The theme of today’s Summit, Bridging innovation and resilience in finance, brings out the duality of innovation for finance. On one hand, innovation can positively impact the financial industry in terms of the level and quality of service and risk management. But on the other hand, it also introduces significant new risks that we need to be aware of and build the ability to manage effectively.

Indeed, related questions have regularly featured in international regulatory discussions in recent years. These include: “what are the impacts of innovation?”, “any risks that regulators or banking supervisors should be particularly concerned about?”, and “how can the industry and supervisory community effectively work together to deliver those changes in a safe and sound manner?”

Discussions in this regard have intensified following last year’s US/Europe banking turmoil, which had distinct “tech” elements. For one, many of the banks involved were considered more “digital savvy” in that they primarily serviced technology firms or those from the digital assets industry. The crisis was also exacerbated by a range of technology-related factors, such as higher levels of banking digitalisation, which enabled near-instant fund movements of a significant scale, and social media, which accelerated the spread of negative sentiment.

The HKMA participates actively in the international groups at the forefront of these discussions. I myself am involved in a lot of those regulatory dialogues, particularly in relation to the Financial Stability Board and the Basel Committee on Banking Supervision (BCBS). For instance, the Basel Committee is looking at the lessons that we can learn from the March 2023 turmoil, particularly surrounding topics like interest rate risk in the banking bank, and how innovation and technology has changed the landscape for banks. 

Drawing all this together, I will provide a high-level overview of what banks can expect to be on the supervisors’ radar, with focus on three aspects of resilience in particular. The first aspect is the impact of innovation or digitalisation on liquidity risk management. The second is operational resilience. And the third is in terms of customer impact.

On the first aspect of liquidity risk management, one of the most shocking aspects of last year’s banking turmoil was how fast the affected banks collapsed. Silicon Valley Bank (SVB) closed within two days after the public started to run and Signature Bank followed another two days after. Less than two weeks after SVB’s failure, it was announced that Credit Suisse would be sold to UBS.

This was markedly different from past episodes of banking stress. For instance, SVB’s management expected that the bank would have lost some $140 billion or 85% of its deposit base over two days if it had not been shut. By comparison, the US regulators estimate that the failure of Wachovia in 2008 included about $10 billion in outflows over eight days, while the failure of Washington Mutual in 2008 included $19 billion over 16 days.

How do we explain these changes in market dynamics? Certainly, banking digitalisation and innovation have become far more prevalent, and depositors could now move their funds almost instantaneously and with just one “click”. 

Banks’ financial intermediation role involves maturity transformation. Therefore, liquidity risk will always exist in the banking model. And so, a pertinent question is whether there is still a viable business model for banks under this kind of “new normal” environment?

I would argue that banks can certainly continue to thrive under this “new normal”, provided that banks and banking supervisors can collectively ensure that liquidity risk management is significantly enhanced.

Firstly, banks need to accept that banking digitalisation is here to stay, and will significantly impact liquidity risk management. They should critically review their liquidity risk management practices and ensure regularly that those practices continue to remain adequate in this “new normal”.  In particular, banks should satisfy themselves that their contingency funding arrangements will allow them to obtain sufficient liquidity at very short notice, including to access central bank liquidity support facilities.

Banks also need to dedicate greater efforts to monitoring social media. Having observed the role of social media in the banking turmoil in 2023, the HKMA has tried out some engines to predict whether certain keywords and the way those keywords are spreading would lead to potential problems. We actually back-fitted that into the SVB case and the results were very interesting. I would not go into the details, but it is apparent that social media will perhaps be a very important liquidity risk management tool going forward.

Banking supervisors also need to play our part, including to guide banks in making related changes. For instance, if access to central bank liquidity facilities requires stronger assurances, then we need to work together with banks to ensure that the facilities are tappable at short notice. 

Supervisors should also look “inward” and ensure that we can effectively deal with bank runs or bank stresses that may unfold within a matter of days, if not a matter of hours. At the HKMA, we have done an internal review following the banking turmoil to look at our resolution functions, how they interact with the supervisory functions, and we are undertaking work to enhance our optionality when it comes to resolution functions.

And finally, in the longer term, I do think that we need to reflect all of these considerations in the context of international standard settings.

From financial resilience in liquidity risk management, let’s move to “operational resilience”—another “buzzword” that has gained prominence within the international regulatory community. While “operational resilience” has traditionally played “second fiddle” to financial resilience, supervisors are increasingly finding the two of comparable importance.

As past incidents have shown, an operational disruption can materially impact confidence in a bank, and even have knock-on effects on its financial resilience. As an example, in 2018, a UK bank experienced a major IT disruption which resulted in almost two million of its online and mobile customers being locked out of their accounts. The issue persisted for some time, with certain customers reporting an inability to make payments or access key accounts for almost a month. According to the UK Financial Conduct Authority, the failure resulted in a loss of GBP 330 million [$419 million] for the bank, including consumer redress, rectification and associated remediation resource costs of GBP 125 million [$159 million]. 

It is true that we have not seen any major systemic banking crisis sparked by an operational disruption or operational incident so far. That said, I think the landscape will become even more difficult to manage going forward for two reasons. Firstly, banks are all trying out new technologies. This will significantly change the technological landscape and challenges that they face. Secondly, when banks start adopting novel technologies, they would usually start off by relying on external service providers. Therefore, their dependencies, including on third-party, fourth-party and nth-parties, will increase multi-fold right away.

Supervisors and banks alike are trying to address this issue of dependency, and we do hope that banks will start to look at this as a major priority, probably within the operational resilience framework under the Basel Committee’s Principles for Operational Resilience issued in 2021. Hong Kong introduced that framework in 2022, and we expect banks to confirm sufficient operational resilience no later than May 2026. We are now working very closely with banks on this.

So far, we have focused on the “non-malicious” side of technological advancements. But what about when “malicious” actors enter the mix? The landscape becomes very complex, in particular for customers. 

There is growing evidence that criminals are indeed exploiting digitalisation to commit digital fraud at a greater scale and scope. Taking Hong Kong as an example, the HKMA received over 1,200 fraud-related banking complaints in 2023, more than double the number for 2022. The same trend was observed in the number of deception cases reported to law enforcement agencies in the same year.

Supervisors and banks are keen to put a stop to this trend. Fraud—whether digital or not—could lead to losses not just to customers, but potentially banks as well. And in very extreme cases, there could even be banking stability or financial stability angles to it.

We have to recognise that the fight against fraud cannot be fought by any institution or agency alone. It must be a collaborative effort. In the case of Hong Kong, the HKMA, HKAB and the law enforcement agencies have been launching various initiatives to alert the public to fraud trends, advise the public on what they should not do, and to elevate our ability within the banking system to detect problematic transactions, so that we can intercept and frustrate those fraudulent fund transactions as early as we can.

We even launched the Anti-Scam Consumer Protection Charter (the Charter) last year. The Charter consists of a set of Principles which Participating Institutions commit to uphold in order to help the public better safeguard their sensitive personal information and financial information. The Charter has entered version “2.0” this year with more Participating Institutions. It now basically covers all the key financial services sectors, as well as a variety of commercial sectors, including food and beverage, logistics, transport, travel and the like.

Despite all these efforts, criminals will continue to evolve as we put up new safeguards. So, I would really urge all the bankers here—whether you are from Hong Kong or not—to join hands with the supervisors and law enforcement agencies. We need to work closely together to frustrate these kinds of fraudulent transactions.

Although I have so far been talking about the resilience risks of innovation, I don’t want you to leave with the impression that banking supervisors or central banks are always regarding innovation as both “doom and gloom”.

This is not the case. We recognise that innovation can also bring about a multitude of benefits. These benefits extend far beyond just those related to consumer experience. Let me share two examples. 

The first one is Supervisory Technology (Suptech), which is helping us conduct supervisory work in a more focused manner and reduce the supervisory burden on banks.

The second one is more close to my heart, and that is SME lending. While SMEs with limited track record have typically faced difficulties obtaining loans from banks and needed to rely on collateral to access financing, technology initiatives—like the HKMA’s Commercial Data Interchange (CDI)—are giving banks access and the ability to consider alternative data that can support an SME’s loan request. The CDI has been quite successful since its launch in October 2022 and is a clear example of how technology can enhance the ecosystem and not just introduce new risks.  

So this brings me to my final point. In recognising the “duality” of innovation, how can we maximise the benefits of innovation while managing the associated risks prudently?

At the HKMA, we use a risk-based and technology-neutral approach to supervising innovation. In practice, this means that we need to accept that technology may not always deliver as envisaged, and that our supervisory response function needs to be measured.

In the process, we have been using the idea of “sandboxes”. Taking the opportunity, I’m pleased to share that the HKMA is actively exploring with a partner organisation, the establishment of a brand-new sandbox on generative artificial intelligence (GenAI), and that we aim to launch it in the latter part of this year. The sandbox will provide support from both technical and regulatory perspectives and enable banks to test out their generative AI solutions in a more risk-controlled environment. 

At the end of the day, “resilience” is a common goal shared by banks and supervisors. Despite all of the challenges mentioned, I have every confidence that we will be able to join hands to capture the benefits of innovation in a safe and sustainable manner.

Hong Kong Monetary Authority - Opening Keynote on “Innovation and resilience – What’s on supervisors’ radar?” at The Asian Banker Summit 2024 (hkma.gov.hk)