The Business Lawyer

Summer 2024 | Volume 79, Issue 3

Regulating Financial Innovation: FinTech, Crypto-assets, DeFi, and Beyond

Steven Lance Schwarcz


Abstract

The term “FinTech” encompasses advances in technology that facilitate financial innovations, such as crypto-assets, algorithmic smart contracts, and decentralized financial platforms and services. Although FinTech promises greatly expanded financial inclusion and other valuable economic benefits, its radical transformational consequences are threatening to disrupt finance and even jeopardize the stability of the financial system. Scholars have been grappling with how the law can control these risks, but their contributions to date have been largely ad hoc. They also disagree whether FinTech-driven innovations are radically changing the financial system, necessitating completely new forms of regulation, or whether those innovations merely present the same types of risks already associated with electronic banking. This article attempts to build a systematic framework for regulating FinTech-driven innovations. In that process, it clarifies and simplifies the confusing terminology, which makes FinTech appear more complicated than it is. The article also shows how its framework should more generally inform the regulation of financial innovation.  

Introduction

“FinTech” generally refers to the use of technology to facilitate financial innovations. A FinTech company can include “any business that uses technology to modify, enhance, or automate financial services.” Robinhood Financial LLC, for example, exemplifies a FinTech company because it facilitates digital stock trading, thereby avoiding the need for a traditional broker-client relationship and reducing trading cost.

FinTech’s innovations can provide valuable and, some argue, revolutionary new economic benefits. These include increased access to financial markets and products, thereby greatly expanding financial inclusion and creating a “democratization of the financial system.” At the same time, the radical transformational consequences of these innovations are threatening to disrupt traditional finance and even jeopardize the stability of the financial system.

The complexity of blockchains, for example, can reduce transparency and cause programming errors. The anonymity of decentralized finance (“DeFi”) can obscure the identity of counterparties, thereby preventing them from resolving disagreements and increasing counterparty risk. It also can shift financing away from regulated banks to unregulated funding sources. The U.S. Treasury believes that DeFi can even threaten national security by enabling the financing of rogue states and other bad actors.

The unchecked execution of smart contracts, which operate automatically based on pre-programmed steps, can also spread panic. The classic Disney movie, “Fantasia,” provides an analogy. A sorcerer orders his apprentice, Mickey Mouse, to fill a cauldron with water. Deciding to nap, Mickey conjures a broom to pour the water. He later wakes in horror, unable to stop the broom from continuing to pour water and creating a flood.

Even those who argue that FinTech-driven innovations represent the same types of risks raised by traditional finance—credit risk, market risk, liquidity risk, and operational risk—admit that FinTech can incrementally change those risks. Consider cryptocurrencies, a commonly known FinTech innovation referring to currencies whose ownership and transfer are electronically recorded by blockchain cryptography. Even one of the most conservative types of cryptocurrencies, stablecoins, might impair financial stability. Being redeemable for “reference” assets having intrinsic value, such as U.S. dollars, the mere perception that a stablecoin issuer might become unable to redeem the coin for its reference assets could panic stablecoin holders, resembling a classic bank run and reducing the stablecoin’s value. If the stablecoin is widely used as a common store of value—which would be likely in emerging markets and developing economies—even a moderate variation in its value might cause significant fluctuations in holders’ wealth. If that fluctuation is sizeable enough to affect spending decisions and economic activity, it could cause a recession.

FinTech’s riskiness should, nonetheless, be put into perspective. FinTech is not entirely new; its historical roots are exemplified by the advent of computers. Computers made it feasible to transmit and settle payment orders electronically, to facilitate cross-border payments, and to develop online banking. Advances in computing power enabled high-frequency trading by allowing parties to analyze market conditions and execute orders in fractions of a second. Increased computing power also enabled firms to model potential new securities markets and their risks, enabling innovative financing techniques such as securitization.

Although beneficial, these financial innovations brought significant risks. For example, computerized high-frequency trading became so fast, executing thousands of orders per second, that (somewhat like smart contracts) it operated unchecked in real time. As a result, erroneous trades disrupted finance by causing substantial losses before they could be discovered.

Similarly, computer-enabled innovations in securitization jeopardized financial stability by causing, or at least greatly contributing to, the 2008 global financial crisis (“global financial crisis”). In connection with that crisis, securities issued in standardized securitization transactions were pooled together and “re-securitized” in highly complex leveraged transactions. The complexity of these transactions reduced transparency and, coupled with high leverage, created a risk that relatively small errors in cash-flow projections could disproportionately impair repayment of the re-securitized securities. The unanticipated 2007 decline in housing prices produced those errors, reducing cash flow on the mortgage loans underlying many of those leveraged transactions and significantly impairing repayment. That caused defaults on many re-securitized securities that were rated at the low end of investment grade and also prompted credit-rating agencies to downgrade the more highly rated re-securitized securities. These defaults and downgrades panicked investors, reducing confidence in all credit ratings—even the ratings on basic corporate bonds and commercial paper. That destabilized the market for debt securities, severely reducing business credit and exacerbating the crisis.

These tensions between benefits and costs raise a fundamental but not fully answered question: How should the law regulate financial innovation? Although scholars have attempted to answer that question, their approaches have been ad hoc. Furthermore, there is fundamental disagreement over whether FinTech-driven innovations are radically changing the financial system, necessitating completely new forms of regulation, or whether they merely present the same types of risks already associated with electronic banking. This article strives to build a more systematic framework for analyzing how FinTech-driven innovations in particular, and financial innovation in general, should be regulated.

This article proceeds as follows. Part I explains certain relevant FinTech-related terminology, including crypto-assets and blockchain, smart contracts, and DeFi. Part II examines and synthesizes actual precedents for regulating financial innovations. Part III then analyzes and synthesizes normative regulatory models. Based on that foundation, Part IV of the article builds an integrated regulatory framework to address financial innovation. Finally, Part V applies that framework to FinTech-driven innovation and to financial innovation more generally. Part V also applies that framework to cross-border innovations.

I. Terminology

Understanding FinTech terminology is essential for this article’s analysis. This Part I introduces the basic terms. Those familiar with FinTech terminology may wish to skip directly to Part II.

A. Crypto-assets and Blockchain

FinTech significantly (though not exclusively) relies on blockchain cryptography. A blockchain is simply a computerized database that is used to record information—the electronic equivalent of a paper ledger. The term “cryptography” means that the database is encrypted for security.

By creating a secure yet traceable record of transfer, blockchain is also used to record—thereby helping to facilitate markets for—the sales of electronically transferred property, including “cryptocurrencies” such as bitcoin and stablecoins; “tokenized” assets such as non-fungible tokens, or “NFTs”; and fractionalized securities such as undivided interests in shares of stock and bonds. Any item of property whose ownership or transfer is electronically recorded by blockchain cryptography can be referred to as a crypto-asset.

The blockchain database typically is stored in different computers, known as nodes. This provides cross-checking redundancy, which is believed to reduce the need for a trusted central intermediary. The descriptor “block” of the term “blockchain” refers to the fact that once the recorded data reach a certain storage capacity, they are fixed as a permanent record, known as a “block.” Thus, the data associated with the transfer of particular items of electronically transferred property are recorded through sequences, or “chains,” of blocks.

Normally, each block is timestamped by “validators” when added to the chain. Validators are persons that use their computing power to confirm—that is, to validate—transactions on the blockchain and receive rewards for doing so. Because a blockchain’s data are (equally) available from any of the different node computers, blockchains are sometimes referred to as distributed ledger technology (“DLT”).

B. Smart Contracts

FinTech firms sometimes use “smart contracts” to trade crypto-assets and other electronically transferable property. A smart contract is simply an algorithm—a precise list of pre-programmed steps, expressed in computer code, to conduct specified actions depending on the initial input. These pre-programmed steps are often called DeFi protocols or rules. The DeFi protocols of a smart contract might provide, for example, that by paying $100 an investor receives a 1 percent fractionalized interest in a specified security of a particular issuer.

A collection of DeFi protocols is sometimes called a DeFi “platform.” Depending on the programming, these protocols could allow an investor or other party to access the types of financial services typically offered through banks and other traditional financial intermediaries, including borrowing and securities trading.

Because they usually execute their steps automatically based on the applicable DeFi protocols, smart contracts do not (after they are created) utilize financial intermediaries, such as banks. For example, DeFi crypto-lending platforms using smart contracts allow borrowers to access lender-deposited money by providing pre-specified forms of collateral. Loans can be disbursed nearly instantaneously, cutting lending costs. Some believe that smart contracts can “eliminate the need for intermediaries in [other] financial transactions—replacing exchanges, market-makers, asset managers, banks, and other lenders with software protocols.” That view, however, ignores the business reality that prudent lending should require at least “two ways out,” not only through collateral or asset-liquidation value but also through borrower cash flow. The failure to recognize this is precisely what led, for example, to the global financial crisis as well as the Great Depression.

C. Decentralized Finance (DeFi)

Smart contracts epitomize how DeFi enables “disintermediation”—removing the need for a financial intermediary and thereby reducing costs. Although banks and other financial intermediaries traditionally “have been the key nodes in the financial system that control the accuracy of customer accounts, perform bookkeeping functions and ensure that unauthorized persons do not have access to an account,” smart contracts arguably could perform those functions. Smart contracts also could increase financial inclusion by allowing anyone globally with an internet connection to access funding. By utilizing multiple nodes, blockchain’s recordkeeping may also be safer than traditional bookkeeping, which has a single point of failure—the failure of the financial intermediary’s bookkeeper.

DeFi’s proponents argue that by replacing human-managed intermediaries, algorithmic smart contracts and blockchain reduce the chance of human error. One industry leader explains that DeFi “operates through immutable code [in this case, smart contracts], and as such, represents ‘an economy of laws and not of men.’ It is this neutral, objective foundation for economic arrangements which future generations will look back upon and thank us for.”

DeFi cannot, however, completely eliminate the chance of human error. Because people write the smart contracts and program the blockchain, the risk of human error remains. Furthermore, most DeFi services rely on human governance structures for “management functions, fixing problems with the code, or altering the functionality of the smart contracts to some degree.” For example, DeFi services require so-called oracles—which are purportedly trustworthy third parties, managed by humans—to provide reliable real-world information. Moreover, the consequences of non-human error can be hard to fix because “smart contract[] . . . computer code . . . cannot be modified once executed.”

DeFi’s proponents also assert that smart contracts are designed to avoid recourse to the legal system. “[C]ontracting parties,” they argue, are required to “complete contracts as much as possible ex ante.” It is nearly impossible, though, to craft a contract that covers all possible scenarios. In practice, therefore, smart contracts must have some form of legal backing. Without that backing, “up-front costs will become especially high when there is large uncertainty about the future states of the world or if these states are hard to imagine and to define ex ante.”

D. Artificial Intelligence (AI)

Although its uses go far beyond finance, the technology of artificial intelligence (“AI”) is increasingly prevalent in the financial sector—especially for algorithmic and high-frequency trading. This article therefore introduces the concept of AI. The regulation of AI, however, goes beyond this article’s scope.

AI refers to the “capacity of computers or other machines to exhibit or simulate intelligent behavior.” In what later became known as the Turing test, Alan M. Turing posited that a computer’s ability to exhibit such intelligent behavior could be evidenced if an interrogator simultaneously communicating through a text-only channel with a human and a machine would be unable to distinguish the machine from the human. Later definitions of AI became more exacting by attributing the term “intelligence” to a computer system only when the computer takes such action that “is most likely to achieve the goal, or . . . maximizes expected utility.” These definitions correspond to the expanded tasks that AI could perform, including “learning, reasoning, planning, perception, language understanding, and robotics.”

AI’s development depends not only on powerful computers but also on so-called “Big Data,” which refers to extremely large data sets that computers can analyze to reveal patterns, trends, and associations. AI has developed to the point that machines appear to think and act rationally, such as by perceiving patterns to infer actions and optimize outcomes. Machines can now also process human language and learn. In the financial sector, these capabilities are being used to design more reliable risk assessments, to strengthen fraud protection, and to enhance investment strategies.

AI’s algorithms remain imperfect, however, sometimes containing biases that can result in discrimination, dehumanization, oppression, or violence. Machines still cannot duplicate the human sense of fairness. Furthermore, AI’s complexity, coupled with automated decision-making and the use of Big Data, can make it difficult to explain a given outcome or result.

II. Regulatory Precedents

Next, consider the actual precedents for regulating financial innovations. These precedents show that there is still no consensus about how to design that regulation.

A. Computers and High-frequency Securities Trading

As discussed, computerized innovations in high-frequency securities trading have disrupted finance because of increased complexity and over-delegation of control. Critics also have accused Wall Street insiders of profiting from that trading at the public’s expense. In the United States, the regulatory response has been industry self-policing: imposing capital requirements on broker-dealers engaging in high-frequency trading orders, while allowing those same broker-dealers to use “their reasonable business judgment” in determining how much capital to require. The European Union response has also been relatively weak: merely requiring broker-dealers that engage in high-frequency securities trading to register with the government.

B. Securitization and Re-securitization

As observed, innovations in securitization—especially complex leveraged re-securitizations—greatly contributed to the global financial crisis. The U.S. regulatory responses are primarily embodied in the Dodd-Frank Act and partly embodied in the implementation of the Basel III capital requirements. These responses fall into four categories: increasing disclosure, requiring risk-retention, reforming rating agencies, and imposing capital requirements. The EU regulatory responses largely parallel these U.S. responses.

The overall effectiveness of these regulatory responses is unclear. Even though the Dodd-Frank Act requires the disclosure of information regarding the financial assets backing each class of securitized securities, parties always were required to, and did, disclose that information. To attempt to address potential moral hazard resulting from the originate-to-distribute model of loan origination (under which lenders sell off their loans as they are made), the Dodd-Frank Act also requires originators and sponsors of securitizations and re-securitizations to retain at least 5 percent of the credit risk (so-called “skin in the game”) for most of those financial assets. In reality, however, it was always “common practice for the bank sponsoring a securitization to retain a substantial amount of the” risk on those financial assets.

The Dodd-Frank Act’s purported reform of rating agencies also might be questioned. That Act required the SEC to prescribe regulations requiring each rating agency to include “in any report accompanying a credit rating . . . [a description of the] representations, warranties and enforcement mechanisms available to investors . . . and how the[se] differ from the representations, warranties and enforcement mechanisms in issuances of similar securities.” The Act also significantly reduced reliance on rating agencies by banks and federal agencies. Although these reforms may have independent merit, they are not necessarily responsive to the failures of securitization and re-securitization that contributed to the global financial crisis: rating agency abuses have been alleged, but not clearly shown, to be responsible for such failures.

Finally, the imposition of capital requirements is problematic. These requirements certainly prejudice investors in securitized securities by forcing them to hold much more capital than they would be required to hold for investments in other types of securities. These requirements also have been subject to widespread industry criticism, being derided as punitive and illogical because their “very conservative tightening of capital standards” requires investors in securitized and re-securitized securities to hold more regulatory capital than if they invested directly in the financial assets backing those securities.

In short, the regulatory responses to securitization and re-securitization have largely missed the mark. Professor Turk provides an insightful explanation of that failure, summing it up as “regulating in the dark”:

A central aim of the Dodd-Frank Act was to rein in the perceived excesses in securitization markets with a comprehensive new regulatory framework. Yet the outcome was a set of regulatory rules that more or less affirmed the industry status quo. A high-level explanation for this surprising outcome lies in the political and legislative process. The passage of Dodd-Frank has rightly been labelled an exercise in “regulating in the dark,” meaning that the statute was rushed through Congress at a time when the underlying policy problems unmasked by the financial crisis were still poorly understood. The more specific misfire that followed was that Dodd-Frank’s securitization reforms embodied a relatively sensationalist view of the [global] financial crisis, which saw its root cause as being what more or less amounted to a criminal conspiracy on the part of financiers at Wall Street banks. Because the statutory structure that this misdiagnosis inspired was designed to prevent a caricature of the conduct that took place, the new regulations have been unable to materially influence the operation of actual securitization markets.

C. Shadow Banking

Shadow banking loosely refers to the provision of financing outside of traditional banking channels. A form of financial innovation, shadow banking “rivals the traditional banking system in the intermediation of credit to households and businesses.”

Shadow banking is much less regulated than traditional banking. As a result, regulatory arbitrage drives the demand for shadow banking services. To that extent, shadow banking does not necessarily represent a public good. Furthermore, if left unregulated, shadow banking can pose systemic risks to the financial system. For example, “[m]aturity and credit transformation in the shadow banking system [arguably] contributed significantly to asset bubbles in residential and commercial real estate markets prior to the [global] financial crisis.”

Regulatory reforms to shadow banking address two specifically identified problems. They reduce interrelationships between shadow banks and traditional banks, thereby making it less likely that the failure of a shadow bank could impact traditional banks. For example, accounting rules have been changed to make it more difficult for banks to operate off-balance-sheet (that is, unconsolidated) shadow-banking entities, and banks have been required to maintain higher capital on consolidated shadow-banking risk exposures.

They also reduce the risk of maturity transformation—the risk that an investment vehicle’s collections on invested assets do not match, and therefore are insufficient to pay investors the maturing principal and interest due on the vehicle’s securities. To this end, both the United States and the EU have introduced mandatory liquidity requirements for money-market funds (MMFs), a type of investment vehicle that investors often view as substitutes for traditional bank deposits.

These regulatory responses to shadow banking are thoughtful and prudent. As later discussed, however, their broader application to financial innovation is limited.

D. Cryptocurrencies

Although the rise of cryptocurrencies, such as bitcoin, has not yet been widely regulated, governments are beginning to examine possible regulatory approaches. Multinational governmental organizations, such as the G20-sponsored Financial Stability Board (or “FSB”), have suggested using a functional “same-business, same-risks, same-rules” approach. Under this approach, regulation of the innovation should follow existing regulation to the extent the innovation follows existing business risks. At least to the extent issued by central banks, cryptocurrencies are likely to follow existing currency risks:

Currencies have changed their forms over the centuries, with regulation evolving to adapt to the changes. In the United States, for example, early currencies were in the form of gold and silver coins, so the currency itself had inherent value as a commodity. That changed to “silver certificates,” where the paper currency was theoretically exchangeable for silver. That, in turn, changed to fiat currency in the form of Federal Reserve notes, where the currency is simply promissory notes made by the U.S. Treasury. Under the . . . “same business, same risks, same rules’ principle,” the evolution of regulation to adapt to [central bank digital currencies] should roughly parallel the evolution of regulation to adapt to these other changes—the tangible or intangible nature of a currency being mostly (though not entirely) irrelevant to the business or risks of payments.

Privately issued cryptocurrencies such as stablecoins, however, are raising additional risks that regulators are just beginning to address. In the United States, for example, the Office of the Comptroller of the Currency (“OCC”) has begun issuing interpretive letters to banks on their authority to engage in cryptocurrency activities. These letters do not purport to impose substantive regulation; rather, they provide the OCC’s opinions on how to engage in those activities consistent with safe and sound banking practices.

The European Union recently promulgated regulation that begins to address stablecoins, among other crypto-assets. Its Markets in Crypto-Assets (MiCA) regulation distinguishes between stablecoins that purport to maintain a stable value by referencing the value of a single official currency (such as euros or U.S. dollars) and those that purport to maintain a stable value by referencing another value or right or a combination thereof, including a basket of official currencies. MiCA seeks to protect the holders of these categories of stablecoins, for example, by requiring the stablecoins to be issued by an authorized legal person or a credit institution and to be backed at all times by a reserve of assets that are legally segregated from the issuer’s estate. MiCA also contemplates licensing and supervising the parties that provide these stablecoin (and certain other digital-currency) services, like brokerage, transfer, and custody. Furthermore, it imposes fiduciary duties on these parties and subjects them to governance, asset segregation, and operational risk requirements.

MiCA has notable gaps, however. For example, it does not purport to regulate fully decentralized cryptocurrencies, such as bitcoin. Nor does it cover such important cryptocurrency services as crypto-lending and crypto-staking—although these services might be covered by other provisions of EU financial regulation.

It remains to be seen how MiCA will work in practice. It combines goals from other types of financial regulation, a combination that is untested. Furthermore, given the speed of digital-currency innovation, some believe that it faces the risk of soon becoming outdated.

E. Synthesis of Regulatory Precedents

These regulatory precedents represent individualized, case-by-case, responses to attempt to identify and limit potential harm caused by the financial innovations. To identify the harm, the precedents require self-policing and disclosure of perceived risks. To limit the harm, the precedents take a range of steps. For example, to align incentives to attempt to mitigate risk-taking, the precedents require risk retention. To reduce contagion, the precedents impose capital requirements on systemically important firms and also limit potentially systemically risky interrelationships. To reduce the risk of maturity transformation, the precedents impose certain liquidity requirements. And to try to ensure that critical intermediaries act properly, the precedents sometimes license those intermediaries and impose on them fiduciary duties. In almost no case did regulators ban the innovations.

For example, in response to computerized innovations in high-frequency securities trading, the regulation focused on making traders more self-aware of the problem by requiring them to self-police or to register with the government. In response to innovations in securitization, the regulation focused on reducing externalities by correcting what regulators perceived (rightly or wrongly) as institutional failures to limit risk. To that end, presumably, increasing disclosure would make securitization risk more transparent to investors, requiring risk retention would better align issuer incentives with those of investors and society, reforming rating agencies would make their credit ratings more likely to accurately assess risk, and imposing capital requirements would require investors to account for securitization risk more directly. In response to shadow banking, the regulation focused on making it less likely that the failure of a shadow bank could impact traditional banks by reducing interrelationships between those entities and reducing shadow-bank liquidity risk. In response to the rise of cryptocurrencies, governments are considering a same-business, same-risks, same-rules approach for regulating central-bank-issued currencies. At the same time, they are examining other potential risks of stablecoins and other privately issued cryptocurrencies. To that end, for example, the MiCA regulation contemplates licensing and supervising the parties that provide stablecoin services such as brokerage, transfer, and custody, as well as imposing fiduciary duties on these parties.

III. Normative Models

As Part II shows, the actual regulatory responses to financial innovations have been somewhat individualized to the particular innovation. Although individualized responses can be valuable, they should complement a more systematic normative framework. The absence of such a framework may well reflect a presumption that financial innovation is inherently good, and thus not seriously needing regulation.

The global financial crisis, however, has shifted that presumption to a more cautious view. This Part III responds to that caution, analyzing why and how financial innovation should be regulated. Subpart A starts by examining the smart-regulation model recently proposed to regulate FinTech. Thereafter, subparts B, C, D, and E examine, respectively, the same-business, same-risks, same-rules model, the freedom-of-contract model, the market-failure model, and the consequentialist model.

A. Smart-Regulation Model

Several scholars have proposed the “smart regulation” of FinTech-driven innovation. Described as “regulating just enough and in the right ways,” this model begs the fundamental normative questions of what regulation should be “just enough” and what should be the “right ways” to regulate. The smart-regulation model thus gives the appearance of rigor that it might not fulfill.

Scholars argue, for example, that smart regulation should focus on controlling risk fundamentals, facilitating access to financial markets, and regulating competition. These types of regulatory goals, however, are well-recognized and extremely broad.

The smart-regulation model becomes more meaningful insofar as it contemplates allowing firms to experiment with FinTech subject to several stages of regulation, each with increasing complexity, costs, and operational scope. The early stages of that regulation would be conducted within a “regulatory sandbox,” a concept originated by the UK’s Financial Conduct Authority (“FCA”) as “a ‘safe space’ in which businesses can test innovative products, services, business models, and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question.” A regulatory sandbox would enable a FinTech firm to test its financial innovations on a limited number of customers in restricted markets. In principle, that sounds reasonable.

Some express caution, though, about regulatory sandboxes. Whereas a small-scale trial of innovations in a controlled environment may be useful to generate preliminary data about the innovation’s risks and market implications, that data will not necessarily inform the risks and implications of implementing the innovation (e.g., marketing an innovative product) on a large scale. This concern is especially important for complex innovations that might generate systemic risk. A prominent SEC commissioner also worries that the use of regulatory sandboxes could slow down or halt innovation if regulators become too close to the innovative process, potentially controlling its development. Moreover, anecdotal evidence indicates that officials have underestimated the high cost of creating and operating a regulatory sandbox.

Using regulatory sandboxes therefore may be appropriate to allow FinTech firms to engage in limited experimentation with new products. But regulatory sandboxes cannot, by themselves, test whether those firms could safely and cost-effectively introduce those products more widely.

Some scholars of smart regulation also focus on managing specific risks, such as the excessive amounts of financial data generated by FinTech. Fearing this excess could overwhelm the ability of the Financial Action Task Force (“FATF,” an intergovernmental body established by the G7 nations) to enforce governmental policies against money laundering and terrorist financing, those scholars propose that regulators introduce a “Know Your Data” (KYD) approach to supplement the traditional “Know Your Customer” (KYC) approach. Like the KYC standards—which are designed to protect against money laundering and terrorist financing by requiring financial institutions to establish customer identity, understand the nature of customer activities, and ascertain that the source of funds is legitimate—KYD standards would require financial institutions to monitor and internationally harmonize data sharing.

This article similarly advocates identifying and managing specific risks. That goal is not, however, a systematic regulatory model; it simply reiterates the individualized responses, and it begs the question of whether all such risks can be identified.

B. Same-Business, Same-Risks, Same-Rules Model

Under this model, regulation should remain largely the same unless the nature of the regulated business or the risks associated therewith fundamentally change. That invites an inquiry into whether financial innovation causes any such fundamental changes.

In the context of FinTech-driven innovation, that inquiry splits legal scholars into two camps. Some believe that innovation is radically changing the financial system, necessitating completely new forms of regulation. Others argue that innovation presents the same types of risks already associated with electronic banking (“e-banking”), merely incrementally changing those risks:

“The effort and resources regulators are putting into understanding the FinTech sector is perhaps surprising, particularly as they are, to some extent, revisiting the same questions and risks identified over fifteen years ago with e-banking. Furthermore, apart from specific products (e.g., robo-advisory), the business models of FinTech companies are not radically different from their traditional counterparts. . . . To some extent, FinTech is going full circle and providing only incremental changes, both from industry and regulatory perspectives.”

The majority of scholars, even those observing only incremental changes, nonetheless support the view that FinTech-driven innovation necessitates some new forms of regulation. For example, due to the nature of smart contracts as compared to plain-language contracts that control traditional finance, DeFi poses certain new transaction-level risks. The anonymity of DeFi can cause instability because parties cannot be consulted to try to resolve unforeseen disagreements, jeopardizing the ability to effectuate transactions. Such disagreements are inevitable because smart contracts, like all contracts, cannot anticipate all possible scenarios and thus are inherently incomplete. The automatic execution of smart contracts can also spread panic. Additionally, the complexity of blockchains may lead to programming errors, forcing liquidation and other undesirable effects. Ironically, any attempt to make smart contracts more comprehensive, to try to minimize potential contractual gaps, would increase the complexity of their programming, making them more prone to coding errors. DeFi’s new risks also might include the diminished transparency and governability of firms and boundary blurring due to the “inherently borderless and functionally fluid nature of digital assets . . . and monetizable data.”

Superficially paralleling the same-business, same-risks, same-rules approach, staff members of the Bank for International Settlements (“BIS”) have asked whether regulation of “the risks posed by [crypto-assets] should have the same objectives that have underpinned the approach to” regulating traditional finance. They conclude such regulation should have the same objectives: protecting consumers and investors; preserving market integrity (including the integrity of the monetary system) against fraud, manipulation, money laundering, and the financing of terrorism; and safeguarding financial stability. At least as articulated by the BIS staff members, however, that parallel approach relies on objectives that appear too broad to inform specific regulation. Based on those broad objectives, the BIS staff members have proposed, at a “high level,” “three potential lines of action” to “mitigate the risks emanating from” financial innovation (again, in their case, crypto-assets): (i) a complete ban, (ii) containment by isolating the innovation from traditional finance, and (iii) regulation. These lines of action are not helpful, though. They do not explain how to design the regulation, and they are duplicative because regulation can include a ban and also can impose firewalls (that is, isolation) between financial activities.

C. Freedom-of-Contract Model

This model grapples with the fundamental question of why freedom of contract, and thus freedom to contract for financial innovation, should be regulated. Freedom of contract typically has been believed to produce beneficial societal outcomes. To that extent, it should not be regulated. Nonetheless, freedom of contract should not be absolute. It generally should be subject to constraints based on public policy, paternalism, and externalities. These limitations arose, in part, because absolute contractual freedom “began to offend the sense of justice.” Freedom to contract for financial innovation should be subject to these same constraints, of which externalities and paternalism are particularly relevant.

Financial innovation sometimes can be harmful, creating externalities. To that extent, regulators should consider whether to constrain those externalities. It might appear, though, that financial innovation should be constrained by paternalism only in a consumer context. To that extent, the U.S. Consumer Financial Protection Bureau (“CFPB”) is already “dedicated to making sure [that consumers] are treated fairly by banks, lenders and other financial institutions.” This article does not purport to duplicate the CFPB’s paternalistic consumer-protection agenda, except to observe that the CFPB should continue to monitor and regulate to protect consumers from illegitimate providers of FinTech services.

Nonetheless, even sophisticated market participants sometimes might need paternalistic protection from financial innovation. Tech firms, for example, increasingly have been offering financial products that use big data and algorithmic decisionmaking, resulting in highly customized products. These products are not fully transparent to, and thus not always fully understood by, sophisticated market participants, including customers and investors.

D. Market-Failure Model

Under this model, the goal of regulation—and thus of financial regulation—should be to correct market failures that could be harmful. Designing financial regulation thus should turn on understanding how financial innovation could create those failures. That, in turn, requires an understanding of what market failures are.

Market failures are said to occur when free markets do not operate efficiently. Although economists recognize a range of market failures, the three most generally referenced in the context of financial markets are information failure, agency failure, and externalities.

Information failure means that market participants are not fully informed. This can result from information asymmetry (one participant having less information than another, such as a buyer of a used car having less information than the seller), lack of transparency (such as the buyer of a security not fully understanding the risks, absent full disclosure), lack of complete information, or “bounded rationality” (market participants “misinterpreting, over-relying, or under-relying on information,” or simply panicking). Agency failure refers to “problems in a principal-agent relationship,” such as agents failing to act in the best interests of their principals.

Economists view externalities as another category of market failure. From that perspective, the market-failure model and the freedom-of-contract model overlap: both address externalities. Technically, though, externalities are neither market failures nor the causes of market failures; rather, they are results of market failures. Nonetheless, consistent with economic practice, this article will discuss externalities as market failures.

To assess whether a financial innovation could create harmful market failures, one must examine how such an innovation could cause market failures that create harm. The most fundamental harm of a financial innovation would be impairing the ability of the financial system to perform the socially beneficial functions for which it is intended. That primary socially beneficial function is “funding”: the provision, allocation, and deployment of capital. The financial system performs this function by aggregating funds from multiple investors and then transferring the funds to firms that can productively use them. For example, banks engage in funding by borrowing money from depositors and (other) investors and then lending the money to firms. Firms also can obtain funding by issuing their own securities (e.g., commercial paper or bonds) to investors.

The financial system also has functions that advance funding. Certain of these functions, such as risk management, behavior monitoring, and information processing, help to make funding more efficient. Additionally, the financial system functions as a network within which its funding-related functions can be conducted. Regulation thus should operate to correct market failures caused by financial innovation that could impair the ability of the financial system to provide any of these functions.

E. Consequentialist Model

Another possible regulatory model would be consequentialist: “Consequentialism . . . is simply the view that normative properties depend only on consequences.” The goal of consequentialist regulation is utilitarian: to maximize net good for society. Under this model, financial regulation should attempt to maximize net good for society. In the context of financial innovation, this should boil down to reducing social harm without unduly impeding that innovation. Intuitively, this is a sensible approach.

F. Synthesis of Normative Models

Although the foregoing normative models are articulated differently, their fundamental principles are similar, and also similar to actual regulatory precedents. Each of these models focuses on identifying and cost-effectively controlling new risks arising from innovation—that is, externalities—that might harm parties, including investors, customers, or the public.

Thus, the smart-regulation model contemplates designing cost-effective regulation to manage new risks of financial innovation. It also contemplates using regulatory sandboxes to allow firms to (relatively) safely experiment with those innovations. The same-business, same-risks, same-rules model would rely on existing regulation, which presumably cost-effectively controls risk, to the extent an innovation is sufficiently similar to traditional forms of innovation. Regulation under the freedom-of-contract model would limit harmful externalities. It also would protect market participants who do not fully understand the risks of their innovations. Regulation under the market-failure model would correct harmful market failures—such as failures that could impair the ability of the financial system to productively fund businesses. The consequentialist model contemplates regulation to reduce the social harm of financial innovation without unduly impeding that innovation.

IV. Building a Regulatory Framework

This Part IV next builds a framework for regulating financial innovation based on the foundation provided by the foregoing regulatory precedents and normative models. Subpart A identifies the relevant regulatory precedents and normative models. Thereafter, subpart B integrates those precedents and models to build the framework.

A. Identifying the Relevant Regulatory Precedents and Normative Models

Part II’s regulatory precedents were enacted to attempt to address the circumstances that caused certain financial innovations to be harmful. Not all of those precedents are applicable to FinTech-driven innovations or even to financial innovation more generally.

The most relevant precedents would include identification of risks by requiring FinTech firms to self-police and to disclose an innovation’s risk. Self-policing and disclosure may be insufficient, though; because the interests of private FinTech firms are distinct from those of society, some firms might overlook risk that only affects the public.

Better aligning incentives by requiring FinTech firms to retain some portion of an innovation’s risk would not work absent a practical way to accomplish that risk-retention. Imposing capital requirements on the firms’ investors could discourage innovation by discouraging investment. Moreover, deciding on an appropriate level of capital would be pure guesswork.

Further reforming rating agencies would be irrelevant if, as some believe, the reforms already implemented ensure credit-rating accuracy. Reducing interrelationships between FinTech firms and SIFIs also would be irrelevant because, at least currently, FinTech firms tend to be relatively small; their failure, therefore, would be unlikely to trigger a SIFI’s failure. Furthermore, because they are not structured as investment vehicles, FinTech firms are unlikely to engage in maturity transformation. Regulating their liquidity risk therefore should be irrelevant.

Trying to ensure that critical intermediaries act properly by licensing and imposing on them fiduciary duties contemplates that such intermediaries exist and can be identified. Although that may well be the case for most stablecoins and other cryptocurrencies, DeFi can make it difficult to identify intermediaries which, when they do exist, may be individuals rather than institutions.

Part III’s normative models are more broadly applicable to FinTech-driven innovation and to financial innovation more generally. The smart-regulation model applies directly to FinTech-driven innovation. That model contemplates using regulatory sandboxes to cost-effectively allow FinTech firms to experiment with new products. By themselves, however, regulatory sandboxes are an insufficient response; they cannot test whether firms could safely and cost-effectively introduce those products more widely.

The remaining normative models all boil down to cost-effectively controlling new risks that might harm parties, including customers, investors, or the public. The same-business, same-risks, same-rules model would require regulators to assess whether the new risks are sufficiently similar to existing risks. If sufficiently similar, existing regulation should cost-effectively control those risks. This model, however, requires identifying those risks.

The freedom-of-contract model would limit financial innovation that harms third parties or (otherwise) impairs public policy. That invites an inquiry into whether FinTech-driven or other financial innovation could harm third parties—again, requiring one to identify the risks. The freedom-of-contract model also would protect market participants against innovative financial products that are insufficiently transparent to be fully understood. Consistent with the regulatory precedents, that would require firms to disclose an innovation’s risk. The market-failure model would correct failures that impair the ability of the financial system to provide funding to firms that can productively use it. It appears unlikely, however, that FinTech-driven or other financial innovations could, by themselves, have such a dramatic systemic impact. And the consequentialist model, most directly, contemplates regulation to reduce social harm without unduly impeding innovation.

B. Building an Integrated Regulatory Framework

This subpart integrates the relevant precedents and models to build a framework for regulating FinTech-driven innovation. The first logical stage of this framework should be to create an open but controlled environment for innovation, using regulatory sandboxes to provide FinTech firms with flexibility to test innovative products and services on a limited number of customers in restricted markets. Regulators should be cautious, though; this limited testing cannot fully account for the costs and the risks of widely introducing those products and services.

At all stages of the framework, regulators should require FinTech firms to self-monitor for any risks of their innovative products and services. Those firms should be required to report any such risks to regulators and to disclose those risks to customers. Because self-monitoring is likely to be insufficient, regulators also should implement a system of third-party expert monitoring.

The success of that monitoring will depend on the monitors’ ability to identify risks. Given the complexities of FinTech-driven innovation, regulators should work with the monitors—whether the FinTech firms themselves or third parties—to help them identify potential risks. These should include not only risks to the firms and their customers but also risks to other market participants and to the public. To these ends, regulators might wish to coordinate and work jointly with expert agencies such as the Office of Technology Assessment (OTA), which has expertise in technological innovation, and the Financial Stability Oversight Council (FSOC), which has expertise in monitoring systemic risk and financial stability.

Once a risk of FinTech-driven innovation is identified, regulators should consider how, if at all, to regulate it. To that end, they first should examine whether it is sufficiently similar to existing risks to be controlled, in principle, by existing regulation. To the extent that risk is sufficiently similar, they should examine whether the scope and application of the existing regulation technically covers the risk. If not, they should extend that scope and application as needed.

If a new risk cannot be controlled by existing regulation, regulators should examine how to cost-effectively control it. Under existing norms, regulators use cost-benefit analysis (“CBA”) to assess the cost effectiveness of any proposed new regulation. The theoretical basis of CBA is Kaldor-Hicks efficiency analysis, which holds that an outcome is socially desirable if its overall benefits exceed its overall costs, regardless of which parties benefit and which lose.

V. Applying the Regulatory Framework

This Part next applies the regulatory framework to financial innovation, with subpart A applying it to FinTech-driven innovations and subpart B applying it to other financial innovations. Because financial innovations are not bound by national borders, subpart C thereafter applies the regulatory framework in a cross-border context.

A. Applying the Framework to FinTech-Driven Innovations

Subparts A.1, A.2, and A.3 focus, respectively, on the three fundamental FinTech-driven innovations herein discussed: smart contracts, DeFi, and other crypto-based products and services. Thereafter, subpart A.4 focuses on a more incidental FinTech-driven innovation: technically motivated vertical integration.

1. Smart Contracts. Recall that a smart contract is a precise list of pre-programmed steps, expressed in computer code, to conduct specified actions depending on the initial input. Like all contracts, smart contracts are inherently incomplete because they cannot be written to anticipate all possible scenarios. To that extent, their regulation should follow the same-business, same-risks, same-rules approach—those rules being the rules of contract law that govern incomplete contracting.

Smart contracts can raise new risks, however, due to their automatic, and thus unchecked, execution. Additional risks can arise when smart contracts are used in DeFi scenarios because the anonymity of DeFi protocols can prevent contracting parties from knowing the identity of their counterparties. This subpart A.1 focuses on risks arising from automatic execution; subpart A.2 addresses risks arising from DeFi anonymity.

The automatic execution of smart contracts creates the risk that a smart contract could lead to an unanticipated or even random outcome due to poor programming, unpredictable inputs, or other errors. Such automatic execution might also increase systemic risk by spreading contagion. This could occur, for example, if similar collateral is liquidated in a correlated manner across numerous loans, causing the value of the foreclosed collateral to plummet, thereby triggering further collateral liquidations and devaluations in the equivalent of a fire sale. How could regulation constrain those risks?

The regulatory response to control the automatic execution of high-frequency trading—temporarily suspending trading in problematic markets—would not apply to smart contracts. Because any parties can use smart contracts (in contrast to limitations on market traders of securities), their diversification makes centralized control difficult. At the very least, though, regulators should consider requiring business users of smart contracts to self-monitor and ascertain the identity of their counterparties, as well as to report any risks and disclose those risks to their counterparties and customers. Regulators also should consider establishing third-party expert monitoring to supplement that self-monitoring. Regulators should have the power to suspend a business’s right to enter into new smart contracts if the monitoring reveals that its current use of smart contracts is creating significant risk.

From a cost-benefit standpoint, these remedies are limited and should not impose significant costs. The benefits of these remedies, although relatively modest, may well exceed their costs. To that extent, these remedies would be socially desirable.

2. DeFi. Many believe that DeFi’s decentralization of finance poses a unique anonymity risk: potentially depriving regulators of specific parties on whom to impose and enforce regulation. From the standpoint of this article’s regulatory framework, anonymity could also make monitoring impractical.

The complete anonymity of those parties would have serious consequences. For example, many fear that the inability to identify and regulate DeFi participants could jeopardize enforcement of the laws against money laundering and terrorist financing. That, in turn, could threaten monetary integrity and even national security. The FATF recommends these types of laws to protect the global banking and financial system. In enacting these types of laws, nations generally follow the FATF’s recommendations. Anonymity would make it uncertain on whom governments could enforce those laws. Some also fear that the inability to identify and regulate DeFi participants could leave banks subject to lawsuits if injured investors cannot identify DeFi arrangers. Others are concerned that the inability to regulate DeFi participants would arbitrage financing away from regulated banks, causing a significant portion of the financial system to become unregulated. Anonymity also could prevent parties to smart contracts from easily identifying their counterparties, thereby making it difficult to resolve disagreements and potentially exacerbating counterparty risk.

The semantics surrounding DeFi, however, obscure the reality that, at a fundamental level, people control the operation of decentralized finance. Although they might not be readily identifiable, DeFi’s controllers are the parties who program, create, and arrange the environment in which DeFi operates. Accordingly, “DeFi services often have a controlling organization that provides a measure of centralized administration and governance.” Furthermore, DeFi platforms “typically have some form of centralized governance framework to fix errors and outline their operations.” Investors in and users of those platforms often receive “governance tokens” that enable them to vote about changes to the platform. Parties having such control or governance power should, in theory, be able to be identified. Regulators could also require their registration. Once identified, these parties could be monitored and regulated.

From a cost-benefit standpoint, identifying the parties controlling DeFi services or governing DeFi platforms could be expensive. Once identified, however, the benefits could be substantial, including enabling enforcement of the laws against money laundering and terrorist financing (thereby protecting monetary integrity), protecting national security, protecting global banking, and preventing the arbitrage of financing away from regulated banks to unregulated DeFi. Those benefits almost certainly should exceed the costs.

As an alternative to regulating decentralized DeFi parties, regulators might also consider requiring DeFi services and the operation of DeFi platforms to be provided by centrally registered and well-capitalized entities. For example, the FATF has recommended that “countries should ensure that virtual asset service providers [defined as “VASP”s] are regulated for [anti-money-laundering and countering-financing-of-terrorism] purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance” with FATF recommendations. A report of the International Monetary Fund (IMF) recommends that regulators “encourage DeFi platforms to be subject to robust governance schemes, including industry codes and self-regulatory organizations. These entities could provide an effective conduit for regulatory oversight.” However, because these limitations on DeFi parties might impair some of the benefits of decentralized finance, regulators should study them carefully, including consulting with representatives of the DeFi industry, before adopting them.

3. Other Crypto-based Products and Services. This article’s regulatory framework applies generally to crypto-based financial products and services. The FSB is particularly concerned about possible risks associated with crypto-assets. It cautions that “[a]lthough the extent and nature of use of crypto-assets varies somewhat across jurisdictions, financial stability risks could rapidly escalate, underscoring the need for timely and pre-emptive evaluation of possible policy responses.”

In the first stage of this article’s regulatory framework, regulatory sandboxes could provide FinTech firms with flexibility to test innovative crypto-based products and services on a limited number of customers in restricted markets. Regulators also should require FinTech firms to self-monitor for any risks of those products and services and to report and disclose such risks. Additionally (as for smart contracts), they should implement a system of third-party expert monitoring, coordinating their work with agencies such as the OTA and FSOC that have the relevant expertise.

If the risk of such a product or service is sufficiently similar to existing risks to be controlled by existing regulation, regulators should examine whether the scope and application of that regulation technically covers the risk; and then they should extend that scope and application as needed. Existing product-liability law, for example, might help to control the risk of some new financial products.

However, if a new risk cannot be controlled by existing regulation, regulators should examine how to cost-effectively control it. For example, in what might be viewed as a variant of the precautionary principle, Professors Posner and Weyl have proposed creating a regulatory agency, akin to the FDA, to approve new financial products. Firms would be required to seek approval from this agency before marketing new financial products. That approach reverses the presumption, at least in the context of new financial products, that private-sector freedom of contract produces beneficial societal outcomes. That reversal would seriously impede financial innovation if the agency requires proof of safety before approving a product, given the unavoidable ex ante uncertainty about a financial innovation’s welfare effects. From a cost-benefit standpoint, therefore, requiring firms to obtain government approval before marketing innovative crypto-based (or other new) financial products or services appears questionable.

A less intrusive and more concrete approach to control the risks of new financial products and services might focus on SIFIs. By definition, SIFIs are the entities whose failure—including failure due to overinvestment in new financial products and services—could trigger a systemic economic collapse, causing harmful consequences such as “widespread poverty and unemployment.” The overinvestment risk is growing because SIFIs “are increasingly willing to undertake activities in, and gain exposures to, cryptoassets.”

Regulation could help to control that risk. For example, regulators could restrict the amount of crypto-assets and other innovative financial products (as defined by law) that a SIFI is allowed to hold. This approach would parallel Federal Reserve regulations that protect banks engaged in margin lending. The Fed has restricted that lending to a level that should not cause a bank to become insolvent even if the value of the collateral falls by 50 percent. Regulators similarly might consider restricting the amount of crypto-assets and other innovative financial products (as defined by law) that a SIFI is allowed to hold to a level that would not cause the SIFI’s insolvency even if the market price of those products were to fall precipitously.

Whatever the approach, it should be supplemented by adequate disclosure. Innovative financial products and services can be highly complex and, without such disclosure, even sophisticated institutional users might not understand them. When derivatives first came into widespread use, for example, some of the most sophisticated institutions did not understand them.

In their form and use, some innovative financial products so closely resemble securities that they should be subject to securities law in order to impose disclosure requirements on their trading, to set suitability standards on parties eligible to acquire them, and to prevent fraud. This would be especially important to protect consumers.

There currently is controversy, for example, whether interests in certain cryptocurrencies are securities, and thus should be subject to securities law. Some argue that the sale of these interests, which generally are characterized as tokens or coins, should not represent the issuance of securities if the proceeds of their sale are used for ordinary purposes (such as purchasing goods, even if the purchase is made through a blockchain platform). In contrast, the SEC looks to the substance of the transaction, not the form, with emphasis on whether the financial product involves or is used in any profit-sharing arrangement. Thus, crypto-assets “that incorporate features and marketing efforts that emphasize the potential for profits based on the entrepreneurial or managerial efforts of others continue to contain the hallmarks of a security under U.S. law.”

A final question is whether crypto-based financial products and services should be specially regulated because they utilize cryptography. Cryptography risks, however, are at least currently similar to other cyber risks—namely, the cyber-security and privacy risks of utilizing computer-based electronically recorded or transmitted data. Those cybersecurity risks include hacking, malware, phishing, data breaches, and fraud (including identity fraud), and cyber-operation risks such as software programming errors. Those privacy risks include unauthorized access, misuse, or loss of personal data due to issues with custodians or the computers of individuals. Existing regulation already covers those risks. Therefore, under the same-business, same-risks, same-rules regulation approach, that regulation should adequately cover the cryptography risk.

4. Technically Motivated Vertical Integration. FinTech’s technical complexity is leading to an acute vertical integration of the FinTech industry. This contrasts with the typical incentive for vertical integration: to increase economic efficiency by combining different stages of production under common ownership.

For example, SoFi is an online financial services provider offering checking and savings accounts, credit cards, brokerage accounts, mortgage loans, and multiple forms of loan servicing. Similarly, companies like Plaid have emerged to offer services to other FinTech firms that provide an interface for various transactions including peer-to-peer payment processing, fraud compliance and identity verification, and the linking of various investment accounts to view in one account, among other things. Clients of Plaid include FinTech firms Venmo, Chime, SoFi, and Betterment. Ironically, vertical integration in the FinTech industry goes against the industry’s goal of achieving DeFi.

Vertical integration of the FinTech industry can have advantages and disadvantages. The advantages include possible informational and service efficiencies, including sharing of resources. But the disadvantages include the potential for FinTech firms to ignore conflicts in order to try to maximize overall corporate value, without regard for flaws that could jeopardize the public. The extensive vertical integration in the residential mortgage-backed securities (“RMBS”) industry illustrates this concern.

Prior to the global financial crisis, for example, Countrywide was a vertically integrated RMBS firm which, among other things, originated and serviced mortgage loans. Its servicing of mortgage loans was excellent and highly profitable. However, its need to continue originating enough mortgage loans to keep earning lucrative servicing fees is believed to have motivated a sharp decline in the quality of its mortgage-loan-origination standards. Ultimately, Countrywide’s inability to stand behind its representations and warranties regarding the purported quality of those loans caused its bankruptcy. Even worse, Countrywide’s origination of billions of dollars of poor quality mortgage loans, many of which later defaulted, is believed to have significantly contributed to the global financial crisis.

Vertical integration’s disadvantages also can arise from behavioral psychology. For example, a firm seeking profit (potential gain) in arm’s-length transactions will tend to be risk averse. Whereas for non-arm’s-length transactions, a firm trying to maximize the overall value of itself and its affiliates—as could occur with a vertically integrated firm—may well be willing to take risks at some affiliates to try to avoid overall consolidated losses. But that would expose the risk-taking affiliates to greater uncertainty and potential default, which could cross-default to other members of the affiliated group.

Requiring disclosure and greater transparency could help to reduce vertical integration risk. Among other things, disclosure should be directed at identifying and explaining possible internal conflicts that could drive risk-seeking behavior. It also should focus on the most critical functions—in the case of a stablecoin, for example, the stablecoin issuer’s ability to redeem the “coins” for the reference assets, on demand. Although the benefits of requiring that disclosure and transparency might be modest, the costs should be very low.

Another possible regulatory approach to reducing this type of risk would be to require ring-fencing of critical crypto firms and activities, as is often required by state public utility commissions for critical utilities. This approach would impose much higher costs, however, and its benefits would be uncertain. Any implementation of ring-fencing should therefore be studied in detail before actually tried.

B. Applying the Framework to Other Financial Innovations

Securitization and re-securitization are some of the most important examples of financial innovation of the past century. Given their blame for the global financial crisis, they may also be among the riskiest examples. This subpart B tests the article’s regulatory framework by applying it retroactively to securitization and re-securitization and then comparing that framework-derived regulation with the actual post-global-financial-crisis regulation.

1. Explaining Securitization and Re-securitization. A typical securitization is a financial transaction in which a sponsor purchases a pool of loans, accounts receivable, or other rights to payment (financial assets) from firms originating those assets, such as mortgage lenders, and then sells them to a special purpose vehicle (“SPV”). The SPV pays for those assets by issuing debt securities to investors; those securities are repayable from collections on the financial assets. Businesses have long used securitization to monetize, or transform into cash, financial assets. By 1992, the Securities and Exchange Commission (“SEC”) observed that securitization was “becoming one of the dominant means of capital formation in the United States.”

A problem arose, however, when securities issued in standardized securitization transactions were pooled together and “re-securitized” in highly complex leveraged transactions. Ironically, to signal the quality of the securities they were selling to investors, financial institutions that sponsored these re-securitization transactions—grossly misjudging their risk—often invested in the most subordinate, and thus risky, of the re-securitized securities. That not only exposed those financial institutions to significant investment risk but also misled investors generally about the safety of—thereby attracting massive investments in—the more senior re-securitized securities.

Many of those re-securitized securities were indirectly backed by home-mortgage loans. When housing prices declined in 2006–07, a significant portion of those securities defaulted, jeopardizing the solvency of investors therein and causing their counterparties to demand collateral. Investors that were unable to provide that collateral, including Lehman Brothers, filed for bankruptcy protection in response to the demands, leading to the “near collapse of the financial system.”

2. Applying the Regulatory Framework to Securitization and Re-securitization. The first stage of this article’s regulatory framework contemplates using regulatory sandboxes to create an open but controlled environment for innovation. That approach could have tested highly complex leveraged re-securitization deals before they became pervasive. Even those deals, however, performed well prior to the 2006–07 housing price declines. This reinforces the article’s caution that limited testing using regulatory sandboxes cannot fully account for the costs and the risks of widely introducing innovative financial products and services.

The framework requires FinTech firms to self-monitor for any risks of their innovative products and services. It also requires those firms to report those risks to regulators and to disclose them to customers. Although theoretically salutary, self-monitoring would have been insufficient because, as discussed, the financial institutions that sponsored re-securitization transactions often grossly misjudged their risk. This illustrates the importance of the framework’s recommendation that regulators also should implement a system of third-party expert monitoring. Although those monitors did not exist when re-securitization transactions were first implemented, the FSOC now exemplifies such a possible monitor.

Once they identify the risks of securitization and re-securitization, regulators should consider how, if at all, to regulate those risks. To that end, they first should examine whether those risks are sufficiently similar to existing risks to be controlled by existing regulation (and, if so, whether the scope and application of that regulation technically covers the risk). If those new risks cannot be controlled by existing regulation, regulators should examine how to cost-effectively control them.

The author has separately examined how to cost-effectively control the risks of securitization and re-securitization. In response to the global financial crisis, the European Union’s simple, transparent, and standardised (STS) regulation incentivizes straightforward securitizations, in contrast to the complex and leveraged re-securitizations, as an effective funding channel to the economy. It does this not by prohibiting re-securitization or other innovations on securitization; rather, it motivates parties to engage in straightforward securitizations by reducing regulatory capital requirements for investors therein. The STS proposal is reasonable because it motivates the beneficial transactions (straightforward securitizations) without prohibiting experimentation and financial innovation.

3. Comparing that Framework-derived Regulation with the Actual Regulation. The actual regulatory responses to securitization and re-securitization fall into four categories: increasing disclosure, requiring risk-retention, reforming rating agencies, and imposing capital requirements. As observed, however, the overall effectiveness of these regulatory responses is unclear. For example, the purported requirement to increase disclosure disregarded that parties always were required to (and did) disclose the relevant information. The risk-retention requirement simply reflected the existing common practice. The rating-agency reforms were valuable, but rating agency abuses may not have been responsible for the securitization and re-securitization failures that contributed to the global financial crisis. And the imposition of capital requirements has been characterized as punitive and illogical.

In contrast to those actual, albeit questionable, regulatory responses, this article’s regulatory framework suggests more targeted and cost-effective responses to securitization and re-securitization—focusing primarily on re-securitizations which created the critical risks. The first such response, using regulatory sandboxes, is admittedly insufficient because it would not have revealed re-securitization’s risks. Nonetheless, observing that insufficiency illustrates the limitations of using regulatory sandboxes as a tool. Requiring the sponsors of re-securitization transactions to self-monitor for risks would similarly have been insufficient because the sponsors misjudged the risks. Again, however, observing that insufficiency illustrates the importance of regulators implementing a system of third-party expert monitoring.

Because existing regulation cannot control re-securitization’s risks, this article’s framework calls for examining how to cost-effectively control those risks. That examination favors regulation along the lines of the EU’s STS approach, which incentivizes straightforward securitization transactions by reducing regulatory capital requirements for investors therein. Sponsors are more likely to understand risks associated with straightforward transactions, and investors are more likely to understand disclosures about those risks. The STS approach is flexible, however; it does not prohibit experimentation with re-securitization or other potential future innovation. The benefits of the STS approach are therefore likely to be significant, whereas the costs should be modest.

No single regulatory framework or approach is always perfect, however. Financial innovations can evolve incrementally, for example, without critical recognition of increasing risk. In examining the origin of the global financial crisis, Professor Judge thus argues that the narrow focus of market participants and regulators on the latest incremental developments prevented them from viewing the “big picture.” This suggests that any framework for regulating financial innovation should be supplemented by a framework for mitigating the potentially systemic consequences of failing to control an innovation’s risks. Designing that second framework involves a separate analysis.

C. Applying the Framework in a Cross-Border Context

Financial innovation creates risks that can cross national borders, especially for products and services that are widely used internationally. Controlling those risks requires cross-border regulation.

Coordinating that regulation can be difficult. Due to their decentralized nature, for example, DeFi activities cannot always be linked to specific jurisdictions. Coordinating multiple, and potentially conflicting, legal frameworks could generate high costs. Furthermore, the interaction of conflicting legal frameworks could create uncertainty about the enforceability of contracts governing those activities.

If all potentially relevant jurisdictions had uniform laws, the inability to link an activity to specific jurisdictions should be inconsequential. To achieve such uniformity, policymakers have devised two strategies.

The traditional strategy is to enact a multilateral convention or treaty (the terms being synonymous), which represents an agreement or compact among nations under which each such nation is bound to adhere to the convention’s requirements without requiring further action by its legislative body. A more recent, and arguably more innovative, strategy is to formulate a model law for governments to enact uniformly as domestic law in their jurisdictions. Model laws are thus sometimes called uniform laws.

Treaties are more formal than model laws. Treaties are binding upon contracting states and may only be modified or denounced by a treaty amendment. Although this binding feature provides greater certainty that treaty-bound nations will follow through on their commitments and not renege as political winds shift, some nations may see that as a disadvantage, especially if they are experimenting with the regulation. Moreover, the expectation that a treaty needs widespread consensus can significantly delay, if not also discourage, its adoption. That delay makes a convention particularly unsuitable for innovative financial products that might require regulators “to move faster to contain the risks.”

Financial innovation involves experimentation, which requires flexibility. The more relaxed nature of a model-law strategy can provide that flexibility. Model laws may be amended or denounced unilaterally by a nation without violating international law. Furthermore, the less formal process of developing and enacting a model law can promote open communication. A model-law strategy can also minimize delay because it becomes effective for each nation as soon as that nation enacts the uniform text.

Therefore, if consensus develops around an approach for regulating financial innovation (such as this article’s proposed framework or any other appropriate scheme), regulators should consider pursuing a model-law strategy to enact that approach. To that end, however, they should be cautious. Although regulatory uniformity is important, it might inadvertently increase systemic risk by decreasing the flexibility and resilience of the financial system. Professor Romano argues, for example, that the Basel II capital requirements contributed to the global financial crisis by globally correlating faulty rules. Furthermore, in our “rapidly changing financial system,” there also is “a very real danger that the wrong rules will be” coordinated.

Conclusion

FinTech’s innovations can provide valuable and potentially revolutionary new economic benefits, including greatly expanding financial inclusion. At the same time, the radical transformational consequences of these innovations are threatening to disrupt traditional finance and jeopardize the stability of the financial system.

These tensions between FinTech’s benefits and costs raise a fundamental but not fully answered question: How should the law regulate financial innovation? This article seeks to answer that question by building a systematic framework for analyzing how FinTech-driven innovations in particular, and financial innovation in general, should be regulated. In that process, the article introduces readers to basic FinTech-related concepts such as crypto-assets, blockchain, smart contracts, and DeFi. It also clarifies and simplifies the confusing terminology, which makes FinTech appear more complicated than it is.

The article is both descriptive and normative. It begins building its framework by analyzing actual precedents for regulating financial innovation and then comparing normative regulatory models. Thereafter, the article integrates these precedents and models into a regulatory framework which it applies to FinTech-driven innovations and financial innovation more generally, thereby testing the framework’s ability to cost-effectively control the risks of those innovations. That testing confirms that the article’s framework, or at least a more systematic normative framework for financial regulation than currently exists, should help regulators to devise appropriate and cost-effective rules for regulating financial innovation. That, in turn, should improve the prevailing process for regulating financial innovation, which has been compared to “regulating in the dark.”

In closing, it should be noted that this article seeks to build a substantive regulatory framework. From a more procedural perspective, financial regulators should be cautious lest premature regulation restrict innovation and impose transaction costs without effectively controlling harm. In the context of examining existing and future stablecoin regulation, several central bankers from the Bank for International Settlements and the Federal Reserve Bank of New York recently elegantly described this perspective.

Even though different jurisdictions are at different stages of examining how to regulate stablecoins, they believe “there is value to experimentation among approaches” to show which policy choices are more efficient. Effective regulation, they observe, almost invariably entails some trial and error. Furthermore, any stablecoin regulation should be based on evidence of problems that actually require new regulatory solutions.

Even where new regulation is needed, there also is a question of timing. Early regulation can run the risk of being underinclusive or overbroad. The latter, for example, can impose unnecessary costs, such as the expenses of preparing and implementing a supervisory program, developing employee expertise, and updating examination and training manuals as well as databases for receiving, analyzing, and storing information. For these reasons, they suggest that policymakers initially might consider more principles- than rules-based regulation, deferring granular decisions about implementation to the regulators. That can be controversial, however, entrusting unelected officials “with choices that could have significant consequences for an industry, its customers, and perhaps the broader economy.” Accordingly, a “first choice facing policymakers should be whether regulation should wait until it is truly needed.”

The author thanks Abdulelah Alkhuraif, Jon Frost, Scott A. Lessne, D. Daniel Sokol, Dirk Zetzsche, and participants in a Duke Law faculty “Ideas” workshop and a University of Luxembourg FDEF x SnT Lecture for valuable comments and Joshua Allen, Lea Daun, Jonathan Rosen, Daniela Pereira Salas, and especially Dominic Petric for invaluable research assistance. This work was supported by a Fuller-Perdue Grant.
