In this post, we describe two examples of technology being used by businesses to evade regulations and frustrate regulators – a phenomenon that we call “anti-RegTech”.
But first, what is “RegTech”? RegTech generally refers to the use of technology by businesses to help comply with regulatory requirements more efficiently. It has largely been welcomed by regulators across the globe. But, as with all technological innovations, RegTech can be used for both legitimate and illegitimate purposes.
Uber and “greyballing”
Uber’s ride sharing app presents an interactive map to its users that displays all available cars in a given location. But last month the New York Times revealed that Uber had been presenting an altered map to certain users, replete with phantom cars that would not accept rides.
Uber claimed that this “greyballing” technology was used for market testing and promotions.
However, Uber’s ride-sharing services remain illegal in many jurisdictions – most recently, five Uber drivers in Hong Kong were fined and banned from driving for one year. By greyballing regulators and law enforcement, Uber could arguably prevent them from gathering the evidence necessary for legal action.
This is largely down to the fact Uber had the ability to selectively greyball specific users. Users to be greyballed were allegedly identified using geolocation data, credit card details and social media profiles. Collating this data, Uber was apparently able to determine which users were likely to be regulators or law enforcement based on whether, for example, their credit card was linked to a police credit union, or the amount of time that they spent inside transport department buildings.
Volkswagen and “defeat devices”
In the late 2000s, Volkswagen developed a strategy to sell diesel cars in the United States using the high fuel efficiency of their engines as a key selling point.
The problem for Volkswagen was that adjusting their engines to meet stringent US emissions standards greatly decreased their vehicles’ fuel efficiency.
The manner in which Volkswagen “solved” this problem was revealed in 2015, when the US Environmental Protection Agency (EPA) issued a notice of violation to Volkswagen, stating that the company had installed “defeat devices” in its cars.
These devices could detect when a Volkswagen vehicle was being tested by the EPA, and would automatically reduce the engine output in order to meet the EPA’s emission standards. When back on the road, the defeat device would deactivate, reverting to full engine output.
The difference in emissions was striking. In real-world driving, some Volkswagen models produced forty times more nitrogen oxides than their test results showed. In such circumstances, it is difficult to claim that the technology’s purpose was anything other than to intentionally overcome EPA testing and circumvent emissions standards.
The fallout was huge (to say the least): Volkswagen’s CEO resigned, and senior managers have been indicted. In addition, the company has agreed to pay US$4.3 billion in fines, and reached a US$15 billion settlement with consumers. The reputational damage is harder to measure, but no less severe.
Given the early stage of RegTech development, it is unclear how much of an issue anti-RegTech will be going forward. But, as the use of technology in the regulatory space increases, so too does the commercial incentive to manipulate that technology, or create other technologies to evade regulation. This might include, for example:
- an algorithm that divides up large money transfers into smaller transactions, so as to fall under money laundering trigger amounts;
- an app that manipulates social media profiles, to dupe Know-Your-Customer checks; or
- a program that facilitates tax evasion by randomly and minutely altering a merchant’s sales records, leading to an under-reporting of income.
How regulators police anti-RegTech is also unclear. The Uber and Volkswagen cases demonstrate that keeping the lid on large-scale regulatory avoidance is difficult. Nonetheless, more drastic measures, including mandatory software examinations by regulators (beyond those already being undertaken), may become the norm if anti-RegTech becomes a widespread phenomenon.
What are the legal issues?
There isn’t generally a law against anti-RegTech, but there are several ways in which anti-RegTech can breach local law and regulation, depending on the facts. For example:
- fraud, misrepresentation etc – where an element of deceit is involved;
- actual breach of law – for example, market misconduct, tax evasion, money laundering or sector-specific laws such as environmental protection;
- accessorial liability and complicity by aiding, abetting etc an offence;
- breach of ancillary legal protections – for example, the use of “matching” technology in breach of local privacy laws; and
- breach of regulation – involving a breach of the standards of conduct imposed by a regulator on its licensees. We would expect this to be the case in anti-RegTech applications used by a regulated financial services company (or its agents).
There could be a range of other risks.
What you need to think about
This is a case of “Know-Your-Technology”. It is not enough to have one legitimate purpose, if the technology can (and is) being used for regulation-defeating purposes.
The key questions to ask include the following:
- What tools is my business using, or proposing to use?
- Does it have a legitimate purpose that we can demonstrate?
- Does it have any other purpose(s) that could be perceived as evading regulation, or possible unintended uses? What are the issues?
- How are we managing that risk? For example, can we apply appropriate blocks or conditions? Do we need to give our Tech people a steer on the parameters of what is okay and what is not?
- Do we need to include anything in our agreements with IT professionals and outsourcing contracts?
Investigations and enquiries from regulators must also be carefully handled. They are very easy to lose control over, particularly when press coverage is involved and staff involved in regulatory communications are not across the technical and legal specifics.