Bank 4.0 Page 8

  The effect of identity reform in India is that the number of those included in the financial system has skyrocketed. The segment of the population most excluded in the old banking system—lower income households and women—have seen 100 percent year-on-year growth every year since the Aadhaar card initiative was launched. As of 2015 more than 358 million Indian women (61 percent) now have bank accounts, up from 281 million (48 percent) in 2014. This is the biggest single jump for “banked” women among eight South Asian and African countries17. You can either lower identity requirements or create new identity structures to support inclusion, but you can’t create IDV requirements that need driver’s licenses and passports for a population that doesn’t drive and doesn’t travel and expect financial inclusion through branches. That model is a recipe for financial exclusion as the 25 percent of US households that are underbanked already know.

  From a regulation perspective, however, the question should be asked, who has the best IDV capability today? Who is well placed to support financial inclusion and access over the next couple of decades? Frankly, it isn’t the banks.

  The largest holders of broad identity data sets today are Facebook, Apple, Tencent, Amazon, Alibaba/Alipay, Uber, Snapchat and other platforms with massive scale. Those platforms not only have basic identity data, but they often have quite sophisticated behavioural data sets along with biometric data like facial recognition, etc. It is likely that Facebook18 today has better identity information than the majority of retail banks in the world. Oh, and they are all on the cloud.

  As real-time delivery capability becomes essential for competitiveness, the need to present at a branch to provide an identity document that large swathes of the population no longer use, is simply a structural impediment to inclusion. Regulators that insist that face-to-face verification is required using a driver’s license or passport, along with a physical signature, are not securing banking for consumers, they are part of the problem. It is a problem that is only going to get worse. Face-to-face verification backed by a wet signature will guarantee disruption from frictionless FinTech’s providing alternate value stores on top of ubiquitous platforms like those mentioned above.

  The only way for regulators to guarantee incumbents stay competitive is to remove both the face-to-face and cloud platform constraints. By 2025, we could see most banks outsourcing identity to identity brokers like Facebook or the Aadhaar card. It simply doesn’t make sense for banks to be collectors and holders of identity data in the future. It’s far more likely banks will interface with identity services and just pass enough information across to verify the identity of the new customer is accurate. Not to mention that technology like software-based facial recognition is 15–20 times more accurate at identifying a customer than a typical face-to-face interaction19. A fact that would indicate face-to-face account opening is no longer safe—it’s probably statistically the single riskiest thing a bank could do in this day and age.

  But read later the chapter on blockchain, where I will argue that regulators and banks won’t have to worry about identity collection and KYC regulations for much longer.

  Heads in the cloud?

  Another key challenge is that regulators must join the global technology migration to cloud computing. Until recently, examiners in the US routinely required banks to produce things like physical e-card keys for accessing server rooms and written fire suppression plans for protecting servers—these have been mandatory elements in IT risk management. FinTechs, in contrast, don’t have server rooms. The data is in the cloud. When Moven first migrated our technology to Canada, the Canadian regulator wanted Amazon Web Services (AWS) to tell us where the physical servers that stored anonymised, tokenised customer data were housed. Needless to say AWS didn’t comply with the request.

  Regulators have generally frowned on cloud-based systems due to security concerns. Done right, however, cloud systems like Amazon Web Services are actually far more secure, not less. This is mainly because they are much easier to defend. Traditional bank IT systems have numerous weak links, because every point of access is a potential vulnerability. In banks, points of access are everywhere—in multiple server rooms in many locations; in systems that typically run numerous kinds of software, often in versions that are not fully up-to-date; and in the leaky pipes between these systems, which are full of cracks in security where data can be lost or stolen. The stealing can be done by hackers, and also by the many bank employees who must have access simply to maintain it all.

  More critically though, cloud-based providers like AWS or Microsoft Azure have grown up in a combative security environment where they are constantly being probed by hackers, and their cyber-security teams are the best in the world. Over time this acts like an immune system, enabling the big cloud providers to build military grade security20 of their platforms—platforms that routinely outperform bank-owned IT systems on both security and performance criteria.

  In a cloud system the data is all online, which means it’s protected from physical disasters like fire, and it can be secured efficiently. Regulators should focus on security outcomes, not forms. If the bank and regulators properly run penetration testing to assure that the environment is secure, it shouldn’t matter how the security is being achieved, as long as customer data remains secure.

  Regulators are increasingly open to this, but they need to make a full conversion to permitting and even encouraging cloud-based systems. Both the banks and their consumers will be better off for it. So will the regulators themselves, who will be increasingly able to monitor banks’ compliance performance through RegTech strategies that analyse easily-gathered data.

  The trend of regulators to require on-premises solutions is effectively building stand-alone “islands” in the technology architecture of future financial systems. These islands prevent banks from working seamlessly with other providers.

  We have to assume that in the future more cloud-based financial service providers will emerge than not. In fact, it’s likely that the majority of experience-based capabilities will have a cloud element. By restricting the use of cloud as a platform for regulated entities, regulators are actually ensuring that their banks won’t be able to sustain competitive platforms against emerging FinTechs and technology leaders. In turn, cloud prohibitions will make a financial services marketplace less effective and less competitive over all. Restricting the cloud today will increase the gap between the most progressive financial markets and your own.

  Improvements in credit access

  Another widening gulf between old regulation and new technology is in credit risk assessment, and therefore financial inclusion. Today, lenders can use new kinds of data and machine learning to fine tune risk evaluation models that were developed in an era when, again, data and computing power were both scarce. Combined with the mobile phone, which is bringing financial access to billions of people never served by brick and mortar branches, this data revolution is the most democratizing force in the history of finance. Unfortunately, public policy and bias towards incumbent lending institutions threaten to block much of this potential, especially in countries like the United States where credit agencies are very well established.

  While US regulators permit many kinds of data modeling for risk analysis, policymakers have created a special risk zone around using new kinds of data for consumer lending. The laws that prohibit credit discrimination include the concept of illegal “disparate impact”, meaning non-intentional discrimination in the form of statistical disparity in lending outcomes for “protected classes” such as women and minorities. Lending that shows such statistical patterns may be challenged as illegal unless the provider can prove a business need and can demonstrate that this need cannot be met with a less discriminatory approach.

  All lending produces different outcomes for different groups of borrowers, and these disparities are often adverse for racial and ethnic minority populations that have lower income, wealth, job security and other attributes that can impa
ct creditworthiness. Long ago, regulators blessed use of certain models, despite such impacts, viewing them as statistically sound and predictive. These approved models generally rely heavily on use of credit scores, and so work well for consumers who have good scores. However, they can inadvertently exclude or penalize people with “thin” credit files, no credit history, or complex histories that are hard to evaluate efficiently through available data (such as a past financial setback due to a health problem). With such customers, reliance on credit scores can exclude people who are actually creditworthy and could prove it, if the lender could evaluate more information about them.

  Technology makes that possible. Lenders today can readily learn much more about people beyond their credit histories and scores—in fact, they routinely do so in areas like detecting fraud and complying with the anti-money laundering KYC rules. In credit, most lenders are afraid to use alternative data, because regulators have not clarified how such practices will be evaluated for discriminatory disparate impact.

  In the United States, an estimated 80–130 million Americans live at the fringes of the financial system, relying on high-cost services.21 Millions could be brought into accessing well-priced mainstream credit, on terms they can afford, if the regulation can catch up with the technology.22

  The future form and function of regulation

  Returning to first principles, we need to ask why we created regulation in the first place. At bottom, it’s a function, not a form. In modern finance, though, the function has become encased in old and rigid structures that are increasingly mismatched to the task.

  The oldest remaining central bank, and technically the first government regulator of money, was Riksbank23 in Sweden, which began operations in 1668. Government involvement in control of money is not a new phenomenon, however. The earliest examples of state controls over currencies go back to Egypt around 2750 BC, where the state-issued shat24 unit of currency was pegged to gold. The Bank of England was established soon after Riksbank in 1694, but as a mechanism to raise money for war with Louis XIV of France.

  Central banks originally were the private banks of the government or royal families. As such, their role in regulating the financial system effectively evolved over the 18th and 19th centuries. Until 1844, commercial banks in Britain were able to issue their own notes. After this date, issuance of new bank notes was restricted to the central bank, and backed by gold (generally referred to as “seigniorage”). Over time central banks came to manage the banking market as a whole, including licensing of banks for commercial operations. Later, economic policy also became the purview of central bankers and monetary authorities as a means to regulate growth. It is fairly clear today that after the Global Financial Crisis of 2007–2008, central banks can no longer effectively boost economic growth with monetary policy alone.

  Regulation of banks came with central bank controls on issuance of notes—only a licensed bank could issue notes or take deposits. This all changed in the 1930s with the Great Depression, as regulation was introduced to protect consumers more broadly from failing banks and stock markets.

  Thus, regulation of institutions that take deposits or issue currency is the historical role of central banks, but in a world where cryptocurrencies can be issued by a collective group of programmers, or a technology company like Ant Financial, Microsoft (with XBox credits), or Starbucks can hold more deposits (read funds) on behalf of their customers than a modern bank—the control and structural elements start to break down.

  There is a very real question of what value a banking license itself will hold in the near future, as value stores become more fungible and as utility is increasingly owned by non-bank actors. Should Microsoft be forced to issue a FDIC deposit guarantee on the funds it holds for you? Should Ant Financial, Facebook or Amazon be forced to get a banking or payments license to be able to move money around the economy?

  However, what if Alipay (for example) is issued a payments license in China, but half of its users are outside of China? Should Alipay be required to get a payments license in every country it operates? This is what current regulation would assume. But what about deposits or value held in its wallet—should Ant Financial be required to get a banking license in every country where they hold deposits? I think only regulators would assume this is a reasonable ask—shareholders in Ant Financial would argue it is not reasonable. Operationally, you could very well have laws in China that restrict a company like Ant Financial from operating in the United States, or you could have regulations that are in conflict. A non-bank entity in the UK that has an e-money license or a challenger bank charter, is still prohibited from taking deposits from a customer in the US. What if they allowed a US resident to deposit cross-border using Bitcoin and then issued a UK debit card to the US resident? This would be in breach of US regulations, but would be very difficult to police and prevent.

  The reality is as our economy becomes increasingly global, and as money movement becomes less and less defined by geography, the role of central banks to authorize a technology actor to act as an extension to the traditional banking system assumes that the traditional banking system works efficiently. However, in pure economic terms, the way we license banks and the way we limit the ownership of bank accounts will fail to cater for the plethora of new types of value stores and value exchange systems we see emerging in the future world of finance.

  Take for example the ability for AI-agents or smart assistants like Siri and Alexa to act as agents conducting commerce on your behalf in a few years time: “Alexa, book me a restaurant in Chinatown Friday night for five people. Make sure they serve dim sum for dinner and it’s rated 4-stars or better.”

  In this scenario, if the restaurant in question also has an AI agent handling bookings, it’s fairly certain that before long payments will be fully automated by these agents. These two AI-agents will negotiate between each other to facilitate the payment, but the underlying value store won’t matter—an AI probably won’t stop because you don’t have a MasterCard linked to your Alexa account. If you’re a Chinese tourist visiting Chinatown in New York City, your AI will likely be powered by a WeChat or Alipay style value store enabled in the cloud and built into your phone; so by the time that you’ve finished your meal the restaurant AI would poll the tourists’ agent requesting payment, and some clearing house would facilitate a payment from Alipay to the restaurant’s Citibank bank account held in New York.

  To extend the analogy: what if the restaurant receives delivery of foodstuffs via a delivery robot and has to pay the robot a delivery charge? The robot will have a value store to accept payment; but which bank is going to enable robots to open traditional bank accounts so they can be issued a 16-digit card number from their social security number? It’s far more likely that this value store will be more like a stored value GPR prepaid card or a so-called e-wallet (PayPal, Venmo, Alipay, WeChat, etc) construct than a traditional bank account. When a sizeable chunk of commerce shifts to non-bank value stores, do we license every variety of value store and insist on a deposit guarantee? Or do we simply monitor that activity to protect consumers?

  What could go wrong?

  A parade of horribles will arise out of the coming regulatory failures, in overlapping categories.

  First, over-regulation will inevitably throttle desirable and helpful innovation. This will happen because regulators do not understand the upside potential but are built to see the downside risks. Innovation, especially by small startups, inherently involves business and technology risk. Some innovators will fail, leaving customers stranded, including people who were storing value in uninsured instruments, and will lose their money. Innovators will also experience security breaches. Such breaches are, of course, common in today’s highly-regulated banks as well, but there will be public and regulatory backlash against newer kinds of entities. In other cases, policymakers will frequently seek to block innovation due to political pressure from incumbents seeking regulatory protection from more agile com
petition.

  Second, under-regulation and gaps in legacy regulatory domains will allow new risks to emerge and grow. These will include loss of consumer privacy and cyber security, rising money laundering, bias and inaccuracy in algorithmic decision-making, and instability in the financial system. The fact is, innovative methods of financial service are evolving at a rate faster than regulators can adapt. So expect these gaps to grow.

  A third type of failure will be regulatory inconsistency producing market distortions and also systemic uncertainty that chills the entry of new capital into promising fields. In most countries, multiple regulators have overlapping mandates and jurisdictions with, generally, only weak (and very slow) mechanisms for collaboration and coordination. The United States has a uniquely intense version of this problem, with five national agencies directly supervising financial institutions, another two dozen involved in financial regulatory matters, and 50 states also overseeing banks and non-bank financial companies. Despite some coordinating bodies, this splintered structure causes extensive inconsistency, which breeds regulatory uncertainty and risk and again, deters innovation.

  Finally, regulations will simply become increasingly ineffective in achieving their goals. Regulators built on analogy technology will increasingly lag behind industry (as well as criminals and terrorists) using advanced digital and computational approaches grounded in massive data and AI.