Tobias Adrian [1], Financial Counsellor and Director of the Monetary and Capital Markets Department, IMF
European Parliament FinTech Working Group
It’s a pleasure to join you here today, and to explore with you some of the key regulatory challenges that are now posed by BigTech.
At the IMF, as we discuss potential regulatory approaches that can be helpful in addressing risks, we need to keep in mind the nuanced circumstances of different jurisdictions in our membership.
The Challenges of BigTech
There is no doubt technology is having a profound impact on the financial services industry globally.When we think of BigTech, we think of large technology conglomerates with extensive customer networks with core businesses in social media, telecommunications, internet search and e-commerce. They are present in all continents and in most – if not all - of our member jurisdictions.The business model of BigTechs leverages three factors: the data they already have on consumers, aiding BigTechs to understand customer needs better; the advanced analytics they use to deepen this understanding further; and the reliance on strong networks effects, from leveraging their large consumer base. Their expansion into financial services can happen very quickly, as network effects drive interaction, user activity and the generation of ever greater amounts of data.It is interesting to see that BigTech expansion into financial services happens in a different direction than what we would normally see in fintech start-ups. The new technologies that allowed fintech start-ups to unbundle financial services, offering partial financial services or aggregation and customer interface services, are used by BigTech to “reverse” the unbundling. Based on their large global user base of non-financial products, they benefit from cross-subsidization and economies of scale and scope. That makes them well positioned to capture a significant market share of financial services once they start providing them.There are some potential benefits in this “rebundling”. BigTechs can use their knowledge of consumer preferences obtained through their other business areas, such as consumer spending habits and credit worthiness, to offer financial services to customers who may be underserved by traditional lenders. The economic and social benefits of financial deepening can be compelling.So, why should financial regulators be concerned with BigTech?The provision of cloud services is a good example of how BigTech non-financial services could have broader implications. The cloud is the virtual delivery of computing services that powers the operations of diverse entities across all financial services. These range from the largest bank to investment managers and smallest start-ups.The range is wide, yet there is a strong dependency on only a few critical providers. The Bank of England, in a 2020 survey, estimated that more than 70 percent of banks and 80 percent of insurers rely on just two cloud providers for IaaS (Infrastructure as a service). [2] Globally, 52 percent of cloud services are provided by just two BigTech entities, while more than two-thirds of services are provided by four BigTechs. [3]This concentration highlights the reliance of the financial sector on the services provided by BigTech. Ultimately, failure of even one of these firms, or failure of a service could create a significant event in financial services, with a negative impact on markets, consumers, and financial stability. The importance of these services means that in some respects, BigTechs may be already ‘too-critical-to-fail' in some.Fintech firms in general are not yet systemically significant, because their market share of financial services in most jurisdictions is not yet material. But BigTech creates different regulatory challenges. The Financial Stability Board (FSB), in its reports on the potential financial stability implications of BigTech, [4] discussed that BigTech could potentially affect financial stability in three ways: (1) even if their isolated financial activities might not be systemic, they could but cumulatively generate significant financial risk, especially because these could be scaled-up very rapidly, (2) risks could be magnified by their interlinkages with regulated financial entities, such as partnerships to originate and distribute financial products, and (2) they could generate risks as they carry out a systemically important activity ancillary to financial services, such as cloud services.These characteristics bring very particular challenges to regulators.The regulators’ response to these potential risks varies, depending not only on the actual business of the BigTechs in a given country, but also on the institutional architecture and mandates of regulators.In the example of the non-financial service mentioned before, some jurisdictions seek to mitigate the excessive concentration of cloud service providers by imposing requirements through their regulated entities. For other jurisdictions, however, applying and enforcing existing outsourcing and third-party providers regulations to cloud services can be very difficult. The FSB’s report on the financial-stability implications of cloud services emphasizes the issue of “lock-in risk,” as well as risks related to data governance and access. [5]Similarly, other existing regulatory frameworks which would generally be applicable to BigTech focus on their financial activities and seek to regulate them directly or through regulated entities. However, while the principle of “same activity, same risk, same regulations” may seem a reasonable approach, it may not be sufficient in addressing the potential stability implications of BigTech .Financial services offered by BigTechs may be subject to some activity-based regulations, but BigTechs themselves are not normally subject to comprehensive group regulations or oversight. This could provide BigTechs with a competitive advantage - not through innovation and better products, but through the benefit they can gain from a less comprehensive regulatory framework. In that case, the “same activity, same risk” approach can create an uneven playing field between financial incumbents and BigTechs, and can create room for arbitrage. Many existing regulatory frameworks (like Open Banking), that aim to facilitate competition, may have unintended consequences. They could create a one-way flow of data that allows BigTechs to capture a larger market share.BigTechs also defy the fragmented international regulatory framework applicable to data governance, operational resilience, and group-wide risks. There is plenty of room for regulatory arbitrage, policy gaps and a build-up of financial stability risks across borders.The regulatory response to BigTech expansion in financial services is not an easy one. Much depends on the role of BigTech within a jurisdiction and on the institutional architecture for regulation in each country. But the international community needs to ensure that BigTech’s potential benefits are matched by regulatory protections and mitigation against new risks.
We’re all just beginning our journey to understanding the impact of BigTech on financial services. But let me share some initial thoughts — and a path we’re aiming to explore.
Regulating entities, regulating activities
Within the international regulatory community, discussions on the challenges for regulation are under way in several fora. In addition to the work of the FSB, other standard-setters are reviewing their existing standards and guidelines to understand how they can be applicable to BigTech. The underlying framework for sectoral regulation, however, may simply not work in this case. The underlying framework for sectoral regulation, however, may simply not work in this case. The BIS and FSI [6] have recently re-ignited the discussion on activity vs entity-based regulations and their adequacy to deal with BigTechs. I would like to explore these ideas a little further.Consider the entity-based approach — in which regulations are applied to licensed entities, or to groups that engage in regulated activities. Requirements are imposed at the entity level and may include governance, prudential and conduct requirements. The entity-based approach can be built on principle-based regulations that allow more flexibility, as it can rely on expectations of governance and risk management of the entities and groups. Most important: There is a continuous engagement between supervised firms and supervisors, allow for the monitoring of the buildup of risks and the evolution of business models. Implementation is supported by supervisory activities (such as off-site monitoring and on-site inspections). Supervisors usually have a range of early steps that can be taken to modify firms’ behavior that could lead to excessive risk-taking and instability.By comparison, consider the activity-based approach — in which regulations are applied to any entity (or individual) that engages in certain regulated activities. Those regulations are typically used for market conduct purposes. They are generally prescriptive, and compliance is ensured by fines and other enforcement actions. Most BigTech firms are already subject to such activity-based regulations in many countries, such as AML/CFT and consumer protection rules.In some ways, the activity-based approach may encourage competition by requiring that only relevant regulatory permissions are needed to carry out certain activities. In theory, this “levels the playing field” by applying the same rules to the same activities, whoever is doing them. However, there are some important caveats. The approach must define activities very precisely, which is likely to create regulatory arbitrage opportunities, as it may not be able to capture rapidly changing and hard to define fintech activities. There is less room for supervisors to take actions before proceeding to enforcement. Because of this heavy reliance on enforcement, the activity-based approach is generally not suitable for early supervisory action to modify risky behavior. It is also not very effective for cross-border activities, unless global regulators adopt consistent regulations and unless international agreements allow for cross-country enforcement actions.Therefore, where firms have a potentially systemic approach and have a business model that involves various inter-related risks, a more hybrid type of regulation makes sense. Since our Global Financial Stability Report of 2014, [7] the IMF has advocated for a mixed approach to address systemic risks posed by shadow banking. There are some similarities in the regulatory challenges between those from shadow banking and BigTech. For example, both have grown outside the regulatory perimeters to have potential systemic implications. While each individual entity and service may not pose systemic issues, the combination of the entities and services, provided as bank-like financial services, also creates systemic risks. Some entities and functions of both shadow banking and the BigTech ecosystem can easily relocate their headquarters and main activities to other jurisdictions where regulations are less robust.So, since 2014, we have been recommending that monitoring and risk identification should focus primarily on economic functions andactivities — but that regulation and supervision should focus on entities. A mixed approach could be based on the entity-based approach, but the requirements would be tailored to the activities that the specific entity or group is engaging in. No two BigTechs, after all, are the same. As in the entity-based approach, entities may be subject to licensing and other requirements. Supervisors would thus have a number of supervisory tools to monitor risk and, ultimately, to implement and enforce the requirements.In the ideal world, if BigTechs are identified as systemic, it is more likely that home supervisors will need an entity-based approach. There may be a bespoke regulatory framework for BigTechs. Depending on the country and the BigTech, perhaps the principal regulator would not be the financial regulator. Whatever the regulatory agency is, it should work in close partnership with sectoral regulators, and agencies that oversee data, privacy, competition, consumer protection and financial integrity. International cooperation and information-sharing arrangements would be needed address the many cross-border aspects of BigTech.In this less-than-ideal world, however, we observe that the combination of the activities-based approach and the entity-based approach seems to be linked to the position of jurisdictions as “home” or “host” authorities; the characteristics of the business of each BigTech in each jurisdiction; and the existing powers and mandate of supervisors.
For example, when we look at the evolution of China’s approach to BigTech, and to the developments in Europe, we see that the Chinese authorities, as home supervisors of BigTech, are gradually moving to an entity-based approach — which brings BigTech into the supervisory perimeter within a framework applicable to financial conglomerates. In the EU, on the other hand, we can observe a “host” jurisdiction stance, taking steps to mitigate the risks that arise from BigTech’s presence within financial markets. The Digital Services Act and Digital Markets Act contain targeted powers to leverage against platform providers and online gatekeepers, which would cover many BigTech entities. Both acts include measures to mitigate abusive market practices, improving disclosures and provisions around complaints handling, mitigating risks from combing end-user data from different sources without consent, no self-preferencing, data portability, and interoperability of ancillary services.
Realism and Pragmatism
When we look at the IMF’s broad and diverse membership, however, we can see that not all home jurisdictions will have the breadth of mandate to rein in BigTech, as the Chinese authorities are doing. And not all host jurisdictions will have the (economic and political) leverage to apply requirements to foreign BigTechs, as the EU is doing.In the longer-term, the regulatory framework, in practice, will need to consider the role of home and host jurisdictions in the regulation of BigTech — although it may be challenging to identify the home supervisor, in some casesWe think most “host” jurisdictions could consider activity-based regulations, supplemented by group-wide supervision, tailored to a BigTech’s entity-specific risks. This can probably be built within their existing regulatory frameworks and can be implemented with fewer additional resources. Depending on the circumstances, supplementary group supervision can help impose prudential requirements across a BigTech group’s financial activity.Again, for such an approach to work successfully, the optimal architecture would depend on home supervisors implementing robust regulations. In this sense, we are not very optimistic on what can be achieved in the very short term.Realistically, the biggest challenge for home supervisors would probably be the designation of BigTech as systemically important groups. Nonbank Systemically Important Financial Institution (“SIFI”) designation (to large asset managers and insurers) has become stranded by strong industry pushback. It may take substantial time to enact any designation (which may be necessary for a home supervisor to implement entity-based regulations in some countries) of BigTech as systemically important entities or infrastructure.
So, being pragmatic, we have been discussing, with some of our members, what could be done as a short-term fix. For many countries, what can be done in the short term — in addition to applying activity-based regulations to the extent possible — is to engage with BigTech firms to better understand their activities in the country. Encouraging the development of codes of conduct and disclosure requirements — akin to those applicable to securities markets — can be particularly helpful. They could help identify and monitor risks; help improve governance and oversight; and help regulators build understanding using minimum resources.
Easier Said Than Done
In 2018, along with the World Bank, the IMF jointly developed the Bali Fintech Agenda to provide a framework for jurisdictions to harness the benefits of financial innovation, while mitigating the risks. It provides a framework for authorities to consider their approach to fintech. Since then, we have seen that — when it comes to BigTech — this is much easier said than done.The rapid expansion of BigTech into financial services is happening on a cross-border and a cross-sectoral basis. Such expansion is significant in some emerging economies, where it may be creating significant risks, including to financial stability. But it also affects advanced economies in various ways, including the intensification of concentration risk.To achieve effective implementation, and the multiple objectives of regulatory authorities, we believe a mix of entity- and activity-based approaches — probably based on a home/host supervisor split — is the way forward in the longer term.The mixed approach would thus need to rely on a robust entity-based regulatory framework implemented by the home regulator. We recognize, however, that (in practice) it is likely to take several years before this can be achieved.In the meantime, we think most countries, as host supervisors, will do what is possible: They should actively use all of their existing regulatory powers — such as indirect supervision through regulated entities; activity-based regulations when feasible; and the development of codes of conduct and disclosure to pave the way to a better understanding of business models and risks.In this sense, we welcome the G7’s call for further discussions on ways to mitigate the risk of regulatory fragmentation and to facilitate coherency of emerging technology ecosystems. We look forward to policies to promote international consistency in Big Tech operations across borders. These efforts would be helpful to address the concerns of our broader membership.
This is a wide-ranging and complex area for the future of effective financial regulation — with enormous implications for financial stability. If we approach these concerns with flexibility — tailoring our approaches realistically to what is achievable in the short run, as well as what is ideal for the long run — we can help create an effective, evolving approach to regulation and supervision.
Reference
[1] With contributions from Parma Bains, Arif Ismail, Fabiana Melo, Nobuyasu Sugimoto, and Christopher Wilson.[2] How reliant are banks and insurers on cloud outsourcing? | Bank of England[3] • Chart: Amazon Leads $130-Billion Cloud Market | Statista[4] BigTech in finance: Market developments and potential financial stability implications - Financial Stability Board (fsb.org)[5] FSB reports consider financial stability implications of BigTech in finance and third party dependencies in cloud services - Financial Stability Board[6] Big techs in finance: regulatory approaches and policy options (bis.org)[7] IMF Global Financial Stability Report: Risk Taking, Liquidity, and Shadow Banking: Curbing Excess While Promoting Growth