2.1 Moral Hazard

A moral hazard is where one party is responsible for the interests of another, but has an incentive to put his or her own interests first. Inadequate control of moral hazards often leads to socially excessive risk-taking and excessive risk-taking is certainly a recurring theme in the current financial crisis.Footnote ⁴ Similarly, technology itself is neutral, but the R&D and application processes will inevitably be intervened and affected by corresponding entities; the interest demand and values of fintech companies and financial institutions will be inevitably packed into certain fintech along with codes. Although fintech could overcome and solve the market frauds for information asymmetry by itself, in the application process of fintech, the developers and users of fintech may be engage in dishonest behaviours based on their own interests. By relying on the “technology black box,” fintech companies may implement unauthorized search or use of user data, set unfair algorithms, or have other behaviours harming the interests of financial consumers; the new-type transaction methods emerging by relying on fintech may also become a hotbed for market frauds due to insufficient information disclosure and incomplete appropriateness management, so as to breed new-type moral hazards.Footnote ⁵

2.2 Technical Risk

The technical attributes of fintech itself determine that it is difficult to completely eliminate technical risks due to its incompleteness and vulnerability of technology, and fintech will inevitably generate technical leaks in the process of R&D, application, operation, and maintenance because it involves many entities with varying technical capabilities. This opens consumers and other participants up to new vulnerabilities ranging from identity theft to closely targeted advertising and fine-grained price discrimination.Footnote ⁶ Meanwhile, fintech may have vulnerability due to the negative effect or technical characteristics of its underlying technology, so as to generate technical risks. Fintech’s technical incompleteness attribute and network-security threat and other inherent defects, as well as the algorithm black box and real-time data processing or other technical characteristics, may all become important causes to lead to technical risks.

2.3 Legal Risk

Fintech is changing finance in fundamental ways, from investment management to capital raising to the very form of currency itself.Footnote ⁷ The application of fintech will hasten the birth of new-type financial-transaction models and brand new rights and obligations structures; due to the lagging and incompleteness of changes to the legal system, it is easy to cause non-adaptation and non-co-ordination between fintech innovation and legal-system operation, so as to produce legal risks. Specifically, under the strict access control of the financial industry, fintech companies are unable to directly put fintech into use without obtaining corresponding financial-business admissionFootnote ⁸; while the entity status and rights and obligations of fintech companies in the financial legal system are unclear so far, their participation in financial activities may face uncertainty in legal evaluation. Meanwhile, because the application of fintech will transform the traditional financial-transaction model, no matter whether it is AI-Advisor based on an artificial-intelligence algorithm or the issuance of tokens based on blockchain technology, they all have different degrees of deviation from the existing regulatory system; under the circumstance that the legal system and regulatory rules are not updated in a timely way, the application of fintech will also have certain compliance risks. Besides, once the fintech with highly integrated technology and business has any technical failure in the application process, which causes harming of financial consumer interests, it would usually be difficult to have a clear division of legal liabilities between the technical entity and the business entity, so it is also easy to cause disturbance in bearing legal liabilities.

2.4 Systematic Risk

The term “systemic risk” is a widely used, poorly understood concept. Systemic risk generally refers to the probability that economic shocks in one part of a financial system can lead to shocks in other parts of that system.Footnote ⁹ Although the application of fintech is still at the preliminary stage, it will still generate a huge potential influence on the macro-financial stability.Footnote ¹⁰ Because fintech companies have the characteristics of being small, dispersed, and closely interconnected, having weak internal governance, insufficient prudential regulation, etc., fintech companies are currently wandering within the grey area of financial regulation, which causes their intrinsic attributes of lacking risk-control capability but actively engaging in risk-taking behaviours. Meanwhile, the application model of fintech also provides the soil and path for the generation and transmission of systematic risk; on the one hand, because fintech is usually realized based on the Internet-technology and network system, once any link has problems due to technical fault or malicious attack, it will cause the failure and risk of the entire system; on the other hand, as fintech needs to widely interconnect with the traditional financial industry, the individual risk of business failure or technical failure is also extremely vulnerable to generating a domino or Herd-behaviour effect and transmitting this to the entire financial system. When fintech obtains market importance due to its high-speed development and huge scale, or when the traditional financial system widely depends on the technical supply of certain fintech, there will be the possibility of causing systematic risk, damaging financial stability.Footnote ¹¹

From the perspective of system theory, the generation mechanisms of various risks of fintech have their intrinsic continuity and hierarchy. The essence of fintech is the profound integration between technology and finance—it has the dual attributes of information technology and financial business, but technology is the core content of fintech and business is the application field of fintech; these two aspects have different risk-generation mechanisms and risk modalities, while new risk forms are derived due to the integration of the two. The authors believe that fintech risk has three levels: intrinsic risk, application risk, and derivative risk. Intrinsic risk is a risk of fintech generated from its technical essence: it is a static and isolated risk generated from fintech’s own technical defect, which is mainly reflected as technical risk. Application risk is the risk generated when fintech is actually applied to the financial industry: it is a dynamic risk generated in the process of technology enabling financial business and due to the interaction between technology and business, which is mainly reflected as moral hazard or legal risk. Derivative risk is the risk caused by the transformation that the application of fintech brings to the market structure and risk structure of the financial industry: it is a type of indirect secondary risk, which is mainly reflected as systematic risk. Because fintech has multiple levels of risk in its structure, risk governance targeting fintech also needs to be established on the basis of the effective division of the risk hierarchy and have a scientific response by integrating the generation mechanism and transmission path of different levels of risks. Specifically speaking, it is necessary to establish a targeted and co-ordinated risk-governance rule system from the technical base of fintech to the application model of fintech, then to the business scope of fintech.

Law plays a key role in the risk governance of fintech. First, the legal system restrains the scope and degree of fintech innovation. Although fintech innovation is established on the basis of technological advancement and market demand, the legal system can regulate the fintech innovation spontaneously promoted by the market through market access and other related measures, so as to restrain the innovation degree and application field within a scope of controllable risk, as well as avoid the risk generation and transmission caused from technical failure and market failure in spontaneous fintech-innovation processes. Second, the legal system restrains the behaviours of fintech-innovation entities. The fintech-innovation entities, including the R&D entities and application entities, are the main drivers of fintech development; whether their behaviours are prudent and compliant or not will have a key influence on the generation of fintech risks to a certain extent. Restraining the behaviours of fintech-innovation entities through the legal system, enforcing the bottom line of risk prevention throughout fintech R&D application, and ensuring responsible fintech innovation could effectively restrain the fintech risks caused by reckless innovation under the self-interest motivation of market entities. Third, the legal system specifies the regulatory system and regulatory standard of fintech innovation. The dual attributes of technology and business easily enable fintech to hide in the grey area of regulation, using the legal system to establish and improve the regulatory framework of fintech, specifying the regulatory entity and its regulatory powers and duties, refining the corresponding regulatory measures and rules, which set an energetic regulatory base for implementing sufficient and rational regulation on fintech and for effectively preventing, monitoring, and handling various fintech risks.

3.1 Current Situation and Trend of China’s Fintech Development

Currently, China is one of the countries with the fastest development, most active innovation, and widest application of fintech. According to the “2018 Report of Global FinTech Innovation Centers,”Footnote ¹² China accounts for four out of seven fintech-innovation centres in the worldFootnote ¹³; in the top ten fintech enterprises in terms of financing amounts in 2018, Chinese enterprises took seventh place.Footnote ¹⁴ In the top 100 fintech enterprises issued by KPMG in 2018, Chinese fintech enterprises conquered four places in the top ten, in which Ant Financial, JD Financial, and Du Xiaoman Financial ranked the first, second, and fourth places, respectively.Footnote ¹⁵ According to a survey by Accenture, global investments in fintech reached $53.3 billion; the Chinese investment amount increased by nearly nine times compared with the same period in the previous year and reached $25.5 billion, which almost levelled with the global total investment amount in 2017.Footnote ¹⁶

From the subdivided sectors of fintech, the technical-application fields of electronic payment, P2P lending, Internet insurance, big-data credit investigation, AI-Advisor, blockchain, etc. all achieved remarkable development. In 2018, banking financial institutions processed 175.192 billion e-payment transactions with an amount of ¥2,539.7 trillion; non-banking payment institutions had 530.61 billion vs. online-payment transactions with ¥208.07 trillion, increasing by 85.05% and 45.23%, respectively. The NUCC (Nets Union Clearing Corporation) platform processed 128.477 billion transactions with an amount of ¥57.91 trillion.Footnote ¹⁷ The scale of online-payment users reached 600 million and the scale of mobile online-payment users reached 583 million.Footnote ¹⁸ The P2P lending platforms went through rapid growth before market adjustment; currently, there are 6,580 platforms with a lending balance of ¥1.2 trillion.Footnote ¹⁹ The Zhima Credit of Ant Financial, the Tencent Credit Investigation of Tencent Company, and other big-data credit-investigation systems developed by large tech companies have begun to take shape and played an important role in the credit evaluation and risk control and other related aspects of Mybank, Webank, and other online bank-loan businesses. In May 2018, the Baihang Credit Investigation Co., Ltd, established under the leadership of China Internet Financial Association, was established; big-data credit investigation took another step in development. The Internet insurance business has been developing rapidly; technologies such as mobile interconnection, big data, artificial intelligence, blockchain, etc. have accelerated their integration; in the insurance industry, online insuring and intelligent insurance compensation have become a new normal.Footnote ²⁰ Internet financeFootnote ²¹ has been developing steadily; as of December 2018, the scale of Internet-finance users has reached 1.51 trillion.Footnote ²² “YuEbao,” with the monetary market fund as the object, reached the scale of ¥1.13 trillion by the end of 2018 and reached ¥1.93 trillion at its peakFootnote ²³; it is estimated that the Internet-finance scale will reach ¥16.74 trillion by 2020.Footnote ²⁴ Besides, blockchain has accelerated its application in the financial industry; ABS products based on the blockchain industry have been issued.Footnote ²⁵ With the accelerated promotion of fintech R&D and application, fintech will realize a bigger scale and higher depth of transformation to China’s financial industry.

The rapid development of China’s fintech industry has mainly benefited from the following aspects of causes. First, China’s Internet industry has been developing extensively. The huge netizen scale and the massive data generated from the use of the Internet provided a user base and a data base for the application of fintech. BATJFootnote ²⁶ and other large Internet enterprises growing in the Internet wave have taken technological advantage under the constantly exploring business layout to actively set foot in fintech. All these set a great foundation for the development of the fintech industry. The second cause is the demand for the transformation and upgrading of the Chinese financial market. With the constant deepening of reform and the opening-up and continuous development of the financial market, the Chinese financial industry urgently needs to find growth dynamics and innovation schemes to enhance competitiveness; under the demand for enhancing financial-service quality and strengthening innovation capability, fintech provided the exact possibility and opportunity for the Chinese financial industry to exert a late-mover advantage.Footnote ²⁷ Third is the energetic support of the Chinese government for the fintech industry. While the market has shown great passion for the explosive development of fintech, the government and regulatory authorities also actively adopted various measures to support the development of fintech.Footnote ²⁸ Beijing, Shenzhen, Changsha, Chengdu, and other cities all issued special policies to support fintech and provided energetic support and guarantees from various aspects for the rapid development of the fintech industry.

3.2 Retrospection and Introspection of Fintech-Risk Events

The development of fintech is in the ascendant; the market maintains exuberant passion and expectation for the application of fintech in the financial industry. However, the various risk events that have erupted in the process of China’s fintech development have reflected the special risks of fintech while enabling the financial industry and enhancing the opening and degree of inclusiveness of the financial industry and, to a certain extent, warned of the importance and urgency for fintech-risk governance.

The “Everbright Fat Finger” incident was a symbolic risk event at the early stage of China entering the fintech era. On 16 August 2013, the arbitrage strategy system used by the Strategic Investment Department of Everbright Securities caused massive orders due to program error, which caused drastic fluctuations in the Chinese securities market. The process of that event was as follows. When using the arbitrage strategy system, the trader found that an individual share’s declaration and order placement was unsuccessful, so he used the “Re-order” function of the system but, because the function was not verified by the actual quotation, the program mistakenly wrote the “buy 24 constituent stocks” as “buy 24 groups of ETF constituent stocks.” As a result, 26,082 sums of unexpected market orders were instantly and repeatedly generated. While the order-execution system had no effective verification control over the funding amount targeting high-frequency trading of market orders, the massive unexpected market orders above were directly sent to the stock exchange, which caused the Shanghai Securities Composite Index to rise by 5.96% within one minute.Footnote ²⁹ The mistaken orders caused nearly ¥7.2 billion of fund position shortage, the trader team chose to short sell stock index futures hedging to hedge the risk over the liquidity risk brought to Everbright Securities due to the hedging error. Finally, Everbright Securities and related principals were recognized by the CSRC (China Securities Regulatory Commission) as using insider trading; they were fined and received lifetime market-ban measures.Footnote ³⁰ The Everbright Fat Finger incident was actually a operation risk and market risk caused by a quantitative-transaction program; the original intention of the programmed transaction was to enhance transaction efficiency by technical means, but a technical defect causes technical risk, which further transmits to the financial market through business activities and causes financial risk. Technology is the foundation of fintech; the security and stability of technology will directly affect the application effect of fintech and may have an impact on the entire financial market. The Everbright Fat Finger incident should become a warning case in the development of fintech.

With the continuous development of fintech, P2P lending has gradually emerged in China. The P2P model that connects funding supply and demand through an Internet platform and eliminates information asymmetry between borrowers and lenders received a wide welcome and attention from the market at the beginning; since 2007, various P2P lending platforms such as PAIPAI Lending, Lufax, and Hongling Venture Investment have all of a sudden been released to the market. However, due to the lack of effective legal regulation, many P2P platforms had dissimilation when developing businessFootnote ³¹; some platforms had an ineffective review of borrowers’ information, which caused many borrowers to use false ID information to obtain loans. Meanwhile, the lack of risk control and capability has caused many bad debts because borrowers used loan funds against regulation and were unable to repay loans; some P2P platforms directly forged borrowing demands to develop a “fund pool” business and absorbed social funds for external projects or usury. The dissimilation of P2P lending is actually fraudulent behaviour implemented by P2P platforms, borrowers, and other related market entities by taking advantage of the P2P technology and model, which reflects the moral hazard of fintech in the application process, meaning that, no matter how neutral the underlying technologies and transaction models are, fintech still has the risk of being abused. The “E-Zubao case” became the most typical and most painful case concerning the moral hazard of the Chinese P2P industry. Since 2014, E-Zubao illegally absorbed a huge amount of public funds through the method of making up financing projects using high interest as baitFootnote ³² and, by adopting the method of refinancing and self-guarantee, etc., it actually absorbed over ¥50 billion of funds involving over 900,000 investors. The funds absorbed by the E-Zubao platform were used for the senior management’s squandering, advertising and marketing, and investments outside; it was a typical Ponzi scheme. Although the responsible persons of E-Zubao received criminal sentences, the hundreds of thousands of investors still cannot withdraw their swindled investments to this day. With the “exposure” of some platforms, investors had group panic, which further led to a collective squeeze in the P2P industry, causing the explosion of systematic risk in the entire industry; the P2P platforms that were normally operating went under as a result.Footnote ³³ According to the data of P2P Eye, as of June 2019, the number of problematic P2P platforms reached 5,462 and the number of normal platforms was only 1,118.Footnote ³⁴

3.3 Underlying Threats on Fintech and Its Impact on the Market

Besides the Everbright Fat Finger incident and E-Zubao case mentioned above, China’s fintech industry also had an Internet cash-loan issues, ICO fundraising fraud, and other similar incidents in the development process, which all reflected the risk-related problems that cannot be ignored in the application process. Because of the technical risk, moral hazard, legal risk, and systematic risk generated from improper application of fintech will, to different extents, generate an impact on financial consumers and the entire financial market, as well as affect the normal operation of the financial system.

The direct consequence of fintech risk is affecting transaction safety, although fintech could implement accurate risk measurement and highly efficient transaction execution on financial transactions through “technological rationality” and “data rationality” and could, to a certain extent, enhance the security of transactions. However, the incompleteness of fintech could to a certain extent affect its stability and reliability, and easily cause the deviation of financial transactions. Meanwhile, fintech may generate a subjective loophole in R&D and application, which could provide a bleeding ground for financial fraud and market manipulation. These subjective and non-subjective factors may all cause the financial transactions implemented by relying on fintech to face uncertainty, so as to affect transaction security.

Fintech risk may also affect market stability through trans-industry transmission and its own wide application. Fintech usually realizes efficiency enhancement through its scale effect, which means the application of fintech needs to penetrate into various links of financial transaction and needs to control various big data. Once there is risk in the fintech-operation process, it will inevitably cause horizontal risk transmission within the same industry and has vertical transmission in a transaction process, so as to cause risk expansion. Meanwhile, the fintech companies and the financial institutions using fintech may obtain systematically important status due to the high penetration of fintech; the financial-relations network established on the Internet enables the systematic risk of Internet finance to have not only the basic characteristics of complexity, fast contagion, wide effect, etc., but also new forms such as “too connected to fail” and “too fast to fail.”Footnote ³⁵ Besides, the “long-tail clients” of fintech are mostly vulnerable groups; once the risk erupts, it will generate a huge impact on the overall stability of the financial market.Footnote ³⁶

Moreover, fintech risk will cause new challenges to the protection of financial consumer rights and interests. On the one hand, fintech has not changed the essence of financial transactions; the rights and interests of financial consumers also face the traditional financial market’s various infringements in the era of fintech. Unlike more established players in finance, who have large stakes in the orderly continuation of current structures, fintech firms are incentivized to focus on short-term gains at the expense of potentially value-creating, but long-term, activities.Footnote ³⁷ On the other hand, fintech risk will bring new problems to financial consumers. For example, fintech relying on Internet and big data will bring potential hazards to the personal-information security of financial consumers and may cause the leakage or abuse of personal information. The network-security problem of fintech may also cause the asset security of financial consumers to have potential hazards.Footnote ³⁸ Besides, the electronization and datamation of the financial-transaction process will result in the hiding of infringement behaviour and cause more difficulty for financial consumers to seek relief for their rights.

4.1 Three Paths of China’s Legal Governance of Fintech Risk

Due to the relatively early start and rapid development of fintech in China, market practices have been continuously forcing the regulatory governance to respond to fintech risk. Although China currently has not legislated regulation targeting fintech, the regulatory authorities have been actively developing the formation of corresponding regulatory rules and have gradually formed an institutional system on the legal governance of fintech risk. In this process, targeting the fintech of different business attributes, market scales and risk types, and their application, China has formed three different paths of legal governance.

4.2 Cause of Swinging Risk-Governance Models

Although we can find certain laws from the three different legal-governance paths above, meaning the different governance methods adopted after classifying fintech by their application depth, risk degree, and influence strength in the financial market, however, such law is only an induction in theory and has not been recognized in the system. In fact, the regulatory authorities currently are still relatively random in the governance of fintech risks, and wobble and swing among the three paths of suppression, indulging, and response. The generation of such dilemma may be due to the following reasons.

First, fintech regulatory goals are difficult to co-ordinate. No matter whether fintech has essentially changed the business type of traditional finance, it has become a consensus in the industry that fintech represents the direction of financial development in the future. Energetic promotion of fintech innovation is currently a common behaviour in various countries—countries such as the UK and Singapore are actively providing a favourable system and policy environment for the creation of a fintech-innovation centre.Footnote ⁴⁹ Although the rapid development of China’s fintech industry is mainly based on spontaneous innovation of the market, the government and regulatory authorities will inevitably take the fintech industry into consideration when developing industrial control and financial regulation, which requires providing a relatively relaxed and friendly regulatory environment for fintech. However, financial regulation cannot deviate from its basic goal of preventing financial risks, under the reality of objective existence of the inherent risk, application risk, and derivative risk of fintech; it is necessary to prudently impose rational control on fintech, so as to ensure risk-prevention goals, which requires imposing strict regulation on the R&D and application process of fintech. However, how to effectively co-ordinate between the two goals of realizing industrial development and risk prevention is an issue that is difficult to overcome for regulatory authorities; just like the long-term swinging and cyclical law of regulatory authorities between security and efficiency, regulatory authorities also can only seek the dynamic balance of regulatory goals through constant attempts, which forms differentiated regulatory attitudes on fintech with different types and risk situations.

Second, the allocation of regulatory power of fintech is unclear. Confined by China’s current financial regulatory system of divided management and separated supervision, fintech innovation in various subdivided sectors of the financial market faces regulation from different regulatory departments. The People’s Bank of China regulates currency issuance, payment settlement, and the financial-market infrastructure, and is responsible for macro-prudential regulation; the CBIRC (China Banking and Insurance Regulatory Commission) formed after the merger of CBRC and CIRC (China Insurance Regulatory Commission) will regulate the fintech of the banking industry and insurance industry, and the CSRC will regulate the fintech of securities and futures industry. Besides the central financial regulatory authorities, local financial regulatory authorities also exercise regulatory power over the industrial development and risk governance of fintech in their respective jurisdictions; for example, P2P-lending platforms are regulated by local financial regulatory authorities. However, with the constant emerging of cross-industry and cross-market financial services, the financial institutions and financial businesses constantly integrate with each other, and the forms and contagion of risks become more complex. Likewise, the technical complexity and system relevance of fintech make financial businesses reflect more virtual and blurry characteristics; financial risks become more hidden. Simply speaking, the traditional financial-regulation system established under the institutional regulation idea will cause chaos and obscurity for the fintech regulatory power. Under the circumstance of unclear regulatory-power allocation and a lack of effective regulation and co-ordination, there will be disunity of the regulatory scale and governance path because each department acts on its own regulatory policy.

Third, the perception of fintech risk is insufficient. Although the fact is that fintech will accelerate the business risk, spillover has been widely acknowledged by the regulatory authorities and financial industry, and the risk attributes of fintech have also received supposed attention.Footnote ⁵⁰ There has not been a consensus so far on how risks are generated, how they are transmitted, how big the degree is, and what impact they will have on financial security and stability. Fintech risks may appear in a manner beyond expectation of the industrial cycle. Due to the insufficient perception of fintech risks, the regulatory authorities will have non-uniform and incomplete expectations of fintech risks, therefore choosing different regulatory degrees and governance paths. For example, the indulging path was adopted at the beginning for P2P lending, because the regulatory authorities were not fully aware of the potential huge moral hazard and the systematic risks that may be derived from the P2P industry; only after those risks erupted did they begin to adopt response-type path measures to impose strict regulation. While, for equity-based crowdfunding, regulatory authorities believed that it may cause investors to face huge risks due to the difficulty in the authenticity of information disclosure and the relatively big difficulty in the investors’ participation in corporate governance, they imposed restriction with the excuse of the public-issuance system in the Securities Law without fully considering to what extent technologies such as big data and blockchain are able to solve the foresaid risks.Footnote ⁵¹ The insufficient perception of fintech risks greatly restrained the regulatory authorities’ imagination of fintech development and, to a certain extent, caused fintech regulation to slip towards the two extremes of excessive regulation and insufficient regulation.

Lastly, the fintech-risk-control tools are incomplete. Although the regulatory authorities have high alert over fintech risks, confined by the lack of risk-control tools, their regulatory means are still relatively solitary, which is having screening and control on fintech innovation through market access and imposing continuous supervision through filing and registration. This kind of “either permit or ban” policy tool tends to make fintech fall into either black or white rigid evaluation and will cause difficulty in the rational response of fintech risks due to the lack of a continuous regulatory mechanism and refined regulatory measures. In fact, besides policy tools, information tools and technological tools could both play a benefiting role in fintech-risk governance. Information tools can have effective antecedent regulation with minimum intervention and minimum regulatory costs.Footnote ⁵² In the process of fintech innovation, the generation and flow of information have their own characteristics; adoption of information tools can become an important path to optimize financial regulation and prevent risks.Footnote ⁵³ Imposing information-disclosure obligations on fintech R&D entities and application entities, promoting information disclosure of regulatory authorities, and the establishment of a public credit-information platform are effective means to use information tools to establish risk governance.Footnote ⁵⁴ Facing the technical essence of fintech, the technical regulation and R&D of regulatory technology is still at the exploration stageFootnote ⁵⁵ and the technical tools for handling fintech risks are still not mature yet. Against such a background, the lack of available tools for regulatory authorities also affects the formation of a consistent and continuous risk-governance path.

4.3 What Kind of Fintech Risk Governance Does China Need?

Following the trend for the prosperous development of fintech and accelerated application in the financial industry, the Chinese regulatory authorities are continuously exploring the mechanisms and methods to effectively govern fintech. For China, targeting the legal governance of fintech risks shall not only meet the demand of the fintech-industry development and transformation and upgrading of the financial market, but also effectively guarantee financial stability and the lawful rights and interests of financial consumers, as well as creating a well-balanced relationship between innovative development and risk prevention. Specifically, China’s legal governance of fintech risk needs to meet the requirements in the following aspects.

First, it needs to be innovation-friendly. The development and application of fintech are actually based on technological innovation; such innovation is born from technological advancement and market demand, but it cannot survive without a good policy-system environment. For the governance of fintech risks, sufficient room should be reserved for fintech while preventing risks.Footnote ⁵⁶ On the one hand, the scale of risk governance must be controlled within a proper scope. Although the application of fintech has various risks, if the governance is implemented with the attitude of being excessively destructive towards risks, it will inevitably suppress the development of the fintech industry and cause loss of the first-mover advantage of China’s fintech. This means that it should strengthen tolerant regulation, raising risk tolerance within the scope of controllable risks, so as to provide fintech with the opportunity of making mistakes. On the other hand, a more flexible and dynamic regulatory method shall be adopted for risk governance. The implementation of indifferent risk governance and by rigid regulatory means without consideration of fintech’s own characteristics and risk level is actually financial regulation’s suppression of market innovation. The regulatory thinking needs to be transformed from the “order-control-type regulation” into the “adjustive regulation” with co-ordination between principle-based regulation and rule-based regulation,Footnote ⁵⁷ responding to the co-ordination of interest in fintech development with more flexible regulation, so as to guarantee fintech innovation with more friendly financial regulation.

Second is effective regulation. Guaranteeing innovative room for fintech does not mean relaxing the regulation of fintech, but rather having rational regulation in a more scientific and effective method. For the effective regulation of fintech risks, first, it requires a complete governance framework as the base, which requires China to straighten out the regulatory system of fintech, specify the division of powers and collaborative mechanism of the regulation that various regulatory authorities impose on fintech, and avoid having regulatory racing and a regulatory vacuum caused by blocks in the regulatory system. Meanwhile, it shall require fintech enterprises, financial institutions, and other fintech-application entities as well as industrial associations and other social groups to actively participate in fintech-risk governance, so as to form a comprehensive and multilayered risk-governance framework. Second, more scientific governance strategies are needed as a means. Considering the technicality and innovativeness of fintech, effective risk governance on it should not rigidly apply to the governance strategies of traditional financial risks, but transform technological rules into legal rules, ensuring uniformity between technological rationality and legal rationality; meanwhile, it is necessary to adopt a regulatory sandbox and other methods to effectively evaluate and control risks under the precondition of reserving innovative room. The implementation of the effective legal governance of fintech risk is a systematic subject under exploration; this relies on continuous reference and exploration in practices by the regulatory authorities in different countries.

Third is bottom-line security. Risk is normal in financial markets; fintech risk is an inevitable and normal phenomenon on both technological and business levels. In the process of fintech-risk governance, the regulatory authorities need to establish a correct sense of risk and implement targeted handling on various fintech risks on this basis. Generally speaking, we need to maintain certain tolerance on fintech risks, so as to provide trial-and-error opportunities and experimental room for the innovation and development of fintech; meanwhile, we must also hold the bottom line of not having systematic risk. When fintech is applied to key areas in the financial infrastructure or the innovative business models obtain, by relying on fintech, a relatively large scale and involve many financial consumers, it may result in fintech risk being transmitted to the entire financial market, generating systematic risk; this requires high attention and effective control. However, when the fintech risk is not enough to cause systematic risk of entirety, effective governance measures can be adopted to control known risks, while, for unknown risks, it requires relatively flexible and soft governance mechanisms for evaluation and intervention; it is not appropriate to ban with unworthy rigid measures. Briefly speaking, the governance of fintech risks shall hold the bottom line of risks and maintain certain tolerance of controllable risks on this basis.

Fourth is the whole-process coverage. The application of fintech has its own life-cycle; risks may be generated from the R&D to the application processes. While, from the composition of fintech risks, either the inherent risk of technology itself or the application risk in integration with financial business or the derivative risk generated from the interaction process with the entire financial system would all to a certain extent affect the overall level and market reflection of fintech risk, and the various risks are not isolated, but interconnected and interactional. Briefly speaking, risks exist in the various links of fintech operation and various risk elements have certain interactive relations. Therefore, the legal governance of fintech risks cannot be confined to a single link, but must cover the whole process from fintech R&D to application from the systematic perspective. Specifically, not only the process of financial institutions applying fintech to the financial-service industry requires risk governance; the process of fintech companies or financial institutions developing fintech R&D also needs to be included into the scope of risk governance. Not only the business model of fintech needs risk governance; the underlying technology of fintech and its realization scheme also need to be included into the perspective of risk governance.

5.1 Transformation from Passive Response to Active Intervention

The suppression-type path is too rigid, the indulging-type path lacks constraint, and the response-type path is lagging too much, all of which to a certain extent affects the actual effect of fintech governance. On the whole, the current three paths of fintech-risk governance are all passive responses to risks, meaning that they are treating risks as a result, preventing fintech risks from the outside. But risk governance is never only about prevention; it needs to be adopted actively on the intervening path, while integrating the inherent law of risk generation and transmission, actively intervening in various links of fintech R&D and application, adjusting risks from an internal mechanism as the objective, so as to effectively eliminate and slowly release risks.

The so-called intervention-type path refers to targeting fintech risks, where the regulatory authorities shall actively evaluate and judge risks, implement refined institutional arrangement in advance based on the inherent mechanism of the generation and transmission of fintech risks, eliminate the risk elements in the fintech-application process, and cut off the transmission path of fintech risks, so as to realize a good risk-governance effect. The characteristics of the intervention-type path lie in the following: (1) activeness: in the fintech-risk-governance process, the regulatory authorities are not passively responding to risks, but actively adjusting and intervening with risks on the basis of the correct perception of risks, meaning that the logic of risk governance is no longer confined to the prevention of risk and handling of risk, but rather actively cutting into the generation and transmission process of risks and forming effective control over risk generation; (2) foresight: the active intervention of fintech risk requires regulatory authorities to have clear advance judgment on the composition and mechanism of risks, and be able to accurately perceive the conflict between fintech-market development and the legal system, so as to form a prospective risk-governance scheme; and (3) refinement: the intervention-type path means that the regulatory authorities shall implement scientific and delicate adjustments on the key nodes and key elements of the generation and transmission of fintech risks and implement “surgical-type” refined measures for risk governance by reducing intervention in the market activities of the fintech industry to the minimum, meaning no more adoption of collective banning or a complete indulging attitude when handling risks, but intentionally getting to the root of risk for adjustment.

The intervention-type risk-governance path is the inevitable choice under the background of the continuous development of China’s fintech industry and continuously maturing regulation. Compared with the suppression-type path, the governance of fintech risks in a more open regulatory attitude can provide opportunities and room for the development of fintech, benefiting the promotion of fintech-market cultivation while controlling risks. Compared with the indulging-type path, advance intervention into the fintech innovative application process with more active and effective regulatory control can lead to the identification, prevention, and handling of risks in advance, avoiding risk events caused by the reckless application of fintech and effectively protecting the financial security, rights, and interests of financial consumers. Compared with the response-type path, the governance of fintech risks in the form of advance intervention, meaning using rational policies and systems to constrain the behaviour of fintech-innovation entities on the basis of fully identifying and evaluating fintech risks, restraining high risks in a more active manner, tolerating and managing controllable risks, so as to form a positive incentive on market entities, generates a good effect of risk governance.Footnote ⁵⁹ To sum up, the intervention-type risk-governance path is an ideal scheme to effectively balance innovation and safety, fully co-ordinate regulatory incentive and market law, and comprehensively cover the fintech-innovation process and risk life-cycle.

Based on the intervention-type risk-governance path, financial regulatory authorities need to reform the framework and mechanism of fintech-risk governance in the following aspects: (1) updating of regulatory ideas: on the basis of the correct perception of fintech risks, transform from passive avoidance of risks to active management of risks, transform from result-oriented-type risk governance to process-oriented risk governance. The financial authorities should not “collectively” ban the innovative applications of fintech due to worry about risks and should not ignore risk governance and indulge in the reckless innovation of fintech because the risks are not obvious, but shall maintain active yet prudent risk control and continuous regulation on various innovative applications of fintech. (2) Innovation of regulatory means: market access, filing management, and other means in the traditional model could play an important role in risk prevention, but risks not only occur at the inlet of fintech innovation, but also occur in the whole process of fintech R&D and application; therefore, risk governance should be implemented through information disclosure, technical rule, and standards, as well as other information tools and technological tools. Meanwhile, the forces of industrial associations, fintech companies, and financial institutions on the front line of fintech innovation should be relied on to form the risk-governance network that closely coordinates with administrative regulation. (3) Specify the key issues for regulation: financial regulation shall delicately intervene into the generation and transmission process of fintech risks, find the key risk elements and paths as well as implement targeted intervention. Fintech risks subjectively come from the fintech developers and appliers and other innovation entities, so their innovative behaviour needs to be constrained. Fintech risks objectively come from the technological loopholes of fintech itself and the business model in the financial-business-integration process, so it needs to include fintech business risks in the regulatory perspective.

5.2 Mining and Optimization of Local Resources

With the emerging of fintech on a global scale, various countries have been energetically promoting fintech development while sparing no effort in exploring the mechanisms and measures of the risk governance of fintech. In the process of swaying and swinging towards the path of a Chinese-style fintech-risk governance, it seems to transform into an intervention-type governance.Footnote ⁶⁰ The special stage that the Chinese financial market and financial regulations are in, as well as China’s special political, economic, and legal system, can provide abundant local resources for the risk governance of fintech.

First, the financial-regulation reform currently being implemented in China will provide solid institutional resources for the intervention-type governance of fintech risk. China’s traditional “one bank of three commissions” is gradually changing under the reversed pressure of market-innovation activities; the cross-industry co-operation of the financial market and new-type financial instruments and business models are becoming increasingly frequent, causing the traditional system in the past that considered financial institutions and industry as the regulatory objects to find it difficult to effectively handle the new changes brought by financial innovations.Footnote ⁶¹ Against such a background, China’s financial regulation is actively transforming from institutional regulation to functional regulation. On the one hand, the regulatory ideas begin to emphasize “essence over formality” and “penetrating regulation,” meaning paying more attention to the business essence of financial activities to effectively handle the increasingly hidden and complex financial innovations.Footnote ⁶² On the other hand, the financial-regulation system is also having active adjustment; in March 2018, based on the institutional-reform scheme of the State Council, the CBRC, and the CIRC merging into the CBIRC, the optimization of a multiparty regulatory pattern is underway.Footnote ⁶³ With the further reform and improvement of the regulatory system, financial regulation will become more efficient, the power allocation and power and duty boundaries between different regulatory authorities will become clearer. For the governance of fintech risks, the powers and duties of regulatory authorities will become clearer in financial-regulation reform; the regulatory thoughts and regulatory means will be further upgraded, so as to provide a benefiting regulatory framework guarantee and support for intervening in fintech-risk governance in a more active, more positive, and more effective manner.Footnote ⁶⁴

Second, China’s mature innovation pilot experiences will provide flexible mechanism resources for the intervention-type governance of fintech risks. In the practice of China’s reform and opening-up, policy pilots were used to implement reforms of an exploratory and experimental nature within a certain scope prior to legislation, which was a unique phenomenon in China’s policy-implementation process.Footnote ⁶⁵ Local governments would, based on the superior governments’ policy goals, design the district or department’s unique policy contents or tools driven by innovation competition.Footnote ⁶⁶ In the case that there is good effect with the deepening of a pilot, such a policy pilot would be popularized nationwide in the form of legislation or an administrative order. Such policy pilots and the “regulatory sandbox” are currently widely recognized and adopted for fintech regulation in various countries. Even though they are different in approach, they are equally satisfactory in result. The regulatory sandbox originated from the UK and was about providing a safe testing environment and regulatory pilot zone for fintech innovations with destructive potential and many risks.Footnote ⁶⁷ Its essence was to provide fintech innovation with the mechanism and environment for trial before operation. While China’s innovation pilots, such as a free-trade zone, independent innovation pilot zone, registration system, and other pilot experiences, are to give institutional relaxation and convenience within the regulated scope and could confine risks within a certain scope, they completely have the possibility of being applied to the fintech field. Such innovation pilot experiences actually provide a Chinese-style regulatory sandbox system with a sufficient policy basis and experience basis.Footnote ⁶⁸ In fact, six ministries and commissions including the People’s Bank of China issued the Notice Regarding Development of FinTech Application Pilot in 2018,Footnote ⁶⁹ which required the development of fintech-application pilots in over ten provinces and cities such as Beijing, and required exploration of the tools and means of risk prevention from the aspect of technological security. The application of innovation pilot experiences, on the one hand, provides a relatively relaxed path and room for the development of fintech and, on the other, provides experience preparation and mechanism resources for regulatory authorities to intervene in the governance of fintech risks.

Third, China’s strong administrative mobilization ability provides strong policy resources for the intervention-type governance of fintech risks. Although the emergence of China’s fintech industry was a spontaneous product of the market and the Chinese government and regulatory authorities have been fully respecting the decisive role of the market in resource allocation, and although the government would make an effective intervention in the market when necessary, the governance of fintech risks also needs the government’s intervention and regulation. Besides the regulation of fintech innovations according to laws and regulatory rules, Chinese regulatory authorities can intervene in various links of fintech-risk governance through its strong administrative mobilization ability.Footnote ⁷⁰ On the one hand, the regulatory authorities can constrain the robust application of fintech at the macro level through their planning and guidance of industrial development, and standardize the behaviours of fintech-innovation entities through policy-signal instruments.Footnote ⁷¹ For example, the Beijing Zhongguancun Management Committee, the Beijing Municipal Financial Work Bureau, and the Beijing Municipal Committee of Science and Technology jointly issued the Beijing Municipal Planning for Promotion of FinTech Development (2018–2020),Footnote ⁷² which decided the overall layout and arrangement of fintech-industry development in Beijing City. Although this plan was not a binding normative document, it proposed to profoundly research and effectively identify and prevent the potential risks brought about by fintech activities, and promote the regulatory innovation and construction of a risk-prevention system; it can encourage and promote the innovation of regulatory authorities and market entities in fintech-risk governance. For another example, the People’s Bank of China issued the Announcement Regarding the Prevention of Token Issuing and Financing Risks,Footnote ⁷³ which announced the risks of blockchains and ICOs, and sufficiently declared the risks’ key points and regulatory attitude to society, so as to effectively block risks through policy-signal instruments. On the other hand, the regulatory authorities can mobilize industrial associations to implement the front-line governance of fintech risks, and form an alternative scheme of administrative intervention, further expanding the intervention force and path of risk governance. Based on the business-instruction relations with the regulatory authorities, industrial associations can have self-disciplinary regulation on the R&D and application behaviour of fintech-innovation entities under the collective arrangement by the regulatory authorities. For example, the National Internet Finance Association (NIFA), established based on the Instructive Opinion Regarding Promotion of Healthy Development of Internet Finance,Footnote ⁷⁴ was an organization that developed industrial self-discipline under instructions by regulatory authorities; the association played an active and effective role in the aspect of risk governance of the P2P industry. Generally speaking, under the strong administrative mobilization, through the planning and guidance of policy-signal instruments and the redeployment and integration of a market supervisory force, it could provide abundant policy guidance and regulatory resources for the intervention-type governance of fintech risks.

5.3 Improvement and Innovation of the Governance Model

In the transformation process of fintech from passive response to active intervention, the governance of fintech risks needs to sufficiently mine local resources while absorbing the overseas regulatory experiences, integrate the generation mechanisms, transmission paths, and key elements of fintech risks, and innovate the methods and strategies of risk governance, so as to form a more refined and targeted intervention-type governance model. For the legal governance of fintech risk, its key also lies in the establishment of an active and dynamic fintech-risk-governance system using the legal system to enable intervention-type governance, specifying the legal status and governance rights of the intervention entity, the institutional basis and legal effect of intervention means, and the governance key and standard composition of the intervention object.

First, specify the scope and powers and duties of the intervention entity, constructing the multiparty co-governing regulatory system of fintech risks. In the operating process of fintech, the entities with the ability to monitor risks, slowly release risks, and handle risks all can and should become the entities of intervention governance, so as to form a multilevel governance entity structure from different strengths and different dimensions. The law needs to identify the intervention entities on different levels and clearly grant them the right to intervene in fintech risks to different extents and their exercising rules—specifically, (1) improve the administrative regulatory-power allocation of fintech-risk governance. As mentioned above, the unclear allocation of fintech regulatory power has greatly confined the risk-governance effect. Against the grand background of financial-regulatory-system reform, it is necessary to further specify the allocation of fintech regulatory power and emphasize solving problems such as the disunity of risk-governance standards caused by dispersed regulatory entities and a regulatory vacuum. The authors believe that it is necessary to, through the top-level design of a regulatory framework and co-ordination between different regulatory authorities, specifically delegate the risk governance of fintech in divided sectors to corresponding regulatory authorities. Fintech, with universal applicability, system importance, and business vagueness, should be regulated by the People’s Bank of China. Besides, because local financial regulatory authorities have a relatively strong implication for local interest and the possibility of regulatory capture, it is not appropriate to fully delegate fintech regulatory power to the local authority, but to reserve the formation of regulatory rules for the central authority, and the local financial regulatory authorities can only exercise the power of industrial planning. (2) Grant and guarantee the regulatory power of industrial associations and other self-disciplinary organizations. Although the China Banking Association, the Securities Association of China, and other related organizations have legal bases such as the Law on Banking Supervision and the Securities Law, the NIFA and the various fintech associations established in different places currently do not have a clear legal base. From the R&D and application scope of fintech, the banking associations and securities associations, with members comprising mainly banking financial institutions and securities financial institutions, are obviously find it difficult to cover all the fintech-innovation entities, as they cannot comprehensively participate in the intervention governance of fintech risks. Although the self-disciplinary regulatory powers mainly come from Articles of Associations and the consensus of members, as front-line self-disciplinary organizations, the NIFA and FinTech Association and other industrial self-disciplinary organizations also need to obtain the power and authority of fintech-risk governance through clear legal authorization. (3) Encourage various fintech activity participants to implement social regulation. The core of social regulation lies in a corresponding incentive mechanism and responsibility-assigning mechanism, which promote social entities to participate in financial regulation and increase the supply of regulatory resources through the socialization of financial regulation.Footnote ⁷⁵ In the fintech industry, technicians, business personnel, financial consumers, or even news media may find and perceive risks in fintech. In designing a corresponding incentive mechanism through the legal system, they are enabled to report and reveal risks as well as propose risk solutions in a timely manner, so as to include these entities in the system of risk governance and form a co-operative governance pattern of co-ordination and interaction of various subjects.Footnote ⁷⁶

Second, improve the rules and system of intervention means, construct the framework for the rules of fintech risks’ intervention governance. For implementation of the intervention governance of fintech, on the one hand, it is necessary to use rules as tools and means, use clear and predicable rules to guide and standardize the R&D and application activities of fintech-innovation entities, and ensure responsible fintech innovation. On the other hand, it is also necessary to use system rules to provide the legal basis for intervention governance and reasonably constrain the degree and method of intervention, preventing unjustifiable intervention of fintech innovation. Because the means and methods of intervention have a hierarchy in intensity, it is necessary to establish the rules and institutional system that are suitable for the intensity of the constraint of intervention-governance means. (1) Form and improve the legal system of fintech-risk governance. For the moment, China has not formed special laws and administrative regulation on fintech-risk governance yet; the regulation of certain types of fintech applications according to department rules on lower effect levels is unable to provide sufficient legal-system resources for the intervention governance of fintech risks. The authors believe that it is necessary to pass laws with binding force to specify the behavioural model and legal consequences of fintech R&D entities and application entities, so as to clarify the scope of fintech regulation. For example, fintech can be included in the existing regulatory framework clearly based on the essence of financial business and include fintech in financing outsourcing in the regulatory scope, handling the risks in various fintech innovations with regular licence management and continuous regulation.Footnote ⁷⁷ Besides, it shall regulate the information-disclosure obligation in the fintech-application process, requiring the fintech-innovation entities to fully disclose related information and reveal risks, so as to ensure that financial consumers use fintech-related services under the precondition of fully understanding the basic mechanism and logic of fintech.Footnote ⁷⁸ (2) Fully use “soft-law” norms to guide fintech risks. Public policies, recommended standards, self-disciplinary rules, and other related “soft laws” could actually play a role in risk governance in the fintech-operation process.Footnote ⁷⁹ Soft-law norms could form relatively soft regulation on the generation of fintech innovation that is still in the growth period, avoid the negative influence of an excessively rigid legal system in deviation from market laws and technological laws at the time of intervention risk governance, and could effectively fill up the risk exposure brought about by institutional loopholes against the current background that the mandatory legal system is not complete yet. Therefore, the legal governance of fintech risks needs rational use of the “rule of soft law,” effectively guaranteeing that the regulatory authorities use window instructions and policy guidance to intervene in the whole process of fintech innovation, as well as discovering, avoiding, and handling risks in a timely way, while comprehensively using mandatory standards and recommended standards to guide fintech-innovation entities in developing innovative activities based on the basic requirements of market unity and security priority.

Finally, clarify the scope and key of intervention object, and find the institutional breakthrough point of intervention governance. The legal governance of fintech risk relies on legal implementation including legislation, law enforcement, and judicial means, while the formation and improvement of law could to a great extent decide the scope and effect of intervention governance. For diversified, hidden, and complex fintech risks, the paths and objects of legal governance are a multitude of things and many of them are still in an unknown state; they must be stably promoted based on the strategy of “emphasizing the keys and point-to-area.” At the current stage, for intervention-type legal governance of fintech risks, it urgently needs to get hold of the “nose” of risk governance, meaning finding the key of intervention governance, improving the related legal systems with targets, making a breakthrough for the subsequent construction of the institutional system of comprehensive fintech-risk governance in the future. Although the innovative applications of fintech are emerging endlessly, two main factors are relatively stable: the first is the underlying technological scheme that fintech relies on; the second is the fintech-innovation entity, including R&D entities and application entities. Therefore, innovation for the legal-governance model of fintech risks at the current stage can have two types of institutional design surrounding the two main elements: (1) the technology-oriented type of governance model, meaning the legal-system design with technology as the object of the intervention governance and surrounding “how to govern technology.” The essence of fintech lies in the integration between finance and technology; besides traditional risks, the risk of fintech is nothing more than the risk of technology itself and the risk caused in the application process due to technical defect or technical characteristics. From the logic of risk generation, it will be necessary to implement effective technology governance in the fintech R&D and application link; ensure the security, stability, and adequacy of technology schemes through establishment of institutional rules that are suitable for technological laws; and find the best way to avoid technological loopholes and defects, so as to have the effect of preventing and controlling risks. For example, the requirement for technological argumentation on the innovation entities of fintech could be imposed, requiring them to perform prudent notice obligation in the R&D and application of fintech; the filing review system of fintech’s technical scheme could be specified, to ensure the technological legitimacy and security of fintech through the regulatory authority’s supervision of the technological scheme.Footnote ⁸⁰ The pressure-test mechanism and standard for fintech application could be set, regularly implementing evaluation and warning of the risks of fintech operations. Besides, it may play the governance role of regulatory technology in fintech application, providing a corresponding institutional environment for the “governance of technology with technology.” (2) Entity-oriented-type governance model, meaning considering the fintech-innovation entity as the object of intervention governance, constraining the innovative behaviours of R&D entities and application entities, so as to ensure “responsible fintech innovation.” The R&D entity and application entity are the promoters and practitioners of fintech innovation; their role penetrates through the entire process of fintech operation, and their comprehension of fintech risks is the most direct and most comprehensive. Meanwhile, the R&D entity and application entity have relatively strong motivation and interest incentives to promote fintech innovation, but usually tend to become the direct makers of risks due to conflicts of interest and incentive deviation. Therefore, the fintech-innovation entity should become the key object of risk governance and specify its behavioural rules and legal liabilities through establishment and improvement of the legal system while forming effective behaviour constraints. The entity-oriented-type governance model includes the market access, innovation rule, legal liability, and other aspects of fintech, the innovation entity; specifically, such a model requires specifying the access condition and regulatory thought with the fintech company and financial institution as the R&D entity and application entity, respectively, to set rational room and boundaries for the innovative behaviours of the corresponding entities. Meanwhile, it is necessary to establish the rules that innovation entities should follow based on the principles of enhancing efficiency, increasing inclusiveness, preventing risks, and protecting the interests of consumers, and to specify the bottom line of fintech-innovation behaviours and the obligations of the innovation entity; besides, it also needs to accurately define the legal-lability allocation of innovation entities, and specify their legal liabilities after causing risk and damage results due to purposeful action or negligence.