EBA) recently stated that common law and civil law countries that have used crowdfunding, consumer credit, robo advice, a combination of measures to establish appropriate financial intermediation services, comparison definitions of fintech through small changes to services, and credit reference services must all be existing primary legislation (e.g., Switzerland) or authorized—defining its inner perimeter where adapted rules or introduced secondary legislation firms are licensed and supervised. Firms engaged for licensing in various ways (e.g., Australia). in money broking, portfolio management, or portfolio advice need only be registered—defining Before they define a perimeter, jurisdictions need a second outer perimeter. Firms that simply provide a definition of the term “fintech.”9 Some have technology to financial firms, such as point-of-sale chosen to enumerate covered activities, whereas system providers, regulatory technology firms, others have defined fintech in terms of specific and technology support companies, do not need technologies and their potential effect. The FSB to register or be licensed and so are outside both definition of fintech has been influential: fintech regulatory perimeters. is “technologically enabled innovation in financial services that could result in new business models, Australia’s temporary restricted license for applications, processes, or products with an authorized deposit-taking institutions (ADIs) is an associated material effect on financial markets example of the second approach under the second and institutions and the provision of financial model. The Australian Prudential Regulation PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 11 Figure 3: Australia Restricted Authorized Deposit-Taking Institution Framework Licensing Operating Pre-application Application and Restricted License License Direct Route Assessment Early Contact Licensing ADI ADI Discussions (with conditions) Restricted Route with APRA Assessment Restricted ADI Source: APRA n.d. Authority (APRA) limits the powers and size to be complicated, sometimes involving multiple of fintech start-ups that receive this license. It authorities, multiple steps, capital requirements, lasts for a maximum of two years, constituting a membership in a local industry association, and transitional phase for a new entrant in obtaining a certification from the International Organization for full ADI license. APRA assesses each applicant’s Standardization for information security (table 3). structure, ownership, governance, and business To obtain a license, fintech firms have generally plan. Fit and proper standards are the same, but had to meet specific conditions, and then, to keep capital requirements, shareholding concentration their license, they must operate within specific standards, IT requirements, and organizational rules that are enforced through some level of requirements are lighter than they are for a full supervision. The types of rules are broadly similar ADI license. Applicants also have to say how they across jurisdictions and closely follow those used expect to graduate to a full ADI license and, in the for banks. For example, the European Central Bank interim, must have an exit plan. has set out rules for license applications for fintech With respect to types of licenses, regulators have credit institutions that mirror those for regular developed four approaches for e-money providers European banks. based largely on the relative roles of banks (or narrow There are differences between rules for banks and banks) and nonbanks, such as telecommunications those for fintech. Capital and liquidity requirements, companies (Gates Foundation 2019). Table 2 as well as permitted and prohibited activities, stand summarizes these approaches and their various out. The paragraphs below highlight the features advantages and disadvantages and provides of fintech that may require a different approach or examples of e-money providers for each type of calibration. approach. Licensing requirements for lending or P2P platforms vary from country to country. • Governance arrangements: A management A recent World Bank technical note examined body comprising people who are competent and registration—one step in the licensing process— experienced is required. Typically, the founders in the United States, United Kingdom, China, and of a fintech company need qualifications and Indonesia. In these jurisdictions, registration seems experience that are very different from those APPROACHES TO REGULATION 12 Table 2: Approaches to Licensing E-Money Providers Licensing Nonbank Examples Advantages Disadvantages Model Functions1 Country Services Bank only None • Banks already licensed • Business case for Bangladesh bKash and supervised expansion may be   weak South Africa FNB eWallet • Risk management and   anti-money-laundering • May lack and countering financing understanding of poor of terrorism systems and rural markets in place • Few examples of • Can lead to other helping with financial services inclusion Narrow None • Clarity on licensing • Prudential requirements India Paytm Pay- bank and supervision for all banks may not fit ments Bank narrow banks well  Pakistan EasyPaisa Telenor Microfinance Bank Bank Branding • Clarity on licensing • Tight supervisory con- Cameroon MTN MoMo based but and and supervision trol of, for example, new nonbank delivery products and services, Uganda Airtel Money, led changes to MTN Mobile account limits Money • Indirect communication between nonbank and banking supervisors Nonbank All except • Common in high • Strain on supervisory Brazil Payment special safeguarding adoption jurisdictions capacity institutions purpose China vehicle • Direct communication • Mobile network Alipay between nonbank and operators may restrict Nigeria banking supervisors competition FirstMonie Tanzania (bank), Paga • Separate legal entity • Unclear legal authority United (nonbank) can help in governance, of banking supervisors States supervision, and over nonbanks M-Pesa resolution PayPal • Interagency coordination Source: Gates Foundation forthcoming. 1 Possible functions include license to issue e-money, direct communication, contractual agreement with customer, branding of e-money service, delivery of e-money service, safeguarding of customer funds. Note: Brazil requires technology companies with non-fintech businesses to set up a local fintech subsidiary. Not all countries fit neatly into this typology. For example, the UK Financial Conduct Authority has different payment and e-money licensing requirements based on size, with more demanding associated regulations as size increases. Thresholds are at average monthly turnover in payment transactions below $3.3m (€3m), between $3.3m and $5.5m, and above $5.5m (https://www. fca.org.uk/firms/authorisation-registration-emoney-payment-institutions). PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 13 Table 3: Features and Requirements of National Peer-to-Peer Platform Registration Processes United States United Kingdom China Indonesia Multiple agencies Federal and Financial Conduct Federal and local state Authority only Steps in the process Multiple steps Two-step process Capital requirements None Minimum None Minimum requirements requirements Association membership Yes International Standards Yes Organization 27001 certification Source: World Bank staff required for effective bank leadership. For • Capital, liquidity and solvency: There should be a start-up, much-less-elaborate governance enough assured resources to cover initial losses, arrangements may suffice—simpler procedures finance growth, and possible strategic shifts that and smaller numbers of people involved— can be necessary in the early stages of any business provided they are transparent and effective. (ECB 2017). Details on the level of initial and ongoing capital required for e-money providers • Ownership and control structure: Shareholders and lending platforms in different jurisdictions in start-ups must have considerable financial and attendant observations are provided in resources from the outset to avoid excessive Table 4. With respect to the source of initial leverage as they grow. Broadly speaking, the capital, many fintech companies have foreign same is true of a fintech firm as a bank, although sources of capital. This may be challenging for requirements are calibrated to different short- and countries that have foreign exchange controls. long-term liquidity and capital requirements. • Business strategy and plan: There must be For fintech firms that are part of a larger established a well-thought-out business strategy and plan technology company, most countries require (including plans for any future acquisitions). In that company to set up a subsidiary. Kenya is a addition, some jurisdictions such as Australia notable exception. Segregation of the financial require firms to have a nondisruptive resolution sector activity in a subsidiary is critical should or exit plan. the parent or subsidiary fail. If the technology firm is an international one, a local subsidiary— • Internal controls and risk management or at least a supervisable local presence—is often arrangements: Strong, well-documented core a requirement. risk management processes are necessary. In banks, these include processes to score loan • Fit and proper owners and managers: Owners applicants, approve new loans, manage collateral, and managers must be of good character. This and manage nonperforming loans. Requirements standard is often the same for fintech firms for fintech firms can emphasize strong and banks. It is hard for applicants to prove a processes for cybersecurity and outsourcing risk negative—that they have never done anything management and data governance backed up by wrong—but evidence of good standing is good audits. typically part of fintech licensing requirements.11 APPROACHES TO REGULATION 14 • Consent of other supervisors: Consent of only since January 2019. The Swiss Financial any other supervisors is important for banking Market Supervisory Authority is assessing the first supervisors—for example, for listing a bank on applications, so it is too soon to say how many a stock exchange subject to separate regulation, will be granted. Similarly, in Mexico, the first although for fintech firms, particularly e-money licenses were due to be filed by late September providers, other agencies may need to be 2019. The authorities received 85 applications: involved, such as those responsible for IT, 60 for electronic payment institutions and 25 for industry development, telecommunications, or platforms. The Comisión Nacional Bancaria y de communications. Valores (CNBV) has six months to grant a license. During that time, it can go back one time to give the • Permitted and forbidden activities: Banks and fintech firm a month to modify its application. The fintech firms should engage only in permitted largest firms will be probably ready, but smaller activities. For banks, these typically include firms with limited resources and those who did not lending, payments, and deposit taking but may take the filing process seriously may not be able to also include other services such as custodian and file properly and in time. The situation will become trust services. For other activities such as securities clearer after the CNBV has completed its reviews.12 trading on their own account, permissions and prohibitions vary according to jurisdiction. For At the U.S. Office of the Comptroller of the fintech firms, permitted activities are typically Currency (OCC), which announced a special- more narrowly defined—payments, but not purpose fintech charter with fanfare in July 2018, lending for e-money firms and facilitating P2P there had been no formal applications as of June lending and maybe some borrower research for 2019 (OCC 2019).13 (Litigation from several states platforms—although permissions may be broader that challenges the OCC prerogative to supersede for fintech firms than banks in one respect; a parent their regulation has compromised the potential may be permitted to engage in commerce, as is the for this sort of license (Ballard Spahr LLP 2018).) case for Alipay, for example, which is a subsidiary Even in Singapore, where the MAS has been active of Alibaba, a company active in the e-commerce, in promoting fintech in a variety of ways, it was not retail, internet, and technology sectors. announced until July 2019 that MAS would award its first five digital banking licenses—two retail full It is too soon to see how these special licensing banks and three wholesale—and started accepting arrangements are going to work. In Switzerland, applications in August.14 for example, the fintech license has been available PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 15 FINANCE, FINANCE, COMPETITIVENESS COMPETITIVENESS & INNOVATION & INNOVATION INSIGHT | FINANCIAL INSIGHT INCLUSION, INFRASTRUCTURE & ACCESS APPROACHES TO SUPERVISION F intech is affecting supervisory practices in three means through which the resources of customers dimensions. First, prudential regulators have are safeguarded and the relationship with the developed supervisory practices for recently regulators is maintained created fintech firms such as e-money providers and lending platforms. Second, supervisors have • No-bank special purpose vehicle schemes, in adapted existing supervisory practices to oversee which a bank is involved only in safeguarding and mitigate micro- and macroprudential risk customer funds emerging from increasing outsourcing of processes Table 4 illustrates that there are large differences and decisions by financial firms. Third, to manage in capital requirements during licensing and later ever-increasing data flows from regulated entities on as operations develop. Capital requirements are and more difficult analytical challenges and to take based on different ratios with regard to deposits, advantage of big data, regulatory and supervisory liabilities, risk-weighted assets, and, in the case of agencies have started using fintech internally. Bangladesh, an absolute number. This is referred to as suptech, which represents an opportunity but also presents risks. Capital requirements for lending platforms are also uneven. Only one-third of jurisdictions worldwide E-Money Providers and had minimum capital requirements, and one- fifth required P2P to hold capital proportionate to P2P Platforms the total amount invested in the lending platform Although supervision covers many aspects, this (WBG and University of Cambridge 2019). China section focuses on capital and liquidity, which firms and the United States, for example, had no capital need to operate, as well as the ability of supervisors requirement, the United Kingdom had a requirement to ensure that fintech companies comply with the of 0.2 percent of the total value of loaned funds up almost universal requirement of fund segregation. to £50 mm (USD64 million), with the marginal rate declining to 0.05 percent above £250 million It is difficult for financial authorities to set objectively (USD320 million) (World Bank 2019 b). justified capital requirements for fintech services, and there has been little international cooperation One useful way to think about capital requirements to set international standards. E-money providers for e-money providers and P2P platforms (and or payment services are a case in point. Table 4 other sorts of fintech services) is that many if not summarizes the capital requirements for e-money all of their risks are operational, and operational providers in four sorts of regulatory regimes: risks tend to be heterogeneous and fat-tailed, and applicable data for estimating loss distributions • Bank-only schemes, in which a banking license is tend to be scarce. For operational risks, there needed to provide e-money services are some useful points of reference. First, the • Narrow banking schemes, in which banks must Basel Committee has an operational risk capital set up a narrow bank specifically to provide standard for smaller banks that requires them to e-money services hold operational risk capital equal to at least 12 percent of operational revenues or operational • Banking-based but non-bank-led schemes, in expenses, whichever is greater. (“Smaller banks” which a nonbank firm takes the lead in branding are defined here as banks with operational and delivery, but a banking relationship is the revenues and expenses of less than Euro 1 billion; PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 17 most e-money providers are likely to fall well there would be a wide dispersion in national capital below that threshold.) Second, the Committee on adequacy regimes for these sorts of fintech firms, Payments and Market Infrastructures–International but there are other considerations. For example, Organization of Securities Commissions (IOSCO) the length of time it takes to close down a network Principles for Financial Market Infrastructure have without causing instability depends on whether a requirement that unencumbered capital be at least there are alternative service providers and whether enough to cover fully loaded operational expenses the obligations (financial or operational) of their for 6 months, to allow for an orderly closure. customers can be transferred to those competitors cheaply and smoothly. For telecommunications It would be useful to know how e-money and operators in rural areas, transferring e-money P2P capital compare with these two capital accounts effectively might be difficult. Likewise, requirements. It seems likely from table 4 that Table 4: Minimum Capital Requirements for E-Money Providers Country Type Initial Requirement (USD) Ongoing Requirement Brazil SPV 54,000,000 Greater of 2% of monthly transaction value or 2% of liabilities Hong Kong SPV 3,200,000 Unspecified India Narrow bank 13,700,000 15% of risk weighted assets Mexico Narrow bank 11,100,000 8% of risk weighted assets Bangladesh Bank only 5,300,000 USD10,700,000 Columbia SPV 2,200,000 2% of deposits Myanmar SPV 1,900,000 Unspecified Malaysia SPV 1,200,000 8% of liabilities Ghana SPV 1,000,000 Unspecified Sri Lanka SPV 872,000 Unspecified Peru SPV 722,000 2% of liabilities Brazil SPV 470,000 Greater of 2% of monthly transaction value or 2% of liabilities EU SPV 400,000 2% of liabilities Tanzania SPV 219,000 Unspecified Kenya SPV 200,000 Unspecified Rwanda SPV 116,000 Unspecified Uganda Bank-based but Unspecified Unspecified nonbank led Source: Gates Foundation forthcoming. For Hong Kong: “https://www.hkma.gov.hk/media/eng/doc/key-functions/ finanical-infrastructure/infrastructure/retail-payment-initiatives/Explanatory_note_on_licensing_for_SVF.pdf,” Notes: USD0.13 = HK$1. Nonbank special-purpose vehicle (SPV) in this case refers to nonbanks whether or not they are a special purpose vehicle APPROACHES TO SUPERVISION 18 if a P2P platform gave its customers any ongoing and liquid funds available over a one-year time services after the initial match between lender horizon to meet the liquidity requirements that their and borrower, those services could last for several liabilities generate. years—the duration of a loan. In both cases, These standards are based on cash flow forecasts 6 months might not be enough to achieve a smooth under different circumstances. To ensure that those resolution. forecasts are accurate, supervisors must understand In banks, capital and liquidity requirements go their business models in some detail, so there is an together. For e-money and P2P platforms, liquidity associated supervisory capacity challenge. requirements may be much lower, depending on With respect to fund segregation, e-money and P2P precise institutional and contractual arrangements. platform operators are required to hold segregated Some major jurisdictions such as the United States accounts to back e-money liabilities in banks or, and the United Kingdom do not have liquidity more rarely, in their central banks (China and Brazil requirements for e-money providers. This makes being the most notable examples). Should the sense when an e-money provider is required to provider become insolvent, this account represents associate any funds held for its customers with a the first line of defense for customers, especially if segregated account in a commercial bank, because the account is ringfenced from claims by creditors. the liquidity requirement naturally falls on the Therefore, supervision of segregated accounts is bank. That is, any quick demand for funds from critical. Supervision of such accounts takes place e-money customers could be met by drawing down in three ways. the segregated account. Then the only additional liquidity requirement needed from the e-money • The provider must report the total amount of provider would be what might be needed to cover e-money issued and a statement from the bank any operational lag between changes in e-money where the segregated funds are held. accounts and the corresponding segregated bank account. • The above plus a system-based check on a limit set in the e-money issuance system on the There may, nevertheless, be a case for a bank that maximum e-money that can be issued. This is has a large liability to an e-money provider to set how most e-money providers monitor their own aside some extra liquidity itself against the risk that compliance. The system will not allow them to the e-money provider fails and all its customers issue more e-money than what is configured in demand funds at the same time. In the case of P2P the system. platforms, similar considerations apply. Only if the lending platform services loans or guarantees the • In addition to the system-based checks, some timeliness of debt service payments can a significant jurisdictions require independent validation by a liquidity requirement arise. certified audit company. Once again, bank regulatory standards may be a In practice, supervisory arrangements for segregated useful point of reference. The liquidity coverage accounts are weak. Existing supervisory practices ratio of banks operating in jurisdictions that have for custodian banks and security houses could adopted Basel promotes short-term resilience. provide some guidance here. Such institutions are Banks must have assets that can be converted into subject to inspections that include analysis of the cash quickly and easily to meet liquidity needs for sample of individual accounts and of transactions a 30-calendar-day liquidity stress scenario.15 They to assess their integrity. are also subject to a net stable funding requirement, which means that they must have enough capital PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 19 Outsourcing providers, posing additional challenges for financial sector regulators. IT outsourcing is not a new phenomenon (box 3), but the regulatory framework and The evolution of software poses even more- supervisory practices have not kept pace with daunting conceptual challenges. Computer technological change. The increasing variety and applications run on a shrinking handful of standard complexity of outsourced IT services and the operating systems. Not only do the 500 most changing nature of third-party providers pose new powerful supercomputers in the world run on Linux conceptual challenges to financial regulators and today, but something similar is also happening in the institutions they supervise. Computer hardware the cloud. Most virtual computers on Amazon and software have been changing rapidly, altering EC2, for example, run on Linux.17 Meanwhile, the nature of the services that organizations can— 89 percent of desktop and laptop computers run and in some key respects must—outsource to third- on Windows. Another challenge is the growing party providers. complexity of software. The latest version of any application or operating system builds on layers of Cloud services have complicated regulation and software developed over many years by thousands supervision as services move offsite and providers of frequently unrelated programmers. Linux is an become more concentrated. Mainframe computers example of such complexity; more than 15,000 that all members of an organization could access developers from thousands of companies have from multiple terminals and the desktop computers contributed to developing the Linux kernel since and servers that started replacing them in the 2005, accumulating nearly 25 million lines of 1980s were products that financial institutions code in 14 years.18 Estimates for the proprietary could acquire and keep in their facilities. These Windows 10 operating system exceed 50 million were under their control and, consequently, within lines of code.19 The supply of core banking systems reach of bank supervisors and other authorities. It has exhibited a similar trend toward concentration is now possible to share computer resources with in a handful of increasingly complex software.20 remote data centers, including those outsourced to cloud providers located anywhere in the world.16 For individual banks to rely on a few specialized Furthermore, the cloud industry is concentrated in cloud providers makes sense and can even reduce a handful of mostly unregulated “big technology” microprudential risks owing to the much higher Box 3: Early Information Technology Outsourcing in the Financial Sector In September 1955, just one year after delivery of the world’s first business computer (Remington Rand’s UNIVAC-1), Bank of America unveiled the electronic recording method of accounting (ERMA) to process checks and automate account management. At around the same time, in partnership with General Electric and the Stanford Research Institute, Bank of America also developed magnetic-ink character recognition (MICR), the string of numbers we see at the bottom of checks that enables ERMA to read bank documents. The American Banking Association adopted MICR as the industry standard in 1956, and it remains the global standard. Since then, the financial system’s reliance on computers to handle all kind of processes has been increasing continuously. Bank of America did not develop ERMA and MICR on its own; it relied on the technical expertise of third parties such as General Electric and the Stanford Research Institute. As financial institutions have adopted more information technology in their operations since 1955, they have had to rely on numerous—including many unknown—third parties, outsourcing an increasing variety of information technology services. Source: World Bank staff. APPROACHES TO SUPERVISION 20 technological competencies of the cloud services would have a material effect on an institution’s providers, but at a macroprudential level, the operations, profitability, or compliance. Several challenges are significant. For example, if the cloud conceivable IT services, such as processing provider is compromised, there may be no ready transactions and storing customer information at a alternative provider to turn to. In other words, third-party provider, would seem to squarely meet risk mitigation may be a challenge. Even if there the definition of a material outsourcing arrangement, is an alternative, it is possible that a cloud service but some technology-intensive services are provider failure would lead to several financial already expressly excluded from outsourcing institutions looking for back-up at the same time, regulations. EBA (2019), for example, excludes causing problems. market information services (e.g., provision of data by Bloomberg, Moody’s, Standard & Poor’s, Regulators have sought to adapt existing frameworks Fitch); global network infrastructures (e.g., Visa, to address some of these challenges. EBA (2019), MasterCard); clearing and settlement arrangements Guidelines on Outsourcing Arrangements,21 MAS between clearing houses, central counterparties, (2016), Guidelines on Outsourcing,22 ACPR and settlement institutions and their members; (2013), Guidance: Risks Associated with Cloud global financial messaging infrastructures subject Computing,23 BIS (2012), and Principles for the to oversight by relevant authorities; correspondent Sound Management of Operational Risk24 are key banking services; and acquisition of services that documents. BIS (2012) notes that, “use of technology the institution or payment institution would not related products, activities, processes and delivery otherwise undertake (e.g., electricity, gas, water, channels exposes a bank to strategic, operational, telephone line). and reputational risks and the possibility of material financial loss. Consequently, a bank should have A crucial question is whether a separate or distinct an integrated approach to identifying, measuring, regulator covers the service in question (e.g., monitoring and managing technology risks. Sound utilities). Providers of cloud services such as technology risk management uses the same precepts Amazon EC2, Microsoft Azure, Google, and IBM, as operational risk management.” Furthermore, BIS hosting millions of virtual computers in networks of (2012) states that the board and senior management globally distributed data centers, only some which are responsible for understanding the operational customers fully design and administer, already risks associated with outsourcing arrangements and look like public utilities. Hence, it seems natural ensuring effective risk management. to ask whether existing outsourcing regulations are adequate to regulate the reliance of financial Whether the usual corporate responsibilities are institutions on their services, which might need a appropriate to address the ever-increasing reliance more nuanced regulatory framework. on technology developed, and increasingly operated, by third parties is unclear. EBA (2019) points out Microsoft25 has suggested an allocation of that the main focus of those responsibilities should responsibilities between customers, such as banks be “on the outsourcing of critical or important and other financial institutions, and their cloud functions, including that the availability, integrity service providers. This may help financial sector and security of data and information is ensured.” authorities decide the risks of which outsourced Consequently, to fully understand the outsourcing IT services can a financial firm be expected to of which IT services would require special attention control, and which ones must be supervised by an from the board and senior management of financial appropriate State agency, as it already happens with institutions, it is necessary to define those “critical utilities and other outsourced services. Microsoft’s or important functions.” suggested allocation of responsibilities on several critical dimensions of IT services, as opposed to Regulatory definitions of critical and important those that the supervised institution operates on functions focus on those in which a defect or failure its systems on its premises, depends on the cloud PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 21 Figure 4: Proposed Allocation of Supervisory Technology Responsibilities Between Cloud Suptech is the use of innovative technology by Customers and Providers supervisory agencies to support supervision, especially in the areas of data collection and Responsibility On-Prem laaS PaaS SaaS data analytics, which have traditionally required Data Classification considerable human resources. Another area in which & Accountability suptech is used is automated data dissemination; this Client & End-point is not analyzed here because it is not widely used in Protection data collection and analysis. Identity & Access Despite the high initial investment required to Management adopt suptech tools, the benefits of using them are Application Level considerable and include enhanced effectiveness, Controls better identification of risks (particularly systemic ones), lower costs over the medium and long term Network Controps (for regulatory agencies and financial institutions), and greater ability to process information. Host Infrastructure Especially in the area of data analytics, the new technologies can support effective implementation Physical Security of risk-based supervision and forward-looking risk identification, potentially alleviating supervisory Cloud Customer Cloud Provider capacity constraints. Although the benefits of suptech are clear, there are Source: Microsoft 2017 Note: On-Prem, On Premises, namely when cloud services also associated risks. These can be grouped into are not used; IaaS, infrastructure as a service; PaaS, three categories: process as a service; SaaS, software as a service. • Technical risks: ranging from difficulty finding and retaining in-house expertise to difficulty integrating suptech solutions with legacy service delivery mechanism: IaaS, platform as a systems, including in most cases, limited internal service, and software as a service. capacity to manage implementation of complex Another concern of many regulators, for any type IT projects of cloud services, is the extent of physical access to the data stored with third-party providers. This • Data risks: from data privacy risks in using has already led some major jurisdictions, such as alternative data such as social media or the European Union, to restrict where the data can commercially sensitive raw data from regulated be stored, but given the nature of cloud services, institutions; includes unreliability or poor quality imposing similar restrictions at a national level of some big data types such as social media could make it impossible for financial institutions • Operational risk: cybersecurity and outsourcing to take advantage of technological change in most risks, especially from cloud computing and countries. Furthermore, preserving logical access algorithm providers encrypted data would seem to be far more important than just physical access to it. Given the novelty of suptech, mitigation of these risks by financial supervisors is at an early stage, although risk mitigation measures for regulatory APPROACHES TO SUPERVISION 22 agencies are likely to be similar to measures that the model has been implemented only recently, it is same agencies are requiring of market participants. too early to identify advantages and disadvantages For example, regulations on outsourcing for market with certainty, although the following observations participants are likely to be applicable to regulators can be made. Implementing the data pull approach as well when trying to mitigate outsourcing risks. is much more complex and correspondingly more expensive than implementing other suptech data Data collection tools are used to reduce the collection approaches. This complexity derives reporting time and increase the quality of data from the fact that all pulled information needs to be collected from different sources thanks to advanced mapped to the sources from the core banking system validation techniques. Four models have emerged of each bank. Any changes to the core banking with respect to data collection: data pull, data system require adjustment of data source mapping. push, a combination of pull and push, and API. A Any new products or changes to the existing ones schematic representation of the different approaches would probably require adjustment of data source in data collection, as well as areas of application, is mapping. In some jurisdictions, if primary data presented in figure 5. are incorrect, it may be impossible to hold bank The National Bank of Rwanda has implemented management accountable, because the information data pull, extracting data directly from the IT core will be extracted directly by the supervisor and not systems of the supervised institutions. Because this provided by the reporting entity. Figure 5: Data Collection Approaches Sources of Information Reporting Approaches Data Analytics Areas of Application Structured Supervised Information Data pull Entities Business Intelligence Credit risk Unstructured A B Information Other national Structured Data push Authorities Information Artificial Intelligence Liquidity risk Unstructured A B Information API International Structured Authorities Information Machine Learning Concentration risk Unstructured A B Information Structured Open (media) Information Sources Social Media Credit risk Unstructured Analyses Information Source: World Bank staff PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 23 The Central Bank of Austria (OeNB) uses a The next frontier of suptech is issuance by combination of data push and pull. This approach supervisors of machine-readable regulations in entails creation of an intermediary layer between the form of software (code) that the financial the reporting entities and the supervisor that is institutions’ systems then run. Implementation responsible for the entire process. In Austria, banks of this reporting approach requires a high level created a company (AuRep) to which they upload of technological development in the supervisory all financial and prudential information that the authority and the financial industry. A number of supervisor requires. As soon as the information is authorities are exploring this approach (MAS and validated and uploaded in AuRep’s data warehouse, Financial Conduct Authority among them), and it OeNB can extract it for its own needs. Extraction of is still too early to assess the effect on the financial data from the AuRep data warehouse by the OeNB industry and its supervisors, especially with respect is technically similar to the data pull approach. to reporting costs and data quality. The data push approach has advantages and Data analytics tools that have application in disadvantages. First, for the intermediary model to the prudential supervision sphere are business be efficient, all reporting entities must be part of intelligence, AI, social media analysis, and ML. the reporting framework. Otherwise, there will be a These tools allow supervisors to effectively use redundant infrastructure for the process at the level unstructured information, which in the past used to of intermediary company (for entities that are part of be processed manually with high human resources this framework) and at the level of central bank (for costs and a high incidence of errors. These tools entities that are not part of this framework). Second, are essential to identify intentional wrongdoing although this approach is costly for the industry, (e.g., hidden related-party transactions, market reporting financial institutions can benefit from manipulation) that require processing of a the reporting framework and use nonconfidential significant amount of structured and unstructured system data from the data warehouse to identify information by supervisors. and monitor market developments and establish Business intelligence tools are by far the most benchmarks for different business indicators. popular suptech tools used for data visualization and Third, the intermediary layer can spare significant data drilling (drill down and drill through). These resources of the supervisor that otherwise would tools allow supervisors to process a significant have to be allocated to the reporting infrastructure. amount of structured data quickly and transform it Lastly, the Central Bank of the Republic of the into a user-friendly visual information to support Philippines is implementing the API approach, risk identification and supervisory decisions. which does not require human intervention. The The areas where supervisors most commonly use Philippines central bank has developed an API for business intelligence tools are oversight of credit banks to automatically report highly granular and risk, liquidity risk, and payment systems. near-real-time data. The tool offers back office Financial sector authorities have recently started functions such as automated validation, data using social media analysis tools, which are visualization, and report customization. Following designed to extract and process media and social the successful test of the prototype, the Philippines media information and highlight useful information. central bank is planning to introduce the API. An The Bank of Italy, for example, uses information advantage of this approach is that costs are much extracted from tweets as a meaningful signal of lower than in the data push and data pull approaches. inflation expectations. APPROACHES TO SUPERVISION 24 FINANCE, COMPETITIVENESS & INNOVATION FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT APPROACHES TO RESOLUTION O ne of the challenges that the entry of fintech good order, the e-money holders or P2P platform companies into retail banking and the customers can access their funds, although in most large scale of fintech outsourcing pose is cases, customer assets are part of the telecom what to do when one of these companies fails. In company or P2P platform estate.28 As a result, most jurisdictions, fintech companies are subject customers are general creditors, and access to to general corporate bankruptcy law. The primary e-money and P2P platform funds will not be objective of general bankruptcy frameworks is allowed until creditors higher than e-money holder maximization of the value of the firm, rather or P2P platform customers in the hierarchy are than protection of depositors, which is the satisfied. Even assuming that e-money holders or primary objective of deposit-taking institutions.26 P2P platform customers will receive the amount Furthermore, best practices would suggest that, corresponding to the value of e-money or amount at the start of a general bankruptcy proceeding, lent, this could take a long time. Given the longer the assets of the insolvent company would be timeframe of corporate bankruptcy, especially in frozen under a stay of proceedings, meaning that jurisdictions where e-money providers are systemic, customers would not be able to access the stored it would seem appropriate to require a nondisruptive resources immediately. exit plan, but only half of jurisdictions globally require it for P2P platforms (WBG and University With respect to e-money providers or P2P of Cambridge 2019). Such requirement is also not platforms, the legal frameworks of some countries mandatory for most e-money providers. recognize that customer assets that payment system and P2P platform participants collect are not part Another area that presents new challenges for of the company estate. In common law countries, resolution is cloud outsourcing. This industry is the customers’ assets are separated by requiring characterized by a high level of concentration, that the segregated account be a trust account. with four providers serving most of the global India, Hong Kong, and the United Kingdom financial sector industry. Although these providers have similar provisions. Civil law countries have perform functions similar to those of a utility, used other instruments (e.g., fiduciary, custodial, they are subject to general bankruptcy, with no or escrow accounts) to set up mechanisms with consideration for public safety or the public features similar to those of trust accounts. Peru good. Instead, the interests of their creditors drive and several other Latin American countries have bankruptcy decisions for cloud services providers. set up such mechanisms. Turkey requires e-money Furthermore, given the small number of providers providers to hold funds in a trust fund account; in operating globally, the considerable challenges of the case of insolvency, the funds are to be used to cross-border bankruptcy are also worrisome. compensate customers regardless of their priority Should a cloud provider fail, EBA and MAS stipulate in the bankruptcy process. that financial sector supervisors must continue If e-float and platform resources are ring-fenced to have access to stored information and require from claims by creditors, provided the insolvency banks to have in place alternative arrangements, but representative27 of the e-money provider authorizes depending on the type of service model stipulated access to the customer assets by other than in the contract between the financial institution telecommunication companies or P2P platform and the cloud provider, continuity and transfer staff and that the records of the subaccounts are in may not be possible. Transfer to another provider PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 25 may not be possible if the cloud provider provides Following the global financial crisis, a great deal platform as a service and the platform used by the of attention was paid to resolution regimes for competitors is different. If the financial institution financial institutions, especially banks. Much has a software-as-a-service-type contract, the less attention has been paid to the resolution of financial institution may not technically be able to outsourcers, beyond requiring banks to have transfer the service to another provider, and there alternative arrangements in place. As safety nets may be legal restrictions in using the intellectual become more important on the retail side, it may property of the former provider with a new provider. be timely to consider how financial regulators Lastly, owing to the concentration of cloud services should work with regulators in other sectors and providers, if the failure of a provider affects several with bankruptcy authorities to avoid systemic institutions, it may be unclear whether the one or consequences if an important fintech firm collapses two alternative providers are capable of stepping in operationally or financially. to support all of the affected institutions instantly and simultaneously. APPROACHES TO RESOLUTION 26 FINANCE, COMPETITIVENESS & INNOVATION FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT APPROACHES TO SAFETY NETS A few regulators are asking whether some sort • With the direct approach, deposit-like products of safety net or insurance similar to deposit that nonbanks offer are insured. Colombia (box 4) insurance for banks should cover deposit- and Mexico have adopted this approach, creating like products that fintech firms such as e-money new specialized categories of regulated financial providers offer. Such a scheme would be activated institutions that may offer deposit-like products if the fintech firm failed and there were no back-to- provided they become members of the national back segregated bank accounts (direct approach). deposit insurance scheme. The law prohibits When back-to-back segregated bank accounts nonmembers from offering deposit-like products. are required, the scheme could be activated if the bank in question failed (pass-through approach). • The pass-through approach extends insurance Coverage by deposit insurance for deposit-like coverage to digital deposit-like products even products is particularly relevant for jurisdictions when the provider is not a member of the deposit where e-money providers have systemic importance insurance system. The United States has been and the failure of such providers could undermine implementing pass-through arrangements for confidence in the financial system as a whole. a long time for trusts and has extended this arrangement to e-money providers. Malaysia and In most countries, deposit insurance is restricted the Czech Republic have adopted this approach; to the customers of banks that belong to a Nigeria, Kenya, and Rwanda are in the early government-backed deposit insurance scheme. stages of adopting this approach; and Tanzania These schemes typically guarantee depositors that, is considering following this example. In these if their bank fails, they will not lose their deposits. countries, any nonbank provider must hold This protection is usually limited so that customers customer funds in a trust account (or account with large account balances may suffer some losses with similar features) with an insured depository if their bank fails. Limits are sometimes different institution. This trust account would protect for different sorts of customers and accounts. customers in case of failure of nonbank providers. In Nigeria, nonbank providers must also have In countries where deposit-like products that fidelity bond insurance for losses caused by nonbanks offer are sizeable, three approaches have fraudulent acts of their staff (e.g., if staff do not emerged (Izaguirre and Grace 2015; Izaguirre and deposit the float at an insured institution). The Grace n.d.): deposit insurance scheme would instead protect • The exclusion approach specifically excludes customers should the bank fail. In addition, the from the deposit insurance scheme any deposit- deposit insurer does not apply the usual coverage like products from a nonbank provider. Examples limit to the custodial account. Instead, the limit of countries using the exclusion approach applied is the sum of the amounts individual are the Philippines, Turkey, and Switzerland. e-money customers would have had insured if Normally, a country with an established deposit they had been direct customers of the bank. This insurance scheme does not have to change the would provide some protection for customers law to exclude e-money that nonbanks provide from a failure of the bank. because the insurance they offer is available only to bank depositors anyway, but when a country Each of these approaches has its advantages and first introduces deposit insurance, it must decide disadvantages. The exclusion approach provides whether to extend insurance to nonbanks. clarity and is easy to implement but does not PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 27 Box 4: Colombia Deposit Insurance for Sedpes In 2014, the Colombian government introduced a new type of financial institution: sedpes. These licensed institutions can provide only electronic deposits and savings and payments. They are not allowed to provide retail credit but can on-lend the resources they collect from customers to banks. The Colombian financial supervisors supervise sedpes, which are subject to lighter prudential requirements than banks owing to the tight restriction on their activities. Deposit insurance for which the sedpes must pay cover sedpes deposits. If a sedpes fails, depositors are reimbursed from the pool of sedpes deposit insurance contributions. If a sedpes fails because the bank to which it on-lent deposits failed, sedpes depositors would be protected through a pass-through provision of the bank’s deposit insurance scheme. Source: Interview with Fogafin. protect potentially vulnerable and unsophisticated exclusion approach, and it may not be as easy as the customers of nonbank financial institutions. exclusion or inclusion approach to implement. The inclusion approach provides protection and The operational challenges of the pass-through clarity regarding regulatory prerogatives, but it approach are yet to be fully tested, so for example, may increase compliance costs, inhibit financial if a nonbank e-money provider failed, could the innovation, and impose demanding responsibilities bank holding the trust account identify exactly who on regulators. The pass-through approach provides owned which e-money accounts and how much some protection, perhaps without inhibiting each customer had in them? If the bank failed innovation so much, although operating costs may too, could the deposit insurer do the same thing? increase, as the requirement for e-money operators to Moreover, even if a bank or a deposit insurer could hold a fidelity bond insurance in Nigeria illustrates. identify the beneficial owners, how would it release The pass-through approach requires regulators funds to them if they are in remote areas of the to enforce the custodial account rule, making the country or otherwise have little contact with the deposit insurance scheme more expensive than the formal economy? APPROACHES TO SAFETY NETS 28 FINANCE, FINANCE, COMPETITIVENESS COMPETITIVENESS & INNOVATION & INNOVATION INSIGHT | FINANCIAL INSIGHT INCLUSION, INFRASTRUCTURE & ACCESS DOMESTIC AND INTERNATIONAL COORDINATION T he overlap between the financial issues. Set up by the FSOC in 2017, the Digital sector and other sectors such as IT and Assets Working Group is an example. It examines telecommunications is significant and questions related to digital assets and DLT, including evolving, meaning that coordination between financial institutions’ exposure, cybersecurity and financial sector regulators and with nonfinancial operational risks, and illicit activities. In other sector regulators is essential. Middle- and low- jurisdictions, senior-level coordination results income countries identify intergovernmental in creation of timebound taskforces to develop coordination as a greater obstacle than higher-income proposals or write milestone reports. For example, countries (WBG and University of Cambridge in the United Kingdom, the Treasury set up the 2019). Furthermore, the “internet of finance” does Triparty Cryptoassets Task Force with the Bank not respect borders between jurisdictions, and of England and the Financial Conduct Authority. gaps in regulatory coverage at these borders can In the United States, the Treasury issued a major create opportunities for regulatory arbitrage, as the report on nonbank financial companies, fintech, targeting of initial coin offerings (ICOs) to retail and innovation in 2018, after extensive consultation investors through online distribution channels by with all federal financial regulators. parties often located outside an investor’s home At the operational level, it has become common jurisdiction illustrates (WBG 2018; Gifford and for governments to create at least one fintech unit Chang2016). This makes international cooperation in one financial regulator. In addition to being a crucial. point of contact for fintech firms and other outside There are obstacles to intergovernmental parties, these usually have interagency coordination coordination. First is the sharing of information. responsibilities, which generally include information This is a particularly acute challenge between exchange. In civil law countries, their ability financial sector and non-financial sector regulators to coordinate policy usually must be statutorily and between foreign jurisdictions, especially for endorsed. In common law countries, less-formal administrative law countries, where information arrangements may suffice for them to coordinate exchanges may have to be codified in law to be policy development and, beyond that, supervision of effective, whereas a less formal sort of coordination, established firms adopting new financial technology such as memoranda of understanding (MoUs), and new fintech firms. may suffice in common law countries. Lack of With respect to international cooperation, different international standards also hampers coordination models are emerging. Figure 6 plots existing among jurisdictions. international coordination arrangements along Some countries use existing committees and other two axes. The extent of coordination is along the permanent groups for domestic coordination. horizontal axis, and the vertical axis defines the For example, in the United States, there are two scope of cooperation, ranging from bilateral to standing formal coordination mechanisms among regional to multilateral. the federal financial regulators: the Financial Sharing of information and experience: Standard Stability Oversight Council (FSOC) and the Federal bilateral information-sharing arrangements used Financial Institutions Examination Council. Both for other aspects of financial regulatory cooperation take up fintech issues from time to time and have are being used to coordinate on fintech. Bilaterally, set up working groups to address particular fintech PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 29 Figure 6: Existing Models of International Cooperation Multilateral SSBs FSB Cooperation Fintech IFCs GFIN under Network HKMA lead ICO Network Regional ion Cooperation operat pe r Co Dee MoUs HKMA/ FCA MAS Bilateral and regtech Trade Finance Cooperation Lols Agreement Share Information Provide Inter-Operability & Agree Develop and Technical Single Point International Common Experience Assistance of Contract Standards Platforms Key: Part of Coordination As Usual Dedicated to Fintech Source: World Bank staff. this includes MoUs and letters of intent aimed at group of financial regulators created the Global information sharing, which apply also to fintech Financial Innovation Network (GFIN) in 2018—a developments. Multilaterally, most if not all network of regulators to share experiences and international financial standards-setting bodies best practices and to communicate to firms, a have devoted time to fintech in the ordinary course forum for joint policy work, and an environment of business. When appropriate, working groups in which to test cross-border technologies.32 It has have been set up to address specific challenges. 50 member organizations drawn from more than For example, the Basel Committee on Banking 20 jurisdictions, which is what makes GFIN stand Supervision has a working group on cyber security apart from other fora in which experience is shared. and a taskforce on fintech. By January 2018, IOSCO The underlying principle of the sandbox is that, if had established the ICO Consultation Network, a fintech firm is found to be satisfactory in a joint where members could discuss their experiences sandbox, then it passes muster with all the GFIN and bring concerns about ICOs, including cross- members who are signed up. GFIN is therefore a border problems.29 Then in May 2018, IOSCO set vehicle for coordinating sandbox initiatives, creating up its FinTech Network, covering matters beyond a cross-border testing framework so that firms can ICOs but with the same objective of discussing access different sandboxes simultaneously through experiences and bringing concerns.30, 31 a single point of contact. Cross-border testing has begun, with 17 jurisdictions participating, and the Interoperability and a single point of contact: results are expected to inform future development Building on an earlier proposal of the UK Financial of GFIN as much as the technology development of Conduct Authority to create a global sandbox, a participating firms.33 DOMESTIC AND INTERNATIONAL COORDINATION 30 Agreement on international standards: The financial regulation and global financial regulatory standards-setting bodies may do more on fintech cooperation, but a very few firms worldwide going forward. HKMA is chairing the Supervisory dominate this industry, and financial companies Review and Cooperation Committee in the FSB, are becoming increasingly dependent on them. which is examining this.34 Under their guidance, Serious consideration should be given to some sort that committee is looking into developing standards, of international regulatory oversight. potentially including for AI and sharing intelligence Development of common platforms: Two key on fintech developments. The follow-on to the Bali examples of potential common platforms have Fintech agenda identifies crypto-assets, mobile emerged. In October 2017, HKMA and MAS money services, and P2P lending as areas for signed a fintech cooperation agreement to bolster potential international standards (IMF 2019). Still, ties between Hong Kong and Singapore and foster some authorities remain skeptical; fintech may not fintech development in the region.35 They planned be ripe for standard setting, and existing standards, to collaborate on a number of initiatives, including such as for clearance and settlement, payments joint innovation projects, referrals of innovative systems, and data privacy, already cover many businesses, information sharing, and exchange of aspects of fintech. expertise. The two authorities also committed to There are two additional areas of concern for which linking a Hong Kong DLT trade finance platform something like common regulatory standards may with a similar platform in Singapore so that banks be required. The first relates to the resolution of in one jurisdiction can transact with banks in the fintech firms. The second is oversight of cloud other and avoid fake and duplicate transactions.36 service providers. These firms do not service only the To ensure that the linked platforms can operate financial sector, so their supervision poses a serious together, HKMA and MAS would harmonize trade institutional challenge to the current structures for finance regulations. PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 31 FINANCE, COMPETITIVENESS & INNOVATION FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT CONCLUSION T his report has reviewed progress in regarding the segregated accounts for these firms prudential regulatory practices nationally and also fall short. This is particularly of concern internationally. Although much has been done because, together with capital, float accounts are since the global financial crisis 12 years ago, four the first line of defense for customers. areas are worth noting where additional efforts may be needed to strengthening regulation in the future. • To manage the ever-increasing data flows from regulated entities and more difficult analytical • At the top of the list is oversight of cloud challenges and to take advantage of big data, computing service providers, which are currently supervisors have embraced suptech. This outside the regulatory perimeter. The challenge is represents an opportunity, but it also poses risks a global one that requires regulators in different related to the capacity of supervisors, operations, sectors and jurisdictions to cooperate to oversee and data similar to those that regulated institutions these giant providers effectively. Then, if services face. are corrupted or interrupted or a provider fails, public policy needs to ensure that the financial • Details of the extension of safety nets to nonbank system is insulated from the worst consequences. e-money providers, especially in jurisdictions where they are systemic, are unclear. As a practical • Emerging requirements for capital and liquidity matter, what ensures that customer services will related to e-money providers and lending be uninterrupted if a nonbank provider fails? In platforms seem inadequate to address the types several jurisdictions, making e-money safety nets of risks these firms face. Supervisory practices robust may depend on changes in bankruptcy law. PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 33 FINANCE, COMPETITIVENESS & INNOVATION FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT ENDNOTES 1. See https://www.fca.org.uk/firms/global-financial- 9. Some jurisdictions set policy with respect to innovation-network a slightly different concept. For example, in China, their policy is set for what they call World Bank 2019 a, By implication, this 2. “internet finance.” definition incorporates a broad notion of “a business model.” The narrow and maybe more 10. See https://www.fsb.org/work-of-the-fsb/policy- proper interpretation of a “business model” is development/additional-policy-areas/monitoring- the way that an organization adds value—the of-fintech/. The Bali Fintech Agenda definition, services and products it produces. The broader mentioned in the introduction, came later. The two interpretation includes significant aspects of definitions are extremely similar. how the business is organized. So, for example, 11. APRA for example, applies its bank standards outsourcing of information technology does for fit and proper to fintech firms. not affect the business model narrowly defined, but when outsourcing is extensive, it affects the 12. Based on an interview with Carlos Orta, organization of a business significantly and thus consultant. affects its business model as broadly defined. 13. See https://www.occ.gov/news-issuances/news- 3. See https://www.bankofengland.co.uk/prudential- releases/2018/nr-occ-2018-74.html regulation 14. See https://vulcanpost.com/667288/mas-digital- 4. See https://www.ecb.europa.eu/pub/pdf/fsr/art/ banks-singapore/ ecb.fsrart201405_03.en.pdf?0ee45487b0d855 2eb4ec32396d2702c7 15. See https://www.bis.org/publ/bcbs238.htm 5. World Bank 2018. http://documents.worldbank. 16. The U.S. National Institute of Standards and o rg / c u r a t e d / e n / 6 8 6 8 9 1 5 1 9 2 8 2 1 2 1 0 2 1 / Technology defines cloud computing as “a Financial-sector-s-cybersecurity-regulations- model for enabling ubiquitous, convenient, and-supervision on-demand network access to a shared pool of configurable computing resources (e.g., 6. See https://searchcio.techtarget.com/definition/ networks, servers, storage, applications, and distributed-ledger services) that can be rapidly provisioned and released with minimal management effort or 7. One indication of the speed of fintech service provider interaction.” (https://csrc.nist. developments is the rate of regulatory revision. For gov/publications/detail/sp/800-145/final) example, the EU Directive on payments, issued in 2018, was superseded by a new version issued 17. See http://thecloudmarket.com/stats in 2019. See https://eur-lex.europa.eu/legal- content/EN/LSU/?uri=CELEX:32015L2366 18. See https://www.linkedin.com/pulse/core- banking-systems-market-now-martin- 8. Interviews with the Office of the Comptroller whybrow/ of the Currency and the San Francisco Federal Reserve Board. 19. See https://www.makeuseof.com/tag/linux- market-share/ PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 35 20. See https://www.linkedin.com/pulse/core- 29. See https://www.iosco.org/news/pdf/ banking-systems-market-now-martin- IOSCONEWS485.pdf whybrow/ 30. See https://www.iosco.org/news/pdf/ 21. See https://eba.europa.eu/regulation-and-policy/ IOSCONEWS497.pdf internal-governance/guidelines-on-outsourcing- 31. In the same month, the Committee on Payments arrangements and Market Infrastructures published a strategy 22. See http://www.mas.gov.sg/news-and- to encourage and help focus industry efforts to publications/media-releases/2016/MAS- reduce the risk of wholesale payments fraud. Issues-New-Guidelines-on-Outsourcing-Risk- See https://www.bis.org/cpmi/publ/d188.htm Management.aspx 32. See https://www.fca.org.uk/publication/ 23. See https://acpr.banque-france.fr/en/risks- consultation/gfin-consultation-document.pdf associated-cloud-computing 33. See https://www.fca.org.uk/firms/global-financial- 24. See https://www.bis.org/publ/bcbs195.htm innovation-network 25. See https://gallery.technet.microsoft.com/shared- 34. See http://www.fsb.org/work-of-the-fsb/policy- responsibilities-81d0ff91/file/153019/2/ development/additional-policy-areas/monitoring- Shared%20Responsibilities%20for%20 of-fintech/. Cloud%20Computing%20(2017-04-03).pdf 35. See https://www.hkma.gov.hk/eng/key- 26. Although there have been unique cases (auto information/press-releases/2017/20171025-4. industry bailout in the United States) in which shtml corporate insolvency law was used in specific 36. In recent discussions with the HKMA, a similar ways to protect “systemically important” trade finance initiative linking eight European businesses, this was widely seen as a perversion authorities was mentioned, but recent searches of corporate insolvency law and is far from the have not found anything regarding authorities norm. cooperating in Europe. Still, there is evidence 27. Often referred to as receiver, trustee, or various of banks operating in Europe to create a other names depending on jurisdiction and cross-border trade finance consortium called context. we.trade (https://we-trade.com/), and we.trade and its Asian counterpart, eTradeConnect, 28. It is possible, particularly under common law, have recently signed a MoU to develop that e-money deposits could be considered interoperability between their two networks. funds held “in trust” and therefore separate (https://cms.we-trade.com/app/uploads/ from the estate. It is precisely this uncertainty we.trade-and-HKTFPCL-Joint-press-release- that would lead one to conclude that this area FINAL.pdf.) deserves more attention from regulators. ENDNOTES 36 & INNOVATION FINANCE, COMPETITIVENESS FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT BIBLIOGRAPHY Basel Committee on Banking Supervision. 2018. European Banking Authority. 2017. “Discussion “Implications of Fintech Developments for Paper on the EBA’s Approach to Financial Banks and Bank Supervisors. Sound Practises.” Technology (FinTech).” http://www.eba.europa.eu/ Basel, Switzerland: Basel Committee on Banking documents/10180/1919160/EBA+Discussion+Pap Supervision. er+on+Fintech+%28EBA-DP-2017-02%29.pdf. Carney, Mark. 2017. “Building the Infrastructure to ———. 2018. “The EBA’s Fintech Roadmap.” http:// Realise FinTech’s Promise.” www.bankofengland. www.eba.europa.eu/documents/10180/1919160/ co.uk/speeches. EBA+FinTech+Roadmap.pdf. ———. 2017. “The Promise of FinTech – ———. 2019. “Guidelines on Outsourcing Something New Under the Sun? Speech given Arrangements.” https://eba.europa.eu/regulation- by Governor of the Bank of England Chair of the and-policy/internal-governance/guidelines-on- Financial Stability Board Deutsche Bundesbank outsourcing-arrangements G20 Conference on Digitising Finance, Financial European Commission. 2018. “FinTech Action Inclusion And.” Bank of England. https://www. Plan: For a More Competitive and Innovative bankofengland.co.uk/speech/2017/the-promise-of- European Financial Sector.” Brussels, Belgium: fintech-something-new-under-the-sun. European Commission. “CSA BUSINESS PLAN | 2016-2019.” 2019. European Commission. 2017. “Consultation https://lautorite.qc.ca/fileadmin/lautorite/ Document - Public Consultation on FinTech: publications/organisation/rapports-acvm/CSA- A More Competitive and Innovative European BusinessPlan-2016-2019.pdf. Financial Sector.” https://ec.europa.eu/info/sites/ DeNederlandscheBank. 2016. “More Room for info/files/2017-fintech-consultation-document_en Innovation in the Financial Sector.” https://www. .pdf#disintermediating%0Ahttps://ec.europa.eu/ dnb.nl/en/binaries/Discussion document AFM- info/sites/info/files/2017-fintech-consultation- DNB More room for innovation in the financial document_en_0.pdf. sector_tcm47-345198.pdf. European Commission - FISMA. “Detailed ———. 2017. “Regulatory Sandboxes.” Toronto Summary of Individual Responses to the ‘Public Centre. http://res.torontocentre.org/guidedocs/ Consultation on FinTech: A More Competitive Regulatory Sandboxes.pdf. and Innovative European Financial Sector,’” n.d. https://ec.europa.eu/info/sites/info/files/2017- Eley, Slavka. 2018. “RegTech and SupTech: fintech-summary-of-responses-annex_en.pdf. Innovation, Risks and Opportunities.” European Banking Authority. Financial Conduct Authority. 2017. “Distributed Ledger Technology Feedback Statement on ESMA, EBA and EIOPA 2017 “Joint Committee Discussion Paper 17 / 03.” https://www.fca.org.uk/ Discussion Paper on the Use of Big Data by publication/feedback/fs17-04.pdf. Financial Institutions” PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 37 ———. 2017. “Regulatory Sandbox Lessons Jesse Mcwaters, R., and R. Galaski. 2017. “Beyond Learned Report.” https://www.fca.org.uk/ Fintech: A Pragmatic Assessment of Disruptive publications/research/regulatory-sandbox-lessons- Potential in Financial Services.” Deloittes/ World learned-report. Economic Forum. http://www3.weforum.org/docs/ Beyond_Fintech_-_A_Pragmatic_Assessment_of_ Financial Stability Board. 2017. “Artificial Disruptive_Potential_in_Financial_Services.pdf. Intelligence and Machine Learning in Financial Services Market Developments and Financial Mario Marcello. 2017. “FinTech and the Future of Stability Implications.” http://www.fsb. Central Banking: A Latin American Perspective.” org/2017/11/artificial-intelligence-and-machine- Speech Given at the Cambridge Centre for learning-in-financial-service/. Alternative Finance of the University of Cambridge, Cambridge, United Kingdom, June 29. ———. 2017. “Supervisory and Regulatory Issues Raised by FinTech That Merit Authorities’ Monetary Authority of Singapore. 2016. Attention.” Financial Stability Board. http://www. “Guidelines on Outsourcing.” http://www.mas.gov. fsb.org/wp-content/uploads/R270617.pdf. sg/news-and-publications/media-releases/2016/ MAS-Issues-New-Guidelines-on-Outsourcing- ———. 2017. “FinTech Credit Market Structure, Risk-Management.aspx Business Models and Financial Stability Implications.” http://www.fsb.org/wp-content/ Mersch, Yves. 2018. “The Regulatory Level uploads/CGFS-FSB-Report-on-FinTech-Credit. Playing Field.” Speech Given at the Second Annual pdf. Conference on “Fintech and Digital Innovation: Regulation at the European level and beyond”, Groepe, Francois. 2018. “The Fintech Phenomenon: Brussels, February 27 Five Emerging Habits That May Influence Effective Fintech Regulation.” South African Reserve Bank. National Economic Council. 2017. “A Framework April: 1–11. for FinTech.” Washington, DC: National Economic Council. Hong Kong Monetary Authority. 2016. “Fintech Supervisory Sandbox (FSS).” Guidelines and Office of the Comptroller of the Currency. 2016. Circulars. http://www.hkma.gov.hk/media/ “Exploring Special Purpose National Bank Charters eng/doc/key-information/guidelines-and- for Fintech Companies.” Washington, DC: Office circular/2016/20160906e1.pdf. of the Comptroller of the Currency. International Association of Insurance Supervisors. Prudential Regulatory Authority. n.d. “Business 2017. “FinTech Developments in the Insurance Plan 2018/19.” Bank of England. https://www. Industry.” https://www.iaisweb.org/file/65625/ bankofengland.co.uk/-/media/boe/files/prudential- report-on-fintech-developments-in-the-insurance- regulation/publication/pra-business-plan-2018-19. industry. pdf. International Organization of Securities Ravi Menon. 2016. “Singapore’s FinTech Journey Commissions. “Research Report on Financial – Where We Are, What Is Next.”, Speech Given at Technologies (Fintech). 2017.” Madrid, the FinTech Conference. Singapore, November 16 Spain: International Organization of Securities US Government Accountability Office. 2018. Commissions. “Financial Technology.” https://www.gao.gov/ CGAP 2019. “Deposit Insurance Treatment of assets/700/690803.pdf. E-Money: An Analysis of Policy Choices” Yoo, C., and J. Blanchette. 2015 “Regulating the Cloud, Policy for Computing Infrastructure.” BIBLIOGRAPHY 38 FINANCE, COMPETITIVENESS & INNOVATION FINANCE, INSIGHT | FINANCIAL COMPETITIVENESS INCLUSION, & INNOVATION INFRASTRUCTURE & ACCESS INSIGHT REFERENCES ACPR (Autorité de Contrôle Prudentiel et de CGAP. 2015. “Deposit Insurance for Digital Résolution). 2013. “Guidance: Risks Associated Financial Products 3 Approaches.” with Cloud Computing.” https://acpr.banque- Chinese Ministry of Finance. 2018. “Guidelines france.fr/en/risks-associated-cloud-computing. on Promoting Healthy Development of Internet APRA (Australian Prudential Regulation Finance,” Beijing, China: Chinese Ministry of Authority). 2017. “Licensing: A Phased Approach Finance to Authorizing New Entrants to the Banking Claessens, Stijn, Jon Frost, Grant Turner, and Feng Industry.” Sydney, Australia: APRA. Zhu. 2018. “Fintech Credit Markets Around the APRA. “ADI Licensing: Restricted ADI World: Size, Drivers and Policy Issues.” Basel, Framework.” https://www.apra.gov.au/file/7446 Switzerland: Bank for International Studies. Ballard Spahr LLP. 2018. “State regulators Committee on Payment Clearing and Settlement. file second lawsuit opposing OCC fintech 2017. “Distributed Ledger Technology in Payment, charter.” https://www.consumerfinancemonitor. Clearing and Settlement.” Basel, Switzerland: Bank com/2018/10/29/state-regulators-file-second- for International Settlements. lawsuit-opposing-occ-fintech-charter/ Dias, Denise. 2017. “FinTech, RegTech and SupTech: Banque de France 2016. “Financial Stability What They Mean for Financial Supervision.” Review - Digital Banking and Market Disruption: Toronto Centre. https://res.torontocentre.org/ A Sense of Déjà Vu?” guidedocs/FinTech%20RegTech%20and%20 SupTech%20-%20What%20They%20Mean%20 Basel Committee on Banking Supervision. 2017. for%20Financial%20Supervision%20FINAL.pdf “Consultative Document: Sound Practices for the Management and Supervision of Operational Risk.” EBA (European Banking Authority). 2019. “Report Basel, Switzerland: Basel Committee on Banking on Regulatory Perimeter, Regulatory Status and Supervision. Authorization Approaches in Relation to FinTech Activities.” London, UK: EBA. BIS (Bank for International Studies). 2012. “Principles for the Sound Management of ———. 2018. “Guide to Assessments of Fintech Operational Risk.” https://www.bis.org/publ/ Credit Institution Licence Applications.” Frankfurt, bcbs195.htm Germany: ECB. Brainard, Lael. 2017. “Where Do Banks Fit in Gates Foundation. forthcoming. Inclusive Digital the Fintech Stack?” Washington, DC: Board of Financial Services: A Reference Guide for Governors of the Federal Reserve System. Regulators.” Seattle, WA: Gates Foundation Cambridge Center for Alternative Finance. 2019. Hauser, Andrew. 2017. “The Bank of England’s “Landscape of Peer to Peer/Marketplace Lending FinTech Accelerator: What Have We Done and What Presentation.” Cambridge, UK: Cambridge Center Have We Learned?”, Speech Given at a meeting for for Alternative Finance. Fintech contacts of the Bank of England’s Agency for the South East and East Anglia at the offices if Capgemini Research Institute. 2019 “World Mills & Reeve. Cambridge, October 2017. Payments Report”. PRUDENTIAL REGULATORY AND SUPERVISORY PRACTICES FOR FINTECH 39 HKMA (Hong Kong Monetary Authority). UNSGSA (Office of the UN Secretary-General’s 2016. “Fintech Supervisory Sandbox (FSS).” Special Advocate for Inclusive Finance for Guidelines and Circulars. http://www.hkma.gov. Development) FinTech Working Group and CCAF hk/media/eng/doc/key-information/guidelines-and- (Cambridge Centre for Alternative Finance). circular/2016/20160906e1.pdf. 2019. “Early Lessons on Regulatory Innovations to Enable Inclusive FinTech: Innovation Offices, IMF (International Monetary Fund). 2019. “Fintech: Regulatory Sandboxes, and RegTech.” New York: The Experience So Far.” Washington, DC: IMF. UNSGSA. Institute of International Finance. 2016. “RegTech USGAO (US Government Accountability Office). in Financial Services: Technology Solutions 2018. “Financial Technology.” https://www.gao. for Compliance and Reporting.” Institute of gov/assets/700/690803.pdf. International Finance. https://www.iif.com/ publication/research-note/regtech-financial- WBG (World Bank Group). 2018 a. “Financial services-solutions-compliance-and-reporting. Sector’s Cybersecurity: Regulations and Supervision.” Washington, DC: WBG. Microsoft. 2017. “Shared Responsibilities for Cloud Computing.” Redmond, WA: Microsoft. ———. 2018 b.” Global Financial Development Report - Bankers without Borders.” https://doi. OCC (Office of the Comptroller of the Currency). org/10.1596/978-1-4648-1148-7. 2019. Testimony of Beth Knickerbocker, Chief Innovation Officer, Office of the Comptroller of ———. 2019 a The Bali Fintech Agenda Chapeau the Currency, Before the Task Force on Financial Paper. Washington, DC: WBG. Technology, Committee on Financial Services, ———. 2019 b . “Evaluation of China’s P2P United States House of Representatives. https:// Lending Regulatory Framework: International www.occ.gov/news-issuances/congressional- Comparison.” Washington, DC: WBG. testimony/2019/ct-2019-70-written.pdf. WBG and University of Cambridge. 2019. Ravi Menon. 2016. “Singapore’s FinTech Journey “Regulating Alternative Finance: Results from – Where We Are, What Is Next.”, Speech Given at a Global Regulatory Survey.” Washington, DC: the FinTech Conference. Singapore, November 16. WBG. Tsai, Gerald. 2017. “Fintech and the U.S. Regulatory Response.” San Francisco, CA: Federal Reserve Bank of San Francisco. REFERENCES 40