Verena Ross’ speech at Consob conference: “The New Frontiers of Digital Finance”, 10 March 2023
Thank you to my colleagues at Consob for the invitation to speak, and for your hospitality. It’s a pleasure to be here with you at this event. The conference theme of frontiers in digital finance is a vivid one: we can imagine technology pushing back the boundaries of what is possible, enabling financial entities and investors to explore new ways of interacting and doing business. Historically, exploring frontier regions could be an exciting and fruitful task, but also a risky one. New territory can contain hidden dangers.
Today I will start by discussing some key technological developments and the benefits and risks they bring. One overarching risk – and an inescapable feature of the digital age – is cyber risk. At the cutting edge of technology and innovation, authorities need to promote a secure and resilient environment as far as possible. I will go on to set out how ESMA, the other ESAs and NCAs are working hard in this respect, and the challenges that lie ahead.
Digitalisation reshapes financial markets
Capital markets – and the wider financial sector – continue to undergo a digital transformation. Finance fundamentally involves storing and retrieving information; in particular, about ownership rights and obligations. Where Set featured image financial firms once had offices and depositories with stacks of paper in filing cabinets, they now have computer servers – either on site or remotely hosted – encoding financial and personal data in digital form. Across the wider economy, data generation, use and storage have grown exponentially for decades. The sheer scale is now hard to comprehend in ordinary terms. Roughly speaking, a single megabyte of data encodes something like the information found in a book. Across the globe, the equivalent of trillions of books are now created every hour, in various formats.1
Digital technology continues to shape the way capital markets operate and the way intermediaries provide financial services. Firms across the financial sector are increasingly linked digitally as they transact and communicate electronically. Technologies such as APIs enable data to be readily accessed across systems, including by third parties that provide analytics and compliance tools.
Digitalisation has fundamentally changed the nature of the consumer experience. For those consumers seeking in-branch financial services, digital technology is there behind the scenes, providing investment advisers with a wealth of information on different products and services at their fingertips. And increasingly, consumers are directly accessing such information via digital means. Smartphone apps make it is easier than ever – provided you are comfortable using such technology – to compare financial products or manage your portfolio.
The profile of firms providing financial services has evolved significantly in the last decade or so, powered by online technology. FinTech firms have entered the marketplace, often providing niche services. We have also seen large technology companies – BigTechs – provide certain financial services. And on top of that, financial entities increasingly rely on technology companies to provide their ICT services via the cloud. Taken together, these trends amount to a more complex financial services value chain and greater operational interdependency among firms.
At the same time, digital technology has powered the growth of online platforms in the financial sector. These platforms come in different shapes and sizes. They range from simple comparison sites, providing users with information on the price and key features of different financial services, to ‘ecosystem’ platforms that act as marketplaces for clusters of related products and services, provided by financial and non-financial firms. This aggregation of certain tools and services from an increasingly diverse range of firms – from FinTechs to traditional incumbents – paints a rather complex picture.
Certain new technologies increasingly have use cases and applications in capital markets. Artificial intelligence, or AI, has recently been in the news following the launch of ChatGPT last November. Generation and processing of natural language – including answering many questions in a pretty convincing way, as ChatGPT does – is just one variety of AI. In its various forms, AI is now used by some asset managers to inform or support their investment strategies, risk management and compliance. AI tools are also used to optimise trade execution and post- trade processes. The explosion in global data generation that I just mentioned has driven the development and uptake of AI in financial services.
Benefits and risks
What do these developments mean in terms of benefits and risks? Let me start with some of the benefits that we see.
Digitalisation of the financial sector and beyond has not happened by accident. For many years, firms have adopted digital technologies to reduce costs and to gain efficiencies. Digital transactions can be conducted faster than ever before, and vast amounts of information can be stored and retrieved with ease. Improvements in trading and in back-office processes are of major benefit to firms and investors alike.
Likewise, firms turn to third-party providers of ICT services to benefit from their expertise and capacity. Cloud providers, as specialists in their field, may be able to enhance operational resilience at firm level compared with in-house systems. And firms can realise major efficiency gains due to the scalability of cloud services. Rather than having to maintain systems with surplus capacity in case of peaks in usage, firms can access the processing and storage they need at any given time.
In addition to efficiency gains at firm level, investors enjoy some of the benefits of digitalisation directly. The growth of financial services platforms and online brokers brings greater convenience to many consumers, allowing them to access tailored services at the touch of a screen.
One technology with a diverse range of use cases is Distributed Ledger Technology, or DLT. Applied to financial instruments, it can make settlement cycles quicker, more efficient and more transparent, because it requires fewer intermediaries and enables greater automation. With these benefits in mind, the DLT Pilot Regime enters into application less than two weeks from now.2 The Pilot is designed to support the development of the trading and settlement of DLT- based financial instruments, enabling multilateral trading facilities (MTFs) and central securities depositories (CSDs) that use DLT to be established in a controlled environment. Provided they are operationally reliable, such projects have the scope to benefit markets and, ultimately, investors.
Under the pilot, NCAs will authorise and supervise firms, while ESMA will have an important coordination and convergence role. For example, ESMA will issue guidance on several aspects of the Pilot and will be able to give opinions on the national authorisations.
What about the risks from digital finance? Let’s start by thinking about investor protection. While investing or trading online might be convenient for many of us, it does not suit everyone. There is a risk that digitalisation could crowd out face-to-face provision of financial services, leaving some of us adrift. Investor education has a role to play in mitigating this risk but cannot resolve it entirely.
Even among enthusiasts for digital technology – perhaps especially among younger users of trading and investment apps – substantial risks are present. The flip side of greater convenience can be overly-frequent or overly-risky trading, as we saw especially during the boom in retail trading during the first lockdowns of the pandemic. With a greater range of offerings, we have also seen that more and more apps provide a gateway to the world of crypto investing.
Last November’s collapse of FTX, one of the most prominent crypto platforms, brought home the significant risks in the crypto sector to retail investors, in the EU and beyond. With other authorities, ESMA has been warning publicly for some time about these risks. Crypto assets are often not supported by any tangible value and their price is highly volatile. Most operate outside the scope of EU regulation, leaving consumers with no recourse if things go wrong.
The new MiCA regulation was developed before the scale and nature of the problems at FTX were known. Nonetheless, MiCA is an important milestone. Crypto Asset Service Providers will for the first time be subject to authorisation and supervision by NCAs. MiCA will give ESMA new product intervention powers, somewhat similar to those in MiFIR that we last used in 2018.
Having talked about various aspects of the new frontiers of digital finance, let me turn at the end of my remarks to one overarching risk that we all face, and one that is inextricably linked to digitalisation: namely, cyber risk.
Cyber risk is in part driven by the structural developments I mentioned earlier around online provision of financial services, reliance on vast datasets and growing operational interconnectedness across and beyond the financial sector. Digitally-based and highly interconnected financial infrastructures result in a greater ‘attack surface’ for malicious actors to target, and provide channels through which an operational incident may propagate.
At the same time, momentous and tragic events – I have in mind first the pandemic, and more recently Russia’s war of aggression in Ukraine – heighten the risk level. Managing cyber risk effectively and building digital operational resilience is vital not just for individual firms and authorities, but for the entire financial system.
Building digital operational resilience
The Digital Operational Resilience Act, or DORA, is now in force. It is designed to address the fundamental threat of cyberattacks and ICT disruptions in the EU financial sector.3 It replaces and improves on the previous patchwork of sectoral rules on ICT risk management, incident handling and resilience testing. DORA also recognises the reliance of financial firms on third party ICT service providers. Where third parties provide critical services, DORA mandates the ESAs to oversee their activities.
DORA will apply across the entire EU financial sector, and so the ESAs are jointly tasked with preparing for its implementation. An important part of this work will be to draft technical standards, bringing the technical precision needed for the new rules to operate as effectively as possible. To this end we have organised ourselves so that all the drafting can draw on the in-depth cross-sectoral expertise among colleagues within the ESAs and NCAs. We recognise the importance of gathering the views of industry stakeholders as an integral part of the process. We will seek feedback via public consultations and have already held the first ESAs public event on DORA.4
DORA sets stretching deadlines for the ESAs to issue these technical standards, which is why we are working so intensively from the outset. A still greater challenge will be to implement DORA once it enters into application, to make the EU financial sector more secure and resilient. The industry and we as their supervisors will have to adapt to many new practices and rules, and we will have to integrate DORA oversight into the existing supervisory processes. In addition, given the fast-changing nature of digital innovation, we will continually need to ensure we have the right supervisory skills for the job. DORA introduces a formal requirement for ESMA and the other ESAs to cooperate with our counterparts internationally to monitor and assess cyber risks. This will help us to further enhance our knowledge and expertise.
There is a lot to do in a short space of time, reflecting the fact that DORA is designed to address critical and urgent threats. I am confident that together at EU and national level we will rise to the challenge, and as supervisors will play our part in building digital operational resilience throughout the EU financial system. Of course, achieving DORA’s objectives will crucially depend on the endeavours of individual firms across the financial sector. We will support the industry as much as possible in this vital effort.
To sum up, when we survey the fronter of innovation in capital markets, we see a complex and fast-moving situation. Digital technology continues to reshape the financial sector, creating new interfaces and new connections between financial entities, consumers and third-party providers. Digitalisation brings many benefits, but also many risks – one of which is growing risk of cybersecurity threats to the financial sector. ESMA is working closely and intensively with the other ESAs, NCAs and other relevant authorities to promote digital operational resilience across the EU financial system.
Thank you for your attention.
1 Source: Desjardins, J. (2019), World Economic Forum in collaboration with Visual Capitalist, includes a forecast of 463 exabytes of daily data production by 2025. An exabyte equals one trillion megabytes.
2 Entry into application is 23 March 2023.
3 DORA entered into force on 16 January 2023 and will apply from 17 January 2025
4The ESAs hosted a public event on DORA on 6 February 2023. For details, seeJoint ESAs public event on DORA – Technical discussion (europa.eu)
Source – ESMA