Peering into a cloudy future
Wayne Byres, Chairman - 2018 Curious Thinkers Conference, Sydney
Good afternoon, and thank you for inviting me to address the ‘Curious Thinkers’ conference. A good prudential supervisor should be naturally curious, so hopefully I can meet your expectations.
I’ll start today with a clash of predictions that symbolises where we find ourselves.
Earlier this year, with bitcoin having lost two-thirds of its value in just a few months, World Bank President Jim Yong Kim said the vast majority of crypto-assets were “basically Ponzi schemes” – by implication, dangerous and to be avoided. Yet his counterpart at the IMF, Managing Director Christine Lagarde, had recently cautioned that it’s unwise to dismiss the potential of digital currencies, noting “some experts argued that personal computers would never be adopted, and that tablets would only be used as expensive coffee trays”. 
Time will tell whose crystal ball is most accurate. But what’s clear is that companies, regulators and international agencies are all grappling to predict the impact that technology-enabled innovation will have on the structure of the financial sector and the viability of existing business models.
Change is not new, of course. The concept of technological innovation improving the business of finance is as old as the abacus. But what is unsettling for today’s financial institutions is the sheer pace of change. That pace makes predicting the future difficult, and is why the crystal balls of even the most well-informed are cloudy.
While everyone agrees major change is inevitable, the consensus also seems to be that it is too soon to tell whether the financial world faces evolution or revolution. Several scenarios could well play out:
- agile new fintech companies, better able to tailor their services to customers’ individual needs and built on modern technology platforms, could eat into the market-share of the large incumbents, and replace existing small incumbents; or
- big technology companies, with strong brand, advanced technology, reams of data and superior analytics, could elbow their way into the financial sector, usurping the major incumbents as the dominant market players; or
- the incumbents, using their regulatory and funding advantages as well as inherent customer stickiness, could partner with (and possibly eventually subsume) new market entrants, thereby maintaining their market positioning.
Whatever the scenario, the production and delivery of financial services will change. A recent report by the Basel Committee on Banking Supervision, which examined the implications of fintech for banks and bank supervisors, concluded that “the current position of incumbent banks will be challenged in almost every scenario.”
Put simply, many traditional business models will no longer be competitive without significant change driven by technological investment. Moreover, some incumbents will struggle to afford that investment; for others, the challenge will be successfully managing a large transformation program. An added burden is that incumbents have to maintain the faith with their existing customers, not all of whom embrace new technology like many of you in this room (I am yet to see a new entrant even think of offering products with cheque facilities, but incumbents feel obliged to maintain them).
Whatever direction technological innovation drives the financial sector, APRA’s job is twofold: first, making sure that regulated entities are adequately managing change and not exposing customers to undue risks along the way; and second, making sure our regulation and supervision are fit for the future and can adapt as the financial system and its participants evolve. I would like to say a few words about both those tasks today.
APRA’s protective umbrella
Historically, most technological advancement in finance has worked to enhance the market positioning of the major incumbents. That is because, by and large, they were able to control the pace and timing at which new technology was made available. There was certainly competition within the sector to be the first to market with new products and services, but externally-generated innovation was much more difficult.
The future will likely be different. New technologies have dramatically lowered barriers to entry. Cloud computing, for example, allows small organisations to operate innovative financial services without the need to maintain their own costly infrastructure and support staff. The advent of digital distribution and servicing removes the need for branch and broker networks. Open banking and comprehensive credit reporting will help new competitors to challenge established players. And, of course, regulators are making it easier to navigate the process of entry into the regulated financial system. Taken together, competition in the supply of financial services will only intensify.
On the demand side, consumer attitudes are changing. Customer loyalty appears to be declining: consumers are increasingly comfortable switching brands, trying new technologies and conducting business online. Successive scandals in the financial sector, highlighted by damaging evidence exposed at the Royal Commission, have also rightly encouraged consumers to think harder about how they manage their money. For an industry that has built many of its products and practices to take advantage of customer inertia, that ‘awakening’ will only increase the challenges.
What is APRA’s role in all this? I would summarise it as to make sure regulated entities are resilient and responsive to change, but not protected from it. Yes, we are interested in promoting stability – indeed, that is our statutory mandate – but that does not mean standing in the way of change. Ensuring regulated entities are well-managed, soundly capitalised and able to withstand severe stresses is designed to protect the interests of their depositors, policyholders or members. But to be clear, it is not APRA’s role to protect incumbent players when better, safer and more efficient ways of doing business emerge.
In the context of technological change, that means making sure that the community’s financial interests are protected during any potential change in market structure, or should any entity need to exit the industry. That is not an unfamiliar role for us, as we are regularly involved in some hard discussions with management and boards who find themselves in a strategic dead-end. Sometimes their desire to continue to compete is difficult to overcome, even when clearly fighting a losing battle. But ultimately we seek to look at it with a sharp focus on what is in the longer-run interests of their depositors, policyholders or members – not the business itself, or its owners – and make sure that boards and management are doing likewise. If that means their time is up, so be it: our role then becomes ensuring they make an orderly exit from the industry.
A dark cloud
Though the coming wave of fintechs and other innovations will inevitably change the composition of the industry, which companies flourish and which wither is far from determined. But investment decisions made today (and yesterday) play a big role in determining which category a company will fall into.
I am conscious of over-simplifying, but discussions on technology investment often tend to focus on two themes: the need to invest sufficiently in new technology for products and service delivery to grow revenue and stave off new competitors, and the need to invest adequately in cyber security and risk mitigation. A third, far less exciting, theme often attracts less attention: ongoing investment in the health of existing systems, ensuring they remain ‘fit for purpose’.
A concern for APRA is that the understandable desire to invest in new technology-enabled products and services, coupled with the necessary investment in cyber security and risk mitigation, comes at the expense of ongoing maintenance of existing technology platforms. This is particularly problematic given the legacy infrastructure on which many institutions are currently operating, often a patchwork of systems that have been bolted together over many years. “How should we allocate our investment’’ is an important question, but a more important precursor is: “How much do we need to invest?”’
Keeping the lights on and systems operational is no trivial task. As Reserve Bank Assistant Governor Michele Bullock warned in July, the increasingly common incidence of IT outages, affecting everything from bank websites to ATMs, is disrupting commerce and eroding public confidence in the payments system.
Over the past couple of years, we have looked into systems hygiene in the banking sector. Our technology risk team recently pulled together the results of their reviews, which covered almost 90 per cent of the industry by assets. The reviews found, for example, a number of instances of critical systems (applications and infrastructure) at end-of-life or end-of-support, without funded remediation plans in place. Moreover, there was also limited evidence of adequate escalation and clear reporting of these system health issues and the associated risks at executive and board levels.
The financial sector, particularly in banking, also faces increased demands to make data available to external parties. The Consumer Data Right and Comprehensive Credit Reporting will require banks to make data available to customers and competitors. This would be threatening enough if the data was readily available to banks, as a source of competitive advantage will be lost. But that assumes the data is already accessible and being actively used. In reality, the complexity of systems and process environments and reliance on manual processes has made the mapping of data lineages, managing data quality and the aggregation of data difficult. Larger ADIs have begun to tackle this through the appointment of Chief Data Officers and the development of enterprise data management frameworks. A ‘fit for the future’ bank, however, would have long ago built the systems and have high quality data readily to hand for its own purposes. As things stand, significant investment will be needed to meet the new obligations.
Overall, our reviews suggested the health of the systems environment and associated risks have not been as well understood by peak decision-makers as they should be. The issues we highlighted have not arisen overnight, and reflect persistent underinvestment over a number of years. Our reviews emphasise that, to facilitate new technology, investment budgets need to be increased, not just reprioritised. They will also likely need to be maintained at a higher level than has been the case in the past to allow for a catch up on the backlog of maintenance that is needed.
A silver lining
One exception to this underinvestment has been in information security, where regulated entities – particularly the largest – have gone to considerable effort and expense to protect themselves from cyber-attacks. While that is welcome, we need to ensure it isn’t false comfort given the insidious and growing nature of the threat. That threat also prompted us to release our first information security prudential standard for consultation in March. In doing so, we want cyber-soundness to be thought about in the same way as institutions think about financial soundness.
Another area of noted change over recent years concerns the use of cloud computing. When APRA released its first information paper on the subject in 2015, we expressed reservations about the use the cloud for initiatives with heightened or extreme inherent risk. Much has changed since then: cloud service providers have strengthened their control environments, increased transparency regarding the nature of the controls in place, and improved their customers’ ability to monitor their environments. APRA-regulated entities have also improved their management capability and processes for assessing and overseeing the services provided.
For that reason, APRA is today releasing an updated version of our 2015 paper which reflects our more open stance on cloud usage. The new paper acknowledges advancements in the safety and security in using the cloud, as well as the increased appetite for doing so, especially among new and aspiring entities that want to take a cloud-first approach to data storage and management. To be clear, cloud usage is not without risk – but nor is the status quo. In addition to reinforcing steps to minimise the risks of cloud usage, the information paper also summarises observed weaknesses that industry must continue to focus on. And while cloud usage, as with all other shared service arrangements, involves a degree of shared responsibility, boards and senior management of regulated entities remain ultimately accountable for the security of their data. That accountability cannot be outsourced.
The dilemma regulators face in this rapidly changing environment is largely the same as that confronting businesses: trying to anticipate how technology will change the financial services sector, and being sufficiently responsive to keep pace with those changes.
A major challenge that technology poses for regulators is the growing trend towards outsourcing and partnering. Outsourcing and partnering are far from new concepts, but increasingly it is occurring for business-critical functions, not just at the periphery of activities. Importantly, many of these new partners and providers of critical functions sit outside regulators’ reach. The prudential supervisors’ ability to ‘kick the tyres’ will be much harder in future, without new tools and methods.
Two potential risks arise from this broader trend.
The first is a possible fragmentation, as niche specialist providers disaggregate existing business models by performing specific roles and functions more efficiently and effectively than incumbents can do in-house. An ecosystem of small providers will challenge management models, as well as regulatory understanding of risks, as more data and activity sits outside the (increasingly narrow) regulated entity. It poses an interesting thought experiment: in the extreme, if all the processes in a bank were disaggregated into their specialist parts, which parts would we call “the bank”?
The second risk is, in some sense, the opposite – the systemic risk of an ostensibly large and diverse number of entities all dependent on just a few unregulated providers for critical services, creating a substantial concentration risk and increasing the threat of contagion in the event of a service failure.
Another challenge could come from the so-called TechFins – large technology companies moving into financial services. I am sure most of this audience would have balances in some form of digital wallet with these companies, allowing us to transact, albeit within the confines of the company’s offerings. Although these offerings are not banking, we are getting close to the point where it may be possible to offer banking without being a bank. Indeed, at least in concept, it is not inconceivable that a provider of transactional payment services in Australian dollars could emerge that does not have any presence in Australia. This will clearly test regulatory statutes and frameworks, which are built on the concept of a single authorised legal entity with a domestic physical presence, undertaking the bulk of critical services in-house. But if, like Uber, consumers flock to the service, can the law stand in the way?
Like everyone in the industry, APRA recognises change is coming. But sadly, our crystal ball is as cloudy as everyone else’s. Without clarity as to how the industry will evolve, our goal is to make sure we gather the skills and intelligence needed to be well-prepared to respond to whatever technology-driven changes lie just over the horizon.
First, we have already recognised that applicants for new banking licences may not fit the traditional mould. We have therefore established a new licensing regime to provide for easier entry – but not lower standards – to the banking system for applicants with unconventional or non traditional business models. The goal of the new Restricted ADI regime is to allow applicants to commence limited banking business while still developing their capabilities and resources. Importantly, it also allows APRA to learn about, and gain comfort with, new ways of doing things. In this way, entry into the banking sector is facilitated without materially lessening entry standards that serve as important protections for the Australian community.
Along with our colleagues on the Council of Financial Regulators, we are also announcing today a review of the regulatory framework for purchased payment – or stored-value – facilities. This potentially covers facilities from prepaid cards to services that are bank-like, such as digital wallets. APRA only regulates one such company at the moment, but there are a number of applicants in the pipeline with a variety of business models. As an area of considerable innovation worldwide and evolving international regulation, it is timely to review the Australian framework. I encourage you to participate in the consultation.
Internally, we are putting increased effort into ensuring APRA has the expertise, knowledge and technology in place to monitor and interpret the changing nature of the financial sector. We have established an internal Fintech Council to examine developments and trends in the fintech sector. Guided by the Council, we have stepped up our engagement with a range of players from outside the regulated sphere, such as Fintech Australia, the RegTech Association and InsureTech Australia. The purpose of this engagement is to create a dialogue with players in these emerging sectors to ensure APRA is up-to-speed with developments, and keep ahead of emerging issues that may cause regulatory challenges. We also appreciate the valuable insights we get from participating in ASIC’s Digital Finance Advisory Committee.
In addition, anyone who has read APRA’s latest Corporate Plan – don’t worry, I won’t ask for a show of hands! – will have noticed one of APRA’s key strategic priorities over the coming years is to broaden our risk-based supervision. In our 20 years of existence, APRA’s regulation has been firmly founded on entities: ADIs, general insurers, life insurers, private health insurers and superannuation trustees. As the lines defining what is and is not a financial services company increasingly blur, supervisors may need to focus on functions, rather than companies. I refer to this change as shifting from supervising entities to supervising ecosystems. Another example is APRA’s data modernisation program, which commenced in 2017 and has already begun to enhance our capabilities, harnessing modern technology and analytics to help us spot trends and emerging prudential threats. The pace of technological change also raises questions about employee capability, and we are mindful of ensuring we continue to possess the right mix of skills and expertise for us to keep pace as the financial sector evolves. Just like the entities we regulate, that increasingly may mean partnering to find certain specialist skills or technical expertise.
There is no shortage of curiosity as to the impact of technology on the future of the financial sector. But prominent organisations and regulators that have released reports on the subject – the IMF, the World Economic Forum, the Basel Committee on Banking Supervision – are (unfortunately) largely unanimous in their conclusion: it is too hard to predict.
Right now it seems inconceivable that any of Australia’s big banks or major insurers might not exist at some future point. But the same was no doubt once said about dominant companies such as Remington typewriters, Kodak, or Blockbuster Video. Not every financial sector business or business model will navigate their way through the intense period of change we are experiencing, but so long as they are operating, APRA will insist that they are operated in a safe and sound way for the community. However, I’d stress that by stepping up their investment in operational and information security infrastructure, entities are not only fulfilling our prudential expectations; they are also giving themselves the best chance of not ending up on a list of once iconic but now extinct brands.
For APRA, technology also means change: changes to the business models of the entities we supervise will necessitate changes to the way we go about our business. The only thing I am certain of, however, is we will need to do things differently in future.
But I am certainly curious to see how it will all play out!
Technology that is end-of-life, out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer (or may be unable to) effect change.