Q&A: How IBM aims to support innovation in the fintech sector
FinTech Futures recently spoke with Prakash Pattni, managing director for financial services digital transformation at IBM, to discuss the role the company plays in the fintech ecosystem, the shifting ‘fintechs versus banks’ paradigm, the looming threat of Big Tech, the regulatory balancing act facing fintechs and the promise and concerns around quantum computing.
FinTech Futures: IBM is a massive blue-chip tech giant. How does it fit into the fintech ecosystem? What sort of role does it play?
Prakash Pattni: There are a few things that we’re doing in this space. Most of our clients want to work with fintechs but they’re also aware of some of the risks of doing that, so they’re coming to us to help them partly ‘de-risk’ the fintech ecosystem.
For example, venture builder firms we’re working with who are at the stage where they haven’t picked a platform, we will work with them. We’ve got other big banks saying, “I’ve got a stable of fintechs and I’ve invested in them, but I can’t actually get them onboarded because they don’t meet my security requirements. Can you come and help us in that regard?”
We’re also running a bunch of start-up programmes as well, helping fintechs navigate this, but we also provide a lot more help in terms of the regulations and things that they won’t necessarily have enough skills for. There’s a whole suite of things we’re doing in the fintech space that people might not necessarily expect us to be doing.
You mentioned de-risking the fintech ecosystem, is that for more traditional legacy financial institutions or for any company that wants to get involved in the sector?
In the regulated industry space, we have very strong financial services, but we also work with healthcare and manufacturing and telco and governments as well. Any industry where there’s regulations where we have a strong understanding in that space, and we have a lot of history and background and experience.
It’s not just the fintechs, there’s a lot of other start-up organisations. One of the areas that we have focused on is where they’re dealing with sensitive data. Some of it’s financial, some of it’s healthcare.
The paradigm of fintechs versus banks, fintechs being the disruptors and upstarts, it seems to be over. Recently, that versus mentality has given way to a new kind of arrangement. What’s your take on the state of that relationship? How do traditional FIs and fintechs work together these days?
We’re having probably four or five conversations every single week with different banks and fintechs at least, and you’re right, 10 years ago, they were seen as threats. Now, I think they’ve realised that they can’t do everything, the banks know they can’t be good at everything and fintechs are really good at one or two things.
So, the banks are now working with these fintechs to really precisely solve specific problems that they have. Most of the banks we’re working with will have a stable of 30, 40, 50 plus fintechs they’re working with and collaborating with.
But I think they’re also starting to see the threat isn’t the fintechs, it is Big Tech trying to come into the space. Apple Pay, Venmo and other such providers, I think their focus has shifted quite a lot. I think it’s just much more collaborative.
Are fintechs feeling the heat from Big Tech, as much as perhaps banks and legacy financial institutions are?
Not yet, but there is a growing awareness. We recently ran a roundtable with fintechs and banks and the overarching theme for both of them was Big Tech was the next threat. But I think fintechs are realising it’s probably easier to work with big banks than with Big Tech. I think you’re seeing the market move in such a way where Big Tech is forcing these two entities to collaborate just from a survival instinct perspective.
The enemy of my enemy is my friend. Where there is still friction between fintechs and banks and FIs do you see opportunities for collaboration that have still yet to be capitalised on?
Yes. The friction points we’re seeing is less about whether to work together, it’s more about how they work together. We’re seeing that banks’ processes haven’t caught up, they’re still treating fintechs with the same legal and procurement processes that they would the IBMs of this world.
They haven’t got armies of lawyers, so we’re hearing from them that it just takes too long. For a bank to start to onboard and use a fintech, they just make it quite hard for them. So, we’re working on that in the space. We’re partnering up with another fintech that’s looking at solving the legal procurement side of things, we’re helping them solve the security compliance, regulatory side of things and so together we can remove these friction points.
Banks and fintechs still fail to work together, but I’m not seeing any more of the “we shouldn’t be working with them” mentality. It’s really much more how do we get this working efficiently as opposed to working with them at all.
Fintech is a rapidly evolving space, and it can be hard for regulators and governments to keep up. How can agencies and regulators and governments ensure they don’t choke innovation, but also make sure that they regulate financial services appropriately? What’s that balancing act in your mind?
One of the things I’ve noticed is this growing awareness of the risks, particularly second and third order effects, where there’s a cascade effect. For example, banks using a number fintechs and these fintechs are all sitting on the same cloud. Then that cloud provider goes down, which now will take out the call processing for a number of banks, for example.
On hackers, one of our security groups conducted a study and they found that vulnerabilities have increased, and more bad actors are taking advantage of these. Thinking about the supply chain risk or the surface area attacks, all of that has led to an increased awareness of the risk.
We’ve seen a lot of the regulators were talking to set up digital sandboxes and places for fintechs to go and play in a safe, secure way before they move. Some of that’s working, it’s a bit hit and miss at the minute, if I’m honest. There’s a lack of industry standards, everyone’s doing it slightly differently. There’s lots of barriers and we’ve been doing a lot of work with the regulators.
We’ve also set up an industry council made up of around 70 banks. We’re trying to help solve these problems with the regulators and create standards and simple ways of doing things so they can focus on the innovation. Personally, I still think there’s a fair way to go in terms of all the industry bodies and regulators working together to address this problem.
Regulations really need to be holistic and structural and the whole system needs to be standardised to a certain extent. Is that what you’d like to see more of?
Regulators will tell you ‘what’ you must protect, what you must keep secure, but won’t tell you how to deal with lots of different solutions.
I think they’re trying to not be overly prescriptive because that will choke innovation, but a level of prescriptiveness to get more clarity in terms of standards, so it’s not so open to interpretation, that would make sense. That’s what we’re doing, trying to get some of that prescriptiveness built in.
You mentioned hostile actors, bad actors. What sort of issues security-wise do you see cropping up again and again? Fintechs and banks, financial services, when they’re trying to transform digitally, what’s their biggest headache?
Most of the banks are using the cloud for their digital transformation activities and so therefore we’re seeing more bad actors targeting the cloud. Often, it’s about misconfiguration issues. If you have an object stored on the cloud, somewhere where you’re keeping your data, instead of locking it down and only making it accessible to certain approved people by default, it’s open and people aren’t securing it. You see people running bots that just scour the internet for objects that are unencrypted and open and they get access to the data. So, there’s an issue with setting up privileged access rights.
Another big one has been around vulnerabilities. I mentioned our external study. That found ransomware was the top attack vector, followed by supply chain vulnerabilities, followed by phishing, and then vulnerability exploitation. Around 20,000 vulnerabilities in different systems are discovered every year, and people have to go and patch all of this stuff. If they don’t, you’ve left an access point for someone, and they exploit that vulnerability. These are just some of the challenges.
Cloud used to be the shiny new toy of the industry. Now, it’s very much commonplace, everybody’s on the cloud. Today, we have technologies such as artificial intelligence and machine learning. And now even newer tech such as blockchain and distributed ledger technology, and, of course, quantum computing, which sounds really interesting. Can you talk to that progression from cloud to AI to ML to DLT to quantum computing?
Cloud is really good for the classic technology environment, taking what you are running in your own data centre and running it in a much more efficient way on the cloud. That’s become mainstream, it’s been going for 10-15 years now, nearly.
AI/ML is also getting pretty mature. I think that some of the early promise wasn’t realised because they were struggling with some of the ‘real-timeness’ of it. There’s often talk about using AI in a customer-facing way, where, for example, you’re in a shop and they want to be able to give you a discount. This is where artificial intelligence would come in. You see it with services such as Netflix, running algorithms that tell you what films to watch. A lot of these customer-facing applications have been restricted by computational power and access to data in a real-time way. That’s largely getting solved and technologies such as 5G will accelerate that even further.
When it comes to distributed ledger technologies, I’d say they’re a little bit less mature. A few years ago, people were aware of Bitcoin and things like that. But now you’ve got digital assets, you’ve got companies using DLT to map their supply chains. You have central bank’s looking at central bank digital currencies (CBDCs). I think we’re at the stage now where people are asking, “what do we do with this technology?”, figuring out the applications of this technology and its uses.
Applications for quantum computing are at an earlier stage, the technology’s just about maturing to the point where it’s becoming useful, and now we’re starting to work out what the applications are. We’ve got some ideas about areas where we think this will be really powerful, but it’s not going to take over just yet. There will be very specific types of solutions that it supports.
All of these technologies are at different levels of maturity, and they will solve different problems. Every company from a digital transformation point of view is looking to adopt some or all of them.
On quantum computing, can you tell me a couple of what those applications are going to look like?
The areas where people think it will have the most impact is going to be on applications such as drug discovery, the development of new materials. In drug development, you’re looking at all of these different interactions. It’s like a very complex maze that you’re trying to solve and computationally speaking, it’s very intensive regarding the number of resources that you need. So, for those types of problems, it’s really good.
There are also people looking at what they call optimisation problems. From a financial services perspective, we spend a lot of time running computations over risk, which drives how much capital banks need to hold. If you’re able to do better risk management, you can hold less capital and therefore invest. They often run what they call grid farms for big Monte Carlo simulations. The regulators will say, “you must be able to prove to me you’re not going to go under if this black swan event happens”. And that’s really where a lot of this time and effort is spent. In financial services, that’s where you’re going to start to see a lot of the applications of quantum come about.
I understand that with quantum computing, it might be able to break encryption. Obviously, that might be an issue for financial services. Are you concerned about that?
Yes. They call it quantum safe. Today’s algorithms are based on what I call factoring and quantum computing is brilliant at navigating that.
A traditional computer would try to break in by looking at every combination of a solution to try and break the algorithm. Quantum can do it in parallel, and so it can be done in minutes where classical computers may take hundreds of years. There are concerns that a lot of the data that regulators require us to hold – whether that’s for seven years, 20 years, and is still valuable – that even though it’s encrypted, there is the view that in a few years quantum will be able to break it and they’ll be able to gain access to it.
The NIST Institute, the National Institute for Standards, has been worried about this and they’ve been running a programme to identify quantum safe algorithms. Three of the four they have identified were built by IBM, so we have developed quantum safe algorithms, and we have also built quantum safe solutions into our latest mainframe technology.
People don’t realise that this has been almost 50 years in the making, quantum computing, so there’s been a lot of thought that has gone into this and people have been working on these solutions for a while now.
That’s reassuring. Moving on, B2B and B2C in fintech are generally two separate business models. But they often overlap. How do you see the fintech space developing over the next five years for both consumers and businesses? And do you see applications and solutions migrating from one to the other and vice versa?
I think a lot of fintechs that have been picking up on customer pain points are more in the B2C model. Buy now, pay later (BNPL), a lot of start-ups, a lot of those in the payments space, for example. This is where all the innovation is taking place because payments are the tip of the spear in terms of how a customer interacts with this technology, and this is where we see a lot of growth.
We’re also seeing a lot more of Big Tech coming in and embedded finance solutions, where people no longer have to enter their credit card details on Airbnb, for example. You enter those details once and you don’t even think about it anymore. That’s creating a lot of disintermediation between the banks and the client, or customer. We have a situation now where the data is moving from client to Airbnb, not client to the bank to Airbnb. As fintechs are evolving we are seeing a lot more of that disintermediation.
Banks are waking up to it, saying they don’t know what their clients are doing anymore. Data is obviously gold in this space, and they can’t run their algorithms against that data anymore, so that’s where people are starting to get worried. But it’s still in that stage where some are still wondering if it’s real or not.
You represent the EMEA region, can you speak to some of the aspects of fintech that are particular to EMEA compared to other regions around the world?
In the digital asset space, at least in EMEA, it has grown massively compared to perhaps some of the other regions. Not just Bitcoin and digital currencies, but more broadly, we’re seeing little pockets of activity in areas such as Switzerland and Germany.
We’ve seen quite a lot of fintechs that are working on addressing the unbanked, especially in Africa and the Middle East and in countries such as India, compared to Singapore or in North America, for example.
Because these populations are mobile-first, they’ve not had to build or rely on a banking infrastructure and local bank branches, for example. So, we’re seeing a massive shift in fintech development that addresses mobile banking and therefore dealing with the unbanked and reducing that significantly. Those two strands, digital asset adoption and penetration, and mobile-first baking addressing the unbanked, those are very common issues across the various types of industries and technologies we are seeing.