Regulating fintech: what is going on, and where are the challenges?

Speech by Mr Fernando Restoy*, Chairman, Financial Stability Institute, Bank for International Settlements, at the ASBA-BID-FELABAN XVI Banking public-private sector regional policy dialogue "Challenges and opportunities in the new financial ecosystem", Washington DC, 16 October 2019.

BIS, FSI speech | 17 October 2019


Let me first thank the organisers for inviting me to this important forum.

Issues relating to technological developments and their impact on the financial system loom large in today's event. This is quite logical, as these issues have become a major theme in the ongoing dialogue between the public and the private sectors.

The BIS is working for a better understanding of the impact of new technologies on financial markets and to help its stakeholders address the related policy challenges. Indeed, this is a key theme of the BIS medium-term strategy, Innovation 2025. In particular, Innovation 2025 provides for the start-up of an Innovation Hub at the BIS with the aim of reaching in-depth insights into critical trends in technology for central banks; developing public goods in the technology space to improve the functioning of the global financial system; and serving as a focal point for a network of central bank innovation experts.

The FSI will contribute through its work on capacity-building and the dissemination of good regulatory and supervisory policies in the new technological environment. Indeed, today I want to refer to policy actions undertaken to address the implications of the use of new technologies by financial market participants. In fact, it is a major challenge everywhere to design an adequate policy framework for fintech.[1] On the one hand, authorities need to help bring the potential benefits of technological developments to fruition, for the good of the economy and financial system. Fintech promises to increase efficiency in delivering financial services, widen their range, increase competition and promote financial inclusion. On the other hand, policymakers must address a set of risks that could merit public intervention. In particular, increasing reliance on technology and unregulated third-party providers throws operational risks into sharper relief; new payment systems and instruments could compromise market integrity and, ultimately, the monetary system; new products may be mis-sold to consumers who do not understand their risks or cannot afford to bear them; and the business opportunities created by new technologies may erode privacy and encourage unethical conduct.

To varying degrees, regulators are striving to deal with all those challenges across a number of jurisdictions. But it remains to be seen whether these policy actions will be enough to safeguard an orderly modernisation of the financial industry, let alone address the ongoing risks that technology poses to the achievement of key social objectives.

In this presentation, I would like to share with you some thoughts on current developments in the fintech domain and related policy challenges. For that purpose, I will draw on ongoing work at the BIS and, in particular, an FSI study we are now conducting on national and global policy initiatives to adjust existing financial regulation to new activities and players.[2]

Types of policy action

Fintech-related policy measures can be usefully classified into three groups: (i) those that directly regulate fintech activities; (ii) those focused on the use of new technologies in the provision of financial services; and (iii) those that promote digital financial services more specifically.[3]

The first group of measures relates to the regulation of specific activities such as digital banking, peer-to-peer (P2P) lending or equity raising, robo-advice and payment services. The second group includes new rules or guidelines on market participants' use of technologies such as cloud computing, biometrics or artificial intelligence. The third group covers enabling policy initiatives such as those related to digital identities, data-sharing and the establishment of innovation hubs, sandboxes or accelerators. Over the last few years, most jurisdictions have applied policy measures in some or all of these three areas. Let me now briefly outline the various types of policy initiative.

Adjusting the regulatory perimeter

In general, technological developments have not yet resulted in any major upheaval in the structure of financial regulation. In their core content, the rulebooks on prudential safeguards, consumer protection and market integrity remain broadly unaffected.

In particular, a banking license is still required for any activity entailing a substantial risk transformation of funds raised from the public. When non-banks are allowed to source cash from the public - typically for payment services - they face severe restrictions in terms of safeguarding customers' funds. Examples include maximum volumes such as the CHF 100 million cap for fintech licence holders in Switzerland, or ample liquidity coverage such as the 100% reserve requirements for outstanding client balances (the float) in Brazil and China. Moreover, little has been done to develop specific licensing requirements for digital banks. In some jurisdictions - as in the euro area[4] - supervisors have issued guidance on how standard requirements would apply to the new business models. However, only a few jurisdictions - notably Hong Kong SAR[5] and Singapore[6] - have formulated specific licensing requirements for banks centred on digital services.

A similar approach has been followed in other areas such as investment advice (robo-advice) or insurance services (insurtech).[7] In general, no specific licensing regime has been foreseen for those activities although a number of market supervisors have communicated specific supervisory guidance or expectations.[8]

Specific licensing and conduct-of-business requirements have been established for several activities such as issuance of e-money, provision of payment services and equity and loan crowdfunding. In most cases, regulatory requirements focus on consumer and investor protection - in particular the safeguarding of customers' funds - anti-money laundering (AML) and combating the financing of terrorism (CFT) and on operational resilience.

Regulation on cryptoassets and related activities differs markedly across jurisdictions. In general, approaches depend on the nature of the issuer (whether regulated or unregulated), the function performed (eg means of payment, investment opportunity or access to services) and the existence and nature of underlying assets (securities, commodities etc). Authorities have often issued warnings - mostly referring to the use of cryptoassets for investment purposes - and clarifications on the regulation applied to issuers, holders and intermediaries. Moreover, several authorities have banned specific cryptoasset-related activities (eg Belgium, China, India and Mexico).

Regulating the use of enabling technologies

While regulators generally aim to be technology-neutral, some jurisdictions have made moves to address both the positive implications and the risks arising from the use of specific innovations. As an example of supporting policy, the use of application programming interfaces (APIs) has been explicitly promoted to facilitate open banking, in the European Union, Mexico and Singapore, among others.

In some instances, authorities need to take action to provide legal certainty for the effective application of technological innovations in the financial industry. This would be the case, for example, if distributed ledger technology (DLT) is to be accepted as providing finality in the settlement of securities transactions. The same would be true for the use of biometrics to identify customers in regulated transactions (such as opening a bank account).

In most cases, however, policies have focused on limiting the potential risks associated with the use of a technology. In particular, as regulated financial institutions make increasing use of cloud computing, authorities have already set requirements (as in Brazil) or issued recommendations (as in the EU) to control and manage the operational risks involved.

Some authorities are also moving to address the risks posed by the misuse of artificial intelligence and machine learning algorithms, for instance, in credit or insurance underwriting. For example, in Luxembourg and Singapore, authorities have published papers that underline the risks arising from the inadequate handling of personal data, poor governance, lack of transparency and unethical behaviour. In Singapore, the authorities have also issued high-level principles for firms to follow in controlling these risks.[9]

Enabling policies

Most jurisdictions have adopted policies to create the infrastructure for digital services. These include reforms to allow financial institutions to use digital technologies to identify and verify customers without their physical presence.

In some jurisdictions (such as Hong Kong SAR, India and Singapore), authorities have put in place a centralised platform that provides residents with a unique electronic key that can be used for verifying their identity in all types of transaction, with both the public and the private sectors.

Other jurisdictions have moved to regulate the exchange of customers' information between different players. In the EU, the new Payment Systems Directive (PSD2) establishes the transferability - given customers' consent - of payment account data held by payment service providers - including banks - among themselves and to third-party providers such as account aggregators or payment initiators. In India, a centralised system stores, protects and facilitates the exchange of customer financial data that can be fed by and released to financial firms with their clients' consent.

In addition, most advanced and emerging market economies have set up various types of arrangement aiming at promoting an orderly application of new technologies in the financial industry. Those arrangements take the form of innovation hubs as well as regulatory sandboxes and accelerators.

Innovation hubs are the most widespread of these facilitators. They provide support and guidance to innovative firms or products, to facilitate a good understanding of regulatory requirements. A number of jurisdictions have also created regulatory sandboxes that allow the risks associated with new business models to be assessed in a controlled environment. So far, sandboxes have been used mainly to assess whether consumers would be adequately protected in using new applications, products or services. Approaches vary in terms of criteria for accepting projects, testing parameters, application process and exit strategy. In some cases, the final outcome is simply an authorisation to continue offering the tested products or services, while in others it may also include an adjustment or a formal clarification of existing regulatory requirements. Only a few jurisdictions (eg France and the United Kingdom) have created innovation accelerators that explicitly support projects which could be directly relevant to central banking operations or supervisory oversight.

Pending policy challenges

This overview suggests that authorities have so far taken a piecemeal approach to policy, resorting to a wide array of measures to meet a variety of policy objectives. So far, it appears, regulations on new fintech activities and technologies have focused more on curbing risks in consumer and data protection and operational resilience but rather less on strengthening prudential safeguards. The general sense is that, for the time being, new technology does not by itself pose any major risks to financial stability.[10] This is based on the perception that the new business models rarely entail significant risk transformation - and also that the riskier innovations, such as cryptoassets, have so far had only a limited take-up. All this limits the potential for technological developments to destabilise the financial system, at least to date. That perception explains why the perimeter of prudential regulation - whether macro or micro - has hardly changed in most jurisdictions.

But it remains to be seen whether new forms of systemic risk could emerge from bigtechs - large non-bank technology firms that offer a wide range of financial services - and whether current regulation will adequately contain those risks. It is likely that new sources of systemic risk, such as major cyber incidents, will need to be addressed by novel policy tools, given that standard prudential instruments such as capital or liquidity requirements can hardly be the most effective response.

Another area in which additional policy reflection is warranted is the effects of innovation on the structure of the financial services industry and how this might affect market functioning.

Admittedly, it is still far from clear how technological developments will disrupt the financial industry, and how far. Or how far technology might promote competition and diversity - as often assumed - or whether it might instead foster the emergence of new (potentially global) bigtech oligopolies that could work against the interests of consumers and generate new kinds of financial stability risks. That process could be the consequence of a seemingly efficient Schumpeterian dynamic in which new, more efficient entrants will outperform incumbents. In such a process, however, network externalities might lead - absent public intervention - to a more concentrated industry centering on natural oligopolies.[11] A further issue is whether existing regulation could distort the restructuring of the industry by unduly penalising either the traditional or the new players.

Depending on the answers to these questions, different types of public intervention would be more or less warranted. Therefore, much analysis and evidence is still required to decide on possible additional reforms to regulatory frameworks. In any event, the transition to a new market structure is likely to put the sustainability of specific business models under stress, potentially eroding the viability of some traditional financial institutions. As a consequence, prudential supervisors and the international standard-setting bodies need to closely monitor the process and act promptly to shape, as far as possible, the orderly transformation of the financial sector.

Same activity, same regulation?

As I have just mentioned, a key aspect of the current regulatory debate is how financial services regulation could facilitate an orderly adaptation of the industry's structure to a new environment characterised by new technologies, new players and new activities.

A widely accepted principle and the one that inspires many of the recent regulatory developments is that policy actions should aim at minimising the scope for regulatory arbitrage. New technologies help new players perform activities that were traditionally conducted only by tightly regulated institutions. Regulation should therefore be adjusted in order to prevent risk-generating business activities from migrating between entities in search of lighter regulatory control.

That said, the actual implementation of this principle is far from straightforward.  

In this regard, the concept of same activity, same regulation is often seen as a reference for sound policy to promote a level playing field and prevent regulatory arbitrage following the emergence of fintechs and bigtechs. The key thought is that all entities involved in a specific regulated activity should be subject to the same rules, regardless of their nature or legal status.

Yet, the same activity may generate different risks depending on who performs it. For instance, the risks for the financial system are not equivalent if lending or securities investment is undertaken by a closed-end mutual fund - which does hardly any risk transformation - as opposed to a deposit-taking institution. This combination of deposit-taking and risky investment is precisely the object of prudential regulation, which need not necessarily be applied to entities that perform only the latter activity.

Some of the services offered by banks - such as payments processing - could be conducted by banks' subsidiaries that are not funded with deposits. However, especially after the Great Financial Crisis, supervisors have understood that risks cannot be easily segregated and distributed across legal entities which are linked to a banking institution. Consequently, they have adopted a conservative approach in defining the consolidation perimeter on the basis of which banking groups must satisfy prudential requirements.

As a consequence, banking institutions and even their non-deposit-taking subsidiaries are subject to different rules than some non-bank competitors. That could arguably affect the competitive position of different players in some market segments. However, if the regulatory framework were to be completely harmonised for all types of entities performing a specific activity, financial stability might suffer, given that some sets of institutions generate more (or less) systemic risk than others. This sets a limit to how far a purely activity-based approach can be pursued.

The case of bigtechs also shows the limitations of a strictly activity-based approach. The point here is that the financial activities of bigtechs exist within a wider business portfolio which may include e-commerce, payment services, credit underwriting, wealth management and other activities.[12] It is easily conceivable that bigtechs could generate systemic risks not only through the scale of their operations but also through a destabilising interaction of the risks generated by each activity. If that proves to be the case, one could argue that a more encompassing approach to regulation and supervision is needed, one that focuses on entities, their activities and the broader ecosystem. And this would again justify a departure from the principle of same activity, same regulation.

In any event, measures could be considered to remove discrepancies in the regulatory requirements for different types of institution. For example, it is hard to argue that rules relating to policy objectives such as consumer protection or AML should be substantially different, as still is the case in some jurisdictions, depending on the type of license a firm holds. These requirements should obviously follow a proportionate approach but proportionality should be defined in terms of the risks that different firms pose - as a consequence of the scale of their operations or the technologies used - rather than on their legal status.

All this supports the idea that activity-based regulation does not represent, by itself, the silver bullet that could preserve the robustness of the regulatory framework in the new technological environment. Most likely, it should be considered a complement to entity-based regulation, rather than a substitute for it.

Naturally, the identification of the exact form of the required combination of different types of regulatory measures constitutes a major policy challenge. In any event, financial authorities need to coordinate their actions with those taken in other policy domains, such as competition or data protection. No less importantly, they need to cooperate with their peers in other jurisdictions, given the global scope of both innovation and the business models of many new players.


Twenty-five centuries ago, Democritus said "Do not trust all men, but trust men of worth; to do the former is foolish, the latter a mark of prudence." To regulate fintech adequately, authorities will need to apply the elusive mix of prudence and determination that is so often required in policymaking. Prudence is needed to avoid discouraging innovations that could eventually benefit society, and also to prevent key public goals - such as financial stability or market integrity - from playing second fiddle to short-term industrial policy aims.

As for determination, this consists primarily in taking action to combat emerging risks as soon as they are recognised. But determination will also be needed to underpin the necessary cooperation between authorities in different fields and jurisdictions.

Many thanks.

*       I am grateful to Morten Bech, Claudio Borio, Juan Carlos Crisanto, Johannes Ehrentraud and Denise Garcia Ocampo for their helpful comments and to Christina Paavola for her useful support. The views expressed are my own and do not necessarily reflect those of the BIS.

1       I use the term fintech, following the FSB definition, as technologically enabled innovation in financial services that could result in new business models, applications, processes or products with an associated material effect on financial markets and institutions and the provision of financial services.

2       See J Ehrentraud, D García Ocampo, L Garzoni and M Piccolo, "Regulating fintech: A cross-country analysis", FSI Insights on policy implementation, forthcoming, 2019.

3       This is the classification proposed in Ehrentraud et al (2019) op cit. That document portrays this classification as a fintech tree in which the tree top represents fintech activities, the trunk enabling technologies and the soil enabling policies.

4       See European Central Bank, "Guide to assessment of fintech credit institutions credit applications", September 2017. 

5       See Hong Kong Monetary Authority (HKMA), "Guide to authorization", 2018. HKMA, "Authorization of virtual banks", 2018.

6       See Monetary Authority of Singapore, "Eligibility criteria and requirements for digital banks", 2018.

7       Following Braun et al (2017), insurtech includes comparison portals, digital brokers, insurance cross-sellers, peer-to-peer insurance, on-demand insurance, digital insurance, big data analytics and insurance software, Internet of Things and blockchain and smart contracts.

8       For example, guidance on elements specific to robo-advice has been issued in Australia, Canada, China, Colombia, Hong Kong SAR, the Netherlands, Singapore, South Africa, Sweden, the United Kingdom and the United States. For insurance providers, the Hong Kong Insurance Authority (HKIA) has issued guidelines for regulating the use of internet distribution that take into account the differences between online and conventional distribution channels.

9       See Monetary Authority of Singapore, "Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore's Financial Sector", Monographs/Information Papers, 12 November 2018.

10      See Financial Stability Board, Financial Stability Implications from FinTech: Supervisory and Regulatory Issues that Merit Authorities' Attention, June 2017; Basel Committee on Banking Supervision, Sound Practices: Implications of fintech developments for banks and bank supervisors, February 2018; and Financial Stability Board, FinTech and market structure in financial services: Market developments and potential financial stability implications, February 2019.

11      See BIS, Annual Economic Report, 2019, Chapter 3; and H S Shin, "Big tech in finance: opportunities and risks", speech on the occasion of the BIS Annual General Meeting, Basel, 30 June 2019.

12      See A Carstens, "Big tech in finance and new challenges for public policy", speech at the FT Banking Summit, London, 4 December 2018.