Regulating fintech: is an activity-based approach the solution?

Speech by Mr Fernando Restoy, Chairman, Financial Stability Institute, Bank for International Settlements, to the fintech working group at the European Parliament, delivered virtually, 16 June 2021.

BIS, FSI speech  | 
16 June 2021


Thank you very much for this invitation. It is a pleasure to return to the European Parliament's Fintech Working group. It is also an honour to share with MEPs and other distinguished participants part of our work at the FSI and the BIS on fintech and big tech regulation.

The emergence of fintechs and big techs represents a major source of disruption in the market for financial services. Regulators are gradually adjusting their policy frameworks in order to cope with the risks that the new products and players pose, but without jeopardising the benefits they bring in terms of competition, efficiency and financial inclusion.

Still, there is a sense that we need a more comprehensive policy overhaul, in particular with regard to big tech platforms that offer a large variety of financial and non-financial services. Among other things, that comprehensive framework should aim at reducing competitive distortions that could penalise either incumbents or new players.

In this connection, the slogan of same activity-same regulation is often heard as the possible basis for regulatory reform.

This phrase basically suggests moving from a framework for entities with a specific license or charter (entity-based regulation) to a system of rules on specific activities, which would be applied uniformly to all types of entity involved in a specific activity (activity-based regulation).

Same activity-same regulation was first proposed by the industry, but it has also been publicly discussed by regulators and has even been mentioned in reports published by international standard-setting bodies. Of course, there are diverse motivations behind the support from different stakeholders.

When the banking industry uses this phrase, they are underlining the need to prevent big techs from wielding a competitive advantage due to their lighter regulatory burden vis-à-vis commercial banks. In particular, the industry is concerned that bank subsidiaries performing a specific activity (say payment services) are typically subject to rules (essentially prudential ones) that do not apply to non-banks performing the same activity.

When regulators consider the merits of an activity-based regulatory approach, they stress the need to reduce the scope for regulatory arbitrage. In other words, the aim is to prevent entities lying outside their regulatory perimeter from conducting regulated activities.

However, the current entity-based rules (such as banks' prudential requirements) have a rationale based on socially crucial policy objectives, such as financial stability. Therefore, any departure from the current framework must also support those primary policy goals. Against that framework, a relevant question is how far can we go in implementing an activity-based regulatory framework without jeopardising social objectives? Are there sufficient policy grounds to eliminate or substantially reduce different rules affecting different types of firm performing a specific activity?

Let me try to address those questions in the context of the ongoing discussion on how to regulate new fintech and big tech players.

The current setup

First, a few words on the current setup. We know that fintechs and, in particular, big techs, are expanding their activities. These now include the provision of financial services; in particular payments, credit underwriting and asset management (Frost et al (2019)). As they do so, they leverage data analytics, exploiting the information they gather to provide their customers with a wide array of services. This in turn creates large network externalities that generate further user activity. This is what we at the BIS call a data network activities (DNA) loop, that allows big tech to quickly scale up in market segments, such as financial services, which were originally outside their core business (BIS (2020)).

To offer regulated financial services, big techs hold licences such as the ones required to provide payment services, conduct wealth management and, in some jurisdictions, lend to firms or households. Main big techs in the European Union and the United States, however, do not typically hold banking licenses, although they partner with established banks to perform some banking activities (Crisanto et al (2021)). The situation in Asia is different, as big techs such as Ant or Tencent typically do hold participations in credit institutions. Moreover, big techs are also subject to cross-sectoral regulation in the areas of competition, data protection and so on.

Therefore, contrary to what is sometimes claimed, big techs offering financial services do need to satisfy regulatory requirements which are aligned, in principle, with those imposed on other market participants. The question is, of course, whether this suffices to curb the risks posed by the techs and to mitigate competitive distortions in the relevant markets.

Can regulatory asymmetries be justified?

Before addressing that question, I need to refer to a few general considerations.

Achieving a level playing field for market participants is certainly a key aim for authorities, but it is not the overriding one. To ensure adequate market functioning and, more generally, to protect the public interest, public authorities sometimes need to treat different players differently, even if that affects their relative competitive position.

Indeed, the risks generated by different entities performing a similar activity are not necessarily the same. For instance, different firms performing credit underwriting do generate different risks for the financial system. This depends on whether their activity is funded by their own resources, market leverage or deposits taken from the public. As a consequence, different entities with different funding options may need to be subject to different rules in order to properly address the specific risks they generate and, hence, safeguard financial stability. More concretely, the risk transformation business of banks requires a specific (prudential) regulatory treatment that is not necessary for credit providers that cannot accept deposits (Restoy (2019)).

Those regulatory discrepancies across entities may also be warranted in the area of competition. Here, firms that are more likely to indulge in anticompetitive practices may need specific constraints. This is, for example, the case for firms offering different but complementary goods (such as eg operating systems and browsers) or with vertically integrated business models.

However, in other policy areas, such as consumer protection or anti-money laundering/counter financing of terrorism (AML/CFT), there would seem to be no reason (based on primary policy objectives) for discriminating between providers of any particular financial service.

In general, entity-based rules are required when risks emerge not only from the provision of a particular service, but also from the combination of activities (such as deposit-taking, risky investment or payment services) that entities perform. This regulatory approach requires requirements and obligations at the group (consolidated) level regardless of the distribution of activities across different subsidiaries.

In sum, regulatory asymmetries between banks and big techs can sometimes be justified on policy grounds. That is the case in policy areas (such as financial stability or competition) where an entity-based approach should be pursued. Discrepancies would not be warranted, however, in other areas (such as consumer protection or AML/CFT), where an activity-based approach would be preferred.

Moreover, in entity-based policy areas, differences in regulatory requirements would be justified only if they address the specific risks posed by different types of entity. Failure to apply the rules required for some classes of entity while imposing entity-based rules on others would conflict with primary policy objectives and lead to unwarranted competitive distortions.

Do we see unwarranted regulatory asymmetries?

Let's now explore what happens in practice in the case of banks and big techs.

Focusing first on policy areas such as AML/CFT or consumer protection it is hard to find discrepancies in the requirements imposed on commercial banks as compared with the ones for other providers of financial services (Restoy (2021)).

By holding licenses to provide payment services, credit underwriting or wealth management, all players are subject to AML/CFT rules (such as those of the US Bank Secrecy Act or the EU AML Directive). Those derive largely from the international FATF standards, which are designed to cover essentially all financial service providers.

In a similar vein, consumer protection rules in the areas where big techs are active apply to all authorised financial service providers, regardless of the type of license they hold. In Europe, the Payment Service Directive (PSD2) or the market conduct rules contained in the Market in Financial Instruments Directive (MiFID) exemplify the broad scope of application of activity-based legislation.

Yet it can be argued that the implementation, supervision and enforcement mechanisms of activity-based rules for different types of entity are not always identical. In particular, there is a sense that supervisors apply more stringent consumer protection and, more importantly, AML/CFT standards to credit institutions than to other players. This may be partially due to the application of the proportionality principle, given the normally larger scale of banks' activities as compared with those of their competitors. But such discrepancies may also arise from the fragmentation of the oversight regime across different sectoral supervisors. Certainly, a functional (eg a twin-peaks model) rather than a sectoral organisation of supervision would help to deliver a more uniform application of activity-based rules across different entities, thereby contributing to a more level playing field.

A more important source of competitive distortion arising from regulation may be in the entity-based policy area. In particular, there may not be adequate rules to address the risks posed by big techs when operating its DNA business model (Carstens (2021), Restoy (2021)).

Take operational resilience, for example. Huge disruption could arise from a big tech's failure to ensure business continuity. To safeguard their resilience, a comprehensive approach may be warranted for big tech groups encompassing all their activities, as is currently the case for banks. This could be particularly critical for big techs that offer key services (such as cloud computing) to financial institutions. Quite possibly, the concept of systemicity – the criteria by which institutions are judged to be systemic and the controls that are applied to them – may need to be adjusted if they are to meet the new challenges posed by big techs in finance.

In addition, there would seem to be a strong case for adjusting competition rules to the potential damage that big techs could create by imposing specific entity-based requirements on them.

At present, competition-related policy measures rely very much on case law emerging from the ex post application of high-level principles to the specific activities of market players. A more forceful approach would be to introduce ex ante constraints on big tech practices concerning data use and data-sharing, service-bundling, admission criteria or any other source of potential discrimination across actual or potential participants in the platforms they run. That strategy would mitigate the risk that measures taken by competition authorities could come too late to prevent irreversible damage to a competitive marketplace.

Emerging entity-based regulatory initiatives

Some initiatives in different parts of the world do seem consistent with the development of new entity-based rules for big tech platforms.

In the area of competition, the US House of Representatives issued a set of recommendations last year that would require big techs to avoid specific practices that could work against free and fair competition. More recently, the Senate has started discussing a Competition and Antitrust Law Enforcement Reform Act that builds on some of the recommendations of the House report.

In China, the State Administration for Market Regulation has issued guidelines which effectively ban some of the practices seen at what they call internet companies. Similarly, the People's Bank of China has recently issued draft rules for non-bank payment service providers.

Finally, as you all know, the European Commission proposed last December a Digital Markets Act for the European Union. This aims at barring anti-competitive practices by large big tech platforms that act as gatekeepers, to use the EC's terminology.

In other policy areas, there has also been some action. In China, the authorities have introduced a number of specific constraints on big tech activities in relation to client balances on payment platforms and the originate-to-distribute credit underwriting model. Importantly, they have updated the regulation of financial conglomerates and have pushed Ant Group and Tencent to become a financial holding company. This constitutes a bold move towards applying a comprehensive regulatory regime to big techs active in the financial services market.

In the European Union, the Digital Services Act (DSA) contains entity-based provisions for big techs. These aim at, among other things, ensuring adequate management of the different operational risks that big techs generate. As such, they include requirements for governance, risk management and audit. Importantly, the DSA also envisages a specific supervisory regime for large tech platforms. This is, in my view, a very welcome development.

Concluding remarks

To conclude, I believe that we need a determined policy response to the disruption created by the emergence of fintech and big techs. The aim will be to uphold primary policy goals such as financial stability, market integrity, consumer protection and fair competition. Unwarranted regulatory and supervisory asymmetries between different players, should also be eliminated, although only as far as this is compatible with overarching policy priorities.

Yet, contrary to what is often argued, I do not believe that it would be a promising strategy to move in the direction of replacing entity-based rules by an activity-based regulatory approach. Two considerations lead me to this conclusion.

First, most fintechs and big techs that are active in financial services are already subject to activity-based rules in the policy areas (such as consumer protection or AML/CFT) for which an activity-based approach is warranted.

Second, replacing entity-based by activity-based rules in other areas, such as prudential regulation, may severely jeopardise primary policy objectives, such as financial stability. In these policy areas, rules need to address risks stemming from the combination of all the activities that entities perform and they must focus, therefore, on the consolidated balance sheets.

There is, in fact, a strong case for relying more rather than less on entity-based rules to properly regulate big techs. Their unique business model calls for entity-specific safeguards, such as the ones being developed in several jurisdictions, including the European Union, in areas such as competition and operational resilience. This will help not only to safeguard primary policy objectives but also to address the competitive distortions emerging from insufficient regulation of big techs as compared with that applied to banks.


Bank for International Settlements (2020): Annual Economic Report, Chapter 3, June. 

Carstens, A (2021): "Public policy for big techs in finance", introductory remarks at the Asia School of Business Conversations on Central Banking webinar, "Finance as information", January. 

Crisanto, J C, J Ehrentraud and M Fabian (2021): "Big techs in finance: regulatory approaches and policy options", FSI Briefs, no12, March.

Frost, J, L Gambacorta, Y Huang, H S Shin and P Zaiden (2019): "Big tech and the changing structure of financial intermediation"; Economic Policy, vol 34, no 100, pp 761–99.

Restoy, F (2019): "Regulating fintech: what is going on and where are the challenges?", speech at the ASBA-BID-FELABAN XVI Banking public-private sector regional policy dialogue on Challenges and opportunities in the new financial ecosystem, Washington DC, 16 October.

--- (2021): "Fintech regulation: how to achieve a level playing field", FSI Occasional Papers, no 17, February.

Related information