Seen as an offshoot of Fintech, RegTech is defined by the UK's Financial Conduct Authority (FCA) as "the adoption of new technologies to facilitate the delivery of regulatory requirements". The financial crash of 2008 led to increased regulation of financial services. and the patchwork of resulting national and international laws has placed an enhanced compliance burden on firms. RegTech solutions are helping to ease the pain by assisting firms to keep abreast of new requirements and integrate the capacity to comply with them into their existing systems.
What characterises RegTech solutions?
The components used in RegTech solutions aim to enhance speed, minimise risk and reduce the cost of regulatory compliance. They are invariably cloud based. This allows data to be stored, kept secure and manged remotely, leading to cost benefits, reliability, quicker results and flexibility. This in turn plays into RegTech solutions' critical selling point – agility. Traditional solutions to the compliance burden have involved either bespoke systems which can become quickly outdated, or off-the-shelf solutions which need customisation and regular updating and can be cumbersome due to lack of flexibility. Cloud-based solutions offered by RegTech providers have the advantage of being able to manipulate data sets and re-organise them as required for different customers or when regulatory requirements change, with data analytic tools and biometrics used to make sense of vast quantities of data and technologies like blockchain being used to keep data secure. They don't have to be entirely new solutions and are often integrated into existing systems but can facilitate real-time compliance and risk assessment.
What are the main current applications of RegTech?
While the range of businesses sheltering under the RegTech umbrella is wide (especially depending on how you define what constitutes RegTech), current applications focus on a number of key areas including:
- Fraud prevention – these solutions monitor transactions in real time in order to analyse them and identify and prevent fraud: examples include IdentityMind Global which provides an analysis platform to identify and reduce fraud, Trustev which scans transactions in real time to determine their authenticity, and Elliptic which identifies illegal Bitcoin activity and provides proof of identity for Bitcoin users (see our previous article).
- Identity verification – also part of the fight against fraud, technologies are used both to complete 'Know your Customer' (KYC) checks and to ensure that information is used by the right person. For example, Tradle uses blockchain technology to speed up the KYC process, and CheckRecipient uses AI to identify emails with unusual recipients and sensitive content in order to prevent them being sent to the wrong person, and also tracks employee emails. Trulioo is an example of a real time identity verification solution.
- Regulatory compliance – this is a key application of RegTech and there are a number of regulatory reporting solutions such as Cappitech and OSIS and IPC available. Suade is a tool which interprets the regulatory framework in the context of its individual clients, and then offers management tools and compliance solutions to facilitate reporting.
- Cybersecurity – one of the greatest threats faced by financial institutions is cyber attack. Unsurprisingly, there are a number of businesses operating in the cybersecurity for financial institutions space, such as DarkTrace and Passfort.
- Risk analysis – AlgoDynamix is an example of a risk analytics company which uses algorithms to scan real-time sources, analyse market behaviour and then predict pricing to manage risk. Risk assessment is also used in the context of compliance, for example, by Corlytics, and Credit Benchmark is an example of a solution which collates and anonymises credit risk estimates from global banks.
- Risk management – Percentile and AQMetrics are among those providing risk management solutions.
Who stands to benefit?
In addition to the RegTech providers themselves, clearly financial institutions have much to gain from RegTech. Being able to deliver regulatory compliance in a shorter timeframe at a reduced cost cannot be anything other than attractive. The ability to exploit data for a variety of purposes including identifying systems issues, fraud and abuse, and the requirements to implement security measures which sit alongside that, can also help early adopters gain a competitive advantage.
Professional services firms are important players in the RegTech ecosystem. They can help inform product development with their knowledge of business and regulator concerns and connect suppliers with customers.
It is not just businesses which stand to benefit, however; customers will also appreciate being able to step through regulatory requirements like KYC with ease and are likely to grow increasingly sensitive to security issues. Firms using the most up to date technology and able to offer advanced cyber risk protection will be sought after.
What do the regulators think?
Regulatory bodies are often seen as being slow to keep up with technology but in the area of financial services regulation at least, many regulators are not only keeping up, they are facilitating growth.
The FCA recognises that RegTech will be a key tool in delivering regulatory compliance, transparency and achieving faster and more granular responses, all of which should help avoid a financial crisis like that of 2008 in future. To promote innovation in regulatory compliance solutions, reduce regulatory barriers to entry and improve outcomes for consumers, the FCA launched Project Innovate in October 2014, a hub to help new and established businesses introduce innovative financial products and services to the market. In November 2015, the FCA announced plans for a regulatory sandbox which launched in May 2016, and allows businesses to test innovative products, services, business models and delivery mechanisms in a live environment free from some of the usual regulatory consequences or obligations (see our article for more). This initiative is much emulated, with the European Commission recently announcing plans for a similar EU regulatory sandbox.
The Bank of England has its own Fintech accelerator which, among other things, is intended to help it find suitable RegTech solutions to assist it in carrying out its regulatory functions. In March 2017, it announced its decision to work with MindBridge AI to develop a proof of concept. MindBridge AI detects author anomalies in financial transactions and reports using data science, machine learning and AI. The Bank is intending to use it to analyse the quality of regulatory data input and it is not alone in targeting this area. French regulator, the Autorité des Marchés Financiers (AMF), is developing a system which uses Big Data to capitalise on the transaction reports required under MiFID II and analyse trader behaviour and market transactions in real time. The FCA is also reported to be working on developing a machine learning (AI) tool for these purposes.
The Bank of England is also carrying out a proof of concept with Ripple to demonstrate the synchronised movement of two different currencies across two different real-time gross settlement systems. The aim is to show how this can reduce settlement risk and improve the speed and efficiency of cross-border settlements.
It is not just the financial services firms which have been affected by the enhanced compliance burden, regulators have also had to cope with the combined pressures of an increased workload and reduced budgets, so it is no surprise that they are riding the crest of the RegTech wave.
What are the barriers to further developments?
There are a number of issues which will need to be addressed by the industry for the sector to reach its full potential
One of the strengths of RegTech solutions is their ability to allow for different systems and cross-border differences in regulatory environments, but there can be little doubt that more harmonised and interoperable systems would facilitate the industry's development. The FSA is consulting on barriers to entry and steps are already being taken to reduce unnecessary barriers, for example, in relation to open APIs (see our article for more), as industry and law makers wise up to the benefits.
Despite the broad enthusiasm of the regulators, there has been insufficient investment by them to enable them to cope with the potential volume of data submissions, for example under MiFID II. Banks will also have to invest further in order to realise their aims of shedding risk and cost and minimising human error, not to mention becoming comfortable with potential liability issues. This means there is some way to go before systems, solutions and regulation to work together.
One of the most significant issues for the RegTech industry to wrestle with (in addition to the obvious financial services regulations) is data protection. In the EU, use of personal data is governed by the Data Protection Directive 1995, to be replaced by the General Data Protection Regulation (GDPR) which will apply from 25 May 2018. The GDPR governs the use of personal data and, among other things, introduces a right for individuals to object to profiling. While there are exceptions to some of the GDPR requirements where certain personal data-related activities are required by law, RegTech solution providers and their customers will need to ensure that they take the GDPR into account. Some of the more advanced applications of RegTech which use data analytics to assess risk in relation to individuals, will need to be particularly careful to ensure they comply with the GDPR where applicable and may need to look to techniques like anonymisation.
There are also question marks over some of the technology being used in RegTech. Distributed Ledger Technology like Blockchain, for example, which is used to create a secure, shared ledger or database to record and track transactions and assets, has enormous potential in the world of financial services, not just in RegTech. However, it is not without issues. It relies on huge processing power and can only cope with a limited number of transactions per hour (seven Bitcoin transactions per second, compared with 1736 transactions processed by Visa America per second). Another issue for regulated firms which the FCA is currently seeking feedback on is how they allocate responsibilities and permissions for shared systems. This is all the more important because while it is undoubtedly difficult to tamper with, the technology is not, in fact, invulnerable to cyberattack; malware has been used successfully to alter data held on distributed ledgers.
A great benefit of RegTech solutions is that they are adaptable but that does not mean they are immune to technology becoming outdated or unfit for purpose. They will have to develop rapidly to keep abreast of new ways of committing crime.
What does the future hold?
The initial phase of RegTech solutions has focused on regulatory compliance and fraud prevention. As the key RegTech technologies like AI, data analytics and data visualisation develop, we can increasingly expect products which provide greater levels of analysis, not only of risk, but of performance, using existing information to extrapolate ever further into the future.
Products used to provide scenario analysis, forecasting and modelling and to complete required 'stress tests' will be further developed to produce faster and more detailed results.
Data analytics will also increasingly be used in a predictive context for targeted risk analysis in relation to individuals (where biometrics will come into greater play) and more broadly for internal modelling to be used to develop strategy and report to regulators.
Another application ripe for further development (although businesses like Sybenetix already operate in this area) is so-called 'conduct monitoring'. This takes risk analysis to a highly sophisticated level, combining data about the behaviour and personalities of individual traders, with aggregated market data to identify potentially illegal activities and, more worryingly perhaps, to assess performance.
As ever, with disruptive and emerging technologies, the ability to flourish depends not just on a willingness to innovate but on the ability to operate within the law. Just because RegTech solutions are designed to facilitate regulatory compliance, does not mean that they are immune from regulator scrutiny. Having said that, regulators and financial institutions alike are persuaded of the potential benefits of a developing RegTech sector.