Professional Documents
Culture Documents
Regulation and Supervision of Fintech: Ever-Expanding Expectations
Regulation and Supervision of Fintech: Ever-Expanding Expectations
supervision
of fintech
Ever-expanding expectations
March 2019
kpmg.com
1 Regulation and supervision
of fntech
Contents Executive
Executive summary..................... 1
Implications for frms................... 3
Fintech risks ................................ 5
Regulation and supervision ......... 7
How KPMG can help ................. 13
summary
Contacts .................................... 15
Fintech
“Technologically enabled fnancial innovation that could
result in new business models, applications, processes
or products with an associated material effect on
fnancial markets and institutions and the provision of
fnancial services.”
Financial Stability Board
Fintech regulation
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
3 Regulation and supervision of fintech
for firms
awareness and
understanding of fintech
applications and fintech--
related risks.
Firms should also be aware of, and Redrawing the Risk governance framework
responsive to, the different ways in regulatory perimeter Regulators and supervisors are
which regulation and supervision might Regulators are redrawing the focusing on how fntech affects the
affect their businesses, and to build regulatory perimeter to take account of core risk governance competencies of
this assessment into their strategic new or changing products and services identifying, managing, measuring and
planning and risk mitigation activities. emerging as a result of fntech controlling risks across the three lines
solutions and emerging technologies. of defence, and having the appropriate
This needs to be a proactive process, resources, skills and expertise to
led by the frm itself, thinking in Governance deliver this effectively.
advance about how it can address and
mitigate fntech-related risks, not a Ever-expanding regulations and Depending on the business activities
purely reactive response to regulatory supervisory expectations are being and fntech applications adopted by
and supervisory initiatives as and introduced to require the Boards a frm, this is likely to cover at least
when they emerge. and senior management of frms to the development of new products
understand, oversee and manage and services, outsourcing, the use
effectively the risks arising from the of artifcial intelligence and the
development and adoption of fntech automation of both front and back
solutions and emerging technologies. offce tasks, technology risk, cyber
security, operational resilience, AML
and conduct risk.
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
Regulation and supervision of fntech 4
Risk
governance Data
Governance Business
Firms model viability
adopting
fntech
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member firms of the KPMG network are affiliated. All rights reserved.
5 Regulation and supervision of fintech
Fintech risks
In response, regulators and
supervisors have identifed a wide
range of risks – to consumers, to
regulated frms themselves, and
potentially to fnancial stability.
Risks to consumers
Although fntech should bring many
Regulators and supervisors have identifed risks arising from benefts to consumers, there is
three main fntech-related drivers, namely the increasing also scope for consumers to be
reliance of fnancial services frms on technology, the disadvantaged.
increasing interconnectedness within the fnancial sector, and Lack of consumer understanding –
the prospect of greater concentration and herd-like behaviour. consumers may not fully understand
the nature and risks of the fntech-
related products and services they are
being offered.
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member firms of the KPMG network are affiliated. All rights reserved.
7 Regulation and supervision of fintech
Regulation and
supervision
Fintech is moving rapidly from ‘under the regulatory radar’ and
is attracting growing regulatory responses and supervisory
scrutiny. The list of regulatory and supervisory responses to
fntech-related risks continues to lengthen. This will ratchet up
over the coming years as the fntech sector and the adoption
of fntech solutions continue to develop and grow, and as the
associated risks evolve.
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member firms of the KPMG network are affiliated. All rights reserved.
Regulation and supervision of fintech 8
Regulation
The regulatory response to fntech Data and artifcial intelligence –
takes many forms. existing data protection legislation,
such as the EU General Data
Regulatory perimeter – some fntech Protection Regulation (GDPR), already
developments, such as the use of covers some of the data protection
crypto currencies, the outsourcing issues arising from fntech.
of cloud computing, and the move
of some non-fnancial services frms But fntech developments are
into the provision of specifc products continually highlighting new areas in
and services such as lending to SMEs which additional or refned regulation
and retail payments systems, raise may be required, for example in
questions about where the regulatory the use of artifcial intelligence and
perimeter should be drawn. The distributed ledger technology, and
regulatory net is widening, and some in the general trend towards the
frms that are currently outside the gathering of an ever-broader range of
perimeter may fnd themselves subject fnancial and non-fnancial data from,
to regulation in the future. and sharing across, a wider set of
parties. A more intense debate can
As the regulatory net widens, the be expected about whether there are
intensity of regulation may also appropriate frameworks in place for
increase. For example, the regulatory the gathering, storing, sharing and use
requirements on loan-based and of data, both domestically and cross-
investment-based crowdfunding have border.
tended to expand from their initial
emphasis on clear communications Governance of regulated frms –
and risk warnings to funders. These regulators are increasingly setting rules
requirements have shifted to a or guidelines that focus on ensuring
focus on service providers holding that boards and senior management
capital-type resources to protect have suffcient awareness and
funders in some circumstances, understanding of the fntech
and putting in place adequate applications being used by the frm, in
procedures for credit risk assessment, order to manage the risks effectively.
governance, systems and controls, Some regulators are also requiring
and complaints handling. This is also frms to identify clear individual
refected in guidance on fntech credit senior manager responsibilities
licence applications, with a focus and accountabilities for managing
on governance, internal controls, fntech-related risks.
operations, capital and liquidity.
Within this approach, some regulators
Retail conduct – regulators are are also focusing on board and
turning to familiar approaches to senior management responsibilities
consumer protection in the fntech age, in specifc areas of risk such as
using a mixture of (a) transparency algorithmic trading, cyber security,
and disclosure to raise consumer outsourcing to third party service
awareness of the nature and risks of providers, and operational resilience
products and services, (b) prohibiting more generally.
or limiting the sale of some products
and services to retail customers,
and (c) re-writing detailed conduct of
business requirements to adapt them
to fntech developments.
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
9 Regulation and supervision of fintech
Risk management – although Open banking – regulation has in part Similarly, in the UK the government
mostly covered by existing regulatory constituted a market in open banking has established a Centre for Data
requirements on risk management, by establishing the basis on which Ethics and Innovation. Although not
some fntech developments have data can be shared between different itself a regulator, the role of the Centre
generated regulatory responses parties, usually through an application will be to analyse and anticipate
calling for regulated frms to address programming interface (API). gaps in governance and regulation
specifc fntech-related emerging that could impede the ethical and
risks within their risk management Accounting and regulatory innovative deployment of data and
framework. This has included the treatments – fntech can generate artifcial intelligence (AI); agree and
money laundering and market abuse new types of exposure, such as to articulate best practice, codes of
risks in the use of crypto assets; the crypto assets, requiring the clarifcation conduct and standards that can guide
risks arising from the use of distributed or revision of the accounting and ethical and innovative uses of data
ledger technology in payment, clearing regulatory (risk weight) treatments. and AI; and advise government on the
and settlement systems, and more specifc policy or regulatory actions
generally in the storing and validation Financial stability – the frst steps by required to address or prevent barriers
of transactions data; the application regulators here are likely to continue to innovative and ethical uses of data
of outsourcing principles to specifc to focus on data and information and AI.
fntech applications such as cloud gathering and analysis, but in due
computing and artifcial intelligence; course some regulatory interventions
the testing and use of artifcial may emerge in response to fntech-
intelligence, machine learning and ‘big related risks to fnancial stability.
data’ across a range of applications;
and data privacy, security and Endorsing industry and other
protection. codes and principles – regulators
and supervisors may rely in part on
Cyber security – regulators are codes and principles developed by the
generally focusing on the national industry or by other agencies.
implementation of international
standards in the key areas of For example, the EU Commission has
governance, workforce skills and established a High-Level Expert Group
capabilities, identifcation (risk analysis on Artifcial Intelligence, tasked with
and assessment), protection and making recommendations on policy
detection (access management, development and on ethical, legal
information security, security controls, and societal issues related to artifcial
expertise and training, monitoring and intelligence. The Group proposed a
testing, and information sharing), and draft set of artifcial intelligence ethics
incident response (crisis management, guidelines in December 2018.
recovery and learning lessons).
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member firms of the KPMG network are affiliated. All rights reserved.
Regulation and supervision of fntech 10
and competition
Data protection
investor access
Limits on retail
Governance of
Concentration
Disclosures to
Changing the
management
resilience of
Operational
consumers
regulatory
perimeter
Firms’’risk
frms
frms
AML
Crypto assets
Cloud computing
Crowdfunding
Payment systems
“ ”
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and
is a Swiss entity with which the independent member firms of the KPMG network are affiliated. All rights reserved.
11 Regulation and supervision of fintech
Supervision
Supervisors are increasingly refecting More specifcally, supervisors are Risk management function –
fntech-related issues in their focusing (to varying degrees across whether frms have reshaped their
supervisory priorities. This is seen countries) on: internal organisation in response to
most generally in areas such as cyber fntech developments, with adequate
security, outsourcing, operational Business models and viability – resources and clear reporting lines
resilience and AML. whether a frm has a well-considered across all three lines of defence;
strategy and business model that and whether frms (and indeed their
To a large extent the focus here is takes account of fntech developments supervisors) have the technical
on the ‘basics’ of how regulated and provides a solid basis for the capabilities required to manage
frms identify, monitor and manage continuing viability and sustainability of technological innovation, including
the risks to them arising from the frm. hiring for appropriate skill sets such as
fntech. Supervisors are reviewing data scientists, mathematicians and
and evaluating how frms address Governance – how well boards and statisticians.
these risks through their strategic senior management understand
and business planning, new product fntech and its related risks, and how Conduct – in addition to complying
approval and outsourcing procedures, well a frm has identifed, assessed with specifc detailed regulatory
and risk management practices more and addressed these risks. requirements, whether frms are
generally; and how frms monitor and taking a more wide-ranging view of
review the impact of fntech on their how fntech may be changing the risks
compliance with applicable regulatory facing consumers and how these risks
requirements, including those might be addressed.
related to consumer protection and
data protection.
Fintech-related
- regulatory and supervisory initiatives Oct 2017
International standard setters, EU and UK FSB report on fnancial
sector cyber security
May 2017 regulations, guidance and
FSB report on fntech credit: supervisory practices
market structure, business
models and fnancial
Dec 2016 stability implications
ESAs Joint
Committee report on
Feb 2015 the use of big data by Feb 2017 June 2017
EBA opinion on lending - fnancial institutions IOSCO research FSB report on fnancial stability
based crowdfunding report on fntech implications from fntech
Feb 2017
June 2015 June 2017
Committee on Payments Nov 2017
FATF guidance on a risk-based EBA report on
and Market Infrastructure FSB report on artifcial
approach to virtual currencies innovative uses of
report on distributed ledger intelligence and machine
technology in payment, consumer data by learning in fnancial services
clearing and settlement fnancial institutions
Key:
Aug 2017
General The EBA's
’ approach to
Crypto assets May 2017 fnancial technology
Distributed ledger technology EBA draft recommendations
on outsourcing to cloud
Peer to peer lending service providers
Data and AI
Cyber security
“
© 2019 KPMG International Cooperative ("KPMG International"). ”
KPMG International provides no client services and
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
Regulation and supervision of fintech 12
Outsourcing – whether frms are In addition, major frms may be Firms active in this area are being
exercising appropriate oversight over expected to advance from meeting asked to demonstrate that they
third party providers, including the core requirements towards understand and can manage
frm’s access and audit rights, and implementing more advanced effectively the risks that greater use of
the implications of outsourcing for tools (such as technology and risk AI and machine learning might pose.
business continuity, recovery and management tools) to manage cyber
resolution planning. risks more proactively, and to drive Sandboxes – using sandboxes
innovation in people, processes, and innovation hubs to test fntech
Cyber security – whether frms technology and information sharing to applications and to identify and
can demonstrate that they have enhance cyber resilience. address risks in a constrained
in place effective governance, risk environment.
identifcation, security controls Artifcial intelligence and machine
(over access management, incident learning – how well frms control “Suptech” – the use of fntech by
management, network security and and mitigate the risks arising as supervisors to improve the regulatory
end-user computing), detection and they make increased use of AI and reporting process and the supervisory
prevention, testing, incident response machine learning, not least in terms analysis of data and other information
and information sharing. of governance, understanding, and (for example to detect outlier
relationships with third party providers. frms, money laundering, fraud and
suspicious trading patterns).
2018 2019
Jan 2019
Mar 2018 Jul 2018
ESAs Joint
EU Commission legislative FCA consultation on loan-
Committee
proposal for an EU based (‘‘peer-to-peer’
- - ’)
report on
framework on crowd and Mar 2018 and investment-based
-
Dec 2018 regulatory
peer to peer fnance ECB guide to assessments crowdfunding platforms
EBA draft guidelines sandboxes and
of fntech credit institution
on technology innovation hubs
licence applications
and security risk
management
Feb 2019
FSB Global
monitoring report on
non--bank fnancial
intermediation
“
© 2019 KPMG International Cooperative (“KPMG ” KPMG International provides no client services and
International”).
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
13 Regulation and supervision of fntech
How KPMG
can help
KPMG member frms have established teams
of specialists able to help fnancial institutions to
identify opportunities and benefts from fntech,
and to support them in addressing a wide range
of fntech-related risks.
“
© 2019 KPMG International Cooperative (“KPMG ” KPMG International provides no client services and
International”).
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
Regulation and supervision of fntech 14
“
© 2019 KPMG International Cooperative (“KPMG ” KPMG International provides no client services and
International”).
is a Swiss entity with which the independent member frms of the KPMG network are affliated. All rights reserved.
Contacts
Ian Pollari Anton Ruddenklau
Global Co-Leader
- of Fintech Global Co-Leader
- of Fintech
KPMG International KPMG International
T: +61 2 93358408 T: +44 20 76942224
E: ipollari@kpmg.com.au E: anton.ruddenklau@kpmg.co.uk
kpmg.com
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavor to provide accurate and
timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation.
Some or all of the services described herein may not be permissible for KPMG audit clients and
their affiliates or related entities.
© 2019 KPMG International Cooperative (“KPMG“ ” a Swiss entity. Member firms
International”),
of the KPMG network of independent firms are affiliated with KPMG International. KPMG
International provides no client services. No member firm has any authority to obligate or bind
- - third parties, nor does KPMG International
KPMG International or any other member firm vis-à-vis
have any such authority to obligate or bind any member firm. All rights reserved. The KPMG name
and logo are registered trademarks or trademarks of KPMG International.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
CREATE. | CRT109370A | March 2019