Technology and innovation (“FinTech”) again featured prominently in this year’s Financial Conduct Authority (FCA) business plan. Andrew Bailey, Chief Executive of the FCA, remarked that “technology is supporting competition, transforming markets and changing the way consumers engage with them. […] creating a conveyor belt of risks and opportunity”. Given this, and despite the need for the FCA to dedicate a significant proportion of its resources to the UK’s withdrawal from the EU, FinTech was confirmed as a key priority for the FCA over the coming year. The two specific FinTech priorities highlighted in the business plan are: Innovation, big data, technology and competition and Data security, resilience and outsourcing.
The Prudential Regulation Authority (PRA)'s emphasis on technological innovation in its business plan is relatively less pronounced. Nevertheless, it too is exploring ways to innovate as a regulator, by continuously monitoring FinTech developments, and supporting the authorisation and supervision of new banks and insurers.
Innovation, big data, technology and competition
The FCA re-affirmed its commitment to sustain a regulatory environment which can encourage and support innovation and competition for the benefit of consumers, while reducing or mitigating the associated harms, including any impact on vulnerable customers.
Over the next year, the FCA will focus on a number of key activities:
- Innovate programme and a global sandbox
The FCA will continue to support innovating firms through its Innovate programme by giving them the opportunity to test the commercial and regulatory viability of their products and services in the Regulatory Sandbox. The FCA also confirmed that over the next few months it will work with interested regulators on a blueprint for a global sandbox, which would build on existing international agreements with other non-UK authorities, and allow firms interested in expanding internationally to conduct tests across multiple jurisdiction at the same time.
As per the PRA business plan, the joint FCA/PRA New Bank Start-up Unit is expected to lead to, over the next three years, the supervision of around 20-30 new banks. The PRA also announced that it will review how it might improve the current authorisation process to facilitate the entry of new insurers as well.
The FCA will also increase its testing and adoption of RegTech and advanced analytics for its own regulatory work. Specifically, in summer 2018 the FCA will publish a feedback statement which will bring together the results of its Call for Input on machine executable regulation, the proof of concept developed in its November 2017 TechSprint, and further industry discussions. Additionally the FCA is also conducting experiments with advanced analytics in three additional areas:
- Automated detection of unauthorised business activities on the internet.
- Testing advanced Natural Language Processing technologies to automate manual supervisory tasks.
- Automated evaluation and detection of misleading advertising.
- Firms’ use of data
The FCA will review the use of data by financial services firms, including Machine Learning of big data pools, algo-trading, and wider Artificial Intelligence, to assess both potential opportunities and harm that may result from the use of these technologies, and where it may need to intervene.
As part of this work the FCA announced it will strengthen its relationship with the Information Commissioner’s Office as the General Data Protection Regulation comes into force in 2018 – the FCA and Information Commissioner’s Office will publish an updated Memorandum of Understanding setting out how the two regulators will work together in future.
- Retail banking business models
The FCA is looking at the key differences between emerging and traditional retail banking business models, assessing how these are being driven by innovation and technological advances, and how they affect competition, consumers, and firms’ conduct. The FCA plans to publish an update on this by June 2018, in which it will present preliminary findings and the proposed next steps.
Understanding the impact of FinTech on the business models of banks and other financial services providers is also on the agenda of the PRA. The PRA will continue to engage with firms and other industry participants (including other regulators) to monitor these developments and consider whether any reassessment of regulation is required.
As crowdfunding markets are evolving rapidly, the FCA has been working on additional rules to address areas of concerns, especially for loan-based crowdfunding. The FCA will publish the proposed new rules for consultation in 2018.
The FCA, together with the Bank of England (BoE) and HM Treasury, will participate in the Cryptoassets Task Force recently launched to support the UK Government’s FinTech Sector Strategy. The FCA highlighted that the Task Force will have to “ask important questions about what is the right boundary for our regulatory perimeter and our regulatory activity” and will publish a Discussion Paper later in 2018 outlining its policy thinking on cryptoassets, including Initial Coin Offerings (ICOs), and what a coherent strategy for addressing the risks that they present may look like.
The EU Commission, as part of its FinTech Action Plan, is also assessing the applicability of current regulatory frameworks across the EU for cryptocurrencies and ICOs.
Data security, resilience and outsourcing
As part of its second FinTech cross-sector priority the FCA (and PRA) will focus on ensuring firms are resilient to both cyber-attacks and technology outages, including ensuring that new and replacement technologies are resilient. This will involve three key activities:
To protect both market integrity and consumers, and tackle the evolving nature of cyber-threats, the FCA will continue to scale-up its work with firms to enhance their cyber-resilience.
Over the next year, the FCA plans to strengthen its supervisory assessment of the highest impact firms to improve its understanding of their current and planned use of technology, staff expertise and training, and resilience to cyber-attacks. As part of this assessment, the FCA will review how firms’ governance, strategy, system architecture, and culture contribute to their data security.
The FCA will also conduct thematic work with “lower impact” firms and continue to give smaller firms information on how to improve their resilience.
Finally, the FCA will work closely with the UK Government, other regulators, nationally and internationally, on cyber-resilience, including ways to minimise the impact of breaches and systems failures on consumers and the market. In particular the FCA will continue to work with the BoE to develop new regulatory tools to better assess firms and identify where harm could occur.
The PRA will continue its focus on firms’ cyber and operational resilience and its work will be closely aligned to that of the FCA and BoE. The PRA will run another sector‑wide assessment to assess the sector’s ability to respond to major disruption and it is also expected to clarify its supervisory expectations of firms’ cyber resilience.
- Outsourcing and the risks posed by third-party providers
As firms are increasingly relying on, often unregulated, third-party providers to deliver major and critical services, the FCA will increase its focus on outsourcing arrangements. In particular, the FCA will pay particular attention to service providers supporting multiple firms to identify the impact of service disruption on the market. Over 2018/19, through both thematic and firm-specific work, the FCA will seek to enhance its understanding of how firms use third parties, their concentration in the market and the potential risks.
Finally, the FCA will also look at other risks to firms’ resilience. These include ring-fencing where significant restructuring will continue into 2018, and the implementation of the revised Payment Services Directive (PSD2). The FCA acknowledges that while PSD2 is expected to increase competition in payments, it also has the potential to increase cyber-attacks and data breaches. The FCA will monitor the roll-out, from August 2018, of the Competition and Markets Authority recommendations to measure consumer understanding of resilience by requiring firms to publish service quality data on technology and resilience issues.
The FCA business plan highlights its powers to act outside the perimeter in certain circumstances, and states that it may exercise them where unregulated activity could potentially undermine confidence in the UK financial system or have an impact on a regulated activity – this may be relevant for example to some growing FinTech areas, such as cryptoassets and ICOs, or unregulated technology third-party providers.
Both the PRA and FCA acknowledge that preparing for the UK’s departure from the EU will dominate their agenda for 2018/19. Despite this, the prominence of FinTech-related priorities in the business plans is again testament to the ever increasing role of technology in the financial services sector.
The PRA’s external Fintech focus is largely on ensuring technological innovation does not compromise cyber and operational resilience of firms and financial markets. The work of the PRA and FCA will be complemented by the BoE’s planned upgrade of its Real-Time Gross Settlement Systems (RTGS), which will support competition by making the BoE’s RTGS directly accessible to non-bank payment service providers and compatible with new technologies, such as Distributed Ledger Technologies.
The number and type of activities the FCA plans to undertake over the next year gives a strong indication that, while innovative businesses will continue to enjoy its support, the level of understanding of technological innovation, specifically in relation to the inherent risks, and the scrutiny that the FCA will apply are increasing appreciably. Market participants need to be ready for this.