Cyberspace and Fintech Borders

By Dr. Rosa Lastra and Dr. Jason Grant Allen

Since the 1990s, the Internet has become the communications channel used for an increasing number of commercial and financial transactions, not least because it makes transacting across geographical distances quicker, easier, safer, and more affordable. Already in the 1990s, it became clear that the Internet was much more than just any communications channel, and various metaphors were employed to understand the nature of the new forum of human interaction it created. One of the most successful of these metaphors likens the Internet to a place—the metaphor of ‘cyberspace’. This posits the Internet as a venue in which objects, events, and actions exist in parallel to—and in some relevant sense apart from—the physical environment of the human parties interacting. 

Increasingly, it is becoming necessary for lawyers and regulators to deal with economic objects, events, and actions located in cyberspace as part of their daily work. This makes it necessary to work out their legal nature, treatment, and implications. This is especially true of developments in the financial use of cloud computing, distributed ledger technology (‘DLT’), and the growth in purely digital assets such as ‘cryptotokens’. For example, Internet-based financial services may present difficult questions relating to the place where a service was rendered, the situs of a virtual res (be it a bitcoin or a virtual sword), or even, in some jurisdictions, whether something like a bitcoin can be ‘owned’ at all. These sorts of questions are important, in turn, for the determination of applicable law to Internet-based financial activity and for the determination of competence among national regulators. A well-known example of the latter problem is the determination of bitcoins as ‘commodities’, ‘securities’, and/or ‘money’ in United States law. 

This is the context of our recent working paper, ‘Law and Borders II: Mapping the Third Border’. In this paper, we focus on the problems that the rise of Fintech could raise for conventional financial regulation, paying particular attention to the goal of financial stability. Our starting point is an observation developed in a 2010 paper exploring the causes of the 2008 Global Financial Crisis (‘GFC’). In that paper, Goodhart and Lastra introduced a ‘border problems’ metaphor to explain the difficulties of imposing effective regulation on financial services in a globalized financial system. They posited two borders: (i) the border between regulated and unregulated activities and entities, and (ii) the border between national jurisdictions. These borders are ‘crossed’, with potential implications for financial stability, when e.g. an unregulated entity starts providing financial services in the regulated market, or when an overseas financial services provider starts offering services to consumers in a marketplace regulated by a national authority. 

As Goodhart and Lastra explained, border problems played a role in the lead-up to the GFC, for e.g. through the partnership of a regulated with an unregulated entity offering novel products or services. The borders metaphor is useful because it highlights the operation of substitution effects in the financial services market: To the extent that financial regulation is effective, it makes the regulated activity less profitable (for example by imposing prudential limits or compliance expenses). There is, in consequence, a constant incentive to access regulated markets from an unregulated space. 

As the Internet provides an ideal communications channel for financial services provision that potentially circumvents both of these ‘borders’, we consider in this paper whether it makes sense to introduce a third border into the model: a border between the intuitive categories of ‘cyberspace’ and the ‘real world’. In the 1990s, in particular, it was common to present cyberspace not just as a place but as a place outside of the territorial jurisdictions of conventional (national) sovereigns. Much of the techno-libertarian ideology behind the ‘cryptocurrency’ movement, for example, is still imbued with the belief that agents transacting in cyberspace should be left to their own devices to develop their own normative orders. Whether one argues for the Internet as a virgin continent (to be brought under national jurisdiction), the high seas (conceptually or at least technically incapable of being brought under national jurisdiction), or merely an outgrowth of existing territories (for example where its physical architecture is situated), it seems to us to be necessary to grapple with a set of conceptual problems at the heart of the notion of ‘cyberspace’ and its relation to the ‘real world’ in the context of financial services. 

A more granular map of the ‘known borders’

To develop the borders metaphor, we first flesh out what is meant by ‘regulated’ and ‘unregulated’. Most often, we say that an activity is ‘regulated’ when it is not permitted unconditionally, i.e. when it is prohibited in certain circumstances. Most often, a regulated activity is subject to a general prohibition in the absence of a positive permission, such as a license. Sometimes we also mean that something is generally permitted but subject to oversight; we would suggest a distinction between ‘regulation’ and ‘supervision’ in this context. Likewise, when we refer to a ‘regulated entity’, we most often refer to one that has been granted such a positive permission to engage in a regulated activity. By ‘unregulated activity’, we suggest, is generally meant an activity that is not subject to any specific norms beyond the general law. We observe that the notion of a regulated activity also implies that the activity in question is possible in the first place. Technology (in this case, information and communications technology) makes new forms of interaction possible, which the law must then characterise as permitted, obligatory, or prohibited (and under what conditions).

As for ‘territorial jurisdiction’, we note that this term is often used as if it referred to an unproblematic category. In fact, it is quite difficult. We define a territorial jurisdiction as a geographically defined, but socially constituted, space in which certain rules (but not others) exist in force, and in which certain institutions (but not others) enforce them. Politico-legal entities such as nation states have borders that are made and unmade with the stroke of a pen. The upshot of our brief investigation of the ontology of the nation state is the insight that states are not part of the ‘real world’ in a straightforward, physical sense; the left bank of the Rhine is physically identical to the right bank, it is the invisible projections and beliefs of human communities that are different. These are recorded in durable form in declarations of independence, constitutions, and maps. This aspect of conventional social reality, then, has always relied on some technology (e.g. writing and mapmaking). 

A third border? 

We conclude that, while it does make sense to incorporate a third border into the model, doing so requires us to consider carefully how the conventional borders relate to the new border. Our analysis suggests that Goodhart and Lastra’s borders are conceptually joined; the second border—between national jurisdictions—is in one sense an extension of the first. An entity that is regulated (licensed) in Jurisdiction A may be unregulated (unlicensed) in Jurisdiction B; if that entity provides financial services to consumers in Jurisdiction A, it could equally be said that the first or the second of the borders have been crossed. However, we argue that the second border adds to the model by highlighting the specific difficulties associated with e.g. foreign entities engaging in nationally regulated activities. Likewise, the ‘third border’ we posit between ‘cyberspace’ and the ‘real world’ is reducible to the first, as well. An entity that claims to operate solely in cyberspace selling financial products to consumers in the United States, for e.g., would cross the ‘known borders’ as well as the border between ‘cyberspace’ and the ‘real world’. But we argue that the third border adds to the model by highlighting the specific difficulties associated with services offered within the context of a prima facie non-territorial communications environment. 

The Internet jurisdiction debate is brewing

This leads us into a more general exploration of jurisdiction, territoriality, and cyberspace. Much of our social world is already constituted in digital information repositories—the real novelty today is due to innovations like cloud-based computing and DLT, not the digital nature of economically relevant objects, events, and actions per se. Thus, we conclude that the ‘real world’—one seminal study from the 1990s refers to the ‘world of atoms’—is not a very helpful way of describing conventional social, economic, and legal reality, including nation states and their regulatory authorities. This suggests that we should re-examine the habit of contrasting novel Internet-based financial objects (such as ‘cryptocurrencies’) with ‘real world’ financial objects (such as cash or demand deposits or central bank reserves). Many of the latter are already in ’cyberspace’; the advent of novel Internet technologies such as cloud computing and DLT increase the urgency of existing conceptual problems, rather than presenting wholly new problems themselves. 

We identify Internet jurisdiction as a topic of debate that is going to increase in intensity over the coming decade. Surveying the different approaches observable today, ranging from ‘Californian techno-libertarianism’ to ‘Chinese digital authoritarianism’, we echo recent calls for a European ‘third way’. Such an approach emphasises the importance of national sovereignty in cyberspace, but also accords private and hybrid stakeholders a role in the governance of this new ‘realm’—and recognises legitimate individual interests such as privacy. In other words, while we accept some utility for the ‘place-ness’ metaphor implicit within the notion of ‘cyberspace’, we do not accept the kind of claim typical of the mid-1990s (and some contemporary literature) for territorial sovereigns to treat cyberspace as they would a foreign sovereign territory. Nor do we wish to see the Internet fractured into so many national or regional intranets. While we do not present a mature theory of Internet jurisdiction, we note that a conflicts/private international law analysis is insufficient on its own, and refer to recent accounts that explore the public and international public law interests that should also inform the emerging doctrine of Internet jurisdiction. In particular, we argue that conventional sovereigns must retain a role in the regulation of Internet-based financial services based on their consumer protection and financial stability mandates. By its very nature, financial stability challenges nationally-based regulations because risks to financial stability, like other systemic risks, can easily arise outside the regulated sphere. 

We conclude with the hope that our conceptual exploration of the nature of cyberspace is helpful to framing the broader debate, and with a number of concrete observations in the context of financial regulation specifically. First, we argue that the difficulty of policing the ‘third border’ speaks to regional and international cooperation. The expansion of harmonized jurisdictional spaces and increased cooperation between national regulators, we argue, will help to ameliorate the inherent difficulty of regulating Internet-based financial activities. In particular, we argue against a race to the bottom and emphasise the blindness of systemic risks to things like national borders. Secondly, we observe that territorial sovereigns will retain significant leverage over the Internet because the Internet has a physical infrastructure and because its users (even the techno-libertarian ones) have to live somewhere—preferable in a jurisdiction which respects their property rights. Thirdly, we observe the importance of identity—usernames, account numbers, private and public keys—in the practical functioning of a modern financial economy. Fintech generally works with identities that may or may not be clearly connected with a ‘real world’ identity such as a name or social security number. It is essential, we argue, for national regulators to insist on maintaining the link between the human actor and the online avatar that transacts in cyberspace. Fourthly, we argue that national regulators should be open to working with emerging self-governance frameworks in cyberspace, but that attention should be placed on the points of connection and intersection between national legal orders and these ‘zones’ of self-government in the Internet. Finally, we argue that national regulators should ‘fight fire with fire’ by using novel technology to monitor cyberspace. Most ‘Regtech’ innovation to date has occurred on the side of regulated entities, rather than regulators; we welcome efforts by regulators in the future to provide ecosystems in cyberspace with baked-in compliance. 

Wherever the next systemic shockwaves are going to originate, we close with the same warning that Goodhart and Lastra made in 2010: regulation usually follows crises counter-cyclically. While it is undesirable to stifle innovation, it is even less desirable to allow systemic risks to proliferate below the radar and to act only once they materialize. Regulation should occur pro-cyclically, and the time to respond pro-actively is now.

Dr. Allen is the Alexander von Humboldt Foundation Post-Doctoral Fellow, HU Berlin Großbritannien-Zentrum.  Professor Rosa Lastra  is the Sir John Lubbock Chair in Banking Law at the Centre for Commercial Law Studies (CCLS), Queen Mary University.