Over the past 50 years, technology has transformed finance.
During the 2010s, FinTechs, typically small, agile start-ups, were the focus of much of the attention. In our view, the focus of attention across the 2020s will be something entirely different: digital finance platforms. Quietly, behind the scenes, digital financial platforms are increasingly serving as indispensable technological environments for all areas of finance – particularly investment funds – throughout the world. The two standout examples are Blackrock’s Aladdin, the world’s largest risk management platform and China’s Ant, a financial ecosystem with more than 1.2 billion clients and the company behind the what was meant to be the world’s largest IPO before it was halted by Chinese on November 10, 2020. Many modern financial markets would grind to a halt without such platforms, and yet they remain largely beyond the reach of financial regulation, designed to be activated by crossing thresholds designed in an earlier age.
Covid-19, among many others impacts, has dramatically driven forward digitalization of finance, reinforcing the trend towards winner-take-all platforms. Our forthcoming paper in the University of Pennsylvania Journal of Business Law analyzes the rise of these platforms and the exquisite challenges they pose to regulators.
The ubiquity and importance of these platforms highlights one example of “TechRisk”: the new risks that arise due to a heavy and growing reliance of modern finance on technology.
Another sort of TechRisk has been highlighted by a banking scandal in Australia that led to the resignation of the CEO and the Chairman of the Board of one of the nation’s largest banks, Westpac. Some years ago, Westpac decided that it could build a platform for international payments that was cheaper and faster than SWIFT. It achieved the economy and speed but failed to incorporate all of the protections of SWIFT into its new technology. The upshot was some 23 million breaches of AML/CTF laws and a fine of 1.3 billion AUD.
But the reputational costs for Westpac arguably exceed the costs of this massive fine because pedophiles exploited Westpac’s systems to pay for live-streaming of child sexual abuse – scripted and filmed to order — and an entire nation was revolted.
TechRisk is real. It is on the rise. And its magnitude is expanding rapidly.
In a paper just published in the Singapore Journal of Legal Studies, we analyze the various dimensions of TechRisk and suggest some basic principles on how it can be monitored and addressed, focusing in particular on the role of regulatory technology.
TechRisk by the end of 2019 had already arguably become the most important form of financial stability risk. Covid-19 however – through its impact on digitalization – has driven this to entirely new heights.
Our analysis suggests cybersecurity risks now constitute major threats to financial stability. Three factors are particularly relevant. First, the growing rate of technological development and adoption in finance is leading to more concentrated data nodes and less software diversity. As a result, the cybersecurity measures of financial institutions are becoming as strong as those of their weakest defended parties. Second, the lag and divergence in cyber governance regimes in different countries lead to at best, significant gaps, and at worst, normative clashes between various actors – capable of disrupting the relatively frictionless global financial network. Third, the increasing convergence of national security and financial stability in the cyber domain – as states increasingly designate financial institutions as critical infrastructure – has led to vastly varying approaches to transnational cybersecurity cooperation which expose potent weaknesses.
Following cybersecurity issues, we propose that financial stability risks are also intimately tied to data security and privacy matters. First, as the compound effects of concentrated data nodes with more levels and forms of analysis are unclear, impact assessments remain abstract and regulatory efforts struggle to fully capture data threats. Second, the compound network effects enjoyed by firms with access to large data panels allows for an asymmetric and opaque access to information, dampening competition and reinforcing market domination. Third, the growth of datafication and increase in the sharing of data and privacy risks between public and private sectors require sufficient legal and technical capacity to mitigate the risks – however, heterogenous methodological approaches and access to resources across jurisdictions produce systematic strains.
The entry of major technology firms into finance – TechFins and in particular digital finance platforms – brings two new issues that exacerbate TechRisk. The first arises with new forms of potential systemically important infrastructure, such as data and cloud services providers. The second arises from data – like finance – that benefits from economies of scope, scale, and network effects and – even more so than finance – tends towards monopolistic or oligopolistic outcomes. Such tendencies spark the potential for systemic risk around data in new forms of “Too Big to Fail” and “Too Connected to Fail” phenomena.
We conclude by encouraging the formation of a new risk agenda, one which responds proactively to global TechRisk. Covid-19 has dramatically reinforced existing trends of digitalization, increasing TechRisk and requiring a strong regulatory response.
Seven steps are needed to create a future-proof regulatory system capable of mitigating the variety of new challenges that will arise. First, regulators must prioritize TechRisk as strongly as financial risks. Second, in-house tech expertise must be strengthened. Third, reporting requirements must be enhanced regarding TechRisk management. Fourth, TechRisks must be prioritized in supervision to enable hands-on assessment of tech capacity in supervised institutions. Fifth, cybersecurity risks should be depoliticized to foster the development of intergovernmental and sectoral cybersecurity capacity. Sixth, regulators should utilize RegTech to properly respond to the vast amount of data streams in need of monitoring. Seventh, regulators should actively seek to harmonize normative cyber and data policies to avoid friction, uncertainty, and loopholes.
Ross Buckley is the Australian Research Council Laureate Fellow and KPMG Law – KWM Professor of Disruptive Innovation at the University of New South Wales.
Dirk Zetzsche is a full professor in Financial Law, ADA Chair in Financial Law and Inclusive Finance at the Universite du Luxembourg.
Douglas Arner is the Kerry Holding Professor in Law and Director of the Asian Institute of International Financial Lawat the University of Hong Kong.
William Birdthistle is a Professor of Law at the Chicago-Kent College of Law.