Regulating Platform-Based Finance: Seeing the Big Picture

The scale and scope of platform-based finance extends beyond the powers of a single regulator — cooperation across agencies will be essential. Platforms combine technology, customer data and network effects across diverse markets. This brings in regulatory agencies covering a wide array of domains such as finance, competition, labor, consumer and data protection, telecoms and myriad commercial sectors. For financial regulators to act strictly within traditional silos framed in terms of financial institutions and services would be to ignore the multi-faceted nature of platforms , including risks that arise beyond the regulatory perimeter. How can financial regulators widen their perspective and take account of the big picture?

Risks and dependencies beyond the perimeter

Woman uses platform app on mobile phone
Photo: Nicolas Remene via Communication for Development Ltd.

Some examples can help illustrate the problem. First, consider the core markets to which platform-based finance is tied. The European Union’s Digital Markets Act (not yet in effect) cites eight sectors of “core platform services” such as search engines, social networking, operating systems and cloud services. Platform-based finance arises when such businesses offer financial services to participants as a way to support core markets, with the prospect of growing the finance business into a core service of its own.

In other words, financial services are sold by entities that are (at least initially) not licensed or authorized as financial institutions. Platforms may acquire financial service providers (FSPs) or apply for their own licenses. Alternatively, they might remain outside the purview of the financial regulator, choosing instead to partner with financial institutions (e.g., the platform offers credit to e-commerce clients for a fee while the bank underwrites loans and carries risk on its balance sheet). This means risk may be shared or shifted between partner entities, leaving the FSP without full visibility over the lending risks.

It is essential for the financial regulator to understand how the platform’s business in other sectors relates to its financial services offerings. For example, gains from platforms’ non-financial businesses could feed back into the financial services market as subsidies. This is especially concerning when those profits derive from improper market conduct. Ride-hailing and delivery platforms might impose harsh working conditions on drivers using the platform — only to channel excess profits into subsidized financial services. For example, Grab in the Philippines and Rappi in Argentina have faced driver strikes, labor law penalties and new legislation to protect drivers. Gig workers on platforms might experience data privacy breaches, overwork due to indebtedness and predatory loan terms designed for borrowers with low financial literacy. Interdependencies between the financial and non-financial offerings of platforms call for collaboration between relevant regulatory authorities.

The interdependencies go both ways. When financial services are embedded in a platform, this often means that a financial institution is relying on the platform as a third-party service provider. The FSP is in an outsourcing relationship. The platform is providing the FSP with services such as back-end systems, front-end customer interface, marketing, onboarding, sales, transaction support and data collection.

The outsourcing of cloud computing services by licensed financial institutions has attracted particular attention. While cloud computing is key to data-intensive digital finance, it also presents data security and privacy risks. Compliance risks arise as well because the financial institution loses some control over risk management. Finding the right balance in the regulation of outsourcing has proven to be a challenge. Despite many cases of regulatory overreach (e.g., data localization requirements), the basis for a workable, proportionate approach is clear. It means clearly defining criteria for material third-party contracting — that is, outsourcing of critical services or functions that, if disrupted, would threaten an institution’s ability to meet obligations and continue operations (e.g., data protection, due diligence in third party selection, applying performance standards, on-site audits).

Reaching across regulatory domains

While platforms operate in several regulatory jurisdictions, financial regulators often find their authority constrained within a narrowly defined perimeter. This can make it difficult for them to take full account of platforms’ relevant activities and address the risks stemming from beyond the licensing window. The European Banking Authority (EBA) warns that tech platforms in general lie “outside the perimeter of direct supervision” and that regulators struggle “to identify, within a platform ecosystem, who is carrying out any regulated financial services…and whether new activities are emerging that could warrant consideration for inclusion within the scope of the financial services regulatory perimeter.”

Effective oversight of platform-based finance requires a wider angle of vision than traditional regulatory silos allow. Short of legislation to bring platforms wholly under their jurisdiction, supervisors may set rules for outsourcing (e.g., standards for fintech and APIs). This allows them, in effect, to extend the perimeter and regulate platforms indirectly. Or oversight could mean testing proposed platform models on a pilot basis under supervision by the financial regulator, as in the Philippines.

The regulator’s ability to exert its power across sectors can be enhanced by the right balance of institution-based and activity-based regulation. Where a platform links a variety of companies and financial service activities, end-to-end supervision can keep the big picture in view. The regulatory perimeter should be wide enough to ensure consistent coverage of linked activities (e.g., e-commerce or cloud services) that have implications for financial stability. There is precedent for this in the prudential requirements for banks, which are largely entity-based and take into account all activities that an institution includes on its consolidated balance sheet. Subsidiaries of banking groups may be subject to these requirements, regardless of what they do and whether directly regulated or not.

Keeping a platform under a consistent supervisory lens also means limiting regulatory arbitrage. The decision as to who regulates a platform may depend on whether the platform is considered a mere intermediary or as actively marketing on the site. Many platforms work at the boundary between employers and outsourcing contractors (as in the above-mentioned cases of Grab and Rappi). Presenting themselves as pure middlemen, they may seek to transfer risk (e.g., of illness, injury, market downturns) to service providers. For example, Uber sought unsuccessfully (2017) to be classified as a pure intermediary rather than a transport company. This same kind of maneuver could be used to oppose financial authorities’ jurisdiction over platforms — not likely in general, but possible in those settings where regulatory and judicial institutions are vulnerable to external influence.

Coordinating a wide-angle approach

Unilateral efforts by the financial regulator are unlikely to be enough. A collaborative approach is needed. Existing mechanisms of coordination – e.g., consultation between banking and securities agencies – allow for expanded oversight and may serve as precedents for dealing with platforms. A further step would extend this to non-financial regulators such as telecoms, labor, consumer and transport authorities, or alternatively, multi-sector agencies dealing with competition or data. Some financial authorities have concurrent jurisdiction with competition agencies — for example, U.S. federal banking agencies monitor big techs as significant third-party service providers to banks. Or cooperation may be formalized in interagency agreements. In Mexico, the competition commission and financial services regulators coordinate on the basis of an MOU. The financial regulator could also coordinate with an independent data agency (e.g., European Data Protection Authorities) or the data unit of the telecom, consumer or competition regulator.

A truly comprehensive framework would need to be international, given the scope of many platform markets. Supervisors are often hampered by the foreign location (or multiple locations) of third party facilities (e.g., for cloud storage), inconsistencies between national legal frameworks and a paucity of skilled, experienced staff. In emerging markets and developing economies (EMDEs), even supervisors with the requisite authority may struggle technically (and politically) to deal with third parties, especially global big techs.

The way forward in this area is becoming increasingly clear. For example, the EBA has proposed to develop a collaborative national-European framework to collect information about financial institutions’ dependencies on digital platforms and to develop indicators (e.g., of concentration and systemic risk). There is also growing consensus that regulation of material outsourcing by FSPs (e.g., cloud services) should be consistent across financial sectors, functional authorities and countries. At a minimum, bilateral coordination between home and host countries is needed to allocate jurisdiction over providers, including audit and access rights, and to protect citizens’ rights over data held by a foreign provider. Further, a move toward multilateral frameworks is underway. Assuming this takes hold, it will be especially important in enabling EMDEs to uphold consistency in regulation as it affects their domestic customers and providers.

This is the final post a four-part blog series called "Platform-Based Finance: Regulatory Challenges and Solutions." The series explores the implications of platform-based finance for data protection, competition and regulatory coordination.

Add new comment