by Vijay Singh Shekhawat^{^}, Avdhesh
Kumar Shukla^{^}, ACV Subrahmanyam^{^}
and Abhishek Singh^{^}

Bigtechs are uniquely positioned to alter the financial services landscape with their technological advantages, large user base, wide-spread use by the financial institutions and network-effects. This article presents a survey of the global regulatory practices in this domain which points to development of a framework that aligns both entity and activity-based regulations. However, with the increasing complex interlinkages between financial institutions and tech-companies, the regulatory frameworks need to keep up the pace with innovations to contain the vulnerabilities that may arise from the new risk propagation channels.

Introduction

The last two decades witnessed the meteoric rise of technology-centric companies both in the financial and non-financial domains. In the financial domain, the fintechs with their innovations have disrupted the traditional channels of financial intermediation, increased competition, and have altered the scope and scale for delivering financial services. They often collaborate with the existing players like banks/ insurance companies, leading to greater financial inclusion, improved process efficiency, lower transaction and operational costs. In the non-financial domain, the technology firms such as Alibaba, Amazon, Facebook, Google and Tencent, commonly known as ‘bigtechs’ have grown exponentially over the last two decades. Building on the advantages of the reinforcing nature of the data networks they generate, a few bigtechs have ventured into fintech space offering financial services, including payments, money management, insurance, and lending.

Globally regulators recognise the benefits of fintechs and endeavour to create a supportive ecosystem. Furthermore, they are also cognizant of the new risk elements from the entry of bigtechs into finance. Notwithstanding the benefits of improved service access and financial inclusion, the regulators are wary especially regarding the bigtechs’ impact on competition and market contestability, consumers’ data privacy rights, and on financial intermediation / stability (FSI 2021a).¹ They face the challenge of balancing between promoting efficiency, protecting data privacy and ensuring financial stability as illustrated below (Figure 1). Consequently, regulators are realigning their regulatory frameworks to facilitate a level playing field in the fintech space, while containing the plausible risks from the emergence of bigtechs (BIS 2021).²

In this context, this study analyses the benefits and the challenges posed by the entry of bigtechs in the financial domain; and the response of the regulatory and supervisory authorities across jurisdictions in balancing them.

The rest of the study is structured as follows - Section II discusses the entry of bigtechs in finance and the possible concerns they pose. Section III discusses the evolving regulatory landscape to address the financial stability, competition, operational resilience, and data privacy challenges from the emergence of bigtechs and Section IV concludes.

II. Bigtechs Entry into Financial Domain – Risks and Concerns

The activities of bigtechs in finance are a special case of broader fintech innovation. While fintech companies are set up to operate primarily in financial services, bigtech firms offer financial services as part of a much wider set of activities. Bigtechs’ core businesses are in information technology and consulting (e.g., cloud computing and data analytics), which account for around 46 per cent of their revenues vis-a-vis financial services which represent about 11 per cent of their revenues (FSI 2019). Table 1 (a and b) illustrate the entry of select bigtechs for providing various financial services in key jurisdictions.

The three major financial services provided by bigtechs are payments, credit provisioning and banking. For bigtechs, the regulations require them to acquire licenses before offering financial services. As illustrated in Table 1b, bigtechs hold licenses for these services either through subsidiaries or joint ventures with varying levels of ownership control (Restoy 2021).

The pervasiveness of bigtechs provides them with a large client base who are entrenched in using their platforms/ products with access to multiple facets of customers’ data, generating strong networks effects. The entry of bigtechs into finance also reflects strong complementarities between financial services and their core non-financial services. Given their entrenched clientele base using their non-financial services like search engine, e-commerce platforms, it is possible for bigtechs to create products and establish their footprint in the financial domain with greater ease vis-à-vis the nascent fintechs. This poses a serious barrier in terms of creating a level playing field to promote innovation in the fintech space. Besides the technological advantages, the bigtechs typically also have the financial muscle to withstand the competitive pressures.⁴ In this background, the key risks posed by the bigtechs can broadly be grouped under three categories.

1. Firstly, the complex governance structure of the bigtechs, limits the scope for effective oversight and design of entity-based regulations.

2. Secondly, bigtechs can impact the risk and maturity transformation functions through their direct exposure to provision of financial services. At times this may also translate or lead to shadow banking activities, undermining financial stability.

3. Thirdly, bigtechs, given their pervasive adoption as third-party service providers, generally become the underlying platform on which a host of services are offered. This uniquely positions the bigtechs to easily acquire cross-functional databases which can be exploited for generating innovative product offerings, making them dominant players in the market (Moenjak and Santiprabhob, 2021).⁵

III. Regulatory Frameworks to Address Risks from bigtechs in Finance

Regulators across the globe have increased the scrutiny of the bigtechs and their business models in the financial domain and are adjusting the policy frameworks to cope up with the risks presented by bigtechs. The global regulatory initiatives can be broadly calibrated on the following five key dimensions (FSI 2021a)⁶, viz.,

a) Competition and Market contestability,

b) Data protection and Data-sharing,

c) Conduct of Business,

d) Operational Resilience, and

e) Financial Stability

III.a Ensuring Competition and Market Contestability – Limiting Dominance

With the advent of bigtechs into the financial domain, the primary concern for regulators globally has been to preserve competition and market contestability. Bigtechs with their entrenched customer base can require exclusivity of participants, discriminate across potential or existing vendors, give preferential treatment to their own products, bundle their services, create cross-product subsidisation, or abuse their wealth of data to gain a competitive advantage (FSI 2021a). Through their data networks based business models, the bigtechs have the potential to become dominant players raising competition and data privacy issues. Hence, the regulatory authorities are introducing regulations to preserve the level playing field and competition by ensuring equitable access to data.

The competition authorities are realizing that the traditional ex-post approach may prove ineffective in the case of bigtechs and are focusing on ex-ante entity-based rules, and thus, requiring the bigtechs to re-align their business models. Given the possible systemic risks that dominant bigtechs can pose, the focus has shifted to initiating proactive action to limit anti-competitive practices. In key jurisdictions like US, EU and China, the burden of proof that mergers would not create a dominant market position for the firm or result in loss of consumer welfare has shifted from the regulator to the firms. Further, the proposed regulations require interoperability between bigtechs and third parties, ensuring equal treatment of own and third-party apps, etc. Besides, most jurisdictions have intensified ex-post supervisory actions on bigtechs to closely monitor their market dominance.

Table 2 summarizes the provisions of key acts enacted or proposed in the US, EU and China. As major bigtechs are domiciled in these jurisdictions these regulations are likely to impact the business models of bigtechs.⁷

III.b Securing Data Protection and Data-Sharing – Ensuring Customer Protection

The EU’s GDPR (The General Data Protection Regulation) is a comprehensive regulatory framework, which addresses the data protection and data sharing aspects in general. Several countries have aligned their data protection regimes close to the EU’s GDPR⁸. The “purpose specificity” and “security requirements” related aspects of data protection under GDPR are particularly relevant to the bigtechs. The purpose specificity requires the user’s data to be collected and utilized for the purpose consented by the respective user. This limits the bigtechs’ ability to use network effects to analyse customer data collected from other platforms. Further, the security requirement specifies that the bigtechs should put in place adequate organizational measures to protect the integrity, confidentiality, and availability of users’ data.⁹ The key features of the regulations surrounding the data protection and data sharing aspects in major economies are presented in Table 3.

The regulations on data portability/data sharing enable users to get their personal data back from bigtechs / fintechs for their own purpose or ask to transfer their data to a third party in a technically feasible format. This enables the customers to choose their preferred service provider without loss of historical/ personal data and therefore, limiting the dominance of bigtechs¹⁰. Regulations like Digital Services Act (DSA) in the EU, State Administration for Market Regulation (SAMR) guidelines in China aim to protect the interests of bigtech users. The overarching theme for the regulations is – (i) to gear the data portability and data sharing aspect of business models towards a more comprehensive open banking regime, and (ii) to promote fairness and transparency for business users and protect them from deceptive or misleading practices.

III.c Tracking Conduct of Business – Creating Effective Governance

Bigtechs have a complex governance structure. Often, they provide financial services through their subsidiaries operating under different licenses for different services, such as payments, consumer loans, wealth management and insurance. They have an integrated business model with a holding company or parent company (group) at the top and other verticals offering a wide range of services. Also, these bigtechs offer services across jurisdictions, at times depending on the trade agreements/ host country regulations. The parent or holding company could be outside the regulatory/ supervisory perimeter and could be far removed from the financial-service activities of the subsidiaries. This complex governance structure creates the possibility of expanding shadow banking activities, and thus, undermining the broader financial stability. An illustrative governance structure of a bigtech firm is shown below (Figure 2).

Across jurisdictions, the bigtechs are seeking licenses for providing payment, credit, and banking services either through subsidiaries or through joint ventures with varying degree of ownership control. However, the regulatory response has been to create guidelines which are generic that have a broader applicability. For example, in the case of EU, the guidelines for authorization of payment, and e-money institutions is based on the “Payment services (PSD-2) – Directive”.¹¹ Further, these guidelines adopt a proportional approach based on the activity undertaken by the applicants in seeking information and specifying compliance. In case of UK, the Financial Conduct Authority (FCA) has set out its approach specifying the guidelines for granting authorization for payment institutions and e-money institutions.¹² The FCAs’ approach clearly specifies the requirement to have unhindered supervisory outreach on the company (seeking license/ authorization) and requires a clear detailing on the corporate structure of the parent and subsidiary (if the company is part of conglomerate/ holding structure). In sum, the licensing/authorization approach is being guided by the ‘proportionality’ and ‘flexibility’ depending on the complexity of services offered.

The bigtechs are being closely watched by regulators globally for their restrictive business practices in their core business areas. The antitrust regulations are being contemplated to be used against the bigtechs to protect consumer welfare. Legislations like Digital Markets Act (DMA) and Digital Services Act (DSA) enacted by the European Parliament, have the potential to change entire digital landscape. DMA would regulate activities of market gatekeepers by laying clear rules - a list of “dos” and “don’ts” - which aim to stop them from imposing unfair conditions on businesses and consumers. On the other hand, the DSA would protect fundamental rights of the users online and will make digital space safer¹³.

Also, economies like Singapore, Netherlands and Hong Kong have specified the principles focused on governance, accountability, consumer protection, etc., for use of artificial intelligence models with greater oversight by the board/ management to ensure ethical business conduct¹⁴.

III.d Monitoring Operational Resilience – Ensuring Business Continuity

The aggressive collaboration between bigtechs and financial institutions are building new linkages and dependencies in the financial eco-system. Bigtechs can expose the financial system to new operational risk challenges vide both their financial and non-financing services.

• As financial service providers: Bigtech firms provide payment services to their customers and any service outage may result in disruption of financing activity.

• As Non-financial service providers: Bigtech firms yield a greater threat to financial stability due to operational risk emanating from their non-financing services. Only a few bigtech firms provide technology services and infrastructure (e.g., cloud computing and data analytics) to the global financial system.¹⁵ The failure of even one of these firms, or failure of a service offered by any bigtech firm could create a significant event in financial services, with a negative impact on markets, consumers, and financial stability.

The criticality of these services means that bigtechs may be already ‘too-critical-to-fail’. Reckoning the same, the Central banks and regulatory agencies across jurisdictions are discussing regulations to address the operational risks and challenges emanating from the services provided by bigtech firms. A few are detailed hereunder:

• European Union (EU): The proposed Digital Operational Resilience Act (DORA) by EU is a comprehensive framework on digital operational resilience in the financial sector. By specifying the security requirements to be adhered, the DORA brings ‘critical ICT third party providers’ (CTPPs), including cloud service providers (CSPs), within the regulatory perimeter. For bigtechs, DORA is relevant in two ways. First, bigtechs as users of third-party services in their financial services operations would have to abide by technical standards on evaluating and monitoring third-party risks, including the development of minimally disruptive exit strategies, if a third-party provider is compromised. Second, bigtechs as providers of third-party services that are considered “critical” (e.g., cloud computing) will become subject to additional requirements and direct supervision.

• China: In China, Financial Holding Companies (FHC) framework strengthens operational resilience by requiring all FHCs to establish a comprehensive risk management system based on both qualitative and quantitative methods that will monitor various risks, including operational, and IT risks.

• United States: In the United States, federal banking agencies have oversight powers to monitor bigtechs as significant third-party service providers to banks. The Significant Service Provider Program established under the Bank Services Company Act, oversees the operational resilience of bigtech companies as service providers to banks. Further, the Federal Reserve Boards’ interagency guidance on managing risks associated with third-party relationships outlines risk management principles for the different stages in the life cycle of third-party relationships and sets forth considerations concerning the management of risks arising from these relationships.

• United Kingdom: Bank of England in its Financial Stability Report (July 2021) called for additional regulatory measures to tackle the risks emanating from the increasing reliance of financial institutions on a small number of Cloud Service Providers (CSPs) and other critical third parties

While there are specific regulations aimed at bigtechs as providers of critical services, the general approach has been to strengthen the regulations on outsourcing activities (IT/ cloud-based services). The key guiding principles have been to ensure a well-defined outsourcing policy framework focussed on governance, risk assessment and due diligence, business continuity, data privacy and data localisation, management of expertise, etc., in line with risk appetite of the financial institution.

Further a key regulatory stipulation on outsourcing of services is that entities should ensure unhindered ‘supervisory/ audit/ data’ access from the services outsourced. The regulations require entities to reckon host country regulations to ensure unhindered supervisory access in case of outsourcing arrangements/ service providers in foreign jurisdictions.

III.e Reinforcing Financial Stability – Limiting the Plausible Systemic Impact

Bigtech firms can pose a systemic risk to financial stability via risk transformation of funds at their disposal, linkages of their money market fund (MMF) business with the financial system and other shadow banking activities. For example, in China, risk transformation across financial subsidiaries of a bigtech group happened in two ways.

• First, an e-wallet provider subsidiary of the bigtech group allowed its customers to automatically sweep the ‘leftover balances’ in their e-wallet to a MMF which was managed by another wealth management subsidiary of the bigtech. These MMFs in turn invested in interbank CDs, commercial paper, repurchase agreements, etc. and hence, establishing linkages with the financial system. The ability of e-wallet customers to have the money in their e-wallet accounts invested into the money market fund, and seamlessly redeem the money from the money market fund through their e-wallet apps constituted a risk transformation of funds with the potential to threaten financial stability.

• The second case of risk transformation by financial-service subsidiaries of bigtech firms involved the securitisation and selling of microloans by lenders associated with Chinese bigtech platforms. By using advanced analytics, subsidiaries of these bigtech platforms offered customised microloans to individual customer risk profiles, and afterwards securitised and packaged the loans and sold them to investors including traditional banks. Through the practice of originating, packaging and selling microloans to the banks, the Chinese bigtech platforms engaged in risk transformation of funds, as banks used depositors’ money to buy up the packaged loans from the bigtech firms.

Innovative financial products by bigtechs can increase their interconnectedness with the banking system, with a possibility to transmit shocks and increase vulnerability during a crisis through new channels for the propagation of risks. Recognising the same, the Central banks and policymakers across jurisdictions are discussing the potential systemic implications of bigtech financial activities and introducing regulations to maintain financial stability. Two key regulatory prescriptions are emerging to address the financial stability risks from the bigtech companies.

• The first option is to issue a digital-banking license to a bigtech firm, where the holding company of the bigtech is outside the purview of the financial regulator. This would consolidate legally separated subsidiaries of bigtech offering different financial services. The design of a digital banking license depends largely on the regulator’s licensing objectives. This could range from the objectives of enhancing competition and efficiency in the banking industry (e.g., Australia, China and the UK), promoting fintech and innovation, and enhancing the customer banking experience (e.g., Hong Kong, South Korea, Singapore and the UK), to providing small and medium-sized businesses with access to capital and financial services (e.g., China).¹⁶

• The second option is to impose a holding company structure on financial-service subsidiaries of the bigtech and subject that holding company to financial regulations. By structuring the subsidiaries into a holding company structure, the governance structure could be simplified, and financial regulators could assess risk and address various concerns holistically. At present China requires non-financial conglomerates/ bigtechs that have two or more subsidiaries in the financial domain to carve out a financial holding company framework for such subsidiaries.

IV. Conclusion

Bigtechs are foraying into the financial domain bringing with them benefits of greater financial inclusion, efficient operations and lower transaction costs. However, they also pose the risk of stifling competition, operational resilience issues and financial stability.

Several regulatory initiatives have been taken recently in China, the EU and the United States to address the novel challenges presented by bigtechs, specifically in the areas of competition, data protection, conduct of business, operational resilience and financial stability. In India, efforts have been initiated towards bringing critical payment intermediaries into the formal regulated / supervised framework. The directions issued for Payment Aggregators / Payment Gateways and Framework for Outsourcing of Payment and Settlement-related Activities by Payment System Operators are a step in this direction. Initiatives are also on to up the payments acceptance infrastructure in India. India has also mandated local storage of payments data and is also in the process of legislating its own data protection law.

Given the increasingly dominant role of bigtechs and fintechs in the financial ecosystem, the Reserve Bank of India has issued the draft guidelines on outsourcing of Information Technology (IT) and Information Technology Enabled Services (ITeS) by the regulated entities, to ensure effective management of attendant risks in outsourcing of IT activities viz. IT infrastructure, network security, cloud computing, application service providers, etc.¹⁷ The recent initiatives across the countries represent important steps in addressing the relevant risks posed by bigtechs.

Primarily, the regulators appreciate that the risks stemming from bigtech activities cannot be adequately captured/ addressed through entity-specific or activity-specific regulations alone. The regulations/ regulatory framework should also reckon the risks that are created by substantive interlinkages within bigtech groups and their role as critical service providers for financial institutions. The key paradigmatic shift in the regulatory approach towards addressing the risks from bigtechs lies in calibrating the regulatory frameworks with a mix of entity and activity-based rules. The requirements for creating holding companies involved in financial activities, the activity-specific licenses, requirements on data protection, security, equal treatment of third-party applications, data portability etc. augur well for limiting the risks posed by bigtechs. Furthermore, as the interaction of bigtechs with the financial sector evolves, close cooperation between competition (anti-trust), data, governance and financial authorities are called for to design/ update regulations to protect competition and promote financial stability.

Also, as the bigtechs operate across jurisdictions, there is already a compelling case to seek international consistency of policy developments. In this light, there have also been efforts by international standard-setting bodies to ensure that existing financial regulation (particularly in payments) properly cover the activity of new non-bank players. However, the exact calibrations on both entity and activity-based approaches will need to be further explored and tailored to country-specific conditions to ensure that regulators’ concerns be addressed without stifling financial innovations.

The regulatory responses of the emerging markets and developing economies (EMDEs) so far have been to create enabling environment by developing payment infrastructure and digital identity data. EMDE financial authorities have responded by developing dedicated units (e.g., innovation hubs, sandboxes etc.) for developing policy to support innovation. Going forward, the regulations in EMDEs need to be mindful of the new interlinkages that bigtechs might create with the existing financial institutions.

References

Bank for International Settlements (2019), “Bigtech in Finance: Opportunities and Risks”, Annual Economic Report, Chapter III, June. https://www.bis.org/publ/arpdf/ar2019e3.htm

Bank for International Settlements (2021), “Regulating Bigtechs in Finance”, August, BIS bulletin No. 45. https://www.bis.org/publ/bisbull45.pdf

Carstens, A. (2018): “Bigtech in Finance and New Challenges for Public Policy”, Keynote address at the FT Banking Summit, December. https://www.bis.org/speeches/sp181205.htm

Croxson, K., J. Frost, L. Gambacorta and T. Valletti (2021), “Platform-based Business Models and Financial Inclusion”. https://www.dcfintechweek.org/wp-content/uploads/2021/10/Jon-Frost-Karen_Croxson-et-al-Platform-based-business-models-and-financial-inclusion-Oct-2021.pdf

Financial Stability Board (2019), “Bigtech in Finance: Market Developments and Potential Financial Stability Implications”, December. https://www.fsb.org/2019/12/bigtech-in-finance-market-developments-and-potential-financial-stability-implications/

Financial Stability Board (2020), “Bigtech Firms in Finance in Emerging Market and Developing Economies - Market Developments and Potential Financial Stability Implications”, October. https://www.fsb.org/wp-content/uploads/P121020-1.pdf

Financial Stability Report (2021), Bank of England, July. https://www.bankofengland.co.uk/financial-stability-report/2021/july-2021

FSI (2020), “Policy Responses to Fintech: A Cross- Country Overview”, January, FSI Insights on policy implementation no. 23. https://www.bis.org/fsi/publ/insights23.pdf

FSI (2021a), “Bigtech Regulation: What Is Going On?”, September 2021, FSI Insights on policy implementation no. 36. https://www.bis.org/fsi/publ/insights36.htm

FSI (2021b), “Bigtechs in Finance: Regulatory Approaches and Policy Options”, March, FSI Briefs No. 12. https://www.bis.org/fsi/fsibriefs12.htm

Moenjak and Santiprabhob (2021), “Regulating Bigtech And Non-Bank Financial Services in the Digital Era”, 12thApril, Central Banking. https://www.centralbanking.com/central-banks/financial-stability/7820121/regulating-big-tech-and-non-bank-financial-services-in-the-digital-era

NITI Aayog (2021), “Digital Bank: A Proposal for Licensing and Regulatory Regime for India”, November. https://www.niti.gov.in/sites/default/files/2021-11/Digital-Bank-A-Proposal-for-Licensing-and-Regulatory-Regime-for-India.24.11_0.pdf

Reserve Bank of India (2017), “Report of the Working Group on Fintech and Digital Banking”. https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WGFR68AA1890D7334D8F8F72CC2399A27F4A.PDF

^ The authors are from the Department of Supervision (DoS).

* Guidance and encouragement received from T K Rajan, CGM DoS are gratefully acknowledged. The views expressed are those of the authors and not of the Reserve Bank of India.

¹ “Bigtech regulation: what is going on?”, September 2021, FSI Insights no. 36.

² “Regulating Bigtech in finance”, FSI Briefs, BIS bulletin No. 45, August 2021.

³ https://voxeu.org/article/policy-triangle-big-techs-finance

⁴ To illustrate, as more fintechs/ bigtechs enter the financial domain, the cost of business increases as competitors must spend more to acquire and retain their customers. Fintech or new digital offerings are often accompanied by various discount/reward offers leading to higher cash burn.

⁵ Regulating bigtech and non-bank financial services in the digital era - Central Banking, 12th April 2021.

⁶ For a detailed discussion on risks and benefits of bigtechs in finance see, for example, BIS (2019), Carstens (2018), Croxson et al (2021) and FSB (2019, 2020).

⁷ Bigtechs are increasingly facing enforcement actions in China and EU. In US, the bigtechs are facing multiple law suits challenging their market dominance (FSI 2021a).

⁸ China’s proposed framework on data protection shows a high degree of alignment with EU’s GDPR.

⁹ GDPR enables easier business process automation, increased trust and credibility, a better understanding of the collected data, improved data management, protected and enhanced enterprise/ brand reputation, and helps in creating an even privacy playing field (John Edwards, Jan 2021).

¹⁰ The Bigtechs viz. Apple, Facebook, Google, Microsoft and Twitter are also working on their Data Transfer Projects with the goal of creating an “open-source, service-to-service data portability platform.

¹¹ https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-authorisation-and-registration-under-psd2

¹² https://www.fca.org.uk/publication/finalised-guidance/fca-approach-payment-services-electronic-money-2017.pdf

¹³ https://www.europarl.europa.eu/news/en/headlines/society/20211209STO19124/eu-digital-markets-act-and-digital-services-act-explained

¹⁴ Policy responses to fintech: a cross-country overview (Insights no. 23 – January 2020), Financial Stability Institute, Bank of International Settlements

¹⁵ The Bank of England, in a 2020 survey, estimated that more than 70 per cent of banks and 80 per cent of insurers rely on just two cloud providers for IaaS (Infrastructure as a service).

¹⁶ For a detailed discussion please refer the discussion paper on Digital Banking (NIIT Aayog).

¹⁷ Reserve Bank of India : Draft Master Direction on Outsourcing of IT Services, dated June 23, 2022 (https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4156)