The events of this month, which affected key institutions in over 150 countries, have elevated cyber security as a priority issue.
Regulators already had cyber security on their list of priorities for firms, but it is now regarded by all as a key systemic risk for the financial services industry. Firms need to take action and to be able to demonstrate to regulators that their systems and processes are fully up-to-date, at the same time as embracing new technologies. KPMG member firms can help.
Technology can have positive effects: it can bring efficiencies in financial transactions, for example, and help firms and regulators meet the increasing demands for data, including from fiscal authorities. However, innovation is causing regulators to question whether existing rules and supervisory approaches are fit for purpose. These questions add to prior concerns about cyber security, money laundering and terrorist financing, which have been amplified in the light of recent cyber-attacks.
Regulators recognise the benefits of new technologies and are seeking to accommodate them. For example, the Commission has made provisions for the use of FinTech in existing legislation, including in MiFID II, the Payment Services Directive and EMIR. And in March 2017, it issued a consultation paper on the development of its policy approach towards technological innovation in financial services. It is seeking “a genuine technology-enabled single market for retail financial services”.
National regulators are, in the main, trying to facilitate the roll-out of FinTech in their jurisdictions, as evidenced by the growing numbers of national “sandboxes”, or safe spaces which provide potentially ground-breaking technologies with the support to test new ideas, often without imposing all the normal regulatory requirements.
However, even before the recent attacks, caution was increasingly being expressed about the need to address the risks in the new technologies, as well as their benefits. In a speech in January 2017, the FSB chair, Mark Carney, warned that some innovations could generate systemic risks through increased interconnectedness and complexity, greater herding and liquidity risks, more intense operational risk and opportunities for regulatory arbitrage. This may require a more intense focus on the regulatory perimeter, revised prudential requirements, more broad-ranging resolution regimes, and a more disciplined management of operational and cyber risks. The FSB is currently investigating the risks of FinTech and will present its findings at the G20 meeting in July.
Distributed Ledger Technology (DLT), for example, is a potential game changer. It has huge potential implications for settlement, and for firms’ back and middle offices. The technology aims to prevent fraud by using a public digital database that is continuously maintained and verified by the other computers in a chain of transactions. However, as yet, the technology is largely untested and this worries regulators.
The ECB’s committee on payments and market infrastructures said DLT could pose new risks to the financial system, including potential uncertainty about operational and security issues. Its report also cited potential legal and operational obstacles: “Having many nodes in an arrangement creates additional points of entry for malicious actors to compromise the confidentiality, integrity and availability of the ledger”.
ESMA has also consulted on the application of DLT, aiming to identify its benefits, risks and challenges in securities markets, and ways of addressing the risks. ESMA identified possible benefits in clearing and settlement, record of ownership and safekeeping of assets, reporting and oversight, reduction of counterparty risk, efficient collateral management, continuous availability, security and resilience, and cost reduction. DLT might also be used to enhance pre-trade information and the matching of buyers and sellers. Key risks identified by ESMA are cyber, fraud, money laundering, operational, herding behavior (increased market volatility) and unfair competition.
The ESAs published an opinion in March 2017 on the risks of money laundering and terrorist financing, which found that problems exist in firms' understanding and management of the risks they are exposed to. It also said there is a lack of timely access to intelligence that might help firms identify and prevent terrorist financing, and considerable differences in the way national authorities deal with it.
It is clear that European and national regulators now regard cyber-resilience as an imperative, for firms of all kinds and all sizes. Firms need urgently to review their current systems and processes against state-of-the-art standards and best practice, and speedily introduce necessary improvements.