Ravi Menon: Financial regulation - the way forward

Speech by Mr Ravi Menon, Managing Director of the Monetary Authority of Singapore, at the Official Monetary and Financial Institutions Forum (OMFIF) City Lecture, Washington DC, 20 April 2017.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Lord Meghnad Desai, Chairman of the OMFIF Advisory Board,
Mr David Marsh, Managing Director, OMFIF,
Ladies and gentlemen, good morning.  I am grateful to OMFIF for organising this City Lecture and giving me the opportunity to share my thoughts with you.

The world experienced nine years ago a most devastating financial crisis.  In response, we saw the implementation of perhaps the most wide-ranging reforms in financial regulation ever in history.

We are now at an inflection point.  The phase of active rule-making is drawing to a close.  Where do we go from here? 

The 19th century Danish philosopher Søren Kierkegaard once said: 
"Life must be understood backwards, but it must be lived forward."

In the spirit of Kierkegaard, I see two key priorities in the next phase of financial regulation:

• First, to take stock of the reforms to-date - evaluate their effects, consolidate what we need to preserve, and fine-tune what we need to improve.
• Second, to position regulation for the technological changes sweeping the financial industry - harness the opportunities they present while managing their risks.

Taking stock of post-crisis regulatory reforms

Reaffirming the rationale

In taking stock of the reforms, let us begin with why we embarked on them.  It is easy to forget how close the world came to a full-blown depression as a result of the financial crisis in 2008. 

The global financial crisis was remorseless in the wake of destruction that it unleashed upon the economy and society. 

• The cumulative loss of output since the crisis is estimated to be 25% of one year's world gross domestic product ¹. 
• For the US alone, estimates of the output loss from the crisis vary from US$6 trillion to US$22 trillion².

The crisis revealed deep fault lines in the financial system:

• financial institutions that leveraged themselves to the hilt (as much as 40 dollars of debt to 1 dollar of equity) and had severe mismatches in liquidity;
• lax underwriting standards, made worse by conflicts of interest in banks originating mortgages;
• an opaque OTC derivatives market, leading to rapid contagion when liquidity suddenly dried up.

The Financial Stability Board (FSB), working closely with standard-setting bodies, put in place over the last eight years a comprehensive set of regulatory reforms to address these fault-lines.  The aim is to make the financial system less prone to crisis and more resilient in the event of crisis. 

There are three key thrusts.

• First, strengthening the banks. This is being done through the Basel III reforms, increasing capital buffers, setting liquidity requirements, and constraining leverage.
• Second, making derivatives markets safer. This is being done through requirements for trade reporting, central clearing, and margining.
• Third, tackling the too-big-to-fail problem. Global systemically important financial institutions have been identified and are being subject to higher capital requirements, more intensive supervision, and resolution planning.

Evaluating the impact

With the rule-making largely done and implementation generally making good progress, it is time to evaluate the impact of the regulatory reforms.  The FSB is developing a framework to do this, focusing on two key questions:

• effectiveness - are the reforms achieving their intended outcomes?
• effects - what are their broader social benefits and costs of the reforms?

This work is especially important in the current context.

First, the regulatory changes of the last eight years are substantial, especially when taken cumulatively.  It is incumbent on us as regulators to be accountable for these changes, to evaluate objectively their intended outcomes as well as any unintended consequences.

Second, with memories of the crisis fading and the compliance burden of new regulation continuing to grow, pressures have begun to mount to unwind some of the reforms.  Any adjustments to be made should be grounded in an objective assessment of the impact of the reforms.

How effective have the reforms been?  The preliminary assessment is encouraging.

• Large banks are now stronger, more liquid, less leveraged, less complex.
• Derivatives markets are safer, with central clearing covering more than 90% of OTC derivatives trades in 14 major jurisdictions.
• The financial system as a whole seems more robust and more resilient.
  • The system has remained resilient through several episodes of market stress, ranging from the 2014 US Treasury "flash crash", and the 2015 Swiss Franc de-pegging to the 2016 Brexit vote.

What have been the overall effects of the reforms?  Work in this area is nascent, there are no clear answers yet.  But let me sketch some of the key issues.  In each of these areas, we are confronted with the problem of attribution.  It appears that regulation has had some role but we do not know how much of a role alongside other factors.

Let me begin with market liquidity.  There are concerns that liquidity has declined in some markets.   Preliminary evidence indicates there is less depth and potentially less resilience under stressed market conditions³. 

• Some of the blame has been ascribed to the emergence of more automated trading, which has little to do with regulation.
• But other factors - such as less market making by dealer banks and increased post-trade transparency in corporate bond markets - appear to have stemmed from regulation.

Second, bank profitability. The profitability of several large banks today is below the cost of capital. This is worrying.

• Banks need to be profitable in order to be strong.  Retained earnings are one of the major sources of equity - which is the highest quality capital that banks hold.  Unprofitable banks are a potential source of instability.
• Banks also need to be profitable to be able to support the real economy.  They have to earn a decent return for intermediating credit, otherwise they will do less of it.

Bank profitability has come under pressure from a combination of the three realities of the post-crisis financial landscape: slow growth, easy money, tight regulation.  More work is needed to discern the impact each of these factors is having on bank profitability. 

Be that as it may, as we put the finishing touches to the Basel III reforms, it is important that the overall capital requirements on banks not be increased significantly.

It is also quite clear that the cost of risk management and compliance has exploded and this is something regulators need to be alert to. 

• According to a Thomson Reuters report, more than one-third of financial firms spend at least an entire day each week tracking regulatory change⁴.
• The headcount for legal, compliance, and regulatory matters has grown significantly in financial firms, in some case, even doubling.

Third, have regulatory reforms contributed to strong, sustainable, and balanced economic growth?  This is much tougher to answer, but this is the central question. 

• Across most countries, overall credit provision to the economy has been stable despite higher capital and liquidity requirements.
• The cost of financing has remained low, although this has had do with highly accommodative monetary policies, which are not permanent.

But there are distributional effects that we need to monitor closely.

• Studies suggest that small business loans have been shrinking as a share of non-bank loans in the US. Small banks are trimming product lines and pulling back from certain customer segments.
• Emerging market and developing economies (EMDEs) have expressed concerns that global banks have been reducing their activities in these markets as they review their business models in light of the new regulatory environment. The FSB is keeping a close watch on this.

We have rightly focused our regulatory efforts to minimise the risk of another financial crisis.  But we must continually ensure that we do so without minimising economic growth and opportunity.

Fine-tuning regulation

We must be careful to avoid "pendulum swings" in regulation that could undermine the gains in financial stability that we have achieved, not to mention prolong and add to the uncertainties facing the financial industry. 

• That regulations have imposed costs on the economy is in itself not sufficient reason to unwind them.
• These costs have to be weighed against the benefits of a more stable financial system to support sustainable economic growth.  De-regulation has its own costs.

Having said that, some fine-tuning may be necessary to reduce the unintended effects of reforms while preserving their benefits.

• Regulatory policy must continually seek the fine line between discouraging excessive risk-taking and encouraging innovation. 
• We should not be afraid to adjust and fine-tune where necessary. 
• As Dan Tarullo, former governor of the Federal Reserve Board, says with respect to the Dodd-Frank Act and other regulations in the US, "some recalibrations and reconsiderations will be warranted on the basis of experience." ⁵

There are two key principles to keep in mind as we fine-tune regulations: risk proportionality and global consistency.

Risk proportionality

We need to be mindful of proportionality when applying international regulatory standards. Subjecting banks of different sizes, different scope of activity, and different degrees of internationalisation, to the same rules is not appropriate.

Most of the new regulations were designed with large, cross-border financial institutions in mind. They are a poor fit for smaller institutions - like local community banks and finance companies - that tend to pose fewer systemic risks. 

• Here in the US, there are concerns that post-crisis regulations have been unduly punitive on smaller banks and have affected their ability to support small businesses.

Regulators need to review their frameworks to ensure they remain risk proportionate.

• They are not starting from a blank slate.  In the US, for example, the Dodd-Frank Act already exempts firms with less than $50 billion in assets from the tougher prudential requirements.
• And Bill Dudley, President of the New York Fed, has suggested: "- this threshold could be raised significantly without unduly increasing the risk to the broader financial system." ⁶

Global consistency

Adjustments to domestic regulation must not lead to inconsistency with agreed international standards.  Global harmonisation of regulation enables fair competition and minimises regulatory arbitrage. 

Harmonisation does not mean identical rules.  Country differences matter.  We therefore need to establish effective mechanisms to recognise and defer to one another's national regulatory regimes.

Conflicting rules on cross-border OTC derivatives trading is a case in point.  If not resolved, it may fragment global markets into distinct liquidity pools that are less resilient to market shocks.

• Christopher Giancarlo, Acting Chairman of the CFTC, has put it well: "It is critical that we make sure our rules do not conflict and fragment the global marketplace - the CFTC should operate on the basis of comity, not uniformity, with overseas regulators."  ⁷  

Adjustments to domestic regulation must not impede the globalisation of finance and the free flow of capital.

• Breaking up large banks or trapping capital and liquidity through ring-fencing measures may make them easier to resolve but could weaken their ability to respond to different stress scenarios.
• Ring-fencing could also hinder the ability of global banks to provide connectivity and facilitate intermediation across different pools of capital, especially in EMDEs. 
• If global finance is fragmented, both financial stability and financial inclusion could suffer.

I come from a small country.  And we small countries have an instinctive pull towards international standards and a global system.  This may seem to matter less to large countries.  But may I suggest that all countries today are smaller than they used to be, or smaller than they think they are.  Smaller in the sense that what happens outside our borders has an increasingly larger impact on what happens inside. 

The US has much to gain from continuing to work alongside other regulators, exercise leadership where needed, and help to shape and promote international regulatory standards. International cooperation necessarily involves some compromises. The benefit of such give-and-take is a safer global financial system that benefits all countries.

Positioning regulation for technological innovation and cyber risks

Let me move now to the second key priority of financial regulation going forward - positioning for the technological innovation sweeping the industry and the challenge of cyber security.

FinTech or the application of technology to financial services is transforming as well as disrupting the industry.

• Digital payments are becoming more widespread, propelled by advances in near-field communications, identity authentication, and biometrics.
• Internet-enabled distribution platforms are emerging that make financial products directly available, e.g. peer-to-peer lending, crowd-funding, and pay-as-you-use insurance models.
  • The smartphone is becoming your bank, your insurance broker, and your investment adviser.
• Blockchains or distributed ledger systems are being tested for a variety of financial operations - to settle interbank payments, to reconcile trade finance documentation, to execute performance contracts.
• Cloud technology is being used to store large volumes of data at low cost and retrieve them on-demand.
• Big data - aggregating and analysing large data sets, including through the use of sensor networks and natural language processing - is being used in many areas of finance: to gain richer insights into customer needs, to detect fraud in financial transactions, to sharpen surveillance of market trends.

Regulating FinTech

How should regulation deal with FinTech?

First, we need to develop a deep understanding of these emerging technologies and the risks and opportunities they present.  Financial regulators should not be afraid to work collaboratively with financial institutions or even FinTech companies.

• At MAS, we did not understand the risks and benefits of cloud technologies until we started to work directly with cloud service providers. Such collaboration helped us develop guidelines on cloud computing that facilitated its adoption by industry.
• Take another example - blockchains. MAS participated directly in proof-of-concept trials together with industry players to test the application of this technology to inter-bank payments. We learnt much from the exercise.

Second, regulation must not front-run innovation. Introducing regulation prematurely may stifle innovation and potentially derail the adoption of useful technology.

• MAS' approach is to apply a materiality or proportionality test.
• This means regulation kicks in only when the risk posed by the new technology becomes material or crosses a set threshold. 
• And the weight of regulation must be proportionate to the risk posed.

Third, we need to allow experimentation to facilitate FinTech innovation while limiting its risks to consumers and the financial system should these innovations fail. The regulatory sandbox is a useful device to test new ideas in a confined environment.

Several jurisdictions have introduced regulatory sandboxes over the last 12 months. Singapore was among the earliest, shortly after the UK. Let me outline briefly how the MAS sandbox works.

• The sandbox is available to both regulated financial institutions and unregulated FinTech players to test innovative products and new technologies.
• Firms entering the sandbox do not need to meet all the relevant regulatory requirements at the onset.
• To ensure that the consequences of any failure are contained, the experiments are conducted within agreed boundaries, such as the number of clients, scope of the activity, etc.
• The experiment is time-bound.
  • If successful, the entity must exit the sandbox and fully comply with all relevant regulations if it wants to roll out the innovative product to the broader market.
  • If the experiment fails, well, we all learn something.

Regulatory sandboxes not only encourage FinTech innovation by providing a safe space for experimentation. They also give regulators an opportunity to learn the risks associated with new technologies and right-size regulation accordingly. In fact, the sandbox is an experiment not only for firms but for regulators as well.

Harnessing technology to manage risk

We must also look to harnessing FinTech to better regulate and supervise financial institutions and help them manage their risks. 

From a regulatory perspective, among the more promising applications of technology is in what is called "RegTech", aimed at enhancing the efficiency and effectiveness of financial firms' risk management and compliance.  We can see RegTech advancing in several areas.

Predictive analytics is being used in stress testing - to assess the ability of large, complex financial institutions to withstand a variety of stresses affecting different parts of the business in different geographies.

Cognitive computing and behavioural algorithms are being used to monitor and detect suspicious trading and possible misconduct in financial institutions. Machine learning capabilities can help to identify subtle patterns in behaviour, which are hard to detect using traditional data analysis.

In the future, financial regulators will increasingly harness big data to detect and prosecute misconduct, and to identify weaknesses to focus on.

• In a recent case, the US SEC obtained a settlement against a broker-dealer for its failure to adequately train its representatives when they were selling certain complex debt instruments.
• Custom analytics tools, instead of traditional investigative techniques, were used to sift through millions of trading records. They helped identify over 8,000 retail customers for whom the investment in the debt instruments was inappropriate.
• This is how 21st century regulation and supervision should look like.

Strengthening cyber risk management

As financial services increasingly move online and FinTech becomes more pervasive, the key risk that financial institutions and regulators have to deal with is likely to be in cyber space.

• The core IT systems which are buried deep in financial institutions' inner sanctums can now be reached by a hacker sitting on the other side of the world.   

Cyber risk is already a clear and present threat. The frequency, scale, and complexity of cyber attacks is worrisome.

• In February 2016, cyber-attackers gained access to the Bangladesh Central Bank's payment transfer credentials and used it to steal US$81m from the Bank. Subsequently it was found that several other central banks had been targeted in the same way since 2013.
• In February 2017, malware was uploaded to the Polish and Mexican financial regulators' website. These websites were then used to infect financial institutions' IT systems whenever the regulators' websites were accessed. Dozens of banks were affected in this manner.

Even more alarming is how long it takes to detect successful cyber penetrations.

• According to a study⁸, the median time it takes to discover a cyber attack is 146 days.
• This means that of all the cyber attacks in the world happening this week (in April), more than half of them will not be detected until after Labour Day in September.

It is not inconceivable that a future financial crisis could be precipitated by a cyber attack.

The regulatory and supervisory framework for cyber risk management is still evolving. Two areas are likely to figure prominently.

First, we need some common risk management standards in cyber defence. 

• Given how inter-connected systems across the global financial industry are, common standards for the swift recovery of critical functions disrupted by a cyber attack will help reduce systemic vulnerabilities.
• Given how often cyber incidents stem from compromised user IDs and passwords, a global minimum standard for robust authentication for online financial services is worth considering.

Second, we need to encourage sharing of cyber intelligence within the financial industry. 

• This will heighten the industry's collective situational awareness, so that it can respond more quickly and more effectively to impending cyber threats.
• Regulators can help to establish common infrastructure, processes and protocols to facilitate this.
  • A good example is the US Financial Services - Information Sharing & Analysis Centre (FS-ISAC).
  • And with support from MAS, FS-ISAC is in the process of setting up in Singapore its Asia-Pacific cyber intelligence centre.

Third, we need to encourage sharing of cyber intelligence among financial regulators. 

• Cyber threats do not respect sovereign boundaries.  Cyber attacks in one country can have serious spill-over effects on other countries. 
• Regulators need mechanisms to share cyber intelligence efficiently in real-time.
  • There are already informal, bilateral arrangements for such information-sharing.
  • But more can be done. We need to identify and reduce the barriers inhibiting cyber threat information sharing, such as legal, confidentiality, and operational constraints.

I believe that cyber risk management is likely to emerge as the new frontier for global regulatory harmonisation and supervisory co-operation.

Conclusion

Let me conclude.

We have accomplished much - regulators and industry together - to make the global financial system safer.  But we are not done yet.

• We must ensure that implementation of regulatory reforms is consistent across jurisdictions.
• We must evaluate the effectiveness as well as effects of the reforms.
• We must be prepared to adjust and fine-tune regulations where necessary - but we must do so in a way that does not undermine the gains in financial stability that have been painstakingly achieved.

We need to look ahead to a world of technological change.  FinTech - if smartly harnessed and safely managed - offers hope and dynamism for an industry facing the triple headwinds of slower growth, tighter regulation, and growing competition.

• We must allow innovation and the adoption of new technologies - to harness their benefits while managing their risks.
• We must step up our efforts and cooperation to combat the growing threat of cyber risk.

A common theme emerges when we look back as well as look forward.

• The choice is not between light regulation and hard regulation, or between less regulation and more regulation. 
• What we must collectively seek is smart regulation - regulation that achieves resilience with efficiency, stability with growth, safety with innovation.
• We will then have a financial industry that is systemically sound and also serves the needs of the economy and society.
• It is a vision worth working for, together.

Thank you.

---

¹ Ollivaud & Turner, "The effect of the global financial crisis on OECD potential output", OECD Journal of Economic Studies, 2014.

² See for instance, David Luttrell, Tyler Atkinson, and Harvey Rosenblum, "Assessing the costs and consequences of the 2007-09 financial crisis and its aftermath", Dallas Federal Reserve, September 2013; and US Government Accountability Office "Financial regulatory reform: financial crisis losses and potential impact of the Dodd-Frank Act", January 2013.

³ FSB, "Report on implementation and effects of G20 reforms", August 2016. 

⁴ Thomson Reuters, "Cost of Compliance 2016"

⁵ Daniel Tarullo, "Departing Thoughts", 4 April 2017.

⁶ William Dudley, "Principles for Financial Regulatory Reform", 7 April 2017.

⁷ Christopher Giancarlo, "CFTC: A New Direction Forward", 15 March 2017.

⁸ B. Boland, "M-Trends Asia Pacific", www.fireeye.com, 24 August 2016, https://www.fireeye.com/blog/threat-research/2016/08/m-trends_asia_pacifi.html