FinTechs are increasingly transforming the banking sector, creating new perspectives of digitisation for banking regulations that question the classic postulates.
FinTech start-ups are enterprises that use innovative and disruptive business, technological or economic models, aimed at addressing existing or emerging issues in the financial services industry. The essential characteristic of a FinTech resides in the innovation factor, the fact that they present new operational and economic models and finally that there is a disruptive character in their raison d’être.
FinTechs may cover a multitude of services, from payment platforms to electronic portfolios, investment banking robots and financing platforms. Most of the “traditional” business lines of a bank are – can or may be – concerned:
- Payments, including mobile payment solutions through telecommunications services providers, electronic wallets that can centralize payments, or digital currency services (currently, restricted in Lebanon).
- Credit, with the development of crowdfunding or peer-to-peer lending.
- Savings, particularly through the use of automated investment advice or programmed savings.
- Asset management, through robot advisors and trading platforms.
- The back-office business is also modernised thanks to the secure transfers allowed by Blockchain technology.
Between 2010 and 2014, 24 billion USD was invested in the FinTech sector. In 2015 alone, 22 billion USD was spent on FinTechs in the United States, the United Kingdom and India alone. While in Europe the figures are slightly more modest, representing only 20% of global investments or 4,4 billion USD, they nevertheless continue to grow.
The reason which justified the emergence of what we designate under the qualification of “FinTech” is, essentially, one of the defining criteria of FinTech: its disruptive nature. There is originally a willingness to break with an established system. The emergence of Bitcoin in 2009 is probably no stranger to the financial crisis experienced by the world in 2008: with regard to the traditional tools available to the banking sector, a breakthrough was made possible thanks to technological innovation that allowed to develop new digital tools for the banking business and more broadly for the financial sector.
How does this rupture manifest itself in its relation to the banking system in Lebanon?
In other words, what may FinTechs bring to the future of the Lebanese banking system?
The contribution of FinTechs is manifested in two aspects. They allow, on one hand, a dematerialisation of financial services (I) and, on the other hand, their disintermediation (II).
I. Dematerialisation of financial services
Undoubtedly, the significant enhancement that FinTechs introduce lies in the dematerialisation of financial services. Such enhancement, although heterogeneous in its manifestations (1), generates a certain number of common risks (2) which regulators around the world are trying to circumscribe in order to ensure a suitable development of FinTechs.
1) Manifestations of dematerialisation
The dematerialisation of financial services manifests itself in different ways. First of all, it lies in the digitalisation of financial services (i). Dematerialisation is then reflected in all services based on the economics of data and the use of algorithms fed by Big Data (ii). Finally, dematerialisation is manifested by the outsourcing of bank data, which is especially allowed by the multiplication of cloud offers (iii).
i. Digitalisation of financial services
This digitisation of financial services is, first and foremost, a digitalisation of payment services. It was made possible by the updated definition of the “electronic banking and financial operations” introduced by BDL’s Intermediate Decision No. 11937 dated 26/1/2015 (Intermediate Circular 385) which gave the – false – impression of enlarging the scope of authorised e-banking operations, thus regulating new categories of payment services.
This definition also included the operations performed by the issuers or promoters of all types of electronic charge, debit, or credit cards, the institutions undertaking electronic transfers of funds, and by the websites that offer, purchase, sell, and perform all electronic banking services.
BDL’s Intermediate Decision No. 12018 dated 30/6/2015 (Intermediate Circular 393) seemed also to have an impact on the digitalisation of financial services in Lebanon. It authorised, under certain conditions, carrying out one type of banking operations via mobile and fixed electronic devices among customers of different banks.
However, the terms of BDL’s Basic Decision No. 7548 dated 30/3/2000 relating to Electronic Banking and Financial Operations limit carrying out the above-mentioned operations to the receipt of transfer request from the customer: the transfer itself should, in fact, only be performed in the conventional mean which is through the SWIFT system currently adopted among Lebanese banks.
ii. Services based on data
Dematerialisation also comes from the multiplication of services offered by FinTechs which rely on an economy built entirely around data. The use of Big Data for banking purposes makes it possible to obtain and offer solutions that are appropriately adapted to the client’s needs, with full knowledge of the risks for the offering bank, which allows it to limit them or to compensate for such risks by taking appropriate mitigation measures.
For example, techniques that define the bank’s borrower credit quality and solvency can be refined thanks to the quasi-predictive analyses made from the client’s data – collected during his internet browsing – purchased from an internet provider or collected from the FinTech’s platforms. The data of the client who can feed this analysis is the traditional personal and financial data that the traditional banker holds (for example, through the KYC forms), but also the traces of data left by the user during his internet navigation, in particular those left voluntarily in public access, for example, on social networks. It may also be the geolocation data that the user agrees to share publicly, consciously or sometimes less consciously.
Bank’s right to access public or private user data in order to make more accurate customer analysis is not yet specifically regulated in the Lebanese market. On another hand, the use of customer data by FinTechs to develop and offer related services is hindered by the rigidity of the applicable Banking Secrecy Law. Therefore, FinTechs are presently restricted to the use of data which is found in public access to develop new tools for banks.
iii. Outsourcing of bank data
Finally, the dematerialisation of financial services is reflected in the use of massive outsourcing of customer data. Cloud computing services make it possible to consider banking operations differently. The remote storage that is now possible allows to multiply online banking solutions or portfolio services that no longer involve physical establishment. Most of these data storage outsourcing services are offered by external service providers, mainly FinTechs.
It is obvious that the above-mentioned protective legislation of bank customers’ data applies to the storing and hosting of such data. Similarly, the rules apply to data transfers, in particular outside Lebanon, when outsourcing data involves such transfers. To date, the terms of the Banking Secrecy Law do not take into account the situation arising from cloud computing in financial matters: amendments need to be made in order to ensure, on one hand, a sufficient level of guarantee for data privacy and, on another hand, a confident entry for Lebanese banks into the realm of cloud-based financial services. The circulation of data and its protection constitute the two major issues to be taken into account to ensure the success and development of cloud computing solutions for the banking sector in Lebanon.
What could be the risks of such dematerialisation?
2) The risks of dematerialisation
In a joint publication dated March 2015 titled “Earning Consumer Trust in Big Data: A European Perspective”, consulting firm Boston Consulting Group and Law Firm DLA Piper have demonstrated the crucial importance that European consumers accord to their banking data especially the data stored on credit cards. There are no similar studies for the Lebanese market but there are no serious reason to think that Lebanese bank customers accord less importance to their banking data.
The dematerialisation of financial services generates significant risks of data breaches (i) and major risks of fraud (ii) which must both be taken into account by FinTechs to ensure a safe development of the sector.
i. Data breaches
In order to protect the data of customers who are becoming particularly vulnerable due to the dematerialisation of financial services offered by FinTechs, the regulations should put in place measures to restrict access to protected data which is strictly necessary for the service instead of, as the case is currently in Lebanon, rejecting such access completely.
Accordingly, with the prior explicit consent of the user, FinTechs should have access to personal data necessary for the performance of payment services and be safely able to process and store such data. The legislator will have to determine what type of data is concerned with the protection and, therefore, constitute protected personal data and which data is freely accessible and, therefore, not benefiting from the protection.
In order to prevent any abuse, this mechanism should also apply to data publicly accessible on social networks and which can be widely used by FinTechs without having to obtain the consent of the user beforehand.
The other main risk generated by the dematerialisation of financial services lies in fraud and more generally cybercrime, which is a widespread risk in the virtual world. Fraud, like financial services, is dematerialised. The theft of bank data may constitute a systemic risk for the banking sector. The means of achieving this crime, though often known, are nonetheless extremely effective.
Thus, the phishing technique, associated with numerous spam messages, makes it possible to retrieve customer data by simulating a bill or a message from a known entity. More recently, we have witnessed the development of banking and financial Trojans that allow the resale of bank details by cybercriminals on dedicated forums (Darknet) for 5 to 10% of the available credit on the account. Fraudsters are never short of ideas to offer new refinements to these different techniques, like the fraud carried out thanks to the malicious program Dridex. This fraud combines both techniques, giving new life to the technique of phishing, allowing to simulate the legitimacy of the source of the consignment. The message is accompanied by an attachment containing the program which, by infecting the computer and replicating on all of the user’s terminals, allows to suck the banking data of the victim.
This risk is real and important solutions are required to achieve a secure data. Two initiatives recently paved the way: The Special Investigation Commission’s “Cybercrime Guide for Financial Institutions 2017” which addresses cybercrimes conducted by email, and BDL’s Basic Decision No. 12725 dated 28/11/2016 related to the prevention of Cybercrime which offers a wider scope and mandatory framework.
However, more global and more technical solutions should be implemented in this regard. For example, a real strengthening of the authentication processes that provide strong client authentication based on 3D Secure solutions or based on the use of biometric data or one-use data.
II. Disintermediation of financial services
The disruptive nature of FinTechs is not only reflected in the dematerialisation allowed by new technologies. It also materialises in a disintermediation that questions the very essential function of the traditional bank. This disintermediation, in all its manifestations (1), generates risks that should be apprehended to ensure the virtuous development of FinTechs (2).
1) Manifestations of disintermediation
The disintermediation intervenes at a double level: it affects the banks first and aims to substitute new intermediaries for traditional ones. Following this banking disintermediation (i), FinTechs and the new technologies on which they thrive make it possible to envision a more fundamental rupture consisting of a general disintermediation (ii).
i. Banking disintermediation
The financial disintermediation that FinTechs realise, which manifests itself in the banking profession, consists in using a platform rather than a bank to carry out operations traditionally offered by banking institutions. The simplifications that platforms offer instead of banks undermines one of the fundamental functions of banking.
Credit is the first service to be affected by this disintermediation and the success of crowdfunding platforms attests of such influence. The Lebanese legislator hasn’t yet understood the potential of this new form of credit and hasn’t thus accompanied the development of this practice. There is currently no legal framework that favours this new form of credit that can be realised without resorting to banks. The abandonment of the banking monopoly is certainly the principal reason why this aspect of the disintermediation (i.e. crowdfunding) hasn’t yet been addressed.
Credit is not the only operation concerned by this disintermediation. Nonbank operators are timidly daring to offer payment solutions to their users. It is the case with features that allow users to pay via their nonbank account or through the payment card stored in their “wallet”. This feature, although it attracts many consumers around the world (for example, Apple Pay), could pose a threat for Lebanese traditional banks, especially that the new intermediaries that will be competing with them are Tech giants or telephony operators with considerable impact power in the market (for example, Apple Inc.). Again, the abandonment of the banking monopoly is certainly the principal reason why this aspect of the disintermediation (i.e. mobile payments and digital wallets) hasn’t yet been addressed.
Bank disintermediation is globally on the way. Even if the Lebanese market doesn’t apprehend it for monopolistic reasons, it may not stop just at the banks’ level.
ii. General disintermediation
New technologies are offering users worldwide the ability to bypass any platform acting as intermediary.
This is the challenge presented by the technology implemented by Blockchain which makes it possible to automatically perform operations without requiring any intermediate. It is on this technology that major cryptocurrencies are based like Bitcoin or Ethereum. Blockchain also makes it possible to envisage the realisation of international money transfers or, thanks to the smart contracts associated with it, to consider the realisation of crowdfunding operations without any intermediary.
The Blockchain is undoubtedly a bearer of promises as to the multitude of operations which it could allow due to the inviolability of the system. However, until this date, the prospects of developing and using this technology in Lebanon seem trivial since, by rejecting its main application – virtual currencies – the Lebanese banking regulator has, implicitly, took a cautious position towards such technology (BDL’s Financial Sector Announcement No. 900 dated 19/12/2013), undoubtedly based on considerations related to fighting money laundering and terrorism financing.
The disintermediation that FinTechs may achieve cannot be done without risks which must, for the soundness of the Lebanese banking sector, be controlled.
2) The risks of disintermediation
Historically, bank intermediation made it possible to secure financial transactions. It made it possible to embody confidence in a third party who bore the risks and assumed the responsibilities in case of difficulties in carrying out the operations or damage suffered by the customer during one of the operations. Mistrust in these traditional actors will certainly come from their disempowerment.
However, the establishment, monitoring and reinforcement of prudential rules have shown that regulation may be a way of compensating the risks associated with financial transactions. In fact, the temptation to block new FinTech practices from taking place in the Lebanese market translates a will of combating the risks arising from disintermediation. However, instead of blocking such practices and barring their entry into the market, regulating such practices have proved to be more beneficial to the market itself as seen with the UK and EU regulatory landscapes. It is, therefore, necessary to define which regulations are needed (i) and to define conceivable modalities of regulating the new FinTechs actors (ii).
i. Forms of regulation
Sectoral regulation or prudential regulation? That is the question regulators examined with regards to regulating FinTechs.
The first one allows the establishment of rules to regulate activities under the banking monopoly. It involves heavy obligations on FinTech operators wishing to carry out these activities and thus functions as barrier to the entry of new, smaller players than traditional market players. It is suspected that this form of regulation is favorited for the Lebanese market.
The second one aims to establish rules to limit the risks for users by forcing FinTech operators to put their own funds in adequacy with the risks borne. These prudential rules are hypothetically more respectful of a certain form of equality between the various operators by weighing indiscriminately on all the actors proposing the activities at risk.
ii. Rules of regulation
If we admit that it is necessary to regulate FinTechs, how should this regulation intervene? More specifically, if prudential regulation is chosen, how should it intervene?
Here two options are possible, the sandbox technique, which consists in easing the constraints, at first, for new market entrants to let them grow and flourish in their sandbox before weighing all the constraints when they have reached a maturity threshold.
Another way is possible, which is the one chosen by the French regulator, that of the accompaniment by the regulator: the new entrants are subjected to the same constraints as all the operators, no lightened regime is envisaged but the regulator helps new FinTechs to assimilate and conform to all applicable regulations by providing “personalised” support for new FinTech start-ups.
Further reading: “Sound Practices – Implications of fintech developments for banks and bank supervisors”, Basel Committee on Banking Supervision, February 2018. This publication is available on the Bank for International Settlements website (www.bis.org).