Blockchain in Financial Services – Compliance and Regulatory Challenges

chain-566778_640

The common consensus seems to be that it is not a question of if but rather when Blockchain technology will become mainstream in Financial Services. The industry appears to be caught in a race to develop solutions based on distributed ledger technology that could make business faster, safer and cheaper. A recent report by the World Economic Forum gave evidence by citing that in the last three years $1.4 billion had been invested in Blockchain-based startups.

Before we will see a wide spread adoption of products and services based on Blockchain technology by financial institutions, several obstacles have to be overcome and Compliance and Regulation is right at the top of the list.

Before we look at the specific areas of regulation that affect Blockchain adoption, we must point two things out:

Private versus Public

The discussion about the impact of regulation and compliance obligations depends whether we talk about a private or a public Blockchain. Just as a reminder, private blockchains differ from fully public ones as its access permissions are more tightly controlled. Reading or modifying the information is usually limited to a selected number of users. At the same time private blockchains mirror the advantages of the technology of decentralisation, authenticity, transparency and speed. The current efforts of financial institutions are mostly based on private blockchains as they provide a higher level of control for the developers. It is important to bear in mind though that because of the nature of private blockchains, regulations may affect the respective use case differently or even not at all depending on how the solution is structured.

Jurisdiction

Another caveat is in respect to jurisdiction: a key element of Blockchain technology is its element of decentralisation and one of the positive consequences could be with regard to the execution of cross border transactions. As a result it may be difficult to determine, which jurisdiction is applicable since it could be argued that it is the jurisdiction of any country where one of the node of the network sits or at least those that are used in any certain number of transactions. However, that means that theoretically a Blockchain based solution would need to comply with regulations of various jurisdiction in respect of the same topic, for instance, follow a super standard in respect of data protection that is in accordance with the rules of, say, the US, Canada, the European Union and so on. This is obviously difficult to achieve and in some cases not practical. It is, however, a different topic, which we will not discuss in this article, but, again, it is important to bear in mind.

Areas of regulatory concern

So what are the key areas of regulatory application for Blockchain products and services?

– AML/CFT

An obvious concern for regulators is the use of distributed ledger technology for the purposes of money laundering and terrorist financing. Though Blockchain is praised for its transparency, the identity of the transacting parties is encrypted. As in the use of cryptocurrencies, Blockchain based solutions that contain a risk of money laundering or terrorist financing will need to address this, so regulators are comfortable with the information available. This will vary with the level of risk of the respective product or service and obviously anonymity does not necessary equal automatically an unlimited right to privacy.

Another aspect is once again the decentralized nature of Blockchain solutions. It might be necessary to demonstrate that the solution in question cannot be used to circumvent controls or predominantly be used for regulatory arbitrage. That means, for instance, that while it is generally not illegal to base a firm’s operations in a jurisdiction that is from a regulatory perspective les burdensome (e.g. see the HSBC announcements to relocate away from London in case of stricter banking rules), regulators are not likely to react very favorable of any attempt to primary structure a product or service in a way to sidestep rules. Though it might be initially possible to avoid regulatory action, eventually lawmakers and enforcement agencies will find a way as history has taught us.

– Consumer Protection

As a result of the financial crisis of 2008 and other recent blunders, consumer protection is a priority for legislators that is going to increase further with future regulations such as MiFID II in 2018, which will significantly increase levels of consumer and investor protection as well as the regulatory obligations of financial firms. Similar to cryptocurrencies like Bitcoin, financial watchdogs will want to make sure that clients don’t find themselves victims to missold products and services or even fraud.

Given that Blockchain technology requires a high level of technical understanding, it is perceivable that it could be used as part of structured products in order to gain an unfair competitive advantage, for instance, through the use of algorithms. The key element for regulators will be the extent to which consumers understand how the Blockchain technology works as well as how it is communicated that in this context it is merely a more optimised internal algorithm. Considering the praise Blockchain technology has received as a potential game changer, it may well be used to lure investors into believing that it will automatically guarantee higher returns.

blocks grid-871475_640

– Payments Regulation

Payments Regulations such as the Payment Services Directive 2 (PSD2) will have a significant impact on innovation. PSD2, which entered into force in January this year and will have to be implemented into the national legislation of the EU member states by 13 January 2018, aim to protect consumers better when they make payments, promote the development and use of innovative online and mobile payments and make European payment services safer. The Directive calls for banks to open up its APIs to third parties giving FinTech firms access to bank data, which will in turn put them in the position to build better products and services. Incumbent bank will come under pressure through the competition of newcomers who often make better use of the large amounts of data the banks accumulate. While it will force established institutions to raise their game, they have the advantage that they may have better resources when it comes to regulation since the opening bank APIs comes with the price of strict restrictions. So any new entrant aiming for disruption will need to ensure that its solutions are in accordance with these rules.

– Data Protection

Data Protection regulations are a key element for Blockchain applications from a regulatory perspective and one of the main concerns understandably for the authorities is the rising risk in respect of cybersecurity. Though Blockchain technology theoretically should add a layer of security through its network of nodes that confirm and modify transactions and the respective data, the encrypted data could still be compromised. This is, for instance, highlighted in a report (see our previous post here) by the German financial watchdog BaFin, which stressed the importance of the protection of systems from cyberattacks as well as the safety of transaction data. In a speech by Christopher Woolard, Director of Strategy and Competition at the FCA, last week pointed to the same issues when he raised the question regarding what data security exists for users. At the same time he also pointed to further questions the regulator has in respect of data protection and which is reverberated by other authorities that is going beyond the remit of pure cyber security, which is how individuals gain access to a distributed network and who controls this process.

The General Data Protection Regulation of the European Union, which will apply 25 May 2018, will deal some of these questions to an extent, but will surely have to be complemented by further legislative acts that focus directly on the aspects of data protection in respect of DLT and the EU is just one, though not insignificant jurisdiction.

– Other areas of regulatory concern

The areas of regulatory concern do not stop here, however. Other aspects, such as Outsourcing, Governance or Risk Management are also on the radar of regulators as expressed, for example, by BaFin on a recent FinTech event, where the authority discussed its view with industry members and interested parties. Not to mention more the more legal concerns such as enforcement and recission of contract.

And then there will be product specific regulations that, beyond the specific areas discussed above, will be applicable depending on the specific instrument or service built on Blockchain technology. For example, building a trading platform on DLT for trading securities raises questions about the nature of the undertaking and its classification as a broker-dealer or an exchange, which is governed by different securities laws in jurisdictions around the globe. Thus, it is understandable that regulators worldwide currently seem to be at an information gathering stage to gain a better understanding of the technology and its use before adding to already existing rules (like the ones referred to above) to fill the gaps to cover all forms of Blockchain applications in financial services.

Conclusion

As pointed out in the introduction, wide spread adoption of Blockchain technology in Financial Services seems a certainty, but so is the need to overcome several obstacles and it looks that regulators will play an important part in this process. Considering the potential the technology has, also and in particular in respect of contributing to make the financial system safer and more transparent, regulatory authorities and lawmakers do well to seek a better understanding and maintain an open dialogue with all parties.