Are fintechs a systemic risk?

The fintech sector poses a growing risk to the financial system because it lacks the regulatory restraints put on banks, according to a new paper released Thursday by Federal Financial Analytics.

The paper argues there are threats in a number of areas related to fintechs and big tech firms, including the potential for credit discrimination and violations of consumer privacy. But the biggest hazard of all is monopolistic cloud providers. Financial companies and government agencies' dependence on these providers, which lack the same capital and operational resiliency requirements that are imposed on systemically important financial institutions, could prove to be a weak point that endangers the entire economy.

“What if, for example, not only the private financial system but the Fed also were reliant on a cloud service provider? Not only could the system blow but the Fed’s ability to interact with it could go, too,” said Karen Shaw Petrou, managing partner of Federal Financial Analytics and the paper's author, in an interview. “It’s a classic concentration risk, but it’s in the critical infrastructure.”

crisis-ahead.jpeg
Caution Sign - Crisis Ahead
Jim Vallee/Jim Vallee - stock.adobe.com

Petrou sees a parallel between the events leading up to the mortgage crisis of 2008 and what’s going on in fintech today.

“Industry regulators recognize there are significant benefits [to fintech innovation]; It’s not only really cool, but often really useful,” she said. “And everybody is afraid to monkey with it, much as in the run-up to the 2008 crisis, everyone was afraid to do anything meaningful about mortgage regulation because of the American dream of home ownership. Now we have an American ideal of technological innovation, but nothing is that perfect. Nothing is risk free.”

Fintech risks

The paper also examines the risk from fintechs' role in "virtualized finance," where a financial transaction is fully electronic from inception to termination, such as a Venmo payment.

“Virtualizing financial risk by housing it in fintech companies does not change the fundamental nature of actual risk,” Petrou wrote. “Most tectonic shifts of this magnitude end in earthquakes.”

Banks are required to attempt to make customers whole when there’s an electronic snafu, but fintechs are not so obligated.

“In a bank transaction, not only is there the equivalent of a paper trail... but there’s also legal liability,” Petrou said. “That’s a big issue when you get into virtualized finance with fintechs. Who is liable for what?”

One example could be Michael Terpin’s case against AT&T. Terpin says he had $24 million worth of digital currency stolen from his mobile phone by criminals who were able to trick AT&T store employees into forwarding Terpin’s communications to their cell phone (after reportedly trying and failing 11 times). In the case of erroneous money transfers, banks have to make customers whole according to Reg E. Phone companies are not subject to Reg E, however.

Because fintechs do not face capital requirements, they may not be able to withstand a massive fraud, Petrou said.

“When a regulated financial provider with capital at risk owns customer personally identifiable information or similarly sensitive data, it has the resources with which to make good on fraudulent, data breach, or similarly problematic transactions such as those for which current U.S. law assigns principal liability to the financial provider,” Petrou wrote. “In the event of large-scale disruption to a payment provider such as Venmo or to a non-bank payment service (e.g., Amazon), funds may be available for minor disruptions, but deep pockets for sustained losses are uncertain even at giant platform companies with no clear legal obligation to make customers whole in the event of system breaches or widespread infrastructure damage.”

There’s also the risk that fintechs could misuse customer data.

“Many fintech business models are based on or offered in concert with services that offer free products (e.g., contact networks, search capacity) in return for rights to use data in ways (e.g., monitoring browsing to price credit) little understood and often undisclosed to consumers,” Petrou wrote.

Fintechs can use this information to “up-price” financial products or “limit offerings in exclusionary or even discriminatory ways.”

Senators have suggested disclosure rules and opt-out rights for consumers, but Petrou said disclosures have long been an ineffective method to enhance consumer protection.

Such risks can be exacerbated by unregulated fintechs’ use of artificial intelligence in their decision-making, she said. This can lead to what Petrou calls "opacity" and some people refer to as the "black box" problem.

“Banks are required to keep careful documentation on and then to validate their underwriting and product-offering procedures,” she wrote. “Absent any effort by the Bureau of Consumer Financial Protection to assert authority, no such examination or documentation requirements apply to fintech services, making it difficult to evaluate systems to determine if problematic outcomes are the result of market factors or illegal and improper actions.”

A lack of transparency could lead to unseen forms of discrimination, she warned.

“The ability of platform companies to ‘micro-target’ offerings or financial-product advertisements to selected groups is also of significant concern,” Petrou wrote. “Online marketplace lending that uses credit underwriting models based on factors such as university attended are also likely to have very disparate impact on lower-wealth borrowers.”

A virtualized risk mitigation framework that applied equally to all parties would reduce these risks, Petrou suggested.

Fintechs often say they are already heavily regulated by state regulators, the CFPB and other entities, but Petrou said it's not close to the same as what banks face.

“They have no clue what heavily regulated means,” she said. “They think they are because they have to comply with state licensing requirements, but there’s no capital regulation, there’s no operational resilience regulation. The regulation that applies outside the banking model is largely around business conduct, i.e., do you have a criminal record. It is not prudential and nothing like what the banks have.”

The CFPB, the Commodity Futures Trading Commission and the Securities and Exchange Commission are not prudential regulators, she noted. They don’t pay attention to capital levels, backup, security and other areas where a failure could bring a company down.

The fixes

In her paper, Petrou acknowledged that “heavy-handed regulation suppresses innovation and efficiency, but light-touch rules premised on the need to advance innovation and competitiveness have a dismal record of stoking financial crises.”

One answer, she said, is to require fintech and tech companies to meet information fiduciary obligations. This means they would have to have “operational living wills” or plans for recovery and resolution in the case of something going very wrong.

“If you have critical infrastructure like cloud service providers — three firms on which the entire global financial ecosystem is coming to depend — regulators need to ensure it has the same operational resiliency or hopefully better than electric utilities,” Petrou said.

The information fiduciary responsibility would also include the need to protect customers’ data. This part might look something like the European Union’s General Data Protection Rule, with its requirements for data security, just-in-time consent, data portability and the right to be erased, among other things.

An information fiduciary would need to give consumers the opportunity to make an informed decision between getting a service free while giving away their personal data or paying for the service but keeping their information private, Petrou said. Such a model would also have to be enforceable.

“I have zero faith in good conduct pledges,” she said. “When there’s an enforcement risk, companies are much better at self-policing and risk management. When there’s no downside, there’s no reason to put costly risk management systems in place.”

More controversially, she argued that large tech companies that are a part of the financial services world should be regulated like water and electric companies.

“A utility regulatory model means you make money but you are required to operate in a sustained, durable way in the interests of your customers and the broader economy that depends on you,” Petrou said.

But though she sees the largest tech and fintech companies as the biggest threats, Petrou doesn’t give small fintechs a pass either.

“I want to be sure the small guys are still subject to robust anti-discrimination and equal access standards, including for the disabled,” she said. “Just because they’re little doesn’t mean they can pick and choose who they want to serve regardless of the various laws.”

Petrou’s aim, she said, is to “ring the gong” about a spectrum of risks from the potential for credit discrimination, unequal access in the provision of critical financial services, up to the potential for profound systemic disruption.

“I don’t think we’re thinking enough about them,” she said.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Fintech regulations Fintech Regtech Risk management Artificial intelligence Cloud computing Cloud hosting CFPB News & Analysis RegTech Conference
MORE FROM AMERICAN BANKER