Lessons from the rapidly evolving regulation of digital banking

Regulators seeking ways to balance protection of customers’ interests, financial institutions’ risks, and their other policy objectives for digital banking can learn from early regulatory experiences.

For regulators weighing digital banking’s benefits and risks, the challenge is to find the right balance between supporting innovation and protecting consumers. In addition, some jurisdictions, including Singapore and Malaysia, have used licensing regimes to support broader policy ambitions, such as boosting financial inclusion or increasing competition in specific segments. Currently, most jurisdictions apply existing banking laws and regulations to digital start-ups and fintechs. However, several jurisdictions have opted to build regulatory frameworks specifically for digital banking.

Sidebar

In this article, we describe how these frameworks have evolved amid variations in ownership structures, capital and financial parameters, and physical offerings. We then compare ways that frameworks differ from one market to another, as well as highlight some commonalities across digital banks. Regulators may use this overview of global practices to identify which frameworks and processes are best suited to their own market.

Digital banking and regulation today

Digital banking is present almost everywhere in the world, with incumbents, fintechs, and new digital banks offering accessible and efficient banking experiences (see sidebar “What is a digital bank?”). Given the relative immaturity of the digital-banking business model, regulators have awarded few (two to eight) licenses at a time. Just five years after launch, Tencent-backed WeBank serves 200 million people, and Alibaba-supported MYbank has more than 20 million small and medium-size enterprises (SMEs) as customers. In China, digital banks now have a 5 percent share of the market for unsecured consumer loans. South Korea’s KakaoBank, launched in 2017, attracted more than ten million customers in its first year. In June 2021, the company announced plans to raise $2.3 billion in an initial public offering.

Sidebar

There is no uniform formula or proposition. Business models—as expected—are often aligned with licensing conditions, which guide how banks can launch and develop. UK digital bank Monzo started as an e-payments player, in line with its license, and later broadened its offering when it obtained a full banking license. China’s MYBank and the United Arab Emirates’ Anglo-Gulf Trade Bank focused from the start on lending and trade finance, respectively, as their banking licenses permitted.

In addition, the adoption and acceptance of various technological developments by regulators across geographies have allowed incumbent banks to modernize while setting the ground for digital banks and fully digital offerings to emerge. The following innovations and regulations enable or enrich digital offerings—both by traditional players and digital banks:

  • Electronic know your customer (e-KYC) enables fully digital onboarding, with stand-alone analytics checking customers’ identities and conducting anti-money-laundering checks. Regulators can tailor identification methods based on their preferences (Exhibit 1).
  • E-signature allows customers to validate most types of transactions remotely.
  • Open banking offers network effects and fosters data sharing for better customer assessment and remote or automatic third-party transactions.
  • Ecosystem opportunities help nonbanks compete and allow consumers to benefit from broader and more personalized services.
  • Cloud hosting can resolve three pain points for banks: infrastructure scaling, access to next-generation application architecture solutions, and the need to meet local regulations, such as those concerning local data hosting and protection. The cloud also lowers barriers to entry by eliminating the need for upfront hardware purchases.
Banking regulators can choose from existing processes for customer identification.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Many digital banks have leveraged their core characteristics to establish a niche presence. China’s first virtual bank, aiBank, a joint venture between China CITIC Bank and tech player Baidu, for example, offers financial solutions to underbanked younger customers and loans to small and microbusinesses in remote areas. PAO Bank in Hong Kong provides SME customers with loans of up to $260,000 (HK $2 million) in just five business days. Pakistan’s Telenor Microfinance Bank, a joint venture between mobile communications company Telenor and Ant Financial (now Ant Group), offers digital financial services to millions of previously unbanked citizens.

Licensing approaches vary by markets

Digital-banking regulation has generally evolved gradually. Regulators appreciate digital banking’s potential benefits in terms of inclusion, competition, and customer experience. Still, many regulators have been careful to avoid encouraging opportunism or a free-for-all that would undermine trust and financial stability. 1

Digital regulators tend to follow one of two models:

  1. A specific digital-banking license. Regulators in jurisdictions including Chinese Mainland, Hong Kong SAR, Malaysia, the Philippines, Saudi Arabia, Singapore, South Korea, and the United Arab Emirates have created digital-specific licenses, often including terms that specify what products are allowed, which segments digital banks should target, and what physical presence is permitted. Under South Korea’s digital license, for example, KakaoBank was able to offer a full range of products at launch.

    In contrast, under Singapore’s digital license, there is a foundational period with limits on the amount of deposits the bank can take. Setting up a digital licensing framework will take time, but it ensures that regulators have the appropriate oversight of digital-banking activities to ensure compliance. From the licensee perspective, the license offers clear guidelines on operating and—if designed with the intent—allows it to provide a broader range of products than it could under, for example, an e-payments license.

  2. A traditional banking license. Many countries—the United States and some European countries, for example—regulate digital banks with standard banking licenses. In these cases, digital banks often start with an alternative license, such as e-payments or e-wallets, and then seek licenses for new services as they develop. For example, in 2018 Brazil’s NuBank obtained a financial institution license for offering retail banking services; as of mid-2021, however, it has not obtained a full banking license. The United Kingdom’s Revolut launched with an e-payments license and received a Lithuanian banking license in 2018, allowing it to operate as a full bank in the European Union.

On a regional basis, Asia has been relatively active in licensing digital-banking business models (Exhibit 2). India’s and Australia’s licenses include terms imposing a low cap on deposits or exclude lending from the allowed activities. In the latter case, the licenses were not full digital-banking licenses, so in India, the licensed firms are called “payments banks.” At the other extreme, China Mainland, Hong Kong SAR, and South Korea permit digital banks to offer a full suite of products and allow nonbanking ownership and unlimited deposits.

Asian regulators have been early granters of licenses to digital banks.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

As mentioned earlier, central banks in Chinese Mainland, Hong Kong SAR, Malaysia, Saudi Arabia, Singapore, South Korea, and the United Arab Emirates have used digital-banking licenses to help them achieve broader objectives. Malaysian regulators, for example, state that their goal is “expanding meaningful access to and promoting responsible usage of suitable financial solutions to unserved and underserved segments.” 2 Chinese regulators were among several to target an improved customer experience and increase financial inclusion, especially for underserved segments such as SMEs, taking advantage of digital banks’ relatively low cost base.

Dedicated digital licenses can open markets to new players where traditional banking licenses are limited. By contrast, in countries with a good stock of available traditional licenses, technology players more often are buying small traditional banks and turning them into digital banks or simply adding lending and payments products to their ecosystems. In Indonesia, for example, Sea Group’s e-commerce arm Shopee bought local lender Bank Kesejahteraan Ekonomi, intending to transform it into a digital-only operator. Finally, where a digital-banking license or a standard banking license was not available, some fintech players and big techs expanded organically—adding financial products such as lending or payments, but without taking deposits or offering a complete banking solution.

Regulators also play a critical role in shaping the context in which banks—both digital and traditional—execute their business plans. For example, with a regulatory framework that enables fully digital onboarding and operations, banks may be better able to reduce the costs of onboarding new customers. Or, in a market where the central bank puts in place mechanisms to support data flow, simplify credit scoring, and encourage open banking through common API standards, banks may find it easier to focus on data access to support their risk-management activities.

Regulators play a critical role in shaping the context in which banks—both digital and traditional—execute their business plans.

Understanding regulatory frameworks

The design phase for new digital-banking frameworks is, of course, critical. By setting requirements on ownership, shareholding structure, and the fit and proper criteria for owners and managers, regulators determine what types of players can enter the market. The framework design has some common elements in three broad groups:

  • eligibility, conditions relating to ownership (share structure), business plans, risk-management requirements, exit plans
  • permissible activities, covering special provisions during the foundational phase, board and management plans, product and customer-segment targets, minimum levels of paid-up and risk-based capital, and sufficient access to liquidity
  • presence, including provisions regarding the physical locations, branches, ATM coverage, and agent networks

Regulators have around 15 common criteria. Applicants need to fulfill these defined criteria but will have freedom in the approach used to achieve them (for example, freedom to partner with any technology company). Singapore requires that at least one entity in the applicant group have a track record of three or more years in operating a business in the technology or e-commerce field. Additionally, the framework defines permissible product offerings for digital banks. In the United Arab Emirates, the Abu Dhabi Global Market (ADGM) regulator has issued licenses for the SME and corporate segments. Meanwhile, regulators in Hong Kong do not permit digital banks to require a minimum account balance, and China’s digital banks do not take direct cash deposits.

A standard licensing provision concerns physical presence, setting out limitations regarding branches and access to ATM and agent networks. In general, regulations reflect the fact that digital banks, by definition, do not have an extensive physical presence. Chinese Mainland, Hong Kong SAR, Malaysia, Saudi Arabia, Singapore, South Korea, and the United Arab Emirates allow digital banks to access agent networks, which can be used for cash deposits. In contrast, Singapore, which is also targeting a cashless society, does not allow digital banks to access ATM networks.

Usually, the time from publication of the regulatory framework until digital banks begin operations is around two years (Exhibit 3). Singapore’s regulators, for example, announced in June 2019 that they would issue licenses, and the licensed digital banks are expected to launch in early 2022, following a delay related to COVID-19.

Once a digital-banking regulatory framework is announced, it takes about two years for banks to start operations.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

The timeline for issuance is typically as follows: When the regulator has announced the issuance of licenses, it calls on interested parties to submit their applications within a limited period. After closing the application window, the central bank’s licensing committee assesses the applications based on the minimum eligibility criteria and assessment framework defined and approved by the board of directors or equivalent body. Then it allows a certain amount of time for the successful applicants to build their banks. This usually occurs under the supervision of a central-bank team, which supports and monitors banks after a launch.


A dedicated regulatory framework for digital banking sets out the core digital-banking structure and permissions, and it determines how many licenses are to be granted. Regulators typically share application guidelines and requirements, timelines, and frequently asked questions. Also, they often use assessment frameworks and scoring systems.

Digital and traditional banks face similar risks, including operational and credit risks. Thus, the transition to digital banking leaves in place the primary regulatory mission: focusing on credit and counterparty risks, capital adequacy, risk management, and compliance. The European Central Bank, for example, mandates “same activity, same risks, same supervision and regulation.” Similarly, the Monetary Authority of Singapore (MAS) has no special supervisory requirements for digital banks. Still, there are sometimes nuances in emphasis for activities and operating models such as straight-through processing or scoring for customers with little or no credit histories. There also may be differences in focus. MAS, for example, conducts slightly more frequent off-site supervision during the foundational period. Bank Negara Malaysia also engages more frequently during the initial period, and it exempts start-ups from stress testing.

While digital banking has become part of many people’s daily lives, this business model is relatively new. Globally, digital and traditional banks are subject to the same regulations, but some jurisdictions have developed regulatory frameworks specifically for digital banks. For countries considering this route, we see value in reviewing the efforts of markets that have tackled the dual challenges of seeking to ensure the financial system’s safety and to protect customers’ interests and of using digital-banking regulation to achieve broader policy aims.

Explore a career with us

Related Articles