Sat, Oct 20, 2018

The New Systemic Risk: Adoption of New Technology and Reliance on Third-Party Service Providers

A new form of systemic risk, largely a result of the increasing reliance on service providers and use of the cloud to support financial institutions' critical infrastructure, has emerged, and this has caught the attention of regulators worldwide.

The issues regarding systemic risk, largely centred on "too big to fail", have become less of a focus for regulators after nearly a decade of intense supervision, with new regulations designed to ensure that global systemically important financial institutions (G-SIFIs) do not collapse overnight or operate on thin capital.

The adoption of new financial technology (fintech) and regulatory technology (regtech), the emergence of non-financial entrants into a financial services sector which used to be the sole prerogative of banks, the increasing reliance on third-party service providers and the use of the cloud have all introduced new risk to the financial system.

As the financial services sector moves toward increasing digitalization and the internet of things, the financial system becomes increasingly connected, said Kevin Nixon, founder of Nixon Global Advisory in Sydney. The regulatory community needs to intensify work that looks at the potential systemic risk posed by new technology, he said.

"Systemic risk is best characterized not by size but connectedness. As the world becomes more connected, it increases systemic risk. The more points of connectedness there are, the more points of vulnerability because the chain is only as strong as the weakest link. I personally am of the view that new technology could pose a systemic risk to the financial system. The question is how best to manage that system risk without compromising innovation," he said.

Regulators Increasingly Concerned

The extended enterprise of financial services, which can refer to third-, fourth- or fifth-party service providers, including using fintech firms as in-sourced or out-sourced providers, and the adoption of regtech solutions amongst financial institutions have all opened up new vulnerabilities for the banking sector, said Keith Pogson, senior partner, financial services at EY in Hong Kong.

"It is not about 'too big to fail' anymore. The vulnerability has moved. The concept of G-SIBs and D-SIBs is increasingly outdated. It is these new systemic risk concentrations which regulators are increasingly worried about now," he said.

Regulators are increasingly concerned about financial institutions' over-reliance on service providers to support some of their critical infrastructure, the widespread use of the cloud, and the fact that too many financial institutions are, for instance, using the same cloud providers, Pogson said.

"Regulators are worried about whether there is too much use of the cloud or whether financial institutions are all using the same cloud providers. What if one of the cloud providers blows up? That is where systemic risk concentration comes in," he said.

The failure of a cloud provider would be catastrophic not just for the financial industry, but the entire economy as well, said Paul Jackson, managing director, APAC lead, cyber risk at Kroll in Hong Kong. Cloud service providers would need to undergo security and stress-testing to ensure that they are resilient, he said.

"It is something which risk managers at banks need to be part of. They need to be sure there is a back-up plan in place. It needs to be looked at from a business continuity point of view. Banks need to examine the factors in the entire cloud environment," he said.

Hong Kong Regulators Recognise New Systemic Risk

Recent statements from top officials at the Hong Kong Monetary Authority and the Securities and Futures Commission of Hong Kong pointed to similar concerns. Pogson said this shows that regulators are beginning to recognise the existence of systemic risk concentration which will require them to review their regulatory parameters.

"Regulators have to go via the banking system to provide new governance structures and tools to deal with this issue. The U.S. and UK regulators are calling this 'resilience'. What they are alluding to is the resilience of the service providers both in terms of the services provided and also around data protection," he said.

BCBS Yet to Address New Systemic Risk

But in reality, the systemic risk concentration created by the adoption of new technology has not been fully addressed, Pogson said. While a number of jurisdictions have undertaken efforts to address this new form of systemic risk, no solution has yet been proposed by the Basel Committee on Banking Supervision (BCBS), he said.

"Regulators are still working on this topic. At the heart of it is the topic of regulatory construct. Regulators will be looking into a number of issues such as how they are set up to regulate, and to regulate what. What processes do you have? And over whom?" he said.

Areas to Think Through

Nixon pointed to a number of areas which need to be thoroughly thought through, including whether existing regulations can apply to new technology, as well as data security and privacy concerns. For instance, regulators would need to ask whether a new technology like the cloud is any different from physical outsourcing when considered from a risk and regulatory perspective, and as such whether existing outsourcing rules will still be relevant.

"Outsourcing rules are designed around physical infrastructure so that your own servers aren't processing but your service providers are. Traditionally when you outsource you still have physical servers but with the cloud, you don't have that. Cloud is great for data storage, accessibility, and computation but you need to ask what is the risk and does it pose systemic risk? Cloud does not necessarily pose systemic risk but you need to ask questions. With cloud, do you need new regulation or do existing regulations suffice?" he said.

Nixon said cloud providers should be subject to regulation given that they are providing critical infrastructure of a systemic nature to financial institutions.

"The question is what sort of regulations should cloud providers be subject to. Part of the problem is that the answers aren't there yet in terms of how we should go about regulating them but the technology and its use are already there. There is a need for quick thinking around it lest we stifle innovation," he said.

Challenge: Managing Risk in an Increasingly Connected Digital World

While the easiest way to stop systemic risk from growing in the global financial system could be to stop innovation, innovation provides many benefits and connectedness continues to take place, which requires the issue to be carefully thought through, Nixon said. The challenge therefore lies in managing risk in a more connected digital world, particularly when new entities and new ways of providing financial services are developing rapidly, he said.

"We have had a very static system where traditionally licensed banks take deposits and give loans. Now you have new ways of doing things and new entrants being more active in the financial system. There hasn't been a definitive regulatory position developed but a lot of work is taking place to understand the risk factors provided by new technology," he said.

Security: A Major Factor to Consider for New Financial Products

Amid new fintech solutions, cryptocurrencies and new ways of providing financial services, security will be a major factor, particularly for the players who are bringing new products to the financial market, Jackson said.

"It's a race to the market with new innovations. We have to make sure that security is part and parcel of this whole development process. The way is to have security enhanced. The APIs and mobile apps, for example, need to be tested for security right from the outset. They need to build security culture around the development cycle of the technology," he said.

Human Factor Needs to be Considered

Jackson also pointed out that risk does not lie in technology alone; the human factor needs to be considered as well. Banks communicating through encrypted mobile apps like WhatsApp and WeChat will inevitably attract criminals' attention and will be used for committing crime.

"When technology is being used, you can guarantee that criminals will think about how they can trick the users. They will look at it in a completely different way. Banks also need to think that way. Banks may think that here is a new technology which customers will love, but there may be gaps in the technology or the business process which criminals can leverage to commit crime," he said.

This story was first published on Regulatory Intelligence, Thomson Reuters