As it turns out, the New York Department of Financial Services (NYDFS) essentially agrees with the argument, as seen by its investigation into the recent Twitter hacks. In the “Twitter Investigation Report,” the department recommended creating a “systemically important” designation for large social media companies, like the designation for critically important bank and non-bank financial institutions.
If you’re wondering why the New York’s financial services regulator was directed to conduct an investigation into the hack of a California-based social media platform, recall that NYDFS licenses Coinbase, Gemini and Square – all companies affected by the Twitter hack that resulted in losses of approximately $22,000 worth of bitcoin by their customers.
Considering the complex web that binds social media companies with financial companies, the economy, markets and politics, it ultimately wasn’t all that surprising to see a state regulator thrown into the mix. Even Gov. Andrew M. Cuomo noted, “This type of hack by con artists for financial gain can also be a tool of foreign actors and others to spread disinformation and – as we've witnessed – disrupt our elections.”
As the Twitter report highlights, more Americans are getting their news from social media. I originally argued that if certain social media institutions were to fail today, their failure would pose a significant threat to society due to their outsized influence, size, reach, society’s co-dependence on them and “their power to shape the interpretation of public events.” In other words, any changes to the way SISMIs operate could lead to rippling effects across the globe. After all, they are centralized companies with highly distributed users and employees.
NYDFS points out that because no regulators have the authority to uniformly regulate internet-based social media platforms or to oversee their cybersecurity concerns, they recommended:
- Creating a "systemically important" designation for these companies; i.e., labeling social media companies that cross a certain threshold so as to subject them to further regulatory oversight
- Establishing an expert agency to oversee designated SISMIs
- A new regulatory framework for SISMIs
Some complications arise from the imposition of a new regulatory framework. In the U.S. alone, any novel framework would need to factor in President Trump's executive order on online censorship, the upcoming Federal Communications Commission rulemaking regarding Section 230 of the Communications Act, considerations around ever-changing state privacy laws and a proposed federal data privacy bill, Securities and Exchange Commission regulations for public companies, antitrust and related laws and regulations enforced by the Department of Justice and the Federal Trade Commission – the list goes on.
Outside of the U.S., setting standards that work well across borders or even harmonizing the laws of various nations is not easy, nor can it be done in a reasonable amount of time. Just look at the Principles for Financial Market Infrastructures (PFMIs) – a series of global standards that apply to systemically important financial market infrastructures that took over a decade to implement.
Governments around the world have proven they can respond aggressively to social media: Thailand signed an order last week allowing authorities to ban media deemed threatening to national security in response to pro-democracy protests, and Iran implemented a five-day nation-wide shutdown of the internet last year. New global standards may be both necessary and appropriate for SISMIs, yet the changes were needed yesterday and will not magically coalesce tomorrow.
If a new regulatory framework for SISMIs is introduced, we may see an exodus of companies and businesses from certain regions as they engage in regulatory arbitrage. We saw this occur in 2015 when the introduction of the BitLicense resulted in numerous cryptocurrency platforms leaving New York. Similarly, many businesses chose to block European visitors from their websites, shut down completely or restructured operations in response to the introduction of the European Union's General Data Protection Regulation (GPDR) in 2018.
We experienced the latter phenomenon this year in the decentralized finance (DeFi) space as significant volumes of liquidity started to move from centralized exchanges onto DeFi protocols and decentralized exchanges. For many, the attraction was the unstoppable, non-custodial and decentralized nature of the platforms, but for the regulators and enforcement agencies they present “new and unique challenges”.
The Twitter hack and NYDFS Twitter report highlighted an obvious need for a tailored approach to cybersecurity and SISMIs, but also unearthed a larger issue – SISMIs are not only too big to fail, they may also be too big to effectively regulate on both a domestic level and international level.
Also hidden in the report is the idea that cryptocurrencies like bitcoin may no longer exist solely within the realm of payments, finance, and trade. It may not be long before we realize that cryptocurrencies have also become embedded into society and economy.
The NYDFS proposals are an important starting point for regulators, policymakers and governments around the world to consider. It is also a warning for the rest of us who continue to use and rely on these centrally controlled, soon-to-be-designated platforms, that Big Brother may be coming to town. In the interim, we may have few options except to trust SISMIs to, among other things, act neutrally and protect our data and the security of their platform. As we take a collective leap of faith, I only hope the gap is shorter than it looks.