Jessica Chew Cheng Lian: Evolving governance, risk and control in the digital age

Welcoming remarks by Jessica Chew Cheng Lian, Deputy Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at the Conference on "Governance, Risk and Control in the Era of Disruption", Kuala Lumpur, 9 December 2019.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech  | 
10 December 2019

Dr. Firas Raad, World Bank's Country Manager for Malaysia, Distinguished Guests, Ladies and Gentlemen.

Good morning and welcome to Sasana Kijang.

Bank Negara Malaysia is delighted to host this Conference on Governance, Risk and Controls in the Era of Disruption. Let me begin by sincerely thanking our joint host, the World Bank Group for working with us to put together a rich programme that speaks directly to issues that I am sure are keeping at least some of us awake at night.

In the year 2000, the English author and academic, Sir Malcolm Bradbury wrote this: "We no longer live in the Age of Reason. We don't have reason, we have computation. We don't have a tree of knowledge, we have an information superhighway. We don't have real intelligence, we have artificial intelligence. We no longer pursue truth, we seek data and signals. We no longer have philosophers, we have thinking pragmatists. We no longer have morals, we have lifestyles."

This rather grim view of the world was written almost two decades ago. Since then, the extent of technological change and disruption that has come to define our world gives these words a significance that few could have imagined.

For central banks and financial regulators, technological changes have far reaching implications - in particular on the structure of financial markets, banks and other financial institutions.

Corporations around the world from every industry, origin and size, are directing enormous resources towards investments in technologies that are transforming the way they conduct business. The global annual spend on business technology is estimated to be close to US$4 trillion in 2019 . Of this, financial services firms rank in the top quartile of annual spend to revenue. Global investments in financial technology start-ups are reported to have chalked up another US$22 billion in the first half of 2019 , driven by a combination of interest and demand from consumers for new fintech propositions and the scaling up of challenger and collaborative fintechs.

These developments raise important questions for the conduct of monetary policy, the management of payment systems, financial regulation and supervision, and even the very concept of money as the lifeblood of any economy.

On many fronts, we find ourselves in unchartered territory - often uncomfortably so.

In response, central banks and financial regulators are similarly expanding resources both to better leverage technology in performing our core functions of promoting monetary and financial stability, and to defend against its attendant risks. Central to both these goals is our ability to evolve - and in many respects, re-define - our governance, risk and control environment for the age of disruption.

Why is this necessary? Because new financial technologies are presenting significant opportunities, but also enormous challenges for central banks and financial regulators.

They hold out the promise for achieving broader and more inclusive access to financial services, characterised by greater speed and convenience, and lower costs. The emergence of new financial institutions and multiple payment systems could dramatically improve financial intermediation and reduce concentration risks. Greater access to data also carries tremendous value for better surveillance and policymaking.

However, these developments also carry with them new risks and challenges - from more interconnected systems through which risks can transmit in and across organisations and financial systems; to concerns associated with privacy, misinformation, security and criminal abuse. Moreover, as financial systems continue to undergo major technological transformations, their resilience remains largely untested during periods of crisis.

Technological disruptions will continue to push the limits of our ability to identify and pre-empt risks. This will also increasingly place authorities who are responsible for financial stability, at odds with a desire to encourage and not stifle innovation. Managing this balance will require us to approach governance, risk and controls with fresh lenses.

For Bank Negara Malaysia, this has entailed a number of strategic imperatives. The first has been a sharper focus on strengthening regulation and supervision to promote resilience. The Bank recently published new standards on risk management in technology for financial institutions and strengthened our expectations on the management of outsourcing risks by firms. Financial institutions will also be required to develop recovery plans for surviving a range of stressed scenarios, a key objective of which is to preserve the continuity of critical economic functions performed by systemic financial institutions.

Work is also in progress to establish a financial sector cyber threat intelligence platform. The platform which will be operational in the coming year, seeks to overcome barriers to critical information sharing on cyber threats and will have the capacity to collate, aggregate, analyse and share cyber threat information from multiple sources in real time. We have also doubled our approved headcount for IT supervision to ensure that we continue to provide adequate coverage of technology risks in the financial system in our supervisory activities.

Second, the Bank has sought to encourage a more nimble response to innovation in the financial sector. Along with a number of other regulators, the Bank introduced its regulatory sandbox in 2016 to enable firms to test innovative solutions in actual production with appropriate safeguards, while suitable regulation that is fit-for-purpose is developed. At a practical level, this has led to important changes in the way the Bank works, leveraging on "agile" teams where small, cross-functional and dynamic groups are formed to observe, gather feedback, efficiently assess and formulate regulation iteratively.

Since its establishment, over 80 solutions have been evaluated for testing in the sandbox. Of this, about a quarter have piloted or are preparing to pilot their solutions in the sandbox, with some already having graduated to offer their solutions in the broader financial system. The insights gained have led to adaptations of existing regulations as well as the development of new frameworks for firms that exit the Sandbox. They have also informed the Bank's thinking on regulating innovation, with lessons taken in the development of the digital bank framework which will be issued for consultation very shortly.

The idea of the sandbox has since been replicated internally within the Bank as an avenue for staff to prototype new solutions that will improve the way the Bank works. This includes new technological applications in regulation and supervision, surveillance, data analytics, communications and in the delivery of the Bank's public services.

The third imperative has been to ensure alignment in the Bank's governance and culture with our digital objectives and priorities. At the Bank, we are keenly minded that it's the people and the risk culture, or "the way we do things around here" that ultimately matters.

This arguably remains the most difficult part of our journey. Digitalisation is driving disruption, and the digital world is inherently complex - in its logic, design, development and delivery. We have put in place strengthened and more integrated governance arrangements to direct our digital strategy, policy and standards. At the same time, we recognise that our digital goals and aspirations can only be achieved through the values and behaviours of staff that promote inclusivity (between those that have technological skills and those that don't); accountability (that is, the effective and responsible use of technology); effective collaboration that breaks away from working in silos; and an appropriate level of risk-taking that is compatible with a more agile and responsive organisation.

And so we have taken pains to be specific and deliberate in our approach to building a digital culture within the Bank. This starts with being clear across the organisation on our tolerance for higher risks associated with disruptive innovations - through the development and communication of our digital risk appetite. We are shifting conversations on new digital initiatives away from the technical solutions themselves, to a greater focus on the business process transformations that they are intended to serve, and that is what we measure and track.

We are also investing heavily in equipping our people with the knowledge, skills and confidence to make sound judgment calls in an environment where the pace of change is occurring at a dizzying speed, and our ability to anticipate risks is likely to be more constrained. At a practical level, this means being more precise about escalation, decision and communication protocols, while allowing more flexibility in internal policies to allow business lines to respond swiftly to emerging situations. It also means allowing more dynamic structures to evolve within the organisation to support specific strategic business use cases, such as our cloud centre of excellence.

In an era of disruption, efforts to reduce the complexity of financial products and services to the average person could become more challenging. A key reason for this is the dramatically increased access to financial solutions for people from every walk of life, whether they are suited for them or not. To reap the promise that such access brings of opportunities to reduce inequality and improve standards of living, it is imperative that individuals are sufficiently confident and capable of making wise financial decisions.

This brings me to the fourth strategic priority of the Bank - which is building financial capability among the Malaysian public to navigate opportunities and risks in the changing financial landscape. It has long been our conviction that encouraging a population that is both financially and digitally literate is a necessary and vital condition to harness the full potential of fintech and contain its risks.

To that end, the Government recently launched Malaysia's National Strategy for Financial Literacy which includes a specific focus on helping consumers protect themselves against fraud and exploitation, and embrace innovation more confidently in the digital era. In the area of remittances, our work to improve conditions for the use of formal remittance channels by leveraging on technology, particularly by workers and small businesses across the country, has led to substantial reductions in the cost of remittances. This has been accompanied by a marked increase in the volume of remittances now captured through formal channels as a result of our outreach and education efforts which also benefitted greatly from our four-year collaboration with the World Bank under the Greenback initiative.

Ladies and gentlemen,

As central banks and financial regulators, the opportunities and challenges confronting us in the era of disruption are both internal and external. Internally, we share many of the same concerns and pressures that firms in general face in dealing with technological disruptions. Externally, however, we are confronted with broader issues of financial stability and consumer protection that will continue to challenge existing regulatory frameworks and approaches. How we think about governance, risk and controls need to take both perspectives into account, and will demand a high degree of organisational agility.

In closing, I would like to take another crack, if I may, at Malcolm Bradbury's reflections. "We live in the Age of Disruption. We have algorithms, data and signals, and so we must aspire for greater insight and understanding. We have greater uncertainty, and so we must aspire for greater predictability in our actions. We have greater access for all, and so we must equally aspire towards greater confidence for all. We have thinking pragmatists, and so we must complement them with philosophers of information and human capacity for change. We have digital-driven lifestyles, and so we must strive to preserve shared values that promote societal well-being."

I think we would do well to keep these goals in mind in our efforts to strengthen governance, risk and controls in the era of disruption. On that note, let me welcome you once again to the Conference and wish you productive discussions ahead.

Thank you very much.