Bigtechs in finance: forging a new regulatory path

Agustín Carstens is the General Manager at the Bank for International Settlements

Bigtechs and data

We at the BIS have been closely following large technology firms (bigtechs) and their advances into finance1. Bigtechs’ reach extends across a wide range of industries, with existing core businesses grounded in e-commerce and social media, among others. From this base, they have expanded into finance.

To understand how bigtechs can easily make forays into finance, one must grasp the key role of data. Indeed, bigtechs have fully embraced the centrality of data in the digital economy. This is what distinguishes them from other firms. It also shapes their unique characteristics. Let me mention those that are particularly relevant for policymakers.

First, bigtechs can overcome limits to scale in financial services provision by using user data from their existing businesses. Their business model revolves around users’ direct interactions and the data generated as a by-product of these interactions.

They use that data to offer a range of services that exploit the inherent network effects in digital services, a phenomenon where more users attract ever more users. In this way, bigtechs can establish a substantial presence in financial services very quickly through what we call the ‘data-network-activities’ (DNA) loop.

Second, bigtechs collect different types of data from the various business lines they straddle2. They are uniquely positioned to combine that data to uncover patterns and insights that can help them improve their services or offer new ones3.

This combination of different types of data across sectors carries efficiency gains and is key to bigtechs’ provision of digital services.

Third, bigtechs are unrivalled experts in data management and analysis. They devote significant resources to developing or acquiring state-of-the-art technologies. After all, access to large troves of data generates value only if you also have the technological capabilities to analyse it and monetise it.

Bigtechs have been pioneers in leveraging artificial intelligence techniques for this purpose4. To be sure, these capabilities have high fixed costs, but once that is overcome the marginal cost of handling more data is negligible.

Therefore, bigtechs benefit from significant economies of scale in their use of data. For other firms, reaping the benefits of such economies of scale is a tall order.

Data management is thus at the core of bigtech activities, and the financial sector is all about managing information. Coupled with bigtechs’ relentless drive to expand, their growing and already substantial footprint in financial services should come as no surprise.

Moreover, the trend towards greater digitalisation, which the COVID-19 pandemic has accelerated, has allowed bigtechs to fortify their market positions even further.

Public policy challenges

Given their size and customer reach, bigtechs’ entry into finance could trigger rapid change in the industry, generating both opportunities and challenges. The potential benefits of bigtechs’ entry into finance include improved customer outcomes, increased financial market efficiency and enhanced financial inclusion.

For example, BIS research has shown that access to innovative (QR code-based) payment methods provided by bigtechs helps micro firms build up credit history, and the use of bigtech credit can ease access to bank credit5. And there are many more examples.

But it’s not all roses in the garden. The economic features that make bigtechs powerful in lowering costs and supporting financial inclusion also create new challenges for policymakers6.

First, data governance. Bigtechs have large amounts of personal data, and their use comes with a trade-off between data efficiency and privacy. While detailed data may help align products on offer with consumer preferences and lower costs, there are risks to consumers, especially when sensitive data are shared.

Moreover, bigtechs can engage in price discrimination, making consumers worse off7. Restricting the use of data may help, but could have costs for allocative efficiency8.

Second, competition is at threat in the presence of bigtechs. While bigtechs can initially bring greater competition, network effects allow them to quickly build positions of dominance in specific market segments, for example by increasing user switching costs or raising barriers to entry.

And the resulting concentration dynamics have a direct effect on market contestability and consumer welfare. Thus, new entry may not increase market contestability. Moreover, in the case of network industries market failures and externalities may arise.

Last, but certainly not least, there are important financial stability considerations which fall squarely within the mandates of central banks and financial regulators. Let me elaborate on specific concerns around the financial stability risks arising from bigtechs in finance.

One concern centres on bigtechs’ potential systemic importance. Financial services currently represent a relatively small part of bigtechs’ overall activities, but this can change rapidly through the DNA loop. They may quickly become ‘too big to fail’.

This gives rise to concerns about the emergence of dominant firms with excessive concentration of market power and a possibly systemic footprint in the financial system.

A second concern is emerging around the risks from substantive interdependencies inherent in bigtech activities9. These arise between bigtech entities because they share data and provide relevant services to each other. They also share technological platforms and applications and use a common payment infrastructure10.

Meanwhile, interdependencies with outside parties arise from joint ventures with financial institutions in providing financial services. These partnerships can entail an opaque distribution of responsibilities that diffuses accountability and hinders adequate oversight. They also have the potential to intensify operational, reputational and consumer protection risks as well as moral hazard issues.

Then there is a third concern around the role of bigtechs as providers of critical services. Financial institutions have come to heavily depend on bigtech technology services, and this is exacerbated by bigtechs’ tendency towards market concentration.

While these services bring many advantages, the widespread dependency on them is forming single points of failure, and hence creating new forms of systemic risk at the technology services level. This type of risk is particularly evident in the market for cloud computing, which is highly concentrated and now dominated by a handful of bigtechs11.

As a consequence, disruptions in the operations of one bigtech could have a substantial impact on the financial system12. In other words, greater operational risks can translate into greater financial stability risks, especially when critical services are highly concentrated.

The concerns I have just discussed are aggravated by shortcomings in the current regulatory approach, which is not fully fit for purpose to deal with the unique set of challenges arising from bigtechs’ entry into financial services.

Innovation never rests, as recent advancements in artificial intelligence and the emergence of quantum computing make clear. But I am confident that the international community will find ways to address current and coming challenges

The current regulatory approach and its shortcomings

Most financial activities in which bigtechs engage are governed by sectoral regulations. And the existing ones can at best partially address the risks I outlined earlier.

These regulations are grounded on the main supervisory concerns in each sector, be they the protection of depositors, policyholders or investors. They were not designed with bigtechs in mind and therefore are not geared towards possible spillover effects across all the activities bigtechs perform, or their potential systemic relevance.

And yet they determine the applicable regulatory treatment for bigtechs’ financial activities, the width of the regulatory perimeter and the reach of supervisory oversight.

Importantly, such regulations tend to follow an activity-based approach, where providers must hold licences for specific business lines13. Activity-based regulation constrains an activity on a standalone basis by imposing restrictions on how it can be performed.

It does not vary according to the type of entity that performs the activity. It also does not consider possible spillover effects from other activities performed by the same entity14.

In contrast, entity-based regulation constrains a combination of activities at the entity level by imposing restrictions on an entity’s characteristics that affect the likelihood and repercussions of its failure. Such combinations of activities affect an entity’s resilience.

The financial stability risks of such combinations cannot be addressed by constraining individual activities, without any controls on the critical interactions across bigtech entities and their activities. In short, a purely activity-based framework for regulation is ill suited to address the policy challenges bigtechs pose.

Forging a new regulatory path

Without a doubt, a regulatory re-think is warranted, and we need a new path to follow. One that considers the key role of data in bigtechs’ DNA-based business model. One that strikes the right balance between benefits and risks.

We at the BIS have argued for some time now that we have to go one step further and regulate bigtechs directly15. More concretely, we need to consider how best to complement existing activity-based rules under sectoral regulations with group-wide entity-based requirements that would allow authorities to address financial stability risks emerging from the interactions between the different financial and commercial activities that bigtechs perform16.

It is high time to move from theory to practice and consider tangible options for regulatory actions. Now let me attempt to put forward a blueprint for thinking about what such options could look like.

Recent BIS publications have identified three regulatory approaches that could serve as a basis for a new regulatory framework for bigtechs in finance17.

First, the restriction approach would prohibit bigtechs from engaging in regulated financial activities. It follows the logic inherent in the traditional separation of commerce and banking that prevails in many jurisdictions.

This approach radically alleviates financial stability concerns as bigtechs would be left only with their non-financial business lines. Yet it would deprive them from using big data to solve asymmetric information problems, for example assigning credit scores to small and opaque firms that do not have collateral18. It would therefore remove the numerous benefits that bigtech services in finance have brought.

Second, the segregation approach would require a bigtech’s financial services to be grouped together under the umbrella of a financial holding company. This financial subgroup would have to meet prudential and other requirements. And it would be ring-fenced to mitigate the potential for contagion effects from non-financial to financial activities.

This could be achieved by banning the use of common group-wide technological platforms and any form of data-sharing between the financial and non-financial parts of the bigtech group.

This approach is conceptually simple, increases the transparency of a bigtech’s organisational structure and facilitates oversight. Yet it would prevent bigtechs from realising synergies and economies of scale, and from generating insights from data generated across sectors.

It would therefore come with some of the shortcomings of the restriction approach. In all likelihood, this would lead – at least some – bigtechs to exit financial services altogether.

Third, the inclusion approach would make bigtechs with significant financial activities subject to group-wide requirements on governance, conduct of business, operational resilience and, only when appropriate, financial soundness.

This is because most bigtech risks are not strictly related to their financial soundness but their data-driven business model. Requirements would be levied on the group as a whole, including the bigtech parent.

This approach is tailored to existing business models. It acknowledges the fundamental role of data within bigtech groups and their tendency to use them to achieve dominant market positions.

As such, it would not prevent bigtechs from making efficient use of data collected from different activities, like the previous two approaches, as long as they observe sound data governance principles and effective pro-competition rules on a group-wide basis.

However, the inclusion approach is more complex than the segregation approach, as it requires effective monitoring of global groups that conduct a large variety of activities.

The segregation and inclusion approaches are to some extent mutually compatible, and in practice a combination of both may be desirable. Such a holistic approach could combine a prudential sub-consolidation of the financial part of a bigtech group (as under the segregation approach) with group-wide requirements on governance, conduct of business and operational resilience (as under the inclusion approach). Importantly, it would avoid efficiency losses in the use of data that (too) tight ring-fencing measures could cause.

Regardless of the approach chosen, the implementation of any comprehensive entity-based regulatory framework for bigtechs is beset with challenges and raises a host of practical questions.

One is how to ensure effective cooperation and information-sharing between financial, data and competition authorities at the local and crossborder level.

Another is whether any one authority has the expertise required to serve as lead supervisor for global groups that engage in a wide set of data-driven financial and non-financial activities.

Yet another is about enforcement and extraterritoriality, especially when bigtech services are performed by entities incorporated in foreign jurisdictions. This, together with unavoidable political considerations, may also explain why progress towards a new framework has been slow19.

And, I’m afraid to say, as we are working on devising an adequate policy response to bigtechs, challenges will continue to emerge. Innovation never rests, as recent advancements in artificial intelligence and the emergence of quantum computing make clear. But I am confident that the international community will find ways to address current and coming challenges.


To support the search for answers, a thorough international policy debate is essential. After all, international standards are the only way to shape a consistent policy response. As the saying goes, policymaking is poetry, implementation prose. But before we can even think of implementation, we need to consider the right policies.


1. The BIS and the Financial Stability Board (FSB) define bigtechs as large companies whose primary activity is digital services. See BIS, “Big tech in finance: opportunities and risks”, Annual Economic Report 2019, June, Chapter III; and FSB, FinTech and market structure in financial services: Market developments and potential financial stability implications, February 2019.

2. For example, bigtechs with a dominant presence in e-commerce collect data from vendors, such as sales and profits, combining financial and consumer habit information. Bigtechs with a focus on social media collect data on individuals and their preferences, as well as their network of connections. Bigtechs with search engines do not observe connections directly, but typically have a broad base of users and can infer their preferences from their online searches.

3. Data from e-commerce platforms can be a valuable input into credit scoring models, especially for small and medium-sized enterprise and consumer loans. Bigtechs with a large user base in social media or internet search can use the information on users’ preferences to market, distribute and price third-party financial services (like insurance).

4. For example, bigtechs leverage sophisticated artificial intelligence-based tools as part of their credit scoring systems. They have also invested in emerging technologies such as quantum computing. See JC Crisanto, J Ehrentraud, M Fabian and A Monteil, “Big tech interdependencies – a key policy blind spot”, FSI Insights on policy implementation, no 44, 2022.

5. T Beck, L Gambacorta, Y Huang, Z Li and H Qiu, “Big techs, QR code payments and financial inclusion”, BIS Working Papers, no 1011, 2022; and K Croxson, J Frost, L Gambacorta and T Valletti, “Platform-based business models and financial inclusion”, BIS Working Papers, no 986, 2022.

6. A Carstens, “Regulating big tech in the public interest”, speech at the BIS conference “Regulating big tech: between financial regulation, antitrust and data privacy”, 6–7 October 2021; and F Boissay, T Ehlers, L Gambacorta and HS Shin, “Big techs in finance: on the nexus between data privacy and competition”, BIS Working Papers, no 970, 2021.

7. See O Bar-Gill, “Algorithmic price discrimination: when demand is a function of both preferences and (mis)perceptions”, University of Chicago Law Review, no 86, 2019.

8. See Boissay et al, op cit.

9. See Crisanto et al, op cit.

10. Bigtechs’ ecosystems rely on common technological infrastructures including physical (servers, computers, facilities, hard drives etc.) and non-physical (software, applications, cloud structures, data lakes etc.) elements that support the storage and transmission of data, and other operations of bigtechs.

11. The top four providers (Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud) control around 70% of the global market across all sectors. See Synergy Research Group, “As quarterly cloud spending jumps to over $50B, Microsoft looms larger in Amazon’s rear mirror”, 2022.

12. Two significant outages of bigtech services in 2021 substantiate the argument that these operational vulnerabilities are not merely a theoretical consideration.

13. The exception is banking and insurance. See A Carstens, S Claessens, F Restoy and HS Shin, “Regulating big techs in finance”, BIS Bulletin, no 45, 2021.

14. See F Restoy, “Regulating fintech: what is going on and where are the challenges?”, speech at the ASBA-BID-FELABAN XVI Banking public-private sector regional policy dialogue “Challenges and opportunities in the new financial ecosystem”, Washington DC, 2019; F Restoy, “Fintech regulation: how to achieve a level playing field”, FSI Occasional Papers, no 17, 2021; and C Borio, S Claessens and N Tarashev, “Entity-based vs activity-based regulation: a framework and applications to traditional financial firms and big techs”, FSI Occasional Papers, no 19, 2022.

15. See Carstens, op cit.

16. See Restoy, op cit.

17. See J Ehrentraud, J Evans, A Monteil and F Restoy, “Big tech regulation: in search of a new framework”, FSI Occasional Papers, no 20, 2022.

18. See L Gambacorta, Y Huang, Z Li, H Qiu and S Chen, “Data vs collateral”, BIS Working Papers, no 880, 2020.

19. A few jurisdictions have started to insert entity-based rules in their regulatory framework to cope with selected risks presented by bigtechs. See JC Crisanto, J Ehrentraud, A Lawson and F Restoy, “Big tech regulation: what is going on?”, FSI Insights on policy implementation, no 36, 2021; and F Restoy, “The digital disruption: the role of regulation”, speech at the virtual conference by the Asia School of Business and BIS “Digital disruption and inclusion: challenges and opportunities”, 2022.

I would like to thank Iñaki Aldasoro, Juan Carlos Crisanto, Johannes Ehrentraud, Leonardo Gambacorta, Fernando Restoy and Raihan Zamil for their input. This article is based on a speech delivered at the BIS conference ‘Big techs in finance – implications for public policy’ Basel, Switzerland, 8–9 February 2023.