Implications for bank supervisors and regulatory frameworks

Increased need for cooperation

Implication 5: FINTECH developments are expected to raise issues that go beyond the scope of prudential supervision, as other public policy objectives may also be at stake, such as safeguarding data privacy, cyber- security, consumer protection, fostering competition and compliance with AML/CFT.

Consideration 5: Where appropriate, safety and soundness and financial stability can be enhanced by bank supervisors communicating and coordinating with relevant regulators and public authorities, such as those charged with data protection, consumer protection, fair competition and national security, to ensure that banks using innovative technologies are complying with the relevant laws and regulations.

In several jurisdictions, some of the risks associated with the emergence of FINTECH, such as compliance with data privacy, data security, and AML/CFT standards, fall under the remit of public authorities separate from bank supervisors but still affect compliance risk for banks. Therefore crosssectoral cooperation across regulatory agencies may be warranted within certain jurisdictions to address risks that concern prudential supervision, but which may overlap with the mandates of other agencies. Such coordination may improve the reach of initiatives such as FINTECH consumer literacy programmes, and provide more consistent and effective supervision related to areas such as consumer protection, data protection, competition and cyber-security. In most jurisdictions the same or similar laws and regulations apply to both incumbent banks and non-bank organisations for similar activities. However, it is recognised that banking organisations developing FINTECH products and services tend to be subject to more direct supervisory oversight compared to non-bank competitors given their public trust role in holding insured deposits on behalf of customers. The consideration above for closer coordination between bank supervisors and other public authorities that may have more direct oversight authority over non-bank FINTECH firms can provide for greater transparency on the application of regulatory requirements for activities across both incumbent banks and non-bank organisations.

Implication 6: Many FINTECH firms, in particular those focused on lending and investing activities, currently operate at the regional or national level. However, some FINTECH firms, especially those engaged in payments (in particular, wholesale payments) and cross-border remittances, already operate in multiple jurisdictions and have high potential to expand their cross-border operations.

Consideration 6: Given the current and potential global growth of FINTECH firms, global safety and soundness can be enhanced by further supervisory coordination and information-sharing where appropriate for cross-border FINTECH that affects banks.

Existing FINTECH companies are developing mainly within individual jurisdictions. If some services were provided across borders (by relegated, disintermediated or new banks), this could increase the need for coordination and cooperation, both between jurisdictions as well as across sectors. Further supervisory coordination and information sharing for cross-border FINTECH operations that affect banks could be appropriate given the current and potential global growth of fintech firms. Some jurisdictions’ bank supervisors engage with these companies often on a national level, while the basis for some technologies (such as DLT and smart contracts) and business models (centred on payment or clearing activities) to thrive would be their cross-border and large-scale adoption. This would require legal stability and certainty across jurisdictions and shows that increased international cooperation may be beneficial for all parties. The scale of international cooperation between supervisory agencies should keep up with the pace of globalisation of these companies.

Bank supervisors’ internal organisation

Implication 7: FINTECH has the potential to change traditional banking business models, structures and operations, including the delivery of financial services. Such FINTECH-related changes may require bank supervisors to reassess their current supervisory models and resources in order to ensure continued effective oversight of the banking system.

Consideration 7: Safety and soundness could be enhanced by bank supervisors assessing their current staffing and training programmes to ensure that the knowledge, skills and tools of their staff remain relevant and effective in supervising the risks of new technologies and innovative business models. Supervisors may need to consider the addition of staff with specialized skills to complement existing expertise.

The financial industry is undergoing rapid technological changes in all scenarios considered. Bank supervisors may wish to continuously re-evaluate necessary skill sets and approaches to supervision to keep up with changes in the banking industry.

Based on surveys and interviews, prudential supervisors have generally relied on existing divisions, risk specialists and internal working groups to identify, monitor and assess the risks of new technologies and business models. However, some agencies have set up standalone units with dedicated resourcing and reporting lines in response to fintech issues. The mandates of these units are wide-ranging and include functions such as policy and research, licensing, public-facing contact points, supervision or the use of emerging supervisory technology (“suptech”). While most groups were staffed with approximately five full-time equivalents, a small number of units were allocated up to 10 and, in one instance, 20 full-time equivalents. It is important to note, however, that many of these units are still at a nascent stage and resource allocations may evolve based on a variety of factors. Fintech education/training is a key area of focus for some agencies. Most agencies noted that fintech-related modules had been included in recent training activities. Participants noted attending, participating in, and hosting conferences as ways to gather intelligence and build networks. A number of agencies noted frequent meetings with fintech entrants and technology companies. Two agencies have formal FINTECH training and/or lecture programmes currently in place. It was observed that, while many supervisors have instituted training programmes, only a few are reviewing the adequacy of their human resources, including hiring profiles, or engaging in direct experimentation (eg with DLT or other network-based technologies) to advance regulatory understanding of technological innovations. With regard to specific fintech developments, many agencies noted that their current recruitment programmes for IT risk supervision already emphasise technical skills and knowledge. A number of agencies with central banking mandates noted adding resources in the area of payments infrastructure and/or DLT. FINTECH business models can broadly impact banks’ operational processes and strategies, as well as IT processes. As a result, supervisors may want to review the adequacy of their human resources, including hiring not only IT experts but also data scientists, mathematicians and statisticians, for example, as well as providing training programmes to ensure appropriate responsiveness to developments in financial technology.

Suptech opportunities

Implication 8: The same technologies that offer efficiencies and opportunities for fintech firms and banks, such as AI/ML/advanced data analytics, DLT, cloud computing and APIs, may also have the potential to improve supervisory efficiency and effectiveness.

Consideration 8: Safety and soundness and financial stability could be enhanced by supervisors investigating and exploring the potential of new technologies to improve their methods and processes, and they may wish to share with each other their practices and experiences.

Based on survey results, respondents’ involvement with suptech is nascent and difficult to compare given their state of development. SUPTECH let supervisors conduct supervisory work and oversight more effectively and efficiently. This differs from regtech, as suptech is not focused on assisting with compliance with laws and regulations, but on supporting supervisory agencies in their assessment of that compliance. The benefits of SUPTECH may include increased efficiency and effectiveness, including (near) realtime data access and automation of supervisory processes. However, barriers to implementation may include standardised internal or government-wide policies around IT procurement, restrictions on crossborder data movement, and a lack of transparency as to how the new technology works and is being controlled (eg AI). A small number of agencies are currently exploring the feasibility of using innovative technologies such as AI/ML and distributed ledgers to enhance existing supervisory functions. As with other industries/sectors, big data holds the promise of expanding supervisors’ capacity by providing insights into large amounts of unstructured data. This functionality could be used to support financial institution risk assessments, monitoring/review exercises, or enhancements to regulatory guidance. DLT-based markets and reporting systems could potentially allow supervisors to monitor exposures and transactions of market participants in real time as “nodes” on the network which, if combined with AI capabilities, could further enhance supervisory functions. For instance, one integrated supervisor recently used natural language-processing AI to analyse visit reports from pension funds in order to highlight paragraphs containing potentially sensitive information. The same institution is also running an experiment in which a third-party AI solution is used to analyse banks’ annual reports. Some agencies are also using “accelerator” or “hackathon”30 models to work with fintech companies to address supervisory challenges. For instance, the Bank of England’s website disclosed summarised information regarding a proof of concept conducted with a partner specialising in AI/ML in which AI tools were used to detect anomalies in supervisory data. In addition to developing specific suptech applications, targeted workshops, collaborative and open source initiatives may have benefits such as building up staff knowledge as well as a network of firms to draw on in the future, applying the lessons learned to other supervisory areas (eg cyber-security).

Continued relevance of regulatory frameworks

Implication 9: Current bank regulatory, supervisory and licensing frameworks generally predate the emergence of technology-enabled innovation. In some jurisdictions, prudential authorities do not have a remit for firms that are not banks, and some services previously conducted by banks are now being provided by other firms that may not be regulated by bank supervisors.

Consideration 9: Where appropriate, a review by bank supervisors of their current supervisory frameworks in the light of new and evolving fintech risks could uncover ways in which elements of these frameworks could evolve in a manner that ensures appropriate oversight of banking activities while not unduly or unintentionally hampering beneficial innovation.

1. Supervision of third-party service providers An example of differences in supervisory frameworks is the oversight of third-party service providers. While many FINTECH firms offer financial services directly to their customers, many others partner or act as thirdparty service providers to banks. Use of fintech firms as third-party service providers can provide financial institutions with access to products, technical expertise and efficiencies from economies of scale that they may not have if the service were developed in-house. While access to third-party services can benefit financial institutions and provide their customers with access to a wider array of financial products, the operational, security, reputational and other risks remain with the financial institution. As such, financial institutions are expected to have sound due diligence, risk management and ongoing oversight programmes in place for the engagement and use of service providers. Third parties that provide critical services to large numbers of financial institutions may pose systemic risk to the financial sector and bank supervisors may consider enhancing supervisory programmes to ensure that banks have appropriate risk management practices and processes over any operation outsourced to or supported by a third party, including fintech firms. Financial firms in most jurisdictions are supervised at the legal entity level focused on licensed financial institutions. Thus, in the light of the growing use of non-bank third parties, several bank supervisors have developed alternative ways of monitoring and supervising the risks posed by these thirdparty providers to banks under their remit. To understand the varying degrees of supervisory authority across jurisdictions, a stocktake of current supervisory regimes for third-party service providers was performed (see Annex 2 for an overview).

Based on this stocktake, two regimes for third-party supervision were identified. In the first regime, the bank supervisor has the statutory authority to directly supervise third-party service providers or activities provided by third-party service providers to banks. Examples of supervisors with such statutory powers include the Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg, the Saudi Arabian Monetary Authority (SAMA), and the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) in the United States. The second approach, which is most common among bank supervisors internationally, is to gain access to third parties via the contracts these parties have signed with supervised banks. Regardless of which regime is applied, bank supervisors were also asked whether they actively used this authority and had structures in place to regularly supervise third-party service providers on a regular basis. While some bank supervisors had supervision programmes in place, the majority of supervisors responded that they supervise third-party service providers only under limited circumstances and had no programme in place.

Licensing regimes

To assess how different regulatory structures affect the development of FINTECH firms, the BCBS conducted a survey on licensing frameworks. Agencies in 19 jurisdictions in several regions responded. Based on a comparison of the products, business model structures and licensing frameworks, the following observations emerged.

• The survey showed that licensing regimes typically have a range of options that include full banking licences, limited banking licences, and other types of licence with requirements and restrictions that vary based on the type of entity and/or activity. In most jurisdictions, traditional financial services are under some type of licence; generally full banking licences for activities typically conducted by banks (eg lending or deposit-taking) and/or another type of licence for financial services that usually involve non-bank financial entities (eg payment services or investment services).

• There are few global providers for the FINTECH financial products and services reviewed and only limited examples of products and services being offered in more than one jurisdiction. It is difficult to determine whether this is driven by the complexity of managing across differing licensing and regulatory frameworks, or if the FINTECH business models have yet to achieve full penetration of domestic markets that would warrant the increased investment.

• Completely new financial products and services tend to be subject to limited licensing or supervisory framework precedents, or none at all. This was observed with the issuance or transfer of digital cryptocurrencies, such as Bitcoin and its exchanges, where few jurisdictions have licensing requirements. The potential influence of different licensing regimes on the business models reviewed was observed for different fintech lending business model structures. These differences appear to be more directly tied to licensing differences than payment services and investment advisory services. However, basic regulatory and consumer protection requirements were applicable in all surveyed jurisdictions (see Annex 3). Recognising this potential influence, potential changes to licensing frameworks are being considered related to the emergence of fintech. Annex 3 provides examples from the European Union, India, Switzerland, the United Kingdom and the United States, where regulators have reassessed or revised certain processes by which new financial services providers, including banks, are authorised to better facilitate or support new entrants to the financial industry. Other jurisdictions also noted that they are considering additional changes to licensing regimes. Supervisors should closely monitor changes in how financial services are delivered and managed based on new innovative business models and how those changes affect their ability to supervise end-to-end financial transactions under current regulatory and licensing frameworks. Supervisors may wish to consider:
1. Changes to business models from emerging FINTECH companies that can potentially result in gaps in traditional supervisory and regulatory frameworks. Such gaps may arise if FINTECH companies are performing activities that are traditionally performed by regulated banks, or if banks are highly dependent upon activities that are not defined as regulated activities. Supervisors should closely monitor changes in bank business models and the delivery of financial services and, where warranted, should adapt their regulatory frameworks and supervisory approaches. Mapping risks and requirements based on products, services and their systemic nature can help in this process.

2. In FORFIRM surveys, most authorities responded that they are comfortable with the applicability of regulatory requirements to banking services offered by FINTECH firms. It was noted, however, that prudential authorities may not at present have a remit over firms that are not banks. In addition, many noted examples of new business products and models that operate outside what is considered traditional banking, such as crowdfunding, digital currencies and other innovative products that may not necessarily be covered by bank supervisors. As a result, nearly half of regulatory authorities are considering new regulations or guidance related to emerging FINTECH services.

3. Recognising the above, supervisors should establish processes to assess and monitor potential risks that financial service innovations, and the enabling technologies that support them, may pose to financial stability, and determine suitable responses. The range of actions that agencies have taken to date include research and papers on FINTECH developments, engagement with existing firms and new entrant FINTECH firms, and changes to supervisory processes and, in some cases, to regulatory requirements and processes. For instance, two statutes (crowdlending platform and crowdequity platform) were created in France in October 2014 in order to both tailor the nature of requirements to the activity of crowdfunding, and provide legal stability and certainty to actors willing to compete in this field.

4. A transparent view of end-to-end operations and the management of banks’ ability to manage new risks will be essential to effective supervision. The entry of new non-bank players, both as the main providers of banking services and as third-party service providers, could result in significant financial services activities that are integral to banks but not subject to prudential supervision under current supervisory frameworks. Each jurisdiction may monitor trends and consider whether their regulatory framework and supervisory approaches continue to be appropriate based on changes in the banking industry and how financial services are delivered. Virtually all jurisdictions conduct prudential supervisory and enforcement activities at the legal entity level, not by types of activity. Nonetheless, within most of these frameworks, opportunities exist for supervisors to focus on activity, rather than legal entity type.

5. Evaluating whether the current regulatory frameworks and supervisory processes may present unintended barriers to FINTECH innovations. These barriers could inadvertently result in the development of innovations outside the regulated financial industry, creating an unlevel playing field for competitors and potentially exposing financial consumers to unwarranted risk.


Facilitation of innovation

Implication 10: Supervisors in some jurisdictions have put in place initiatives to improve interaction with innovative financial players that could facilitate innovative technologies and business models for financial services, for example innovation hubs, accelerators and regulatory sandboxes.

Consideration 10: Supervisors could learn from each other’s approaches and practices, and consider whether it would be appropriate to implement similar approaches or practices. Some jurisdictions have put in place initiatives to improve interactions with fintech players that could facilitate innovative technologies and business models for financial services. To this end, these jurisdictions have set up a variety of innovation facilitation mechanisms captured under labels such as innovation hubs, accelerators and regulatory sandboxes. The BCBS and FSB conducted a joint survey on fintech supervisory approaches, supported by follow-up bilateral meetings between the BCBS and some supervisory authorities. Graph 10 below summarises the high-level findings with examples of the supervisory initiatives. The aim of these initiatives is to help companies navigate the supervisory regulations applicable to fully operational financial service institutions. While the level of support offered by each initiative varies, they all seek to provide regulatory guidance to innovative start-ups and incumbent firms. From the authorities’ perspective, these interactions with innovative firms add value by deepening the supervisory understanding of the risks and benefits emerging from the new technologies, products and services, as also noted by the FSB.32 A proactive approach to innovation also has the benefit of helping regulatory agencies identify and explore the use of new technologies for internal supervisory purposes (suptech). FORFIRM’s survey of innovation hubs, accelerators and sandboxes suggests that these terms are tailored to the individual authority and should therefore be approached with caution. The list of approaches is non-exhaustive and some agencies have labelled their innovation facilitator differently (catalyst, innovation lab, innovation programmes, task forces, helpdesk etc). In particular, programmes under the same label may differ in terms of mandate and resources. Each programme’s range of actions is specific and depends on the regulatory framework and the agency’s mandate. Thus, while the objectives are broadly similar, the implementation remains jurisdiction-specific. As most of these initiatives were set up in the past two years and continue to evolve, it is too early to draw firm conclusions on the benefits and challenges of these initiatives and to identify best practices. FORFIRM will continue monitoring these innovation facilitators and simultaneously encourage supervisors to observe, learn from other authorities’ approaches and experiences, and assess the opportunities for cross-border initiatives such as innovation channels and FINTECH bridges as an input when considering the development of supervisory approaches towards innovation.


Since FINTECH companies interact with prudential supervisors and also with conduct authorities or financial market agencies, the FORFIRM has looked at initiatives and programmes put in place by both member and non-member agencies. Box 7 outlines the distinctive features of these various approaches.


Innovation hubs

Innovation hubs aim at supporting, advising or guiding regulated or unregulated innovative firms in navigating the regulatory framework. An innovation hub can be described as an information exchange regime on FINTECH matters. In this framework, new companies as well as incumbent institutions with a new technology-driven project can enter into a dialogue with the respective supervisor. Communication between the company and the supervisor usually has a rather open and informal character. Innovation hubs can range from hosting and attending industry events to informal guidance or assistance in preparing and making an application for authorisation or new products. Supervisors may use innovation hubs to understand and monitor the new business models and technologies as well as to identify regulatory and supervisory challenges associated with FINTECH risks and opportunities. Against this background, single points of contact, dedicated newly created units, identified networks of experts or similar organisational arrangements can be considered as innovation hubs.


Accelerators are usually founded and run by experienced private sector participants. They are fixed-term programmes that include mentorship or education from the sponsoring partners. They can culminate in a public pitch event or a demo day where selected young firms can present their solutions to a problem.
Against this background, accelerators can be understood as projects or programmes by supervisors or central banks where private sector firms are involved to address specific problems or to explore new technologies. Through joint partnership and projects with private sector fintech firms, agencies can explore how innovative solutions could be used in central banking operations including in the conduct of supervisory tasks (suptech).

Regulatory sandboxes

A regulatory sandbox usually refers to live testing of new products or services in a controlled environment. Sandboxes may be considered to be more than just a dialogue or an informal exchange as they engage a supervisor’s active cooperation during the test period. Sandboxes also imply the use of legally provided discretions by the supervisory agency. Their use depends on the jurisdiction.
In contrast to innovation hubs, which provide regulatory advice upon request, the sandbox approach usually entails a prior application process and selection by the supervisor. Several criteria may have to be met by a firm when applying for a sandbox: for example, being a genuine innovation with a consumer benefit, not easily fitting into an existing regulatory framework and being ready for market. Based on initial feedback received on regulatory sandboxes, it is worth noting that these test runs may or may not involve regulated activities (deposit-taking, lending, payment services etc), even if financial firms are applying new technologies or new uses for data. Therefore, the sandbox can be made available to regulated as well as unregulated firms.
Sandboxes may also grant temporary regulatory forbearance or alleviation to selected firms. Since the sandbox regimes have been set up only recently, concrete insights about the regulatory implications of the sandbox are still limited. If they provide regulated products and services, they may be granted with a restricted licence or permission. It is worth observing that regulatory challenges are not always related to prudential banking regulation. They can also stem from data protection, consumer protection or AML/CFT rules. Therefore, sandbox participants must typically inform consumers and all relevant stakeholders that the company is providing the service under a sandbox regime. Confidentiality of customer data must also be ensured.

In addition, the testing environment often involves operating restrictions or parameters for the firms conducting the test (eg a maximum number of clients or maximum transaction level). Sandbox testing typically runs for a predefined period of time. Some authorities that have set up sandboxes also require sandbox participants to have a proper exit strategy to ensure that any obligation to customers is fulfilled or addressed before exiting the test. Sandbox approaches aim at encouraging fintech experimentation, especially with technologies that do not fit easily into the current regulatory framework. When authorities consider establishing a sandbox, they should ensure that the potential risks are properly managed, including those surrounding the ability of supervisors (as opposed to that of the market) to select promising companies, the supervisory authority’s liability in case of failure or complaints by consumers, any potential unlevelling of the playing field, and any potential violation of the authority’s duty of impartiality towards market participants. The purpose of sandbox environments should therefore be to facilitate innovation while limiting impact on customers and the banking system; some arrangements even allow waiving or easing regulatory requirements.