In this follow-up to a recent piece extolling the benefits of regtech, ACA Technology’s Burt Esrig provides insight into the state of enforcement in the financial services industry and why regtech is no longer optional.
The adoption of regulatory compliance technology (regtech) has increased in recent years and the reason is clear: not only has the financial industry’s regulatory framework become more complex and difficult to navigate, but the cost of noncompliance has also risen significantly.
According to the U.S. Securities and Exchange Commission’s (SEC) Enforcement Division’s (the Division) 2018 Enforcement Annual Report, 490 standalone actions were issued in FY 2018, 63 percent of which involved investment advisory issues, securities offerings and issuer reporting/accounting and auditing collectively, with others relating to broker-dealer misconduct (13 percent), insider trading (10 percent) and market manipulation (7 percent).
The Division’s Cyber Unit became fully operational in FY 2018, further demonstrating the SEC’s continuing focus on cybersecurity. The Cyber Unit’s investigations led to 20 enforcement actions for cyber-related misconduct, including cases related to initial coin offerings (ICOs) and digital assets.
In the U.K., the Financial Conduct Authority (FCA) continues to focus on the Market Abuse Regulation, increasing its scrutiny of firms’ market abuse risk, trade surveillance and controls, particularly at buy-side firms, leading to significant enforcement activity.
This regulatory focus has served as a driving force for firms to invest in technology that helps meet compliance obligations not only more efficiently, but also more effectively. In order to appreciate the challenges regtech is looking to solve, it is important to look at the cost of noncompliance and how it has evolved in recent years.
The Regulatory Reach is Ever-Expanding
One of regtech’s biggest impacts is that it has made record storage easier and more efficient. When it comes to regulation, this basic technical capability has provided the means to expand powers of surveillance and enforcement. Greater transparency obligations have armed regulators with the information needed to investigate cases of noncompliance. Equally, new regulations promulgated over the last several years – covering everything from market abuse and data privacy to cybersecurity, best execution, inducements, anti-money laundering, bribery and corruption – have broadened the regulators’ scope of responsibility.
Although the pendulum has started to swing away from overly prescriptive rules toward a more principles-based approach, this is not likely to reverse the demand for regtech solutions. Looking at regulatory fines and investigations over the last couple of years shows a number of examples on both sides of the Atlantic that demonstrate regulators are enforcing these new areas of responsibility.
More Regulatory Scrutiny, More Enforcement Actions
In the world of ever-increasing data privacy regulations, the U.K.’s Information Commissioner’s Office (ICO) in 2018 issued the first enforcement action related to the EU General Data Protection Regulation (GDPR), against a Canadian data analytics firm for allegedly violating GDPR and the U.K. Data Protection Act (DPR).
The FCA has a record number of market abuse investigations open currently, with enforcement actions coming through for a range of offenses on both the sell side and buy side.
Electronic communication surveillance also continues to be a focus for regulators in both the U.S. and U.K. as a form of preventing and detecting financial crime within firms. The SEC, FCA and Financial Industry Regulatory Authority (FINRA) have all issued enforcement actions that serve to remind firms across the industry of the need to allocate appropriate resources to continuously enhance their monitoring programs.
In the realm of cybersecurity compliance, the SEC’s Cyber Unit in 2018 brought the first case against a public company for failing to properly inform investors about a cyber breach, as well as the first enforcement action against a firm for violations of the Identity Theft Red Flags Rule. For the latter case, the charged broker-dealer/investment adviser agreed to pay a $1 million fine.
Also in 2018, the Commodity Futures Trading Commission (CFTC) ordered a registered futures commission merchant (FCM) to pay a $100,000 fine for their alleged failure to supervise their IT provider’s implementation of key provisions in their information systems security program (ISSP).
A Broader Trend
These examples paint a clear picture across the industry: Investment management firms face broader obligations, closer scrutiny and harsher enforcement than ever before.
This analysis is backed by aggregate statistics. The SEC’s Enforcement Division ordered $3.945 billion in disgorgements and penalties in FY 2018, an increase over FY 2017. In addition to the 20 standalone cases brought by the SEC’s Cyber Unit in FY 2018, the fiscal year ended with more than 225 cyber-related investigations in the pipeline.
What the Future Holds
Globally, there are still many recently introduced regulations whose impact has not yet been fully realized across the industry. In Europe in particular, MiFID II has not so far been tested when it comes to enforcement. With GDPR having come into force on May 25, 2018, regulators are ramping up their enforcement activity related to GDPR noncompliance, presumably with more to come. However, both sets of regulations are far-reaching in their scope, as well as in their extraterritorial nature and potential severity of penalties.
At the same time, initiatives such as the FCA’s Senior Managers and Certification Regime (SM&CR) (due to be extended to all investment management firms later this year) will further emphasize the need for individual accountability and professional competence. And while the current U.S. administration has signaled its desire to reduce the regulatory burden on firms, it has not yet made a material difference to the obligations of investment management firms themselves.
The Regtech Imperative
Participants in financial markets across the globe – individuals and institutions alike – face an ever-higher bar when it comes to the standards of behavior. To enforce those standards, regulators continue to seek greater transparency (through regulations such as MiFID II) and are introducing new surveillance systems (such as the consolidated audit trail in the U.S.).
Broadly, regulators regard technology as a key part of the industry’s roadmap (as detailed by FINRA’s recent report on regtech and the FCA’s 2018/19 business plan). In addition, regulators are investing in their own technological capabilities to better perform their supervisory duties.
In the U.S., the SEC can analyze large amounts of trading data using its own National Exam Analytics Tool (NEAT), as well as review specific market activities using its Market Information Data Analytics System (MIDAS).
In the U.K., the FCA employs its Market Data Processor (MDP) System to analyze trading records for suspicious activities as well as interface with the European Securities and Markets Authority’s (ESMA) transaction Reporting Exchange mechanism (TREM) to exchange transaction reports with other national competency authorities (NCAs).
Technology has a clear role to play in compliance, and this will continue to evolve and grow. With IT contributing to the closer regulatory scrutiny of investment firms and regulators expecting firms to be able to produce large and specific data sets on demand, regtech is no longer optional.
From helping to capture and disseminate the impact of new rules, train and monitor employee behavior, store records, submit reports and manage certifications, registrations and attestations, regtech will continue to deliver a high return on investment to firms and their compliance teams by reducing risk, lowering compliance costs and increasing efficiency.
This piece was originally shared on the ACA Compliance blog and is republished here with permission.
Burt Esrig is the Managing Director of 
