Financial Stability Review – April 20254.2 Focus Topic: Looking at Digitalisation through a Financial Stability Lens

Digital transformations affect all facets of the financial system and the provision of financial services, including customer interactions, operational processes, information security, and workforce planning. In this context, ‘digitalisation of finance’ refers to the adoption of technology in the financial sector to transform systems, processes, business models and resource allocation.¹ While digitalisation has led to efficiency gains and improvements in service delivery to customers, and can enhance risk management, it has also introduced vulnerabilities that have the potential to threaten financial system stability. Addressing digitalisation vulnerabilities is a priority area for the Council of Financial Regulators (CFR) and for international policymakers, including the Basel Committee on Banking Supervision, the Financial Stability Board, and central banks globally.²

This Focus Topic discusses the implications of digitalisation for financial stability in Australia, using the framework described in 4.1 Focus Topic: A Conceptual Framework for Assessing Financial Stability. Within this framework, digitalisation is viewed as an external factor that influences the context in which the financial system operates. External factors can improve system resilience, exacerbate existing vulnerabilities, or expose new ones − or some combination of these. Using three mature technologies as examples, this Focus Topic identifies commonalities in how key vulnerabilities are impacted by digitalisation as part of the RBA’s ongoing analysis of emergent threats to Australian financial system stability.

Digitalisation is changing the Australian financial system.

Digitalisation in the financial sector has accelerated in recent years. This can be seen in the rise of fintechs, innovations from the COVID-19 pandemic, and advancements in artificial intelligence (AI).³ As a result, the Australian financial services landscape is changing quickly, and financial institutions are making significant investments to upgrade their technology platforms and technical capabilities.⁴ At the same time, new financial sector entrants, taking advantage of the digitally induced reduction in barriers to entry, are intensifying competition in some market segments.

The impact of digitalisation spans a wide range of financial services and gives rise to potential benefits alongside trade-offs. Using three of the more mature digital technologies as examples, the following sections explore some of the direct and indirect implications of these technologies on the financial system. While not new technologies, they have seen significant advancements that have led to increased adoption and enhanced capabilities, as well as the introduction of new vulnerabilities within the financial system. The impact of these mature technologies illustrates the types of vulnerabilities that might arise from the use of new and innovative technologies, such as AI and distributed ledger technology.

Technology #1 – Mobile banking apps

Online and mobile banking applications have enabled a transition away from in-person banking for customers. While mobile banking apps have been available in Australia for over a decade,⁵ recent developments in machine learning, generative AI (GenAI) and cloud services, coupled with the roll out of fast payments platforms, have expanded the functionality and availability (24/7) of services and accelerated the speed of transactions. Financial institutions continue to improve their apps in response to consumer preferences, as most Australians now rely on online and mobile banking to interact with their banks.⁶

This digital transformation offers numerous benefits, but it also introduces a range of vulnerabilities into the financial system. Mobile banking can enhance financial inclusion by expanding access to, or even the availability of, certain services for digitally connected individuals.⁷ However, the shift towards digital banking services has contributed to a decline in physical bank branches in Australia, reducing service availability for individuals who are not active participants in the digital economy. Residents in regional areas have been particularly affected by branch closures.⁸ Mobile banking provides almost instant access to banking services, removing some of the frictions that once slowed deposit withdrawals.⁹ While this efficiency gain benefits bank customers in most cases, it may increase the speed of bank runs in some circumstances. During the 2023 banking failures in the United States and Switzerland, the rapid spread of news through social media channels may have also contributed to the unprecedented speed of deposit withdrawals from impacted banks.¹⁰ Bank liquidity regulations that took effect after the global financial crisis were not calibrated for runs of this speed.

Technology #2 – Application Programming Interfaces

Application Programming Interfaces (APIs) are a set of rules that enable secure data sharing between software applications, either within a financial institution’s own systems, or with external parties.¹¹ For example, mobile banking relies on internal APIs to connect a bank’s app with its core banking systems.¹² Similarly, open banking initiatives use APIs to securely share data between financial institutions and third parties. In Australia, as part of the Consumer Data Right initiative, open banking is intended to help customers to access and compare new financial products and services, and to promote competition within the financial system.¹³

APIs also facilitate partnerships between financial institutions and third parties, which can bring benefits for customers but also create vulnerabilities in the financial system. Business models such as Banking as a Service (BaaS, the provision of banking services from licensed banks through non-bank intermediaries)¹⁴ and embedded finance (integrating banking services into non-financial platforms, such as ‘buy now pay later’ options within a retail shopping app)¹⁵ can improve customer experiences. Banks may face competitive pressures in responding to new market entrants, or reputational and operational risks if they engage in a partnership that fails or experiences a data breach.¹⁶ Moreover, as banks increasingly collaborate with non-financial firms, these relationships add interdependencies, complexity and opacity to the financial ecosystem, which can increase operational risks and make it harder to monitor and assess vulnerabilities.¹⁷ These considerations can also apply more broadly to financial institutions wherever digitalisation facilitates a change in market structure.

Technology #3 – Cloud services

Cloud computing allows for the more efficient use of computer processing resources and lowers the cost of IT infrastructure. There are three main deployment models: public cloud, where cloud resources are delivered by a third-party provider to a large number of customers over the public internet; private cloud, where the cloud resources are supplied to and used by a single organisation; and hybrid cloud, a combination of the two.¹⁸ Public cloud services are typically provided by a small number of large technology companies globally, who host their clouds in interconnected data centres around the world.¹⁹

Australian financial institutions, including banks, insurers, and clearing and settlement facilities, are migrating their services onto public cloud platforms, which brings both benefits and risks.²⁰ As a result, these institutions may see improved system resilience, lower IT infrastructure costs, and an increased ability to scale up or implement new services.²¹ Customers can access services hosted on the cloud more quickly and benefit from new service offerings. However, cloud migrations need to be carefully managed to ensure they do not result in increased operational risk for individual institutions during the transition to the cloud – for example, business processes may change and cloud-based services may be incompatible with on-premises systems.²² Financial institutions also need to ensure cloud providers are appropriately managing operational risks – including service reliability and information security – when these services are in place. This requires careful planning – for example, using geographically diverse cloud locations may provide additional resilience for business continuity and prevent correlated failures, but institutions may then be exposed to legal or regulatory restrictions if the data are hosted in external jurisdictions.²³ Increasing dependence on a small number of cloud providers could also see multiple financial institutions disrupted simultaneously in the event of a single cloud outage.

Digitalisation matters for financial stability.

The mature technology examples illustrate some of the ways in which different technologies can transform the financial system, offering benefits to financial institutions and their customers, while also introducing some vulnerabilities. Identifying and addressing how digitalisation impacts financial stability has been the focus of global central banks and regulators in recent years. Digitalisation has a clear and direct impact on the operational risk of individual financial institutions, but the examples also show that there may be broader impacts for financial system stability:

• Relationships between entities are becoming more complex and opaque, and dependencies on critical third-party providers are increasingly concentrated. This can include dependencies on offshore service providers, national infrastructure and other providers outside the scope of financial regulation. As linkages and interdependencies expand internationally and outside of the financial system, domestic financial authorities may have less visibility and influence over how risks are managed. The concentration of dependencies can also increase the probability of an incident having a system-wide impact, such as the 2024 Crowdstrike incident.²⁴
• Digitalisation increases the speed at which financial services can be provided, as well as the speed at which shocks are transmitted through the financial system. With information flows travelling faster and external linkages increasing, risks may materialise more quickly and spread more rapidly through the global financial system than they have historically.
• Behavioural responses to shocks may change as digitalisation allows retail consumers to participate more directly in the financial system.²⁵
• Digitalisation increases technological complexity. This requires specific expertise and upskilling to ensure staff can manage the increase in operational risk, including through the technological change process.
• Operational risks can amplify financial risks. For example, if the automation of transaction processing were disrupted during a crisis, it could not only hinder market functioning but also disrupt liquidity flows across the system, amplifying financial instability.²⁶
• Digitalisation increases the potential for operational incidents, with institutions being more vulnerable to cyber-attacks, technological outages and reputational risk if data integrity is compromised.²⁷ Frequent cyber incidents and attacks, correlated outages, disruptions at systemically important institutions, along with potential exposure of private data, could erode the reputation of financial institutions and weaken trust in the system.

CFR agencies are focused on building resilience in Australia.

CFR agencies are working together to improve the resilience of the Australian financial system as it becomes increasingly digitalised. Work is ongoing across the CFR agencies to understand and address the implications of the continuing digitalisation of the financial system. As part of this work, the RBA continues to assess vulnerabilities arising from digitalisation at a macro level, using the framework set out in 4.1 Focus Topic: A Conceptual Framework for Assessing Financial Stability, to identify the vulnerabilities that may have a systemic impact and the factors that support the resilience of the financial system by dampening the negative impact of any shocks. This assessment includes taking into account actions taken to date by the CFR agencies to address the impact of digitalisation on operational risk, such as closing regulatory gaps and increasing oversight, and testing system resilience. One of these actions involves the introduction of a new prudential standard, CPS 230, which is aimed at ensuring that entities regulated by the Australian Prudential Regulation Authority are resilient to operational risks and disruptions.²⁸ The RBA’s regular assessments of net vulnerabilities in this area help to inform the CFR work program in a rapidly evolving digital landscape.