The $865 billion that Statista research estimates has been invested in fintech companies between 2019 and 2023 has brought benefits to banks, but also created new vulnerabilities and amplified existing risks. A new report by the Basel Committee on Banking Supervision (BCBS) looks at the implications of increased digitisation in finance, and considers the regulatory and supervisory implications.
The Digitalisation of finance report builds on a previous paper, Sound practices: implications of fintech developments for banks and bank supervisors, that was published in 2018. It identifies three broad areas in which banking services have been transformed by technological innovation.
- An expansion of financial services and products, and of the distribution channels through which they are offered.
- The emergence of new technological suppliers of these services (for example big techs, fintechs and third-party service providers).
- The increasing use of digital innovations for managing, mitigating and overseeing risks.
Technologies identified as contributing significantly to the process of change are application programming interfaces (APIs), enabling easier, faster and, importantly, more secure sharing of data; the use of artificial intelligence and machine learning in both front and back office functions; and increased use of distributed ledger technology (DLT) and cloud computing.
Neobanks, fintech, big tech
Those technologies have facilitated new entrants and business models in the banking and financial services sector, for example neobanks, fintechs and so-called big techs. Those new competitors often have inbuilt data and technology system advantages over their more traditional rivals.
And the report notes the growth in partnerships between banks and non-banks and technology firms in which non-banking intermediaries serve as the interface between the bank and its customers – or banking as a service (BaaS).
While the report says that “digitalisation holds the promise of expanding access to financial services (ie improving financial inclusion), reducing transaction costs, improving customer experiences and increasing competition,” it recognises that digitalisation “can also create new vulnerabilities and amplify existing risks to banks, their customers and financial stability.”
These risks could be strategic, reputational or operational. One example provided of a heightened operational risk is “banks that rely on non-bank partners to undertake KYC and AML checks may be exposed to heightened compliance and legal risks if the processes of the non-bank partners are not appropriately vetted.” And, the report observes, “new technologies and new business arrangements can increase cyber risks if controls do not keep pace with change.”
The list of operational risks highlighted in the report will resonate with most risk and banking professionals, highlighting how advances in digital technologies can compound existing risks.
| Risk type | Digitisation impact |
|---|---|
| Model risk | Introduction of AI / ML amplifying risk through lack of explainability, overfit or the presence of bias or bad data. |
| Technology risk | Legacy systems a poor fit for new operating models, adding unnecessary complexity and remaining nodes of vulnerability within many bank technology stacks. |
| Cyber risk | Technologies and interconnectivity expanding the potential interface and entry points for cyber attacks. |
| Legal uncertainty | Challenges around product status in connection with new products as well as accountability and liability in connection with AI or DLT. |
| Compliance risk | Vulnerability as a result of reliance on inadequate third parties as outlined above as well as product innovation (crypto, DeFi and DLT, but also AI in connection with customer interactions). |
| Fraud-related risks | Enabling new types of fraud, such as the use of deepfakes. |
| Third-party risk | Amplification of issues relating to information and data security, cyber security, privacy and operational resilience (also, mentioned in the report in connection with the use of cloud service providers, the potential reduction in internal expertise, particularly technological expertise that is required not only to supervise third-parties effectively). |
Role of data
The data intensive nature of many new technologies can also increase governance challenges, with the report saying that “the use of new data sources or techniques may also present challenges in integrating these processes with legacy risk management processes.” Plus, “Increased interconnectivity and the sharing of data between banks and third parties creates potential challenges for data security and protection, and may introduce additional vulnerabilities as different parties access a bank’s data.”
And there can be greater risk to financial stability, for example through increased interconnectivity adding levels of complexity that make it harder to identify, assess and respond to risks, and the increased speed of transactions enabling the faster spread of contagion.
| Risk type | Digitisation impact |
|---|---|
| Increased interconnections | Additional complexity and opacity making risk identification more challenging. |
| Regulatory arbitrage | Undermining the identification of risk and efficacy of supervisory rules. |
| Contagion | Rapidity of transactions increasing the speed at which problems could spread throughout an interconnected ecosystem. |
| Amplification of financial risk | Liquidity problems as a result of rapidity of customer withdrawals; procyclical behaviour including market swings and sudden shocks. |
| Fragmentation risk | Lower levels of interoperability potentially reducing financial system stability. |
| Concentration risk | Common infrastructure or model problems leading to systemic issues including disruption connected to the failure of a critical service provider. |
Governance structures
The report devotes some time to setting out how governance structures are being adopted in response to technological development. One example given is the mitigation of risk associated with increased use of APIs “by adapting existing controls to assure robust and risk-based information technology risk management and the overall safety and soundness of outsourcing/third-party relationships”. This could take the form of “granting access to APIs according to the principle of least privilege (that is, strictly limiting access to services to what is needed only).”
The list of effective governance structures and processes is very helpful in framing internal discussions around how governance can be bolstered and this list is applicable not only to financial services, but to any businesses that are dealing with rapid advances in technology:
- Robust strategic and business planning for new technology impact.
- Adequate staff development and training.
- Sound new product approval and change management processes.
- Robust risk management processes including resilience and business continuity.
- Continuous monitoring of new products, services and delivery channels to ensure compliance coupled with contingency planning.
- Robust IT processes.
- Effective controls and risk management covering all key risk areas.
There is also reference to regulatory frameworks evolving to meet new challenges, with the BCBS providing a reminder that it “issued a standard on the prudential treatment of banks’ exposures to cryptoassets (BCBS (2022c)), and new and revised principles on operational resilience and operational risk. (BCBS (2021a,b)).”
The report concludes with some consideration of new supervisory approaches and tools, and a roundup of implications of digital developments for banks as well as for supervisors.
