Over the past decade a new era of FinTech (‘financial technology’) has emerged through the increasing convergence of the long-term process of digitization of finance, datafication, and new technologies like cloud computing, blockchain, big data and artificial intelligence. The rate of FinTech development and proliferation is fast in mature global markets, and at times even faster in emerging markets. The benefits brought to markets from the network effects of increasingly interconnected technological channels are immense. However, so are the risks.

Our article ‘The Dark Side of Digital Financial Transformation: The New Risks of FinTech and the Rise of TechRisk’, accepted for publication in the Singapore Journal of Legal Studies, analyses the new dimension of TechRisk in the FinTech age and suggests some basic principles on how such risks can be monitored and addressed, focusing in particular on the role of regulatory technology (‘RegTech’).

A potent contemporary example of TechRisk has arisen of late in Australia. Westpac, one of its major banks, established its own technological alternative to SWIFT for remittances, and got the tech wrong. The result was some 23 million breaches of AML/CTF laws, the prompt resignation of the CEO, the announced resignation of the Chair of the Board, and Westpac’s systems being used to pay for appalling child pornography.

We posit that cybersecurity risks are now evolving into major threats to financial stability. Three factors are particularly salient to these findings. First, the growing rate of technological development and adoption in finance is leading to more concentrated data nodes and less software diversity; the cybersecurity measures of financial institutions are thus becoming only as strong as those of their weakest defended parties. Second, the lag and divergence in cyber governance regimes in different countries lead, at best, to significant gaps and, at worst, to normative clashes between various actors—capable of disrupting the relatively frictionless global financial network. Third, the increasing convergence of national security and financial stability in the cyber domain—as states increasingly designate financial institutions as critical infrastructure—has led to vastly varying approaches to transnational cybersecurity cooperation which expose potent weaknesses.

Following cybersecurity issues, we propose that financial stability risks are also intimately tied to data security and privacy matters. First, as the compound effects of concentrated data nodes with more levels and forms of analysis are unclear, impact assessments remain abstract and regulatory efforts struggle to fully capture data threats. Second, the compound network effects enjoyed by firms with access to large data panels allow for asymmetric and opaque access to information, dampening competition and reinforcing market domination. Third, the growth of datafication and increase in the sharing of data and privacy risks between public and private sectors require sufficient legal and technical capacity to mitigate the risks—however, heterogeneous methodological approaches and access to resources across jurisdictions produce systematic strains.

The entry of major technology firms into finance (‘TechFins’) brings two new issues capable of exacerbating TechRisk. The first arises in the context of new forms of potentially systemically important infrastructure, such as data and cloud services providers. The second arises from data—like finance—benefitting from economies of scope, scale, and network effects and—even more than finance—tending towards monopolistic or oligopolistic outcomes. Such tendencies spark the potential for systemic risk in new forms of ‘Too Big to Fail’ and ‘Too Connected to Fail’ phenomena. 

We find that TechRisk can be similar to the deficiencies that led to the 2008 Global Financial Crisis: a concern for large concentrated frictionless movements of data, with debate regarding the merits of international centralization, and an unknown potential for contagion. To avoid the previous shortfalls, we conclude by encouraging the formation of a new risk agenda, one which responds proactively to global TechRisk.

Seven steps are suggested to create a future-proof regulatory system capable of mitigating the variety of new challenges that will arise. First, regulators must prioritize TechRisk as strongly as financial risks. Second, in-house tech expertise must be strengthened. Third, reporting requirements must be enhanced regarding TechRisk management. Fourth, TechRisks must be prioritized in supervision to enable hands-on assessment of tech capacity in subject institutions. Fifth, cybersecurity risks should be depoliticized to foster the development of intergovernmental and sectoral cybersecurity capacity. Sixth, regulators should utilize RegTech to properly respond to the vast amount of data streams in need of monitoring. Lastly, regulators should actively seek to harmonize normative cyber and data policies to avoid friction, uncertainty and loopholes. 

Ross Buckley is Scientia Professor, and the KPMG Law – King & Wood Mallesons Professor of Disruptive Innovation and Law at the University of New South Wales, Australia.

Douglas Arner is Kerry Holdings Professor in Law and Co-Founder, Asian Institute of International Financial Law, Faculty of Law at the University of Hong Kong.

Dirk Zetzsche is Professor of Law, ADA Chair in Financial Law (Inclusive Finance), Faculty of Law, Economics and Finance at University of Luxembourg.

Eriks Selga is a PhD candidate at the University of Hong Kong.