Can Regulators Keep Up with Innovation?

Michael Magrath, January 20, 2022

Disruptive technologies like AI, cryptocurrency, biometrics and blockchain have taken the world by storm, but fintech regulations have struggled to keep pace. While technological advancement is often propelled by the private sector — such as big tech, startups and venture capital funding — regulatory change is constrained by lengthy and convoluted legislative processes.

Although the growth of these innovative technologies is exciting, the absence of regulatory clarity can have grave consequences, from the legal to the ethical. Criminals have taken advantage of rapid digitalization — which opens more attack vectors — to carry out fraud, which has soared amidst the COVID-19 pandemic and its accompanying shift online. Unregulated AI and biometric technologies can facilitate racial discrimination and illegal surveillance, and the cryptocurrency industry, which operates in a regulatory grey area, is rife with fraud and scams.

Meanwhile, banks struggle to navigate this complex and ever-changing landscape. The adoption of innovative technologies will boost banks’ profits, attract new customers and spur competition, but it must also be met with appropriate cybersecurity, data protection and anti-money laundering standards.

As AI Funding Surges, AI Regulation Lags

Nowhere is this clash between speedy innovation and regulatory change more evident than the case of AI, one of the world’s fastest-growing industries. According to a report by the Organization for Economic Co-operation and Development (OECD), AI startups received over $75 billion in venture capital funding in 2020.

By 2030, PwC predicts that AI could contribute $15.7 trillion to the global economy, with China and North America leading the way. The U.S.’s progress in regulating AI has been stalled amidst divergent approaches, however, most notably with the transition from the Trump administration to the Biden administration. Still, 2021 has brought progress. The U.S.’s first AI czar, Lynne Parker, has been tasked with focusing on the societal risks stemming from AI, and the White House’s Office of Science and Technology Policy is seeking to establish a bill of rights for an automated society.

In March, a group of financial regulators issued a request for information (RFI) seeking input on financial institutions’ use of AI, including machine learning. A few months later, the National Institute of Standards and Technology (NIST) issued an RFI soliciting feedback on a draft artificial intelligence risk management framework, a voluntary guidance on strengthening trustworthiness in AI.

Even in jurisdictions with AI regulations already in the legislative process, however, the development of AI technology will continue to outpace regulatory change. The European Commission’s proposed AI regulation seeks to establish a legal framework for the development and use of AI technology through a tiered approach to risk. Like the EU’s General Data Protection Regulation (GDPR), the AI regulation has the potential to spur on global copycat standards, but this could take a while.

The legislation must first proceed through the EU’s ordinary legislative process, an often-lengthy procedure consisting of multiple readings, interinstitutional negotiations and conciliation. Once passed into law, a two-year application period will follow, which would end by 2024 at the earliest. By this time, AI will have already developed exponentially. Even more, the AI regulation has some blind spots. For one, the risk classification scheme covers risks to individuals, not organizations.

Regulatory Uncertainty Continues to Hamstring Cryptocurrencies

Cryptocurrency and blockchain projects are similarly soaring in popularity. 2021 took top cryptocurrencies like Bitcoin and Ether to new highs as people across the world gravitated toward the ease of crypto transactions and the allure of steep returns. Crypto services are often more accessible to unbanked individuals than traditional financial accounts due to remote account opening and fewer regulatory requirements. Crypto can also simplify transactions — especially cross-border ones like remittance payments, which are infamous for being slow and expensive. It is especially popular in jurisdictions with low public confidence in central banking, high inflation and general instability, like Venezuela and Nigeria.

This surge in usage has caused governments to worry about crypto’s role in illegal activity and its threat to monetary authority, but regulatory activity has so far failed to keep up with the rapidly accelerating industry. Regulators have struggled to formulate a cohesive response as priorities clash, legislative processes lag and an influential pro-crypto internet culture continues to encourage investment.

One of the biggest roadblocks to regulation is crypto’s technical architecture — its decentralized and distributed nature makes it uniquely transnational, leaving it difficult for a single jurisdiction to impose regulations. International collaboration and standards will be crucial in establishing an enforceable crypto framework, especially regarding increasingly international crime like money laundering and the financing of terrorism.

Indeed, divergent regulatory approaches have proven confusing and often unworkable. In the U.S., various authorities and states have charged forward in developing crypto regulations, which has created a fragmented approach across the country. The Securities and Exchange Commission (SEC), Internal Revenue Service (IRS) and Commodity Futures Trading Commission (CFTC) have yet to even agree upon a definition for cryptocurrency.

Elsewhere, countries have instituted bans that have proven unfeasible — or at least deeply unpopular. The Nigerian central bank tried cracking down on crypto in early 2021, but investment continued to skyrocket, leaving the state to consider the development of a regulatory framework instead. In April, Turkey banned crypto as a means of payment for goods and services, and investors fear the move is another effort by President Recep Tayyip Erdogan to consolidate power.

This regulatory uncertainty remains the biggest challenge to the crypto industry as firms struggle to understand compliance requirements and balance those with innovation initiatives. In response to increased oversight and regulatory demands, however, crypto investors have been largely undeterred. Many have called for a right to financial privacy or quickly regrouped to find regulatory loopholes, leaving regulators to face even more challenges.

A Handful of Industry Standards Look to Solidify in 2022

Despite the above, 2021 brought a host of new and encouraging regulations to the arena, and 2022 will be a key year as industry standards coalesce. In October 2021, the Financial Action Task Force (FATF) expanded transactional reporting requirements for virtual asset service providers (VASPs), and many jurisdictions have applied AML requirements to VASPs and imposed tax reporting requirements on crypto assets. (Some states, like El Salvador, have taken a more accommodating approach.)

In 2022, the European Commission’s recently proposed Markets in Crypto-Assets (MiCA) regulation and its AML/CFT legislative package will be two to watch. MiCA applies consumer protection and transparency standards to crypto exchanges, while the AML/CFT legislative package seeks to create a more harmonized, integrated approach across the E.U. in addressing financial crime.

As the E.U. is often the globe’s vanguard in setting standards, as it has been with the GDPR, its AI regulation, MiCA regulation and AML/CFT legislative package could be instrumental in laying the foundation for what’s to come. Although the U.S. is increasingly keen to regulate AI, will it fall in line with international standards?

Amid interregional and international efforts to standardize approaches to anti-money laundering and data protection, the United States has lagged in its digital identity and data protection standards.
Social Security numbers cannot be digitally linked and are susceptible to fraud. The REAL ID Act of 2005 has still not been fully implemented. The Department of Homeland Security (DHS) has repeatedly delayed the implementation date (the newest deadline is May 23, 2023), and states have battled technical glitches and miscommunication.

Some have even shown hesitancy to implement federal law, highlighting a long-simmering tension in the American federal system. And without adequate and comprehensive data protection standards, digital identity initiatives are fraught with privacy concerns. Indeed, although the rest of the world has rushed to emulate the E.U.’s GDPR, the U.S. has yet to enact a national data protection framework.

A few states have passed data protection laws, influenced in part by the GDPR, and other state laws are in the legislative process. As fraud and financial crime become progressively sophisticated — and the world more globalized and digitalized — the U.S. must cultivate multilateral ties, adopt digital identity and data protection standards and more readily support firms burdened by compliance requirements.

Meanwhile, banks are left to navigate the delicate tension between digital transformation and an ever-changing regulatory environment. According to our October 2021 research findings conducted by Arizent, on behalf of OneSpan, 48 percent of bank leaders and executives report that industry regulations have slowed progress in banks’ digitalization. Smaller banks especially struggle with compliance.

On the other hand, banks are readily adopting innovative technologies like digital remote identity verification and biometrics for compliance purposes. Going into 2022, compliance and emerging technologies are still top of mind. Banks in the U.S. are principally concerned about digital currency, while banks in France and the U.K. are most concerned about compliance with AML requirements.

As the technology and financial crime landscapes undergo fast-paced developments, regulations and standards will have to constantly evolve to accommodate these changes. What can banks do to ensure compliance?

Our recent research also found that 55 percent of the respondents report that technology providers have been useful in navigating the demands of both innovation and compliance. Furthermore, international organizations like FATF must provide updated guidance, interregional and international organizations must be strengthened, and national governments must make regulatory clarity a priority — from establishing definitions to streamlining previously disparate regulations.

Although the growth of the global digital economy is fraught with challenges, a balanced, methodical and cohesive approach to its regulation is possible. If done well, the positive implications — from tackling ML/FT, promoting financial inclusion and supporting pandemic recovery — are endless.

Top 5 Digital Fraud Prevention Trends and Predictions for 2022

Top 5 Digital Fraud Prevention Trends and Predictions for 2022

Learn the top fraud prevention trends and predictions shaping the 2022 business landscape, including cryptocurrency fraud and AI regulation.

Read More

This article, written by Michael Magrath, VP of Global Regulations and Standards at OneSpan, was first published on CCI on January 6th, 2022.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).