Erik Thedéen: FinTech and cyber threats – what impact do they have on financial stability?

The rate at which household debt is increasing has slowed the past three years. The two amortisation requirements that FI introduced contributed to this change. But the low interest rates entail risks. The debt of commercial real estate companies has been increasing sharply, and the banks have large exposures to the sector. FI decided today to raise the capital requirements for bank loans for commercial real estate. Erik Thedéen also noted that cyber threats are a challenge facing society as a whole, and cooperation is needed on a broad front.

  • Date: 2020-01-28
  • Speaker: Director General Erik Thedéen
  • Meeting: Public hearing in the Committee on Finance regarding financial stability

Erik Thedéen participated on 28 January in the public hearing in the Committee on Finance regarding financial stability. The hearing focused on the current status of financial stability and the potential impact of FinTech and cyber threats. Participants in the hearing included not only Erik Thedéen but also the Minister for Financial Markets and Housing Per Bolund, the Governor of the Riksbank Stefan Ingves and the Director General of the Swedish National Debt Office Hans Lindblad.

Introduction

Financial stability is key for the Swedish economy, and at Finansinspektionen (FI) both the change in the potential threats to the financial market and the pressure on the market to change have led us to adapt our method of working and our priorities.

Before I go into our view on financial stability, I would like to clarify something about FI's supervision. We have recently received criticism for what we call "communicative supervision". This criticism is based to a large extent on misunderstandings and misinterpretations. Let me explain.

A fundamental aim of FI's supervision is to ensure that financial firms follow regulations. These regulations are designed to achieve the goals of financial stability and good consumer protection. The best measure of effective supervision is therefore compliance with the rules. Communicative supervision must be viewed from this perspective. A prerequisite for being able to do things in the right way is knowing what the rules are. Communication aims, in other words, to explain what the rules mean and what FI expects from the firms. Since this decreases the risk of non-compliance with the rules, it helps achieve the goals of the supervision. It is thus a supplement to regular supervision. This aim is well-summarised by the Swedish Tax Agency's motto, "it should be easy to do the right thing," for paying taxes.

This method of working with communication and dialogue has existed for a long time, and it is an established working method among supervisory authorities around the world.

What is new is that FI has begun to use more channels to reach out to the firms. FI introduced consultation and decision memorandums a decade ago to explain what FI wanted to achieve through its regulations and general guidelines. This has progressed to the publication of "Q&A" on FI's website to guide firms applying for authorisation. Another channel is our FI Forums, which are public meetings (that can also be streamed online) at which FI's experts present new regulations for the institutions' experts. One example of this is when we held an FI Forum in February 2019 on how to apply the exemptions from the contingency mechanism (PSD II). The exemptions are complex, and we provided information about, for example, how to apply, what the processing procedure was like, and what conditions needed to be met. We also publish supervision reports with observations from our supervision that we want to share with all institutions so they can adapt their behaviour. There is no drama in this.

Our critics have also asserted that FI replaced its normal supervision and sanctions with communicative measures. If this were true, it would be dramatic, but it is incorrect. Functional supervision includes both. If a supervisory investigation indicates serious deficiencies, FI is obligated to intervene with a sanction, in other words take legal action against the institution. This occurs also – just like before – in accordance with regulations and under the rule of law. But this does mean that it is always easy to decide which measures are appropriate, not only in terms of the choice between a closing letter and a sanction, but also, if the choice falls to the latter, which sanction is appropriate. But who has ever said that financial supervision is easy?

To put it briefly: Compliance is the aim of supervision and thus the measure of success. And in this work, both communicative supervision and regular supervisory investigations – with and without sanctions – play a natural role.

Status of financial stability

Let me now talk about financial stability. In FI's financial stability report in November, we stated that the economy is slowing and interest rates are expected to remain low for a while. The marginal increase we have recently seen in market rates does not change the fact that interest rates are exceptionally low. These low interest rates have contributed – and will continue to contribute – to upward pressure on both asset prices and debt. FI therefore has needed to react to mitigate the risks associated with increasing indebtedness. This work has borne fruit, and the rate at which debt is increasing has slowed and is 6.5 per cent instead of 8.1 per cent at the peak in 2017.

The most important driver behind this slow-down is that the rate at which household debt is increasing has slowed over the past three years. The two amortisation requirements that FI introduced contributed to this change. The households subject to the amortisation requirements are buying slightly less expensive homes and amortising a little more. A healthier amortisation culture has been established. This is good for resilience and stability. The pressure from low interest rates remains, however, and in the autumn the increase in house prices began to pick up speed again. There is a risk that rapidly rising house prices will block weak groups from entering the housing market and force more home buyers to take on excessively large loans. In other words, there continues to be cause for FI to monitor the development of household debt.

But even if the amortisation requirements helped slow the growth in lending to households, the low interest rates are creating challenges in other areas. For example, the debt of non-financial firms has increased more rapidly in recent years, in particular for commercial real estate firms. The major banks have large exposures to real estate firms; they constitute 16 per cent of the banks' lending to the public. At the same time, the real estate sector is sensitive to the interest rates. It is our assessment that the major banks' resilience to risks associated with lending to the commercial real estate sector must improve. FI therefore decided today to raise the capital requirements for bank loans for commercial real estate as previously communicated. The measure is expected to increase the major Swedish banks' capital requirements by between SEK 4.5 and 5 billion per bank. This can be put in relation to the major banks' total capital requirements, which amount to around SEK 120–150 billion per bank, and their profit, which amounted to around SEK 20 billion per bank in 2018.

Another area where the challenges from low interest rates is also visible is pension companies. The financial position of these companies is current stable, but they are facing major challenges from the low interest rates, which in the long run could threaten their financial strength.

Low interest rates make it more difficult for companies to generate the return they need to be able to fulfil the guarantees pledged to future pensioners. In order to achieve a return that corresponds to their financial guarantees, they may be tempted to take greater risk and hope that, for example, shares will give a high return. However, high risk means that the assets also can fall more in value. If this happens, weak companies may find themselves in a position where they cannot fulfil their promises. There must therefore be a link between how much capital the companies are holding and the risks they are taking.
The interest rates that are currently being used to calculate how much capital needs to be set aside today to meet future commitments contain assumptions that long-term rates are significantly higher than the current market rates. There is therefore a risk that not enough is being set aside for future commitments, which could lead to lower pensions in the future.

It is sometimes said that we do not need to pay much attention to the risk of rising interest rates since most experts appear to agree that interest rates will remain low for a long time. And it is then natural – and not very risky – for debts to increase and actors to take large risks. But we cannot predict the future. A few years ago, not many experts predicted the low interest rates we are currently experiencing. The point of departure for FI's measures must be to protect financial stability even if the unexpected occurs. We must build resilience in the financial system. Because there one thing we know for sure – that unexpected events will occur in the future as well.

FinTech and cyber threats – what impact do they have on financial stability?

FinTech and cyber threats are important and complex areas that change quickly. We see new and growing risks linked to financial stability.

The ongoing transformation within the financial market related to innovation and FinTech are impacting FI's goals and assignments in a number of ways. From a consumer perspective, simple and cheap solutions that meet the needs of consumers are positive.

But innovations can also be fuelled by new actors who are seeking to conduct similar activities as the banks but without being regulated like a bank. They are therefore circumventing the aim of the regulations to some extent. This can be problematic from the perspectives of financial stability, money laundering, and consumer protection, and we therefore need to be on our toes.

For the established financial institutions, new actors' financial services could mean greater competition for, for example, deposits from households and firms. Greater competition is fundamentally good since it gives customers access to better and cheaper services. However, there are also challenges and risks. One example is greater competition on the market for deposits. Because deposits are an important, and normally stable, source of financing for the banks, the increased competition and mobility introduces risks for financial stability. This may mean that banks will rely more on market funding, which increases their sensitivity to market shocks, but it may also mean that it will be easier for banks' customers to withdraw their money and move it out of the banking system. This increases the risk for a run on the banks as well as potential liquidity issues in the banking sector if the market's confidence in one or several banks were to fail.

Major Swedish banks currently have satisfactory resilience, which in part is driven by good profitability. FinTech may challenge the banks' business models. This leads to greater competition, which can be good for consumers, but it can also make the banking sector less profitable. It is therefore important for banks to maintain satisfactory resilience to counterbalance reduced profitability.

FinTech is both a consequence of and a driver behind today's digitalised financial market. Digitalisation is fundamentally positive, but it is also associated with new risks for the financial system. Sweden is a forerunner in terms of innovative firms that are enabling digitalisation of previously manual processes in society. This is good, but it also creates challenges since sometimes we have no one else to share our experiences with. One example is the lower use of cash in Sweden compared to many European countries and how to handle the increased risk of not having a means of payment if the digitalised payment system were to fail. Another critical risk is that the cyber attacks against financial firms are increasing in both number and sophistication. Financial institutions are subject to constant intrusion attempts, overload attacks, and other types of fraud in which various actors attempt to sabotage financial services and steal, manipulate or spread sensitive information about the institution and its customers.

Cyber attacks are a threat to financial stability largely because the financial markets and firms are closely interconnected, for example via transaction handling and dependence on the same infrastructure. A problem for one market participant can quickly become a problem for all market participants.

There are a number of reasons why cyber threats augment this risk. The most important is that financial services as a whole are dependent on technological systems that are globally interconnected, and these systems are often highly complex, not very transparent, and to a large extent reliant on the internet. The same technological solutions and software are also often utilised. In other words, technological development makes an already strongly interconnected financial system even more interconnected.

Cyber incidents can arise with short notice and potentially affect many activities at the same time. It can also be difficult in any given case to determine when, where, how and why the shock occurred.

Most experts appear to take the position that the risk of systemic attacks primarily comes from state-sponsored actors and established organised crime, which could use cyber attacks against critical infrastructure for a greater intent. Qualified experts also have different views on the extent to which cyber threats are actually a systemic threat. However, there is no doubt that FI and other competent authorities need to continue to develop their understanding of how this risk is developing.

While cyber threats have increased, though, the situation is not overly pessimistic. Knowledge has increased among both financial institutions and competent authorities. Investments and other measures taken with the intention of increasing resilience are also being made. Here, it is important to emphasize that the financial institutions themselves are responsible for adequately protecting themselves against cyber attacks and having the ability to handle a situation in which a cyber attack occurs. The institutions also face strong incentives to ensure that their own business can continue, but it is not clear if they fully consider the effects on the financial system as a whole.

This is where FI comes in. FI's role is to contribute with a systemic perspective – to move the emphasis away from the individual institution and consider the entire financial market – to secure financial stability. For example, this can mean mapping the dependence on third-party and cloud service providers, thus being able to identify concentration risks where many financial institutions are dependent on a single provider.

It can also mean identifying activities that are needed on a general level to promote the entire financial system, for example the need for enhanced operational cooperation between financial institutions in the event of incidents and attacks.

No system is stronger than the weakest link in the chain. This is why FI also performs risk-based supervision of individual financial institutions' operational risks, and IT, information and cyber risks in particular. This means identifying on a broad scale how multiple institutions manage specific information and cyber risks, but also conducting targeted investigations into individual institutions and holding regular bilateral meetings in the ongoing supervision that focuses on with how the institutions manage risks, deficiencies and threats and how they plan to handle incidents. At the same time, we must be humble. Cyber attacks are a serious threat that is highly prioritised, and we are working to build up capacity for handling this challenge. But this is a large and complex assignment.

At the same time, I want to once again emphasise that the actual work for cyber security must occur at the financial institutions. FI's role is to monitor that the institutions are being responsible and doing what is necessary. For this purpose, communication in the supervision is an important means. By supplementing institution-specific investigations with, for example, public supervision reports, FI Forums, and the publication of information on fi.se, FI can guide institutions and show them what is expected. This enables us to have a broad and direct impact on the sector. And if we find serious deficiencies, we naturally will not hesitate to impose sanctions.

There are several challenges related to the ongoing transformation of the financial market and the increasing threat of cyber attacks. One significant challenge is that cyber threats are not specific to the financial market. Instead, we are seeing that all key sectors in the society are exposed, and that the threat is increasing. FI's supervision targets financial institutions, and we are working to ensure that financial institutions will cooperate at an operational level regarding incidents and attacks. But financial institutions, in turn, use different suppliers, for example for cloud services. Cyber attacks against suppliers – who are active in a completely different sector in the economy – can therefore cause problems in the financial system. This is thus a much bigger matter, and cooperation is needed both internationally and nationally between various authorities and sectors as well as in collaboration with the Government. We are all dependent on one another, and a holistic approach is required in the work to prevent cyber attacks. Internationally, FI is participating in the work on these matters in, for example, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA). In these forums, we are producing common European regulation for cyber risks and exchanging knowledge and experiences within this area. Nationally, the cooperation occurs within the framework of the Financial Sector's Private/Public Coordination Body (FSPOS). We also support the Government's initiative to establish a national cyber security centre and look forward to a partnership. To the extent that new legislation or resources are required, the Parliament also plays a key role in the important work to make Swedish society more robust.