In August 2017, a task force of the Basel Committee on Banking Supervision (BCBS) published a consultative document assessing the impact of financial technology, or fintech, on the banking industry and the implications of fintech-driven changes on banks’ business models and the agencies that regulate banks. Though the size of the fintech sector is difficult to measure, as the BCBS notes, it remains relatively small but has had an outsized impact on the financial services industry in the competition for customer relationships and customer data.
In the document, the BCBS analyzes the impact of fintech products and services on banks through five forward-looking scenarios, ranging from enhancing existing operations and legacy systems with modern customer interfaces - dubbed a “better bank” - to a fully-disintermediated bank (which refers to the full displacement of existing banks from customer financial transactions).
The common theme across these scenarios is that banks will face growing challenges in retaining and developing new customer relationships and maintaining profitability if they do not adopt and implement innovative, technological advances. The BCBS also notes that the uncertainty of technological change and customer expectations related to fintech advancements further challenge banks and bank supervisors to develop and execute effective strategies to mitigate the increased risk of safety and soundness concerns.
Following an evaluation of the implications of the opportunities created by fintech for banks and the banking system, the BCBS task force identifies 10 key observations and recommendations for consideration by banks and bank supervisors. These include the following key findings:
In addition, the increased utilization of advanced technologies to deliver financial services comes with its own set of information technology, security and data privacy risks. Banks should ensure they have effective IT-related risk management processes to address such risks and properly support innovative products, services and technologies.
In addition, it recommends that bank supervisors continuously evaluate current regulatory frameworks against the risks associated with innovative products, consider leveraging the technology of fintech firms to improve the efficiency of supervisory activities, and review staffing and training to be informed of new technologies and business models.
The BCBS recognizes that the banking industry has undergone transformation previously as innovative financial technologies revolutionized how products and services were offered to consumers. It notes, however, that the current fintech wave is different, with lower barriers to entry and many more non-bank players. Successful financial services innovation requires the ongoing active participation of banks, fintech firms, and supervisory agencies to ensure awareness of new fintech trends and risks, and that those risks are appropriately mitigated to protect the safety and soundness of banks, fintech firms and the financial services industry.
In October 2017, the Consumer Financial Protection Bureau (CFPB) issued a final rule to implement new consumer protections related to payday, vehicle title and certain high-cost installment loans. The rule highlights the CFPB’s focus on so-called payday debt traps and is meant to address unfair, deceptive and abusive practices related to the origination and servicing of certain short-term loans.
The availability and affordability of short-term, small-dollar loans (often referred to as payday loans) has been the subject of much discussion in the financial services industry given the nature of the products and services offered (typically small loan amounts, offered at high rates and with a very short-term repayment period), the institutions that offer such loans (often non-bank entities, and increasingly through online means), and the consumers who use these products services (who often cannot access credit in any other form and/or may be experiencing a temporary distressing event). The final rule is intended to address CFPB concerns that lenders that offer such loans operate business and credit models that deviate from standard practices in other credit markets.
The final rule applies to the following categories of covered loans and lines of credit:
Certain types of loans, even if they meet the definitions above, such as home mortgages, vehicle purchase loans, student loans, and credit cards, are excluded.
The rule implements three main requirements:
Compliance with the final rule is required by August 2019. Institutions that offer covered loans to consumers should begin evaluating the impact of these final rules on their existing or planned product and service offerings and related originations and servicing processes. Institutions should follow prudent regulatory change management and project planning processes to determine whether and how they must enhance their policies, programs and systems to ensure compliance with the technical and operational requirements of the new rule.
In October 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of consumer protection principles related to the protection of consumers when they authorize access to their financial information for third parties to provide to them consumer financial products and services. The guidance is directed at all companies that provide, use or aggregate consumer-authorized financial information. The principles are the result of a 2016 Request for Information by the CFPB to gather feedback on industry practices and risks, as well as the CFPB’s evaluation of activities such as screen scraping, where consumers input their banking information into an application or tool for use of the information by third parties.
The CFPB acknowledges that there is a developing market for services based on the customer-authorized use of financial data. Many companies, including those engaged in fintech, offer consumers and financial institutions (including banks) data-based services that require customer authorization to access consumer financial information. The CFPB cites services such as fraud screening, identity and asset verification, and bill payment among the burgeoning services offered by these non-bank providers to customers and/or financial institutions that require access to consumer financial data.
The benefits of such innovative products and services are many, including consumer access to information from multiple accounts in one step to manage finances or bill payment, or obtain financial planning advice without providing paper-based records, or obtain timely approval of a loan or purchase transaction. The CFPB notes, however, that increased consumer control of consumer data and transparency must also be weighed against the importance of privacy and information security.
The principles demonstrate the CFPB’s vision for a safe and workable data aggregation market that can protect consumer data while bringing value to the market and encouraging innovation. While the principles provide neither new binding obligations on market participants nor guidance on existing consumer protection laws and regulations, they do express the CFPB’s viewpoint that consumer information is to be used only to the extent that is necessary for the selected services to be performed for the consumer. Key concepts addressed by these principles include:
The CFPB’s principles will seem familiar to financial institutions required to comply with the General Data Protection Regulation (GDPR). Increasingly, regulators are focused on matters related to consumer privacy and security, and the CFPB’s principles are demonstrative of the global effort to provide to consumers increased control over their personal data and regulate how institutions use and protect this information.[1]
Financial institutions and non-bank providers of consumer financial products and services that provide, use or aggregate consumer-authorized financial information should evaluate the impact of these principles on their current products and services, agreements, and third- party arrangements and systems. Companies must take steps to clearly request and obtain consumer authorization and ensure that the privacy and security of consumer financial information is obtained, as well as make transparent these practices to consumers, prevent misuse, and properly dispose of information.
Finally, as partnerships with non-bank providers are expected to increase, a more discerning and nuanced approach must be taken by institutions to manage third-party risk. This will invariably be different for each institution. Protecting consumers will require an end-to-end view of the critical processes that need to be supported by both organizational design and responsibility and appropriate governance and control methodologies, as well as having enterprise visibility of all third-party relationships and risk exposure.
In October 2017, the OCC released revised guidance outlining its expectations for national banks to prudently manage the risks associated with new, expanded and modified products and services (referred to as “new activities”). The timing of the revised guidance is critical given recent, rapid evolution of financial products and services, delivery methods, and entrants in the market, most notably reflected in the emergence of fintech. In the bulletin, the OCC emphasizes the importance of new activities aligning with national banks’ overall business plans and strategies. The OCC also underscores the importance of responsible innovation by banks in meeting the changing needs of customers.
At the time of its original guidance in 2004, there was a period of rapid change in the industry as banks introduced new, more complex products and services to customers, and to potentially riskier segments of customers. For example, traditional mortgage products were transformed to expand access to consumers with weaker credit profiles, and provided new features such as allowing a consumer to select from alternative repayment options. The OCC acknowledges that today banks are again in a period of rapid evolution driven largely by innovations in technology, and the opportunities that they create for bringing innovative products and services to customers. These opportunities come with new risks that national banks must manage not only to operate in a safe and sound manner but also to remain competitive.
The main concepts and updates addressed in the revised guidance include:
The revised guidance highlights also the growing importance of fintech companies, and the importance of understanding the technologies that these companies offer, the associated risk and controls, and the effect that the new delivery channel will have on existing operations. In the guidance, the OCC reminds national banks that fintech companies should be included in their third-party risk management processes, particularly if offering critical activities to the bank.
Board and senior management of national banks should evaluate the revised guidance and revisit their existing policies and procedures related to the risk management of new activities to ensure that they address the OCC’s expectations. In doing so, they should also ensure that they are up-to-date on the technological changes that are transforming the industry so they can develop effective strategies reflective of the new environment and the risks associated with it. Given the interrelatedness, change management and third-party risk management programs should also be evaluated to address the guidance regarding new activities.
Click here to access all series