Fintech 2024

Critical Areas for Product Development and Regulatory Advocacy in 2024 and Beyond

Last year was the fifth anniversary edition of this practice guide, which meant an essay summarising where we had been and peeking into the future. It is still available here so you can see if any prognostications have become reality yet. It also includes links to all prior essays so you can evaluate my thinking on a more overarching basis.

This year, a review of critical areas where fintechs should focus their regulatory advocacy efforts seems in order. There is a natural tension between the goals of fintech and the goals of regulators. This tension is good! It forces fintechs to remember “first principles” such as customer/consumer protection, market integrity, operational excellence and cybersecurity. The tension also forces regulators to understand that there are many ways to accomplish those first principles goals and that technology continues to evolve and be used creatively to provide goods and services used in all areas of commerce, recreation and communications. There are often many ways to achieve a goal and no one alone – not a single company or a single regulator – should be in the business of deciding what is best for everyone else. The flowering of different methodologies more often than not recognises the different preferences that different segments of the market have. Yes, that is a lot of “different” in one sentence in order to drive home the point.

Even if we all agree on first principles (I suspect we do not), there are second and third order principles to consider as well. Below, this essay will highlight a number of areas I consider critical for all fintechs to consider as they work on product development and have conversations (formal or informal) with regulators and policy makers. You may have other thoughts and I would love to hear them, so please reach out on LinkedIn for a conversation.

How should the law treat assets created by code?

Blockchain solves three hard problems in computer science:

• how to get a disparate group of computers to agree on a common dataset;
• how to create digitally unique items; and
• how to establish and transfer ownership of digitally unique items.

The difficulty of these problems should not be underestimated; computer scientists since the 1960s discussed them and tried to find solutions (or improve on the existing solutions to the first problem). The Satoshi Nakamoto White Paper provided the most elegant solution to all three: blockchain. And since its arrival, computer scientists and others have continued to iterate on that original solution, bringing us the multitude of blockchains, smart contracts and other developments that we see today.

The sensible token classification system I developed and wrote about in the 2022 edition of this essay fleshes out how the solving of the second and third hard problems has resulted in a world full of crypto-assets and how to categorise them. The term “tokenisation” is used most commonly to describe the process of creating a “crypto-asset” digital representation of something (asset, item, bundle of rights, etc) on a blockchain.

The result is a technology that allows us to create assets by using just code and no other inputs. The token did not exist yesterday and now, through the launch of the blockchain or smart contract, staking, mining, or other means, it comes into existence, completely new.

How should the law and regulation treat these new creations? We might look by analogy to concert tickets. Beyoncé or Taylor Swift decide to go on tour and tickets are created from nothing. Non-fungible tokens (NFTs) might be the best way to create those digital tickets. But the concert ticket only gets us so far because on the blockchain the asset might not have a single creator due to the distributed nature of the consensus mechanism. Indeed, the word “create” might not even be the right one because programming and launching code might not be the act of “creating”.

This question is as important as the question in last year’s essay about how to regulate autonomously functioning code. We are in an era where software functions on its own. We do not have good legal or regulatory frameworks for autonomously functioning code or for the spontaneous generation of assets on-chain. As artificial intelligence (AI) continues to expand in capabilities, there seems little doubt that it will start generating items on the internet out of nothing more than code.

Tech company versus financial services company

Today, all financial institutions are technology companies. There is no getting around it. I have been making this point for 20 years, and pretending otherwise is not sensible. As my very first essay for the very first Fintech Global Practice Guide explained when defining “fintech”, it really encompasses just about everything that financial institutions do because all of their activities use technology.

This paradigm should prompt us lawyers to ask whether the fact that a company provides financial services with technology instead of some other type of services should result in differing treatment from a legal and/or regulatory standpoint. The answer to this question might lead to differing standards for software development, different levels of responsibility for technology implementations and updates, and differing liability when things go awry. By and large, regulators and policy makers have enforced such a difference, through requirements on regulated entities to register and be examined, to implement policies and procedures around their software development and technology deployment, and in particular anti-money laundering regulations, which predominate anywhere financial instruments and payments can be found.

This distinction is starting to crack in several ways. First, financial regulators and supervisors have long arms that reach into technology providers who do development and deployment for regulated financial services firms. Second, anti-money laundering standards are starting to apply to a broader range of businesses, not just financial institutions and financial instruments. Third, privacy standards that began in financial services are also expanding to many more businesses (or, in the case of Europe and the GDPR, all businesses).

These trends probably impact traditional tech companies more than traditional financial institutions. But they are exacerbated as more and more types of trading and markets appear on the internet, driven by gaming, DeFi (decentralised finance) and other technologies. The solutions are not readily evident because the legal and regulatory frameworks do not fit comfortably with the way the law has developed for technology providers, who can, for example, disclaim most or all liability for malfunctions, something financial institutions cannot do. Without input from both tech and financial services, regulators are unlikely to converge on workable solutions.

Access to markets

The internet is making all markets into online marketplaces. Tokenisation of assets on blockchains (that is, the creation of a digital representation of an asset via blockchain technology) is accelerating this process. Without physical boundaries and trading floors, not only do assets trade on a worldwide basis but all asset types can trade in the same place (on the same exchange, whether centralised or decentralised).

This development will have many implications, not least of which is how to think about market integrity, which includes ensuring that all peoples who want access to a marketplace can get it. These cross-border, cross-asset markets defy traditional notions of trading venues. They should also prompt regulators and others to think about the major permissioning question: should we allow sandboxes that are created by technology where people can take their own risk? Before you put a pre-emptive halt to this line of inquiry, remember that although we place limits on people’s access to markets in financial instruments, the same is not true for many other types of items, such as collectibles. In both examples, people stand to lose money and often in great amounts (at least as a percentage of their wealth).

Market integrity is a larger topic and I participated in a small way in the initiative by Gibraltar to develop market integrity principles for these global, multi-asset markets and their intermediary participants. You can read that principle and the others here. As these markets develop, more thought should be given to their integrity.

The primacy of privacy

Sometimes it seems like privacy is like the weather: lots of people talk about it but nobody does anything (apologies to Mark Twain). To some, it seems like an obvious first principle. Others barely give it a thought. The 2021 essay argued that financial information should be treated like all other financial assets and kept under proverbial lock and key, to be taken only with explicit consent each time or due process (a concept from the US Constitution that has equivalents in many jurisdictions).

As encryption and technologies like zero-knowledge proofs improve, there will be better and better ways to maintain digital privacy and anonymity. But governments and others might have a legitimate interest in pushing back the veil to see and/or use that information. Even the person using those technologies for their own privacy might lose the ability to see and/or use the information and need a means to recover it. There is a balance to be struck.

Not many people seem to be working on that balance. Rather, the absolutists on both sides hold sway, at one end arguing that privacy should bend to all government needs, especially law enforcement (including anti-money laundering) and national security (including countering terrorism) and at the other claiming that privacy and anonymity are one and same (and inviolate).

There may not be a simple solution, which is why we need lots of product development focused on privacy and access to information so that managing these issues can be calibrated to different situations. I envision a dial that lets a person adjust their privacy in accordance with chosen gradients to fit the circumstances.

These questions become even stickier as AI becomes hungrier for data and inputs. One of the main reasons I still start everything from scratch myself is that I do not want to divulge information that becomes inputs to AI and used for who knows what purposes. I would rather it just scrape the finished product!

There is a temptation to think of product development and policy advocacy as entirely separate functions within a company. This is a mistake. New products and services can offer solutions to policy problems without the need for new laws and regulations. And as technologies continue to advance, the ability to fine-tune and allow users to create their own customisation improves. Let us try to build together.

***

This article has been written in Lee A. Schneider’s personal capacity and reflects only his personal views and not those of Chambers and Partners, Ava Labs or anyone else. The author’s views do not constitute legal, investment, tax or any other type of advice.