A. Smart-Regulation Model
Several scholars have proposed the “smart regulation” of FinTech-driven innovation. Described as “regulating just enough and in the right ways,” this model begs the fundamental normative questions of what regulation should be “just enough” and what should be the “right ways” to regulate. The smart-regulation model thus gives the appearance of rigor that it might not fulfill.
Scholars argue, for example, that smart regulation should focus on controlling risk fundamentals, facilitating access to financial markets, and regulating competition. These types of regulatory goals, however, are well-recognized and extremely broad.
The smart-regulation model becomes more meaningful insofar as it contemplates allowing firms to experiment with FinTech subject to several stages of regulation, each with increasing complexity, costs, and operational scope. The early stages of that regulation would be conducted within a “regulatory sandbox,” a concept originated by the UK’s Financial Conduct Authority (“FCA”) as “a ‘safe space’ in which businesses can test innovative products, services, business models, and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question.” A regulatory sandbox would enable a FinTech firm to test its financial innovations on a limited number of customers in restricted markets. In principle, that sounds reasonable.
Some express caution, though, about regulatory sandboxes. Whereas a small-scale trial of innovations in a controlled environment may be useful to generate preliminary data about the innovation’s risks and market implications, that data will not necessarily inform the risks and implications of implementing the innovation (e.g., marketing an innovative product) on a large scale. This concern is especially important for complex innovations that might generate systemic risk. A prominent SEC commissioner also worries that the use of regulatory sandboxes could slow down or halt innovation if regulators become too close to the innovative process, potentially controlling its development. Moreover, anecdotal evidence indicates that officials have underestimated the high cost of creating and operating a regulatory sandbox.
Using regulatory sandboxes therefore may be appropriate to allow FinTech firms to engage in limited experimentation with new products. But regulatory sandboxes cannot, by themselves, test whether those firms could safely and cost effectively introduce those products more widely.
Some scholars of smart regulation also focus on managing specific risks, such as the excessive amounts of financial data generated by FinTech. Fearing this excess could overwhelm the ability of the Financial Action Task Force (“FATF,” an intergovernmental body established by the G7 nations) to enforce governmental policies against money laundering and terrorist financing, those scholars propose that regulators introduce a “Know Your Data” (KYD) approach to supplement the traditional “Know Your Customer” (KYC) approach. Like the KYC standards—which are designed to protect against money laundering and terrorist financing by requiring financial institutions to establish customer identity, understand the nature of customer activities, and ascertain that the source of funds is legitimate—KYD standards would require financial institutions to monitor and internationally harmonize data sharing.
This article similarly advocates identifying and managing specific risks. That goal is not, however, a systematic regulatory model; it simply reiterates the individualized responses, and it begs the question of whether all such risks can be identified.
B. Same-Business, Same-Risks, Same-Rules Model
Under this model, regulation should remain largely the same unless the nature of the regulated business or the risks associated therewith fundamentally change. That invites an inquiry into whether financial innovation causes any such fundamental changes.
In the context of FinTech-driven innovation, that inquiry splits legal scholars into two camps. Some believe that innovation is radically changing the financial system, necessitating completely new forms of regulation. Others argue that innovation presents the same types of risks already associated with electronic banking (“e-banking”), merely incrementally changing those risks:
The effort and resources regulators are putting into understanding the FinTech sector is perhaps surprising, particularly as they are, to some extent, revisiting the same questions and risks identified over fifteen years ago with e-banking. Furthermore, apart from specific products (e.g., robo-advisory), the business models of FinTech companies are not radically different from their traditional counterparts. . . . To some extent, FinTech is going full circle and providing only incremental changes, both from industry and regulatory perspectives.
The majority of scholars, even those observing only incremental changes, nonetheless support the view that FinTech-driven innovation necessitates some new forms of regulation. For example, due to the nature of smart contracts as compared to plain-language contracts that control traditional finance, DeFi poses certain new transaction-level risks. The anonymity of DeFi can cause instability because parties cannot be consulted to try to resolve unforeseen disagreements, jeopardizing the ability to effectuate transactions. Such disagreements are inevitable because smart contracts, like all contracts, cannot anticipate all possible scenarios and thus are inherently incomplete. The automatic execution of smart contracts can also spread panic. Additionally, the complexity of blockchains may lead to programming errors, forcing liquidation and other undesirable effects. Ironically, any attempt to make smart contracts more comprehensive, to try to minimize potential contractual gaps, would increase the complexity of their programming, making them more prone to coding errors. DeFi’s new risks also might include the diminished transparency and governability of firms and boundary blurring due to the “inherently borderless and functionally fluid nature of digital assets . . . and monetizable data.”
Superficially paralleling the same-business, same-risks, same-rules approach, staff members of the Bank for International Settlement (“BIS”) have asked whether regulation of “the risks posed by [crypto-assets] should have the same objectives that have underpinned the approach to” regulating traditional finance. They conclude such regulation should have the same objectives: protecting consumers and investors; preserving market integrity (including the integrity of the monetary system) against fraud, manipulation, money laundering, and the financing of terrorism; and safeguarding financial stability. At least as articulated by the BIS staff members, however, that parallel approach relies on objectives that appear too broad to inform specific regulation. Based on those broad objectives, the BIS staff members have proposed, at a “high level,” “three potential lines of action” to “mitigate the risks emanating from” financial innovation (again, in their case, crypto-assets): (i) a complete ban, (ii) containment by isolating the innovation from traditional finance, and (iii) regulation. These lines of action are not helpful, though. They do not explain how to design the regulation, and they are duplicative because regulation can include a ban and also can impose firewalls (that is, isolation) between financial activities.
C. Freedom-of-Contract Model
This model grapples with the fundamental question of why freedom of contract, and thus freedom to contract for financial innovation, should be regulated. Freedom of contract typically has been believed to produce beneficial societal outcomes. To that extent, it should not be regulated. Nonetheless, freedom of contract should not be absolute. It generally should be subject to constraints based on public policy, paternalism, and externalities. These limitations arose, in part, because absolute contractual freedom “began to offend the sense of justice.” Freedom to contract for financial innovation should be subject to these same constraints, of which externalities and paternalism are particularly relevant.
Financial innovation sometimes can be harmful, creating externalities. To that extent, regulators should consider whether to constrain those externalities. It might appear, though, that financial innovation should be constrained by paternalism only in a consumer context. To that extent, the U.S. Consumer Financial Protection Bureau (“CFPB”) is already “dedicated to making sure [that consumers] are treated fairly by banks, lenders and other financial institutions.” This article does not purport to duplicate the CFPB’s paternalistic consumer-protection agenda, except to observe that the CFPB should continue to monitor and regulate to protect consumers from illegitimate providers of FinTech services.
Nonetheless, even sophisticated market participants sometimes might need paternalistic protection from financial innovation. Tech firms, for example, increasingly have been offering financial products that use big data and algorithmic decisionmaking, resulting in highly customized products. These products are not fully transparent to, and thus not always fully understood by, sophisticated market participants, including customers and investors.
D. Market-Failure Model
Under this model, the goal of regulation—and thus of financial regulation—should be to correct market failures that could be harmful. Designing financial regulation thus should turn on understanding how financial innovation could create those failures. That, in turn, requires an understanding of what market failures are.
Market failures are said to occur when free markets do not operate efficiently. Although economists recognize a range of market failures, the three most generally referenced in the context of financial markets are information failure, agency failure, and externalities.
Information failure means that market participants are not fully informed. This can result from information asymmetry (one participant having less information than another, such as a buyer of a used car having less information than the seller), lack of transparency (such as the buyer of a security not fully understanding the risks, absent full disclosure), lack of complete information, or “bounded rationality” (market participants “misinterpreting, over-relying, or under-relying on information,” or simply panicking). Agency failure refers to “problems in a principal-agent relationship,” such as agents failing to act in the best interests of their principals.
Economists view externalities as another category of market failure. From that perspective, the market-failure model and the freedom-of-contract model overlap: both address externalities. Technically, though, externalities are neither market failures nor the causes of market failures; rather, they are results of market failures. Nonetheless, consistent with economic practice, this article will discuss externalities as market failures.
To assess whether a financial innovation could create harmful market failures, one must examine how such an innovation could cause market failures that create harm. The most fundamental harm of a financial innovation would be impairing the ability of the financial system to perform the socially beneficial functions for which it is intended. That primary socially beneficial function is “funding”: the provision, allocation, and deployment of capital. The financial system performs this function by aggregating funds from multiple investors and then transferring the funds to firms that can productively use them. For example, banks engage in funding by borrowing money from depositors and (other) investors and then lending the money to firms. Firms also can obtain funding by issuing their own securities (e.g., commercial paper or bonds) to investors.
The financial system also has functions that advance funding. Certain of these functions, such as risk management, behavior monitoring, and information processing, help to make funding more efficient. Additionally, the financial system functions as a network within which its funding-related functions can be conducted. Regulation thus should operate to correct market failures caused by financial innovation that could impair the ability of the financial system to provide any of these functions.
E. Consequentialist Model
Another possible regulatory model would be consequentialist: “Consequentialism . . . is simply the view that normative properties depend only on consequences.” The goal of consequentialist regulation is utilitarian: to maximize net good for society. Under this model, financial regulation should attempt to maximize net good for society. In the context of financial innovation, this should boil down to reducing social harm without unduly impeding that innovation. Intuitively, this is a sensible approach.
F. Synthesis of Normative Models
Although the foregoing normative models are articulated differently, their fundamental principles are similar, and also similar to actual regulatory precedents. Each of these models focuses on identifying and cost-effectively controlling new risks arising from innovation—that is, externalities—that might harm parties, including investors, customers, or the public.
Thus, the smart-regulation model contemplates designing cost-effective regulation to manage new risks of financial innovation. It also contemplates using regulatory sandboxes to allow firms to (relatively) safely experiment with those innovations. The same-business, same-risks, same-rules model would rely on existing regulation, which presumably cost-effectively controls risk, to the extent an innovation is sufficiently similar to traditional forms of innovation. Regulation under the freedom-of-contract model would limit harmful externalities. It also would protect market participants who do not fully understand the risks of their innovations. Regulation under the market-failure model would correct harmful market failures—such as failures that could impair the ability of the financial system to productively fund businesses. The consequentialist model contemplates regulation to reduce the social harm of financial innovation without unduly impeding that innovation.
IV. Building a Regulatory Framework
This Part IV next builds a framework for regulating financial innovation based on the foundation provided by the foregoing regulatory precedents and normative models. Subpart A identifies the relevant regulatory precedents and normative models. Thereafter, subpart B integrates those precedents and models to build the framework.
A. Identifying the Relevant Regulatory Precedents and Normative Models
Part II’s regulatory precedents were enacted to attempt to address the circumstances that caused certain financial innovations to be harmful. Not all of those precedents are applicable to FinTech-driven innovations or even to financial innovation more generally.
The most relevant precedents would include identification of risks by requiring FinTech firms to self-police and to disclose an innovation’s risk. Self-policing and disclosure may be insufficient, though; because the interests of private FinTech firms are distinct from those of society, some firms might overlook risk that only affects the public.
Better aligning incentives by requiring FinTech firms to retain some portion of an innovation’s risk would not work absent a practical way to accomplish that risk-retention. Imposing capital requirements on the firms’ investors could discourage innovation by discouraging investment. Moreover, deciding on an appropriate level of capital would be pure guesswork.
Further reforming rating agencies would be irrelevant if, as some believe, the reforms already implemented ensure credit-rating accuracy. Reducing interrelationships between FinTech firms and SIFIs also would be irrelevant because, at least currently, FinTech firms tend to be relatively small; their failure, therefore, would be unlikely to trigger a SIFI’s failure. Furthermore, because they are not structured as investment vehicles, FinTech firms are unlikely to engage in maturity transformation. Regulating their liquidity risk therefore should be irrelevant.
Trying to ensure that critical intermediaries act properly by licensing and imposing on them fiduciary duties contemplates that such intermediaries exist and can be identified. Although that may well be the case for most stablecoins and other cryptocurrencies, DeFi can make it difficult to identify intermediaries which, when they do exist, may be individuals rather than institutions.
Part III’s normative models are more broadly applicable to FinTech-driven innovation and to financial innovation more generally. The smart-regulation model applies directly to FinTech-driven innovation. That model contemplates using regulatory sandboxes to cost-effectively allow FinTech firms to experiment with new products. By themselves, however, regulatory sandboxes are an insufficient response; they cannot test whether firms could safely and cost-effectively introduce those products more widely.
The remaining normative models all boil down to cost-effectively controlling new risks that might harm parties, including customers, investors, or the public. The same-business, same-risks, same-rules model would require regulators to assess whether the new risks are sufficiently similar to existing risks. If sufficiently similar, existing regulation should cost-effectively control those risks. This model, however, requires identifying those risks.
The freedom-of-contract model would limit financial innovation that harms third parties or (otherwise) impairs public policy. That invites an inquiry into whether FinTech-driven or other financial innovation could harm third parties—again, requiring one to identify the risks. The freedom-of-contract model also would protect market participants against innovative financial products that are insufficiently transparent to be fully understood. Consistent with the regulatory precedents, that would require firms to disclose an innovation’s risk. The market-failure model would correct failures that impair the ability of the financial system to provide funding to firms that can productively use it. It appears unlikely, however, that FinTech-driven or other financial innovations could, by themselves, have such a dramatic systemic impact. And the consequentialist model, most directly, contemplates regulation to reduce social harm without unduly impeding innovation.
B. Building an Integrated Regulatory Framework
This subpart integrates the relevant precedents and models to build a framework for regulating FinTech-driven innovation. The first logical stage of this framework should be to create an open but controlled environment for innovation, using regulatory sandboxes to provide FinTech firms with flexibility to test innovative products and services on a limited number of customers in restricted markets. Regulators should be cautious, though; this limited testing cannot fully account for the costs and the risks of widely introducing those products and services.
At all stages of the framework, regulators should require FinTech firms to self-monitor for any risks of their innovative products and services. Those firms should be required to report any such risks to regulators and to disclose those risks to customers. Because self-monitoring is likely to be insufficient, regulators also should implement a system of third-party expert monitoring.
The success of that monitoring will depend on the monitors’ ability to identify risks. Given the complexities of FinTech-driven innovation, regulators should work with the monitors—whether the FinTech firms themselves or third parties—to help them identify potential risks. These should include not only risks to the firms and their customers but also risks to other market participants and to the public. To these ends, regulators might wish to coordinate and work jointly with expert agencies such as the Office of Technology Assessment (OTA), which has expertise in technological innovation, and the Financial Stability Oversight Council (FSOC), which has expertise in monitoring systemic risk and financial stability.
Once a risk of FinTech-driven innovation is identified, regulators should consider how, if at all, to regulate it. To that end, they first should examine whether it is sufficiently similar to existing risks to be controlled, in principle, by existing regulation. To the extent that risk is sufficiently similar, they should examine whether the scope and application of the existing regulation technically covers the risk. If not, they should extend that scope and application as needed.
If a new risk cannot be controlled by existing regulation, regulators should examine how to cost-effectively control it. Under existing norms, regulators use cost-benefit analysis (“CBA”) to assess the cost effectiveness of any proposed new regulation. The theoretical basis of CBA is Kaldor-Hicks efficiency analysis, which holds that an outcome is socially desirable if its overall benefits exceed its overall costs, regardless of which parties benefit and which lose.
V. Applying the Regulatory Framework
This Part next applies the regulatory framework to financial innovation, with subpart A applying it to FinTech-driven innovations and subpart B applying it to other financial innovations. Because financial innovations are not bound by national borders, subpart C thereafter applies the regulatory framework in a cross-border context.
A. Applying the Framework to FinTech-Driven Innovations
Subparts A.1, A.2, and A.3 focus, respectively, on the three fundamental FinTech-driven innovations herein discussed: smart contracts, DeFi, and other crypto-based products and services. Thereafter, subpart A.4 focuses on a more incidental FinTech-driven innovation: technically motivated vertical integration.
1. Smart Contracts. Recall that a smart contract is a precise list of pre-programmed steps, expressed in computer code, to conduct specified actions depending on the initial input. Like all contracts, smart contracts are inherently incomplete because they cannot be written to anticipate all possible scenarios. To that extent, their regulation should follow the same-business, same-risks, same-rules approach—those rules being the rules of contract law that govern incomplete contracting.
Smart contracts can raise new risks, however, due to their automatic, and thus unchecked, execution. Additional risks can arise when smart contracts are used in DeFi scenarios because the anonymity of DeFi protocols can prevent contracting parties from knowing the identity of their counterparties. This subpart A.1 focuses on risks arising from automatic execution; subpart A.2 addresses risks arising from DeFi anonymity.
The automatic execution of smart contracts creates the risk that a smart contract could lead to an unanticipated or even random outcome due to poor programming, unpredictable inputs, or other errors. Such automatic execution might also increase systemic risk by spreading contagion. This could occur, for example, if similar collateral is liquidated in a correlated manner across numerous loans, causing the value of the foreclosed collateral to plummet, thereby triggering further collateral liquidations and devaluations in the equivalent of a fire sale. How could regulation constrain those risks?
The regulatory response to control the automatic execution of high-frequency trading—temporarily suspending trading in problematic markets—would not apply to smart contracts. Because any parties can use smart contracts (in contrast to limitations on market traders of securities), their diversification makes centralized control difficult. At the very least, though, regulators should consider requiring business users of smart contracts to self-monitor and ascertain the identity of their counterparties, as well as to report any risks and disclose those risks to their counterparties and customers. Regulators also should consider establishing third-party expert monitoring to supplement that self-monitoring. Regulators should have the power to suspend a business’s right to enter into new smart contracts if the monitoring reveals that its current use of smart contracts is creating significant risk.
From a cost-benefit standpoint, these remedies are limited and should not impose significant costs. The benefits of these remedies, although relatively modest, may well exceed their costs. To that extent, these remedies would be socially desirable.
2. DeFi. Many believe that DeFi’s decentralization of finance poses a unique anonymity risk: potentially depriving regulators of specific parties on whom to impose and enforce regulation. From the standpoint of this article’s regulatory framework, anonymity could also make monitoring impractical.
The complete anonymity of those parties would have serious consequences. For example, many fear that the inability to identify and regulate DeFi participants could jeopardize enforcement of the laws against money laundering and terrorist financing. That, in turn, could threaten monetary integrity and even national security. The FATF recommends these types of laws to protect the global banking and financial system. In enacting these types of laws, nations generally follow the FATF’s recommendations. Anonymity would make it uncertain on whom governments could enforce those laws. Some also fear that the inability to identify and regulate DeFi participants could leave banks subject to lawsuits if injured investors cannot identify DeFi arrangers. Others are concerned that the inability to regulate DeFi participants would arbitrage financing away from regulated banks, causing a significant portion of the financial system to become unregulated. Anonymity also could prevent parties to smart contracts from easily identifying their counterparties, thereby making it difficult to resolve disagreements and potentially exacerbating counterparty risk.
The semantics surrounding DeFi, however, obscure the reality that, at a fundamental level, people control the operation of decentralized finance. Although they might not be readily identifiable, DeFi’s controllers are the parties who program, create, and arrange the environment in which DeFi operates. Accordingly, “DeFi services often have a controlling organization that provides a measure of centralized administration and governance.” Furthermore, DeFi platforms “typically have some form of centralized governance framework to fix errors and outline their operations.” Investors in and users of those platforms often receive “governance tokens” that enable them to vote about changes to the platform. Parties having such control or governance power should, in theory, be able to be identified. Regulators could also require their registration. Once identified, these parties could be monitored and regulated.
From a cost-benefit standpoint, identifying the parties controlling DeFi services or governing DeFi platforms could be expensive. Once identified, however, the benefits could be substantial, including enabling enforcement of the laws against money laundering and terrorist financing (thereby protecting monetary integrity), protecting national security, protecting global banking, and preventing the arbitrage of financing away from regulated banks to unregulated DeFi. Those benefits almost certainly should exceed the costs.
As an alternative to regulating decentralized DeFi parties, regulators might also consider requiring DeFi services and the operation of DeFi platforms to be provided by centrally registered and well capitalized entities. For example, the FATF has recommended that “countries should ensure that virtual asset service providers [defined as “VASP”s] are regulated for [anti-money-laundering and countering-financing-of-terrorism] purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance” with FATF recommendations. A report of the International Monetary Fund (IMF) recommends that regulators “encourage DeFi platforms to be subject to robust governance schemes, including industry codes and self-regulatory organizations. These entities could provide an effective conduit for regulatory oversight.” However, because these limitations on DeFi parties might impair some of the benefits of decentralized finance, regulators should study them carefully, including consulting with representatives of the DeFi industry, before adopting them.
3. Other Crypto-based Products and Services. This article’s regulatory framework applies generally to crypto-based financial products and services. The FSB is particularly concerned about possible risks associated with crypto-assets. It cautions that “[a]lthough the extent and nature of use of crypto-assets varies somewhat across jurisdictions, financial stability risks could rapidly escalate, underscoring the need for timely and pre-emptive evaluation of possible policy responses.”
In the first stage of this article’s regulatory framework, regulatory sandboxes could provide FinTech firms with flexibility to test innovative crypto-based products and services on a limited number of customers in restricted markets. Regulators also should require FinTech firms to self-monitor for any risks of those products and services and to report and disclose such risks. Additionally (as for smart contracts), they should implement a system of third-party expert monitoring, coordinating their work with agencies such as the OTA and FSOC that have the relevant expertise.
If the risk of such a product or service is sufficiently similar to existing risks to be controlled by existing regulation, regulators should examine whether the scope and application of that regulation technically covers the risk; and then they should extend that scope and application as needed. Existing product-liability law, for example, might help to control the risk of some new financial products.
However, if a new risk cannot be controlled by existing regulation, regulators should examine how to cost-effectively control it. For example, in what might be viewed as a variant of the precautionary principle, Professors Posner and Weyl have proposed creating a regulatory agency, akin to the FDA, to approve new financial products. Firms would be required to seek approval from this agency before marketing new financial products. That approach reverses the presumption, at least in the context of new financial products, that private-sector freedom of contract produces beneficial societal outcomes. That reversal would seriously impede financial innovation if the agency requires proof of safety before approving a product, given the unavoidable ex ante uncertainty about a financial innovation’s welfare effects. From a cost-benefit standpoint, therefore, requiring firms to obtain government approval before marketing innovative crypto-based (or other new) financial products or services appears questionable.
A less intrusive and more concrete approach to control the risks of new financial products and services might focus on SIFIs. By definition, SIFIs are the entities whose failure—including failure due to overinvestment in new financial products and services—could trigger a systemic economic collapse, causing harmful consequences such as “widespread poverty and unemployment.” The overinvestment risk is growing because SIFIs “are increasingly willing to undertake activities in, and gain exposures to, cryptoassets.”
Regulation could help to control that risk. For example, regulators could restrict the amount of crypto-assets and other innovative financial products (as defined by law) that a SIFI is allowed to hold. This approach would parallel Federal Reserve regulations that protect banks engaged in margin lending. The Fed has restricted that lending to a level that should not cause a bank to become insolvent even if the value of the collateral falls by 50 percent. Regulators similarly might consider restricting the amount of crypto-assets and other innovative financial products (as defined by law) that a SIFI is allowed to hold to a level that would not cause the SIFI’s insolvency even if the market price of those products were to fall precipitously.
Whatever the approach, it should be supplemented by adequate disclosure. Innovative financial products and services can be highly complex and, without such disclosure, even sophisticated institutional users might not understand them. When derivatives first came into widespread use, for example, some of the most sophisticated institutions did not understand them.
In their form and use, some innovative financial products so closely resemble securities that they should be subject to securities law in order to impose disclosure requirements on their trading, to set suitability standards on parties eligible to acquire them, and to prevent fraud. This would be especially important to protect consumers.
There currently is controversy, for example, whether interests in certain cryptocurrencies are securities, and thus should be subject to securities law. Some argue that the sale of these interests, which generally are characterized as tokens or coins, should not represent the issuance of securities if the proceeds of their sale are used for ordinary purposes (such as purchasing goods, even if the purchase is made through a blockchain platform). In contrast, the SEC looks to the substance of the transaction, not the form, with emphasis on whether the financial product involves or is used in any profit-sharing arrangement. Thus, crypto-assets “that incorporate features and marketing efforts that emphasize the potential for profits based on the entrepreneurial or managerial efforts of others continue to contain the hallmarks of a security under U.S. law.”
A final question is whether crypto-based financial products and services should be specially regulated because they utilize cryptography. Cryptography risks, however, are at least currently similar to other cyber risks—namely, the cyber-security and privacy risks of utilizing computer-based electronically recorded or transmitted data. Those cybersecurity risks include hacking, malware, phishing, data breaches, and fraud (including identity fraud), and cyber-operation risks such as software programming errors. Those privacy risks include unauthorized access, misuse, or loss of personal data due to issues with custodians or the computers of individuals. Existing regulation already covers those risks. Therefore, under the same-business, same-risks, same-rules regulation approach, that regulation should adequately cover the cryptography risk.
4. Technically Motivated Vertical Integration. FinTech’s technical complexity is leading to an acute vertical integration of the FinTech industry. This contrasts with the typical incentive for vertical integration: to increase economic efficiency by combining different stages of production under common ownership.
For example, SoFi is an online financial services provider offering checking and savings accounts, credit cards, brokerage accounts, mortgage loans, and multiple forms of loan servicing. Similarly, companies like Plaid have emerged to offer services to other FinTech firms that provide an interface for various transactions including peer-to-peer payment processing, fraud compliance and identity verification, and the linking of various investment accounts to view in one account, among other things. Clients of Plaid include FinTech firms Venmo, Chime, SoFi, and Betterment. Ironically, vertical integration in the FinTech industry goes against the industry’s goal of achieving DeFi.
Vertical integration of the FinTech industry can have advantages and disadvantages. The advantages include possible informational and service efficiencies, including sharing of resources. But the disadvantages include the potential for FinTech firms to ignore conflicts in order to try to maximize overall corporate value, without regard for flaws that could jeopardize the public. The extensive vertical integration in the residential mortgage-backed securities (“RMBS”) industry illustrates this concern.
Prior to the global financial crisis, for example, Countrywide was a vertically integrated RMBS firm which, among other things, originated and serviced mortgage loans. Its servicing of mortgage loans was excellent and highly profitable. However, its need to continue originating enough mortgage loans to keep earning lucrative servicing fees is believed to have motivated a sharp decline in the quality of its mortgage-loan-origination standards. Ultimately, Countrywide’s inability to stand behind its representations and warranties regarding the purported quality of those loans caused its bankruptcy. Even worse, Countrywide’s origination of billions of dollars of poor quality mortgage loans, many of which later defaulted, is believed to have significantly contributed to the global financial crisis.
Vertical integration’s disadvantages also can arise from behavioral psychology. For example, a firm seeking profit (potential gain) in arm’s-length transactions will tend to be risk averse. Whereas for non-arm’s-length transactions, a firm trying to maximize the overall value of itself and its affiliates—as could occur with a vertically integrated firm—may well be willing to take risks at some affiliates to try to avoid overall consolidated losses. But that would expose the risk-taking affiliates to greater uncertainty and potential default, which could cross-default to other members of the affiliated group.
Requiring disclosure and greater transparency could help to reduce vertical integration risk. Among other things, disclosure should be directed at identifying and explaining possible internal conflicts that could drive risk-seeking behavior. It also should focus on the most critical functions—in the case of a stablecoin, for example, the stablecoin issuer’s ability to redeem the “coins” for the reference assets, on demand. Although the benefits of requiring that disclosure and transparency might be modest, the costs should be very low.
Another possible regulatory approach to reducing this type of risk would be to require ring-fencing of critical crypto firms and activities, as is often required by state public utility commissions for critical utilities. This approach would impose much higher costs, however, and its benefits would be uncertain. Any implementation of ring-fencing should therefore be studied in detail before actually tried.
B. Applying the Framework to Other Financial Innovations
Securitization and re-securitization are some of the most important examples of financial innovation of the past century. Given their blame for the global financial crisis, they may also be among the riskiest examples. This subpart B tests the article’s regulatory framework by applying it retroactively to securitization and re-securitization and then comparing that framework-derived regulation with the actual post-global-financial-crisis regulation.
1. Explaining Securitization and Re-securitization. A typical securitization is a financial transaction in which a sponsor purchases a pool of loans, accounts receivable, or other rights to payment (financial assets) from firms originating those assets, such as mortgage lenders, and then sells them to a special purpose vehicle (“SPV”). The SPV pays for those assets by issuing debt securities to investors; those securities are repayable from collections on the financial assets. Businesses have long used securitization to monetize, or transform into cash, financial assets. By 1992, the Securities and Exchange Commission (“SEC”) observed that securitization was “becoming one of the dominant means of capital formation in the United States.”
A problem arose, however, when securities issued in standardized securitization transactions were pooled together and “re-securitized” in highly complex leveraged transactions. Ironically, to signal the quality of the securities they were selling to investors, financial institutions that sponsored these re-securitization transactions—grossly misjudging their risk—often invested in the most subordinate, and thus risky, of the re-securitized securities. That not only exposed those financial institutions to significant investment risk but also misled investors generally about the safety of—thereby attracting massive investments in—the more senior re-securitized securities.
Many of those re-securitized securities were indirectly backed by home-mortgage loans. When housing prices declined in 2006–07, a significant portion of those securities defaulted, jeopardizing the solvency of investors therein and causing their counterparties to demand collateral. Investors that were unable to provide that collateral, including Lehman Brothers, filed for bankruptcy protection in response to the demands, leading to the “near collapse of the financial system.”
2. Applying the Regulatory Framework to Securitization and Re-securitization. The first stage of this article’s regulatory framework contemplates using regulatory sandboxes to create an open but controlled environment for innovation. That approach could have tested highly complex leveraged re-securitization deals before they became pervasive. Even those deals, however, performed well prior to the 2006–07 housing price declines. This reinforces the article’s caution that limited testing using regulatory sandboxes cannot fully account for the costs and the risks of widely introducing innovative financial products and services.
The framework requires FinTech firms to self-monitor for any risks of their innovative products and services. It also requires those firms to report those risks to regulators and to disclose them to customers. Although theoretically salutary, self-monitoring would have been insufficient because, as discussed, the financial institutions that sponsored re-securitization transactions often grossly misjudged their risk. This illustrates the importance of the framework’s recommendation that regulators also should implement a system of third-party expert monitoring. Although those monitors did not exist when re-securitization transactions were first implemented, the FSOC now exemplifies such a possible monitor.
Once they identify the risks of securitization and re-securitization, regulators should consider how, if at all, to regulate those risks. To that end, they first should examine whether those risks are sufficiently similar to existing risks to be controlled by existing regulation (and, if so, whether the scope and application of that regulation technically covers the risk). If those new risks cannot be controlled by existing regulation, regulators should examine how to cost-effectively control them.
The author has separately examined how to cost-effectively control the risks of securitization and re-securitization. In response to the global financial crisis, the European Union’s simple, transparent, and standardised (STS) regulation incentivizes straightforward securitizations, in contrast to the complex and leveraged re-securitizations, as an effective funding channel to the economy. It does this not by prohibiting re-securitization or other innovations on securitization; rather, it motivates parties to engage in straightforward securitizations by reducing regulatory capital requirements for investors therein. The STS proposal is reasonable because it motivates the beneficial transactions (straightforward securitizations) without prohibiting experimentation and financial innovation.
3. Comparing that Framework-derived Regulation with the Actual Regulation. The actual regulatory responses to securitization and re-securitization fall into four categories: increasing disclosure, requiring risk-retention, reforming rating agencies, and imposing capital requirements. As observed, however, the overall effectiveness of these regulatory responses is unclear. For example, the purported requirement to increase disclosure disregarded that parties always were required to (and did) disclose the relevant information. The risk-retention requirement simply reflected the existing common practice. The rating-agency reforms were valuable, but rating agency abuses may not have been responsible for the securitization and re-securitization failures that contributed to the global financial crisis. And the imposition of capital requirements has been characterized as punitive and illogical.
In contrast to those actual, albeit questionable, regulatory responses, this article’s regulatory framework suggests more targeted and cost-effective responses to securitization and re-securitization—focusing primarily on re-securitizations which created the critical risks. The first such response, using regulatory sandboxes, is admittedly insufficient because it would not have revealed re-securitization’s risks. Nonetheless, observing that insufficiency illustrates the limitations of using regulatory sandboxes as a tool. Requiring the sponsors of re-securitization transactions to self-monitor for risks would similarly have been insufficient because the sponsors misjudged the risks. Again, however, observing that insufficiency illustrates the importance of regulators implementing a system of third-party expert monitoring.
Because existing regulation cannot control re-securitization’s risks, this article’s framework calls for examining how to cost-effectively control those risks. That examination favors regulation along the lines of the EU’s STS approach, which incentivizes straightforward securitization transactions by reducing regulatory capital requirements for investors therein. Sponsors are more likely to understand risks associated with straightforward transactions, and investors are more likely to understand disclosures about those risks. The STS approach is flexible, however; it does not prohibit experimentation with re-securitization or other potential future innovation. The benefits of the STS approach are therefore likely to be significant, whereas the costs should be modest.
No single regulatory framework or approach is always perfect, however. Financial innovations can evolve incrementally, for example, without critical recognition of increasing risk. In examining the origin of the global financial crisis, Professor Judge thus argues that the narrow focus of market participants and regulators on the latest incremental developments prevented them from viewing the “big picture.” This suggests that any framework for regulating financial innovation should be supplemented by a framework for mitigating the potentially systemic consequences of failing to control an innovation’s risks. Designing that second framework involves a separate analysis.
C. Applying the Framework in a Cross-Border Context
Financial innovation creates risks that can cross national borders, especially for products and services that are widely used internationally. Controlling those risks requires cross-border regulation.
Coordinating that regulation can be difficult. Due to their decentralized nature, for example, DeFi activities cannot always be linked to specific jurisdictions. Coordinating multiple, and potentially conflicting, legal frameworks could generate high costs. Furthermore, the interaction of conflicting legal frameworks could create uncertainty about the enforceability of contracts governing those activities.
If all potentially relevant jurisdictions had uniform laws, the inability to link an activity to specific jurisdictions should be inconsequential. To achieve such uniformity, policymakers have devised two strategies.
The traditional strategy is to enact a multilateral convention or treaty (the terms being synonymous), which represents an agreement or compact among nations under which each such nation is bound to adhere to the convention’s requirements without requiring further action by its legislative body. A more recent, and arguably more innovative, strategy is to formulate a model law for governments to enact uniformly as domestic law in their jurisdictions. Model laws are thus sometimes called uniform laws.
Treaties are more formal than model laws. Treaties are binding upon contracting states and may only be modified or denounced by a treaty amendment. Although this binding feature provides greater certainty that treaty-bound nations will follow through on their commitments and not renege as political winds shift, some nations may see that as a disadvantage, especially if they are experimenting with the regulation. Moreover, the expectation that a treaty needs widespread consensus can significantly delay, if not also discourage, its adoption. That delay makes a convention particularly unsuitable for innovative financial products that might require regulators “to move faster to contain the risks.”
Financial innovation involves experimentation, which requires flexibility. The more relaxed nature of a model-law strategy can provide that flexibility. Model laws may be amended or denounced unilaterally by a nation without violating international law. Furthermore, the less formal process of developing and enacting a model law can promote open communication. A model-law strategy can also minimize delay because it becomes effective for each nation as soon as that nation enacts the uniform text.
Therefore, if consensus develops around an approach for regulating financial innovation (such as this article’s proposed framework or any other appropriate scheme), regulators should consider pursuing a model-law strategy to enact that approach. To that end, however, they should be cautious. Although regulatory uniformity is important, it might inadvertently increase systemic risk by decreasing the flexibility and resilience of the financial system. Professor Romano argues, for example, that the Basel II capital requirements contributed to the global financial crisis by globally correlating faulty rules. Furthermore, in our “rapidly changing financial system,” there also is “a very real danger that the wrong rules will be” coordinated.
Conclusion
FinTech’s innovations can provide valuable and potentially revolutionary new economic benefits, including greatly expanding financial inclusion. At the same time, the radical transformational consequences of these innovations are threatening to disrupt traditional finance and jeopardize the stability of the financial system.
These tensions between FinTech’s benefits and costs raise a fundamental but not fully answered question: How should the law regulate financial innovation? This article seeks to answer that question by building a systematic framework for analyzing how FinTech-driven innovations in particular, and financial innovation in general, should be regulated. In that process, the article introduces readers to basic FinTech-related concepts such as crypto-assets, blockchain, smart contracts, and DeFi. It also clarifies and simplifies the confusing terminology, which makes FinTech appear more complicated than it is.
The article is both descriptive and normative. It begins building its framework by analyzing actual precedents for regulating financial innovation and then comparing normative regulatory models. Thereafter, the article integrates these precedents and models into a regulatory framework which it applies to FinTech-driven innovations and financial innovation more generally, thereby testing the framework’s ability to cost-effectively control the risks of those innovations. That testing confirms that the article’s framework, or at least a more systematic normative framework for financial regulation than currently exists, should help regulators to devise appropriate and cost-effective rules for regulating financial innovation. That, in turn, should improve the prevailing process for regulating financial innovation, which has been compared to “regulating in the dark.”
In closing, it should be noted that this article seeks to build a substantive regulatory framework. From a more procedural perspective, financial regulators should be cautious lest premature regulation restrict innovation and impose transaction costs without effectively controlling harm. In the context of examining existing and future stablecoin regulation, several central bankers from the Bank for International Settlements and the Federal Reserve Bank of New York recently elegantly described this perspective.
Even though different jurisdictions are at different stages of examining how to regulate stablecoins, they believe “there is value to experimentation among approaches” to show which policy choices are more efficient. Effective regulation, they observe, almost invariably entails some trial and error. Furthermore, any stablecoin regulation should be based on evidence of problems that actually require new regulatory solutions.
Even where new regulation is needed, there also is a question of timing. Early regulation can run the risk of being underinclusive or overbroad. The latter, for example, can impose unnecessary costs, such as the expenses of preparing and implementing a supervisory program, developing employee expertise, and updating examination and training manuals as well as databases for receiving, analyzing, and storing information. For these reasons, they suggest that policymakers initially might consider more principles—than rules-based regulation, deferring granular decisions about implementation to the regulators. That can be controversial, however, entrusting unelected officials “with choices that could have significant consequences for an industry, its customers, and perhaps the broader economy.” Accordingly, a “first choice facing policymakers should be whether regulation should wait until it is truly needed.”