Regulating Fintech

Thoughts on the various regulatory approaches and some considerations

Hi all - This is the 13th edition of Frontier Fintech. A big thanks to my regular readers and subscribers. To those who are yet to subscribe, hit the subscribe button below and share with your colleagues and friends.

Introduction

This week I cover a dryer element of the overall Fintech space - regulation. Recent regulatory actions both in China and Nigeria have shown that Fintechs, banks and any other entities playing within this emerging space needs to have an eye on regulation. The perfect phrase for regulatory actions that stem out of the blue was captured by Eugene Wei as “invisible asymptotes” i.e. actions or events that can significantly derail your business and are unpredictable. Marc Rubenstein in his must read newsletter says that “Greater regulatory scrutiny represents an invisible asymptote for startup fintech companies. Once they get to a certain size it matters more”. One of the main issues within the African fintech ecosystem is that there’s a two-speed dynamic at play. On one hand, innovators are moving at the speed of light to create new customer propositions; and on the other hand, regulators are moving much slower to issue clear guidance and regulations to govern the space. When they do, the attitude is more akin to “kill it before it starts moving”. 

In my experience, when you’re bringing new products into the market, it helps to have a sense of empathy with regulators and understand the key factors they look at and think of when issuing regulation. It also helps to align your product with existing regulations from other markets because often regulations tend to align to global or regional norms and practices. One example is the Central Bank of Kenya’s regulations on mobile money and e-payments which have been rapidly adopted in the region in countries such as Uganda, Tanzania, Burundi and Rwanda.

I will look at first; what are the main goals of a regulator?, what risks are they trying to mitigate?, what are the emerging challenges with Fintech? and what are some of the approaches being taken globally as regards Fintech regulations?. Finally, I will touch on some areas that I think regulators need to pay attention to although I know they are fully cognisant of them.

Main Objectives of Regulators and Different Regulatory Frameworks;

I hate to bust your bubble but regulators are not here to foster innovation. It is usually a well worn item on most regulator websites, but often innovation ranks quite low on their priorities. At the heart of regulatory interest are the following fundamental elements not ranked in any particular order;

1. Ensuring financial stability;

2. Ensuring the integrity of the financial system;

3. Consumer protection;

4. Monetary stability;

5. Protecting against concentration of market power;

6. Enforcing KYC/AML and anti-terrorism financing;

Regulators are powerful bodies that set and enforce rules to guide the proper functioning of the financial system. As government entities, at the core of their mandate are key themes such as national security and sovereign interests. It is always key to remember this fact, those who don’t should be reminded of Marie Antoinette and her famous last words. 

The famous words were uttered by Marie Antoinette after learning that people could not afford to buy bread. The price of bread in 1789 had risen to 88% of a typical labourer's wages.

Maintaining stable prices, managing the swings in the capital account and ensuring that money doesn’t land into the hands of terrorists are central to a regulators’ mandates. Governments at core are built around propagating and ensuring their survival and survival often is a negative art driven by questions around what not to do rather than what to do. In the words of Chadlie Munger “All I want to know is where I'm going to die so that I'll never go there". Conservatism is thus deeply embedded into a regulators’ ethos.

In Africa it is even made more complicated by the presence of not only terrorism groups but also rebels and armed opposition groups. In many countries in Africa, regulators are strict against electronic payment methods particularly within the remittance domain largely due to the chance that rebels and opposition groups can receive payments.

Having established some of the core considerations that regulators have, it’s worth turning our eye towards another aspect of regulation that in the coming years will receive significant attention. This is the structure of regulatory bodies and whether they are consolidated or dispersed. Most regulatory bodies were formed when financial markets were clearly demarcated. Banking, insurance, capital markets and pensions all had clear market demarcations with different dynamics in each segment. 

Nonetheless, most business models merged with time and financial super-market business models formed. Banks and other financial institutions formed conglomerates that ventured into each vertical within the financial sector. Globally, regulators noted the interconnectedness of the financial sector and noted that systemic risk within one sector can easily spread into the next. A move towards consolidation of regulatory bodies unfolded with countries like Germany and Sweden having complete consolidation.

In most African countries, regulatory oversight is dispersed. Central Banks tend to regulate banking and payments, insurance regulators oversee the insurance sector and often there is a separate pensions and capital markets body. It’s critical to keep tabs on the level of consolidation within the regulatory space in Kenya, Nigeria, Ghana and South Africa because my view is that this will be a drag on the speed of innovation within the Fintech space in these countries. 

What is the challenge in regulating Fintech;

The diagram below from the Financial Stability Institute gives a good overview of Fintech and the regulatory perspective. In essence, new emerging fintech activities are taking place and are enabled by underlying technologies such as Blockchain, cloud computing, APIs and Artificial intelligence. The policy enablers are the regulatory activities that will enable these products and activities to grow.

Source: Financial Stability Institute

The main challenges around regulating the fintech space can be summarised as follows;

1. Transaction monitoring - due to the global nature of Fintech and the high volume of transactions that occur on Fintech platforms, transaction monitoring can be a challenge. Additionally, global connectivity enables money to be sent easily across the world thus posing a challenge for anti-terrorism financing and money laundering;

2. Significantly high disintermediation - In a recent post, I talked about how wallets start with one functionality say P2P payments and slowly add additional functionalities with a view of increasing revenue per user. This often involves moving into new segments such as wealth management, insurance and lending. In such instances, with dispersed regulatory bodies, it’s difficult to mark the perimeters of the relevant regulatory bodies;

3. Lack of reliable information as to market structures and participant company structures - given the novelty of most business models, regulators often don’t know how to regulate a specific activity because the risks are not yet apparent;

4. I also think with the high levels of VC capital sloshing around, traditional methods of evaluating business models and profitability may run counter to the operational realities of these companies. A number of neobanks are yet to achieve profitability almost 6 years after founding but are well capitalised - how does this fit into the regulatory toolkit where its a requirement that market participants be profitable ongoing concerns;

5. Regulatory arbitrage - there is the risk of creating regulations that favour new participants over incumbents or vice versa;

In addition to these challenges, there are some core risks that Fintechs present;

1. Cyber-security risks - of course this is not specific to Fintech largely because existing financial institutions have had glaring incidences of cyber-theft. Nonetheless the purely digital nature of Fintechs exposes customers to risks of data theft and security breaches. This despite the fact that most customers don’t think too much about data theft.

2. AML/KYC Risks - Already previously described;

3. Third party reliance - there is a risk of increased reliance on some key third party providers such as AWS and Stripe for payment processing. Critical infrastructure like this presents serious risks in the event of failure;

4. Enhanced cyclicality and market runs - particularly for neobanks and robo-advisors, the threat of cyclicality and herd behaviour is amplified due to the ease of processing transactions. The recent events with Robinhood and Gamestop are a case in point. In the event of a bank run, clients can withdraw all their funds in seconds thus causing market wide liquidity issues - particularly if current Fintechs scale to the levels of incumbents;

5. The threat of winner take all markets occuring in critical areas - Technology tends towards winner take all economics. M-Pesa is a prime example locally. Winner take all markets in industries such as retail banking, insurance and asset management pauses risks around overall financial stability. In China, Alipay and Wechat are now at the crosshairs of regulators and I think this is driven by the serious threat they pose to the sovereignty of the PBoC. They could easily launch vouchers, badges and other digital widgets that act and are accepted as currency;

6. Adverse selection - often in the case of lending marketplaces, there is the risk that fintechs grow lending without due concern about the type of assets they are creating given that they sell these loans to investors or originate for a third party. 

7. Exchange rate stability - particularly in Africa, exchange rate stability is a core issue. Remittance fintechs and cryptocurrencies could cause exchange rate instability at scale if the net operating position is over the long-term negative i.e. capital outflows exceed capital inflows. This is also the case with apps that enable local investors to invest in foreign assets;

What are some of the approaches being taken;

In light of these risks and challenges - regulators across the world are taking various measures which can be summarised into four categories; Wait and see approach, test and learn approach, innovation facilitators and regulatory and legal reform;

1. Wait and See approach - In this approach, the regulator permits new fintech activities to spring up and actively monitor the market as they build their capacity. With time, the regulator could slowly introduce new relevant regulations over time. This works best where there is a clear benefit for the technology to be introduced and there is a collective need to understand the business model and underlying risk factors. This model has been used before in China within the payment space where the regulators let Alipay and Wechat pay run amok before reining them back in. It also explains the M-Pesa approach although “no-objection” letters may not be legally viable in some jurisdictions.

2. Test and learn approach - This is meant to be an agile approach in the sense of rapid feedback loops and continuous adjustments. The regulator in this case gives permission in specific contexts for different products and business models to emerge. It gives the regulator the ability to understand the business model and its risk before applying any regulatory strategy. It’s a bit like the wait and see model in that regard and is not meant to be used indefinitely. The extensiveness of the frameworks have differed from market to market. A drawback is that this approach is useful in a small markets but can become difficult to scale where there are multiple market participants - Also the complexity and skill sets within the regulator is critical. More capable regulators can handle this approach better;

3. Innovation Facilitators - This runs the full gambit from sandboxes, accelerators and incubation hubs. 

   1. Innovation hubs are mostly a central point of contact to streamline queries and provide regulatory support, guidance and clarity to new operators in the market. The support does not include testing. It’s a very useful concept where most fintech innovators are young and largely come from outside the industry they’re disrupting. Hand holding by the regulator can be very useful in this case;

   2. Regulatory accelerators - More partnership focused between fintechs and regulators. This is typically complex to monitor and execute where there are limited resources both financially and in terms of skill;

   3. Sandboxes - this is the most common innovation facilitation mechanism and was recently unveiled by the Capital Markets Authority of Kenya. Sandboxes are a controlled live environment defined by regulators that allows innovators to test out products on a small scale. The products in this case need to be already built. Sandboxes are useful where there is no existing regulatory framework for the proposed product. It is important that there is a vibrant and mature entrepreneur ecosystem for a sandbox to work. Nonetheless, there is little evidence of Sandboxes producing viable enterprises or business models globally. It’s not clear what criteria regulators use to determine the viability of a business model and whether it’s their place to even determine viability;

4. Regulatory Laws and Reforms. This refers to the introduction of new laws or licenses to govern Fintech activities. The laws are both overarching and product specific in response to innovative firms or businesses. It usually includes special charters or Fintech licenses. Hong Kong has issued a virtual bank license and Mexico has a Fintech license. Singapore has also come up with two licenses; Digital Full Bank (DFB) License allowing licensees to provide a wide range of services as well as to take retail deposits and  Digital Wholesale Bank License that allows licensees to serve small and medium size enterprises and other businesses but not accept deposits in Singapore dollars from individuals. The regulation allows for “phase-in” approach where the licensee starts with a restricted license. The key restrictions are that licensees have to have Singaporean shareholders and headquartered in Singapore. In Australia, you can conduct limited banking for two years without being subject to the full set of prudential requirements - In the UK, the Prudential Regulation Authority and FCA established New Bank Start-up Unit to provide information and support to potential applicants for a bank license. 

Some considerations for Regulators particularly in Africa;

1. Regulators really need to accelerate their efforts around digital identity verification. In principle, most digital identity systems enable data storage in line with existing requirements. However, new regulations should cover emerging aspects such as live video interviews and liveness detection as opposed to physical KYC being a requirement. In principle, physical KYC is not demonstrably safer or more robust than say live interviews. If anything, live interviews can be stored for future verification. Additionally, new regulations can cover aspects such as how regular these interviews need to be conducted;

2. At a governmental level, I think it's important that a discussion around consolidating regulatory authority starts. My view is that financial institutions in five years will be more comprehensive and existing demarcations around regulatory oversight will prove cumbersome and be a drag to the economy at large. The main aspects of this larger authority should be competition, consumer protection, insurance, asset management, wholesale and retail banking as well as potentially pensions;

3. Regulators should embrace tech in a much deeper way. My perspective is that all financial institutions that fall under a regulator should connect to the regulator for real time audits, KYC checks and transaction monitoring with dashboards at the regulator level that show the real time situation across financial sector participants. This requires significant investment and re-skilling but I think it’s fundamental. In the case of digital identity verification and updating KYC databases, this live integration could prove very useful for monitoring and enforcement;

4. As regards to overall manpower - it would be useful for regulators to recruit outside industry. In the past, revolving doors between industry and regulators has caused a cosy relationship that defeats the purpose of having a regulator in the first place. With increased use of technology, regulators need to recruit from diverse industries particularly as concepts such as embedded finance take root;

5. At a continental level, there is a need for regional level engagement on regulatory sandboxes, a multi-jurisdictional sandbox. In addition, closer regulatory engagement in terms of best practices. This is already in place in most cases and ultimately local considerations differ vastly in Africa.

6. Potentially with modern tech stacks, regulators need to define redundancy measures and vendor policies so as to avoid single point of failure risk;

7. Ultimately, regulators need to be cognisant that the current technology environment could create a bi-polar world. On one side will be countries that attract investment and are part of a tech driven global community and on the other hand are laggards playing catch up. In as much as there is risk and regulators are not incentivised to drive innovation, failing to do so could have multiplier implications. We have seen this in the US with states such as Miami that are crypto-friendly benefitting significantly from their regulatory stance and attracting start-ups. 

Note that I have deliberately not mentioned crypto regulation largely because I think there is a fat chance of having any crypto-friendly regulation in Africa in the near future. It is an extreme long shot. 

It will be interesting to see where Fintech regulation in Africa goes. Hopefully market friendly regulation can spring up driven by closer engagement between regulators and Fintechs.

As always thanks for reading and drop the comments below and let’s drive this conversation.

If you want a more detailed conversation on the above, kindly get in touch on samora.kariuki@gmail.com;