Last year, he spoke of “upskilling” and “reskilling” both financial market players and CSSF staff, taking into account digitalisation and the arrival of regulatory technical standards associated with ESG, as well as how to get the financial market’s workforce to carry out new, higher value-added tasks in an increasingly demanding regulatory environment. This year, , director and member of the Commission de Surveillance du Secteur Financier (CSSF) executive committee responsible for IT, HR and finance, has a different idea.
Thierry Labro: This year, you’re talking APIs and co-designing?
Jean-Pierre Faber: We have worked with the ABBL [The Luxembourg Bankers’ Association], Alfi [Association of the Luxembourg Fund Industry] and some other major players in the financial centre to make them ‘alpha users’ and then ‘beta users’ in relation to technical solutions meant to facilitate the exchange of data by all parties involved. Since 2016, we have put in place our own means of communicating with the industry in terms of reporting. We have been asking ourselves the question of ‘how to facilitate exchange’ with the industry; this has led in particular to the introduction of our digital portals based on forms, the primary aim of which is to facilitate interaction with our supervised entities. This phase is now well under way.
We are going to implement, via pilots, new means of exchange with the industry based on S3 technology, thus facilitating the exchange of data via APIs between supervised entities and the CSSF. We need to obtain information on transactional data from financial market participants in the simplest and most dynamic way possible, even if the legal framework needs to evolve to enable us to achieve this.
How can we make reporting more efficient with the new ESG standards, Dora (Digital operational resilience act) and Mica (Markets in crypto-assets regulation)?
We’re not there yet, let there be no mistake. Our idea is to encourage the co-design of API solutions with industry in order to increase efficiency while controlling costs on both sides.
It may come as a surprise, but we favour prevention over repression.
Perhaps it should be said here that reporting is now done on a legal and regular basis...
We would like to move to an API-based data exchange model so that we can communicate directly with the industry: from a model where the industry provides us with data at regular intervals, as required by law, to a model where we can access it directly. Instead of waiting, we could notify an entity more quickly that this or that transaction potentially poses a problem and allow it to act directly.
I imagine that the entity will continue to assume responsibility?
We will never substitute ourselves for the entity’s responsibility. That is not our mission. But we could prevent rather than cure. It may come as a surprise, but we favour prevention over repression. We don’t get up in the morning with the intention of handing out fines or penalising entities that have problems. Ultimately, a sanction is a failure. It means that an entity does not have the right processes or governance in place to meet the needs of the regulations.
The CSSF faces the same challenge as the industry: to find the talent that will enable it to fulfil its missions in the best possible way. We have done and continue to do ‘upskilling’ and ‘reskilling’ of our teams, but the other consequence of an API model is that we could, with consolidated and anonymised data, give insights back to the industry and enable it to demonstrate elsewhere that Luxembourg is still an attractive, competitive and well-supervised location.
APIs are all well and good, but I imagine you’re also looking at the impressive development of artificial intelligence?
The artificial intelligence part is not negligible, it’s there. We have to work with it. We need to establish rules to avoid setbacks. We are no longer at the beginning of technological development. There are hundreds, if not thousands, of solutions for managing different operational problems, and we need to take advantage of them with discernment.
Read also
In a way, could the CSSF advocate the use of one solution rather than another? I imagine you’re going to say no, and yet it would be in the interests of companies to have a relatively unified system, which would mean, for example, accredited or certified software, whatever you want to call it...
The CSSF’s role is that of an observer, not an economic player. We have every interest in being able to access transactional data directly. But for that to happen, legislative rules need to evolve and there needs to be dialogue within the industry to create common tools to speed up the compliance process at a reasonable price. There is no point in duplicating solutions within the industry in Luxembourg, bearing in mind the risk associated with a ‘too big to fail’ solution.
But at the moment, when we talk to a number of companies, we can see that as they evolve, they are adding bricks of technology according to their needs, and because of the weight of the legacy, no one dares touch anything.
We need to continue to think about how we can prepare for the future and maintain the right conditions for the smooth development of the financial centre. We have a reporting system that is very expensive in terms of resources and has been in place for 10 years. Should we continue like this? The answer is no. We are saying to the industry: “If you are prepared to work in co-design mode, we can create a standardised process between you and us to optimise the reporting process.”
“All reporting can be simplified to the extreme, given the development of the technological solutions available to us today, while adjusting the legal framework,” said the CSSF’s Faber. Photo: Guy Wolff/Maison Moderne
Listening to you, it’s as if the law wasn’t designed with people who work in the operational side in mind...
We are continuing our dialogue with market participants and are studying with interest the points where the CSSF has the opportunity to change things. We believe that the role of the various working groups is to keep the operational side in mind. I think that organisations like ABBL and Alfi have a role to play in making the application of written legislation more operationally efficient.
What have you identified as something that needs to be changed?
All reporting can be simplified to the extreme, given the development of the technological solutions available to us today, while adjusting the associated legal framework. Everything can be transmitted instantaneously and not just in terms of regulatory deadlines.
The explosion in the cost of supervision with profiles such as compliance officers, who are few in number compared to requirements, is becoming prohibitive in the context of the financial centre’s business model.
Does--or could--the financial centre have an interest in this paradigm shift?
It depends where you are in the value chain. Those in the highest part of the value chain want to be informed as close as possible to the transaction that raises a concern. Conversely, further down the value chain, the employee who wants to do his job perfectly wants to be given the reports on time: he or she may feel threatened by solutions of this type. So we need to reassure them and develop their workstations so that they can be engaged in higher value-added tasks, namely the evaluation of exceptions, which these technological tools will make it possible to identify more quickly. We believe that this is the strict minimum.
At the same time, those who have to make the decisions are also at the top of the pyramid and don’t always want to make the wrong choice...
The effervescence of technological choices may seem disturbing. The speed of change is astonishing, and access to people who are properly trained and informed about the choice of implementing such technological solutions in operations is limited. In addition, the explosion in the cost of supervision with profiles such as compliance officers, who are few in number compared to requirements, is becoming prohibitive in the context of the financial centre’s business model.
We want supervision within the supervised entities to work well, so that at the end of the day all the players in the value chain can say that they have done an excellent job. Can we do better? Yes, certainly, I’m convinced of that. That’s why the co-design part with the industry and the APIs is so important. Ultimately, what I would like to see is a pooling of certain links in the value chain within the industry, on which we can build as part of our prudential supervision mission.
All the players in Luxembourg and internationally are asking themselves the question of how to bring AI into the operational side in an efficient and unbiased way; we need to do that too.
What is your view of the solutions that exist?
It depends on the players already present and those to come. We see players in the marketplace like iHub providing an answer to one part of the KYC [know your customer] chain. The same applies to KYT [know your transaction]. We need solutions of this type to pool the response to be provided to different bodies and to facilitate the delivery of key documents in an onboarding process, as in the maintenance of customer relations, and thus reduce compliance costs while guaranteeing the quality of the review to be carried out, which will remain the responsibility of the supervised entity.
Coming back to AI, do you already have any use cases? Any ideas?
We need to set some rules, decide what we want to do and what we don’t want to do at this stage of AI. We ourselves are currently working on a POC [editor’s note: a prototype] with artificial intelligence. We are supporting a pilot project for reading leaflets. We have identified some 150 key rules to be respected in a prospectus: the AI will tell us how many rules a submitted prospectus respects and where it needs to be improved.
If we manage to ‘industrialise’ such a review process by adding AI to the review chain, the prospectus could be validated in six or seven days, as opposed to the three weeks currently needed for a complete and up-to-date prospectus.
After that, we need to look at the execution of this prospectus in relation to these 150 key rules, and more particularly in the context of the investment policy. All the players in Luxembourg and internationally are asking themselves how AI can be used efficiently and without bias in the operational side of the business, and we need to do the same. The number of transactions involved cannot be handled by human agents. So we need the help of technology, as well as a review of our way of working from a procedural point of view.
Is Europe leading the way in the sense that everything to do with taxonomy or changes in legislation will serve as a framework for artificial intelligence solutions? Or do you see products arriving because they have managed to obtain millions of data sets from a large institution?
It’s too early to say, given that the data value chain is not in the hands of a single player. We are in a learning phase. We don’t have the perfect solution yet, but there are a number of startups that have mastered one end of the value chain with their respective solutions.
So what do we need to do? Exploit the new data supplied by the industry and the structures providing benchmarks. This is a consequence of the nascent nature of the regulations in their application, with recent publications and those still to come in the SFDR [Sustainable Finance Disclosure Regulation] framework, for example. This means that we, like other players in the market, are working with several ESG data providers to consolidate ESG data. This is a transitional phase of the model. Couldn’t we pool this data via a central purchasing group managed by associations such as the ABBL or Alfi, for example?
Do you have data stewards to qualify the data?
Yes, we do, but we need to develop them. We have noticed that, with the emergence of roles such as chief data officer, the industry is also recognising the importance of data in its review chains. We are doing the same. This enables us to adjust the risk profile and the response to be provided in terms of granularity in the prudential supervision to be applied to the supervised entity in question.
In this way, we can add our own data to the data from external suppliers and enrich the risk profiles as this data becomes available. This reinforces our risk-based approach, which we have been familiar with for some years now.
This story was first published in French on . It has been translated and edited for Delano.