FinTech But cyber security is not just about technology. Investment in and execution of an organization-wide strategy to understand and combat cyber-attacks is critical. Effective strategies include governance combined with a culture of prudent business control and risk management, including training, communications, documented business processes and being vigilant over different infiltration points such as email or access to company WiFi.
New entrants For several years FinTechs have been quietly and now loudly and explosively leading the charge to address the gaps identified by our clients to capture market share. New entrants and technology developments are driving business model disruptions where VBProfiles found that investments in FinTech reached more than $38 billion in 2015. The extensive scope of activities across the new entrants makes it difficult to know what to focus on and where the greatest threats or opportunities may be. Small but successful startups can pose legitimate threats to even the strongest companies by disintermediating the banks or relegating them to being the “dumb pipes.” Further, non-traditional financial services companies like PayPal, Google and Apple are leveraging cloud and mobile technologies as well as viral distribution to quickly start and scale business at low cost to address the friction clients experience. New technologies like distributed ledger or blockchain enable new paradigms for exchange of value and create new “rails” that sit outside of the traditional bank to Financial Market Utilities (FMU) payment infrastructure. Banks have stepped off the sidelines with many having set up innovation centres to experiment with new business models and technologies. Some banks have invested in a range of different startups, and are collaborating and partnering with FinTech players.
Regulatory diversity As if infrastructure transformation, cybersecurity challenges and FinTech disruption were not enough, the industry continues to experience an amplification of regulatory oversight with increasing requirements aimed to protect the payment ecosystem, build resiliency of payment providers and utilities, and encourage
innovation and competition. Multiple layers of governance over the ecosystem are in place from global oversight bodies such as the Bank of International Settlement, the Basel Committee on Banking Supervision, and the Financial Stability Board, to regional and local oversight such as Office of the Superintendent of Financial Institutions (OSFI), The Bank of Canada, The Department of Finance, The Canada Deposit Insurance Corporation and the Office of the Privacy Commissioner of Canada. The regulatory environment is complex with new requirements emanating from the different bodies to revitalize and address outdated legislation and regulation, and to address the payment market conditions. Heightened capital and liquidity requirements through BASEL III, operational resiliency and “living
like Blockchain or virtual currencies like Bitcoin who do you regulate (FinTechs, exchanges, programmers, originators, beneficiaries)? How should they be regulated (legislation, acts, common law, civil law, codes of conduct, and what jurisdiction)? Many of these questions have yet to be answered. Regulations on FinTechs are nascent and vary greatly creating uncertainty for financial institutions that bank these firms and this uncertainty may constrain innovation among FinTechs. Various jurisdictions have introduced “regulatory sandboxes,” relaxing some of the regulatory requirements to encourage exploration and innovation in a flexible environment in which FinTechs can test technology and business models. Once the application has reached defined thresholds, commercialization generally requires full adherence to regulatory obligations. In some cases new regulations may be needed to ensure safety and security that reflect the unique characteristics of the new technology or business model. Examples of regulatory sandboxes include the United Kingdom’s Financial Conduct Authority, the Monetary Authority of Singapore, and the Australian Securities and Investments Commission. Systemic infrastructure change, new risks, new entrants and heightened regulatory pressure… it’s a frenzied pace but payments is the most exciting business to be in. Opportunities are everywhere to innovate, to deliver greater value to our clients, to enhance the client experience, create efficiency, effectiveness and transparency, reduce costs, drive new revenue, and enable a stronger, safer and more secure operating environment. Partnership and collaboration between the banks, FinTechs and regulators are the best way forward through these unprecedented times of change.
Small but successful startups can pose legitimate threats to even the strongest companies by disintermediating the banks or relegating them to being the “dumb pipes.” will” requirements, ongoing anti-money laundering and terrorist financing efforts, and cyber risk management controls are just a few of the topics impacting the payment world. To address the rise of cybercrime in particular, in 2016 The European Union adopted the Network and Information Security (NIS) Directive and General Data Protection Regulation; and in the U.S. the Cybersecurity Information Sharing Act was signed into law December 2015. In Canada the Government has articulated a cyber-security strategy and has created the Canadian Cyber Incident Response Centre (CCIRC) and is also considering legislation. For regulators and banks a conundrum exists with respect to FinTechs: Is a FinTech a technology company or is it a payment provider that should be governed similar to a bank? If so, which regulations apply and which ones do not and what falls under the regulations? In the case of new technologies
As TTS payments regulatory head, Stephanie Zee leads a team responsible for creating and driving Citi’s strategy to meet regulator expectations and is responsible for the management of emerging risks across global payments.
Financial Operations | Winter 2016 | www.financialoperations.ca
13