Regtech rising: Automating regulation for financial institutions
Financial institutions and regulators that harness the opportunities and manage the risks of adopting regtech solutions will reap big rewards.
Stay current on your favorite topics
Regulatory compliance is timeconsuming and expensive for both financial institutions and regulators. The volume of information that parties must monitor and evaluate is enormous. The rules are often complex and difficult to understand and apply. And much of the process remains highly labor-intensive, when even the most automated solutions are often incompatible with other systems and, even today, most still depend heavily on manual inputs.
As a result, costs have risen significantly for financial institutions in recent years. According to Federal Financial Analytics, a policy analysis firm, the six largest US banks spent US$70.2 billion on compliance in 2013, twice the US$34.7 billion spent in 2007.1 In 2015, the Financial Times estimated that some of the world’s largest banks each spent an additional US$4 billion a year on compliance since the financial crisis.2
We now have regtech, which has emerged to address these and other challenges. An outgrowth of fintech, regtech uses digital technologies— including big data analytics, cloud computing and machine learning—to facilitate regulatory compliance. Among other things, regtech applications automate risk management and compliance processes, enable companies to stay abreast of regulatory changes around the world, facilitate regulatory reporting and support strategic planning.
A growing number of companies and regulators use regtech solutions to increase the efficiency and effectiveness of compliance while reducing costs. Regtech may also prove essential to regulating emerging fintech applications that are difficult to monitor or manage under legacy regimes.
Organizations must be vigilant about managing the risks of implementing regtech solutions. The space is evolving rapidly, and regtech could bring significant change to the financial services sector in relatively short order, potentially transforming how regulators and financial institutions operate and interact. Some basic guidelines can help organizations capture the benefits while navigating what may often be new and unfamiliar terrain.
Financial Institutions Are Leading The Way
For now, the vast majority of regtech solutions are focused on helping financial institutions manage compliance. By some counts, more than 100 startups3 already provide regtech solutions, and many financial institutions are building proprietary systems in-house. At this early stage, most of the attention is focused on three broad areas: modeling and forecasting; identity validation; and real-time monitoring and behavioral analytics.
More than 100 startups already provide regtech solutions.
Modeling and forecasting
Data is the lynchpin of compliance, and companies need robust systems that efficiently gather, structure and present data for regulatory assessment. Compliance and reporting standards have risen significantly since the financial crisis. Most large banks operate under multiple sets of rules that require capital and liquidity reporting, recovery and resolution planning and stress testing—including those stipulated in the Basel Accords, the EU Solvency Directive and the US Dodd–Frank Act.
These and other regimes also require financial institutions to conduct sophisticated scenario modeling and analysis forecasting to evaluate and plan for the possible effects of adverse events on their businesses. These exercises are often extremely complex.4 To carry out these new regulatory requirements and directives, an institution must collect data and engage expertise from every corner of its organization to understand how a multitude of factors could affect its businesses.
One large financial services company used software from Ayasdi, a machine intelligence and analytics company, to assess the impact of more than 2,600 variables on each of its business units. Analysis revealed which variables would most affect each unit’s monthly revenues, and the company used those variables when developing risk management and strategy initiatives. As part of this effort, the company ran statistical tests to validate the models' predictions before submitting its strategic risk management plan to regulators.5
Regulations in a number of areas— including anti-money laundering (AML), sanctions and taxes—require detailed customer due diligence practices that can be significantly enhanced by technology solutions. Evolving know your customer (KYC) rules are particularly critical, requiring institutions to verify the identity of customers, clients or business partners, as well as their beneficial owners, whether they are actual or legal persons.
This is a complex and timeconsuming challenge requiring analysis of information from private and public sources, often codified in different languages and in a variety of formats. Many rules are set by international bodies and apply uniformly across borders, but other rules differ significantly from country to country.
Financial services providers are taking a variety of approaches to identity verification and validation. Some regtech providers currently operate as utilities to aggregate data from sources worldwide. Trulioo, an ID verification company, provides access to information collected in 50 countries from a range of sources—including government agencies and public record keepers, credit bureaus, utilities, consumer marketing firms, mobile and device service providers (including app developers) and cyber channels (including profiles from social media platforms). TransparINT, a real-time data intelligence platform, aggregates information about financial crimes and AML compliance from global media sources.
Blockchain is already a proven means of identity verification in the cryptocurrency context. Regtech providers, such as Tradle, are developing systems for using blockchain in other financial contexts, including for KYC purposes. Other innovative methods, such as biometric validation, including facial, voice, fingerprint and iris recognition, have already been deployed in many contexts. These technologies are evolving rapidly and they will be used in an increasing variety of applications and contexts in the future.
Real-time monitoring and behavioral analytics
Participants in financial markets must comply with Securities and Exchange Commission Rule 15c3-5, which sets credit and capability thresholds on trading activity in the US. In Europe, the Markets in Financial Instruments Directives set complex requirements for investors and intermediaries. And derivatives are separately—and strictly—regulated in the US, Europe and elsewhere.
A number of regtech providers focus on financial market compliance, using many of the techniques that are already used in the payments context to support compliance with AML, anti-terrorist financing and other sanctions regulations. Fundapps automates shareholder disclosures and flags potential problems related to areas such as disallowed assets, holdings that exceed regulatory limits and assets that require specific disclosures. OpenGamma enables traders to select a central counterparty to clear over-the-counter derivative transactions.
Some areas are more difficult to monitor because quantitative data is hard to come by. This is particularly true when the ability to identify questionable conduct depends on insight into human behavior or decision-making processes; thus, the ability to identify rogue trading situations or automate the processing of customer complaints is particularly challenging. Sybenetix, a behavioral analytics company, uses algorithms to do behavioral profiling that enables it to identify possible misconduct. Starling Trust Sciences, a predictive analytics company, applies the principles of behavioral economics and uses techniques such as network and Big Data analytics to identify risks based on insights into culture and behavior patterns within organizations.
Compliance also depends on staying informed about legal, regulatory and compliance changes, which can be particularly challenging for global financial institutions with operations in multiple countries, each with their own rules. A number of providers are focused on helping companies prepare for legal, regulatory and compliance changes. Helm Solutions not only provides companies with real-time alerts about compliance issues, it also alerts companies about changing regulations that affect their businesses.
Regulators Are Taking The Mantle
Regtech offers many of the same benefits to regulators as it does to financial institutions. Yet, it appears that few regtech providers have emerged to serve the significant needs of regulators.
Vizor, one of Ireland's fastestgrowing companies, develops technology for financial regulators that automatically monitors financial institutions to determine whether they are meeting regulatory requirements. Vizor serves several central banks, as well as bank regulators in England, Canada, Ireland, Saudi Arabia and more than a dozen other countries.
Another rapidly developing area involves the use of smart contracts, which may provide regulators with real-time oversight of an array of automated financial transactions. For example, automatic triggers could alert regulators when a bank exceeds thresholds set in its capital model (such as capital ratios based on realized or projected losses), enabling them to automatically initiate predetermined responses.
Regulators are also experimenting to develop more efficient regulatory structures that account for and are strengthened by regtech innovations.
Smart contracts may provide regulators with real-time oversight over an array of automated financial transactions.
In 2014, the UK Financial Conduct Authority (FCA) sparked a blaze of regtech investment by ordering regulatory agencies with oversight of financial institutions to identify technologies that will support compliance efforts. The FCA then launched Project Innovate to help companies bring innovative financial services and products to market. In its first year, Project Innovate supported 177 companies, and it is on track to support twice as many companies in its second year of operation.6
In 2016, the FCA debuted its "regulatory sandbox," a space where financial services companies are encouraged to test new products without regulatory consequences. The initiative will enable regulators to work out how to apply rules to new offerings without stifling innovation.
Other countries have also taken steps to support fintech and regtech innovation. The Australian Securities and Investment Commission launched an innovation hub to help fintech startups navigate the country's regulatory system, and Japan's Financial Services Agency launched a fintech support desk. The Monetary Authority of Singapore is in the process of developing a regulatory sandbox, and a variety of US regulatory authorities—such as the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency—are actively considering how to adapt to the emerging fintech era.
What to Look Out For
Despite the tremendous promise of regtech, there are good reasons for companies and regulators to exercise caution in its pursuit. All players in the space should develop clear perspectives about how to manage five broad categories of risk to minimize their exposure and maximize the potential benefits of their regtech endeavors: uncertain development paths; provider reliability; increased regulatory scrutiny; limited judgment; and privacy.
Uncertain development paths
Regtech systems are evolving rapidly, which can make it difficult for financial institutions or regulators to commit to a particular technology or course of action. Companies that invest in one approach may need to abandon it in favor of another down the line as new technologies emerge and new standards take shape and are implemented. It is also difficult to predict how regulations will evolve as the fintech space matures. Financial institutions that pursue strategies not aligned with future regulatory schemes might have to change course, perhaps at significant cost.
When a company selects a technology provider, it also selects a partner—and that comes with third-party risk. Regtech partners often have access to sensitive information and are charged with carrying out critical tasks. It is critical to conduct careful due diligence on every potential regtech partner to ensure their systems are secure and protected against cyberattacks and data breaches. It is also critical to check that each potential partner has a strong values-based culture, ensuring that it will not abuse access to sensitive information and will carry out all operations to the highest standard.
Increased regulatory scrutiny
Companies that implement and rely on fintech and regtech solutions to gather additional data may also be required to share such information with regulators, even if the data was expected to remain private. Systems that provide regulators with greater access to data may also invite greater scrutiny, enabling regulators to analyze such information however they see fit. Moreover, relationships with regulators could get even more complex as machine learning gains traction, particularly if regtech systems develop the ability to select which data to gather and share with regulators on their own. Regulators may also face additional risks in gaining access to greater volumes of data, particularly if they are held responsible for analyzing such information to identify violations or emerging issues within institutions or across the financial system.
Algorithms are very effective in making routine decisions and are improving rapidly when it comes to handling more complex decision-making tasks. Eventually, algorithms may be as good as or better than people at making complex judgments and accounting for nuance, but, for now, algorithmic processes are still catching up. While these processes can be extremely efficient, they can also replicate errors at extreme speeds that may be difficult to manage when something goes wrong. Thus, it is important to emphasize that people must remain involved in the regulatory compliance process. At a minimum, financial institutions and regulators should build gates into their systems that enable people to conduct checks and exercise judgment in complex scenarios. Regtech adopters and providers must be vigilant to avoid being complacent and ceding too much control to technology too soon.
Regtech adopters and providers must avoid ceding too much control to technology too soon.
Any time an organization collects data about individuals, it must take steps to ensure it does not violate privacy rules. This can be particularly difficult because rules often vary by jurisdiction. Moreover, privacy standards are evolving rapidly in response to innovations that have dramatically increased the power of technology to gather and analyze personal data. For example, the newly published EU Global Data Protection Regulation significantly raised privacy standards for companies that operate in the European Union, regardless of whether they are based there.7 Technologies that systematically monitor individuals to identify security threats or regulatory and legal violations may present privacy risks, including those that gather and analyze personal data about consumers and employees. Companies should regularly evaluate their regtech practices to ensure they do not violate privacy rules in any relevant jurisdiction in which they may be deemed to operate.
Although the regtech era is just getting started, financial institutions and regulators are already reaping tangible benefits from implementing regtech solutions. As the space matures, regtech will become prevalent throughout the financial services industry and an increasingly important aspect of the regulatory process. Early adopters that manage the risks and challenges of regtech could gain competitive advantages that set them apart.
1 "The Regulatory Price-Tag: Cost Implications of Post-Crisis Regulatory Reform," Federal Financial Analytics; see also: "Nuns With Guns: The Strange Day-to- Day Struggles Between Bankers and Regulators," The Wall Street Journal
2 "Banks Face Pushback Over Surging Compliance and Regulatory Costs," Financial Times
3 "100 RegTech startups to follow," LinkedIn Pulse
4 "Regtech in Financial Services: Solutions for Compliance and Reporting," Institute of International Finance
5 Citigroup case study, Ayasdi
6 "FinTech Week Speech: Christopher Woolard Chats Up RegTech Innovation," Crowdfund Insider
7 "Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law," White & Case
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP