The Benefits and the Challenges
For compliance professionals, the opportunities presented by regulatory technology are plentiful, even though challenges exist. Several best practices can help ensure they are getting the most out of the tools they choose for their businesses.
Regulatory technology (regtech) is a subset of financial technology (fintech) as well as of the larger cyber realm, and it offers compliance and risk departments in financial service institutions great benefits, while also introducing potential threats and challenges.
By all accounts, it looks like the benefits outweigh the latter concerns, but only a business with an effective compliance program will see that presumption play out.
Challenges for Firms
The challenges for firms start with the need to have the appropriate skill sets at all levels of the business: the capacity to know what technology is needed, to evaluate possible tech solutions, and to skillfully select and monitor technology vendors. Plus, there will likely be a need to revamp legacy systems and implement internal rulebook changes.
Skill sets within compliance and risk departments need not match those in the IT department, but the selection of these tools must be an informed one, and the ability to use them and know when they are not functioning appropriately should become part of the compliance remit.
Cyber threats are incredibly challenging to insulate against, detect and contain, and they make for some of the worst kinds of publicity. The concern is borne out by the statistics on cyber attacks: their incidence, their cost and the breadth of corporate types among the victims are all increasing.
Regtech is supposed to make our lives easier, but when these tools are under attack by ransomware, which cybersecurity researchers estimate criminals used to haul in over $1 billion (USD) in 2016, consumer data and money, plus market integrity, are compromised.
Another challenge in this arena revolves around assigning who does what in the selection, maintenance, auditing and updating of tools and in handling their breakdowns, plus any attacks on or misuse of them.
Another one is dealing with U.S. (and local) regulators that are just now assembling divisions to oversee cyber and all things “tech,” leaving businesses still trying to figure out what the regulators expect of them as they use the tools for key compliance tasks.
Benefits to Business
For compliance professionals, the opportunities presented by regtech are plentiful: The tools sift through data or offer information quickly, helping firms comply with regulations and laws, and enable those businesses to evidence their compliance. The ability to have such tools track ever-changing, global regulatory enactments that impact your business, from their proposal stage to their implementation, often more than justifies the cost of the tools by making the task far less time-consuming and the results more efficiently compiled.
More specifically, they can scour watch lists and discern aberrant behavior; take a huge amount of regulatory detail and parse it down to what your firm needs; help build a new product or service; and help test the compliance controls upon which a compliance program relies.
Individual jurisdictions are signing memoranda of understanding with each other and regulators are developing “sandboxes” to encourage innovation. And while each financial market and regulatory infrastructure has its own characteristics, regtech helps offer solutions that factor in these geographical and market nuances.
As regulators publish their policies and advertise their supervisory approaches to technology, several large financial firms have established dedicated teams to explore the technology, and some market participants have formed consortia to create industry standards.
Customers expect to use increasingly sophisticated tools that make investment management more efficient, which is also spurring firms to create and refine them. But just as customers want easy access, they insist on having protections undergird these tools to safeguard their money and identities, and to ensure they are investing in products suitable for them.
Best Practices
There is no one-size-fits-all solution to regtech adoption, deployment and supervision.
Regulatory technology that is developed in-house can often be tailored precisely to the firm’s business and risk profile, but tools developed by vendors may benefit from having people with a broader skill set: people who have worked with an array of institutions and might know what offers a better solution. Firms need to consider whether one or the other, or some mixture of both solutions, works best for them.
To use regtech wisely, whether developed in-house or not, companies need to assess the skills they have internally and begin to remediate gaps as needed.
Again, this is not just an audit that should occur in the IT department; it needs to cover risk, compliance and internal audit as well. Even if much of the regtech solution comes from a vendor, someone (or several persons) needs to be able to appreciate what the business needs and be able to vet possible vendors and tools effectively.
Compliance and risk functions should be involved in all stages to ensure that a solution suits the business and actually improves the overall compliance soundness of the firm.
As noted above, many personnel will have roles and responsibilities that are split along clear lines of demarcation. But there must still be a clear owner for these technology solutions. If decision-making is too diffuse, such tasks as reporting to the regulator and other authorities, making statements to the public, and adopting new potential solutions will be slowed down to a crawl or delivered with inconsistent messaging.
To be sure, effective governance in a business using regtech dictates that there are clear lines of reporting and escalation to the board on all matters relating to the firm’s technology that tracks regulation.
At the board level, a cyber-risk tolerance should be established and reporting obligations spelled out. The board should also spell out what it seeks in terms of regtech design and implementation, and what it sees as gauges of effectiveness.
These systems must be tested routinely for their efficacy and fitness for their intended purpose. Assessing the efficacy of any regtech tool must involve an independent third party that can get in under the hood and spot where any problems lurk or where improvements could be made.
Finally, as part of the process, there is always some need to consider how each tool could be eradicated in a secure fashion when the firm no longer needs it, with the actions taken overseen by experts and documented for the board and upper management.