Monday, Sep 21, 2020

Cloud Computing, Banking-as-a-Service, and Open Banking

Outsourcing and data sharing arrangements have the potential to change how financial services are designed and delivered. While these arrangements can provide financial services with opportunities for greater efficiency and competitiveness, they may also increase risks, such as strategic risk.

The CoP discusses the implications of cloud computing, Banking-as-a-Service, and open computing for financial supervisors.

 

Read the full transcript

Salvador Chang:              

Good morning, good afternoon and good evening to all connected to the webcast. My name is Salvador Chang, Program Director of Toronto Center. Welcome to our Webcast today on FinTech Issues for Supervisors, Cloud Computing, Bank-as-a-Service, and Open Banking. This is an invitation from the Toronto Center of FinTech-RegTech-SupTech Community of Practice, TC FRS CoP, which is a community with the objective to exchange knowledge and collaborate on identifying priorities, gaps and solutions from the discussion of content, approaches [inaudible 00:01:05].

The members are policy decision makers and officials who have regulatory or supervisory functions related to FinTech, including payments, eMoney, digital credit, digital insurance, crowdfunding platform, data and market infrastructure, and in the implementation of innovations [inaudible 00:01:25]. If you're one of them and you're interested in being a member, please send me an email.

Today, we're going to be talking about data. Outsourcing and data sharing arrangements, have the potential to change how financial services are designed and delivered. This is a driver behind all sorts of new developments on cloud computing, Banking-as-a-Service and open banking. It's important to understand how these new arrangements bring opportunities for greater efficiency and competition, but on the flip side, how they raise other concerns and risks. We also need to understand their implications on financial supervision.

To discuss all these topics, let me welcome Denise Dias. Denise is a Financial Center expert in the areas of policy, regulation, and supervision. Denise provides regulatory strategy advice to financial firms operating in developing and emerging countries, and technical assistance and advice to financial authorities on innovation, inclusion, consumer protection and SupTech. She's a member of Toronto Center's Banking Advisory Board, and she has acted as a Financial Inclusion Consultant in over 25 countries for international organizations, such as CGAP, The World Bank, the USAID, EADB, UNDP and the Digital Frontiers Institute.

She was a Market Conduct Examiner at the Central Bank of Brazil, where she played a key role in assigning the market conduct [inaudible 00:02:56]. She also held several other positions at the Central Bank of Brazil over a period of 12 years, in the bank supervision and licensing department.

Before passing the floor to Denise, I will just remind you the rules of the webcast. Please write your questions using the chat option that you have, or you can find at the bottom of your screen. Your microphones will be muted, and we will address your questions at the end. The session will be recorded and made available for download. Thank you very much. Well, thank you very much, Denise, and welcome again. I will like to pass the floor to you so we can start our discussion right away. Thank you.

Denise Dias:                     

Thank you, Salvador. Hello everybody. Good morning, good evening, good afternoon. The objective here today is really to raise a few issues. These are pretty much relatively new topics, so we don't have answers for everything. I know a few of you have already experienced with these topics as a supervisor topic, but mostly as a regulation topic. And these markets both cloud computing, Banking-as-a-Service, and open banking, they're still emerging practices in the regulated financial sector, although they might be much more developed especially cloud computing, in other sectors, outside the financial sector.

Today, although we're ... I can receive all kinds of questions I cannot guarantee I can't respond all the questions. And Toronto Center is also going to publish very soon, a paper, Toronto Center Notes on Cloud Computing, and its consequences for supervisors. So, keep your eyes open for that one.

This is our agenda. It pretty limited, supervisory issues in cloud computing. We're going to spend more time with cloud computing, but then just finalizing to raise a few questions, that's Banking-as-a-Service and open banking waves. And then for those who want to stay, we can stay for a discussion, for sharing experience plus sharing questions.

I'm not sure you can see actually my whole screen, is that fine? So, where is this all coming? It's part of this whole FinTech developments that we're seeing across the world. It's really on the core of everything. It's really about unlocking the potential of digital data. And today financial services are not any more limited by financial data. So, financial services are using a whole range of data that is available out there and especially on the internet, but not only on the internet.

So it's about unlocking the potential of data for market development, for market innovation, for competition, but also for financial inclusion. So, we hope that innovation leads to greater access and usage by the segments of the society, which are excluded from the financial sector today. What these wave of FinTech innovation and developments have brought to us as supervisors. It's new business models, new data strategies by financial institutions, to respond to also new customer expectations. And these expectations are very much related to their relationship with devices.

So, customers now they expect immediacy, very fast responses to their financial needs and also personalization of financial services. In a way it's very, very different from a decade ago where financial services would just have standardized propositions to the client and not really interact with the client in terms of providing personalized products, but the technology today actually allows for that.

Not only the technology to manage data in a different way, but also technology to understand the data that people are generating all the time, and this data is becoming available online. So, the technology to gather data, and process data, and produce business intelligence out of this data, is very important. Let's take a little time. Salvador. I think my computer is just acting on me right now.

 

In that context, cloud computing is very important because it's about sharing infrastructure. It's the pool of resources. Institutions, not only in the financial sector, but all kinds of entities, corporations, and even people, normal people like you and me, we're using cloud computing on a daily basis, or sharing infrastructure with other customers, and this infrastructure is being built and managed by usually large corporations, which we're going to call in this presentation as CSPs or Cloud Service Providers.

This is vital for financial institutions too, not only to remain competitive, but also to carry on their risk management in this new environment where there is no way that for them not to use digital data for their own business purposes. It's just to emphasize the importance of cloud computing, it's really here to stay, there is no way regulators and supervisors can just say, "I don't like this, and I don't want this to happen." It's necessary for the financial sectors to evolve and also it's necessarily for new types of business models too.

So we see cloud computing in cloud outsourcing specifically as an enabler for this new environment, but also for competition and content stability, because in a way, cloud computing is what gives startups the possibility to actually compete. Because otherwise, they would need to have the capital to invest in very expensive IT and data infrastructure. And alternatively, they can actually start right now without that infrastructure, without even having some expertise in programming. For example, they can outsource all these services to CSPs, to cloud service providers.

It's about the on-demand services that cloud computing offer. This is the importance for competition from content stability, for institutional diversity. Because of that, cloud computing is also considered an enabler of innovation because it offers scalability, mobility of services, and agility using the data that is being handled by the cloud provider.

And of course, potential consequence of that is great efficiency, also greater productivity and cost effectiveness. That's one of the most important outcomes of cloud computing for incumbent institutions, for the large institutions that are already in the market, and are well established. There are also potential benefits in terms of risk mitigation.

Depending on the cloud computing service provider that the financial institutions choose, they can actually enhance their cybersecurity framework, for example, or their defenses. Because the large cloud computing service providers, they're usually more capable of dealing with cyber threats than small institutions or startups, or even, they might be better at that than even large financial institutions.

And as we saw with the whole COVID situation, cloud computing can have a very fundamental role in increasing resilience. Cloud computing has been showing its value in terms of being part of business continuity plans, and also ensuring resilience of institutions. Many types of institutions, including regulatory agencies, just all of a sudden switched to a work from home environment, many times this was powered by cloud computing.

There are many benefits, but we know that everything that has benefits has also risks. And cloud computing can have risks at a micro level. It's important to understand the risks for individual institutions under your regulatory and supervisor perimeter, but also to understand cloud computing risks at the system level.So, there are macro prudential considerations in cloud computing.

The risks for institutions, you might know this very well, of course there are operational risks in any type of outsourcing, there are risk of data loss due to failures of the CSP, or deletion or disaster at the CSP, there's that deletion of data. We also wonder about physical security of the cloud, because data is not in the cloud. There is no real cloud, there are actually data centers somewhere. There are many data centers scattered around many countries.

So, there are also physical considerations, physical security, but also mainly cybersecurity, because the cyber crimes they now know that these large cloud providers, they're handling a huge amount of data from many sectors, including the financial sector. So they might see cloud providers as an interesting target.

And of course, although some cloud providers can enhance risk mitigation and risk management, some of them can also, to the contrary increase the risks business continuity, resilience, disaster recovery. And one of the most interesting things to think about is the level of dependency of an institution on cloud providers, and especially on the large ones, because sometimes it not only provide the cloud service, but also they provide all the types of services to the institution.

And some characteristics of their services can actually lock the institutions on the contract, and make it very difficult for them to switch to another cloud service provider. So, usually there could be, for example, very little room for data and application portability, especially if the financial institution is using Software as a Service from the cloud provider.

Also some people are questioning the capacity, the ability and expertise of financial institutions to conduct due diligence on cloud service providers. And after contracting, the capacity and ability and limitations that the financial institutions could face in assessing on an ongoing basis, the cloud providers. How they're managing the risks, whether they're adhering to the contract that they have signed with the cloud provider.

And this is related to the fact that it's not only clouds, the data management that is distributed so the data could be in several countries at the same time. So the financial institutions might not have the ability to visit many data centers. But also because the cloud providers might be handling data from many other clients, so there might be concerns with the privacy and the security of that data too. So there are limitations there in the audit and access rights from financial institutions.

But the thing is that, not moving to the cloud might be a greater risk. So I think many people would agree that there is no other option. Nobody's actually questioning whether financial institutions will shift to the cloud. Some of them, even internationally, active banks are already shifting to the cloud, looking at the long term, to be actually completely on the cloud, so it's a complete shift.

So the question is not whether this is going to happen, the question is how it's going to happen, how fast, and the role of very large cloud providers which I'll talk about a little bit. So there are operational risks with not shifting, so using legacy systems and rely on all old technology can be riskier than shifting, but also strategic risks. As I said, I began this talk on talking about the business and their strategy in the new environment, if financial institutions do not shift, they might actually lose their competitiveness.

There are also some issues that are actually raised specifically with the large cloud providers. You might know that the cloud computing market is quite concentrated in some large providers, most of them based in the U.S. There are some specific issues, both on the micro level and on the macro level. At the institution level, there is already some evidence that institutions might have less bargaining power with these global cloud providers.

So, they might be less able to customize and get some flexibility in the contracts because the contracts are highly standardized. But at the same time, the financial institutions, they're required by many regulations, either cloud regulations, or outsourcing regulations, to have some customized clauses, some minimal clauses in their contracts. There has been some limitations. There are some obstacles for customization and flexibility in the contractor clauses.

And also as I mentioned, the access and audit rights of the supervisor, but also as the outsourcing institution are not guaranteed. There are many physical questions on doing physical audits, but also even remote audits on the traditional ways, for example, vulnerability tests or penetration tests. These things may be a little bit more difficult when there is a very large cloud provider, especially in the public cloud, when you're sharing infrastructure with so many other actors and so many other clients.

And I mentioned the risk of high high level of dependency on a single vendor, and at the same time being locked in, in this vendor, because of the types of services provided, but also because it's not always easy to shift data from a cloud provider to another one. Because there's no data portability, always. Other issues are, data location becomes an issue, some regulators, some supervisors are quite worried about where the data is sitting, and where the data is being transferred from and to.

Sometimes the concerns are about the political risks in other countries, sometimes there's a concern about whether the supervisor has any type of relationship with the supervisor in the country which is hosting the data, and this is related to data sovereignty issues. Most of the cloud providers are based in the U.S. and there are people who argue that the U.S. government would have the right to access the data from host country citizens that is sitting on the cloud, even if the data is sitting in a foreign country and not in the U.S.

And there are also concerns with the level and the ability of the supervisor in the host country to access the data of any U.S. cloud provider, without going through a whole range of agreements with the U.S. government. So there are many issues there. Some supervisors are actually pushed through some data localization requirements. And I just bring the question here, is that the right solution?

Data localization, data replication in the country, or other kinds of requirements on cloud service providers that's give the comfort to supervisors that data sitting in their own borders, are these good solutions or not? We're not sure yet. We do know that an increasing number of countries are thinking about this, but this could actually have some negative impacts on cloud computing services across the world.

Other very interesting issue is the potential systemic risk with the very large cloud providers. So, what if most of your systemic institutions, banking, insurance and other institutions are relying on the same cloud provider? It's the risk of concentration, not only at the institutional level, because that can happen very easily, but also at the system level, due to the concentration of the global market. And what to do with that?

If a cloud provider is providing service to most of your systemic institution and to your non-systemic institution, and all of a sudden a cloud provider decides to leave the country because development took some decision, such as data localization, what happens to your institutions? It could be a major issue. And what to do with this? There's some discussion going on in terms of thinking about regulating cloud service providers as if they were critical infrastructure.

Just like an RTGS can be considered a critical financial infrastructure, cloud computing providers would be considered a critical infrastructure, but this is not easy. So, this discussion is going on, both in the U.S. and also in Europe. But who would designate these cloud providers as critical infrastructure? And would they be a critical infrastructure for the financial sector, or would they be critical strategic infrastructure for the country covering many sectors?

And if they're covering many sectors, who will be actually doing this designation and overseeing this critical infrastructure? So many issues there. And if someone like in the U.S. is doing that, what does it mean for you as a host country, as a recipient of the services of cloud service providers in the U.S.?

The Institute of International Finance, they do ... there is a nice paper that they did in 2019 about this, and they actually present other alternatives to designating cloud service provider as critical infrastructure. They say that maybe you can deal with the situation by using the existing third party management regulations. For example, if you identify through that regulation, that there's a cloud provider that is systemic to your financial sector, you could actually have rights to audit and to impose regulations on this cloud provider. Or, you can deal with the same using the same kind of mindset.

You can use your current frameworks for large exposure, so it's quite normal for prudential supervisors to have rules on limiting large exposures on credit, for example, on credit cost exposures. But what if we can use the same concept to deal with cloud providers?

And also the Institute of International Finance, they also say that it could be that we could combine regulatory reactions with industry reaction. So, from an institution's strategic point of view, you could, as a supervisor, require them to have a more risk-based approach. So, for large institutions, you wouldn't be allowing them, for example, to be solely dependent on one cloud provider. So, it could be a multi-vendor solution strategy, or also a multi-cloud, not only public cloud, but hybrid clouds.

And as the emerging regulations, if you have seen the European proposals from the European Securities and Markets Authorities, but also the insurance authorities in Europe, they both are proposing the institutions themselves to examine the market and the level of concentration in the market of cloud computing. So they would take that into consideration when they are conducting the due diligence and also on the ongoing risk management.

And also, the  Institute of International Finance, they also argue for industry-based solution to increase the data and application portability, so institutions wouldn't be locked in, in specific vendors. They could quickly shift their data and their applications to another cloud service provider. These are more technical solutions, but if they come to the market, they would actually increase the resilience of the system, operational resilience.

And just to put a question out there. If there are so many cross-border regulatory issues, we know that if countries come up with their own solutions to these questions, and we still have the same few cloud providers, most of them in the U.S. how to solve this inconsistency that's bound to happen? Should standard setting bodies come to the fore and actually have a more specific guidance to this question? Should supervisor's led by the U.S., probably because they host most of the important cloud providers, should there be a working group or some coordination?

Because there are many questions. We don't know what's going to happen, for example, if the U.S. regulates, so what happens to you in your country regarding the American cloud providers? There are many open questions still, but there's certainly a need for a greater coordination, some kind of actually concrete coordination in this.

And one of the advices here, it's not to rush. Cloud computing is still emerging. It's still not the ... The systemic institutions have not totally shifted to the cloud. They will, most likely, but is still early in the day. So, there's time still to talk to other peers to try to find solutions for the cross-border issues, but also for the national issues. So really avoiding premature responses to this.

This is on-cloud computing. I just want to touch very quickly on two other issues that are related, but I will be very brief on that. One is on the modularization of financial services.

I'm putting these two topics here, just to give you food for thought. There are many things to think about cloud computing and the systemic institutional-based risks, but modularization is a very interesting topic, although I am not going to talk about business models, I'm not an expert in this. There might be people in the call who are, but the reality is that the financial services are getting broken down. The value chain is being broken down. Various actors are coming to the value chain with their specialization.

It's a very much higher level degree of specialization and a lot of third parties providing parts of the traditional services. So you barely can find today a bank that does everything that our banking business used to do in the past. They would be outsourcing, they would be partnering with other institutions in many pieces of the puzzle. And this brings some very interesting questions about who, you as a supervisor, who do you really care about?

And I just want to bring Banking-as-a-Service because it's such an interesting case of this modularization, in my view. And it raises so many interesting questions for regulators and also supervisors. If you look at banking as a stack of things ... This is from 11:FS. It's an institution that deals with Banking-as-a-Service and they have a publication about this.

I got their publication and just put here in the slide. On the left side, you see the brand on the top and the license holder, what we call bank. It's the institution that has a banking license. The license holder does not necessarily provides all this, and usually ... Not usually, but in most case the license holder on a Banking-as-a-Service model will not be dealing with the client.

So the brand does not relate to the license holder. The brand is the customer of the Banking-as-a-Service service. The brand can be a company, it can be even Amazon. Let's say if Amazon wants to provide banking services, they can take a module of banking services, each module from a different institution. It could be completely outsourced to various numbers of institutions. And then you have the institution that is holding the license here on the bottom. And supposedly this is the institution that you supervise. But if this is all broken down, what kind of control does the license holder has?

On risk management, on product design, on the consumer risks. What kind of liability does it hold? Solarisbank is a banking in Germany, and it's one example. There are other examples. I just took this one because of what they're right here. I find this really interesting. Solarisbank defines itself as the tech company with a banking license. Would you as a supervisor be comfortable with this? They don't say, "I am a technology savvy bank. I'm saying that I am a technology company with a bank license. I got a bank license and you can use it."

This is Banking-as-a-Service, but this is really extreme. Of course there are established banking institutions that they are also providing Banking-as-a-Service. One example of very relevant to mother America is BBVA, which is a Spanish bank. They do provide Bank as a Service center. There are other examples. But maybe the new ones, the technology companies that got a banking license to provide Banking-as-a-Service might be the most extreme cases for you to ... That phrase there's interesting questions about the effectiveness of the prevalent approach to supervising outsourcing.

I'll put some questions here for you to think about. If everything is modularized and the license holder is not anymore who actually owns the other processes or many of the processes, it really varies according to the company and to the model. But it's going to be a reality that they will not own everything that the banking business used to do in the past. So, who is really outsourcing to whom? Isn't it the brand that is dealing with the consumer, who is actually the owner of the business?

And what does that mean to you? And what about the other parts of the business? Who is actually managing the overall risk of this business? And who should it be looking at this as an overall business at all? Can you try to modularize your supervision itself? Does that work? What happens to enterprise risk management? It's quite complicated questions actually. I actually would like to learn a little bit more of what supervisors are doing with this.

I'm not sure how many of you were dealing with this today, but these models do exist in a few countries, but the approach so far has been the traditional approach to outsourcing. You have the licensed to entity and the regulations of course, puts all the responsibility for risk management and third party risk management on the license holder. But in a way it's kind of an artificial approach if you think about, because they don't really own everything. They might have only ownership and control over certain parts of the banking business.

Interesting things out there. The questions are pretty much. Is the current approach to outsourcing adequate to deal with modularization? And how can regulation and supervision adapt? Because you can't simply say, I don't want this. Because actually you need to balance the problems that you face as a regulator and supervisor with the benefits that these models actually provide. And how can technology help you as a supervisor? If you're, for example adopting newer approaches to this, and for example, if you start looking at all the parts of the module and not only the license holder, can you actually use technology to help you use your resources in a better way?

And last question again how can the standard setting bodies help in send it up to the stage for supervisors to deal with modularization? And last but not least, I just want to raise a few questions about open banking. Open bank is still also an emerging practice. There are open banking by the industry without any involvement by the regulator and the supervisor. But I want to talk about the open banking when there's regulation and policy involved, because that's when, for example, you would be concerned about the supervisory implications of that.

Open banking regimes are the ones where there's some kind of regulation or some kind of policy. So, you're setting some criteria, some requirements on the open banking is keen participants. And just to remember that open bank is probably just the first step in a process of opening data. Open banking is usually the start point, because that's a heavily regulated industry. So the sharing of data in many countries, or even all countries will start with the banking sector, but it's very likely that's going to go through a progression of open finance to all financial sectors, and then open data to try to include data from non-financial sectors.

This is particularly important for financial inclusion because excluded people do not have much financial data. So, if you want to include them and using data to get to know the excluded people, you probably need to also think about open data. What is the role of the supervisor in all this? I would be concerned for example, with the liability aspects. When financial institutions are sharing and getting data, where does their liability stop? When they hit the button to send the data? And who is actually going to answer for anything that happens with the data of the client? Because this can be very sensitive data.

And data protection and cyber risk, who takes care of the cyber risks and cyber risk management in the data sharing schemes? There needs to be a governance, there needs to be some kind of agreements between the participants on these types of risks and who oversees. And what is the role of the supervisor? If you're putting aspects of open banking on the regulation on written policies, so you want to know if the implementation schedule is on track, the governance of the schemes, and if the different interests of the participant, especially banks and non-banks small firms and big firms, if there is a balance there and the supervisor could have a role there.

Also the technical standards. If there are technical standards in the regulation, you probably will need to go into the implementation of those standards as a supervisor. And some more practical issues, such as discrimination in data sharing, such as denying some data sharing based on very dubious reasons, and also the pricing rules of the scheme. And then there are the new players that are really almost specialized in open banking.

The account information, service providers or AISPs, and the payments initiation service providers or PISPs. These are already regulated in Europe. And I know a few countries are thinking about regulating them. How are you going to supervise them? What you're going to focus on? And who is going to supervise them?

This is all I have to share. I'll just leave a few questions out there. I'm happy to discuss these questions, but have a look at them, and I hope they give you some food for thought. And I'm sure a few of you, I saw the list of participants and I'm sure a few of you will actually have much more advanced thinking already on the regulation and supervision of these three topics. Thank you very much.

Salvador Chang:              

Thank you, Denise. I have a few questions from the audience, and thank you very much for taking the time to write down these questions outside from the very one of the last questions. How does open [inaudible 00:40:10] interacts, or open banking [inaudible 00:40:13] or interacts with the GDPR personal protection laws?

Denise Dias:                     

Yes. It's a big question for people actually operating in the EU because GDPR is quite strict in terms of protection of data. For example, the consent management needs to be very clearly set up in the open banking scheme. So, if you're allowing third parties to access data from the financial sector, there needs to be explicit client consent. One question about consent it's, actually it could be more interesting is whether consent works for the client, of course.

We're worried about the client. So, is it okay to have those very general and long consent texts before a client is actually consenting to give access to banking data, or insurance data, or payments data? There are emerging theories about changing the consent mechanism for the consensual work, especially for poor people who might not really be sophisticated enough to understand the legal text of the consent page.

And also there are other questions about whether you provide consent once as a client, and you have the ability to eliminate that data sharing, to disconsent, to have the very easy means to eliminate it, to terminate consent and to consent. So it's a both ways. It doesn't mean that you give consent once, you're just locked in into that relationship. All those procedures need to be very useful for the customer to comply with the data protection regulations.

Salvador Chang:              

Thank you, Denise. There is another question which is very specific. Do you know any central bank where regulated that has improved the banking license to an entity that adopted Banking-as-a-Service?

Denise Dias:                     

Yes. The one that I showed to you is from Germany, the Solaris, and there are others there. And then in the UK, there are Banking-as-a-Service too. And I also mentioned the Spanish bank, which is a traditional bank, BBVA, but also has a Banking-as-a-Service service. These are two models of Banking-as-a-Service. They exist, but there is no license for Bank as a Service. It's just a banking license. It's just a normal banking license.

Salvador Chang:              

There are a couple of questions related to cloud computing and CSPs. The first one, and I will read both at the same time making this just a single question. One is, whether the regulation and supervision of CSPs would correspond to the country where the infrastructure is hosted, would it be requirement in order to harness the speed? They're both considering that the regulators or supervisors of other countries are [inaudible 00:43:41] financial institution to a CSPs are being monitored by a supervisor.

Denise Dias:                     

Sorry, I didn't really hear the end. You spoke very softly.

Salvador Chang:              

Yes. Basically the question is whether the regulation and supervision of a CSPs correspond to the country where the infrastructure is hosted, that way the regulators would be [inaudible 00:44:11] by the services contracted by a financial institution are being monitored by a supervisor or not.

Denise Dias:                     

Right now, there's no one really regulating CSPs as such. So there is no CSP regulation out there. What is the approach right now? The approach is that you have in your own countries regulations about outsourcing, or even sometimes regulation about cloud computing outsourcing. The problem is that you might have the limitations that I talked about to audit, to change the contract, to force termination of service, to impose certain things that are maybe easier to impose in a local outsourcing to any other service, it doesn't need to be cloud.

The cloud computing service providers in the U.S., they're not regulated as cloud computing provider, they're not regulated in that sense. If they become regulated in the U.S., we don't know how that's going to happen. If they're going to be regulated as a financial market infrastructure, following the CPMI standards for financial market infrastructure. But those standards don't really fit so well into cloud services. We don't know the answer for this. We don't know if there's going to be internationally agreed framework for these cloud providers.

If only the home country, U.S., Germany will be the ones responsible for doing the assessment of security, for example, which is what's sometimes matters the most for supervisors, they are most concerned of, we don't know. There is no answer for this yet. That's why a few countries are actually getting so nervous with this, that they're imposing data localization requirements or certain other requirements on cloud service providers, which might be counter productive actually.

Salvador Chang:              

Good. Thank you. There's a question here related to the fact on, are there examples of open banking finance achieving the financial inclusion promise, or we still hoping?

Denise Dias:                     

Yes. I said that in general, we're still hoping. Also because open banking is very new. We need to remember that. Most of the countries do not have open banking as a national scheme or as a system scheme. Most countries will have one or the other example of some kind of open APIs for example. Like, a bank has opened its APIs for developers, for FinTechs, I don't consider that's open banking. Open banking is very, very new.

And it's mostly happening right now as they scheme in developed countries, which are not so worried about financial inclusion. But there are some interesting products that open banking has already encouraged, such as those products that help the customer manage the savings a little better. But this isn't really for customers who are already are in the financial sector, they might be underserved.

But the excluded people as I said, if they're not in the financial system, they don't have banking data, they don't have financial data to share. You need to go a little one step up, which is open data. Share the other data that these people are creating in the digital world.

Salvador Chang:              

Good. Thank you. I want to make the final question, which actually came first, but it is a more general question. There are some ideas about using insurance as a protection for consumers in case of a FinTech going insolvent, or unable to fulfill its obligation, which would facilitate regulation and supervision. Do you have any thoughts on that?

Denise Dias:                     

Oh, that's interesting. The problem with insurance is that insurance only provides you financial consolation. You would have insurance when something already happened, and then you have the insurance coming. Is that enough for you? Would you be okay with that? For example, cyber insurance, if we're talking about cloud computing again, and there is a major disruption in a cloud computing provider that is serving all your systemic institutions and somehow you got the institutions to get insurance.

That only means that they will get some money. The insurance will not solve the problems that the disruption will cause to the customers and to the economy, for example. You could impose insurance if you can, but it doesn't really solve problems.

Salvador Chang:              

Excellent. Well, thank you very much, Denise. I tried to put all the questions. Some of them were actually answered in other answers that you provided. And for those who ask whether these slides will be shared, what we will share is a complete recording of this webcast. So the complete recording with the audio as well, and the video will be in our web page. Let's put a close to this call and thank you very much, Denise. [foreign language 00:50:02].

Denise Dias:                     

Welcome.

Salvador Chang:              

Thanks. Thanks for all your support and your help. And it's been very interesting, and thank you all. Okay.

Denise Dias:                     

Thank you. Bye.

Salvador Chang:              

Bye. Take care. Bye.