Opportunities, risks and challenges: considering financial regulation and technological innovation - Gerry Cross, Director, Financial Regulation – Policy & Risk

26 March 2019 Speech

Gerry Cross

Remarks delivered at Funds Europe, European FundTech Lab event

I would like to thank Funds Europe for inviting me to speak at today’s event.

The mission of the Central Bank is to serve the public interest including by working to ensure that the financial system operates in the best interests of consumers and the wider economy. We recently published our Strategic Plan for 2019-2021. In that we identify five strategic objectives for the Central Bank: strengthening resilience, strengthening consumer protection, Brexit, engaging and influencing, including of course in Europe, and enhancing our organisational capability.

Running through these strategic objectives is the issue of technological innovation and its implications for financial regulation. Specifically we say that we will identify and act upon the emerging risks, opportunities and challenges presented by financial innovation (Fintech) and the rapidly evolving technological landscape within which we, and the regulated firms and individuals that we supervise, operate. And that is what I would like to say a little about this afternoon: technological innovation, its risks, opportunities and challenges, seen from a financial regulatory perspective.

Before turning to that question, I mentioned that one of our Strategic Objectives for the next period is preparing for and responding to the challenges of Brexit. I don’t want to say much about this topic today as I could not do it justice in a few short lines. I would refer you however, if you wish to know more about the Central Bank’s views on this, to the Opening Statement of Governor Lane to today’s hearing of the Oireachtas Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach; to the transcript of a recent interview by Deputy Governor Ed Sibley with the Irish Independent and available on our website1; and to the recent speech by Deputy Governor Sharon Donnery at the Institute of International and European Affairs2. These discuss the challenges of Brexit, including it’s potential impact on the economy, the long-running preparations and planning by the Central Bank to be ready for it, including for the risk of a no-deal Brexit, and the significantly increased resilience of the financial system as a result of the changes and improvements of the past ten years.

Risks, Opportunities and Challenges

Now I would like to speak a bit more about why we have elevated our focus on innovation and technology. Simply put, new technologies mean new risks, that we, as a regulator, need to understand, be prepared for, and respond to. At the same time, new technology also means new opportunities, for customers, for firms, and for the Central Bank as a regulator. We inform our focus on the risks with considerations of these opportunities. And to do all this, we must be cognisant of the challenges involved for all participants in the financial services ecosystem. So, risks, opportunities, challenges.

As financial firms, and the financial system, become ever more data-driven and its customer interface ever more technological, new risks arise and old risks manifest in new ways. If one thinks of some of the key components of a well functioning financial system – soundness, the prioritisation of consumer interests, trustworthiness, orderly functioning – it is immediately clear the extent to which technological innovation, not strongly and effectively managed, can give rise to risks. To take some examples:

There is the risk, which I and my colleagues have spoken about often, that regulated firms’ IT strategy, governance and risk management fail to keep pace with or remain aligned with their business strategy. IT weaknesses and failures are amongst those risks that we are most concerned about precisely because they go to the heart of regulated firms’ activities while in many cases not having been given the level and quality of governance, risk management, or resilience testing that such functionality requires.

There is the risk that unsuitable products will be sold to consumers. The risk of mis-selling has long been a concern of financial regulation. But new technologies are changing the method of delivery with new types of sales platforms and new modalities of distribution. It is important we ensure these new platforms are not delivering poor outcomes for consumers.

There is the risk that the integrity of data systems becomes compromised with the result that customers personal data comes into unauthorised hands. Or that systems that customers rely on to carry on their day-to-day personal or business activities break down causing disruption and loss.

I could go on . This is just a short list of examples of how technological innovation in financial services is giving rise to an evolution in the risks we think about - both the types of risk and how they manifest. In order to be effective in our mission, we have to understand how risks are evolving with technology. And that is one reason why innovation is an important aspect of our strategic planning for the coming period.

It is not just the risk, however, that we look at. There are of course significant opportunities represented by financial technological innovation. Opportunities for consumers, for the economy, for financial firms themselves. One of our jobs as a financial regulator is provide the framework whereby such opportunities can be realised in the context of a well-regulated financial sector. New services, products and platforms for delivery can reduce costs, improve the user experience and promote financial inclusion and long-term savings. Improvements in data analytics can also increase access to credit and insurance and allow for more tailored products and services. Competition and new entrants can result in new and more efficient methods of payment and lower costs for consumers.

So too for firms. They have the opportunity to benefit from reduced costs, increased efficiencies, and new ways of engaging with the customer. Firms will be in a good position to succeed if they can harness these opportunities while delivering real benefits for consumers and addressing the risks.

And that brings us to the question of challenges related to innovation in financial services. For regulators like the Central Bank, we need to ensure that our approaches to authorisation, supervision and policy-making continue to be high quality and effective as the sector evolves. We need to ensure that our authorisation and supervision teams have the right skills to robustly challenge the firms that we regulate. And we need to ensure that we are harnessing new technologies to most effectively deliver on our mandate. All the while ensuring that we do not unduly inhibit the development of innovation in the sector for the benefit of consumers. Let me say a few words then on some of the work that we have been doing at the Central Bank to ensure that we are well-equipped to address these challenges.

Open and Active Engagement

One important initiative that we have taken has been the launch one year ago of our Innovation Hub. This initiative is designed to do two things: to provide an informal and straightforward mechanism for innovators to engage with the Central Bank on the one hand; and to provide us with a good window onto the innovation that is taking place relevant to the financial sector.

The Innovation Hub is a direct and dedicated point-of-contact at the Central Bank for firms—both start-ups and incumbents—developing or implementing innovations in financial services based on new technologies. It provides an open platform for us to listen to innovators and enhance our sight of ongoing and upcoming developments in FinTech. We use that information to build on our existing intelligence on changes in the financial services landscape.

Just a few weeks ago we published our Innovation Hub 2018 Update, which you can find on our website.3 This details the number (78) and types of engagement that we have seen come through the hub in its first eight months of operation. For example, 86% of enquiries came from unauthorised entities. Payments and RegTech firms were the type of entity that most contacted the hub, but enquiries came from across the spectrum of different sectors. All in all the hub is already showing that it is fulfilling the role we hoped it would including giving us better insight into the activities and perspectives of such innovators.

In parallel with our domestic work in relation to Fin Tech, a lot has been going on over the past year in Europe as well. In particular, together with fellow financial regulators we have been engaged in work in all three of the European Supervisory Authorities (EBA, ESMA, and EIOPA). In January, the ESAs published a comparative assessment of “innovation facilitators” in place at a national level, along with best practices in their design and operation. The report is intended to promote convergence in the design and operation of innovation facilitators and thereby protect the level playing field across Europe. In addition to best practices—with which, the Central Bank of Ireland’s Innovation Hub is very much in step—the report recommended the creation of a European network to bridge innovation facilitators established at the member state level. The Central Bank is supportive of this effort and we look forward to participating in it.

Cryptoassets

One issue related to Financial Technological Innovation that has been the subject of quite a bit of work in both EBA and ESMA over the past year has been that of cryptoassets.

One of the challenges with cryptoassets is to be clear as to exactly what we are talking about. ESMA, in its recent report to the European Commission on the subject4 notes that the term can refer to both virtual currencies and to digital tokens which are associated with initial coin offerings (ICOs).

In the last couple of years the Central Bank has issued warnings or alerts to consumers about the risks associated with virtual currencies and with ICOs. These have reflected similar warnings or alerts issued by the European Supervisory Authorities (ESAs). The risks that gave rise to these warnings include high levels of volatility and risk of loss, the absence of protections associated with unregulated activities, inadequate and/or misleading information, the risk of technological flaws, etc.

Since those warnings were issued work has continued amongst the regulatory community in Europe to consider what more, if anything, might be needed in relation to this area of activity. This work resulted in the publication earlier this year of reports by both ESMA and EBA on the question of cryptoassets.5

Both reports agree that anti-money laundering rules (AML) should apply to all activities involving crypto assets. They recommend that the European framework incorporate the October 2018 Financial Action Task Force FATF recommendations on the topic.6 This would bring “virtual assets” and “virtual asset service providers” into the Anti-money laundering / Counter terrorism financing (AML/CTF) framework.

ESMA was asked by the European Commission to consider the legal nature of crypto assets. In particular whether, and the extent to which, individual cryptoassets fall within the meaning of financial instruments and/or transferable securities, and therefore within the scope of existing financial regulation.

This is a complicated question. Firstly, cryptoassets can take a wide variety of forms. And depending upon this they may or may not fall within the scope of existing legislation and regulation. To the extent that a cryptoasset does fall within existing regulation, then those responsible for its issuance, distribution, or trading are required to comply with the requirements of the relevant regulation. Secondly, there are also differences of approach across the different jurisdictions, both in relation to the interpretation of particular terms and concepts and also in how the issue of cryptoassets is approached.

This gives rise to an important and differentiated set of recommendations. To the extent that cryptoassets do fall within the meaning of transferable securities or other type of MiFID financial instrument then there are a number of potential gaps in the framework and potential for inconsistent approaches given that the frameworks were not designed with these types of assets or technology in mind. ESMA recommends that the European Commission gives consideration as to these aspects and to addressing the gaps identified.

Concerning cryptoassets which do not fall within the meaning of transferable securities or within the scope of existing regulation, ESMA considers that a priority issue to be addressed in addition to the AML aspect is the need to have appropriate risk disclosure aspects in place. These should include disclosure in relation to the issuer, the project, the rights attached to the cryptoasset, the underlying technology, and potential conflicts of interest.

As concerns a wider regime of regulation ESMA considers that there are trade-offs in this regard, in particular as that risks legitimising cryptoassets and encouraging wider adoption. Therefore at this stage ESMA’s advises to focus on disclosure and warning rather than a wider regime. EBA in its report recommends that the Commission should carry out a cost-benefit analysis to consider the trade-offs of a regulatory framework. It also advises that work be done, alongside the work of the Basel Committee to develop an agreed prudential treatment for cryptoassets, to promote consistency in approach in accountancy treatment of such assets. In the meantime a conservative prudential approach should be adopted by supervisors.

Finally under this heading, let me mention that in light of what is discussed above – our warnings to consumers, the high levels of uncertainty, the liquidity and valuation challenges - at the Central Bank of Ireland we do not consider that funds authorised for retail investors, in particular UCITS, should at this time, provide exposure to cryptoassets notwithstanding that the fund is managed by a professional investment manager. We are not convinced that it is possible to cover the risks in the manner necessary for a retail fund. We also note the difficulties for depositaries associated with providing safekeeping where direct investments in virtual currencies are foreseen.

A final thought on this topic. Given the importance of the sustainable finance agenda in achieving European and Global climate change prevention objectives, there is surely a question around the compatibility with that agenda of cryptoassets which make disproportionate draws on non-renewable energy resources.

Outsourcing

I would like to turn now to a topic which has, because of it’s importance in the area of information technology, a direct link to the question of financial technological innovation. But it is also a topic which is enormously important more generally and has a particular importance in the fund space. It is the topic of outsourcing.

We recognise the significant benefits that outsourcing can bring to firms and, thereby, to their customers. Outsourcing can help firms to avail of economies of scale, provide services to global customers on a 24/7 basis and access skills and expertise that may not be available in-house, all the while helping to manage costs.

However, significant risks may accompany these benefits. It is essential, if the benefits are to be realised, that these risks are governed and managed effectively.

Across the different sectors, outsourcing has been an important area of focus for the Central Bank over the recent period. And it continues to be. We have assessed regulated firms’ management of outsourcing-related risks through targeted onsite inspections and through wider thematic reviews. In many cases, significant remediation work has been required of firms in order to provide assurance that risks are effectively managed. As we continue to engage with firms on this subject it has become clear that more work is required.

As a result of this work and in recognition of the growth and evolution of the outsourcing landscape, the Central Bank has more recently embarked on a cross-sectoral review of outsourcing. This has included the completion of a survey of regulated firms’ outsourcing activity and analysis of the findings from our direct supervisory work on outsourcing. The findings from this exercise led to the publication of our discussion paper entitled ‘Outsourcing – Findings and Issues for Discussion’ in November of last year.7

The aim of the paper is twofold. First, it brings together the Central Bank’s findings and observations from our work across different sectors over the recent period and sets out our minimum supervisory expectations around the management of outsourcing risk. Our work in this regard is taking place in parallel with and is fully informed by similar work underway in Europe. We have been closely involved for example in the work culminating in the recent publication of EBA’s revised guidelines on outsourcing.8

The findings set out in our document are concerning; they point to weaknesses involving poor governance and controls around risk assessment and management of outsourcing, inadequate monitoring and reporting, failure to consider outsourced service providers in business continuity planning and testing, and a lack of exit strategies, amongst other weaknesses. This is of concern to the Central Bank, particularly as many of the findings relate to outsourcing arrangements that were deemed critical or important by the firms surveyed. The Central Bank expects that actions required to address such weaknesses are identified and implemented by the boards and management of regulated firms.

Secondly, the paper highlights some of the key risks and evolving trends associated with outsourcing. It seeks to initiate discussion with industry around the challenges presented by these evolving risks and challenges and how they should be effectively managed. The risks considered include; sensitive data risk, concentration risk, offshoring, chain-outsourcing and substitutability. Feedback has been sought from industry on the paper and we are considering the submissions that we have received.

The Cloud

A significant evolving feature of outsourcing is the continuing increased use of Cloud Service Providers (CSPs). The use of CSPs brings benefits to regulated firms, such as access to specialist skills and technology, scalability and cost management.

However, there is a concern that many firms lack the knowledge and skills to truly understand the service they are receiving and how to effectively oversee it. Such arrangements require careful consideration and planning on the part of regulated firms. Appropriate governance and risk management measures must be in place to ensure that the Board and senior management of regulated firms can demonstrate that risks are appropriately identified, measured, monitored and managed.

Outsourcing to the cloud also raises concerns surrounding location and security of customer and business sensitive data. The nature of many cloud solutions means that data can be segmented and disseminated to different servers in different locations. At any point in time, firms need to have clear visibility as to where their data is and in the event of any disruption, how they would get it back. Firms should also employ strategies to ensure that they are not essentially ‘locked-in’ to a provider and hence unable to switch to an alternative should the need arise. Ensuring appropriate security, resilience, business continuity and exit strategy planning is key when considering outsourcing to the cloud. Regulated firms must always be cognisant that even though they outsource the activity, they always retain the responsibility for it.

Outsourcing and Funds

In addition to the extensive work that has been undertaken in relation to outsourcing on a cross-sectoral basis, I wanted to take this opportunity to say a few words about the Central Bank’s work on this issue for the funds sector specifically.

At the outset, it is important to clarify that under the UCITS and AIFMD frameworks, no distinction is drawn between the terms ‘outsourcing’ or ‘delegation’. Indeed, as set out in the recent discussion paper, the Central Bank is clear that no difference may be inferred where these terms are used. In all cases, whether it is called delegation or outsourcing, it must be subject effective due diligence, appropriate oversight arrangements and good governance to ensure that any tasks not performed by the regulated entity are carried out to a high standard with ultimate responsibility for the function being retained by the regulated entity.

In this regard, the Central Bank has conducted extensive work in relation to Fund Management Company effectiveness – often referred to as the “CP86” body of work. This work involved three separate Central Bank consultations and ultimately culminated in the introduction of some new requirements and extensive guidance for fund management companies. These have been in full effect for all management companies since July 2018. In the coming period, we will be carrying out an important exercise to review how management companies have implemented these requirements, and to consider whether the outcomes sought are being achieved and whether further guidance may be needed.

In addition, in 2016, Central Bank supervisors carried out a review of fund administration outsourcing arrangements. This work was undertaken as outsourcing is a key area of operational risk of almost all large Fund Administrators. At that time, the Central Bank issued observations and recommendations which are to be taken into account by fund administrators when considering outsourcing arrangements. These are now part of our formal guidance for fund administrators on outsourcing and we continue to review the way in which they are applied.

As a final note, consideration of issues in relation to depositary delegation has been underway at the European Securities and Markets Authority (ESMA) for some time. The Central Bank is very supportive of this work as consistent application of the requirements under UCITS and AIFMD for depositaries is critical.

Conclusion

I will conclude here. As a final word, let me reiterate that the Central Bank is openly and actively engaged with innovation. That we are focused on understanding and responding to the risks presented by new technologies, so that the opportunities presented can be realised and the challenges overcome. 

------------------------------------------------------

1 Transcript of Deputy Governor Ed Sibley interview with Donal O' Donovan, Irish Independent (15 March 2019)

2 Donnery, Sharon: Risks and Resilience in Uncertain Times - Deputy Governor Sharon Donnery (2019)

3 Innovation Hub

4 ESMA: Crypto-assets need common EU-wide approach to ensure investor protection (9 January 2019)

5 ESMA: Crypto-assets need common EU-wide approach to ensure investor protection (9 January 2019) and EBA: EBA reports on crypto-assets (9 January 2019).

6 The FATF Recommendations: International Standards on Combatting Money Laundering and the Financing of Terrorism & Proliferation (October 2018).

7 Central Bank of Ireland: Discussion Paper 8 - Outsourcing - Findings and Issues for Discussion (19 November 2018).

8 EBA publishes revised Guidelines on outsourcing arrangements (25 February 2019)