Emil Radziszewski, Managing Director of the Banking Supervision Division
The first steam engines were built at the turn of the 17th and 18th centuries as steam-powered water pumps for draining mines. Over the next 200 years, the steam engine technology enabled the energy from carbon and water to be put not only into pumps but also weaving machines, trains, huge transatlantic liners, and power stations. The Industrial Revolution, initiated by the steam engine, transformed the economy which was based on muscle strength and metabolism of food products into the economy based on a more efficient combustion of hydrocarbons or nuclear reaction. Such transformation enabled not only efficient extraction of water from mines but also space flights.
A similar process has been going on for the last 70 years (that is, since the launch of the first computers, and then the creation of the Turing machine) in the field of replacing human brains, no longer human muscles, with machines. The computational power of processors is growing exponentially. The same is happening with machine learning, and it’s highly probable that we’re at, or are about to enter, a culminating point beyond which most operations that can be done by a human (other than biological or physiological, of course) will be performed better and more efficiently by a machine. Undoubtedly, this is what technological and digital progress is aiming at. This applies to all areas of human activity, including inventions and art, and obviously industry and services, so naturally also financial services.
The primary role of a human in this process, besides stimulating it and looking for applications of the new technology, is to control and identify the risks the process entails, and to find out how we can relate to that process in social relations and how to protect ourselves from the materialisation of actual risks. A tool which can be used to ensure such protection is another remarkable invention of humanity: the law or, more broadly, regulations. According to that paradigm of the human role in relation to technological progress, we reflect not on whether the digital transformation of the financial market is taking place or is advisable but on how the law should respond to that transformation and what challenges arising from the transformation the regulator is going to face.
It’s no exaggeration to define the digital transformation of the financial market as a total transformation. It involves all areas of the market and is progressing very fast. Computerisation and digitalisation are taking place in the internal systems of providers, the products and their distribution channels, customer relations, and the clearing and settlement systems operating in the market (a good way to picture the scale of changes that have occurred over the last 30 years is to compare online pictures of the New York Stock Exchange from the 1990s with current pictures). The digital transformation of the financial market is followed by regulations. The most relevant ones include two recent EU Regulations: DORA (Regulation on digital operational resilience, establishing the requirements and framework for the management of risk to the security of networks and information systems with financial service providers and critical ICT third-party service providers) and MiCA (Regulation introducing a regulatory framework for crypto-asset issues, crypto-asset issuers and crypto-asset service providers), as well as the ongoing work on the revision of the Third Payment Services Directive (PSD3).
I’d like to use the example of banking to discuss three areas of banks’ activities where digital transformation is or will soon become very relevant, and the related regulatory issues. The areas include: customer relations, banking products, and internal governance.
In the area of customer relations, digital transformation started early and is still progressing. The banking sector in Poland in particular has swiftly followed the trends and fast technological advancements in human communication as well as in the exchange of goods and values, becoming the global leader in terms of innovation and progress. The main driver is the internet and the development of communication tools and their functions. These days, a bank that doesn’t engage in direct and remote communication with clients, electronic, online and mobile banking, instant transaction and online payment management systems has no chance of business success. Another important aspect is the digitalisation of direct customer service and the use of artificial intelligence. In interactions with customers, such as the offering of products or the handling of complaints, the human factor on the bank’s part is increasingly replaced by artificial intelligence (AI). These are still basic functions that are often irritating to customers, but this is rather a necessary transitional stage, which allows the collection of huge amounts of data. In the next couple of years, proper use of those data for machine learning should enable a full emulation of the human factor, followed by its outperformance.
Are customer relations still a matter of interest to financial regulators? Directly – mostly in terms of banking secrecy. Besides that, it’s mainly a domain of consumer law, general regulations addressed to all providers of electronic services and, very importantly, regulations on the collection and processing of data, particularly in regard to privacy and personal data. Customer relations do, however, generate operational risk for the bank in the form of reputational and legal risks. For example, the practice of remote electronic communication with customers and distribution of services has been increasingly used by criminals to swindle money from customers. Such crimes, precisely due to the use of digital technologies, are characterised by negligible rates of detection of perpetrators and of recovery of the stolen funds. As a result of such crime, money is usually irreversibly transferred to the underworld, which, besides the financial consequences, also has far-reaching social consequences, especially when it comes to the scale of crime, the sense of security and the general perception of the rule of law. It’s probable, then, that if preventive and educational measures prove insufficiently effective, this area will soon require more regulations concerning banks’ operations.
The second area of banks’ activities where digital transformation may be relevant is the area of financial products a bank may offer to its customers. It’s not about the distribution of banking services (which is part of customer service) but new or innovative services which, with digital transformation, can be added to the banks’ offer. A small revolution has been seen in this area in recent years in connection with the implementation of the Second Payment Services Directive (PSD2) and introduction of the concept of open banking, which basically means providing a banking infrastructure for storing customer’s funds to offer payment services of other providers and to foster innovation in this regard. The Directive regulates the provision of two new payment services, still niche-oriented in the Polish market: the account information service (AIS) and payment initiation service (PIS). Some banks reacted cautiously to the changes. In general, while in the area of customer relations, distribution and easier access to services, banks have a leading role in terms of technology and innovation, they remain rather passive in the area of product engineering, i.e. design and marketing of new financial services (an exception – a creditable one, but still an exception – is BLIK, a payment system created almost 10 years ago by six cooperating banks). It might seem that banks are usually reluctant to accept product innovations. I think that it’s not about any conservatism or traditionalism in the world of banking. Creating and implementing a new, especially innovative, product always involves investment, i.e. staff, technology and marketing costs. For big organisations such as banks, such costs are always high and much higher than for start-ups. Plus, a new, especially innovative, product always involves a risk that the product won’t sell and the return on the investment won’t cover the development costs. 
It’s a significant risk for a bank; for a start-up, the risk is factored into the business model. It’s therefore much easier for a bank to buy a start-up that has created an interesting product, or even to implement a product that has been tested in the market, and – using its financial and competitive potential – to take over the target market than to create an innovative product from scratch. For those reasons we can say that in the product area, banks will benefit from digital transformation more as followers than precursors, limiting their efforts to supplementing their offer with existing products that have been tested in the market, as was the case with the AIS and PIS services.
I’d say the banking law should respond to digital transformation in the product area. The regulatory framework for banks’ operations laid down in the Banking Act has been in place for 26 years and it generally needs to be revised to better reflect the current reality of banking. Digital product innovations should be a good trigger. An example is the increasingly popular buy-now-pay-later service, which has already attracted banks’ attention but may raise doubts as to whether it can be classified as a banking operation specified in statutory law.
The third, in my opinion the most interesting, area of banks’ activities where digital transformation can be applied as an attractive solution is the area of management and, more broadly, internal governance. This area includes mainly:
and the rights, duties, responsibilities and mutual relations of the bank’s governing bodies and key function holders.
Internal governance and the management system involve the bank’s policies, procedures and manuals defining the tasks, responsibilities and operations of each organisational unit, position and function. All this helps control the functioning of the bank as a whole and generate the management information which provides the basis for the management’s decisions as well as for the bottom-up and top-down flow of information and decisions. As a system, it’s a distinct area that is perfectly suited to digitalisation and robotisation. All the processes related to planning, control, information collection and analysis, generation of decision-making items, and responding to changes in the environment are in line with the potential capacities of artificial intelligence and machine learning. Digital transformation in this area should also attract banks in terms of business opportunities. In contrast to the product area, the investments, even significant ones, should bring a relatively quick effect, not in the form of an incremental increase in revenue but of a significant cost reduction.
However, digital transformation in the area of management system and internal governance might cause major regulatory issues, as this area is not described in detail in the regulations. At this point, a reference should be made to Article 9 et seq. of the Banking Law, Regulation on the risk management system and internal control system and remuneration policy at banks, various provisions of the CRR on prudential requirements for credit institutions and investment firms, KNF Recommendations on internal governance, internal control, the management of risk of credit exposure, and various guidelines of the European Banking Authority. All those regulations would need to be revised thoroughly and at least reinterpreted with regard to the requirements for banks, and answers to a number of questions would need to be found. Would a bank in which an integrated AI-based data analysis and management information generation system is to function and undergo real-time development still need to have policies, procedures and manuals in that respect? Would it need to separate the functions on three independent levels: (1) the management of risk in the bank’s operating activities, (2) the management of risk in organisational units or by bank staff members hired in positions related to management, and the activities of the compliance unit; (3) the activities of the internal audit unit? With such a system, how should the responsibility of the bank’s management board be defined and how should its conduct be assessed if management information, even the decisions, are to be generated by an IT system? How should the competence of such management board be assessed as part of the fit and proper assessment? Finally, how and using what tools should the supervisory authority assess the conduct of such a bank during an inspection or other supervisory processes? Those and many other questions may soon emerge and the current regulations certainly won’t provide a good answer.
To sum up, I’d like to point to the role of regulation. It’s a common belief that regulations impede innovation and technological development, which in my opinion is only apparently true. In fact, the role of the law is not to stimulate progress but to regulate social and economic relations to mitigate the negative effects on humans of changes in the environment. Generally speaking, in order for the law to be effective, it should be of a secondary and reactive, not proactive, nature. Not all innovations are objectively good (for example, weapons of mass destruction). A reversed sequence – first creating regulations and then developing innovations – would result in the need for regulations that are too vague and too broad, and thus in the possibility of bad solutions being legalised. This is why regulatory sandboxes or innovation hubs are very good ideas that can be used to test various innovative methods of running a business or various products, with the next step being the consideration of a possible implementation and the necessary adaptation of regulations.