• Cheng-Yun Tsang

Regulating Fintech Collaborations – From Industry Sandbox to Supervisory Control Box


The rapid diffusion of Fintech has posed unprecedented challenges for regulators and begs the question of whether current regulatory thinking needs to change. The existing literature on fintech regulation mainly focuses on two fronts: the regulation of the use of innovative technologies by financial institutions and the regulation of the delivery of financial services by nonfinancial firms. This dichotomy in the literature fails to appreciate that rapid developments of fintech and the unbundling of financial services have given rise to greater collaboration between financial institutions and fintech innovators, and such collaboration calls for a rethinking of current regulatory regimes. These fintech-era collaborations, as identified by my recent paper (forthcoming this Fall in the University of Illinois Journal of Law, Technology & Policy), takes four major forms: Third-Party Service Relationships, Data-Sharing Arrangements, Regulatory Experiments, and Industry Consortia. Each type of collaboration presents certain risks or governance issues to the consumers, the collaborating firms, and the financial market as a whole, and introduces a range of challenges.

The analyses of each fintech collaboration suggest that an ideal system for regulating fintech-era collaborations should have the following characteristics. First, the regulatory system should enhance financial regulators’ capability and capacity to learn new technologies and collect data. Second, the regulatory system should allow the regulators to be in constant and close dialogue with the industry so as to facilitate the creation of ideal governance structure and liability framework among different stakeholders. Third, the regulatory system should enable infrastructures which allow data interoperability and portability in a safe manner. Fourth, the regulatory system should help regulators continuously explore adequate ways to regulate fintech collaborations.

The paper terms a regulatory system with those four characteristics as a collaborative data-empowerment supervisory regime. Such a regime empowers both the regulator and industry by enabling safe and efficient intra-industry, inter-industry and industry-regulator data-sharing and collaborative learning. It also harnesses both the regulatory and industry wisdom to explore an effective risk governance framework and enabling regulatory approach. Currently, worldwide regulators rely mainly on outsourcing regulations to oversee fintech-era collaborations. The paper conducts a holistic review of the existing outsourcing regulations in the US, the UK, the EU, Singapore, and Hong Kong and finds that contemporary outsourcing regulation seems to build on dated, and now questionable, assumptions and fails to effectively respond to challenges arising from fintech-era collaborations. As these collaborations deepen, diversify, and become more frequent and complex, traditional outsourcing regulation is likely to fail to respond effectively to challenges that arise. The financial regulator needs to think more creatively and engage with the industry more actively.

The paper, therefore, argues that regulators should participate actively in properly-designed industry sandboxes, developing SupTech (supervisory technology) solutions, and then utilizing SupTech to turn these sandboxes into “supervisory control boxes” based on which a collaborative data-empowerment supervisory regime can be made a reality. The supervisory control box symbolizes a new paradigm of technology-enabled self-regulation, which allows sandbox members to regulate themselves through a collaboratively-designed-and-maintained governance framework. In the control box, regulators facilitate the crafting of an effective governance framework, set common standards for regulatory reporting data sharing, develop SupTech solutions and apply them to sandbox members to gather user feedback. Regulators can also employ machine-executable rules to enable automated regulation in the sandbox, and conduct real-time monitoring of sandbox members. Regulators might also empower consumers with rights and infrastructures to enable data portability and interoperability, allowing consumers to freely decide whether and what to share with which industry sandboxes.

The use of supervisory control box brings various benefits. First, it can cure the weaknesses of the existing outsourcing regulation by forming a governance body in each control box and subjecting the body to the regulator’s direct supervision. The regulator can outsource some of its supervisory functions, and activities to the governance body and hold the body accountable for the members’ non-compliance. Second, it provides an informal but effective forum for inter-agency coordination as regulators from different agencies would generally be more comfortable and genuine in a controlled testing and collective learning environment. Most importantly, it would allow regulators to explore effective ways for managing novel risks such as algorithm discrimination, data security, cyber-attacks and third-party operational failures as repetitive tests will be conducted and collective learning will take place very frequently.

Rome was not built in a day, however. The realization of a supervisory control box remains remote for jurisdictions where regulatory reporting is not yet digitalized, and the regulatory staff is not adequately empowered by technology. The paper also proposes a roadmap to policymakers for future reforms and gradually shift the current regime to a new paradigm of technology-enabled regulation.

Cheng-Yun Tsang, National Chengchi Univeristy, Taiwan


Copyright © 2018 All Rights Reserved. Faculty of Law, The Chinese University of Hong Kong

The Chinese University of Hong Kong