I was having a conversation with a friend about the issues at Monzo this week (among others). Their third-party payments processor had an outage at the weekend so the cards couldn’t be used. Then they had crashes on Android and lost payments in the app. It’s a challenge being a challenger. However, the reason for sharing this here is not to have a dig at Monzo – we like those guys – but to raise an issue I had not thought of before.
The Prudential Regulatory Authority (PRA) has had guidelines in place for a while around using third party processors for critical functionality, like making payments. Any bank outsourcing such functions opens themselves up to regulatory risk:
The requirements are primarily there to ensure that the outsourcing of the regulated activity, service or function does not lead to an outsourcing of responsibility by the entity in question, or pose a barrier to effective supervision of the specific entity by a regulator. It must not cause detriment to the entity’s clients.
To this end, the rules still require the entity outsourcing the particular activity, and/or its auditors, and the regulators to obtain physical rights of access to premises, so as to ensure that they may exercise the same level of supervision, access to data, access to relevant personnel and to service provider premises connected with the activity or business unit as they would were the regulated activity not outsourced.
This may change under the new European General Data Protection Regulation (GDPR), which will require cloud providers to make available to banks “all information necessary” to demonstrate their own compliance with the new data processor requirements and “allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller”.
Regardless, the PRA’s SYSC8 rule makes it clear that if a bank is relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter “relevant services and activities”) on a continuous and satisfactory basis, it must ensure that it takes reasonable steps to avoid undue additional operational risk.
The bottom line is that any bank using third-party processing services is liable to be asked for a physical inspection of their data stores and, if they cannot show them, face fines and sanctions. Therefore, you can imagine how a bank would interpret “reasonable”, and how this might dissuade banks from working with fintechs, whilst e-money and payment institutions do not have such restrictions.
This is the point my friend was making, and underlining that banks are so nervous about the regulatory risk of using cloud outsourcing under these rules, that they just won’t do it. I made the counterpoint that it seems incongruous that, on the one hand, the regulator is forcing the bank to shut up shop and keep everything internalised whilst, on the other hand, forcing them to open up with APIs and Open Banking services through the Payments Services Directive 2 (PSD2) and other regulatory programs.
Does the regulator know what it’s doing? Well, that’s a question I ask often. I always remember MiFID addressing pre-trade operations without any clue of what happened post-trade, particularly in clearing and settlement. I see the move towards harmonised payments, but wonder why there isn’t a parallel move towards harmonised onboarding and harmonised revocability. Don’t get me wrong – these things are eventually implemented – but it’s like watching a motorway (interstate for my American friends, highway for anyone else) with lots of cars on it. The cars are all moving at different speeds and different directions, but they all represent a regulation of some form. Across the highway is a big metal bar. That’s the live banking system. Quite a few of the regulations are in front of the metal bar; some are behind it; some are driving away from it; and some have smashed headlong into it.
Equally, there isn’t just one big metal bar, but several. One has an American flag on it; one has a Chinese flag; one a European; and then quite a few smaller bars with national flags for Singapore, Britain, Mexico and so on. All the cars are buzzing around different bars, and no one seems to know what the hell the journey is all about anyway.
Maybe my metaphor is wrong, but I have always thought that banking was about three fast cars: the first is the criminals who are always trying to be one step ahead of the second, which is the banks; the third is the regulators all driving behind the first two and trying to keep up.
Now, with digital transformation taking off so fast, the regulators have decided to deploy many more vehicles to support this move to open sourced structures. I just hope they haven’t unleashed a fast lane for the criminals that the banks cannot keep up with.