
Banking in Web3.0 – Metaverse, DeFi, NFTs and beyond.

COMP 7412 Sem A, 2023-24

Lecture 02: Regulatory requirements, Risk management in Banking

Dr. Juergen Rahmel, MBA

HSBC Hongkong / Germany



Table of Contents
• Lecture Objectives

• Regulation: Origin and organisation


• The requirements for banks (selection)

• RegTech: streamlining fulfilment and reporting

• Risk Management
• Financial Risks
• Non-financial Risks

• Summary

Regulation: Origin and organisation

Example: Hong Kong Banking Regulatory and Supervisory Regime

From the website of the Hong Kong Monetary Authority (HKMA):

“The HKMA is responsible for the authorization, regulation and supervision of banking
business and the business of taking deposits in Hong Kong.
The HKMA adopts a risk-based approach in evaluating banks’ safety and soundness,
risk-management systems and internal controls. This enables the HKMA to pre-empt
any serious threat to the stability of the banking system.
Apart from banks, the HKMA is also responsible for approving and supervising money
brokers operating in the interbank foreign exchange and deposit markets in Hong
Kong.”

Regulation: Origin and organisation

Elements of HKMA’s approach:


• The HKMA is responsible for the authorization of authorized institutions as well as
suspension and revocation of such authorization.
• The authorization criteria aim to ensure that only fit and proper institutions are
entrusted with public deposits.
• So-called ‘Authorized Institutions’ fall into these categories:

They differ in:


- Target Customers
- Products
- Domestic vs International
- Channels to interact
- Ownership structure
- …

Regulation: Origin and organisation

Supervisory Objective
The Banking Ordinance provides the legal framework for banking supervision in Hong
Kong. Section 7(1) of the Ordinance provides that the principal function of the Monetary
Authority (MA) is to "promote the general stability and effective working of the banking
system".

Compliance with International Regulatory Standards


The HKMA seeks to establish a regulatory framework in line with international standards,
in particular those issued by the Basel Committee on Banking Supervision and
the Financial Stability Board. The objective is to maintain a prudential supervisory
system which underpins the general stability and effective working of the banking system,
while at the same time providing sufficient flexibility for authorized institutions to take
commercial decisions.

Regulation: Origin and organisation

Regulatory Requirements
Authorized institutions have to comply with the provisions of the Banking Ordinance
which, among other things, require them to:
• Maintain adequate capital and liquidity;
• Submit periodic returns to the HKMA;
• Adhere to limitations on exposures to any single counterparty (or group of linked counterparties)
or to directors and employees; and
• Seek approval for the appointment of directors and chief executives, and for controllers.

Supervisory Approach
The HKMA follows international practices as recommended by international
standard-setting bodies, such as the Basel Committee on Banking Supervision, to supervise
authorized institutions.
The HKMA adopts a risk-based supervisory approach based on a policy of "continuous
supervision", through on-site examinations, off-site reviews, prudential meetings,
co-operation with external auditors and sharing information with other supervisors, with the
aim of detecting any problems at an early stage.

Regulation: what are the requirements for banks?

One major resource:

The Basel framework


Maintained by the
Basel Committee on Banking Supervision

Regulation: what are the requirements for banks?

Another major resource:

Financial Stability Board: Key Standards for Sound Financial Systems

Proposes key standards in three areas:


• Macroeconomic Policy and Data Transparency
• Financial Regulation and Supervision
• Incl. Core Principles for Effective Banking Supervision -> BCBS, as seen previously

• Institutional and Market Infrastructure



Regulation: what are the requirements for banks?

Let’s use a more tangible view:


(important: this only represents a partial view … but it contains those parts we need to work with looking at our target ‘Web 3’)

Source: HKMA/KPMG

Regulation: what are the requirements for banks?

Detailed view / breakdown:

Source: HKMA/KPMG

RegTech: streamlining fulfilment and reporting

Historically, many supervisory processes were


• manual and slow
• silo-ed within the different risk and compliance categories
• disconnected with regards to the market participants
• often even only sampled and not complete

For modern times (higher volumes, faster execution, digital systems), this is not sufficient anymore.

RegTech (incl. SupTech) is the use of technologies that enhance efficiency and/or the
effectiveness of risk management and regulatory compliance – through
• Automation of monitoring and reporting, reduction of human error
• Connectivity between market participants
• Standardisation of rules and how to audit according to them
• Developing new methods to analyze and predict potential issues
• Improved cost/benefit ratio for supervisory initiatives

RegTech: streamlining fulfilment and reporting

RegTech is a contributor to the transformation of Risk & Compliance


• the target state is represented by a ‘one system – all goals’ view

RegTech: streamlining fulfilment and reporting

RegTech is paving the way for ‘new’ benefits that were not achievable
before:

Source: ADB

RegTech: streamlining fulfilment and reporting

Regulatory compliance lifecycle


• the regulatory landscape is constantly changing – across the globe
• a sound process to identify and include new requirements is key

RegTech: streamlining fulfilment and reporting

Areas of application

Source: FSB

RegTech: streamlining fulfilment and reporting

Usage of tools and Technology


• results from an FSB Survey:

Source: FSB

RegTech: streamlining fulfilment and reporting

Generations of tools and Technology

Source: BIS

RegTech: streamlining fulfilment and reporting

How and where can Artificial Intelligence help?

Source: HKMA/KPMG

RegTech: streamlining fulfilment and reporting

Key Barriers of AI adoption:

Talent and relevant skillset shortage:


• Talent and relevant skillset shortage has been identified as a significant barrier to
Regtech adoption. AI is a fast-moving topic, and developments in AI-related skillsets
are constantly progressing. Emerging domains that require innovation – such as
AI-enabled Regtech – are still experiencing a large skills gap.
Data availability and quality:
• The effectiveness of AI applications depends on the availability of high-quality,
diverse, and dynamic datasets. Banks should therefore have the right data
infrastructure in place (e.g. a data lake hosting data from multiple source systems)
to ensure that all the relevant internal and external data are available and current.
Poor data quality has a direct correlation to inaccurate and biased results.
Adoption of Cloud computing:
• Cloud computing provides the data storage capacity and massive processing power
that are fundamental to AI innovation. Many AI-based Regtech solutions available in
the market are also cloud-based.
Source: HKMA/KPMG

RegTech: streamlining fulfilment and reporting

Key Risks of AI adoption:

Data Privacy and right of use:


• AI-based Regtech solutions are reliant on the ingestion of vast amounts of data to train
models and detect patterns. Regtech solutions may involve personal data. Related
data privacy risks include:
• More data are collected than required
• Data are used for purposes other than specified
• Data are stored and transmitted insecurely
• Risks of discrimination and profiling

Accuracy and reliability:


• While some AI models can make judgements/decisions with minimal human
interference, outputs can be biased and can lose accuracy over time. In addition, AI
model performance will degrade over time due to various reasons, such as when
previously unseen data become available, or variables and parameters change
triggered by a change in the business and upstream data changes.

Source: HKMA/KPMG

RegTech: streamlining fulfilment and reporting

Key Risks of AI adoption:

Explainability:
• While AI-based solutions offer significant automation opportunities, there is a major risk
for the growing AI sophistication, i.e. explainability. The lack of understanding of how
AI-based solutions work to produce output is also referred to as a “black box” risk.
AI-based Regtech solutions should contain adequate measures to ensure an appropriate
level of transparency and explainability commensurate with the materiality of the
solutions.

Source: HKMA/KPMG

Risk Management: Overview

Why do we need Risk-Management?

The financial crisis in 2008 originated in part from major weaknesses
in risk assessment and risk modelling, namely:
• misleading ratings from rating agencies
• unrealistically simple risk models, i.e., models that were not designed
to deal with the complexity of structured credit products
• inaccurate data
• short-term financing with too little consideration for liquidity risk

This triggered an overhaul of the requirements for risk management in
banks as well as their supervision.

Risk Management: Overview

The re-invention of risk management

With new guidelines and standards, financial authorities around the
globe have emphasized the importance of
• identifying, evaluating and minimizing ALL foreseeable risks
• demanding a provisioning of capital in banks to cover losses from
materializing risks
• tightening the supervisory scrutiny
• creating and expecting a market discipline to emerge among market
participants

Risk Management: Overview

The re-invention of risk management

Example: a major part of the BCBS and FSB requirements is aimed at
internal improvements of risk management.

From the foreword of the ‘Core Principles for effective banking supervision’:
The revised Core Principles strengthen the requirements for supervisors, the
approaches to supervision and supervisors’ expectations of banks. This is achieved
through a greater focus on effective risk-based supervision and the need for early
intervention and timely supervisory actions. Supervisors should assess the risk
profile of banks, in terms of the risks they run, the efficacy of their risk
management and the risks they pose to the banking and financial systems. This
risk-based process targets supervisory resources where they can be utilised to the
best effect, focusing on outcomes as well as processes, moving beyond passive
assessment of compliance with rules.

Risk Management: Overview

The Basel Framework works with three pillars:



Risk Management: Overview

Some views onto the Risk Universe

Source: HKMA/KPMG

Risk Management: Overview

A high-level view onto the Risk structure:

• partially depending on the (financial) behaviour of counterparties and markets
• mostly depending on controllable behaviour of the internal organisation and management of external partners
• external factors and assessments

Source: Deloitte

Risk Management: Financial Risk

A taxonomy of financial risks:

For a particular product or service, the next level details will be listed and analysed.

Source: Article

Risk Management: Non-Financial Risks

A detailed view onto the Non-Financial Risk structure:

risks to be looked at in Web3 context

Source: Deloitte

Risk Management: Non-Financial Risks

Non-financial Risks: Measuring and Monitoring

Source: Deloitte

Risk Management: internal organisation

A de-facto standard is the organisation of risk management into 3 parts:

Source: IIA

Readings
Pre-Reading:
• https://www.adb.org/sites/default/files/publication/820686/regulatory-technology-ecosystems-asia-financial-stability.pdf

Sources from Slides (not all are fully relevant, please see for yourself if the content is
interesting/helpful to you):
• https://www.hkma.gov.hk/media/chi/doc/key-information/press-release/2020/20201102c3a1.pdf
• https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2020/20201102e3a1.pdf
• https://www.bis.org/basel_framework/index.htm?m=2697
• https://www.bis.org/basel_framework/index.htm?export=pdf
• https://www.fsb.org/work-of-the-fsb/about-the-compendium-of-standards/key_standards/
• https://www.fsb.org/wp-content/uploads/P091020.pdf
• https://www.hkma.gov.hk/media/chi/doc/key-information/guidelines-and-circular/2022/20220718c1a1.pdf
• https://www.hkma.gov.hk/media/chi/doc/key-information/guidelines-and-circular/2022/20220428c1a1.pdf
• https://www.bis.org/fsi/publ/insights19.pdf
• https://www.mdpi.com/2227-9091/7/1/29/htm
• https://www2.deloitte.com/cy/en/pages/financial-services/articles/non-financial-risk-management-framework.html
• https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf
