Bank 4.0 Page 9
These kinds of failures will certainly threaten the soundness of the financial system. Banks are far more regulated and supervised than non-banks, a pattern likely to intensify as market change accelerates. Banks will probably continue to be forced to carry higher regulatory costs and risks than competitors and to maintain old systems, such as to keep branches open, especially in lower-income areas. One result will be loss of market share. Another will be likely failures of banks that don’t adapt. All these problems will tend to spiral, as regulatory strictures and costs continue to drive innovation out of the banking sector and into less-scrutinised space. There, risks will rise, undetected, sometimes leading to crises that produce reactive policies that may make matters worse long term (as happened in the subprime mortgage crisis, sparking popularisation of the term “shadow banking.”) These trends could bring systemic crises in system liquidity, capital and public trust.
Don’t expect this to negatively impact non-bank players necessarily. While many banks point to “trust in banks” as a core of their ability to service the market, the reality is players like M-Pesa, Alipay and WeChat Pay have established strong trust through their utility, which is in turn amplified by network effect.
Private companies that don’t adapt rapidly to new technology will be replaced by ones that do, ones with better utility. In the regulatory realm, however, institutions are created by sovereign governments. Despite some likely restructuring, most are here to stay. To avert the regulatory disasters described above, these organisations will have to change. The journey to a 21st century financial regulatory system will be long and hard.
Elements of reform
Success will require strategies grounded in first principles of assuring financial system stability, customer fairness, and curtailing money laundering (and in some countries, fostering economic growth by promoting competition and financial inclusion for consumers and small businesses). Below are the critical elements:
RegTech and SupTech: principles-based, data-driven supervision: Policymakers will have to de-emphasize rules-based regulation and rely increasingly on principles-based supervision married to data-intensive monitoring against quantified metrics. Rules-based regulation can work in some realms, but prescriptive, procedural requirements will increasingly lag behind tech-driven change in products and practices. (In advanced economies, it can take several years to create a new regulation, making many likely to be obsolete at issuance.)
Instead, regulators must move to data-intensive, AI-driven monitoring of transactions, business conduct, and market patterns, using “RegTech” for regulators, or supervision technology, often called “SuperTech” or “SupTech”. This will require setting quantified, measurable standards for satisfying the principles embodied in the goals of each regulation, ranging from adequacy of risk-adjusted capital and preventing insider trading to nondiscriminatory treatment of consumers.
Digitally-native regulation: Reform should create new systems that are digitally-native, not mere enhancements of old analog processes. They should determine what data and analysis are needed to achieve the goal and then digitize the regulatory design to make it better, faster and cheaper all at once, as happens with all things that are digitized. In many areas, these new approaches should be established in parallel with the analog model and industry should be allowed to choose between the two, as a means of easing transition.
Machine-executable regulation: In November 2017, the UK Financial Conduct Authority (FCA) conducted an experiment in machine-executable regulation. Convening a collaborative hackathon with industry, they coded a change in a regulatory reporting mandate, applied it to a set of dummy data, and successfully produced a report reflecting the revised rule, machine-to-machine. The reporting change, which might have taken months or years to execute through traditional means, was implemented in about ten seconds. The FCA has issued a report on the test, requested public input on next steps, and reached out to engage regulators from other countries. Machine-executable regulation would not work for some purposes but where it can, it could save vast amounts of time and money for both government and industry. It should be central to regulatory reform.
AML network monitoring: As discussed earlier. For example, the future won’t be based on a reporting mechanism that requires banks to act as a virtual police force for tracking down suspicious transactions and suspicious account owners. Instead, AIs will track transactions en masse, looking for suspicious flows and identifying the centres of AML activity that need policing response. Bad actors could be flagged in much the same way fake phishing websites are identified today, and banks would automatically know not to transact with those entities.
Test beds, sandboxes and Reg-Labs: Regulators will need new strategies that can enable them to formulate and test technology-driven change before adopting it system-wide. Similarly, industry will need a carefully designed safe space within which to test promising innovation that does not fit squarely within current regulatory requirements. For both, regulators should create and permit test beds, Reg-Labs, or regulatory “sandboxes” under clear, thoughtful limits and at very small scale.
These are already spreading, worldwide. Inspired by the one created by the UK’s Financial Conduct Authority, more than 20 countries have created or are exploring establishment of Reg-Labs.25
Changes in missions, cultures, skills and protocols: Most current regulatory bodies will need rethinking regarding missions, scope and protocols. They will need to change training and to recruit new skills, especially in data science. They may need to reorganise around tech-centered issues and create new leadership roles like chief innovation officer or chief data officer. They will also have to alter cultures that are conservative and focused heavily on risk avoidance, rather than open to the upside of innovation. Changes may be needed to enhance their freedom to collaborate with industry and other interested parties and in some cases to “co-create” regulations and shared databases. Other changes will be required in regulatory procedure protocols that require lengthy formal periods for public comment—although constant input will be more important than ever.
Structural modernisation will have to include updating which companies can access central payments systems and how, and how this should be regulated. This will also mean thinking through the challenges of regulating cryptocurrencies, and the nature of banking itself.
Regulatory agility, open platforms, and code: Regulators will have to speed up their cycles for creating and updating regulations. Some might be structured to function like GitHub or an app store, operating on an open platform that would prescribe standards and then permit innovation in how to meet them. Eventually, regulators may promulgate some regulations in the form of computer code that simply plugs into industry systems and creates self-executing compliance. The ability to deploy cloud-based systems in their markets will be essential both for new players, incumbents and the regulators themselves.
Practical implementation roadmap: If we were starting today from scratch, few if any people would design the regulatory systems we now have, with their pre-digital assumptions, missions, technologies and structures. However, we are not starting from scratch. While change can come to the private sector through competition, the regulatory world can only change through the will of policymakers. The regulators’ dilemma will most likely work against that happening—like an immune system attacking the virus of change.
Figure 3: Regulation is largely about absorbing tech, monitoring algos and risk mitigation in real-time.
It is crucial, therefore, to create not only a vision of possibilities, but also a practical pathway that can get us there from here. No such pathway exists using traditional methods for changing the government—new laws, new regulations, regulatory reorganisation, and the like.
Where do regulators start?
Instead, regulators need to do three concrete things and start small, but fast.
First, regulators must use the test-beds described above as small-scale learning laboratories where they can develop empirical proof that key changes will produce benefit and little risk or harm (the testing can determine what harm-mitigation steps should be built in). The empirical proof can help build support for needed reforms by convincing sceptics of their merits, while the testing process provides the needed insight on how to go forward.
Second, regulators must build these Reg-Lab learnings into an experimental, alternative regulatory channel that works through data and AI. Again, this channel should start small. Furthermore, crucially, it should be made optional for the industry.
Regulated entities should be given a choice: they can remain in the traditional regulatory process they hate but know, or they can elect a new data-driven RegTech channel, submit to intensive, real time scrutiny, and be relieved of process-oriented compliance requirements. The government’s stance would be that if the entity can prove through data that it is meeting desired outcomes, measured using transparent and empirical standards, then regulators need not care how they got there.
Making this new channel optional would avoid the biggest obstacle to regulatory reform, namely the need to force change on the entire system at once. Regulators today don’t even know what changes are needed—this needs to be learned through testing and other means—but even when they do, the system will exert massive political resistance to major change, due to both fear of the risks involved in opening up set rules and fear that the reform’s benefits won’t outweigh the transition costs of adopting them. Removing that fear makes it possible to spread new regulatory norms gradually through the financial system, learning and refining at small scale before scaling up.
Lastly, regulators must retool—the most critical change is one of leadership focussed on technology-based or digitally-native supervision, rather than policy and process-based regulation. The skill set required by the regulator of 2030 is not one of policymaking and examiner-based compliance; it is almost entirely technology supervision based and the ability to respond and correct the market in a very dynamic, real-time capability. This evolution will happen quickly in regulatory terms, over just 10–15 years.
These changes will require strong leadership and courage by policymakers. Fortunately, many leaders are already stepping up.
Endnotes
1. The Innovator’s Dilemma, by Clayton Christensen. See: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwj9rOKe_uDVAhUMmoMKHb1-CBkQFgg0MAI&url=http%3A%2F%2Fwww.claytonchristensen.com%2Fbooks%2Fthe-innovators-dilemma%2F&usg=AFQjCNHyfrCGTv2MBU9wUzlWnNrj8n2SrA.
2. Even in countries like China where the “Great Firewall” restricts access, the proliferation of VPN (virtual private networks) has allowed circumventing these restrictions for years.
3. Bitcoiners even have a slang term for this mantra of retention, which is HODL or “Hold on for dear life!”
4. “Are cryptocurrencies about to go mainstream?”, The Observer, 1 July 2017—https://www.theguardian.com/technology/2017/jul/01/cryptocurrencies-mainstream-finance-bitcoin-ethereum.
5. SEC Investor Bulletin: Initial Coin Offerings (https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_coinofferings).
6. Founded in 1989 at the G7 Summit in Paris, also known by its French name, Groupe d’action financière (GAFI).
7. Source: FATF/United Nations Office on Drugs and Crime (UNODC).
8. https://www.unodc.org/unodc/en/money-laundering/globalization.html.
9. HSBC were fined $1.9 billion—https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwi7qbb4hOHVAhXBfyYKHa5-DcAQFggtMAE&url=https%3A%2F%2Fdealbook.nytimes.com%2F2012%2F12%2F10%2Fhsbc-said-to-near-1-9-billion-settlement-over-money-laundering%2F%3Fmcubz%3D1&usg=AFQjCNGaAgOEpYZrn0Pp0WaupEedz3rwIw.
10. Alliance for Financial Inclusion report on pillars for financial inclusion—http://www.afi-global.org/publications/2458/The-2016-Global-Policy-Forum-GPF-Report-Building-the-Pillars-of-Sustainable-Inclusion.
11. “Overseas Americans can’t open foreign bank accounts because of FACTA? Court says tough luck!”, AngloInfo.com, 29 April 2016 by Virginia La Torre Jeker.
12. Suspicious Transaction Report.
13. “Uber second-quarter bookings increase, loss narrows”, Reuters Technology News, 24 August 2017.
14. “A New Direction: Our Changing Relationship with Driving and the Implications for America’s Future”.
15. Less voting rights, too.
16. Source: Standard Bank/Accenture Research (2015).
17. Source: Intermedia.
18. Fake profiles aside.
19. Research shows that Australian Customs and Border Patrol Officers doing face-to-face verification missed one in seven fake IDs—http://theconversation.com/passport-staff-miss-one-in-seven-fake-id-checks-30606.
20. Amazon literally provides cloud services for the U.S. Department of Defense (see https://aws.amazon.com/compliance/dod/).
21. Report on the Economic Wellbeing of U.S. Households in 2015, Federal Reserve Board of Governors, May 2016—https://www.federalreserve.gov/2015-report-economic-well-being-us-households-201605.pdf.
22. At this writing the US Consumer Financial Protection Bureau is evaluating this issue and may undertake rulemaking or other guidance to address it.
23. Effectively translates as “Bank of the Estates of the Realm”.
24. I swear—I’m serious.
25. Aspen Institute Report: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjj1unioOHVAhVk6YMKHeOtANEQFggmMAA&url=https%3A%2F%2Fassets.aspeninstitute.org%2Fcontent%2Fuploads%2F2017%2F07%2FModernizing-Reglabs.pdf&usg=AFQjCNEZSooEnB6NYEFmWRbZVvyiOyNMKA.
There is no doubt at all that the future of banking is entangled with the future of identity. Digital identity is a key resource in the new economy and banks, just like other organisations, will need to develop digital identity strategies. But what should these be? And, we might speculate, what happens if banks do not develop these strategies?
We have all read countless articles and sat through countless conference presentations and seen countless blog posts and noted countless tweets that all highlight the key role of digital identity in the new economy. The authors may not all be entirely clear on what a digital identity actually is, but they do share the common suspicion that unless we have some form of digital identity infrastructure in place then the potential growth and attendant benefits of the transition to a new online economy cannot be fully realised. I more than share this suspicion. In fact, I think it’s an absolute certainty that unless an appropriate infrastructure can be put into place, then we have no chance of moving forwards.
Digital identity is, not to put too fine a point on it, critical infrastructure for the future. But how will it work? Who will be in charge of it? When it comes to thinking about this sort of thing, I admit to having some form. I’ve been working in the space for many years and indeed have something of a reputation for my modest intellectual contributions to the evolution of the subject. Along with my colleagues at Consult Hyperion, I developed a pretty good model of digital identity that has been tried and tested and found useful in a number of different areas. This model, the “three domain identity” (3DID), as shown in Figure 1 (below), frames digital identity as the bridge between the mundane and virtual worlds and sets out a clear framework for thinking about the dynamics of the bindings with either of them. At a high level, it’s sufficient to know only that these bindings are highly asymmetric: it is time-consuming, complicated and expensive to bind a digital identity to something in the real world but it is inexpensive and quick to bind the digital identity to something in the virtual world. It’s all about encryption and keys and how you manage them (see “A Model for Digital Identity” in Digital Identity Management, edited by yours truly back in 2007).
Figure 1: The “three domain identity” model.
There are a number of reasons for thinking that while there are a wide variety of organisations that could instantiate these bindings, and indeed a number of different institutional arrangements that could come into existence around these bindings, it is a plausible hypothesis that it should include banks who could be vanguard providers of digital identity. A few years ago, I wrote a book about this (Identity is the New Money, LPP: 2014) to explore some of the issues around identity infrastructure, making some positive suggestions about how we might construct a better identity infrastructure more suited to the modern world and explaining why it was that banks might be the right organisations to create and manage these bindings.
On the whole, I think that my arguments still hold true. I was reminded of them recently when a friend of mine had some problems with his Facebook account being taken over by fraudsters. He was extremely frustrated by his efforts to contact Facebook and have something done about it. As I pointed out to him, I could not see any reason why he should have expected anything different. Facebook has no statutory obligation to remedy such problems1. Banks, on the other hand, are regulated financial institutions and, were they to provide identity services, would be obligated via regulation to ensure your identity was protected. If your bank account was taken over by thieves, then you might reasonably expect the bank to do something about it and have some procedures to establish who the rightful owner of the bank account was, restore control of the account to that person and provide appropriate compensation if the bank had behaved negligently in some way.
I like this vision of the future. Let’s imagine a non-financial use case to see what I mean. Internet dating sites provide a rich and practical environment for exploring different notions of identity, so let’s use them as our example. Let’s imagine I go to the dating site and create an account. As part of this process the dating site asks me to log in via my bank account. At this point it bounces me to my bank, where I carry out the appropriate two-factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the internet dating site, which tells them that I am over 18, resident on Jersey and that I have funds available for them to bill against. In this example my real identity is safely locked up in the bank vault, but it has been bound to a virtual identity that I can use for online interactions. So my internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating site can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch2. This seems to me a very appropriate distribution of responsibilities. When the internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to, and Barclays won’t tell them.
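The token exchange described above, sketched as an added example (it is not code from the book or from any bank). The `Bank` class, the claim names and the customer record are all constructed for illustration, and an HMAC tag with a bank-side `verify` call stands in for a public-key signature that the dating site could check on its own.

```python
import base64, hashlib, hmac, json, secrets

class Bank:
    """Identity provider: keeps the real identity, issues PII-free tokens."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key, never leaves the bank
        self._customers = {}                  # customer_id -> record containing PII
        self._vault = {}                      # pseudonym -> customer_id

    def enrol(self, customer_id, name, age, residence, balance):
        self._customers[customer_id] = {"name": name, "age": age,
                                        "residence": residence, "balance": balance}

    def _mac(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue_token(self, customer_id, relying_party, two_factor_ok):
        if not two_factor_ok:                 # stands in for the bank's 2FA step
            raise PermissionError("customer not authenticated")
        c = self._customers[customer_id]
        pseudonym = secrets.token_hex(16)     # random, so it encodes nothing
        self._vault[pseudonym] = customer_id
        claims = {"iss": "bank", "aud": relying_party, "sub": pseudonym,
                  "over_18": c["age"] >= 18, "residence": c["residence"],
                  "billable": c["balance"] > 0}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._mac(body)).decode()

    def verify(self, token, relying_party):
        """Back-channel check for a relying party: claims, or None if invalid."""
        body, _, tag = token.encode().rpartition(b".")
        if not hmac.compare_digest(tag, self._mac(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims["aud"] == relying_party else None

    def resolve(self, token, relying_party, lawful_request):
        """Map a token back to a person, only for an authorised request."""
        claims = self.verify(token, relying_party)
        if claims is None or not lawful_request:
            return None
        return self._customers[self._vault[claims["sub"]]]["name"]

def demo():
    bank = Bank()
    bank.enrol("cust-001", "Alex Example", 34, "Jersey", 250)  # constructed data
    token = bank.issue_token("cust-001", "dating-site", two_factor_ok=True)
    claims = bank.verify(token, "dating-site")
    # What someone holding the site's stolen database can read from the token:
    readable = base64.urlsafe_b64decode(token.split(".")[0]).decode()
    # Editing a claim without the bank's key invalidates the tag.
    forged = dict(claims, residence="Guernsey")
    forged_body = base64.urlsafe_b64encode(json.dumps(forged).encode()).decode()
    forged_token = forged_body + "." + token.split(".")[1]
    return {"claims": claims,
            "pii_in_token": "Alex Example" in readable or "cust-001" in readable,
            "forged_accepted": bank.verify(forged_token, "dating-site") is not None,
            "other_site": bank.verify(token, "other-site"),
            "police": bank.resolve(token, "dating-site", lawful_request=True),
            "thief": bank.resolve(token, "dating-site", lawful_request=False)}

if __name__ == "__main__":
    print(demo())
```

The token's payload is only encoded, not encrypted, which is why the design depends on the claims and the random `sub` value carrying nothing that identifies the customer.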