View from Asia: Fintech and regtech remain high priority
Fintech and regtech remain high on the list of issues for APAC businesses. Given the continuing fight for "market share" in relation to start-ups and tech businesses in the region, jurisdictions are increasingly focusing regulatory requirements and initiatives on these matters in an effort to show how suitable they are for acting as a cradle of innovation, but at the same time not allowing the environment to be too lax in terms of control and investor protection.
Fundamentally, there are risks of arbitrage at a jurisdictional level, and even at a domestic level: enthusiastic wooing of tech providers can challenge a level playing field. While that is true of the wider picture of financial activities and developments, it comes into sharp focus in the fintech and regtech areas.
Singapore has opted for an aggressive charm offensive on providers, and Australia and Japan are also active in the mix. Others are following suit.
In Hong Kong, a nuanced domestic angle is demonstrated by the Securities and Futures Commission (the securities regulator) adopting a "suck it and see" approach to regulation, carefully monitoring the market and assessing as and when the time may be right to impose formal specific regulation to augment the already extensive regime. Restrictions on internal systems and controls at a principles-based level already to an extent provide regulatory cover to cater for tech developments.
From the Hong Kong Monetary Authority, which acts as Hong Kong's banking regulator, there is a more pro-active approach demonstrated by the introduction of a "Sandbox" to allow for initiatives to be aired and tested in a "controlled" environment. "Supervisory flexibility" is favoured for new ideas, which can be rolled out in a "soft" launch fashion, for example, to existing customers prepared to act as guinea pigs, where boundaries are defined, customer protection measures are in place and risks are managed. There is the need for the roll-out to be based on a "ready to go, subject to final testing" approach – not as a way to side-step the relevant requirements. Combined with the "Fintech Innovation Hub", designed to act as a place to share ideas, there is a path forward for institutions to take advantage of the (cautiously) welcoming Hong Kong regime.
Uncertainty remains concerning turf boundaries among the regulators; Bitcoin is a good example. The recent hack in Hong Kong has highlighted the unregulated nature of this model and raised the issue of which regulator has responsibility for responding and how they should do so, when dealing with an innovative product that does not fit clearly (or at all) within the current regulations.
The risk for businesses is an emergency clamp-down on innovations if they spiral out of control, with little time to adjust to new restrictions and sanctions and the potential for either a freeze on a business and/or substantial costs to rectify indemnified/perceived issues.
The philosophical and practical issues surrounding the right timing for an intervention by regulators – not too early to stifle innovation – but not too late – are clearly seen from the above examples.
To head off as far as possible these attempts to "time" the markets as regards stepping in, which remains a hazardous approach, there is a need for a longer term view on the part of the regulators and the industry as a whole. They should assess and re-evaluate the current regulatory regimes and identify what needs to be done to make them not only flexible enough to react swiftly to crises but also to changing technologies to allow for the automation of compliance processes. This area is important, and developing, in relation to AML and KYC – where block chain technologies and the outsourcing of data to AML/KYC "hubs" may provide efficiencies to avoid "double-counting" and fraud. A good example of where regulation should be modified to allow for automated compliance processes is the disclosure of interests-type requirements: in Hong Kong the legislation is notoriously unclear and cumbersome, and therefore impossible to programme for precisely, relying on difficult judgement calls which currently cannot be catered for by available technology.
Ultimately, a key consideration is the level of "good" data available to regulators and the regulated to ensure as far as possible that all stakeholders have sufficient control. Regulators must ensure they do not set reporting requirements so broadly that they are swamped with information (and are potentially caught in any enforcement context with having been given relevant information as to risks, etc which they have simply not recognised). The regulated must be able to manipulate their data in a manner so that it can be used efficiently and creatively to meet the needs of their businesses and reasonable regulator requirements.
In this regard, data protection legislation – in Hong Kong, bringing to bear yet another regulator, the Privacy Commissioner – cannot be ignored. This, together with confidentiality and bank secrecy issues, outsourcing rules, recovery and resolution requirements for institutions and other regulatory issues, need to be viewed on a holistic basis rather than piecemeal.
The need for continuing industry-regulator dialogue is clear so as to achieve a reasonable balance of all of these aspects since, given the nature of rapidly moving technological advances, this should not be viewed as taking sides in a fight, more a matter of arriving at a series of sensible checks and balances designed to open a collective path to future development.
This case summary is part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication. For more information please contact Karen Birch firstname.lastname@example.org, or tel +44 20 3088 3710.