Excerpts from speech by Prof Joachim Wuermeling, member of the Executive Board of the Deutsche Bundesbank, at the Banking and Corporate Evening (Banken- und Unternehmensabend), München, 23 May 2019.
Digitalization is about to bring about a fundamental transformation of the financial markets. So it can’t be a matter of blocking or preventing developments. Instead, it should be the task of legislators, supervisors and market participants alike to shape these developments.
As you might have guessed already, we at the Bundesbank take an overall positive view of digitalization. Established banks, fintech firms and other enterprises are all in the process of transforming technologies into innovations. In economic terms, this is resulting in productivity gains, growth, improved competitiveness, a more robust economy and, last but not least, greater prosperity. It is also enhancing the stability of the euro.
As a supervisory authority, we want to monitor these developments in a constructive way because, ultimately, they promise cost-saving opportunities as well as new earnings potential for individual institutions. But of course, as a supervisory authority, we are also keeping a close eye on the inherent risks. I see no contradiction here. Quite the contrary: when it comes to innovation, getting a handle on the risks it poses is key. In 90 years of banking supervision, this has always been the case.
We should not simply equate innovation with novel financial products or processes that provide no added value in the long run. Innovation needs to be a package deal. Tackling digital risk is an enormous challenge. I believe that this can be put down to three key factors.
First, there are new types of risk. Traditionally, banking supervisors focus on capital and liquidity. And that will remain the case for new types of risk – in IT, for instance. However, simply wanting to hold sufficient capital to counter any and every new risk has its limitations. For example, how can a server outage of several hours, with all its ramifications, be expressed in terms of financial risk? In many cases, there is no historical parallel or other benchmark for such matters, but there still exists the need to come to grips with such risks.
Furthermore, there are what are referred to as “unknown unknowns” – risks whose existence may remain entirely undiscerned until the first time they cause an incident. With that in mind, banks are now employing innovative technologies such as advanced analytics in certain data-intensive areas, which examine large data volumes for anomalies and help staff identify the very existence of certain risks in the first place.
Second, we are faced not just with new risks but also with a shifting risk landscape. As long as digital services, hardware and software keep constantly evolving and the complexity of processes and software generally goes on increasing, there will be technology that is prone to disruption. Furthermore, people make mistakes or deliberately exploit weaknesses. IT risks therefore remain a moving target for the supervisory authorities.
Digitalization is a moving target for both enterprises in the financial sector and for the supervisory authorities. In the past few years, we as a supervisory authority have responded to the increased significance of IT-related risks and specified our requirements more clearly. Knowledge of IT risks needs to be updated constantly. Information sharing between supervisory authorities across national borders has become a major factor, and knowledge management is becoming a key task in this regard.
Added to this is the fact that issues have increasingly taken on an interdisciplinary dimension. To put it loosely, when it comes to some topics, it is no longer possible for a single person to make a comprehensive assessment. Supervisory authorities, much like the institutions themselves, need to combine legal, economic and technical expertise in order to evaluate, say, the technology-intensive business model of an enterprise.
A third aspect is also contributing to the challenging environment. New enterprises have joined the market – mainly fintechs and bigtechs – which often provide just one of the process steps that make up a banking service (customer onboarding or credit scoring, for instance) or technical support processes (for mobile payments or for general cloud services, for example) in partnership with banks. As a result, the boundaries of the sector have become somewhat blurred.
Many of the new players are not licensed as banks, financial service providers or payment institutions, but may be involved at key stages in processes or the market structure as a result of outsourcing or other forms of cooperation. This is all leading to a more complex competitive landscape and new forms of cooperation which, of course, can give rise to new and additional risks. More generally, this raises the question of how far the legal framework can keep pace with the transformation of the financial sector.
The first thing we should note is that the long-established legal framework has remained very largely the same despite the changes the sector has undergone. Much of this is due to the prevailing regulatory approach in Germany and Europe as a whole. This stipulates that the legal requirements do not apply to particular types of enterprise, but to specific business activities with a direct bearing on the risks that financial supervisors deal with. The norms can still be applied to innovative products and business ideas by looking at precisely how the enterprise’s business idea is supposed to work and how it fits into the legal framework. It doesn’t matter in this context whether an enterprise calls itself a “fintech”, “bigtech” or “established financial institution” – nor what technology it uses.
Formulating abstract requirements and standards instead of detailed technical rules has helped ensure the stability of the supervisory framework. It goes without saying that the IT requirements have become more diversified and more clearly defined over the last few years, but even so, they are formulated generically – and for good reason. Since technologies and applications differ over time and from bank to bank, standards need to remain applicable and instructive in every case.
So how does the legal framework interact with the economic realities in this situation? Outsourcing activities are a key case in point when considering this question. Banks outsource certain processes to external service providers. From a banking supervisory perspective, the rules are clear. External providers that do not themselves perform business subject to the supervisory rules do not fall within the scope of regulation.
It is the supervised institutions that bear full responsibility for any risks arising from cooperation with an external service provider. Examples of such risks are a potential default by the external service provider, or the possibility of reputational risk. The institutions must ensure that the risks remain manageable – for instance, by including relevant terms and conditions to this effect in cooperation agreements and by considering from the outset how they can keep their business up and running if the partnership is terminated unexpectedly.
So this sums up the conditions de jure. But are they always appropriate to the economic conditions?
Depending on the individual case, the picture can be very different. Where credit institutions work with large technology firms, such firms’ negotiating power might be so large, for instance, that institutions have difficulty effectively imposing their conditions on their contracting partners for the service being provided. You might call this “the tail wagging the dog”. We also have to make sure that it does not make sense to outsource certain tasks simply because you can afford to be more relaxed about dealing with the resulting risks outside the regulated enterprise.
The more the boundaries between sectors are blurred and the more intensively banks work with non-licensed enterprises, the more relevant discussions like this will become. My personal view is that we should discuss to what extent we might take a closer look at supervising individual activities – activity-based supervision – in addition to entity-based supervision. I am thinking here, for instance, about services provided by insourcers of a certain size and importance, such as cloud service providers. However, this would have significant repercussions – not least for supervisors.
We are still in the early stages of this debate. In any case, the entity-based supervisory approach should remain unaffected. We cannot start to define areas where an institution is relieved of its responsibility for risks that ultimately affect its own services. This would pose a problem not just from the point of view of effective supervision, but also in regulatory terms.
I also see a European dimension here. Europe is already pressing ahead with regulation for issues emerging as a result of digitalization. I am thinking, for example, of the EBA’s recently issued guidelines on outsourcing arrangements. The Bundesbank and BaFin helped to draft these guidelines. Looking further ahead, I would like to see the European stakeholders set the right course for the overarching framework of digitalization.
First, cross-border business will be even more relevant in the digital age. A key concern for banks and fintechs is that their innovative products and services can be rolled out across Europe straight away. Here, the EU should focus on counteracting any national fragmentation of regulation in its early stages. This is also important for Europe’s global competitiveness in areas such as artificial intelligence, blockchain technology, video identification or even issues relating to competition law.
Second, the EU could set its sights on objectives beyond strengthening the single financial market. Regulatory issues brought to light by digitalisation often also have a more far-reaching impact. For instance, the framework for using artificial intelligence also raises ethical questions. Considering topics from various angles appears to be something the EU is good at – in any event, EU regulation is often seen as being very well balanced from outside the European Union. Other countries and jurisdictions have already chosen to model their own projects on the European Data Protection Regulation. I therefore see a very real chance that the EU could end up playing a leading role in developing the rules for the digital financial sector.