WP/21/105

Central Bank Risk Management, Fintech, and Cybersecurity

by Ashraf Khan and Majid Malaika

IMF Working Papers describe research in progress by the author(s) and are published to elicit comments and to encourage debate. The views expressed in IMF Working Papers are those of the author(s) and do not necessarily represent the views of the IMF, its Executive Board, or IMF management.

© 2021 International Monetary Fund

IMF Working Paper

Monetary and Capital Markets Department and Information Technology Department

Prepared by Ashraf Khan and Majid Malaika

Authorized for distribution by Jihad Alwazir and Herve Tourpe

April 2021

Abstract

Based on technical assistance to central banks by the IMF's Monetary and Capital Markets Department and Information Technology Department, this paper examines fintech and the related area of cybersecurity from the perspective of central bank risk management. The paper draws on findings from the IMF Article IV Database, selected FSAP and country cases, and gives examples of central bank risks related to fintech and cybersecurity. The paper highlights that fintech- and cybersecurity-related risks for central banks should be addressed by operationalizing sound internal risk management by establishing and strengthening an integrated risk management approach throughout the organization, including a dedicated risk management unit, ongoing sensitizing and training of Board members and staff, clear reporting lines, assessing cyber resilience and security posture, and tying risk management into strategic planning. Given the fast-evolving nature of such risks, central banks could make use of timely and regular inputs from external experts.

JEL Classification Numbers: G32, G34, G38, E50, E58, K23, O30.
Keywords: fintech, cybersecurity, central banking, financial supervision, law, technical assistance

Authors' Email Addresses: AKhan4imf, MMalaikaimf

The authors are grateful for input from Ricky Satria, Yosamartha, Ronggo Gundala, Irman Pardede (Bank Indonesia), Ralph Ansumana (Bank of Sierra Leone), Jean Goetzinger (Central Bank of Luxembourg), Roman Hartinger (National Bank of Ukraine), review comments from Ben Norman (Bank of England), Gabriel Andrade (Bank of Portugal), Paul Woods (Central Bank of Ireland), Jihad Alwazir, Herve Tourpe, Bachir Boukherouaa, Gani Gerguri, Sanjeev Matai, Elie Chamoun, Lott Chidawaya, Stephen Swaray, Rudy Wytenburg, Parma Bains, Rangachary Ravikumar, Inutu Lukonga, Tanai Khiaonarong, Ryan Rizaldy, Gabriel Soderberg, Marianne Bechara, Juan Sebastian Viancha, Kathleen Kao, Nadine Schwartz, Victoria Bakhtina (IMF), and data assistance from Marc Engher. Danica Owczar provided invaluable administrative assistance. All remaining errors are our own.

READING GUIDE for IMF Working Paper on Central Bank Risk Management, Fintech, and Cybersecurity

If you are interested in:

1. General discussion of fintech and (central bank) risk management: (sub)sections I, II
2. Specific recommendations for central banks: (sub)section V
3. Operational findings from technical assistance on central bank risk management, fintech, and cybersecurity: (sub)section III.A
4. Findings from IMF surveillance (FSAP/AIV) on (central bank) risk management, fintech, and cybersecurity: (sub)sections III.B, III.C
5. Concrete fintech/cybersecurity risk examples for central bank policies, functions, and organization: (sub)section IV
6. Selected central bank case examples of fintech developments and risk management: Appendix II

CONTENTS

Glossary
I. Introduction
II. Fintech: Definition, Principles, and Risk Management
III. The IMF's Involvement with “Fintech” and Risk Management
A. Technical Assistance: Advice on Fintech in the Context of Risk Management
B. IMF AIV: Fintech, Cybersecurity, and Risk Management References
C. IMF FSAP
IV. Fintech and Central Bank Risk Management: Examples

A. Monetary Policy and four (4) country cases (Indonesia, Luxembourg, Sierra Leone, and Ukraine); 2) Informal interactions on fintech with heads of risk management departments of several central bank members of the International Operational Risk Working Group (IORWG); 3) Participation in the EU's Fintech Risk Management Project;[4] and 4) Findings from the IMF's Article IV (AIV) database and from selected Financial Sector Assessment Programs (FSAP). Section II will provide a definition and overview of “fintech” and related developments relevant for central bank risk management.
Next, Section III will examine to what extent IMF technical assistance by MCM Central Bank Operations and ITD/Digital Advisory, as well as IMF surveillance has covered possible links between central bank risk management, fintech, and cybersecurity. Building on this, Section IV analyzes in more detail how specific fintech developments affect central bank risk management (focusing on strategy and policy risk, as well as operational risk). Finally, Section V draws conclusions and recommendations for central banks to consider. Appendix I lists relevant risk management details of the Bali Fintech Agenda (BFA); Appendix II provides several country case examples.

II. FINTECH: DEFINITION, PRINCIPLES, AND RISK MANAGEMENT

Fintech, in the definition of the Bali Fintech Agenda (BFA), relates to “the advances in technology that have the potential to transform the provision of financial services spurring the development of new business models, applications, processes, and products.”[5] Similarly, the Financial Stability Board (FSB)[6] defines fintech as “technologically enabled innovation in financial services that could result in new business models, applications, processes or products with an associated material effect on financial markets and institutions and the provision of financial services.” Both definitions cover the extensive use of data by (and technological advances to) financial services, and leverage the explosion of Big data on individuals and firms, advances in AI/ML, computing power, lowering capital cost, cryptography, distributed computing and the reach of the Internet. The strong complementarities among these technologies give rise to an array of new applications touching on services from payments to financing, asset management, insurance, and advice. This creates the possibility of entities driven by fintech emerging as competitive alternatives to traditional financial intermediaries, markets, and infrastructures.[7]

Fintech-related technologies have broad effects on a range of financial services. Figure 1 below demonstrates how AI, Big data, Distributed Computing, cryptography, and mobile access internet influence financial services from payments, to saving and lending, risk management, and financial advice (the latter could include components of consumer protection and financial inclusion as well).

Figure 1. Major Technologies Transforming Financial Services
Source: IMF, 2017, Fintech and Financial Services: Initial Considerations. IMF Staff Discussion Note 17/05. Washington, D.C.: International Monetary Fund.

[3] Due to the confidential nature of those TA cases, the names of the central banks involved are not mentioned. Instead, the paper has used anonymized findings from the TA reports, discussions with, and feedback from the respective central banks as the foundation for this paper. The TA cases took place between 2018 and 2020. The TA missions were all led by IMF HQ staff from MCM and ITD, and comprised external experts on risk management, strategic planning, governance and organization, from various central banks.
[4] See fintech-ho2020.eu/. Staff from MCM participated in several meetings of the EU Fintech Risk Management Project, and engaged with participants (academic institutions, central banks, financial supervisors, and fintech firms).
[5] BFA, p. 12.
[6] fsb/work-of-the-fsb/financial-innovation-and-structural-change/fintech/#:text=The%20FSB%20defines%20FinTech%20as,the%20provision%20of%20financial%20services.
[7] IMF, 2017, Fintech and Financial Services: Initial Considerations. IMF Staff Discussion Note 17/05. Washington, D.C.: International Monetary Fund.

Risk management has been identified as relevant to fintech developments.
The IMF/WB Bali Fintech Agenda (BFA)[8] highlights the necessity for central banks and supervisors to examine risk management components of fintech. BFA Principle IX (Ensure the Stability of Domestic Monetary and Financial Systems, see Appendix I) stresses that fintech “offers central banks the opportunity to explore new services, while having to consider new risks.” It focuses on policy aspects relating to Central Bank Digital Currencies (CBDC), payments systems, as well as financial stability aspects, including the lender of last resort-role of central banks.

The BFA includes a specific focus on risk management of fintech. Principle X (Develop Robust Financial and Data Infrastructure to Sustain Fintech Benefits, see Appendix I) stresses that “effective governance structures and risk-management processes are important to identify and manage risk associated with the use of fintech. The greater reliance on such technologies leads to new operational risks and more interdependencies among service providers that may threaten the operational resilience of financial and data infrastructures.” This includes risks related to outsourcing, as Principle X refers to third-party service providers, and the fact that many of these providers “fall outside the regulatory perimeter,” which would require “increased emphasis on managing operational risks and ensuring robust outsourcing arrangements.” These risks may reach such significant levels that they require the development of a specific vendor risk management framework.

Principles IX and X are focused on fintech-related risks for financial institutions. However, the risk management aspects of the principles hold for central banks to a large extent as well, as the next sections will explore.

III. THE IMF'S INVOLVEMENT WITH “FINTECH” AND RISK MANAGEMENT

The IMF has been involved with “fintech” over the past decades.
Though the concept of “fintech” was not necessarily used as such, much of the IMF work in surveillance, policy development, and technical assistance relates to technological developments in and of the financial sector, including of central banks and their risk management.[9]

IMF technical assistance (TA) covers all the areas that the IMF works on. As noted, this paper looks at TA provided by the IMF in the context of central bank operations (central bank risk management, governance, internal organization, and cash currency management) and digital advice (in particular, cybersecurity).

[8] IMF/WB, 2018, The Bali Fintech Agenda. IMF Policy Paper. Washington, D.C.: International Monetary Fund.
[9] The IMF, of course, also assists countries by providing financial support through loans. As part of these lending operations, the IMF's Finance Department conducts Safeguards Assessments. The Assessments examine, i.a., the internal control framework (including risk management) of the central bank. However, given the highly confidential nature of Safeguards Assessments, this paper does not look at possible fintech and cybersecurity findings based on Safeguards Assessments.

The paper also examines IMF surveillance findings. Surveillance involves the IMF monitoring risks to domestic and global stability. The Fund does so by means of consulting with its member states, which is often referred to as the Article IV (AIV) discussions. These discussions with country authorities focus on exchange rate issues, monetary, fiscal, and regulatory policies, as well as macro-critical structural reforms. Lastly, the IMF also gauges stability and soundness of the financial sector and assesses the financial sector's potential contribution to growth and development.
The IMF does so by means of its Financial Sector Assessment Program (FSAP), of which selected findings are also presented in the paper.

In these three modalities (TA, AIVs, FSAPs), attention for fintech and cybersecurity, and to a certain extent (central bank) risk management, is visible and made concrete, as the following subsections will highlight.

A. Technical Assistance: Advice on Fintech in the Context of Risk Management

TA by MCM and ITD on fintech and central bank risk management has increased since the publication of the BFA. In the period 2018-2020, MCM (in several cases together with ITD) provided central bank risk management TA, as well as bilateral advice to and discussions with central banks in all regions of the world, with a distinct fintech focus. As Figure 2 shows, most TA and informal interactions in the period 2018-2020 on fintech and central bank risk management took place with central banks in the European and Middle East and Central Asia regions, and on the topics of (1) central bank risk management in general (including Business Continuity Management, BCM), followed by (2) fintech organization (i.e., relating to the central bank's internal organization of fintech-related activities, for instance, by considering the setting up of a dedicated fintech unit), (3) central bank cybersecurity, and, in two cases, (4) developments of digital payments in the context of central bank risk management and cash currency management.[10]

[10] Of course, this is not indicative of IMF TA on digital payments separate from central bank risk management.

Figure 2. Central Bank Risk Management, Fintech, and Cybersecurity
Source: authors.

The main categories of questions raised by the respective central banks related to the following fintech components (see Figure 3 below):

Figure 3. Main Fintech Issues Discussed in the Context of IMF Risk Management TA
Source: IMF staff.
[Chart labels: regions WHD, EUR, MCD, APD, AFR; topics Fintech Organization, Risk Management (general)]

and b) Early security assurance research/activities for fintech adoption. RMD 6-18 months
Source: IMF.

Table 2. Example: IMF TA Recommendations on Central Bank Strategic Planning, Risk Management and Cybersecurity

#: 1
Theme: Strategic Planning
Recommendation: Appoint central bank nonexecutive members (and provide support for their nonexecutive responsibilities), in line with IMF Safeguards Recommendations.
Actor(s): Governor to highlight the necessity
Time Frame: asap

#: 2
Recommendation: Adjust the Strategic Objectives to express how the central bank intends to deliver the priorities in the Strategic Plan. Undertake a thorough review of the strategy planning and monitoring procedures based on the information shared by the mission and re-consider what strategic planning information is made public.
Actor(s): Governor (sponsor), Risk Management Dep