Technology is often filled with the promise that it will make life better, and it is viewed as an enabler of a more efficient, profitable and competitive organization. But for all the hype and expectations of the current fintech revolution, is Wall Street doing enough to identify and manage the associated risks?
The Depository Trust & Clearing Corporation (DTCC) is asking this question – and attempting to help trading firms, technology vendors, regulators and others become more aware of how these new technologies may impact the safety and stability of the financial system. In a recently released white paper Fintech and Financial Stability – Exploring How Technological Innovations Could Impact the Safety & Security of Global Markets, DTCC cautions that while fintech adoption benefits the financial services industry in areas such as improving client experience, strengthening critical infrastructure components, creating efficiencies and reducing costs, it could also pose or exacerbate certain risks, including cyber security concerns and other third-party risks.
DTCC has created a framework of nine factors that firms can use to evaluate fintech’s potential systemic impact. Among the issues DTCC examines:
While the transformative potential of fintech holds great promise, it could also have risk-related implications that are systemic in nature. What are the key considerations when determining fintech’s potential impact on systemic risk?
Interconnectedness is a key dimension of systemic risk and has become a critical topic for market participants in recent years. What role can fintech play in helping to mitigate interconnectedness risks?
The industry has made great strides since the financial crisis in improving market transparency and enhancing the ability of regulators to understand the nature of risk in the financial system. How are global regulators addressing fintech and systemic risk today?
Fintech involves a number of transformative technologies – including robotics, machine learning and artificial intelligence – which hold great potential to transform the landscape of financial services. What are some of the unique challenges these technologies present to systemic risk?
The entire white paper can be viewed here.
While many fintech offerings are still in their early stages, which makes it difficult at this time to fully assess their impact on financial stability, DTCC recommends that the rapid growth of fintech adoption requires close monitoring to identify emerging systemic risks on a timely basis. Further, DTCC suggests that impact analyses should be conducted on a case-by-case basis, given the wide range of underlying applications under consideration for fintech upgrades, each with their own characteristics and specific context.
“We are at the earliest stages of a fintech revolution that could have significant implications for the financial services landscape,” explained Andrew Gray, Managing Director and Group Chief Risk Officer at DTCC in a conversation with Traders Magazine. “As a systemically important financial market infrastructure, we look forward to collaborating with industry stakeholders and regulators to assess and monitor potential risks as fintech innovations become more widely adopted. This will help us to gain a deeper understanding of fintech’s potential impact on financial stability.”
Gray added that DTCC is monitoring fintech-induced concentration risk, fintech-related fragmentation risk, substitutability of fintech services, reliance on automated decision-making processes and provision of core banking functions by fintech vendors.
Craig Donohue, Chief Executive Officer at the Options Clearing Corporation, is also watching new technology development with a careful eye. To that end, he is focusing some of the firm’s new efforts on cyber security and protecting both information and technology in the marketplace.
“Technology is enabling us to do things much more efficiently and less expensively,” Donohue began. “And I think also with a higher degree of security than we have had in the past. Now we’re focused on cyber resiliency and cyber security. So, I don’t think we can be afraid of new technology. We just have to think about how to incorporate new technology in a way that is protective of the financial infrastructure here in the United States.”
So when it comes to fintech risk, Donohue looks at it from a protection perspective.
“Yeah, I think that’s safe to say. I think financial technology is an important part of innovation and growth and efficiency for the industry. We just have to adapt to the new technology in the right ways and ensure security.”
Upstream and Downstream
Given the recent spate of cyber-attacks – ranging from Equifax to the SEC’s EDGAR system – security has become a foremost concern. And when taking a deeper dive into organizations that have been the victims of a cyber-attack, one must not only look at the headline firm – such as Equifax or Finra – as the weak link. Often, these firms rely on countless others in their technology chain, and those providers must be carefully examined for their security practices. And if some of these providers are newer or even startups, then companies doing business with them must employ rigorous due diligence processes, explained John Manganiello, Head of Business Development at Richard Fleischman & Associates, an information technology, consulting and hosting services consultancy in New York.
“You have to actually know who you’re working with nowadays,” Manganiello began, referring to the third-party downstream technology providers. “I like to think of it as due diligence of third parties. And it’s something the regulators are looking at.”
Manganiello explained that he advises hedge fund clients that when brokering a technology provider deal, it is critical to conduct a “deep dive” security check and due diligence process on the technology provider, including conducting checks on their employees and hiring practices.
“In just understanding who their employees are, do they outsource them,” asked Manganiello. “What’s the hiring process behind them? What type of data are they handling? This is especially important when you are talking about people handling confidential trading data. You now have your firm’s sensitive data being handled away from your own servers and firm. Does the vendor store your confidential data on secure servers or on the Cloud? You need to conduct third-party audits – especially as businesses continue to adopt Cloud-based solutions.”
Manganiello wanted to be clear that he wasn’t against using third-party providers – whether they be startups or established firms – but upstream users must be aware of the myriad risks and make the requisite investments in due diligence to ensure as secure a technology stream as possible. And in this day and age of new firms emerging with new technology and processes, this initial diligence, while time consuming and potentially expensive, can prove to be an extremely prudent investment.
“Increasingly, it is up to the firm to conduct the proper due diligence – which is no different than an investor doing his due diligence on a hedge fund or company to invest in,” Manganiello said.
To that point, Manganiello said the days of agreeing to use a firm based on a handshake and single conversation with a salesman are long gone. Now though, firms employ due diligence questionnaires and vetting documents to reduce risk. Some firms, he added, actually conduct on-site inspections and interviews to minimize risk.
“If I’m a major bank or some type of exchange I’m going to go on site and meet the vendor’s people, and do that type of in-person due diligence,” he said. “Which to me is no different than an investor doing a thorough review of a company he wants to invest in. Everyone now is taking a deeper dive and really understanding these new technologies and companies.”
In other words, know your partner. Thoroughly. Or else.
And risk minimization and mitigation are not a static process. DTCC’s Gray and RFA’s Manganiello both noted that being aware of risk is a continuous process that can reduce risk and increase reward – when done within a proper established framework. And this constant vigilance not only applies to the technology vendors but also to the buy- and sell-side firms that employ them. Some of the largest banks and asset managers have hundreds of sub-contractors handling a portion of their business and as part of their fiduciary responsibility must protect their shareholders.
“Some of these mega money managers have hundreds of vendors. And all these vendors are a risk to the firm, right,” Manganiello said. “It’s not enough to tell your shareholders ‘we outsourced that’ or ‘we didn’t know.’ Well, investors, the stakeholders don’t care. You have to take ownership of the vendors you work with.”