Andrea Enria, Chair of the Supervisory Board of the ECB, at the Banking Seminar organised by De Nederlandsche Bank, Amsterdam, started her speech by saying: In 1995, the inventor of Ethernet, Robert Metcalfe, boldly predicted, and I quote, “the internet will soon go spectacularly supernova and, in 1996, will catastrophically collapse”. It seems that technological progress is hard to predict, even for experts. More than twenty years later, I feel fairly safe in predicting that we face a binary future. We face a binary future in the sense that ones and zeros will play an ever bigger role in our lives. The world will become even more digital. The world of finance is no exception; banks, too, face a binary future – one, they adapt; zero, they perish. That said, it is hard to predict exactly how digitalisation will change the business of banking and the structure of the market.
I could make bold predictions, of course, but I don’t want to be quoted in a speech, twenty years from now, highlighting how wrong I was! So today I will simply offer you a few thoughts and observations.
Digital opportunities and how to seize them
Let’s start somewhere unexpected: sub-Saharan Africa, a region where financial infrastructures have not yet been well developed. Looking at the number of bank branches and ATMs, this region still lags far behind. But in the use of electronic money, sub-Saharan Africa leads the world. A quarter of all adults in that region hold a mobile money account, compared with only 10% of adults in Europe. So does sub-Saharan Africa offer us a glimpse of the future? Are we heading towards a banking sector that is mostly digital and mobile? Many people think we are, and I would tend to agree.
That said, the circumstances in Europe and Africa are quite different. As I said, financial infrastructure in Africa is patchy. There are big gaps, waiting to be filled by innovation and plenty of scope for leapfrogging into the future. Europe, by contrast, has a well-developed financial sector, populated by well-established banks. While this does not preclude structural change, it may well slow it down. Still, European banks have begun to implement a range of innovative technologies. Prime examples are artificial intelligence, or AI, for analysing big data, mobile wallets and cloud computing.
Let’s look more closely at AI and big data. One could say that data has become the raw material of the digital economy. In a sense, data equals power. But having a big mass of data is of little use without the ability to analyse it in a meaningful way. And this is where AI comes in. Machine learning offers a range of new tools for analysing huge amounts of unstructured data.
Big Data and Artificial Intelligence
Together, big data and AI can serve many purposes. Think of credit scoring. Here, the new tools help banks assess credit scores for clients with a limited credit history, they help them improve consistency by limiting human bias, and they help them do all this at low cost. In short: AI and big data help banks overcome information asymmetries quite efficiently. So digitalisation offers many opportunities. It can help to standardise and streamline processes, to develop new products and win new customers, and to provide better services to keep existing customers happy. So it can cut costs while boosting revenues.
But in order to reap these benefits, banks still need to do more. And they are under mounting pressure, as new competitors are pouring into the market. First to enter were fintech companies: tech-savvy, lean, small and agile start-ups, unburdened by legacy IT systems. And more recently, large tech firms have appeared on the scene: giant companies with access to vast amounts of data and a large customer base.
New players take over the market?
So banks might be squeezed from all sides. How this will play out is very unclear, though, and it can still go either way. New players might take over the market, pushing traditional banks out, or traditional banks might adjust, team up with new players and thrive. Many scenarios are conceivable, but we simply don’t know which one will materialise. For now, the new players seem to be focusing on specific parts of the value chain. They are mostly active in payments and retail banking.
In any case, it is not up to us supervisors to steer the market in one direction or the other. We are neutral on technology. But one thing we are not neutral on is risk. And any innovation might create new risks, digitalisation and digital business models being no exception. So let’s now turn to the relevant risks and look at how they can be mitigated.
Digital risks and how to mitigate them
One risk is quite obvious: the more business models become digital, the more important IT systems will be. In turn, IT problems will have a greater impact. And I am not even talking about cybercrime, but about regular IT risks. This is a valid concern: many banks still use rather outdated and fragmented IT systems. The more outdated and fragmented they are, the more prone they are to failure. So first and foremost, banks need to modernise, simplify and streamline their IT systems. If they fail to take this step, they will run into trouble further down the road.
But cybercrime is of course another relevant risk. The speed at which weaknesses in IT systems are detected and exploited is alarming. For euro area banks, losses from cyber incidents have so far been limited, leading mostly to just a short disruption of service. So might the risk be smaller than we think? I wouldn’t bet on it. First, many of the incidents were covered by media, putting the banks’ reputation at stake. Second, just because losses have been small so far does not mean they will be small in future. The big heist might already be in the making.
Against this backdrop, banks need to ramp up their safeguards. They don’t need to draw up sophisticated defence strategies. First, basic steps can go a long way: install the latest updates, properly manage access rights, use strong passwords, make backups. Such mundane tasks are often neglected even though they are crucial. Second, one of the weakest links is not technical, but human. A lack of staff awareness is one of the most significant weaknesses at euro area banks. Cyberattacks often start with a phishing email sent to unsuspecting staff. Banks must raise awareness and provide relevant training. Again a rather mundane exercise.
New risks emerge
But not all risks are IT-related. Digitalisation might also affect funding. New digital tools allow depositors to switch banks by clicking a few buttons. So competition is more intense, which is good. But, at the same time, deposits have become a less reliable source of funding, which is not so good. So new risks emerge and banks have to deal with them. The next question is whether these risks might go beyond individual banks. Could they become systemic? Yes, indeed they could.
The current trend seems to be to “slice and dice” the banking value chain. Each small piece may be occupied by an individual player – a bank or fintech. This, of course, leads to a new level of interconnectedness. More players are on the stage, forming complex and opaque networks. A problem in one part of the value chain could travel in all directions, affecting many players. In the worst case, it might trigger a systemic crisis. This is not the only potential systemic issue; another such issue is concentration. Digital services, such as cloud computing, might be offered by just a few players. If any of these players were to get into trouble, a huge number of banks might be affected, possibly unleashing a systemic crisis.
So some risks are new, and some have been heightened by digitalisation. Banks clearly need to build up relevant expertise and knowledge and establish adequate governance structures and proper risk management practices. All this is not new; it just needs to be adapted to the digital age.
Regulators and supervisors
And what about regulators and supervisors? Well, as I said: we are technology-neutral, but we are not risk-neutral. We cannot stand idly by. However, dealing with innovation is a challenge for regulators and supervisors. First, we must strike a balance. We must neither restrict innovation, nor let it run wild. We need to monitor innovation, assess any new risks and then tackle them head on. In doing so, we must adhere to a core principle: “same risk, same rules, same supervision”. This brings us to the perimeter of regulation and supervision. Should we extend it to include fintechs? Well, in my view, we should focus on the essence of banking: taking deposits and granting loans. This is how banks are defined in the regulation, and this is what defines the perimeter. Even if fintechs have ventured into banks’ territory, they have not fully taken up the essence of banking. While they compete with banks in parts of the value chain, they may not necessarily need to be licensed, regulated and supervised like banks. In that sense, the perimeter is clearly defined. But we need to keep a close eye on the boundaries and see whether they may need to be adjusted at some point. As soon as fintech companies engage in core banking business, they must be treated like banks.
They would first need a licence. In preparation, we have published a guide on licensing for fintechs. This guide explains how the ECB assesses licence applications and focuses on the aspects that are most relevant for banks with fintech business models.
Single Supervisory Mechanism fintech hub
To supplement the guide, in 2017 we set up a Single Supervisory Mechanism fintech hub. This hub is a central point of contact for the ECB and the national supervisory authorities on all things concerning the authorisation of fintech banks; it serves as a platform for sharing information and discussing best practices. As fintech banks might come under the scope of banking supervision, we need to tackle the relevant risks. And we are indeed tackling them. We have been monitoring IT and cyber risk since the early days of European banking supervision. In recent years, we have conducted a number of in-depth reviews to better understand the scope of the problem. We have also been conducting frequent on-site inspections on IT risk and cyber security. This helps us obtain a clearer picture of the specific issues that banks face and their particular vulnerabilities. We have also set up a cyber incident reporting process through which banks report significant incidents to us. We can therefore track actual incidents which might harm individual banks or the entire system. The information gained also allows us to track trends and spot common vulnerabilities.
But we also hold more general discussions with the national authorities and the European Banking Authority on how to supervise fintech banking. This joint approach is crucial. As fintech is a new phenomenon, we have the chance to take a common European stance right from the start. Our goal is to liaise with all stakeholders. In April we will, for instance, hold a workshop on fintech supervision. This workshop will bring together many different parties, including market authorities, bank supervisors, legislators and the banks.
What’s in it for supervisors?
So far, discussions on digitalisation have mostly centred on banks. But the new digital tools are open to anyone, us supervisors included. We, too, can benefit. After all, data are an important input to our work – that’s why we burden banks with so many reporting requirements. And here, the new tools could help; they could help us and the banks, in fact. Automated reporting, for instance, could ease the burden on banks and allow us to collect data more efficiently. At the same time, machine learning could help us to validate – and even analyse – the data. We could then become even faster in spotting new risks and dealing with them. So, supervisors have much to gain. And against this backdrop, I am happy to be here at DNB. DNB is very active in the field of supervision technology – or SupTech as it is known. I am truly impressed by the breadth and depth of the work that is being undertaken here.
Lab to explore new technologies
DNB has set up an innovation lab to explore new technologies and a Chief Innovation Office to coordinate SupTech initiatives. More concretely, DNB has lab-tested tools such as AI and Robotics Process Automation, including the use of neural networks to detect liquidity risk. This work should inspire other supervisors to follow suit. At the ECB we are also working on this topic, of course. Across the institution, we assess how digital tools can help us to do our job more effectively and more efficiently. Supervising banks is no exception. But working on such innovations in isolation will not take us very far. It is crucial for us to exchange views and share first experiences – with all stakeholders and at the global level. That’s why we attempt to connect with as many stakeholders as possible.
I clearly see the benefits of SupTech. But I am also still a supervisor, trained to constantly watch out for risks. And there are risks that we must keep in mind. Just think of the legal risks that could arise when we start to handle ever-larger amounts of sensitive data. So, when we supervisors start to apply digital tools, we ourselves must be as cautious as we expect banks to be.
But despite these words of caution, I think the time has come to harness the opportunities offered by SupTech. I am convinced that it will become part of our toolbox – not as a substitute for supervisory judgment, but as a complement to it. Our future is binary too.
The future is binary in the sense that the world we live in will become more and more digital. And we will use mobile and online services for more and more purposes – including for our financial affairs. So banking might eventually become an almost entirely digital business. What this means for banks is not clear, though. It mostly depends on how they deal with new technologies and how they approach the new players that have entered the market. But to be clear: this is not a battle between traditional banks and fintechs. Cooperation is also a conceivable scenario.
Regulators and supervisors have to react to such changes. But we must acknowledge that, essentially, the digital world is still quite similar to the analogue world. While we certainly have to address new risks, we must not throw all our rules, methods and principles over board. At the same time, we too should seize the opportunity to apply digital tools to make us more effective and more efficient. So, the future awaits. And while it is easy to get it wrong, it is still possible to get it right. Referring to his invention, Alexander Graham Bell predicted in 1917 that “this achievement surely foreshadows the time when we may be able to talk with a man in any part of the world by telephone and without wires.” And look where we are now.