We have all heard about digital transformation before, and banks and savings banks are currently in the midst of change - I doubt I need to elaborate on that for the benefit of anyone. I would like to raise a number of questions that concern not only individual enterprises but also the evolution of the sector as a whole and thus its regulatory framework, too. We have to realise that many of the developments that are still individual projects at present and are taking place gradually are part of a major upheaval. What is more, it is up to us to help shape this transition, which some are calling the fourth industrial revolution.
This is challenging, because our objective - successfully shaping digital transformation in the financial sector - is in flux and the processes involved are complex. So I am not here simply to lecture you on this topic in my supervisory capacity; rather, I am in favour of all parties involved - banks and supervisors - working together to think about how this is all going to evolve.
I would like to talk about three aspects of digital transformation: first, the opportunities; second, the risks; and, finally, the matter of the right framework.
Opportunities presented by digitalisation
I'm not talking about business specifics here, but rather developments in the wider context. The term "digitalisation" is difficult to grasp, and the language in which the term is wrapped obscures what it is ultimately really all about: innovation that translates into productivity and benefit. I say this because, generally speaking, digitalisation and technological progress do not automatically lead to productivity growth.
In order to unleash a technology's potential, we need to get to grips with the technology itself, what we ourselves do with it as well as the environment in which it operates. This is where the actual innovation takes place. This is what I am alluding to when using the term "digital transformation."
Essentially, the idea is to re-evaluate the things we do every day. For the most part, we spend far too little time doing this. On top of that, it is about rethinking what is possible in technological terms.
In the face of the explosive surge in technological innovation, I see countless ways at the economic level to advance the economy as a whole and the financial sector, in particular.
Given the accelerating speed at which information can be exchanged, efficiency on the markets can be increased further. Just think of the communications cable that was laid between New York and London for several hundred million euro. Data can now be transmitted back and forth in 60 milliseconds. This is a highly worthwhile investment for high-frequency trading on the stock exchange, where even very short periods of time may seem like an eternity.
Thanks to digitalisation, markets can also become more international and grow closer together: nowadays, it no longer matters whether you are transferring a sum of money to your neighbour or to an acquaintance in Portugal because both payments are handled the same way. Securities, too, can now be transferred quickly and flexibly to all euro area countries. This means that risks are also transferred more easily and can actually be borne by those agents whose business models are compatible with such risk-taking.
Digitalisation can also help to reduce information asymmetry - just think of search engines, news feeds, networks or knowledge platforms such as Wikipedia, for instance.
Taken altogether, improved, faster and broader-based information sharing between market participants can thus contribute to the more efficient mediation of capital and risk.
Also - and especially - from end customers' perspective, by which I mean consumers and enterprises, there are clearly opportunities that are reflected quite generally in higher quality, lower prices, and customised products and services. Furthermore, from enterprises' perspective, digital innovations are what creates opportunities and market niches in the first place.
The opportunities presented by digitalisation are also apparent when it comes to making individual decisions. Using algorithms, it is possible to keep a better check on sources of error in decision-making processes. After all, digital tools can address weaknesses that make their way into the financial markets as a result of prejudices, biases or simple human error. For example, we, as human beings, regardless of how well educated we are, tend to have systematic psychological biases. Reason-based algorithms embedded into an appropriate incentive structure can overcome this problem and play a role in more efficient decision-making.
Banks are already doing this today - when making credit decisions, for instance, they use algorithms to objectively evaluate available information. The same goes for bank customers when making investment decisions.
As you might have guessed already, we at the Bundesbank take an overall positive view of digitalisation. Established banks, fintech firms and other enterprises are all in the process of transforming technologies into innovations.
In economic terms, this is resulting in productivity gains, growth, improved competitiveness, a more robust economy and, last but not least, greater prosperity. It is also enhancing the stability of the euro.
As a supervisory authority, we want to monitor these developments in a constructive way because, ultimately, they promise cost-saving opportunities as well as new earnings potential for individual institutions.
But of course, as a supervisory authority, we are also keeping a close eye on the inherent risks. I see no contradiction here. Quite the contrary: when it comes to innovation, getting a handle on the risks it poses is key. In 90 years of banking supervision, this has always been the case.
We should not simply equate innovation with novel financial products or processes that provide no added value in the long run. Innovation needs to be a package deal.
Risks of digitalisation
This brings us to the risks and challenges that arise in the context of digital transformation and need to be taken into account. To be clear, tackling digital risk is an enormous challenge. I believe that this can be put down to three key factors.
First, there are new types of risk. Traditionally, banking supervisors focus on capital and liquidity. And that will remain the case for new types of risk - in IT, for instance. However, simply wanting to hold sufficient capital to counter any and every new risk has its limitations. For example, how can a server outage of several hours, with all its ramifications, be expressed in terms of financial risk? How can you put a figure on the damage caused by internal processes coming to a standstill and on the losses that arise due to nothing working anymore and no service being available? In many cases, there is no historical parallel or other benchmark for such matters, but there still exists the need to come to grips with such risks.
Furthermore, there are what are referred to as "unknown unknowns" - risks whose existence may remain entirely undiscerned until the first time they cause an incident. With that in mind, banks are now employing innovative technologies such as advanced analytics in certain data-intensive areas, which examine large data volumes for anomalies and help staff identify the very existence of certain risks in the first place.
Second, we are faced not just with new risks but also with a shifting risk landscape. I am thinking in this respect, in particular, about IT.
As long as digital services, hardware and software keep constantly evolving and the complexity of processes and software generally goes on increasing, there will be technology that is prone to disruption. Furthermore, people make mistakes or deliberately exploit weaknesses. IT risks therefore remain a moving target for the supervisory authorities.
Digitalisation is a moving target for both enterprises in the financial sector and for the supervisory authorities. In the past few years, we as a supervisory authority have responded to the increased significance of IT-related risks and specified our requirements more clearly.
However, the topic also affects our day-to-day supervisory work. Our supervisors' jobs have become more challenging. And this is not just down to the rate and number of tasks to be performed but also to their complexity. Ten years ago, IT-related supervisory standards were fairly manageable. Nowadays, specialisation within this risk category is playing an increasingly important part. Knowledge of IT risks needs to be updated constantly. Information sharing between supervisory authorities across national borders has become a major factor, and knowledge management is becoming a key task in this regard.
Added to this is the fact that issues have increasingly taken on an interdisciplinary dimension. To put it loosely, when it comes to some topics, it is no longer possible for a single person to make a comprehensive assessment. Supervisory authorities, much like the institutions themselves, need to combine legal, economic and technical expertise in order to evaluate, say, the technology-intensive business model of an enterprise.
A lot of people insist that these are no more than organisational details and that, after all, it mainly comes down to having good rules. But organisational matters can, of course, become crucial to the effective enforcement of our regulatory framework.
I would now like to mention a third aspect that is also contributing to the challenging environment. New enterprises have joined the market - mainly fintechs and bigtechs - which often provide just one of the process steps that make up a banking service (customer onboarding or credit scoring, for instance) or technical support processes (for mobile payments or for general cloud services, for example) in partnership with banks. As a result, the boundaries of the sector have become somewhat blurred.
Many of the new players are not licensed as banks, financial service providers or payment institutions, but may be involved at key stages in processes or the market structure as a result of outsourcing or other forms of cooperation.
This is all leading to a more complex competitive landscape and new forms of cooperation which, of course, can give rise to new and additional risks. More generally, this raises the question of how far the legal framework can keep pace with the transformation of the financial sector. And that is what I would like to discuss next.
Outlook for the supervisory regime
The first thing we should note is that the long-established legal framework has remained very largely the same despite the changes the sector has undergone. Much of this is due to the prevailing regulatory approach in Germany and Europe as a whole. This stipulates that the legal requirements do not apply to particular types of enterprise, but to specific business activities with a direct bearing on the risks that financial supervisors deal with. The norms can still be applied to innovative products and business ideas by looking at precisely how the enterprise's business idea is supposed to work and how it fits into the legal framework. It doesn't matter in this context whether an enterprise calls itself a "fintech", "bigtech" or "established financial institution" - nor what technology it uses.
Formulating abstract requirements and standards instead of detailed technical rules has helped ensure the stability of the supervisory framework. It goes without saying that the IT requirements have become more diversified and more clearly defined over the last few years, but even so, they are formulated generically - and for good reason. Since technologies and applications differ over time and from bank to bank, standards need to remain applicable and instructive in every case.
We must nonetheless consider whether our regulatory framework will still be suited to the financial industry of tomorrow. I have already mentioned the blurring of the boundaries between sectors, as new enterprises that often do not perform a business that requires a licence, but that play a major role in the system as a whole, join the market. So how does the legal framework interact with the economic realities in this situation?
Outsourcing activities are a key case in point when considering this question. Banks outsource certain processes to external service providers. From a banking supervisory perspective, the rules are clear. External providers that do not themselves perform business subject to the supervisory rules do not fall within the scope of regulation. It is the supervised institutions that bear full responsibility for any risks arising from cooperation with an external service provider. Examples of such risks are a potential default by the external service provider, or the possibility of reputational risk. The institutions must ensure that the risks remain manageable - for instance, by including relevant terms and conditions to this effect in cooperation agreements and by considering from the outset how they can keep their business up and running if the partnership is terminated unexpectedly.
So this sums up the conditions de jure. But are they always appropriate to the economic conditions? Depending on the individual case, the picture can be very different. Where credit institutions work with large technology firms, such firms' negotiating power might be so large, for instance, that institutions have difficulty effectively imposing their conditions on their contracting partners for the service being provided. You might call this "the tail wagging the dog."
We also have to make sure that it does not make sense to outsource certain tasks simply because you can afford to be more relaxed about dealing with the resulting risks outside the regulated enterprise.
The more the boundaries between sectors are blurred and the more intensively banks work with non-licensed enterprises, the more relevant discussions like this will become. My personal view is that we should discuss to what extent we might take a closer look at supervising individual activities - activity-based supervision - in addition to entity-based supervision. I am thinking here, for instance, about services provided by insourcers of a certain size and importance, such as cloud service providers. However, this would have significant repercussions - not least for supervisors.
So that's why it's crucial that the debate does not take place in a vacuum, but always with a view to what is necessary and essential in order to tackle the key risks effectively. We are still in the early stages of this debate. In any case, the entity-based supervisory approach should remain unaffected. We cannot start to define areas where an institution is relieved of its responsibility for risks that ultimately affect its own services. This would pose a problem not just from the point of view of effective supervision, but also in regulatory terms.
I also see a European dimension here. Europe is already pressing ahead with regulation for issues emerging as a result of digitalisation. I am thinking, for example, of the EBA's recently issued guidelines on outsourcing arrangements. The Bundesbank and BaFin helped to draft these guidelines. Looking further ahead, I would like to see the European stakeholders set the right course for the overarching framework of digitalisation.
First, cross-border business will be even more relevant in the digital age. A key concern for banks and fintechs is that their innovative products and services can be rolled out across Europe straight away. Here, the EU should focus on counteracting any national fragmentation of regulation in its early stages. This is also important for Europe's global competitiveness in areas such as artificial intelligence, blockchain technology, video identification or even issues relating to competition law.
Second, the EU could set its sights on objectives beyond strengthening the single financial market. Regulatory issues brought to light by digitalisation often also have a more far-reaching impact. For instance, the framework for using artificial intelligence also raises ethical questions. Considering topics from various angles appears to be something the EU is good at - in any event, EU regulation is often seen as being very well balanced from outside the European Union. Other countries and jurisdictions have already chosen to model their own projects on the European Data Protection Regulation. I therefore see a very real chance that the EU could end up playing a leading role in developing the rules for the digital financial sector.
Expectations of this have already emerged, in fact. In the new legislative period, we should therefore be proactive in tackling pressing topics and questions.
Digitalisation is about to bring about a fundamental transformation of the financial markets. So it can't be a matter of blocking or preventing developments. Instead, it should be the task of legislators, supervisors and market participants alike to shape these developments.
Even if these developments cannot be stopped, digitalisation will ultimately be what we make of it. We can encourage and support these developments by: taking a broad-based, open approach to the way we think about and tackle digitalisation; raising awareness of the fact that risks can change and shift at any time; and creating a framework for future developments that does not limit potential opportunities and, at the same time, appropriately reflects risk.
A new debate has begun.
By Prof Joachim Wuermeling,
Member of the Executive Board of the Deutsche Bundesbank