This presentation focuses on the balancing act between innovation, safety and soundness of digital financial services as well as steps to support consumer protection. It also includes a review of the current guidelines and a checklist format to guide regulators and policy makers to compare their own regulations, policies, environments and supervisory capacity in relation to emerging developments in the field of DFS.
The Role of Regulations in the Development of Digital Finance
1. THE ROLE OF REGULATIONS
AND DEVELOPMENT OF DFS
JOHN V OWENS
2. KEY ASPECTS OF DFS REGULATIONS
• Proportionate AML/CFT (FATF
Compliance)
• Tiered KYC Regulations
• E-Money Operator Regulations and
Guidelines
• Remote Account Opening Rules
• Agent Regulations (for banks and NBFIs)
• Security and Fraud Mitigation
• Consumer Protection Issues
• Interoperability
• Fair Access to ICT
• Retail Payment Systems Laws and
Regulations
• Competition Policies
3. Risk-based approach to AML/CFT regimes and
financial inclusion
In 2012, FATF revised the recommendations to combat money laundering and the
financing of terrorism.
Countries should identify, assess, and understand the money laundering and terrorist
financing risks for the country, and can follow a risk-based approach commensurate with
the risks identified.
Allows a new level of flexibility in the application of certain elements of a country’s
AML/CFT regime, which should complement, rather than inhibit, national financial
inclusion efforts.
FATF further states in Recommendation 1: “where countries identify lower risks, they
may decide to allow simplified measures for some of the FATF Recommendations under
certain conditions.”
The area where this is most relevant is in the context of customer due diligence (CDD)
Allows for tiered KYC procedures.
4. PRUDENTIAL AND MARKET CONDUCT
REGULATIONS
These include:
capital requirements
reserve requirements
governance requirements
reporting and disclosure requirements
5. DFS AND CONSUMER PROTECTION ISSUES
Adequate and Complete Information
Other risk factors that should be considered as the regulator prepares consumer
protection for DFS include:
• New technology as a source of risk
• Risks associated with agents
• Particular challenges with new services and/or DFS providers
• Consumer and data privacy concerns
• Outsourcing to third-party service providers
6. SETTING UP CONSUMER PROTECTION POLICIES AND
REGULATIONS FOR DFS
Regulatory framework for consumer protection:
• DFS providers are licensed to operate under clear rules to protect consumers
• Level playing field that promotes competition
• Standards for disclosure and transparency of information;
• Simplified consumer protection rules for low-value transactions;
• Responsibility for all their services (including through a third-party or agent;
• Clear data privacy and confidentiality rules are in place;
• Adequate complaint resolution;
• Relevant data has been collected by the regulator.
7. CREATING THE REGULATORY ENABLING
ENVIRONMENT AND PROVIDING PROPER OVERSIGHT
AND SUPERVISION OF DFS
Relevant Core principles for effective banking supervision to the regulation and
supervision of institutions relevant to financial inclusion
• Principle 1: Responsibilities, objectives and powers
• Principle 2: Independence, accountability, resourcing and legal protection for
supervisors
• Principle 3: Cooperation and collaboration
• Principle 4: Permissible activities
• Principle 5: Licensing criteria
8. CREATING THE REGULATORY ENABLING
ENVIRONMENT AND PROVIDING PROPER OVERSIGHT
AND SUPERVISION OF DFS (CONT.)
• Principle 8: Supervisory approach
• Principle 9: Supervisory techniques and tools
• Principle 10: Supervisory reporting
• Principle 11: Corrective and sanctioning powers of supervisors
• Principle 12: Consolidated supervision
See the Basel Committee on Banking Supervision: Guidance on the application of the Core
principles for effective banking supervision to the regulation and supervision of
institutions relevant to financial inclusion http://www.bis.org/bcbs/publ/d351.pdf
9. ADDRESSING ACCESS ISSUES - REGULATORY OPTIONS
• Tiered KYC
• Alternative ID options
• E-money regulations
• Agent regulations
11. AGENT BANKING REGULATIONS
Three issues determine the best liability rules in any context.
1. Allocation of risk and economic incentives
2. Agent insolvency risk
3. Agent supervision
Regulating banks’ and MNOs’ use of DFS agents requires an appropriate legal
framework. Factors influencing the framework’s design include the following:
• Business relationship;
• Principal-agent contract;
• Supervisory and regulatory structure; and
• Legal foundation of the economy (common or civil)
12. AGENT BANKING REGULATIONS
• Who can be an agent?
• What are the agent eligibility requirements?
• What can an agent do?
• Restrictions on fees charged by agents?
• Can an agent subcontract? Are super-agents allowed?
• Can agents be exclusive or must they be non-exclusive?
• What is the principal liability for agents?
See CGAP Focus Note: Regulating Banking Agents
https://www.cgap.org/sites/default/files/CGAP-Focus-Note-Regulating-Banking-
Agents-Mar-2011.pdf
14. DFS CONSUMER PROTECTION ISSUES
1) Risks for DFS Consumers
Adequate and Complete Information
New Technology as a Source of Risk
Risks Associated with Agents Providing DFS
Challenges with New Services and Service Providers
Consumer Privacy Concerns with DFS
15. DFS CONSUMER PROTECTION ISSUES
2) Outsourcing and Third Party Service Providers
3) Responsibilities of the DFS Providers
4) Responsibilities of the Financial Regulator
5) Responsibilities of the DFS Consumer
6) Smart Campaign Principles Applicable to DFS
16. DFS CONSUMER PROTECTION PRINCIPLES
1. Appropriate product design & delivery
• Advertising and marketing practices
• Electronic payment processing & collection practices
2. Prevent of over-indebtedness
3. Transparency
• For borrowers
• For investors (individual and institutional especially relevant for
marketplace lenders)
4. Responsible pricing
17. DFS CONSUMER PROTECTION PRINCIPLES
5. Fair and respectful treatment of clients
• By digital providers
• By brokers/mobile lead generators/aggregators
• Big data and non-discrimination
6. Privacy of client data
• Privacy notice
• Opt-in/Opt-out standards
• Management of third-party service providers/vender to protect client data
7. Mechanism for complaint resolution
8. Compliance with local laws and regulations for lending
18. DFS CONSUMER PROTECTION PRINCIPLES
9. Security and risk management practices/standards
• Safety and soundness practices
• Authentication and security information
• For Mobile Channel – customer mobile security measures
• Consent to communicate electronically
• Risk management practices
• Network Stability
10. Governance & Controls
19. DFS CONSUMER PROTECTION PRINCIPLES
11. Implementation of a code of ethics
12. Responsible Investment – Environmental, Social, Corporate Governance
13. Targeted Financial Education
14. Regulatory Empowerment & Focus
20. NEXT STEPS - RESPONSIBLE DIGITAL FINANCIAL SERVICES
DFS
Providers
Industry
Associations
Clients
Investors
Consumer
Protection /
Market Conduct
Regulations
Reputational
Risk
Business Case
21. CLASS EXERCISE
Discuss the various risks faced by DFS Consumers from
your perspective.
With more partnerships and traditional financial players
connecting to third party service providers, what are the
particular risks that should be taken into account from a
consumer protection standpoint?
What should be the responsibility of the financial
regulator, the DFS providers and ultimately those of the
consumer?
Risk-based approach to AML/CFT regimes and financial inclusion
In 2012, FATF revised the FATF 40 Recommendations to combat money laundering and the financing of terrorism. In the revision, FATF stated that countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action to mitigate those risks effectively. Based on that assessment, FATF also requires countries to apply a risk-based approach commensurate with the risks identified. This requirement for risk assessment applies at the national level, as well as at the level of obligated financial institutions and designated non-financial businesses and persons (such as lawyers, notaries and real estate agents).
This shift toward the risk-based approach allows for a new level of flexibility in the application of certain elements of a country’s AML/CFT regime, which should complement, rather than inhibit, national financial inclusion efforts. FATF further states in Recommendation 1: “where countries identify lower risks, they may decide to allow simplified measures for some of the FATF Recommendations under certain conditions.”
The area where this is most relevant is in the context of customer due diligence (CDD). In the past, it has been suggested that overly strict requirements regarding customers’ identification and verification has contributed to financial exclusion. For example, in a country where many people may lack official documentation to prove identity, strict application of CDD requirements may exclude them from the formal financial system. Or, strict CDD procedures that lead financial institutions to pass on costs to the customer could act as a disincentive for customers – especially the poor – to use those services. Under the revised FATF Recommendations, should a country be able to identify lower-risk scenarios or products (a prepaid low-value product, a basic account with strict deposit/withdrawal thresholds etc), the country may allow simplified CDD processes for those situations.
Source: FATF, http://www.bis.org/cpmi/publ/d133.pdf
However, different financial services involve various levels of risk, and so merit different types of regulationFor example, some basic financial services do not entail significant systemic risk, and only require certain key protections:
Conversion of cash to electronic money (cash-in) depends on proper authentication of the cash, identification of the customer, and a reliable bookkeeping system.
Storage of money for safe keeping depends primarily on the same things, as well as control over access to the funds, making governance, audits and KYC procedures key to ensure the integrity of the system.
Transfers and payment services require documentation of the delivery to and transfer by the network, authentication of the recipient, and so rely on internal messaging and control protocols to protect against fraud and system failure. Prevention of terrorism finance and money laundering may also justify limiting the amounts that may be transferred, requiring certain record keeping, and identification of the sender
Principle 1: Responsibilities, objectives and powers
An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups. A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. By looking at banks and the banking system, there is a reference to also including NBFIs especially if they serve a significant number of individuals.
Principle 2: Independence, accountability, resourcing and legal protection for supervisors
The supervisor needs to possess operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. Under this guiding principle, supervisors responsible for multiple types of institutions require adequate resources to conduct effective supervision and oversight. They should be financed in a manner that does not undermine their autonomy or operational independence. As supervisors are confronted with new types of institutions (such as nonbank e-money issuers), new products and services, and new arrangements among banks and nonbanks (including the use of retail agent networks as a primary customer interface), and since such institutions can grow quickly in number, scope and scale, supervisors should regularly evaluate existing staff skills and projected staff requirements over the short- and medium-term, and implement measures to bridge any gaps in numbers and/or skill-sets identified.
Principle 3: Cooperation and collaboration
Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information. Cooperation and coordination among different regulators and supervisors are key to developing an effective regulatory and supervisory framework for financial institutions targeting unserved and underserved customers, in particular: (i) to design informed and proportionate rules and requirements for the licensed institutions (as opposed to simply having different standards, rules and requirements); (ii) to delineate regulatory and supervisory responsibilities as clearly as possible as to avoid or minimize overlaps and gaps, as well as arbitrage by institutions offering similar products; and (iii) to avoid or minimize inconsistent or overly burdensome requirements that interfere with implementation of policy objectives, including financial inclusion. This is particularly important as financial regulators increasingly need to cooperate with ICT regulators as well as competition authorities in the area of DFS providers.
Principle 4: Permissible activities
The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” is controlled. Commercial banks are typically permitted to engage in a wide number of activities, while nonbank financial institutions typically engage in a narrower range of activities, which are often limited to lending and possibly taking deposits. Increasingly, various types of nonbank financial institution targeting unserved and underserved customers are also engaging in one or more of the following activities: domestic and international transfers (remittances), issuing payment cards or e-money, using an agent, acting as an agent of a financial institution, and acting as a distributor of basic insurance.
While the taking of deposits from the public should be reserved to banks and nonbank deposit-taking institutions that are licensed and subject to supervision, institutions that offer e-money and other digital stored-value products not defined as deposits may also need to be licensed and subject to supervision as appropriate for the risks involved. This may be the case for nonbank e-money issuers, which are emerging in many jurisdictions as important financial institutions providing an alternative to conventional deposits to unserved and underserved customers. In some cases, this may mean that a non-financial firm, such as an MNO, is required to establish a separate legal entity to offer financial services, such as e-money issuance and storage.
Principle 5: Licensing criteria
The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management) of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. This is especially important in supervising new financial players like EMIs who should demonstrate that they have a proposed strategic and operating plan, projected financial condition, adequate corporate governance, risk management policies and internal control policies including oversight of outsourced functions.
Principle 8: Supervisory approach
An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks and supervised NBFIs in an orderly manner if they become non-viable. Supervisors need to also monitor other financial service providers that fall outside of their supervision such as P2P lenders and the rise of crypto-currencies in order to identify risks, assess the systemic risk of both regulated and un-regulated DFS providers, and evaluate whether or how they should be regulated or whether they should be considered illegal or too risky to continue to operate in the market.
Principle 9: Supervisory techniques and tools
The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of licensed financial institutions. Supervising banks and nonbanks targeting unserved and underserved customers, will depend on the approach chosen for a particular sub-sector, the range of institutions, the range of products, their delivery channels, the systemic importance, size, risk profile and complexity of each institution.
Principle 10: Supervisory reporting
The supervisor collects, reviews and analyzes prudential reports and statistical returns from supervised FIs on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. With respect to financial institutions targeting unserved and underserved customers, supervisors may adjust the reporting requirements to make sure they have the information needed to also understand the business models and related risks, and to carry out effective and proportionate supervision. To avoid unduly burdensome reporting requirements, supervisors need first to identify the key risk indicators that need to be monitored.
Principle 11: Corrective and sanctioning powers of supervisors
The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the financial system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the financial provider license or to recommend its revocation. This is especially important in the case of EMIs, especially those offered by MNOs. Laws or regulations should ensure that these providers are separately licensed or registered for the purposes of engaging in regulated financial services. This facilitates supervision by a prudential supervisor and provides the authority for the regulator to ensure that prompt corrective actions or sanctions can be imposed if needed.
Principle 12: Consolidated supervision
An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.
No one group will have sufficient pressure on digital lenders but there was quite a bit of concern about reputational risk by providers, investors and regulators so the business case for being proactive may help move the needle quicker than would have been possible for other providers such as MFIs in the past. In addition digital borrowers, especially those borrowing online as well as via a mobile are quite connected to others and do comparison shop. In addition, information made available at the finger tips of customers online especially mobile friendly portals will be able to gather data and can be encouraged to demand better consumer protection principles and responsible lending practices that were not possible only a few years ago.
The biggest challenges will be in cultural differences especially the major divide between countries that view data privacy completely differently like Germany and China.
In addition, in markets with little or no policies and those with limited supervisory capacities, ensuring oversight will need to be done in stages as consumer risks become clearer and evidence brings issues to light. Helping develop strategies that build on industry and that are customer-driven may be the best option, especially where regulators/supervisors struggle with capacity issues. Regtech developments may hold promise for support in this area (Philippines mobile app consumer protection tool).