RegTech, solutions that address regulatory challenges through innovative technology, is expected to grow dramatically, with global demand projected to reach $118.7 billion by 2020. This demand is being driven by a growing cyber threat, an explosion in business and technology innovation, and a changing regulatory landscape (motivated in part by the other two drivers). This CTO Corner discusses how RegTech differs from past investment in regulation technology, and the opportunities and issues it presents.
RegTech innovations promise to reduce the cost of compliance, the number of incidents of failure to comply, and associated fines. But the bigger potential gain will be better managed risk through cultural change that will allow an enterprise to use these tools to be more agile and adaptive. This will allow risk to be managed at lower overhead and likely lower capital reserve levels. These same tools will enable business operations to run more efficiently and profitably.
It is important to create an organizational culture capable of applying these new RegTech tools from the bottom up. RegTech tools will be integral to the enterprise processes, not just treated as a compliance conformance check list. This includes comprehensively monitoring and managing risk using quantitative metrics and behavioral analytics, and anticipating issues rather than fixing them afterward. If these changes can be effected, it will likely lead to greater transparency and a better understanding of what makes good security and risk management.
Although incumbents and technology companies have invested in regulatory solutions for years, the term RegTech has emerged as a new “hot” buzzword. Global demand is projected to reach $118.7 billion by 2020, with close to 55% in consulting and business services.[i] RegTech is used to describe a set of start-up, and some established, companies with solutions that address regulatory challenges through innovative technology. This CTO Corner discusses RegTech, why it is exploding now, how it differs from past regulatory technology solutions, and what it means for the financial services industry.
Factors creating the perfect storm for this technology segment to innovate and thrive, especially in the financial services sector, include:
- Regulatory compliance has become more difficult and more expensive. The intensification of financial regulation after the 2008 financial crash has resulted in an explosion of regulations globally, with many idiosyncrasies that vary between jurisdictions. The regulatory landscape is further complicated by the increasingly complicated, overlapping and ever-expanding variety of products and services being offered.[ii] Recent political events (Brexit, Trump’s presidency)[iii] are creating new uncertainties in the regulatory landscape. These events could spur the growth of RegTech as they will likely increase the complexity and costs of doing business across borders.
- The cyber threat is growing. Advances in the volume, sophistication and nature of the threat (cybercrime[iv], terrorist, and nation-states), increasingly targeted at critical infrastructure sectors, have resulted in a perceived need for more regulation at state[v], national[vi], and global[vii] levels.
- New technology-driven business innovations drive a perceived need for additional new regulation. Robo-advisors, crypto currencies, self-driving intelligent cars, drones, smart devices, smart contracts, distributed ledger systems, and other new innovations introduce uncertainties and new attack vectors, causing regulators to consider additional new regulations.[viii]
- Advances in technology make possible new approaches and strategies for security and risk management. The broad and cheap availability of cloud computing, combined with new sources of data from networked sensors and social networks, advances in “smart” technologies such as machine learning and prediction, artificial intelligence, advanced authentication technologies like biometrics, and behavioral analytics, provide solutions with the necessary agility to keep up with the continuous change that characterizes the current threat and regulatory environment, and make possible more real-time actionable reporting.
- Regulatory “sandboxes” encourage innovation in security and risk management. Some regulators are taking an active role in fostering business and technology innovation. UK’s Financial Conduct Authority (FCA) and The Monetary Authority of Singapore (MAS) have both set up a regulatory “sandbox” to provide a “safe place” for fintech companies to test services and business models before being offered to a consumer without having to worry about regulation.[ix] The regulatory sandbox concept is designed to make it easy to test breakthrough thinking, which encourages the adoption and testing of new RegTech tools, fostering innovations in enterprise security and risk management.
There are already over 120 identified RegTech start-ups, and that number is growing, with many incorporated outside the US.[x] They can be grouped into the categories illustrated below.
1) Market surveillance – These tools enable firms to monitor participants and to identify nefarious behavior based on trading data, money transfers, market information, newsfeeds, chats and email. They combine advanced data analytics with behavioral science to provide faster, more efficient ways to manage conduct. Challenges include the need to limit the number of false alarms without unduly sacrificing the ability to detect valid market abuses, and aggregating chat and voice communication across multiple channels and converting them into usable data. These tools could be extended to other transactions such as money transfers, mortgages and loans. They can also be used to assess employee and business unit performance.[xi]
2) Regulatory Reporting – Regulatory reporting involves taking information from different source databases and combining them to get one complete dataset. As many of these data sets are error prone and incomplete, tools have been developed to resolve inconsistencies in the source information. Many of these products also monitor regulation to ensure they are using up-to-date reporting formats.[xii]
3) Stress Testing/Capital Planning – These tools enable financial services firms to build test scenarios to manage risk, calculate capital requirements and stress test balance sheets. They can help reduce the required capital ratios of banks by proving to regulators that the firm has adequate reserves. Since conducting stress tests requires using data that is often contained in separate databases on multiple systems, with incomplete information, they also require data quality tools and initiatives.[xiii]
4) Fraud Detection – Solutions to protect against external and internal fraud are closely related to tools for identity verification, and suspicious activity alerts. They enable an organization to use multiple dynamic data sources (behavioral, transactional and social), and sophisticated analytics to validate the individual making a transaction or opening an account, and to monitor and detect all kinds of fraudulent activities.[xiv]
5) Controls Automation – These tools automate interpretation, application and oversight of regulatory rules and internal security and risk management processes, flagging potential issues.[xvi]
6) Cybersecurity/Data Privacy risk management of 3rd party vendors and partners – Specific regulatory cybersecurity provisions and vendor obligations put the onus on financial institutions to take responsibility for their vendors’ systems as well as their own.[xvii] These tools address this need to monitor external third party vendors and partners that operate outside the firm’s perimeter.
7) Risk Management – Traditional risk management at financial services is often focused on front-end operations such as trading limits and value at risk calculations. New tools allow firms to better address these risks as well as operational risks from middle and/or back office functions. They provide advanced data analytics and visualization to reduce the time to analyze risk parameters, and allow firms to spend more time acting on insights.[xviii]
8) Customer Due Diligence (CDD)/Know Your Customer (KYC) – These tools make client acceptance more efficient by reducing the manual work this often entails. This includes accurately linking names from multiple sources that differ due to differences in spelling and local language, a process that currently makes the onboarding and monitoring slow and often incomplete. Many of these solutions take advantage of the growing role of mobile (there are over 5 billion mobile phone users in the world today) by capturing the digital footprints created by mobile devices to verify the user’s identity for KYC and identity verification purposes. Unique identifiers or blockchain technology have a potential role here.[xv]
9) Communication Monitoring – Today’s world of multi-channel communication (Whatsapp, Facebook Messenger) leads to headaches for compliance officers due to the difficulty of tracking all communications. Apart from ensuring that any communication is in line with internal guidelines, regulation increasingly requires firms to store all client communication. To satisfy such requirements, firms should be able to integrate and monitor various communication channels or migrate account managers to controlled universal messaging environments.[xix]
10) Other – There are also emerging technology start-ups that address regulatory issues involving compliance training, model management, violation analytics and internal audit.[xx]
Machine learning and Artificial Intelligence are key technologies. Although many products are focused on automating the more routine compliance tasks and reducing risks associated with meeting compliance and reporting obligations, some are already designed to help make more informed risk choices, providing actionable insights about the compliance risks faced and how to mitigate and manage them. Machine learning and Artificial Intelligence (AI) are already helping firms keep up with the challenge of changing regulations. They are also key technologies to assist in creating a form of dynamic oversight, allowing real-time changes based on live events, providing needed intelligence and automation to learn and adapt to changes in the threat and regulatory environment. One example is the ability to change capital requirements based on real market events instead of adjusting for historical events. An issue with AI is how these smart learning applications can be monitored to ensure they have not gone rogue or become misinformed.
Building Risk Management from the bottom-up. It is important to create an organizational culture capable of applying these tools from the bottom-up, where sound risk management practices are built into the enterprise processes, and not just treated as a compliance conformance check list. This includes more comprehensively monitoring and managing risk, using quantitative metrics, advanced analytics, and machine learning to anticipate issues rather than fix them afterward. It is important to understand that risk can never be eliminated entirely, and know how to limit behavioral or conduct risk. NY Fed President Bill Dudley recently spoke on this topic.[xxi] He made the key points that enhanced risk management and compliance begin with company culture, and that it can’t be mandated from the top-down but must be cultivated and adopted from the bottom of the organization on up. The result is a more disciplined and measurable approach, greater transparency, and a better understanding of what makes good risk management.
RegTech can remove barriers to entry by helping to level the playing field for established and new entrants in the financial services industry. While new regulations are designed to bring transparency and stability to the financial sector, the practical costs and logistics invested in understanding and complying with them are massive. There are hundreds of legislations, jurisdictions and regulators across the globe that make it difficult for companies to navigate their compliance regime. For example, the lack of harmonization of in-country data privacy hinders development of a global compliance program, especially for companies transacting and expanding across borders. RegTech can help all companies address these compliance challenges.
Need to update existing core legacy systems and processes. To maximize the benefit derived from RegTech solutions, it is important that the enterprise put in place processes and systems that make it easy to aggregate data from multiple sources by minimizing data errors and inconsistencies across enterprise data silos, and taking needed actions in a timely manner through built-in controls and processes. Although cloud-based RegTech solutions can be overlaid on top of existing legacy systems, achieving the above goals will require some overhaul and update of existing legacy core systems and processes.
Need for Framework and Open APIs. As the number of RegTech solutions grows, so will the need for a RegTech Framework based on open APIs. Such a framework would allow the various solutions to talk to each other and allow easier access to information from multiple sources. It also would allow Financial Service firms to avoid vendor lock-in and to add/substitute new RegTech solutions as they become available.
As the task of risk management grows along with the number and complexity of regulations, the need for new strategies and tools that enable risk management and regulatory compliance to be more agile, adaptive, and executable in real-time increases in urgency. RegTech will enable regulatory cost savings but more importantly will enable organizations to optimize their cultures to more dynamically manage risk. Events will occur, but there will be less chance of catastrophic failures, at lower overhead, with enterprises potentially lowering capital reserve requirements. These same tools will enable operations to run more efficiently and more profitably. FIs will likely need to update their core legacy processes and systems to mitigate errors and inconsistencies across data silos and to enable real-time responses, taking full advantage of these tools. A framework with open APIs is needed to prevent vendor lock-in and allow for easy incorporation of new RegTech offerings. Finally, with the introduction of a more disciplined and measurable approach, we will see greater transparency and a better understanding of what makes for good risk management. It is not more regulation that is needed but the right culture imbued with a greater understanding of the risks and how to manage them. With RegTech enabling more efficient, enterprise-wide risk management, regulator harmonization on finer compliance details such as language, definitions and oversight processes can further improve firms’ abilities to effectively manage risk while protecting consumers and their critical systems.
[i] https://medium.com/@LetsTalkPayments/international-regtech-companies-defining-the-100-billion-dollar-industry-c3e1d826d015#.kny7waalm, https://letstalkpayments.com/international-regtech-companies-defining-the-100-billion-dollar-industry/
[ii] https://hbr.org/2015/10/how-smart-connected-products-are-transforming-companies, https://ec.europa.eu/epsc/sites/epsc/files/strategic_note_issue_7.pdf, http://www.explainingthefuture.com/nic.html, http://www.patriciabromley.com/BromleyMeyerBlurring.pdf
[iii] http://www.reuters.com/article/us-britain-eu-banks-idUSKBN15P1HY, EU financial services chief warns U.S. against unpicking bank rules, https://www.ft.com/content/7dc9a004-c6c4-11e6-8f29-9445cac8966f, Business faces ‘confusion’ over post-Brexit regulation, CBI warns
[vi] https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework, https://www.dlapiper.com/en/us/insights/publications/2016/02/cybersecurity-2015s-top-legal-developments/, http://www.corporatecomplianceinsights.com/increasing-cyber-attacks-prompt-regulations/
[ix] https://www.fca.org.uk/publications/documents/regulatory-sandbox, https://www.fca.org.uk/firms/fintech-and-innovative-businesses, http://www.mas.gov.sg/Singapore-Financial-Centre/Smart-Financial-Centre/FinTech-Regulatory-Sandbox.aspx
[x] https://www.linkedin.com/pulse/100-regtech-startups-follow-jan-maarten-mulder, https://www.cbinsights.com/blog/regtech-regulation-compliance-market-map/, https://medium.com/@janmaartenmulder/regtech-is-real-and-120-startups-to-prove-it-6b396d94dd8c#.o8576j1zi, https://www.linkedin.com/pulse/regtech-real-120-startups-prove-jan-maarten-jm-mulder-1
[xi] Ancoa (contextual surveillance and analytics with actionable alerts) http://ancoa.com/, Sybenetix (behavioral profiling algorithms to address Market Abuse Regulation requirements) http://www.sybenetix.com/.
[xii] Fintellix (multi-country regulatory reporting), http://fintellix.com/, http://www.vccircle.com/news/technology/2015/05/05/exclusive-banking-analytics-startup-fintellix-hits-road-raise-15m-series, Modelity (product performance, scenario and stress testing, term sheet generation), http://www.modelity.com/products-a-services/modelity-structures/
[xiii] http://algosave.com/, http://www.axiomsl.com/resource-center/press-releases/2015/10/07/axiomsl-announces-ifrs-9-partnership-with-algosave, https://www.ayasdi.com/, https://www.suade.org/, http://www.entrepreneurcountryglobal.com/zoo/item/an-interview-with-suade-ceo-diana-paredes, http://www.percentile.co.uk/
[xiv] http://www.netguardians.ch/, https://riskident.com/en/, https://www.crunchbase.com/organization/trustev#/entity
[xv] https://tradle.io/, https://complyadvantage.com/, https://www.fenergo.com/, Passfort is a security keychain device that allows you to generate, store and manage unique and secure passwords for all your digital services and apps,
[xvi] http://www.capnovum.com/, http://continuitycorp.com, http://droitfintech.com/, http://www.quarule.com/
[xvii] http://endsecurity.com/, https://www.alyne.com/en/
[xix] https://www.novastonemedia.com/, https://www.qumram.com/
[xx] https://thefinesdatabase.com/Public/AboutF2, http://www.irishtimes.com/business/technology/corlytics-completes-1m-funding-round-1.2253157, https://www.imandra.ai/