Reporting and Governance

Regulatory technology is attempting to push beyond just doing mundane compliance tasks faster, better and cheaper to move into more cognitive areas that are the traditional domain of human intelligence.

By Justin Pugsley

Making this leap is not without its risks, but the fact that it is happening is hardly surprising.

According to Thomson-Reuters risk management solutions, the average big bank has to handle 185 regulatory changes a day, compared with 10 in 2004, each of which has to be interpreted and implemented, mostly by humans. 

And the pace of regulatory change is unlikely to slow much in the foreseeable future.

Not only is there a much bigger body of financial regulation that now needs regular updating, but the regulatory agenda is itself moving deeper into functions focused on conduct, anti-money laundering (AML) and cyber risk, all of which is creating new challenges around interpretation and implementation.

Not keeping pace with regulatory change and regulators’ expectations can be extremely expensive. Boston Consulting Group calculates that banks have paid $321bn in fines since 2008 due to conduct breaches.

The sheer volume of data requirements flowing from new rules means banks cannot rely on traditional approaches anymore.

Damien Frennet, who does corporate development and shareholder relations at surveillance and analytics firm Ancoa, says Excel spreadsheets are not sufficiently powerful to process the enormous reporting requirements relating to the Markets in Financial Instruments Directive II (Mifid II), for example. The directive has a whole range of trade, pre- and post-trade requirements designed to enhance transparency.

Susanne Chishti, CEO at Fintech Circle, an angel investors network, says regulation is one of the biggest pain points for banks, prompting them to dramatically increase their compliance teams since the financial crisis. They are now looking to technology to reduce compliance costs. 

Beyond the mundane

"There are always two goals with technology: one is to be compliant and the other is to be compliant at a lower cost," says Ms Chishti. She explains that regtech firms are now going further, such as developing solutions that influence people's behaviour. This is to reduce the occurrence of misconduct rather than trying to detect it after the event.

"Technology isn't a magic wand," says Alex Kwiatkowski, senior strategist for banking and digital channels at Misys, a software provider for banks. "Technology absolutely can play a role in [cultural] change. It can be an enabler and it can act as a catalyst for change as part of other measures.”  

He believes that monitoring with greater accuracy and timeliness, together with the fact that a firm is investing in technology, signals to employees its seriousness about driving better conduct.

"If you don't have the right people, and you don't train them and you don't have the policies then it doesn't matter if you have the right tools or not," says Mr Frennet.

Even around training, regtech firms are quickly cobbling together solutions that can provide regulatory definitions and simulate their application in a virtual environment before putting them into practice in the real world.

"Software is being designed to help sift through layers of legislation, complex rule books, regulatory policies and positioning papers," says Ahsan Mallick, general counsel at SEI UK and executive sponsor at Codify, a London-based regtech incubator.

He explains that there is a focus on new interpretative tools allowing firms to develop more efficient compliance monitoring and implementation programmes, particularly as issues involving data are often a source of compliance failures. "This has the potential to be hugely meaningful to firms that struggle to comprehend and stay on top of changing regulations, products and business models," says Mr Mallick.

Regtech is already essential in areas such as anti-money laundering and know your customer (KYC), which banks find enormously labour intensive and error prone. It is important for monitoring market abuse, and regulators are themselves using many of the same solutions adopted by banks. It is even playing a role in flagging data problems for BCBS 239, a set of principles governing risk data aggregation and reporting.

But regtech firms have ambitions to go further. That discussion soon shifts to smarter technologies involving artificial intelligence (AI) and machine learning. Technology firms are hoping this will see them deliver even greater value to banks.

"New technology capabilities such as AI/machine learning are likely to see regtech extend the scope of what tasks can be automated, the extent of the data and information that can be considered, the accuracy of systems and the type of intelligent support solutions given to human experts," says Ian Horobin, head of compliance innovation & services at SWIFT.

Certainly, new sets of rules will emerge around these burgeoning developments, particularly as they promise to become pervasive within financial services.

If AI is to play a major role in credit decision-making, for example, then regulators and banks must carefully simulate and address the new risks that will accompany its use.

For instance, poorly configured AI programmes could lead to decisions that alienate customers or get banks into trouble with regulators.

Regulator interest

The regulatory focus in this space will be on the models or algorithms that drive these programmes, and on their controls and parameters of operation.

Regulators already have considerable experience approving models for calculating credit and operational risk. They may soon start vetting the algorithms that drive AI-based or AI-assisted decision-making processes.

It can only be a matter of time before the Financial Stability Board, the Basel Committee on Banking Supervision and the International Organisation of Securities Commissions (IOSCO) start taking a much closer look at the systemic and market implications relating to these developments, according to industry sources.  

They are already launching consultations and making recommendations around cyber risk. AI and machine learning are really a continuation of the digital journey being undertaken by banks.

To move more effectively into areas dominated by human intelligence, regtech providers and banks are paying more attention to unstructured data, a potentially fertile ground for AI. This typically refers to data that is not pre-defined or organised. Banks believe it holds promise for enhancing credit assessments, and industry sources say a lot of experimentation is being conducted around such activities.

In future, a bank could use AI programmes to detect changes in customers’ creditworthiness by tracking their social media interactions on, say, Facebook. Couple that with analysing their transaction data, such as changes in shopping habits, and it could be a way of detecting someone heading for financial difficulties. The bank can then adjust its lending policies to that customer or seek to help them before real problems emerge.

However, if not handled carefully, this could be a veritable can of worms for a bank, leading to reputational damage and regulatory sanctions, particularly if the programme misinterprets the customer’s circumstances and behaviour. Maybe the change in spending habits relates to the customer simply wanting to manage their household budget more effectively.

Recognising AI’s limits

“There are some constraints people need to be aware of in this area. For instance, if data is being mined to inform financial services products, consumers could seek to change their online behaviour to try and influence lending decisions,” says Jamie Woodhouse, managing director of finance and risk services at Accenture. “AI and machine learning programmes must be programmed to detect and adapt to that kind of behaviour.”

He says there is a need for audit trails or explainers to help humans understand how AIs reach their decisions, otherwise they could become black boxes, particularly when machine learning is involved. Also, AIs need considerable back-testing before being implemented.

Programmes, such as AI-powered chat-bots that may drive customer on-boarding or help customers with queries, would have to account for rules such as the EU’s general data protection regulation (GDPR), which has very strict requirements around data use.

“There’s great potential in these solutions, but you have to build in controls from the start, whether human or otherwise, to make sure you don’t have unintended consequences,” he says.

If not properly designed and controlled there could be an extreme scenario where AI-based programmes ended up mis-selling or making poor quality loan decisions on an industrial scale.

“Banks are aware of these issues and are rightly cautious, especially after the financial crisis,” says Mr Woodhouse.

However, there is a degree of scepticism as to how far AI can be applied.

“In areas where there is choice, a need for judgement or qualitative risk factors, then potentially AI may have a role to play both for the regulated and regulator,” says James Phillips, regulatory strategy director at regulatory reporting and collateral management solutions firm Lombard Risk. “However, I don’t see it having added value where logical tools do just as well.”

For instance, he sees machine learning as a go-faster version of a rules-based approach where a decision can be made because of input factors. 

"I don't think you'll ever get to a point where everything is automated. You'll need the experience of a human to interpret the data to make sure something hasn't been missed," says Bruce Laing, a partner at Deloitte. “You want someone to have all the information at their fingertips and be able to look at all the data and to decide whether any changes really warrant a rating change.”  

Productivity boost

The fact that so much information could be automatically gathered and collated would still considerably enhance an employee's productivity. "Plus, they would have more information than in the past and will be able to reach better decisions," he says.

Another advantage of having such processes running in the background is that reporting can be done in real time as customer circumstances change, rather than every six to 12 months, creating an opportunity to catch problems early on.

However, even without AI, banks still have plenty of scope to drive efficiencies within their businesses using traditional regtech solutions. Though there has been plenty of improvement for individual processes such as KYC, AML and account opening, there is scope to make the entire on-boarding process a lot more efficient.

"Clients are lost because it takes too long to do the on-boarding. There are a lot of communications inefficiencies internally within banks and with the client," says Thomas Soede, CEO at technology platform provider BiBox, which is owned by a consortium of banks.     

He explains that better integrating these individual processes with each other would add up to big cost savings for banks.

Another benefit of properly sharing data between the various bank departments is that it makes it far easier to classify for regulatory purposes. “That lowers risk,” says Mr Soede. “You’re less likely to have mis-selling claims.”

Regulators join in

However, regulators are also increasingly having to turn to regtech solutions to do their jobs better. US and UK regulators have been particularly active in this area.

For example, in January 2017, the US Securities and Exchange Commission awarded a contract to Thesys forensics to build a tool to detect suspicious trading activity and to store data for forensic purposes in what will be one of the largest databases ever built.     

Thanks to the vast data requirements related to Mifid II, the UK’s Financial Conduct Authority (FCA) last year selected data and digital specialists DataStax and Sopra Steria to provide it with a data processing platform. 

For Mifid I, the FCA had been relying on Oracle databases, but found that they did not have the functionality to ingest and process the huge volumes of data to be generated under Mifid II.

It opted for a hybrid solution, which stores some data on-site due to its sensitivity and the rest in the cloud, where storage and processing capabilities can be quickly expanded to meet its needs.

"There's a real-time analytics piece to this as well," says Tim Vincent, EMEA solution engineer team lead at DataStax, a database software firm. "That’s the ability to run more regulatory reports in much faster time than they could do previously and this enables them to react more quickly to regulatory breaches."

He explains that there is a real-time distributed analytics engine which, although not AI, is designed to detect unusual patterns in the data.

“We are seeing interest from other regulators around areas such as regulatory compliance so they can capture and analyse every trade and every position for every trader,” says Mr Vincent.  

The more traditional approach is to aggregate trade positions, store them and then analyse them, which is more time consuming.

Also, regulators are increasingly looking for ways to collaborate and share data as banking and financial markets are global, meaning that misconduct is often a cross-border issue.

Meanwhile, regtech is already helping banks curb the number of compliance staff they need to recruit, particularly as banks are likely near peak prudential and market regulation. Indeed, media reports suggest that some banks are even looking to reduce headcounts now, thanks in part to regtech, with the Royal Bank of Scotland and UBS cited as examples.

Though regtech has been around for decades in one form or another, it is still considered by investors to be less mature than the bigger fintech sector. However, it is evolving very quickly and the next five years should see many new developments, some of which are likely to include AI and machine learning, taking it to a whole new level.