欧盟的监管科技之路（英文版）.pdf

Vol.:(0123456789) Journal of Banking Regulation doi/10.1057/s41261-019-00104-1 ORIGINAL ARTICLE The road touni00A0RegTech: theuni00A0(astonishing) example ofuni00A0theuni00A0European Union Rossuni00A0P.uni00A0Buckley 1 uni00A0 Douglasuni00A0W.uni00A0Arner 2 uni00A0 Dirkuni00A0A.uni00A0Zetzsche 3,4 uni00A0 Rolfuni00A0H.uni00A0Weber 5 Springer Nature Limited 2019 Abstract Europes road to RegTech has rested upon four apparently unrelated pillars: (1) extensive reporting requirements imposed after the Global Financial Crisis to control systemic risk and change in financial sector behaviour; (2) strict data protection rules reflecting European cultural concerns about data privacy and protection; (3) the facilitation of open banking to enhance competition in banking and particularly payments; and (4) a legislative framework for digital identification to further the European Single Market. The paper analyses these four pillars and suggests that together they are underpinning the develop- ment of a RegTech ecosystem in Europe and will continue to do so. We argue that the European Unions financial services and data protection regulatory reforms have unintentionally driven the use of regulatory technologies (RegTech) by inter- mediaries, supervisors and regulators, and provided an environment within which RegTech can flourish. The experiences of Europe in this process will provide insights for other societies in developing their own RegTech ecosystems in order to support more efficient, stable, inclusive financial systems. Keywords Data protectionuni00A0 Digital identityuni00A0 FinTechuni00A0 European Unionuni00A0 Financial regulationuni00A0 General Data Protection Regulation (GDPR)uni00A0 Open bankinguni00A0 Payment Services Directive 2 (PSD 2)uni00A0 RegTech JEL Classif_ication D23uni00A0 G38uni00A0 K22uni00A0 L22uni00A0 M15uni00A0 O16 Introduction Extensive regulatory reforms imposed as the result of the 2008 Global Financial Crisis (GFC) have caused dramatic structural changes in finance globally. The GFC led to an internationally coordinated process of regulatory reform, focused on reducing risk-taking and systemic risks in the financial sector 1, 2. These reforms have also been a major driving factor in the adoption and use of new technologies in the sector, particularly the technologies that aid compliance with regulation, known as RegTech 36. In parallel with these financial regulatory reforms have been extensive reforms of data protection, the advent of open banking, and the development of digital identification regimes. This contribution in honour of our friend Professor David Mayes explores how these four areas of regulatory reform in the European Union, each introduced for their own discrete rea- sons, are interacting today in Europe to drive and support the development and adoption of a RegTech-based approach to financial regulation, supervision, compliance and risk man- agement. We believe David very much would have appreci- ated this discussion of the role of technology in enhancing financial regulation in order to build foundations for better, more stable financial systems. Within the current regulatory environment, questions remain around the role of technology in regulation, compli- ance, and digital transformation. These questions relate to the role of RegTech in supporting the process of transition and providing the basis of a system to address its require- ments; furthermore, they monitor compliance and support the achievement of regulatory and policy objectives by regu- lators and policymakers. There has been little analysis, so This article draws upon a much longer piece of work addressing a wider range of issues, by the same authors, entitled The Future of Data-driven Finance and RegTech: Lessons from EU Big Bang II. * Ross P. Buckley ross.buckleyunsw.edu.au 1 UNSW Sydney, Kensington, Australia 2 University ofuni00A0Hong Kong, Pokuni00A0Fuuni00A0Lam, Honguni00A0Kong 3 University ofuni00A0Luxembourg, Luxembourg, Luxembourg 4 Heinrich-Heine-University, Dsseldorf, Germany 5 University ofuni00A0Zurich, Zurich, Switzerland R.uni00A0P.uni00A0Buckley et al. far, as to how a comprehensive RegTech ecosystem should be developed. We explore the relationship between financial regulation, data protection, open banking and digital iden- tity. Drawing on the European experience, we argue that these four factors together provide a regulatory ecosystem that supports the transformation towards technology-based regulation. In Part I, we evaluate FinTech and RegTech. In Part II, we analyse the four EU regulatory frameworks which, with the benefit of hindsight, have empowered the growth of RegTech solutions. RegTech in Europe developed rapidly with the introduction of extensive, purely digital, reporting from intermediaries to regulators, pursuant to new finan- cial legislation imposed after the Global Financial Cri- sis including, inter alia, the Alternative Investment Fund Managers Directive (AIFMD 2011 7, pp 173) and the European Markets Infrastructure Regulation (EMIR 2012 8, pp 159), the fourth Capital Requirements Directive and the Capital Requirements Regulation (CRD IV 9, pp 338436/CRR 10, pp 1337) in 2013, and the reformed Markets in Financial Instruments Directives (MiFID II 11, pp 349496) in 2014 (Part II.1.). In parallel to these regu- lations, rigorous data protection rules have been introduced by the General Data Protection Regulation (GDPR 12, pp 188) (Part II.2.), which has fundamentally altered how all firmsincluding financial services firmsdeal with per- sonal data. The third measure was the imposition of open banking by the second Payment Services Directive (PSD 2 13) requiring that incumbent intermediaries must share cli- ent data with new competitors (Part II.3.). The fourth facili- tative measure was cross-border digital identity pursuant to the eIDAS framework 14, pp 73114 that establishes a network of national identity providers which can be either public or private (Part II.4.). Overall, the evolution of Europes RegTech ecosystem is the result of the interaction of these four different legal frameworks implemented for separate reasons but coming together to provide an environment which is transforming European finance and has both demanded, and supported, a RegTech revolution. In doing so, the EU is providing a glob- ally significant case study for regulators and policy makers from around the world on questions relating to the develop- ment and use of RegTech. In Part III, we compare these EU developments with other major jurisdictions, in particular the USA and India. Europe differs from the USA mainly with regard to its unique, privacy-oriented approach to data protection, reinforced by its approach to data portability and open banking. This has allowed the emergence of a small group of BigTech/ TechFin 15 firms in the USA in an environment of low regulation, in contrast to the densely regulated environment of Europe. The main difference between Europe and India is that India has developed a centralized strategy to build a RegTech ecosystem to underpin digital financial transforma- tion, with Europeto datecharacterized by a less coor- dinated approach across major areas. While these markets are at very differing stages of development, all three are nonetheless characterized by being large jurisdictions, with rapidly evolving RegTech ecosystems. In Part IV, we put the European developments into con- text, consider the lessons learned from other jurisdictions and formulate policy recommendations. Part V concludes. FinTech, RegTech, anduni00A0theuni00A0origins ofuni00A0digital f_inance Financial technology (FinTech) is growing rapidly and creat- ing new opportunities through big data 1517, the Internet of Things (IoT) 18, 19, artificial intelligence (AI)/machine learning 20, distributed ledger technology and blockchain 21, 22, smart contracts 2325, and digital identity 26, among others. Sometimes this occurs through regulatory arbitrage or regulatory avoidance; sometimes it is the direct result of the implementation of regulation. Crowdfunding 27, 28, digital currencies 29, initial coin offerings 30, 31, p 1109, touchless and e-payment solutions 32 and robo advisors 33 all display the breadth of FinTech appli- cations. In many cases, these innovations have the potential to reduce transaction costs or the need for intermediaries the latter in a phenomenon referred to as disintermediation or disruption. At the same time, one of the biggest drivers of technology spending in financial services (and the growth of the compliance industry) is the implementation of financial regulatory requirements, with BCBS239s risk data aggrega- tion requirements being paradigmatic 34. In addition to opportunities, rapid evolution in FinTech is raising new risks. The sheer amount of data facilitates looking at correlations rather than causations, and correla- tions can lead to unintended, and socially regressive, conse- quences. Yet the methods to properly supervise and control self-learning algorithms are still being developed. Cyberse- curity risks and tech-based complexity challenge supervi- sors and regulators trained to deal with traditional financial services 35. The clash of cultures of traditional bankers communicating with computer scientists prompts risks of miscommunication and design and compliance failures. As an increasing number of spectacular cyberattacks and IT bugs have demonstrated, these new risks could mean the net impact of FinTech for some investors and clients of financial intermediaries will be negative. FinTech has not abolished risks. It has altered the nature of some existing risks and added new risks, including one we have referred to as Global Technology Risk (GTR) 35. The road touni00A0RegTech: theuni00A0(astonishing) example ofuni00A0theuni00A0European Union As laid out in previous research, the new risks created by FinTech can be addressed by new approaches to regulation (which we have termed Smart Regulation 36, 37) which incorporate an ecosystem design approach involving regula- tory and supervisory technologies (collectively referred to as RegTech). RegTech is a contraction of regulatory and technol- ogy 38 and describes the use of technology, particularly information technology (IT), for regulation, monitoring, reporting and compliance 3, p 4, 39. RegTech has initially evolved to address regulatory challenges in the financial sys- tem through innovative technology. It can support the techni- cal handling of large amounts of data, sophisticated analysis of data and automated data processing within intermediaries as well as between intermediaries and supervisors. Examples of RegTech include electronic Know-Your-Customer (KYC) systems which facilitate client on-boarding by financial intermediaries as well as enhancement of market integrity 26, p 62, automated compliance monitoring and reporting with regard to trading limits, and algorithm-based reviews of trading patterns in listed stocks, to ensure compliance with insider dealing laws. RegTech differs from FinTech in that FinTech mostly addresses business processes, while RegTech concerns the relationship between intermediary and supervisor and/or regulator; that is, RegTech ensures the law is complied with more effectively, meaning either a higher degree of compli- ance or the same degree of compliance at lower cost, and also provides systems for designing better regulatory and supervisory systems and infrastructure. FinTech by defini- tion also involves only the financial sector, whereas RegTech can apply in any area of regulation, compliance and system design, whether in the context of finance or otherwise 37, p 336. In light of its benefits, the common view among regula- tors and scholars is that RegTech is, in principle, desirable. Nascent research on the functions of RegTech argues that RegTech could include the use of technology for enhanc- ing operations (framed by Luca Enriques as Operations RegTech 6, p 4), for increasing compliance controls (ComplianceTech), for intensifying or improving finan- cial supervision (OversightTech or SupTech), and for influencing the legislature (PolicyTech). As we define it, the term RegTech subsumes all of these. At the same time, there is a consensus that RegTech (like FinTech) brings new challenges including, for supervisors, the need for highly qualified human resources and adaptations in internal gov- ernance as well as new cybersecurity risks. The intersection of finance and data lies at the heart of FinTech and RegTech. This raises challenges for regulators in dealing with sometimes conflicting policy objectives and systems. However, it also provides an opportunity for us to think about how RegTech ecosystems can be designed to support financial efficiency, integrity and stability going forward, which form the subjects of Part II. The rise ofuni00A0RegTech inuni00A0Europe The four legislative measures analysed in this part were all implemented for separate reasons, but their combined effect has been to give an extraordinary, unanticipated impetus to the rapid evolution of a RegTech ecosystem in the EU. The measures are the digital regulatory reporting requirements particularly of AIFMD and MiFID II, the rigourous data protection of GDPR, the open banking regime introduced by PSD 2 (particularly combined with the data portability requirements in GDPR), and the pan-European digital iden- tity framework built pursuant to eIDAS. Each is considered in turn. Extensive, Digital Regulatory Reporting Obligations: From AIFMD touni00A0CRR anduni00A0MIFID II Since the 2008 Crisis, in tandem with post-crisis interna- tional regulatory approaches, European regulators have imposed ever higher reporting obligations on financial intermediaries in an effort to combat systemic risk as well as address a range of integrity risks emerging from money laundering, terrorism financing and competition scandals (in particular those around LIBOR and foreign exchange trad- ing). The most important regulatory initiatives in this regard include, for the banking sector CRR/CRD IV (finalized in 2013 and effective in 2014), for the asset management sec- tor the AIFMD (2011/2013), for financial markets MiFID II/MiFIR (2014/2018), for market infrastructure the EMIR (2012/2013), for payment services PSD 2 (2015/2018), and for money laundering the AMLD 5 (Anti-Money Laundering Directive 2018/2020). These frameworks share a common focus related to international financial regulatory standards in the EU and a common imposition of extensive reporting requirements upon the financial services industry. Regulators in the EU, by requiring financial intermediaries to report far more data on their decisions, activities and exposures, have trig- gered a RegTech revolution in Europes regulated financial industry. It is given today that when faced with a proposed regulation, the financial services industry will demand suf- f