Regulatory hurdles for Regtech
During the second half of 2016, ‘Regtech’ became the new buzzword in the financial industry. Whilst studies point us primarily towards the many advantages of regtech, potential risks are highlighted from a financial institution’s point of view. An often-cited obstacle to the implementation of a regtech solution is, ironically enough, regulation and the hesitance of regulators to go along with the story.
Regtech is the implementation of regulatory and compliance standards via technology. Regulators admit seeing the many benefits provided by regtech, but as they play a very different role in the financial industry, they have to look at the bigger picture, namely the industry as a whole. Therefore, regulators consider different risks and consequences than the individual players within the financial industry.
Why regtech is equally important for the regulator
Regulators are not blind to the evolutions around them. They understand that since 2008, the compliance pressure on financial institutions has increased exponentially to the point where it is impossible for them to implement every regulation correctly and within the given timeframe. The increasing amount of fines to be paid because of infractions proves this evolution (cf. figure 1, US data).
As such, regulators understand that regtech has an important positive impact on the industry. Regtech can help lower the cost of compliance, improve the data quality and provide a safer environment and thus reduce the operational risk.
Next to that, “compliance by design” sounds like music to the ears of regulators. The idea of having a common platform to which both regulators and financial institutions can connect simultaneously and have access to (near) real-time data is groundbreaking. Moreover, the possibility to manipulate and analyze data whenever it suits the regulator would be a serious step towards making the entire compliance value chain more efficient. So why are regulators hesitant when it comes to implementing regtech?
Consequences and risks related to regtech
During a regtech event in Amsterdam (#Readyforregtech), the Dutch regulator gave its audience a unique insight into the consequences and risks it considers for the industry.
Although IT development and maintenance of systems are often outsourced along the compliance value chain, the data is largely processed locally. In case of issues, it is generally easy to request additional information, as financial institutions know exactly where, when and how their data was treated. When venturing into regtech, the line between who is responsible for each link in the compliance value chain becomes blurred.
As such, the Dutch regulator used two examples to demonstrate the risks it sees.
The rise of big data has paved the way towards cloud solutions for data storage. The next logical step for cloud providers was to offer solutions that manage and treat the stored data for compliance and reporting purposes. The addition of self-learning algorithms was to ensure an ever evolving platform in line with the latest regulations.
However, when an error in calculation occurs within a cloud, the error will not solely impact a single bank, but it can potentially put at risk the entire industry. The magnification of failure, where a small error in coding can lead to an exponentially important risk at the end of the value chain, is a real concern for regulators, especially if the error is not immediately evident and thus not identified.
On top of that, financial institutions will always remain top targets when it comes to cybercrimes for financial gain. Moreover, on a worldwide scale, the Ponemon Data Breach study of 2016 found that the average cost per incident is approximately $4 million, up 29% since 2013. Once again, these numbers apply to a single organization. As more and more financial organizations store sensitive data in the cloud, regulators foresee that a breach in cyber-security protocols will affect multiple institutions simultaneously, whilst making the potential gains for cybercriminals larger. Even more alarming is that certain studies predict that by 2026 there is a 1 in 7 chance that key cryptography tools will be broken.
The rise of AI
Anyone who followed the most recent World Economic Forum in Davos knows that AI was one of the hot topics this year. Regtech lends itself well to the incorporation of AI, whether to automate and improve risk calculations, find relevant data autonomously or identify key passages within legislative texts.
For financial institutions the gains are obvious, but regulators ask a different question: “Who is responsible for the provided data?” Financial institutions should at all times be able to explain how and which data they used as input to come to a certain result. Nevertheless, if interpretation, processing and calculations become unreadable to the financial institution, how will financial institutions maintain control over their own results? Also, if the entire process to deliver reporting is managed in a different country, to which the regulator has no access, regulators fear that important controls in the compliance value chain will fall through the cracks.
As the application of AI to finance is still relatively new, many questions arise: Can AI identify discrepancies in legislation? How are cloud providers and institutions going to manage the choices that AI makes for a system? What if the decisions AI makes for a system are not in line with the results envisioned by the regulator? How will financial institutions organize the day-to-day operational supervision?
The new too big to fail?
There are still many questions regulators would like to see answered before they give the all clear to regtech. Three risks (the magnification of failure, cyber-security and the unclear locus of responsibility) have the potential to destabilize the financial system itself, which leads one to believe that regtech could also become the next too big to fail.
With time, as elaborated above, there is the threat of a new kind of systemic risk for the financial industry that is directly related to regtech, hence the question: “How to regulate regtech?”
Neither regulators nor financial institutions are able to provide a straightforward answer today. Much will also depend on how the market evolves in the coming years. However, as regtech offers advantages to both financial institutions and regulators, it is paramount that regulators stay on top of the subject. The ideal situation is that both regulatory standards and implementation of compliance via regtech develop together.
The increasing cost of compliance as well as the growing number of fines for infractions prove that financial institutions are struggling to implement new regulation correctly and within the given timeframe. That is why financial institutions are welcoming regtech solutions with open arms. Regulators will also need to take a long look in the mirror and determine how they will position themselves in the light of these innovations, because banks have already started taking action by jumping on the regtech train.
- “Quantum Computing: A New Threat to Cybersecurity”, Michele Mosca, 2016.
- “Banks likely to remain top cybercrime targets”, Marie Pettersson, 2012.
- “Ponemon, cost of Data Breach 2016 (infographic)”, IBM, 2016.
- “Mr regtech: de markt wil regtech maar kan de toezichthouder wel mee?”, KPMG, 2017.
- “Financial institutions. Fines, Penalties, and Forfeitures for Violations of Financial Crimes and Sanctions Requirements”, United States Government Accountability Office, 2016.
- Regtech has the power to bring financial institutions and regulators closer together by increasing the efficiency in data transfer and delivery, by means of near real-time data access.
- Regtech has the possibility to become the new too big to fail.
- Regulators should support the adoption of regtech. If not, they will miss the opportunity to ensure that regtech develops in a way that is also beneficial to themselves.