Regulatory Relations

Big tech’s move into financial services has been keenly observed by financial institutions and regulators alike in recent years. Yet latest communications from the Bank for International Settlements indicate a decisive change in tone – financial regulators need to “get a grip on big techs and be prepared to act quickly”. By Kuangyi Wei, director of regulatory strategy at Accenture.

Why the change?

Big tech’s presence in financial services alone should not warrant such apprehension. Financial services represent just over 10% of big tech’s revenue globally. The scope for greater innovation, efficiency and consumer choice remains ample. And in most cases, big tech’s forays into finance – be that payments, consumer credit or wealth management – have been delivered in partnership with regulated incumbents. 

Big tech’s ability to redefine the contours of the regulatory framework is another story. Harnessing what the Bank for International Settlements (BIS) describes as a D-N-A model, big techs are seasoned operators in capitalising on extensive customer Data and the associated Network effect to launch new, value-adding Activities. 

This, combined with enviable balance sheets and fully-fledged customer bases, gives big techs a formidable speed to scale, beyond the pace at which regulatory frameworks can adapt. Big techs’ business models also naturally straddle across the remits of data, communication, financial and competition authorities, making the trade-offs between regulatory objectives more visible and the co-ordination more challenging. 

Entity-based regulation

Close to financial regulators’ hearts is big tech’s impact on financial stability. This can arise from many factors: big techs’ potential in disintermediating the financial value chain and ‘decoupling’ origination from funding; mobile payments’ growing importance for consumers; and more pressingly, big techs’ role in powering digital transformation across financial services. 

To date, big techs’ provision of cloud and other technology services have been managed ‘at arm’s length’ by financial regulators – by setting expectations for financial institutions, in their capacity as big techs’ clients, on areas of material outsourcing, security, resilience and data governance. 

Yet a digital uptick propelled by the pandemic is calling this approach to question. Cloud adoption has accelerated across financial services and moved beyond back-office functions. Core banking and payment processing are now seen as prime targets for cloud migration, according to research firm Gartner. 

This development has made the resilience of big techs integral to both financial stability and consumer protection. In response, the financial regulators are now exploring direct oversight – or, in BIS language “entity-specific rules” for big techs – something traditionally preserved for global banks. 

Across key jurisdictions, the policy dial is already shifting. The US House of Representatives fired the opening salvo in August 2019 with a letter to the Financial Stability Oversight Council regarding designating US cloud service providers as “systemically important financial market utilities” under the Dodd-Frank Act. 

The EU has since drafted the Digital Operational Resilience Act (Dora), which would empower the three European supervisory authorities to supervise technology providers serving the financial industry directly. More recently, the Bank of England/Prudential Regulation Authority called for “additional policy measures, some requiring legislative change” to address the concentration of third-party services to UK firms. In practice, this could mean designating cloud service providers (as well as other providers) as “critical” with the associated governance process, resilience standards and testing. 

While these developments are geared towards enhancing resilience, China went a step further in giving big techs the prudential treatment. Technology firms that operate two or more financial businesses are asked to set up regulated financial holding companies with capital and resolvability requirements. 

Where next?

In most markets, there is little reason to treat big techs as big banks: few have shown appetite in deposit-taking or maturity transformation. But singling out big techs’ cloud services provision for more direct oversight now seem unavoidable. If the approach explored by Dora paves the path for a global template, firms – big banks and big techs alike – will want to be on the front foot.

For financial institutions, regulatory caution should not deter digital transformation. However, firms need to give more balanced consideration to both technological and regulatory developments during their journey to the cloud. This requires a clear enterprise-wide articulation of the business objectives and a holistic cost-benefit analysis of financial, operational, and control factors. For incumbents, managing change risk is as key as mitigating cloud risks. Treating the journey to the cloud as a multi-year ‘regulatory business plan’ may help to capture broader stakeholder considerations.

For big techs, growing regulatory scrutiny may come as a culture shock to their disruption-centric heritage. Governance, risk management and control frameworks may lag technology firms’ innovation prowess. Notable areas to watch out for may include product development that misaligns with regulatory expectations, an increased conflict of interest from diversified businesses within the group, and unfamiliar operational and compliance challenges from new entity-based, cross-border requirements.

Agustín Carstens, head of the BIS, aptly captured financial regulators’ changing perspective on big techs as “from ‘too small to care’, to ‘too big to ignore’ to ‘too big to fail’.” Perhaps, just as banks look to big tech for innovation, there are a few leaves big techs can take from banks’ books when it comes to regulatory excellence in a fast-evolving landscape. 

Speaker’s Corner: A Speakers’ Corner is an area where open-air public speaking, debate and discussion are allowed. The original and most noted is in the north-east of Hyde Park in London.

This article is free to read, request a no obligation trial access to Global Risk Regulator.