European Banking Authority Outlines Risks And Opportunities Arising From DLT

July 23

On 3 July 2018, the European Banking Authority (EBA) published a report outlining the prudential risks and opportunities arising from FinTech as part of its 2018 FinTech Roadmap.

The report includes useful guidance on the use of distributed ledger technology (DLT) for trade finance and CDD (although the EBA is keen to note that the report should not be considered to provide an exhaustive list of possible prudential risks and opportunities that may arise.)

Trade Finance

Trade finance processes are traditionally considered to be very labour-intensive and paperwork-heavy and the transfer of assets is perceived to lack transparency, with payments frequently delayed and prone to errors, resulting in high operating costs.

The EBA notes that a number of companies have been analysing whether or not DLT, and more specifically smart contracts running on a permissioned DLT, could streamline trade finance. However, it acknowledged that the use of DLT and smart contracts for trade finance still remains a prospective use case.

The risks and opportunities identified by the EBA in the context of DLT and trade finance are summarised below:

Prudential Risks Opportunities
Applicable law – there may be uncertainties around the applicable law as DLT nodes could be located in different jurisdictions whose laws may conflict with each other. Establishing the applicable jurisdiction is also critical if a dispute arises. Efficiency – DLT reduces the administrative burden and unnecessary waiting times e.g. automatically triggering other actions when pre-defined events occur such as the release of funds. DLT may also reduce the time parties are exposed to counterparty credit risk and reduce liquidity risk.
Forgery – the risk of forged papers could arise if not all transaction parties accept the use of digital documents. Reducing costs – eliminating manual processes and physical paper instruments could lead to cost efficiencies.
Compliance – there may be potential compliance issues in relation to sharing personal data, competition laws regulating joining consortia,  or  AML / CFT. Transparency – institutions could leverage the use of DLT to enlarge their customer base by offering a more convenient, efficient and transparent solution for customers.
Governance – a lack of adequate governance of the distributed ledger, including an absence of a central party to govern the platform or the expulsion of a party on the grounds of non-compliance, could lead to operational and reputation risks. Verification – storing documents in the ledger means their existence and integrity can be verified, possibly preventing duplicate financing and loss of documents.
Third parties – there may be an increased dependence on third parties which could lead to further potential risks including a concentration risk where multiple institutions rely on the same service provider. Resilience – transactions would be distributed and replicated in multiple nodes, therefore providing high availability as the platform would continue working even with some nodes not working properly.
Security – there could be an increased information technology security risk. The sums involved in trade transactions might incentivise internal and external fraud. Common view – all parties could share a common view of the ledger, levelling the playing field and potentially reducing disputes.
IT Challenges – code is distributed throughout the DLT, and correcting a mistake in every node could be challenging. Keeping all nodes updated and testing the changes could also be more complicated than in a centralised system.  DLT could also pose ICT availability and continuity risks. In addition, operational errors may be exacerbated by the fact that errors in the data or computer code could be quickly propagated throughout the DLT. End-to-end visibility – using DLT could make it easier for parties to spot transactions or patterns that may give rise to suspicions of money laundering, etc.
Fee reduction – the use of DLT may result in institutions being pressured to reduce fees and commissions on foreign exchange, -possibly impacting business risk. Reduce errors – automation could make the process less prone to errors by significantly reducing the possibility of human mistakes.
Reputational risk – a potential poor service, poor user experience and fines for non-compliance could negatively affect a firm’s reputation.  

Customer identification and verification processes

The EBA also comments on the potential use of DLT in AML / CFT compliance, particularly as part of customer identification and verification processes. This application of DLT aims to facilitate the CDD process, which can be quite complex, expensive and burdensome to institutions.

The EBA notes that the market is currently considering a number of digital identity solutions whereby institutions can share verified customer data with other institutions via DLT, but it’s early days. Accordingly, in the report, the EBA considers a theoretical use case involving a possible solution in which a number of institutions participate and have access to a distributed database of verification results of corporate customer data. The EBA also notes that while there are several major technology companies which have announced new alliances with start-ups, specialising in digital identity and attribute-sharing solutions based on DLT, all these initiatives appear to be at early stages and have not produced any tangible results so it has not been possible to assess their effectiveness when used in AML/CFT compliance.

The EBA recognises that the potential prudential risks with a DLT solution for CDD include compliance, forgery, governance, IT and third party dependence – consistent with the risks raised in the context of the trade finance use case detailed above. It also identifies various other risks as discussed in the table below. However, the EBA also recognises the potential benefits of DLT in the form of decentralisation, resilience and reduction of data integrity risk, plus various opportunities provided by DLT, as further outlined below.

Prudential Risks Opportunities
Compliance – there is a risk of relying on previous CDD processes performed by others where they are invalid or incomplete. This risk is exacerbated where institutions are based in different jurisdictions due to the differences in AML / CFT legislation. Leveraging previous CDD – institutions could potentially leverage the CDD applied by other jurisdictions, preventing duplication. Where the customer is considered high risk, any additional information required to meet enhanced CDD requirements may already have been added to the platform by another participating institution.
Uncertainty – there is a great deal of legal and regulatory uncertainty relating to digital identity and smart contracts. The legal status of both may differ between jurisdictions. This could lead to difficulty in assigning liability. The EBA also makes reference to potential competition law and data privacy concerns. Reducing costs – DLT could enhance customer experience and reduce operational costs and administrative burden for institutions as the updated CDD would be distributed in real-time between all participating institutions and increase transparency through a clear audit trail of customer records.
Security – a concentration of identity data may make the solution a target for hacking or cyber-attacks Sensitive information on external data stores could be leaked or inappropriately accessed, especially if not encrypted. Recovery networks may not be adequately managed or may be deceived or attacked to get others’ identities. If an identity is compromised, this may lead to impersonation and the legitimate owner may have trouble proving its own identity. In extreme cases, this could lead to the whole system being compromised and even an attack on end users’ devices. New business models – institutions could also be seen as data service providers, offering services such as certification of solvency, identity recovery services or validation of digital identities.
Reduce errors – automation could make the overall process less prone to errors by significantly reducing the possibility of human mistakes.
Sue McLean is a partner in the IT/Commercial Practice Group in Baker McKenzie's London office. Sue advises clients on technology, sourcing and digital media business models and deals, as well as the legal issues relating to the implementation of new technologies. Sue advises clients (both customers and suppliers) on a wide range of technology matters including outsourcing, digital transformation, technology procurement, development and licensing, m/e-commerce, cloud computing, AI, FinTech, blockchain/DLT, social media, data privacy and cybersecurity. Sue also advises on commercial agreements and the commercial, technology and intellectual property aspects of M&A transactions and joint ventures. Sue has experience across various business sectors, including the financial services, consumer, TMT, travel and life sciences industries. She regularly speaks and writes about the impact of disruptive technologies and has a regular blog for Computerworld.