One of the legacies of the global financial crisis of 2007–8 was an avalanche of regulation changes to improve risk management and safety in the sector.

But companies have battled – and often failed – to keep up with the fast-shifting legal landscape. While some players deliberately try to circumvent the law, the ever-evolving regulations have meant that even acts carried out in good faith could fall foul of the regulators. Since 2007, global financial institutions have been fined over US$50bn, according to analysis by Fenergo – and US$10.4bn sanctions were imposed in the year to August 2020 alone.

And as financial firms have increasingly digitised their services, so it has made sense for them to place greater reliance on tech to do their compliance heavy lifting. With challenges including know your customer (KYC), risk management, tax management, trade monitoring, compliance, and reporting, companies are embracing such tech as artificial intelligence, data analytics, blockchain and cloud-based software subscription platforms.

“We’ve seen compliance go in 15 years from a back-office function to having a seat at the table,” says Joanna Wands, head of UK and Europe at AsiaVerify, a company based in Singapore that helps global companies automate UBO (ultimate beneficial owner), KYC and KYB (know your business) processes. “We’ve moved on from a deregulation culture in the early 2000s that meant ‘let’s do anything and everything’. That’s been a positive change for financial firms.”

Just another buzzword?

In 2022, the global regtech market size was US$7.74bn, and by 2030 it is projected to reach US$53.37bn, a compound annual growth rate of 23.92%, according to data from Verified Market Research.

Over the past 15 years, legislation has been introduced at an unprecedented rate. One of the most immediate changes after the financial crisis came in 2010 when then US president Barack Obama announced an overhaul of the US financial regulatory system. The Dodd–Frank Act, 848 pages of legislation, introduced several regulatory agencies to eradicate the behaviours that had sparked the crash. These included the Financial Stability Oversight Council, which monitored the stability of major firms and had the authority to break up over-large firms to mitigate systemic risk, the Consumer Financial Protection Bureau, which prevented predatory mortgage lending, and the Securities Exchange Commission.

Most major institutions install suptech alongside regtech Across the pond, the EU already had the Markets in Financial Instruments Directive (MiFID), which built transparency into stock trading, but a 2018 update called MiFID II expanded its scope to include, among others, structured deposits issued or sold by credit institutions and some packaged retail investment products. With other legislation such as the General Data Protection Regulation (GDPR), these changes all meant that investing in tech to stay compliant was not just desirable for many firms but essential. In the UK, Brexit has not stemmed the tide of new financial regulation, with both GDPR and MiFID regulations being subsumed into UK law.

How and where does regtech help?

Regtech is a valuable tool in several areas, including employee compliance, surveillance of market abuse, and ecommerce surveillance. It can, for instance, instantly cross-reference emails, text messages, voice calls, trading patterns, and market data. This enables it to flag up suspicious activities and make links and connections that even a dedicated team of humans might miss altogether.

Lack of ecommerce surveillance, as highlighted in our previous article on ‘Creating an ethical culture’, saw 16 Wall Street banks fined a total of US$1.8bn in September 2022 after their staff persistently discussed deals through texts and WhatsApp messages on their personal devices. SEC chair Gary Gensler said that in “failing to honour their record-keeping … obligations” the transgressors had failed to maintain trust. Or rather, had failed to use the software required to prevent such wrongdoing.

Regtech will be able to anticipate legislation Joanna identifies a “huge opportunity” for financial services firms to save on crime prevention costs through the adoption of regtech. But software to detect suspicious activity, market manipulation, and investor exploitation has to cover so many areas – including order management systems, telecoms and trading platforms – that most of the major institutions install a higher level of tech for supervisors (suptech) alongside the regtech to ensure smooth running of all the different strands. Suptech has previously been used by outsourced firms to monitor and supervise a client’s regulatory compliance but many larger firms are bringing both in-house and the terms are gradually becoming interchangeable.

So, what exactly does the technology do? Data processing is just the beginning – the real advances are in artificial intelligence and machine learning. This is invaluable even in something as simplistic as reading and understanding all the regulations. For instance, the annually updated US Code of Federal Regulations contains 50 titles, each containing between 10 and 20 chapters, and those chapters can each contain as many as 600,000 words. Just one such chapter would take the average human around 38 hours to read, never mind absorb and understand.

However, AI and machine learning enables robots to read the regulations and not only track for updates but to immediately spot any actual or potential transgressions – and in time will have so much knowledge and understanding that they will inform humans. “Machine learning won’t just identify what companies need to do now,” says Joanna, “but monitor macro trends and see what’s coming down the track, which will enable humans to take proactive steps to stay ahead of the game. In this way, regtech will also be able to anticipate legislation around factors such as ESG.”

New kids on the block(chain)

Innovation in automated compliance is taking place worldwide, with regtech, perhaps unsurprisingly, dominated by start-ups. Of the 100 firms listed in FinTech Global’s most recent annual list of the most influential regtech players, two-thirds were launched in the past decade and 31 have been trading for no more than five years.

A UK-based example is REGnosys’s compliance management software Rosetta, which doesn’t just model data but models the logic for how that data should be sourced and fed into other data. In Chile, a monitoring system called Ceptinel has a suspicious activity alerts dashboard ordered according to criticality. In Israel, a reporting mechanism called Cappitech offers a ‘reconciliation’ process to highlight inaccurate and incomplete transaction reporting data between a company’s trading records and the Cappitech platform. And Canadian auditing error tracker MindBridge assigns risk scores to all transactions and compares company data with 28 rules-based tests, statistical methods, and machine learning techniques.

The tech is varied and wide-ranging, from blockchain, which operates shared, encrypted, immutable ledgers with no central authority, and records every single minor transaction to guarantee complete transparency, to big data and machine learning, which reduces the risk to a company’s compliance department by offering data on, for example, money laundering activities conducted online. In this example, a traditional compliance team might not be able to detect such activities, especially if they’re happening in ‘underground’ marketplaces online. There is such a range of tech that some companies, such as Switzerland’s E*Finance Consulting Reply, even act as a broker to steer those requiring regtech to the most appropriate solutions.

Regtech can instantly recognise suspicious activity, and pause or cancel transactions But the proliferation of start-ups potentially causes another trust issue, as the world’s major financial firms are being asked to entrust the safety of billions of dollars of assets into the hands of embryonic businesses, which throws up significant security risks for the institutions. “But regtech can highlight discrepancies in money movement very quickly,” argues Joanna Wands, “and can sanction and block transactions and file disclosures to regulators.”  

In particular, the technology can raise dozens, if not hundreds of different types of red flags: a transaction inconsistent with an economic profile; a customer with multiple bank accounts or foreign accounts; a company that has received a high amount of capital/assets compared to its size or market value with no logical explanation; a transaction of unusual size, nature, frequency; parties in a transaction tied for no apparent commercial reason; and dozens more discrepancies. Whereas the vast amount of data would make it difficult for a human to cross-reference and suspect illegal behaviour, regtech in the form of AI and machine learning can instantly recognise suspicious activity, pausing or cancelling transactions while simultaneously alerting the institution concerned.

The influence of regtech start-ups has prompted many established financial institutions to fund and develop their own solutions, either through internal investment or by partnering with emerging regtech firms. This route is encouraged in a 2021 City of London report, which points out that regtech could save 0.05% of total compliance costs, cutting the annual cost of compliance for Britain’s top five banks by a combined £523m.

Partners in crime-busting

The need for the entire sector to embrace regtech to improve public trust is already leading to collaborative, rather than competitive, investment by the major financial institutions. HSBC Asset Management and Deutsche Bank are two high-profile investors in London-based global regtech firm TAINA, Barclays has partnered with London-based ClauseMatch, and Goldman Sachs has invested in UK compliance technology firm ComplyAdvantage.

But there are challenges. The software is costly and though regtech has been around in some form for over a decade, its take-off now carries the pitfalls of a young market with different technologies, meaning a risk in companies backing the wrong horse. The relative naivety of those buying into such solutions is highlighted in a 2021 report by the European Banking Authority, which cites technology’s benefits of “enhanced risk management, better monitoring and sampling capabilities”, but warns of challenges within financial institutions and regtech providers relating to quality, security, and privacy of data, integration with incompatible existing systems, lengthy and complex due diligence and, not least, “limited awareness of regtech solutions”. 

There are other challenges too. As AI and machine learning become more embedded in compliance, it then potentially becomes the work of a robot to make a judgement call on what is ethical behaviour. Laws and regulations might be written in black and white, but it’s often possible to follow the spirit of a law while flouting it, and on the flip side, acting completely legally but simultaneously unethically, such as by ‘window dressing’ – selling large-loss stocks and buying high-flying ones near the end of a quarter so these are presented as a fund’s holdings and falsely improve the apparent performance of a fund to present to clients or shareholders. It’s an unethical practice but a legal one – would a robot automatically do it, and would it be aware it was risking the fund’s reputation?

Finding a global solution

Implementing regtech across different cultures and jurisdictions is both a challenge and an opportunity. “In the region where we work there is more acceptance of compliance and less questioning of rules in general,” says Joanna, with regtech promoted “as more of an equaliser with Western businesses”.

She explains that large, established retail banks already have major regulatory infrastructure – for example, core banking and transaction monitoring systems – which tend to be hard to update because they’re so mission-critical. But fintechs, while often just as regulated as banks, have the advantage of “starting with a clean slate” by building their own tech stacks using the most up-to-date technology available. This in turn has permitted fintechs to embrace cost-effective cloud solutions that can be more easily upgraded and adapted as needs change. “This agility is the advantage for fintechs, not the regulation,” she adds.

In Asia, the ability to launch fintechs with more cost-effective infrastructure has meant countries such as Vietnam are now home to burgeoning fintech hubs. According to Statista, as of September 2022 there were 263 fintechs operating in Vietnam. In Joanna’s view, the need for these firms has developed in tandem with the need for better payments infrastructure for cross-border payments, particularly remittances for overseas workers. “Foreign exchange and clearing was historically expensive through the banks,” she says, but “the technology, and emergence of this [fintech] sector allows workers to keep more of their money, which is significant in these developing economies.”

According to Joanna, the emergence of fintechs in developing countries like Vietnam becomes a net positive in the context of fighting financial crime globally, since these jurisdictions get brought more in line with the established, global regulatory environment. "Ultimately, they [fintechs] want to work with the global banks,” she adds.

Regtechs, meanwhile, are majority unregulated, something Joanna claims is “great for tech but maybe not as good or easy for fighting crime”. For the moment, most controls on the activities of regtechs stem from the needs of buyers (for example, banks), who will require them to have sufficient working capital and cyber security standards. For now, Joanna believes that regulators should take a step back and consider how the operating environment is likely to change over the next few years, and how tech can continue to help.  

Maintaining at least some level of human oversight of regtech’s mundane tasks may help a company continue to tackle financial crime, and the evolving techniques of criminals. However, greater human oversight also heightens the risk of human error, that could, in turn, lead to more unethical calls or inappropriate behaviour. For example, if an individual is determined, no organisation can completely eradicate the danger of, say, insider trading. “We take a holistic view of the company,” says Joanna. “Alongside the automated compliance there should be a compliance culture, where people are encouraged to do the right thing and report the wrong thing, and those who do break the rules are sanctioned.”

That culture always comes from the top – which means, ultimately, an organisation’s behaviour is governed by humans, not robots. But for companies who have the will to act legally, ethically, and responsibly, regtech is likely to be a firm friend.