Technology has changed how services are developed and delivered to customers. Regulators are hard-pressed to figure out how to respond, what to regulate, and what to leave aside. Determining the touch point of regulation is not easy.
“Regulators, under unprecedented pressure, face a range of demands, often contradictory in nature: be less intrusive – but be more effective; be kinder and gentler – but don’t let the bastards get away with anything; focus your efforts – but be consistent; process things quicker – and be more careful next time; deal with important issues – but do not stray outside your statutory authority; be more responsive to the regulated community – but do not get captured by industry.”
These are not my words, but those of Malcolm Sparrow, a former British detective turned Harvard academic. Writing in The Regulatory Craft: Controlling Risks, Solving Problems, and Managing Compliance, Sparrow aptly captured what sometimes can be a thankless job facing regulators. In taking decisions about which entity to license, which one to penalize, or which one to shut down, regulators are damned if they do, damned if they don’t.
The integration of technology, notably in financial services, has only made things worse. On one hand, regulators – as was the case with M-Pesa – want to support financial innovation that adds value to society. On the other hand, they are keen not to rush in authorizing innovation they’re yet to fully grasp, as was the case with the advisory by the Central Bank of Kenya (CBK) against the use of virtual currencies, or the recent law in California to impose additional obligations on how Uber treats its drivers.
Many regulators are attempting to figure out how they should regulate financial technology (fintech). Can those two words (‘regulate’, ‘technology’) even be put in the same sentence? Some think so, others forcefully disagree.
The central question in these debates can be summed up as follows: what should be the touchpoint of the rules, standards and policies that regulators impose?
The answer here can be either of three choices: provider, platform or product. Let’s christen them the ‘3P’s’. This is the existential question facing regulators. Despite the methodological device that is used to try and answer this question (e.g. sandbox, test-and-learn etc.), the primary question still remains – is the target of regulation the provider deploying the innovation, the platform upon which it is delivered or the product utilising the technology?
Let’s discuss each in turn.
Regulation, simply put, comprises the statutory obligations placed on firms operating in a sector which, left on its own, would put public and consumer interests at risk. Regulation comes in various forms to mitigate those risks. Regulators have traditionally operated by imposing demands on ‘providers’, namely, the firm seeking to enter a regulated market, e.g. capital requirements, fit and proper and other requirements. However, regulating the first ‘P’, could have major shortcomings. Someone who is fit and proper at the point of licensing, may fail to be so next month. Or if directors promise to organise their firm’s technology in a particular way, things might turn out differently. Safeguards, such as on/off site inspections can be deceptive or manipulated, as regulators in the U.S. found out with the financial giant Lehman Brothers: it had received a clean audit report in mid-2008, a few months before its dramatic collapse. Closer home in Kenya, Imperial Bank.
Secondly, regulators can target the platform (really, the underlying technology) that a provider is deploying to reach and serve customers. This is one of the most hotly contested topics. The battle on whether Uber drivers are contractors, with no entitlements that come with standard employment contracts, or whether an initial coin offering (ICO) is a security or commodity (each would attract starkly different regulatory response), epitomises this debate. Regulating platforms can be annoyingly difficult, perhaps even futile, for two reasons. One, the underlying technology that powers these platforms changes every minute. Second, platforms are huge: we’ve all seen the quotes around the biggest hotel chain not owning any buildings (Airbnb), or the largest movie company not owning any production studio (Netflix). Simply put, regulators find it hard to oversee something they can’t put a perimeter around.
Finally, regulators, especially in financial services, are increasing turning to regulating the application side of things: if imposing obligations on providers becomes increasingly obsolete in a heavily digitised economy, and if regulating platforms can be like chasing a mirage, then regulation can impose demands on what makes use of that technology, i.e., on the product itself. In some jurisdiction, this is termed ‘activity-based regulation’, focusing on the underlying product or service. As an example, mobile platforms in Kenya are now being used to provide not just voice and data (the traditional applications) but also payments, credit, insurance, health services and many more. The range of activities seems limitless. Regulators in other countries have experimented with product governance – as I argued in a previous blog – obligations on firms to ensure their products, regardless of how the platform operates, are safe or fit for purpose, meeting customer’s needs.
The choice on which ‘P’ to target is not a mutually exclusive one.
M-Pesa is a good example. As a payments services provider, Safaricom is authorised under Kenya’s National Payments Act. That legislation and its regulations require the mobile money platform to behave in a particular way, e.g., to reduce or eliminate downtimes, to offer prompt payments, and to be organized in a way that minimises risk of fraud. In turn, M-Pesa as a platform has had numerous application (the products), such as M-Shwari, KCB M-Pesa, merchant and utility payments and so on. Each of these applications is in turn regulated in terms of how it operates and interacts with customers.
Overall, the main primary choice is both about which ‘P’ to target, but also, where to put a high degree of emphasis. The emphasis does vary by sector. For example, in industries like pharmaceuticals or airlines, the emphasis is on ‘product regulation’ (safe aircrafts and drugs). In sectors like nuclear energy the emphasis is on ‘platform/technology’ (colossal amounts are spent to foolproof the technology).
Turning back to financial services, the 2008/2009 financial crisis showed that regulators should not rest just by targeting any one of the P’s. Providers can faithfully meet statutory requirements by filing returns. However, they could be busy selling toxic products, or using their platforms launder money, thereby threatening the stability and integrity of the entire financial system.
FSD Kenya supports work in policy and regulation across all 3P’s—provider, platform and product—to help create an enabling environment for the delivery and use of financial solutions that create real value for Kenyans and the Kenyan economy.
Gitau Mburu is Head of Regulation at FSD Kenya. Email: firstname.lastname@example.org; Twitter: @mjgitau