Bigtech Regulation
Introduction
Technological Disruption in Finance
• Technology is reshaping every part of finance — from the instruments we
trade to how we make payments.
• We now see digital currencies, real-time settlements, mobile payment apps,
and robo-advisors.
• Traditional players like banks and insurers are being displaced or redefined
as tech firms step in.
Big Techs’ Entry into Financial Services
• Large tech companies like Google, Tencent, Amazon, and Meta are entering
finance through various services.
• They already dominate digital payments, especially in Asia (e.g., Alipay,
WeChat Pay).
• Some Big Techs are now expanding into lending, insurance, and wealth
management — and could soon launch stablecoins or DeFi platforms.
• The COVID-19 pandemic accelerated the shift to digital financial tools,
making Big Tech entry faster and broader.
Big Tech Business Model Features
• Big Techs run multi-service platforms (like Google + YouTube + Google Pay
or Tencent + WeChat + WeBank).
• These platforms create network effects: the more users join, the more
valuable the platform becomes.
• They gather massive data from e-commerce, social media, and messaging
— which they use to offer tailored credit, insurance, or investment products.
• Their financial services are often offered via licensed subsidiaries or through
partnerships (e.g., Apple Card via Goldman Sachs).
Introduction: Big Techs in Financial Services
Emerging Risks
• Big Techs can pose systemic risks due to:
• Cross-sector interdependencies – their operations connect commerce,
communication, and finance.
• Market concentration – just a few firms may dominate entire financial service
sectors.
• Cloud and data reliance – many banks rely on Big Tech cloud services (e.g.,
AWS, Google Cloud).
• Current regulations focus on single legal entities, not the entire Big Tech
group, which means interconnected risks may be overlooked.
Why Do We Regulate?
• The core purpose of regulation is to fix market failures — situations where
free markets don’t lead to the best outcomes for society.
• In finance, regulation ensures:
• Fair competition
• Consumer protection
• Market integrity
• Financial stability
Why Are Big Techs Special?
• Big Techs (e.g., Google, Amazon, Tencent) have unique business models:
• Use huge datasets from e-commerce, search, social media
• Offer bundled financial + non-financial services
• Enjoy network externalities — more users = more power
Direct Provision of Financial Services
• Big Techs provide payments, lending, insurance, etc., often without a full
banking license.
• These are offered through:
• Subsidiaries (e.g., PayPal, Apple Card)
• Joint ventures with banks (e.g., white-labeled services)
• Risks:
• Blurred responsibilities between tech and bank
• Mixing regulated + unregulated activities
• Unlicensed banking-style functions (e.g., credit underwriting)
• Stablecoin risks: Loss of trust in digital tokens could destabilize payment
systems
• Example: If a stablecoin fails to maintain its peg to a fiat currency, it could trigger
panic in digital payment ecosystems
Reliance on Big Techs by Financial Institutions
• Banks and insurers depend on Big Tech for:
• Cloud hosting
• AI tools and data analytics
• Cybersecurity services
• Risks:
• Operational risk from cyberattacks or service outages
• System-wide failures if a major provider (like AWS) goes down
• Vendor concentration: Too few tech providers = fragility
• Example: A cyberattack on a cloud provider could disrupt dozens of banks
at once.
Market Concentration and Competition Risks
• As Big Techs grow, they:
• Attract more users → generate more data → offer better products → attract
even more users.
• This is called a self-reinforcing loop or data-network-activity (DNA) loop.
• Risks:
• Market dominance in payments, lending, and even cloud services
• Anticompetitive behavior, like locking in users or tying services
• Lower consumer choice and weaker market competition
• Example: A platform might offer a payment wallet only usable on its own
e-commerce site, excluding other services.
Why Traditional Tools Aren’t Enough
• Typical financial regulation uses prudential tools like:
• Capital requirements (how much a bank must hold)
• Liquidity rules (ensuring enough cash to survive shocks)
• BUT: Big Tech risks are different
• Not about financial weakness — they’re often highly profitable
• The concern is their business model and conduct:
• Inter-group data sharing
• Internal tech reliance
• Lack of accountability across services
Global Policy Response
• Some regulators (e.g., EU, China, US) are introducing rules to:
• Monitor tech-finance interdependencies
• Limit platform dominance
• Strengthen operational resilience
• Still, most regulation today is fragmented and focused on individual
activities, not on Big Techs as complex groups.
The Current Regulatory Approach
Overview: A Patchwork of Rules
• Big Techs are regulated in many policy areas:
• Finance: licensing rules (banking, insurance)
• Technology: cloud services, operational risks
• Data protection: GDPR, privacy laws
• Competition law: dominance and anticompetitive practices
• BUT: These rules are often fragmented and reactive, not designed for Big
Tech's complex structure.
Financial Regulation: Sectoral and Fragmented
• Big Techs must comply with financial sector rules for the activities they
perform:
• Banking licenses for deposit-taking
• Insurance licenses for underwriting
• Payment licenses for mobile wallets and e-money
• Applies to individual legal entities (subsidiaries), not to the group as a
whole.
• Example: Apple Card is regulated as a credit card product offered via
Goldman Sachs, not as part of Apple’s broader ecosystem.
Limited Group-Level Supervision
• Regulators generally don’t supervise Big Tech groups on a consolidated
basis.
• Some exceptions exist where prudential rules restrict risky group-level
interactions (e.g., EU’s CRR for banks).
• Supervisors may consider group risk exposure, but this is still case-by-case,
not systemic.
Licensing Gaps in Credit and Unregulated Activities
• Some financial activities by Big Techs (like credit underwriting) often don’t
require a license.
• Even where licenses are needed:
• Rules focus on consumer protection, not prudential soundness.
• There’s no limit on combining regulated (e.g., payments) and unregulated
activities (e.g., online retail or data services).
• Example: BNPL (Buy Now Pay Later) services may operate with less
oversight than traditional lenders.
Tech Services to Financial Institutions
• Big Techs provide cloud computing, data analytics, and AI scoring tools to
banks and insurers.
• These services are critical, but not directly regulated.
• Risks:
• Cyberattacks
• Service outages
• Vendor lock-in and overreliance
• Most jurisdictions manage this under outsourcing/operational risk rules, not
direct Big Tech regulation.
• EU’s DORA (Digital Operational Resilience Act) will create specific
obligations for tech providers critical to financial stability.
Competition and Market Dominance
• Big Techs can dominate through network effects and data monopolies.
• China: Introduced rules to prevent abuse (e.g., SAMR’s platform regulation).
• EU: Digital Markets Act (DMA) creates ex ante rules for "gatekeepers" (e.g.,
Google, Apple).
• US: Several bills propose entity-specific rules to curb anti-competitive
behavior.
• DMA requires Big Techs to share data with third parties and prevent unfair
self-preferencing (e.g., promoting own apps in search results).
Problems with the Current Approach
• Regulatory approach is still piecemeal:
• Treats risks individually rather than systemically
• Misses interactions across financial and commercial services within a group
• Solo-entity focus ignores how group-level data sharing, tech use, or
subsidies can create risks.
• Unregulated activities + regulated services = blind spots for supervisors
Why Rethink Regulation for Big Techs?
• The current sectoral (activity-based) approach isn't enough.
• Big Techs create new risks by mixing:
• Regulated financial services (e.g., payments, lending)
• Unregulated services (e.g., cloud, e-commerce)
• Their business model is integrated — risks come from interactions between
services.
• A new framework is needed to protect public policy goals, especially
financial stability.
The Need for an Entity-based Approach
• Looks at the entire corporate group, not just the licensed subsidiaries.
• Helps regulate the links between financial and commercial services.
• Complements existing activity-based rules by covering the "gaps" in
oversight.
• Example: If a Big Tech owns both a shopping app and a digital bank,
entity-based rules allow regulators to monitor how the two interact (e.g., using
purchase data to decide who gets loans).
Three Types of Entity-Based Controls
Restriction Approach
• Blocks financial institutions from doing certain commercial activities.
• Prevents overlap between banking and non-financial business.
• Example: In the United States, traditional banks cannot run supermarkets or
e-commerce platforms.
• Effective but too rigid for Big Tech — could limit innovation and financial
inclusion.
• This approach is not recommended for Big Tech.
Segregation Approach
• Separates sensitive financial activities (like lending, deposits) from riskier
non-financial ones.
• Creates “firewalls” between business lines.
• Example: In China, large tech groups must form a Financial Holding
Company (FHC) for their financial activities, subject to capital and risk rules.
• Goal: contain risk within silos and avoid cross-contamination.
Inclusion Approach
• Creates a new regulatory category for the whole Big Tech group.
• Allows regulators to:
• Oversee both regulated and unregulated activities
• Impose group-wide rules (e.g., governance, resilience, data handling)
• More flexible and tailored to Big Tech's mixed structure.
• Example: A Big Tech like Amazon offering loans, cloud hosting, and
payments could be treated as one regulated "consolidated group" under this
model.
Compatibility and Flexibility
• These three approaches aren’t all-or-nothing — they can be combined:
• Segregation for operational risk containment
• Inclusion for oversight across the group
• The key is to adapt based on risk, size, and services of the specific Big
Tech.
Why Not Restriction?
• Although restriction eliminates many risks, it's too blunt.
• Would:
• Ban Big Techs from regulated financial services
• Limit innovation and competition
• Reduce consumer choice and inclusion
• Not favored by regulators — seen as overly intrusive
What Is the Segregation Approach?
• The segregation model says Big Techs should legally separate their
financial and non-financial activities.
• Financial services must be grouped under a Financial Holding Company
(FHC).
• That FHC would be subject to prudential rules (like capital and risk
management) on a group-wide basis — but only for the financial arm.
• Analogy: Think of an FHC as a protective “vault” around all the
finance-related parts of a Big Tech group.
Why Segregate?
• To prevent risk from spreading between the tech and finance sides of the
business.
• To protect:
• Operational resilience (e.g., tech failures shouldn’t hurt financial stability)
• Data governance (e.g., no cross-use of sensitive financial data)
• Business conduct (e.g., reduce conflicts of interest)
Degrees of Segregation: From Light to Strict
• Segregation can range from loose firewalls to strict ring-fencing:
• Light: Governance rules and oversight
• Medium: Limited financial or data interactions between business lines
• Strict: No tech-sharing, no common platforms, and full “Chinese walls” (strong
internal separation)
• Chinese walls = strict internal barriers that prevent information flow between
departments or entities.
Strict Ring-Fencing Measures
• Separate governance: No control from tech side over financial arm.
• Ban on intragroup transactions (e.g., no tech firm loans to its bank arm).
• No shared cloud infrastructure or AI tools across units.
• Ban or strong limits on data sharing between financial and non-financial
units.
• Goal: Reduce internal risk transmission and stop Big Techs from using
financial data to dominate other markets unfairly.
Global vs Jurisdictional Implementation
• Global FHC:
• All financial activities worldwide are grouped and regulated as one unit.
• Easier to apply international standards, but harder to set up and enforce globally.
• Jurisdictional FHC:
• Country-specific or regional FHCs.
• Must comply with local rules.
• Could require restrictions on interaction with foreign parts of the Big Tech group.
• Example: A U.S. regulator might require Amazon’s U.S.-based financial
operations to be isolated from AWS or its India-based lending platform.
Benefits of the Segregation Approach
• Easier to supervise than inclusion (fewer cross-sectoral complications).
• Creates clarity and simplicity in group structure.
• Reduces systemic risk from tech-finance linkages.
• Aligns with models already used in banking and insurance supervision.
Drawbacks and Limitations
• Chinese walls may not hold in times of stress or crisis.
• Weakens Big Tech’s core strength: network effects, data synergies, shared
platforms.
• Could discourage innovation and reduce incentives for Big Techs to enter
finance.
• May end up having similar effects as a full restriction model (i.e., pushing
Big Techs out of finance altogether).
• Big Picture: Segregation might work well for safety — but at the cost of
efficiency, innovation, and competition.
What Is the Inclusion Approach?
• Group-wide regulation that covers:
• The Big Tech parent company
• All subsidiaries, both regulated (e.g., fintechs, wallets) and unregulated (e.g.,
cloud, retail, logistics)
• Unlike segregation, it doesn’t isolate the financial arm but monitors all
interdependencies across the group.
• Goal: Adjust regulation to fit Big Tech’s actual business model while
preserving innovation and managing risks.
How Does Inclusion Work?
• Financial activities may still be grouped in an FHC (Financial Holding
Company).
• BUT: Oversight extends beyond the FHC, monitoring:
• Data sharing
• Common tech infrastructure
• Cross-subsidiary transactions and risks
• Comprehensive but complex: Harder to implement than segregation and
could create regulatory burdens, especially if the financial services side is
relatively small.
Lessons from Financial Conglomerate Regulation
• What Are Financial Conglomerates?
• Groups active in two or more financial sectors (e.g., banking + insurance).
• First regulated in the 1990s via the Tripartite Group, later evolved into the Joint
Forum.
• Focus areas included:
• Capital adequacy
• Intragroup risk exposures
• Contagion risk
• Manager qualifications
• Transparency and ownership structures
Key Takeaways from the Conglomerate Experience
• Showed the importance of:
• Cooperation across supervisors
• Group-wide monitoring
• Transparency in ownership and management
• But: These models didn’t anticipate groups with dominant commercial
(non-financial) arms like Big Tech.
European Union – FICOD
• Applies to financial conglomerates that span banking, securities, and
insurance.
• Covers:
• Capital adequacy
• Group-wide risk controls
• Intragroup exposures
• Limitations:
• Doesn’t apply to non-financial parts of the group.
• Misses data/system-sharing risks unique to Big Techs.
• Built for bancassurance models, not tech-finance hybrids.
United States – BHC/FHC Model
• Regulates bank holding companies and financial holding companies.
• Requires:
• Consolidated capital
• Risk limits
• Oversight by the Federal Reserve
• Drawbacks:
• Only applies if a bank is involved.
• Doesn’t fit Big Techs without banks.
• No rules for cross-sector dependencies (e.g., cloud + credit).
China – FHC Regime
• Regulatory Bodies: People’s Bank of China (PBoC), China Banking and Insurance
Regulatory Commission (CBIRC)
• Required major tech firms (e.g., Ant Group, Tencent) to set up Financial Holding Companies
(FHCs) for all financial services arms.
• Tight data controls under Cybersecurity Law and Personal Information Protection Law
(PIPL).
• Real-time reporting of cybersecurity incidents and third-party service risks.
• Stricter rules on credit scoring and digital lending – licensing now required for consumer
finance platforms.
• Example: Ant Group’s IPO halted due to regulatory concerns over group structure and risk
management.
• Key Risk Areas Addressed:
• Group-wide financial risk
• Consumer data misuse
• Market dominance and systemic risk
• Pros:
• Doesn't require a bank to qualify
• Limits non-financial activities to 15% of FHC’s assets, otherwise
• You may be denied an FHC license
• You may be forced to restructure
• Regulatory scrutiny will intensify
• Cons:
• Excludes payment services
• Doesn’t fully regulate interactions between FHC and non-financial arms
HKMA’s Regulatory Approach to Big Techs
Activity-Based Regulation (Primary Approach)
• Big Tech firms in HK are regulated based on the specific financial services
they provide:
• Stored value facilities (SVF) like AlipayHK are regulated under the Payment
Systems and Stored Value Facilities Ordinance (PSSVFO).
• Digital banking (e.g., ZA Bank, WeLab) must hold virtual banking licenses under
the Banking Ordinance.
• Lending or wealth management activities trigger licensing under Securities and
Futures Ordinance or Money Lenders Ordinance.
• Example: AlipayHK holds an SVF license but is not regulated as part of
Alibaba Group.
Functional Regulation for Tech Services
• Big Techs offering services to financial institutions (like cloud hosting, AI
credit scoring) are not directly regulated as critical third parties — but their
impact is monitored through outsourcing and operational risk rules.
• The HKMA has issued outsourcing guidelines that:
• Require banks to assess and manage risk from tech vendors.
• Give regulators “right of audit” over major outsourced services.
Cybersecurity & Operational Resilience (Emerging Focus)
• HKMA has introduced:
• Cybersecurity Fortification Initiative (CFI) and
• Guidelines on Technology Risk Management, covering cloud, APIs, resilience
testing.
• These begin to mirror DORA-style resilience regimes, but still focus on
regulated institutions, not the Big Tech providers themselves.
No FHC Framework or Group-Level Regulation (Yet)
• Unlike China, Hong Kong does not require Big Techs to form Financial
Holding Companies (FHCs).
• There is currently no regulatory framework that:
• Applies at the group level (e.g., to Alibaba or Tencent as a whole).
• Controls cross-subsidiary risks, data sharing, or financial-commercial
interlinkages.
• However, HKMA and SFC acknowledge the growing systemic importance of
Big Techs and have signaled interest in broader oversight.
Gaps in Current Approaches
• Scope: Existing frameworks don’t capture tech-driven groups with large
non-financial businesses.
• Licensing: Some Big Tech financial services (e.g., payments, BNPL) are
lightly regulated or excluded.
• Supervision: Focus is on prudential health, not cross-sector risk dynamics
(e.g., how cloud failures affect lending).
• Data Use: No standard controls on data sharing across
regulated/unregulated entities.
Pros and Cons of the Inclusion Model
• Advantages
• Tailored oversight of Big Tech business models
• Encourages safe innovation while managing systemic risks
• Captures risks from interconnected platforms and data flows
• Promotes transparency across complex group structures
• Challenges
• Complex to supervise — requires knowledge of both finance and tech
ecosystems
• Risk of over-regulation if the financial arm is small
• Existing rules are not fully built for tech-finance hybrids
• Implementation varies widely across jurisdictions
Why a New Regulatory Category for Big Techs?
• Current regulation isn’t designed for Big Techs that offer financial services
but aren't primarily financial companies.
• Traditional frameworks focus on: Banks, insurers, investment firms
• Prudential soundness (capital, liquidity)
• Big Tech risks are different:
• Operational risks, data misuse, interdependencies, and rapid scalability
• Goal: Create a new regulatory framework for Big Tech Financial Groups
(BTFGs) that:
• Covers the whole group
• Addresses both regulated and unregulated financial activities
• Focuses on governance, conduct, resilience, and group structure
Three Layers of Oversight
• BTFG Parent
• Rules focus on how it governs and oversees the whole group.
• Controls data sharing, internal governance, and coordination across business
lines.
• Regulated Subsidiaries
• Continue to follow existing rules (e.g., banking, insurance, payments).
• Intermediate Entities (e.g., FHCs)
• Organize financial activities, subject to subgroup supervision.
• Example: A Big Tech with e-commerce, cloud, and a digital wallet would
need regulation at all 3 levels — but tailored to the role each plays.
Scope of Application: Who Counts as a BTFG?
How to Identify a BTFG
• A Big Tech may be classified as a BTFG if it shows significant involvement
in financial activities, including:
• Traditional regulated services (e.g., banking, insurance, securities)
• Other regulated activities (e.g., payments, stablecoins, wallets)
• Unregulated but financially relevant services (e.g., BNPL lending, digital asset
platforms)
Setting Thresholds
• Thresholds help determine when a Big Tech becomes a BTFG.
• These could be:
• Relative (e.g., >20% of revenue or assets from financial services)
• Absolute (e.g., >$5 billion in financial assets)
• Best to use a multiple-threshold approach to account for different business
models and balance sheets.
• Challenge: Big Techs can restructure to stay just below thresholds, so
regulators need flexibility.
What Happens After a Firm is Labeled a BTFG?
• The BTFG parent (even if not directly offering financial services) becomes
subject to:
• Group-wide rules
• Behavioral standards
• Risk governance expectations
• These rules aim to limit financial-commercial interdependencies without
overregulating non-financial subsidiaries.
• Exception: Tech subsidiaries that serve the financial sector (e.g., cloud
computing arms) may also be regulated due to systemic risk potential.
What Are Group-Wide Requirements?
• These are rules applied to the entire Big Tech Financial Group (BTFG) —
especially the parent company.
• They go beyond individual subsidiaries and look at the interconnected risks
across the group.
• The goal is to make sure risks don’t "leak" from one part of the group to
another (e.g., from cloud services to lending).
Why Focus on the BTFG Parent?
• The parent company often oversees and coordinates both financial and
non-financial arms.
• Even if it doesn’t directly offer financial services, it:
• Sets strategy
• Allocates capital
• Controls tech and data infrastructure
• So regulating the parent helps control group-wide risks at the source.
• Analogy: Regulating the parent company is like monitoring the general of an
army — not just individual soldiers.
Core Areas of Group-Wide Requirements
Governance and Oversight
• BTFG parents must have clear, transparent decision-making processes.
• Requirements may include:
• Defined roles and responsibilities across the group
• Independent oversight for risk management and compliance
• Board accountability for the conduct of subsidiaries
• Goal: Prevent the parent from “turning a blind eye” to risky behavior in its
financial arms.
Intragroup Transactions and Dependencies
• Controls on:
• Lending between entities
• Cross-subsidization
• Shared tech infrastructure
• Regulators may require:
• Clear reporting of all financial flows within the group
• Restrictions on using financial subsidiaries to fund risky commercial ventures
• Example: A payment company shouldn’t finance a failing e-commerce arm
without oversight.
Operational Resilience
• Group-wide requirements to ensure:
• Continuity of critical functions (even during cyberattacks or outages)
• Proper testing of business continuity plans
• Use of secure IT infrastructure (especially when tech services are provided to
banks)
• Example: If a Big Tech’s cloud platform hosts banking systems, a failure
could disrupt entire markets.
Conduct and Consumer Protection
• Big Techs must ensure:
• Fair treatment of financial consumers across platforms
• Avoidance of conflicts of interest
• Clear disclosure of product risks
• Scenario: A Big Tech shouldn’t use its shopping app to push financial
products without proper warnings or terms.
Data Governance and Sharing
• Clear boundaries on:
• How customer data is used across services
• Preventing unauthorized use of financial data for commercial gain
• May include:
• Data localization requirements
• Limits on automated decision-making using shared customer data
• Analogy: Think of a firewall between financial data and online shopping
habits.
Application to Subsidiaries
• Subsidiaries (e.g., payment firms, insurance units) continue to follow
sectoral rules.
• Group-wide rules complement, not replace, those obligations.
• Regulators ensure:
• Group-wide compliance doesn’t undermine existing regulations
• Parent company supports regulated subsidiaries (e.g., via capital or governance
structures)
International and Cross-Border Supervision
• BTFGs operate globally, so coordination is critical.
• Supervisory tools may include:
• Information-sharing agreements between countries
• Lead supervisor models where one regulator coordinates oversight
• Regulators must agree on:
• Home vs host responsibilities
• Enforcement mechanisms for group-wide rules