The Future of Regulation in the Digital World

Technology adoption and digital innovation have revolutionized the current commercial environment – from driverless cars and drones delivering goods to digital payments, innovation is pushing ahead at a significantly faster pace than regulation.

Regulators in the financial services industry have indicated that they do not wish to stifle innovation from financial technology (fintech) companies, but equally they acknowledge that new risks are created with new products and systems. The big question supervisors and lawmakers need to address is whether more regulation is required or whether current regulation is sufficient to respond to new digital business models, and when it should be applied in an ever-changing and expanding marketplace.

Historically, in the financial services sector, regulators have stepped in only after a watershed moment has occurred, to prevent a repeat of specific events. Regulation needs to be more future-looking in this rapidly changing environment, but it also needs to strike a careful balance between “stifling innovation” too early in the process and ensuring that risks are managed in a way that enables the industry to flourish.

Regulators need to balance protecting consumers with enabling effective and efficient markets to operate for the benefit of those same consumers and the broader economy. Over-regulated markets stifle competition and create barriers to entry. New entrants may not be willing to launch their innovative and disruptive ideas if there is little profit to be made.

The alternative though is an unregulated market where the harm to individual consumers can significantly outweigh the benefits gained from innovation, or where the lack of regulation creates a barrier in itself due to issues associated with the establishment of trust between counterparties.

Consider the driverless car industry as an example. Applying too much regulation at the early stages of its development could result in increased costs that make it prohibitive for new market entrants to pilot their ideas and bring solutions to market quickly.

However, with inappropriate controls and safety measures in place, the industry as a whole may suffer a lack of confidence if serious safety concerns are not addressed early in the product lifecycle. Rather than introduce new regulation specifically targeted at driverless cars, the car industry’s well-established safety measures, regulatory guidelines and standards on road safety could be adapted and updated to consider risks associated with the new digital technologies coming to market.

In the financial services sector, the peer-to-peer lending market in the UK is another great example of an innovative and disruptive business idea that has grown rapidly by achieving an appropriate balance between protecting individual consumers, and helping them to better understand the risks associated with their engagement with the market. While regulation was very light touch to start, this industry was rapidly put back into control as it grew through new entrants and consumer demand.

In the UK, consumers are highly protected already, but regulations do need to evolve with shifts in the market. One case in point is the emergence of the payday lending industry several years ago, which was followed by changes in regulation forcing firms to better assess affordability and to curb some of the more extreme excesses associated with this business model. This has now led to significant adjustments to how short-term credit is provided and the demise of a number of firms operating in this space.

There have been other failures, such as the PPI scandal in the UK. Although digitization and innovation cannot be blamed for this specific case, it does highlight that many products in the financial and digital world are now virtual as opposed to physical.

Another key area for consideration is the thorny subject of data privacy and data protection. Often consumers are giving away significant personal data to third parties with whom they have a tenuous relationship, in exchange for mobile entertainment (free mobile apps) or digital services, or as a result of purchasing goods via digital channels. This data enables the consumer to be located in the physical world and to be targeted for follow-on promotional activity, as well as potentially becoming available to others for more nefarious uses.

Data such as postal address, email address, date of birth, payment card details, internet behavioral patterns etc. are all extremely valuable, and consumers are right to be concerned about how their data is used beyond the original transaction. Regulations already exist in relation to data privacy and data protection and work is ongoing to strengthen existing provisions – most notably in relation to European regulations and the General Data Protection Regulation (GDPR).

The global payment card industry has established a clear set of data security standards (PCI DSS) for payment details, which are enforced through commercial penalties and contractual liabilities. These have been in place for around 10 years, with compliance actively monitored through annual assessments undertaken by qualified assessors. Most other regulations do not come with this level of active monitoring.

Global application of this regulation, which emerged directly from the industry itself as opposed to direct government intervention, also represents an interesting case study in how the interests of both consumers and industry participants can be addressed when reduction of losses through fraud prevention acts as a focal point.

Despite the fact that many financial services companies feel that they are subject to much higher levels of external scrutiny, this isn’t necessarily reflected in the effectiveness of the internal controls they have established. Few organizations are likely to be able to state with a high degree of confidence that they meet all of the obligations of the current data protection rules.

Lack of a requirement for independent assessment in this area by regulators is undoubtedly a factor here, as is the level of penalties associated with breaches. The benchmark is about to be raised much higher, however, in relation to GDPR, and the penalties that could be applied will be much more significant. Organizations will therefore need to focus on this or suffer the consequences in terms of penalties impacting their bottom line. Those organizations embarking on digital transformation programs need to ensure that they have factored in data privacy considerations at an early stage, or they may find data privacy becomes a significant disruptor to their business model.

The level of consumer protection supplied by regulation varies massively across industries. Those that have operated in the digital world for some time have evolved mechanisms to establish trust between counterparties through effective identification of individuals and registration of businesses operating in the market. Many that have not are operating like the Wild West, where anything goes and caveat emptor needs to be scrawled in red paint wherever contracts are implied and payments are exchanged.

Consumers need to be able to better recognize the risks they are facing while governments gear up and step in to address the most significant emerging risks where self-regulation proves to be ineffective.

Many of the risks identified above are not new. These risks exist in the physical world to a greater or lesser extent. There is a danger of overreaction and a rush to implement poorly thought through laws and regulations.

Consumers, manufacturers and service providers do, however, need to be better educated about the risks of cross-border transactions and impacts on consumer safety. They need to assess whether existing laws and regulations need to be modified to reflect a changing world, so that existing rules can be extended into the digital world and be enforced across national boundaries in similar ways to international extradition agreements. This will take some time to emerge and become established, in the same way that anti-money laundering regulations have taken some time to promulgate around the globe.

As the digital revolution continues to evolve, companies producing digital products and offering digital services will need to be held more accountable for failures that occur in the products and services provided to consumers. This is of particular importance if those products impact the safety and general rights of consumers, such as the developers of software on driverless cars.

While regulations exist in different industries to protect consumers in many situations, they will require further consideration to reflect the new risks to consumers in the digital world and will need to be updated accordingly. This is not a revolutionary change, but it is evolutionary and will require attention from lawmakers and regulators.
