2241.FNT104

Fintech and Techfin are similar terms that refer to the intersection of technology and finance, but they are often used in slightly different ways.

Fintech generally refers to the use of technology to improve and automate financial services. This can include a wide range of products and services, such as mobile payments, online lending, and robo-advisory services.

Techfin, on the other hand, is often used to refer specifically to technology companies that are entering the financial services space. This can include companies like Apple, Google, and Amazon, which are developing financial products and services such as digital wallets, credit cards, and insurance.

In summary, Fintech refers to the use of technology in the financial services, while Techfin refers to the technology companies entering financial services space.

Regtech (Regulatory Technology) refers to technology solutions that help financial institutions comply with regulations, reduce compliance costs and manage risks. This can include solutions for compliance management, anti-money laundering (AML), and know-your-customer (KYC) requirements. 

Suptech (Supervisory Technology) refers to technology solutions that are used by regulators and supervisors to monitor and oversee the financial industry. This can include solutions for data collection, analysis, and surveillance, as well as tools for on-site inspections and risk assessments.

In summary, Regtech focuses on technology solutions to help financial institutions comply with regulations, while Suptech focuses on technology solutions that help regulators and supervisors identify and address risks and potential issues within the financial industry.

There is no doubt that Financial Services is a highly regulated industry – and for good reasons, as it is the lifeblood of our modern economy and because it deals with people’s life savings. 

Many people, especially in the tech world, see regulation as a nuisance – a necessary evil – something that at best needs to be reluctantly complied with.  This is partially true – compliance with applicable regulations is tedious and requires a lot of work.

However, from a strategic point of view this is not necessarily a bad thing: to the extent that a company is better able to navigate the regulatory environment than others, this can and does provide a competitive advantage.

Because of their very nature, FinTech companies need to deal with regulatory compliance in each and every market in which they operate.

Compliance being costly is one thing, but from a scaling point of view what is more important is that regulatory compliance means delays: even before the first customer interaction takes place, a company has to ensure that it can comply with the applicable requirements, document this, and then seek approval or registration in the relevant jurisdiction.

This process can be very time-consuming, especially if approached the wrong way, and the more regulatorily nimble competitors will leapfrog FinTech companies that are seeking regulatory compliance as an afterthought rather than a core strategic skill.

Whilst there is a general belief that markets work well in most instances, there is also an understanding that there are market failures, and as history has proven itself time and time again when markets are left to themselves it can lead to suboptimal or bad outcomes.

In many cases, market failures can be traced back to the fact that one party is better informed than the other one – not because they have failed to do their homework, but because structurally one party to the transaction finds it impossible or at least very expensive to acquire information that the other side has.

This is why we need to have regulation in place that is beneficial to both parties – we call this Beneficial Regulation.

Financial services are complex, so let’s start with an example where the market failure is very obvious: Taxi services.

First let's define the service, the classic street-hailed taxi service where a customer must go from point A to point B within that city. Being at point A they'd therefore go to the closest busy street, or to the next taxi stand, and take a taxi to point B.

What the customer wants is to get there (a) unharmed, (b) reasonably fast, and (c) at a reasonable and predictable cost.

Unfortunately, if the customer just stands next to road waving his hand and a car stops, he will not have the information that would allow him to assess the points (a)–(c) above.

For example, he'd like to know that the driver is sufficiently capable and not a psychopath, and that the car is safe in order to assert (a). To assert (b) he'd want to driver to be sufficiently skilled in navigating the city, and to assert (c) he'd either need to know that the driver is honest, or would need a benchmark to assess what is a fair price.

It is interesting that technology changes how those constraints can be addressed.

For example, since GPS units have become ubiquitous, being able to navigate the city is no longer a big issue, and even non-residents can assess the length of a trip, and whether or not the price demanded is fair. However, ignoring the fact that nowadays it is possible to quasi-street-hail taxis using a smartphone app, the issue of a honest and skilled driver with a sufficiently safe car remains: when a car pulls up at the kerb or waits at the taxi stand, the potential passenger has no means of getting all the information he needs.

That is the fundamental market failure in taxi services, and in the absence of a mechanism to address this, potential customers might find it too dangerous to take a taxi, and therefore a mutually beneficial deal would not happen.

There are fundamentally two different ways in which this can be addressed:
Reputation and Regulation.

In countries where taxis are not well regulated one tends to have large taxi companies that dominate the market.

For example, when I was in Jakarta a few years ago, I was strongly advised to only use cars of a specific company, and to always order a car by phone, lest rogue drivers manage to get hold of a car of that company.  This is also why you hear announcements at our own Toronto Pearson Airport constantly reminding tourists to hail cabs only from designated spots.

One impact of this was that it was rather difficult to get a cab when not in a location where some trusted friend or an honest concierge could order a car, and the company was able to charge premium prices because they had a quasi-monopoly on vetting reliable drivers.

In most cities of the world, Taxis are regulated.

They are easily identifiable as taxis, and both the car and the driver must be in possession of a valid licence. Licensed taxis are equipped with an official meter that both the customer and the driver can see, and that is the sole basis for the fare that will be due at the end of the ride. The taxi meter is regularly verified to ensure that it works correctly, and police makes spot checks on taxis in operation and fines offenders who do not comply with the aforementioned requirements.

In this environment, customers do not have to worry whether or not a taxi they hail in the street conforms with the requirements (a)–(c) discussed previously.  Thus, provided the car is a licensed taxi, the customer can be assured that both the driver and car are vetted and that he or she therefore does not need to worry about taking this taxi. 

In short, the Taxi’s fundamental market failure has been addressed.

With the previous example of Taxi services - we saw that information asymmetry can lead to a market failure in the market for street-hailed taxis, meaning that the market breaks down because potential customers may not be comfortable with their potential providers and therefore may not engage in taxi commutes.

In financial services the situation is similar: for example, it is impossible for individuals to assess the strength of financial institutions, and therefore:

• they might either not deposit money with those institutions, or
• withdraw it at the first sign of distress

Either of the above constitutes a financial market failure.

Historically, we have seen two mechanisms that can be deployed to get around this financial market failure:

• services are provided by companies whose size and market share are sufficient to allow them to develop a strong brand; these are able to charge premium prices. 
• services are provided by small companies, and there is a small number of private authorities who vet the providers and have a brand strong enough to support this.

In the early days of banking, banks mostly employed the first solution, i.e. brand and reputation was the major means of addressing this issue. A testament to this are the splendid branches that banks built to credibly signal the financial stability and solidity.

In modern banking there is also an element of the second solution, in that all major banks are rated by reputable rating agencies, and in the major developed economies such as ours: most banks are rated AA, or at worst A.

However, whilst rating agencies are an important data point in assessing the creditworthiness of a bank, in practice ultimately the only way to ensure that people leave their deposits with banks even in times of distress seems to be to make sure that:

• the banks are tightly regulated and risk is at an acceptable level, and
• deposits are insured, and there are sufficient business continuity procedures in place to ensure that the distress does not spread through the financial system.

Whenever an industry is regulated this fundamentally alters its strategic landscape.

The strategic impact of regulation cannot be understood generally, but must be analysed on a case-by-case basis.

For example, in markets with natural monopolies – e.g. utilities or transport - regulation is often the only way that competition can be maintained. In other markets, the purpose of regulation is not competition, but, say, customer safety or systemic stability, in which case regulation is more often than not an additional barrier to competition.

One universal truth, however, is that in regulated environments, being able to play the regulatory game well is a key competitive advantage, especially for new entrants trying to break into an existing market. This is doubly important for tech companies, where the focus is on being able to scale quickly and efficiently, and where regulatory moats can be both an opportunity for those who are on the right side of them, and a hurdle for those who are not.

All regulation, even when it is meant to increase competition, creates moats.

Moats are good for companies, at least for those whose strategy means that they find themselves on the correct side of it. In an established business, the moats protect the incumbents. In a fast-changing yet highly regulated business segment, creating and taking advantage of regulatory moats can be key to becoming the new incumbent.

This is very important to understand: whilst regulation is a barrier to doing business, regulation is not necessarily bad for businesses, at least not for those businesses who find themselves on the right side of the moat.

This is even the case when it is bad regulation: customers might pay more or receive a worse service than if the regulation was better or not present, and the market size might be reduced, but a specific company using that regulation to its advantage might still find itself in a very comfortable situation.

It is in the nature of Regulators to be reluctant.

Regulators have a duty to protect markets, and those markets typically require protection because they are important for the overall economy and/or for a significant part of the population. Also, whilst those markets in their regulated state might not be perfect, they tend to work sufficiently well. In that environment, innovation poses an asymmetric risk: the downside is destroying something that is essential in peoples' lives, whilst the upside is an incremental improvement whose value, even if it works, is often uncertain and not yet well understood.

Thus, regulators have a natural bias towards being reluctant and not rocking the boat.

In addition, regulators are typically underfunded and stretched, and their personal incentive structure is even more asymmetric as they'll get the blame if things blow up, but not much of the credit for marginal improvements.

There are two fundamentally different  cultures within the regulatory community, a permissive culture and a pre-approval culture .

Under the permissive culture, regulators are more comfortable with companies going ahead and doing new things, to be regulated (or not) eventually.

Under the pre-approval culture, regulators expect everything that might need regulation to be pre-cleared from the beginning.

Those cultures can also temporarily shift, for instance when markets are perceived as not working as they should. An example for this would be the period after a financial credit crisis. In such an environment , regulators are often eager to help new entrants to enter the market, for example by treating them more leniently than proportionate regulation would imply, or by actively helping them, e.g. in a regulatory sandbox environment.

Those episodes where regulators are eager are typically temporarily and geographically limited. Being in the right place at the right time when this happens is very important.

As long as business scale is below the regulatory scale, incumbent businesses experience economies of scale when dealing with regulation. Hence, regulation creates a moat.

Active regulatory strategies can reduce or increase this moat. At the lower end, the moat is reduced if there is a proportionate regulatory regime in place; at the upper end, a certain moat is maintained if there are passporting or equivalence regimes in place, or at least some common regulatory rules that allow large players to reap economies of scale across multiple regulated markets.

The underlying reason here is that compliance costs do not scale much with the business volume, i.e. they have a significant fixed component. For example, bank regulators might require certain reports. The actual work of crunching the numbers for the report is done by a computer, and the cost of running a report pales against the cost of programming the computer. Regulatory compliance usually imposes a high fixed cost, and this creates moats.

Proportionate regulatory regimes acknowledge not only that there is this high fixed cost component in compliance, but that it is often not necessary.

For example, rules that are meant to keep the overall system safe if a bank defaults can be safely ignored when regulating a small bank whose default can easily be absorbed by the system.

On the other hand, rules that are meant to protect the customers of this bank remain equally important, regardless of whether the bank is big or small. A proportionate regulatory regime would therefore allow small banks not to spend many resources on the first objective, but would not reduce the burden on the second one.

Things like common regulatory frameworks, equivalence and passporting regimes go the other way: they allow players present in multiple jurisdictions to reap some economies of scale, thereby benefitting from regulatory moats.

Common Regulatory Frameworks indicate that the requirements are similar—for example, a company might still have to submit reports to all their regulators, but all the reports can be the same or at least very similar.

Under an equivalence or passporting regime, the host (local) regulator assumes that the home regulator (where the company is based) does a good job and leaves the main regulatory burden with the home regulator.

The difference between equivalence and passporting is one of degree. 

• Passporting, in particular, is used in the EU where it refers to the unconditional right of businesses resident and regulated in one market to operate across the entire EU Single Market;
• Equivalence is an agreement between two regulatory jurisdictions that the two systems are currently equivalent, but that can be withdrawn at short notice.

Being a trailblazer is hard, in every business. It is hard to be a regulatory trailblazer, in terms of cost, effort, and time to market. The best position from a regulatory strategy point of view is that of a close follower, with the exception of where the trailblazer's business model has some hard-to-replicate features that they manage to slip into the regulation. Distant followers will find regulatory compliance the easiest as rules are already set, but their lack of scale and market share might hinder them.

Regulators will often lean on companies to do the leg work on that as they themselves lack the resources and incentives to do so. Once all those issues are resolved, however, regulators no longer need convincing, and the document requirement and regulatory frameworks are in place.  All a competitor has to do is to contact the regulators, and they'll guide them through the authorization process. There is a slight twist if the trailblazer can shape the regulation in a manner that plays to their own strengths and to their competitor's weaknesses, but this is very rare with a good regulator.

When regulation has not settled yet, precedents are very powerful. 

In descending order of power, key precedents are:

1. Someone else doing the same thing in the same jurisdiction, regulated by the regulator in question.
2. Doing the same thing, in a different jurisdiction, regulated by the regulator of that jurisdiction.
3. Similar regulation with a clear carry-over being in place in that particular jurisdiction, or in another one with sufficient reputation.
4. The possible regulatory concerns are understood and agreed, and there is a written regulatory draft framework that addresses them.
5. The business is up and running at a not-insignificant scale, and is well-liked by the public, and/or is in line with the current public opinion (e.g. ‘the financial system has failed us and needs to be renewed’).

Even in a passporting regime, the local regulations still matter, if not de jure then de facto, so all local regulators should be kept informed and on-board.

In passporting regimes - and in the weaker equivalence regimes of course - the local regulator will always be able to throw a spanner in the wheels if they feel that a company is not following local rules that they consider important, even if passporting means that they do not have to follow the rules.

If the local regulator is unreasonable, ultimately the regulated company will be able to rectify this when going through the appeals process, but this is a costly and lengthy process, and possibly not a good strategy for start-ups with limited resources.

The best strategy is usually to address such conflicts early on, and to comply with local regulatory demands where this is economically justifiable.

Jurisdictions within a passporting environment might offer two choices to start-up companies that are subject to regulation:

• compliance with a lightweight local framework, or
• compliance with a more complex cross-jurisdictional framework that can be passported.

This choice is ultimately down to individual circumstances, and should be given serious thought by the start-up's executives, ideally together with competent advisors.

The local regime probably allows for a quicker and less-costly time-to-market, and an easier pivot if need be.

The passportable regime, on the other hand, might save time scaling and, importantly, avoids the risk of getting stuck in a business model that does not scale.

Regulations are about addressing market failures.

There are a number of market failures in the financial services space, and it is useful to classify the different types of regulation according to the market failure that they are meant to address:

• Prudential regulation
• Market structure regulation
• Conduct regulation
• Public interest regulation

Prudential regulation: Micro‐prudential regulation addresses the issue that single institutions have incentives to take excessive risks, and macro‐prudential regulation addresses the same issue for markets as a whole; many of them have a tendency to operate in destructive boom and bust cycles.

Market structure regulation: Market structure regulation addresses the issue that markets are not operating optimally, e.g. because of asymmetric information.

Conduct regulation: Conduct regulation addresses the issue that customers are not able to properly assess the respective risks and rewards of financial products, and that they can't see ahead of time who'll treat them fairly once they are tied in.

Public interest regulation: Public interest regulation addresses the issue that the financial system can be used for illicit purposes, for example money laundering or terrorist financing.

The regulation that is meant to ensure the safety of financial institutions and financial infrastructure is commonly known as prudential regulation.  Prudential regulation can be further classified into micro‐prudential and macro‐prudential.

The former deals with the stability of individual institutions without considering their context, and this was the main focus of prudential regulation before the crisis. Up to that point it was widely believed that if all banks are considered safe, then the system can be considered safe as well. Since then, regulators have realized that this is not necessarily the case. To give an example, banks might choose to hold a portfolio of reasonably liquid assets in case they run into liquidity problems, and regulators might consider this sufficient, given the liquidity they see in the market. However, if many banks hold similar assets, and if there is a general liquidity stress, all companies might all try to sell those securities at the same time, and they might find that markets seize up. Macro‐prudential regulation is meant to discover and address those risks.

On the micro‐prudential side, regulators want to ensure that individual institutions are safe and well run. For banks, for example, the major prudential requirements are that:

• they hold sufficient capital to be reasonably certain that depositors and other senior liability holders don't suffer any losses in case of distress
• they hold sufficient liquid assets to be reasonably certain they will be able to repay obligations when they come due
• they competently assess, manage and mitigate all risks they face, including operational risks. This includes business continuity planning as it is important that a bank failure does not interrupt the business for their customers.

It is crucial for a Fintech start‐up to understand the regulations that apply to their regulated competitors. Also, for early‐stage Fintech companies there is a real risk that companies cease operations, so regulators expect contingency plans in place that allow for an appropriate level of business continuity.

Macro‐prudential regulation is about protecting the interconnected system as a whole, not individual players.

Size matters here: macro‐prudential regulators will usually ignore an institution that has only a few thousand customers - or even a few ten‐thousands of customers for that matter - and similarly they are likely to ignore individual start‐ups if their business volume is insignificant in the overall scheme of things.

The toolkit of macro‐prudential regulators is mostly analytic - they collect and analyze data, and if they have specific concerns they ask for specific reports, or for stress tests under scenarios they are worried about.

Another important tool is living wills and resolution plans: for companies that are considered systemically important, regulators may ask for a detailed plan as to how they can be wound down without risk to the overall financial system. It is similar to a business continuity plan but is more detailed and is created in close interaction with regulators.

Market structure regulation is about making sure that markets are as close to being efficient as is reasonably possible. The main issue to address here is usually information asymmetry in its various guises.

Market structure regulation tries to address the situations where some participants are in a structurally superior position. For example, it outlaws insider dealing, i.e. it makes it in many cases a criminal offence to trade a security when in possession of material non‐public information. Other regulations ensure that players do not have different access to key market information, for example that some players are not allowed to see orders significantly earlier than others, or also that companies must release information such as annual reports or ad hoc messages to all investors at the same time.

It also addresses natural oligopoly issues that often arise in financial services, in part because of regulatory moats.  Thus, in order to ensure competition, regulators can require access to key infrastructure on fair and non‐discriminatory terms, thereby allowing the smaller players to compete with the larger ones.

Financial markets are both important and complex for many people to understand.

Conduct regulation is in place to ensure that customers are treated fairly. 

What this means depends on the exact regulatory regime in place - some are more protective than others - but the principle is that customers should be put in a position to make informed decisions with respect to their finances. For example, some jurisdictions might simply require customers to be provided with sufficient information, others might require the financial services company to ensure that their customers understand the information they have been given.

Conduct regulation also includes data protection and privacy rules that regulate what level of protection customers can expect by regulated institutions and their partners in this area. This is important as customers are not in a position to audit their provider’s systems and processes in this respect, and might not even be able to ascertain whether or not the protections provided in a company's terms and conditions are adequate.

Financial institutions' conduct is also regulated for the common good, for example for crime prevention and similar public policy purposes.

The key areas covered with those regulations are:

• Anti Money Laundering (AML)
• Combat Terrorist Financing (CTF)
• Anti‐Bribery Corruption (ABC) - includes Politically Exposed Persons (PEP) processes.

All of the above enlist financial systems as a deputy in the fight against crime, corruption, and terrorism, and also to support politically motivated actions, in particular embargoes.

The central element in all those processes are the Know Your Customer (KYC) rules: financial institutions must know their customers - and where necessary the ultimate beneficiaries behind their customers - to assert whether or not flows of funds they observe correspond to legitimate activities, and that the persons involved do not appear on any of the relevant lists.

Know Your Customer (KYC) is the process of obtaining information about the customer and verifying their identity.

The scope of identity information to be obtained varies by jurisdiction.

Usually, businesses need at least the following data:

• Name
• Date of Birth
• Address

During the verification process, customers provide businesses with certain credentials, such as their ID. It’s on the businesses to ensure that submitted documents aren’t fake and that customers are who they say they are.

AML is a series of measures and procedures carried out by financial institutions and other regulated entities to prevent financial crimes. For regulated businesses, this includes analyzing customers and their transactions, recordkeeping, reporting to AML authorities on suspicion of money laundering, and so forth.

Regulated businesses must develop their AML measures under the AML regulations of the country or region they operate in. Here are some examples from across the world:

• The Money Laundering, Terrorist Financing and Transfer of Funds Regulations in UK
• The Anti-Money Laundering Act in Germany
• The Payment Service Act (PSA) in Singapore

In Canada, the federal government introduced anti-money laundering (AML) and anti-terrorist financing (ATF) legislative changes, as recently as in April of 2022. The changes came into force on April 5, 2022.

AML involves a broad range of measures, usually referred to as an AML compliance program. KYC is just one component of this program, and is therefore a subset of AML.

AML program requirements can vary across jurisdictions. But, usually, they involve:

• Customer Due Diligence (CDD)
• Enhanced Due Diligence (EDD)
• Risk assessment
• AML policies and internal controls
• Ongoing monitoring
• Suspicious activity and transactions reports
• AML compliance officer appointment
• AML training programs for staff

During the CDD procedure, businesses must identify and verify customers—in other words, carry out KYC checks and define customer risk profiles.

AML compliance, including KYC, is mandatory for regulated entities but its scope varies across jurisdictions. Usually, this includes:

• Financial institutions
• Credit institutions
• Insurance companies
• E-money institutions
• Payment institutions
• Virtual Assets Service Providers (VASPs)
• Gambling service providers
• Art dealers, etc.

VASPs fall under AML regulations in many countries, including the Canada, USA, UK, France, Singapore, Japan, South Korea, and others. Whereas, in some other countries, VASPs aren’t yet even written into law, or are banned altogether.

KYC/CDD is required in a number of cases described by national AML regulations.

Usually, they include, but are not limited to, cases when the client:

• Establishes a relationship with a business for the first time (for example, opening an account at a bank or crypto exchange platform)
• Makes a transaction exceeding the amount defined by AML regulations
• Poses suspicions in relation to money laundering/terrorist financing

Businesses can implement either manual (performed by a human compliance team) or automated KYC/AML checks. Automated KYC/AML and sanctions screening solutions reduce the risk of losing applicants by increasing pass rates. By automating KYC, businesses obtain customer identity data through online identity verification. This process can occur on a mobile or web platform, and usually involves 5 steps:

1. The user selects their ID document type
2. The user uploads photos of their document
3. The KYC platform screens and validates the document
4. Users upload a photo of themselves holding the document
5. The KYC platform verifies that the user is a real person

Automated KYC procedures can also include biometric checks. An example is: liveness, which is a face authentication process that verifies whether the client is a real person.

Automated AML and sanctions screening solutions are beneficial in terms of costs and efficiency. They reduce manual work and protect businesses from crime by getting reliable data from trustworthy sources, such as:

• PEP (Politically Exposed Person) lists
• Sanctions lists
• Watchlist
• Adverse media lists

With automated AML solutions, businesses can build verification flows according to AML/KYC requirements in any given jurisdiction.

Banking, fintech, and crypto markets are the most vulnerable to money laundering and fraud. Effective KYC/AML processes can mitigate this by:

Lowering legal and reputational risks
By complying with AML laws, businesses can avoid hefty fines and other penalties from regulators while safeguarding their reputation.

Detecting fraudsters
In financial services, fraudsters not only use fake IDs, but apply a variety of sophisticated schemes, for example, money muling. By ensuring that only verified users can become customers, businesses can curb even the most innovative fraud attacks.

Improving user experience
When businesses optimize their KYC/AML flows according to applicant risk profiles, users don’t have to pass extra checks. This reduces drop-offs and improves user experience.

2241.FNT104