Last month saw the fourth cohort of firms approved for the FCA innovation sandbox. This comes at the same time as the FCA is leading a partnership with additional regulators to set up a global sandbox. The aim of this sandbox model? Encourage financial services to take advantage of innovations and partner with new FinTech companies without fear of falling foul of the regulator if the results aren’t fully as expected. The sandbox does not give firms carte blanche to fail and impact their clients. However, it was seen as a key shift in accepting that technology use is rapidly changing within the industry and, in fact, could be a great way to increase competition within the industry – a stated aim of the FCA since 2013.
FinTechs are the most commonly highlighted group targeted by these initiatives, with both the FCA and ECB being very vocal in their desire to see financial services firms partnering with FinTechs – and here is where we have the conundrum…
Technology integration is not new – but times are changing
The sandbox has a very tightly defined set of criteria, such as needing to be first through the door to qualify. These criteria mean few initiatives may meet the bar. At the same time, there is a push from the industry for high-level outputs and trends identified by each cohort to be made public – to aid the wider adoption of innovative ideas. Wealth managers have been integrating front office solutions such as eXimius and XPLAN with custodian solutions for some time now. These integrations are increasingly making use of additional FinTech components, such as niche functions like KYC/Due Diligence. This is a great example of how FinTechs can make use of unstructured data, which often forms the basis of KYC activities, against Big Data sources.
Now this is not anything new. Wealth managers have been partnering with technology firms for years – there was a time when being a Salesforce or SAP specialist meant you were set for life, but things change. Instead of large, mature players offering on-premise or hosted solutions, the industry is now saturated with smaller, niche players, increasingly offering cloud-based solutions. This trend only shows signs of continuing, if not accelerating, meaning the cost of due diligence increases if 20 micro-providers were to supply services previously delivered by a couple of large providers who were used to this level of rigour.
With greater opportunities come greater risks
This comes at a time when regulators are increasingly imposing new rules to improve the behaviour and conduct of the industry. The question which keeps arising is: are start-ups mature enough to potentially perform a key function of your business? If there are problems because of any partnership, the regulator will be knocking on your door as a regulated company as opposed to your FinTech partner.
Another option is opting for regulated partners, which brings a debate on the perceived differences in maturity. You would expect regulated partners to be familiar with how to deal with a regulator and be on top of all changes, much more than FinTechs. At the same time, a key reason for engaging FinTechs is the agility of solutions, but operational governance and resilience are perceived to be stronger in the regulated space. The key word here is “perceived”, as there is no hard and fast rule. The only way to make a decision is to perform adequate due diligence, as already mandated by the regulator’s Systems & Controls requirements.
Due diligence will be specific to your business but some key themes, which must always be considered, apart from whether the required functional capabilities are provided, include:
- Capitalisation and size – will your partner be there tomorrow?
- Governance – is the delivery and service controlled? Policy documents are great but are they 10 years old and sitting on a shelf?
- Regulatory awareness – how will the solution stay compliant tomorrow? Are you able to holistically view the upcoming regulatory horizon?
- Resilience – how will the service recover from failure scenarios, including worst case? What support is available to you – do you need 24x7?
- Cyber Security – how protected is your data and service? Does your partner understand and react to the fact that the cyber landscape is ever changing?
- Hosting – who controls the underlying system infrastructure? How do they fulfil the above considerations?
Regulators are still playing catch-up, so individual due diligence is key
This due diligence must always be approached through the lens of your own risk appetite. Not everything needs the gold-plated solution – but ensure you know what is critical to your business. The cost of this exercise should not be underestimated and will increase as the inherent criticality of the functionality increases.
The regulators are playing catch-up on the constantly changing technology landscape. The drive to make more use of innovative technologies and FinTechs is one example of this. Another example is the recent joint BoE/PRA/FCA paper, indicating that the industry must focus on operational resilience whilst in the same breath seeming to accept that trying to keep pace with technology change and smaller competitors could result in operational issues occurring. The proliferation of Cloud service providers is another area of interest within regulator due diligence guidelines, where the “right of entry” for this purpose is just not provided by most big players.
Eventually, it will come down to one thing: your company and you are accountable for deciding on whom you rely to service both it and, ultimately, your clients. The regulator is trying to reduce some of the regulatory burden of trying new ideas and selecting new partners as a means of encouraging innovation and competition. But if you pick the wrong partner, even if the regulator doesn’t censure you, your clients and your reputation would still ultimately be impacted, and it is still your investment which may have been wasted.