Part 2

Implications for banks and banking systems

This section focuses on the risks and opportunities associated with the developments described in the banking industry scenarios above. Graph 6 below lists the new opportunities and risks identified for banks and the banking system based on a survey of existing publications on FINTECH. Traditional banking risks (such as operational or liquidity risks) are only considered to the extent that FINTECH developments add a new dimension or specific features to the existing ones.




Many of the findings and observations in this paper are based on forward-looking scenarios and assumptions emanating from emerging financial technologies and business models.

Implication 1: The nature and scope of banking risks as traditionally understood may significantly change over time with the growing adoption of fintech, in the form of new technologies that can affect bank business models. While these developments may give rise to new and additional risks, they may also open up new opportunities for consumers and banks.

Consideration 1: While bank supervisors must remain focused on ensuring the safety and soundness of the banking system, they should be vigilant for opportunities to enhance both safety and soundness and financial stability while monitoring for current practices that might unduly or unintentionally hamper beneficial innovations in the financial industry.

FINTECH innovations hold potential benefits for all users of financial services. These include expanding access to financial services (financial inclusion), reaching under-served consumers, reducing transaction costs, providing greater transparency with simpler products and clear cost disclosures, providing greater convenience and efficiency, and enabling tighter controls over spending and budgeting. Collectively, these can result in an enhanced customer experience by providing a better understanding of products and terms. Likewise, many consumers may not know how to delete their credentials and other data held by data aggregators. Of note, where the risks associated with fintech vary significantly across the different scenarios, the identified opportunities will depend less on particular scenarios and more on the technologies that will allow them to be realised. Some important opportunities to consider include:

• Financial inclusion: Digital finance has improved access to financial services by under-served groups. Technology can reach remote locations. Only six out of 10 adults have a bank account, but there are more mobile devices than people in the world.16 The promise of digital finance to reach scale, reduce costs and, if coupled with the appropriate financial capability, broaden access is unprecedented. Financial services could be provided to more people with greater speed, accountability, and efficiency.

• Better and more tailored banking services: Banks are already regulated and know how to bring products to a regulated market.


FINTECH companies could help the banking industry improve their traditional offerings in many ways. Banks may, for example, provide white-label robo-advisors to help customers navigate the investment world and create a better and tailored customer experience. Partnerships with FINTECH companies could also increase the efficiency of incumbent businesses.

• Lower transaction costs and faster banking services: Innovations from FINTECH players may speed up transfers and payments and cut their costs. For instance, in the area of cross-border transfers, FINTECH companies in some cases can provide faster banking services at lower cost.

• Improved and more efficient banking processes: Innovation may allow the conduct of operations in a safer environment thanks to the use of cryptographic or biometric technologies and more interoperable systems decreasing the chances of failure.

• Potential positive impact on financial stability due to increased competition: The entry of new players competing with incumbent banks could eventually fragment the banking services market and reduce the systemic risk associated with players of systemic size, as also analysed by the FSB.17.

• Regtech: Fintech could be used to improve compliance processes at financial institutions. Regulation is increasing globally but the effective development and application of “regtech” (see Box 5 below) could create opportunities to, for example, automate regulatory reporting and compliance requirements as well as facilitate more cross-sectoral and cross-jurisdictional cooperation for improved compliance (eg AML/CFT).


Innovative technologies can help financial institutions comply with regulatory requirements and pursue regulatory objectives (prudential requirements including reporting, consumer protection, AML/CFT). In this context, regtech may provide banks with more effective ways to improve their compliance and risk management. It may also be a means of coping with change in the regulatory environment and driving down the costs involved in meeting the corresponding requirements.

Regtech could result in new processes, new distribution channels, new products or new business organisations that help banks comply with regulatory requirements and manage risk more effectively and efficiently. Some regtech firms offer compliance and risk management solutions to banks, through outsourcing or insourcing processes. Examples include the FundApps automated monitoring service for regulatory changes in the United Kingdom, and Fintellix in India, which offers data management for compliance with accounting rules.18 Regtech may open up opportunities for digital transformation of control and support functions within banks (risk, compliance, legal, finance, IT). Regtech could address a wide array of requirements related to regulatory reporting, financial crime, operational risk (including cyber-security and fraud detection), consumer protection and data protection regulation. Examples in these domains include BearingPoint’s Abacus solution for compliance with the European supervisory reporting requirements, and Trulioo’s and Qumran’s “know your customer” solutions in Canada and Switzerland, respectively, for compliance with AML/CFT rules.19 In Italy, anti-money laundering requirements for the opening of a new online account can be met by making a transfer from any bank account the customer holds at any other bank. All other necessary information and documents can be exchanged between the customer and the bank using e-mail, webcam, chat and other online tools. The technologies used include IT (software, cloud computing, API, automation and AI), data technologies (big data, machine learning, risk scoring, real-time monitoring), identity technologies (biometrics, vocal recognition) or new technologies such as the DLT that combines cryptography and IT solutions. Another potential use of regtech includes risk data reporting capabilities. During the financial crisis, firms were unable to aggregate risk data and perform analytics to aggregate risk exposures in response to events in a timely fashion. These failures influenced the FORFIRM’s compilation of the Principles for risk data aggregation and reporting. Regulators have placed increased expectations on firms to be able to accurately and completely aggregate risk data, with a view to improving their risk management and also facilitating supervisory requests, such as supervisory stress testing. Use of AI, advanced data analytics and other emerging technologies could improve firms’ ability to provide coherent and timely risk data.

While there are clear benefits from FINTECH, as noted above, innovation cannot be supported at the expense of safety and soundness. Banks and bank supervisors should consider maintaining similar focus on risk management, control standards and protections over new emerging delivery channels and services being introduced by financial institutions through FINTECH. However, prescriptive standards and rules, developed well before many of the technologies in use today were even considered possible, could potentially create undue or unintentional barriers.

Key risks

Implication 2: Key risks associated with the emergence of FINTECH include strategic risk, operational risk, cyberrisk and compliance risk. These risks were identified for both incumbent banks and new FINTECH entrants into the financial industry. Consideration 2: Safety and soundness and financial stability can be enhanced by implementation of supervisory programmes to ensure that banks have effective governance structures and risk management processes that appropriately identify, manage and monitor risks arising from the use of FINTECH including associated new business models applications, processes or products. These structures and processes may include:

• Robust strategic and business planning processes that allow banks to adapt their business strategies to take into account the potential impact new technologies and market entrants may have on their revenue

• Staff development processes that ensure that bank personnel have the appropriate awareness and capability to manage fintech risks • Sound new product approval and change management processes to appropriately address changes not only in technology, but also in business activities • Risk management processes in line with the portions of the Basel Committee’s Principles for sound management of operational risk (PSMOR) that are relevant to fintech developments • Processes for monitoring and reviewing new products, services or delivery channels for compliance with applicable regulatory requirements, including, as appropriate, those related to consumer protection, data protection and anti-money laundering and countering the financing of terrorism (AML/CFT). While the rise of cyber-risks has been identified by both banks and supervisors as a major area of focus, this paper focuses on the broad implications of fintech beyond specific risks. In addition, this document assesses the concerns and opportunities brought by fintech in the cyber space through a broader analysis of business models and disruption risks. Fintech developments could lead to more competition for incumbent banks from non-traditional players in an already challenging market environment, which could impact the sustainability of banks’ earnings. They could also put pressure on banks to improve digital interfaces to better meet customer expectations. Incumbent banks may find it increasingly difficult to respond quickly and competitively to emerging technologies so as to keep control of customer relationships. The proliferation of innovative products and services may increase operational complexity and risks. Many of the challenges outlined above are consistent with risk principles addressed in the existing PSMOR. Below are potential applications of PSMOR to current and future fintech developments, for the reference of both incumbent and new banks, as well as their third-party service providers.

Overview of risks using scenario analysis The FORFIRM used the five banking scenarios described in Part II.E and case studies to obtain a better understanding and overview of the individual risks, their likelihood under each scenario and their impact on individual banks, the financial sector, and consumers and society more broadly.

Better bank

The key risks under the better bank scenario focus on the execution risk related to the implementation of the new strategy (banks’ ability to manage and effectively implement both the technology and business process changes) and the strategic and profitability risks. Even in the better bank scenario, there is likely to be tough competition among incumbent players to select the winning strategy and the right time to market. While some aspects of operational risk management may benefit from improved and more efficient banking processes, operational risk may increase because of the further development of cyber-risks and increased reliance on outsourcing. Indeed, the incumbent banks, which still carry legacy technologies and premises, are likely to accelerate the transition from legacy environments to new digital platforms. The new digitised environment may carry cyber-security risk in its various forms. This scenario also raises issues about the supervisory authorities’ ability to effectively supervise the new technologies and products

New bank

The size and scale of many incumbent banks may make it difficult to effectively modernise and digitise their current processes to achieve cost-effective operations as well as to provide innovative products for customers within an acceptable timeframe. If neo-banks were to gain significant scale, the combination of customer drain to challenger banks, lower profitability on reduced revenues, and investors moving funds to more profitable challenger banks could raise safety and soundness issues for incumbent banks.

Distributed bank

The key risks highlighted in most of the case studies for the distributed bank scenario focus on banks’ and bank supervisors’ ability to monitor and manage end-to-end transactions across one or multiple third parties. Effective third-party risk management processes would be essential for banks. Whether fintech companies are service providers, business partners or provide the primary customer interface, banks will need processes in place to conduct appropriate due diligence, contract management and ongoing control assurance and monitoring of outsourced services operations in order to safeguard themselves and their customers. Also, questions on ownership of the customer relationship and the use of customer data with regard to consumer protection and data protection regulations were raised as part of the distributed bank scenario. Finally, there might be questions about risk management functions as a consequence of weaker, less stable and more fragmented customer relationships. The loss of the customer relationship can result in loss of revenue and cross-selling opportunities. Also, on the compliance side, banks will need to have appropriate AML/CFT monitoring processes in place if they process transactions on behalf of FINTECH companies’ customers. From a financial stability perspective, the distributed bank scenario may reduce the “too big to fail” issue, since increased competition and a sharing of the value chain is likely to lead to a more fragmented banking sector. On the other hand, the distributed bank scenario is associated with increased interconnectedness between financial institutions and the dilution of accountability.

Relegated bank

In this scenario, banks become a back office service provider for front office customer-facing platforms, with banks providing the necessary licences, access to payment networks and maintaining deposits and access to funding. There is a risk that banks and bank supervisors will have limited ability to monitor end-to-end transactions and systemic risk. As in the distributed bank scenario, the loss of the customer relationship and the dependence on these new platforms that channel financial products may have adverse consequences for risk management functions and revenue streams (revenues would need to be shared with the new intermediaries). Front office customer platforms are also expected to accentuate competition between banks, which may further accelerate customer mobility, deposit transfer speeds and aggressive pricing on loan offers. This scenario raises also significant issues for consumer protection, since the customer relationship will be handled by new platforms, which would be based on automated processes and extensive and innovative uses of consumer data. In addition to data privacy and data security issues, inappropriate marketing practices could emerge under this scenario. If the number of new platforms is low, concentration risk will increase, especially if bigtech firms gain a large market share. This would also lead to “too-big-to-fail” issues.

Disintermediated bank

The disintermediated bank scenario is considered unlikely to gain significant scale in the short to medium term. Indeed, large-scale use of public distributed ledgers for processing payments is still impeded by many technological and legal factors. P2P lending platforms also face difficulties in matching lending and borrowing, which underlines the continuing economic need for balance sheet intermediation. Moreover, P2P lending platforms are currently pivoting to a business model where institutional investors such as banks, pension funds or insurance companies progressively replace retail investors in the investor base. However, these scenarios were covered as there is a potential risk that banks could be disintermediated from certain aspects of financial services. The key risk in these scenarios would be that financial activities taking place outside regulatory environments would be subject to looser standards and oversight, and as a result be inherently less controlled and secure. Bank supervisors could potentially find that their ability to monitor systemic areas of risk in the financial industry is eroded.

Fintech presents a wide variety of risks that cut across various sectors and often blend both tactical and strategic risk elements. A number of these risks feature more or less prominently in all five scenarios:

• Strategic risk: The potential for rapid unbundling of bank services to non-bank fintech or bigtech firms increases risks to profitability at individual banks. Existing financial institutions could stand to lose a substantial part of their market share or profit margin if new entrants are able to use innovation more efficiently and deliver less expensive services that better meet customer expectations. In today’s environment, a deterioration of profitability due to a lack of anticipation and agility, and the loss of profitable direct customer relationships and/or margin compression might weaken the ability of incumbent institutions to weather future business cycles, for example, if banks react to falling profits by engaging in riskier activities, such as moving down the credit spectrum.

• High operational risk – systemic dimension: The rise of fintech leads to more IT interdependencies between market players (banks, fintech and others) and market infrastructures, which could cause an IT risk event to escalate into a systemic crisis, particularly where services are concentrated in one or a few dominant players. The entrance of fintech firms to the banking industry increases the complexity of the system and introduces new players which may have limited expertise and experience in managing IT risks.

• High operational risk – idiosyncratic dimension: A proliferation of innovative products and services may increase the complexity of financial services delivery, making it more difficult to manage and control operational risk. Legacy bank IT systems may not be sufficiently adaptable or implementation practices, such as change management, may be inadequate. As such, some banks are using greater numbers of third parties, either through outsourcing (eg cloud computing) or other fintech partnerships, thereby increasing complexity and reducing the transparency of end-to-end operations. This increased use of third parties and partnering may increase risks surrounding data security, privacy, money laundering, cyber-crime and customer

protection. This is particularly the case if banks are less efficient in applying the required standards and controls to manage those risks, or where fintech firms may not be subject to the same stringent security standards. In addition, use of third party service providers could increase banks’ step-in risks: banks may find themselves in the position of having to support a provider in financial distress or face discontinuation of critical services that they provide.

• Increased difficulties in meeting compliance requirements and especially AML/CFT obligations: Banks will need appropriate AML/CFT monitoring processes in place if they process transactions on behalf of fintech companies’ customers. If the customer makes payments with a bank card or account, the bank currently has some level of responsibility for authenticating the customer and may be responsible for covering fraudulent transactions under several regulatory regimes. The higher level of automation and distribution of the product or service among banks and fintech companies can result in less transparency on how transactions are executed and who has compliance responsibilities. This can increase conduct risk for banks as they may be held accountable for the actions of fintech partners if a customer suffers loss or compliance requirements are not met (see Box 6 below for further details).

• Compliance risk with regard to data privacy: The risk of not complying with data privacy rules may increase with the development of big data, more outsourcing due to tie-ups with FINTECH firms, and the associated competition for ownership of the customer relationship. • Outsourcing risk: If more parties are involved in the offering of financial products and services than at present (distributed bank, relegated bank, disintermediated bank), ambiguity could arise regarding the responsibilities of the various actors in the value chain, potentially increasing the likelihood of operational incidents. Within banks, a proliferation of innovative products and services from third parties could increase operational complexity and risks, if controls fail to keep pace. A key challenge for financial institutions will lie in their ability to monitor operations and risk management activities that take place outside their organisations at third parties. Outsourcing risk would be even more prominent if some part of the services provided by third parties were to become dominated by globally active players, resulting in a concentration of risk. Where specialised FINTECH companies are the service providers, business partners or provide the primary customer interface, incumbent banks will need to consider the appropriate processes to conduct appropriate due diligence, contract management and ongoing control assurance and monitoring of operations in order to safeguard the bank and its customers.

• Cyber-risk: Cyber-risk is likely to rise in all scenarios. New technologies and business models can increase cyber-risk if controls do not keep pace with change. Increased interconnectivity between market players can create benefits for banks and consumers, while amplifying security risks. Heavier reliance on APIs, cloud computing and other new technologies facilitating increased interconnectivity with actors or sectors not subject to equivalent regulatory expectations could potentially make the banking system more vulnerable to cyber-threats, and expose large volumes of sensitive data to potential breaches. This emphasises the need for banks, FINTECH firms and supervisors to promote the need for effective management and control of cyber-risk.

• Liquidity risk and volatility of bank funding sources: The use of new technology and aggregators creates opportunities for customers to automatically change between different savings accounts or mutual funds to obtain a better return. While this can increase efficiency, it can also affect customer loyalty and increase the volatility of deposits. This in turn could lead to higher liquidity risk for banks.

Risks and opportunities of fintech for anti-money laundering and countering the financing of terrorism (AML/CFT) Increased risk: Digital finance raises news risks and challenges with regard to AML/CFT. New areas of vulnerability might develop because of new financial products (virtual cryptocurrencies) and new technologies (eg a permissionless distributed ledger based on anonymous users and on decentralised governance without accountability). Digital finance gives rise to an increasing number of financial players and eases cross-border transactions, which makes the monitoring of transactions more complex for financial institutions and public authorities. Finally, while new financial players are reshaping the financial sector, they may be outside the scope of banking sector regulation and subject to less stringent AML/CFT rules than are banks. If not proportionate to the AML/CFT risks, these regulatory gaps or loopholes may lead to some distortion of competition, which may violate the level playing field principle and lead to increased potential for financial crime. Innovative solutions: New technologies may support greater efficiency for AML/CFT policy. Regtech companies are especially keen to enter this field, which could attract significant investment by banks. Analytics of non-structured data (big data) associated with machine learning and AI can support banks’ financial crime divisions in the monitoring and reporting of suspicious transactions. While non-face-to-face relationships are usually considered as a “high risk” for AML/CFT, requiring enhanced due diligence (see Financial Action Task Force’s 2012 report on money laundering),20 technologies such as biometry (eg fingerprints, iris or vocal recognition, touch ID etc), and scanning technologies may also help identify fraud in a digital environment and promote remote but secure customer identification and authentication processes. E-identification and e-signatures may provide new secure opportunities to facilitate the digital on-boarding of customers and non-face-to-face business relationships. Initiatives in a number of countries involving the use of innovative technologies for identification services are in different stages of development. For example, the UK government is promoting e-identification through its Verify programme,21 to which banks such as Barclays contribute by certifying the identity of their customers. In Canada, SecureKey,22 a private sector company that includes a number of banks as investors, proposes to use a third-party blockchain as an identity and authentication provider to simplify consumer access to online services and applications. Similarly in the Netherlands, a service called IDIN,23 supported by seven Dutch banks, was launched in 2016 to enable customers to identify themselves to other organisations online using bank authentication credentials. Both the UK and Canadian initiatives are supported, to some degree, by governments. In these identity “ecosystems”, banks may provide identity information, subject to customer consent, as well as receive it. Some regtech providers and countries would like to set up shared KYC utilities for due diligence using cloud and online platforms. The BCBS acknowledges such utilities for conducting customer due diligence in its revised guidelines on the sound management of risks related to money laundering and financing of terrorism.24 However, jurisdictions may follow different approaches in promoting innovative business models and emerging technologies, while mitigating and addressing associated money laundering and terrorist financing risks.

C. Implications of using innovative enabling technologies
Implication 3: Banks, service providers and other fintech firms are increasingly adopting and leveraging advanced technologies to deliver innovative financial products and services, such as artificial intelligence (AI), machine learning (ML), advanced data analytics, distributed ledger technology (DLT), cloud computing and application programming interfaces (APIs). While these innovative technologies present opportunities, they may also pose new sources of risks.

Consideration 3: Banks relying on these innovative technologies should ensure they have effective IT and other risk management processes and control environments that effectively address new sources of risk. Bank supervisors, for their part, could enhance safety and soundness by ensuring that banks adopt such risk management processes and control environments.

Three fintech-enabling technologies, namely AI/ML/advanced data analytics, DLT and cloud computing, have been analysed in detail in industry publications that were reviewed to assess the impact that their development may potentially have on the banking industry. These enabling technologies are not new financial products or services themselves, but instead are the catalyst that allows for the development of new innovative products and for fintech companies to enter the banking markets. These technologies may lower barriers for entrants by allowing for low-cost infrastructure and access to direct delivery channels to customers, thus bypassing traditional channels.


Artificial intelligence /machine learning /advanced data analytics

AI makes possible advanced analytical tools that, by leveraging the capability to process large volumes of data, support innovative solutions for business needs. This capability enables the development of multichannel customer access, increased self-service by customers, ability to gain greater insight into customer needs and the provision of more tailored or customised services. There is an increasing use of AI/ML for the termination of credit limits, although the accuracy and validity of these models is as yet unproven. Many fintech companies have leveraged these capabilities to provide data collection, aggregation and storage services, advanced data analytics and personal finance management directly to customers. In modernising and digitising incumbent banks, most of these services support a better bank scenario where banks use advanced data analytics to research customer needs, provide real-time service delivery and enhance their risk management. Fintech companies based on data aggregation business models, or bigtech companies, monetise customer data and use them to gain an in-depth knowledge of their users (through search history, personal data and preferences shared on social media, consumption and spending habits etc) and tend to compete directly with banks for ownership of the customer relationship (the distributed, relegated and disintermediated bank scenarios). Many data aggregators provide customers with the opportunity to manage diverse financial accounts on a single platform with limited need for direct contact with multiple financial service providers. The answers to questions such as who owns customer data, the conditions under which personal data can be used, and for what purposes, will likely shape developments in advanced data analytics and big data. These legal questions are being debated in several jurisdictions.

Distributed ledger technology

As an emerging technology, DLT solutions tend to be more complex than other enabling technologies and have the potential to be applied for multiple purposes. DLT is being considered for a large number of use cases. Some DLT developments focus on facilitating value transfer exchanges between parties without the need for intermediation, such as central counterparties and central securities depositories, while others target the efficiency of the intermediary functions, without challenging the role of intermediaries, by reducing settlement times or improving the transparency of recordkeeping and reporting. Some DLT solutions also focus on banks’ back office operations. Thus, better information-sharing via DLT could also benefit banks’ business processes. Depending on the DLT solution, other benefits could include eliminating data duplication and reducing maintenance costs to support different databases. DLT developments, although still heterogeneous and immature, could trigger concerns as some solutions still display limited scalability, and a lack of data privacy or harmonised industry standards, with little in the way of interoperability and recourse mechanisms. Exploratory investments are being made by financial institutions, with some projects achieving limited internal deployment for intragroup purposes with the aim of improving services. Examples of DLT platforms moving into testing or production include platforms for trade finance, syndicated loans, repo clearing, and derivatives recordkeeping and processing.


Cloud computing

Cloud computing allows the sharing of on-demand computer processing resources in a way that promotes efficiencies and economies of scale. Such cost-cutting may be attractive for banks, but concerns over safety and privacy seem to have initially inhibited banks from using cloud computing infrastructure. Now, however, many banks are experimenting with public cloud operations.27 For new entrants, cloud solutions often allow easier access to back office infrastructure that incumbents spent decades building, helping to engage in operations at a lower cost. Cloud-based services can take many forms, ranging from infrastructure only to fully fledged software solutions (including white-labelled banking solutions), as shown in Graph 9 below.28 While responsibility for managing cloud operations (see Graph 9) would be located variously in each of the different scenarios depicted, banks continue to retain risk management and oversight responsibilities for all their activities, including those outsourced.


Cloud computing as a service provider to banks can act as an enabler in all fintech-related scenarios, and need not in itself cause business models to be disrupted. However, while cloud computing helps both incumbent banks and new players, it is more of an enabler for new players and therefore fits scenarios that challenge the current banking system (all scenarios apart from the better bank). Incumbent banks can be considering the use of cloud computing to develop new solutions and migrate away from legacy systems. In doing so they may face the challenge of integrating the new technology with the old, which is usually not an easy task. For new players, on the other hand, cloud computing could be a pure enabler as they would have traditionally had to invest time and money in building up their own infrastructure. The use of cloud computing could therefore allow them to focus on their business and increase their scale as the business grows. Banks’ dependence on technologically complex systems could increase significantly, including the use of cloud-based services and infrastructure (all scenarios), requiring an enhanced technological expertise to understand and supervise effectively. In cases where banks outsource important parts of their operational processes, especially in the case of internationally active players, concerns may arise regarding, for instance, geographical location of data storage.

Focus on outsourcing and partnering risk

Implication 4: Banks are increasingly relying on third-party service providers for operational support of technology-based financial services; as a result, the delivery of these services has become more modular and commoditised. The primary drivers of outsourcing are cost reduction, operational flexibility and increased security and operational resilience. While operations can be outsourced, the risks and liabilities associated with those operations remain with the banks.

Consideration 4: Safety and soundness and financial stability can be enhanced by implementation of supervisory programmes to ensure that banks have appropriate risk management practices and processes over any operation outsourced to or supported by a third party, including FINTECH firms, and that controls over outsourced services are maintained to the same standard as those applied to operations that the bank itself conducts. Relevant practices and processes include due diligence, operational risk management, ongoing monitoring and appropriate execution of contracts with third-party service providers that set out the responsibilities of each party, agreed service levels and audit rights.

The rise of FINTECH could increase operational risks and could raise complexity in the banking industry. The financial sector is becoming more modular, both at the front end with FINTECH firms partnering with banks (via for instance APIs), and in back offices and supporting functions where more IT infrastructure and services are outsourced to globally active bigtech firms and start-ups. While in certain cases these developments could increase security, these new business models and their supporting technologies could also potentially increase operational complexity and risk. The key areas of interest that emerge in most – if not all – of the stylised scenarios described above are:

• When engaging a service provider or FINTECH partner, banks and new entrants should consider the Basel principles addressing operational risk and outsourcing risk, such as the Basel Committee’s Core principles for banking supervision (2012), the PSMOR (2011)29 and the guiding principles established by the Joint Forum about Outsourcing in financial services (2005). Some of the principles address corporate governance frameworks in general, which is relevant not only for incumbent banks but maybe also for new entrants including non-financial ones. Others addressing risk culture and risk appetite/tolerance could be applicable to all financial services firms. However, it is uncertain whether emerging FINTECH players will adhere to these principles. The larger the gap of “risk culture” and “risk tolerance” among entities participating in the financial system, the more likely it is that weaknesses will develop in the operational risk control framework.

• Banks can mitigate risk by extending their risk management culture to third parties performing operational activities on behalf of the bank, particularly those supporting fintech technologies or dependent products.

• A bank’s operational risk framework is expected to be able to identify emerging risks and to enable a timely response to any developments that materially change existing operational risks, or introduce new risks.

• Periodic reviews of the framework should also assess whether banks’ risk functions are capable of maintaining effective oversight of the emerging risks posed by new technologies, which may require specialist competencies to address.

• Business impact assessments should take account of relevant business disruption scenarios, which should then be reflected in the firm’s business continuity and disaster recovery plans, and incident management procedures. From the point of view of banking supervision, the use of third-party service providers poses operational risks that need to be specifically addressed. Where such services are critical to the performance of the banking business globally, common, global standards could aid in ensuring auditability and ease compliance with due diligence requirements. In addition, common standards could provide financial institutions with more consistent points of comparability between providers. At the same time, there are concerns that direct regulation of this sector could hinder the growth of innovative models. The range of supervisory oversight of third-party providers is provided in Annex 2.