On July 5, 2022, the Financial Stability Institute released a research report on the role of large technology firms in the financial sector (the “Report”).1 The Report assesses interdependencies in the business models of certain large technology firms based on publicly available information and outlines the regulatory and risk implications of how these firms provide and support financial services. Financial institutions and technology firms should review its recommendations in light of increased emphasis from regulators on the oversight of third-party service providers.2
The Report describes how certain large technology firms operate online platforms through which users may purchase products and services or execute contracts. The technology firm may be the user’s counterparty, may find counterparties for users (e.g., independent merchants), or may partner with counterparties.
Typically, the core business for the large technology firm is to engage in e-commerce and provide related digital and other services. However, some large technology firms also typically provide payment services to facilitate e-commerce and digital transactions and technology services to support either their own or others’ commercial activities (e.g., cloud computing services).
Through the operation of these platforms, large technology firms create ecosystems that encourage users to engage and use multiple services. Further, large technology firms typically collect information on users through the process, and the use of multiple services multiplies the amount of information that can be collected. The need to maintain and grow this network effect creates an incentive for large technology firms to continuously grow their core business and branch into new markets and businesses.
The Report identifies common payment and technological infrastructures as key dependencies within large technology firms. In particular, it notes that large technology firms often operate proprietary payment systems that are easy to use and important for connecting different businesses. Other key dependencies noted in the Report include the collection and sharing of user data across businesses and the use of sophisticated proprietary credit scoring systems.
The Report explores the connection between large technology firms and financial institutions, explaining that financial institutions may rely significantly on the technology services provided by large technology firms. It notes: “While this dependence might increase the resilience of individual financial institutions and could be cost-effective for smaller ones, it would exacerbate system-wide operational and concentration risks in [cases where] big techs were to experience significant disruptions.”
The Report also indicates that large technology firms enter into partnerships with financial institutions to expand into new markets and facilitate cross-border payments. This may be done through white labelling or banking-as-a-service arrangements that leverage the brand name and global platform of the large technology firm.
The Report emphasizes the critical role that large technology firms play as service providers to financial institutions and states that this dependence is likely to increase going forward. In light of this growing, critical role, the authors of the Report express concern that large technology firms may become “single points of failure” and create “new forms of concentration risk” for financial institutions. They suggest that a mitigant for this financial stability risk may be for large technology firms to “implement best-in-class operational resilience and cyber security frameworks.” They also suggest the development of specific entity-based regulations for large technology firms that operate in the financial sector. They believe that these regulations (including risk assessments) should be applied to large technology firms at the group level and across borders, which is similar to the way that banking currently is regulated.
The Report does not solicit comments or propose any specific action but is worth a read by those with risk management responsibility in the financial services and fintech sectors. Financial regulators remain focused on the operational resilience of financial institutions and regularly examine technology firms that provide core services to financial institutions. This is another trend that is likely to grow over time and will require increasing coordination between these vital sectors of the global economy.
1 FSI, Big Tech Interdependencies (July 5, 2022), https://www.bis.org/fsi/publ/insights44.htm.
2 See our Legal Update on new incident notification obligations for service providers to US banks: https://www.mayerbrown.com/en/perspectives-events/publications/2021/11/breach-notification-requirement-finalized-by-us-banking-regulators.