How should asset managers respond to regulatory uncertainties around fintech innovation?
Fintech is a priority for today’s asset management firms, many of which see such technologies as the key to maintaining a competitive edge. It is easy to see why. Fintech innovations promise a myriad of opportunities, from greater efficiency in financial transactions through to the transformation of the business.
In recent months and years, we have seen regulatory bodies worldwide attempt a careful balancing act. On the one hand, regulators recognise the need for innovation, and are working to support and encourage fintech activity through actions such as framework changes and the creation of regulatory sandboxes. On the other hand, there are significant concerns that existing risks, especially surrounding cybersecurity and fraud, are becoming heightened by fintech’s growth.
The digital age has brought significant shifts in every jurisdiction around the world, and financial regulations have not kept pace. The rules as originally written assumed a world in which people conducted business face-to-face, with physical signatures on paper. While regulators have updated rules over past decades, the accelerated pace of change means that regulators are now constantly playing catch-up with the implications of the newest innovations.
Current wisdom holds that fintech technologies do not pose significant financial stability risks in their own right. However, innovations already on the horizon could carry with them increased systemic risks through growing complexity and interconnectedness, greater operational risk, increased liquidity risk, and more. There is also uncertainty around where and how future operational and security risks might arise, meaning that regulators have the unenviable task of fighting fires before they are lit.
In watching recent regulatory changes and related discussions, it is clear that regulators are beginning to fundamentally rethink what ‘good conduct’ looks like in an age when contact is entirely digital – and may not involve human actors at any point. While in 2019 and beyond we see increasing divergence in worldwide regulatory standards in asset management, when it comes to facilitating fintech development, regulators appear to be of similar mind. Technologies such as robo-advice, blockchain and cryptocurrencies, and ‘big data’ are all on the regulatory radar, but addressing the heightened cybersecurity risks is clearly a top priority.
Incidents drive greater scrutiny, so it is no wonder that the cyberattacks in 2018 have led to increased regulatory attention to digital safety and security. The European Securities and Markets Authority (ESMA), Germany’s Federal Financial Supervisory Authority (BaFin) and more have all created forums, cybersecurity panels and other methods to help develop appropriate approaches to the increasingly common problem of cybersecurity vulnerabilities. In addition to these steps, the Monetary Authority of Singapore (MAS) has also recently launched a US$30 million Cybersecurity Capabilities Grant to co-fund financial institutions’ establishment of global or regional cybersecurity centres of excellence in Singapore [1], as well as issuing a recent consultation paper on cyber hygiene that includes essential cybersecurity practices for financial institutions [2].
Given that high-level rules regarding operational effectiveness and protecting clients’ assets are already in force, in most global jurisdictions, regulators have yet to start changing rules – though change may be on the horizon. In many jurisdictions, the regulatory focus is currently on supervisory activity rather than rule changes. Many regulators are now also looking at fine-tuning the regulations surrounding security tests, checks and controls to keep up with the accelerating pace of change.
Regulators are also increasingly interested in operational resilience. Trends show that regulators want to see that individual asset management firms have not only the necessary financial capability, but also the technological capability to operate in the current and evolving digital climate. Many fintech innovations connect asset managers to outside organisations, such as through the use of Application Programming Interfaces (APIs), creating the risk that the corporation does not possess the capability or capacity to effectively respond to a cyberattack, or that a response could come too slowly to be effective.
While cybersecurity may be regulators’ top concern, other fintech areas are also making waves. Distributed ledger technology (DLT), such as blockchain, is one area under particular scrutiny. ESMA, for example, indicated that “its legal certainty and broader legal issues – such as corporate, contract, solvency and competition laws – need to be considered and clarified” before DLT can be used for larger-scale financial purposes, while the FCA raised concerns that DLT could lead to a “lack of individual accountability at firms” [3]. Bitcoin and other cryptocurrencies have also received a skeptical reception from regulators around the globe, with incidents such as the Coincheck hack from early 2018 receiving particular regulatory scrutiny.
Other areas of growing regulatory concern include: robo-advice; crowdfunding, with some regulators proposing simplified rules for securities-based crowdfunding platforms; and continued interest in the implications of AI and big data.
Fintech innovations continue to shape the financial sector around the globe. Asset managers, like regulators, need to strike the right balance between the competitive advantages that fintech can provide and the risks inherent in the integration of these technologies with current business models.
In talking with our firms' clients, many are asking: how should asset managers respond to the current regulatory uncertainty and changes surrounding fintech innovation? We generally provide two core recommendations:
Fintech innovations can provide important competitive advantages, including benefits to the top line, bottom line and overall client experience. Yet even for asset managers that do not wish to engage heavily with fintech or are not looking to be a leader in innovation, the increasing regulatory pressure around organisational resilience demands a response. Understand, too, that it is not only regulators who will be looking to see that asset managers keep valuable data safe from cyberattacks. Malicious actors are actively pursuing vulnerabilities, and attacks will only increase.
Asset managers need to be fully informed about fintech innovations and regulators’ current thinking in order to make fundamental decisions about systems and processes throughout the business model, including across geographies. This includes investigating the technological capabilities, security policies and governance of not only outsourced service providers but also the suppliers’ suppliers, as any cyber risks that affect these downstream providers can ultimately impact the fund manager.
©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.