Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 15, Treasury Assistant Secretary for Financial Institutions Graham Steele delivered remarks before the Exchequer Club of Washington, D.C., during which he discussed the U.S. Treasury Department’s financial institutions agenda on fintech, cryptocurrency, and cloud service providers. Stating that “significant potential exists to harness the underlying technology in fintech, digital assets, and cloud services adoption,” Steele cautioned that there exist common risks across these spaces related to inadequate oversight, excessive concentration, and consumer harms.
With respect to nonbanks and fintech, Steele noted that participation by nonbanks in financial services is a key priority for Treasury. He commented that while nonbanks add diversity and competition pressure to consumer finance markets, they “have largely not been subject to the kind of comprehensive regulation and supervision to which banks are subject,” which has created numerous “risks related to regulatory arbitrage, data privacy and security, bias and discrimination, and consumer protection, among others.” Steele highlighted recent Treasury recommendations primarily focused on using existing authorities held by the federal banking regulators and the CFPB as a way to coordinate supervision of bank-fintech partnerships and credit underwriting models. Another area of concern, Steele noted, are big technology firms—those that generally seek to enter the consumer finance market via relationships with banks and third-party fintech firms, and who avoid prudential regulation, supervision, and risk-management requirements that would apply if they offered banking services. “Big Tech firms may have incentives to leverage their existing commercial relationships, consumer data, and other resources to enter new markets, expand their networks and offerings, and scale rapidly to achieve capabilities that others—including depository institutions—do not have and cannot replicate,” Steele said.
Steele also touched on Treasury’s objectives for crypto assets, in which he referred to several studies examining “the potential financial stability implications of crypto-asset activities” and the risks and opportunities they might present to consumers, investors, and businesses. He also addressed concerns about misleading claims and representations in this space (for example, with respect to the availability of deposit insurance) and noted that there exist several gaps in existing authorities over crypto assets. Finally, Steele discussed a recent Treasury report, which examined potential benefits and challenges associated with the adoption of cloud services technology by financial services firms (covered by InfoBytes here).
On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-its-kind report discussing potential benefits and challenges associated with the adoption of cloud services technology by financial services firms. While recognizing that cloud-based technologies can improves access and reliability for local communities and help community banks compete with financial technology firms, Treasury found that financial services firms that rely on these technologies need more visibility, staff support, and cybersecurity incident response engagement from cloud service providers (CSPs).
The report identified several significant challenges resulting from the use of cloud-based technologies in the financial sector. These include: (i) insufficient transparency to support due diligence and monitoring by financial institutions (financial institutions must fully understand the risks associated with cloud services in order to implement appropriate protections for consumers); (ii) gaps in human capital and tools to securely deploy cloud services (CSPs should engage experts and improve tools and frameworks to ensure financial institutions are able to implement resilient, secure platforms for customers); (iii) exposure to potential operational incidents (financial institutions have expressed concerns that cyber vulnerabilities originating at a CSP could have a cascading impact); (iv) potential impact of market concentration in cloud service offerings on the financial sector’s resilience (the current market relies on a small number of CSPs that likely exists across banking, securities, and insurance markets); (v) dynamics in contract negotiations given market concentration (the small number of CSPs could affect financial institutions’ bargaining power); and (vi) international landscape and regulatory fragmentation (regulatory conflicts could result from the patchwork of global regulatory and supervisory approaches to cloud technology).
The report, which received extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks, does not impose any requirements, nor does it endorse or discourage firms from using a specific provider or cloud service. It does, however, recommend that Treasury and the broader financial regulatory community further evaluate the financial risks associated with having a limited number of CSPs offer cloud services.