Regtech to the rescue?

If banking’s compliance fraternity had a coat of arms like those made for the knightly orders of old, it might include the following heraldic devices:

• An hourglass, almost out of sand, to symbolize how compliance officers are nearly always facing some issue with inadequate time.

• A stack of papers depicting the vast body of fine print they must be up on.

• A stack of $100 bills burning to symbolize ongoing and rising costs of compliance.

• A mythical beast with 1,000 eyes that symbolizes their need to look in many different directions at once.

• A scroll at the bottom with the Latin equivalent of, “What will Washington think of next?”

Probably way too much to fit on a shield.

Yet all those images, and others any banker could add, do not exaggerate the challenges facing banking. For many institutions, the regulatory vat has been overflowing for some time. Gridlock in Washington only underscores that nothing meaningful will change soon on the “supply” side of compliance.

But there’s a consensus that something has to change. That something may be the industry’s compliance solutions. And regtech may be the answer if the industry goes in with open eyes.

More people isn’t the answer

“We’ve gotten to the point where financial institutions can’t just throw more FTEs at the problem anymore,” says Andrew Sandler, a veteran banking attorney and chairman and executive partner at Buckley Sandler LLP. “There needs to be an alternative solution.”

Capturing the cost of compliance in money and human capital has been a challenge. One provider of compliance technology solutions, Continuity, has offered its Banking Compliance Index since 2013. In the first quarter of 2017, the index dipped for the first time since Continuity launched it. It meant that less than one extra full-time employee was needed to cope with the quarter’s regulatory changes, and the firm indicated that the slowdown was likely an aberration. Volume was affected by a combination of factors, including the transition to a new administration and the uncertain status of certain regulatory posts and organizations.

“Nobody’s popping the champagne corks yet,” Pam Perdue, Continuity executive vice-president and chief regulatory officer, allowed when the firm announced the dip. “One down quarter does not make a trend line.”

Even if nothing new came out of Washington for a couple of years, however, the challenges of compliance risk management remain daunting. Many facets of regulation won’t go away, and the evolving nature of banking and financial services today drives more and more work.

“Hiring lots of people is just not sustainable,” says Monica Summerville, senior analyst at TABB Group, a London-based firm that has studied regtech.

“Often, fintech is a solution looking for a problem,” says Summerville. “But regtech reflects a pressing need.”

What Is regtech?

Different people define it differently. A good overall definition comes from the United Kingdom’s Financial Conduct Authority, which many credit with coining the concept. In a white paper issued last year, FCA stated: “RegTech is a subset of FinTech that focuses on technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities.”

That’s a concise definition of a trend that grows broader and deeper, changing as you read this article. Regtech—we’ll use that spelling in this article—is spawning all kinds of activity in financial services—from a growing number of companies to newly formed associations to brand-new conferences and strong investor interest. Regtech is, and will be, applied to traditional compliance challenges, for sure, but it also may drive new ways of promulgating and analyzing regulations themselves.

One example, cited later on, monitors employee interactions on digital channels.

In time, regtech may redefine what compliance officers do all day; how they relate to the rest of their organizations; how much and what kind of expertise a bank must have on staff; and how the three lines of defense—line-of-business front line; compliance; internal audit—will evolve in practice.

Tech’s role grows cheaper and deeper

This new science builds on an open secret about compliance: Many aspects of this quintessential banking responsibility have long depended on technology.

“The marriage of compliance and technology goes back many years,” says Timothy Burniston, executive vice-president, advisory services and regulatory relations at Wolters Kluwer Financial Services. “But back then, it was for mechanical operations.”

That use of technology in compliance will continue to expand. But regtech will morph technology’s role into areas previously considered the province solely of human brains. Regtech will include elements of artificial intelligence, augmented intelligence, robotics, cognitive computing, machine learning, and more. It’s quite conceivable that regulators will expand their own use of technology.

One of the biggest bets placed on regtech was last year’s purchase of Promontory Financial Group LLP by IBM, specifically to bring IBM Watson, the supercomputer, into the compliance world. Watson is being trained by Promontory experts to learn how to read, comprehend, and analyze regulations to augment human compliance efforts. And that is just the beginning. 

The foundations of today’s regulatory regime were laid when data processing and analysis were comparatively cumbersome, highly specialized, and very expensive, notes Jo Ann Barefoot, a former regulator and consultant and a longtime regulatory guru. Now, there is more computing power in an iPhone than in a whole block of the old mainframe computers, and low processing costs have made much possible in the realm of big data and analytics than was the case previously, says Barefoot. The API—application programming interface—is redefining how software is built. Barefoot’s belief in this new science manifests itself in her own decision to found start-up Hummingbird Regtech, Inc. Initially, the firm will bring out regtech to assist bankers with Suspicious Activity Reports (SARs), but Barefoot sees great potential in other areas, as well.

“Today, there’s not a piece of data someone doesn’t like,” says Richard Riese of SMAART.COnsulting, and a former senior federal regulator and ABA compliance official. Yet that very ability to crunch data to our heart’s content affects the gut and the brain. One compliance officer states that data overload is general now and that simply absorbing all the raw information coming to his desk robs him of sleep.

A growing part of regtech is based in the cloud, something that requires a comfort level throughout the bank, but especially in information technology, where bank data allowed outside of the bank’s firewall can cause twitchiness, according to banking attorney Sandler.

“Most of the really good stuff out there is cloud-based,” says Sandler, who is involved in both a regtech firm and a proposed regtech conference. By contrast to IT officials, he says, “the regulators are getting much more comfortable with cloud-based solutions.” One of the benefits of the cloud, discussed in the FCA white paper mentioned earlier, is that tapping it can reduce costs and make innovative solutions and advanced computing more accessible.

Early days in Regtech Land

A creative tension is already developing in American regtech. On the one hand, there are solutions out there or in development that come from software engineers—the “techs.” These players have their roots in fintech—players who think they can bring a new eye to long-standing problems. Established information technology and software companies also are striving to be part of this.

One example is Barometer, a regtech service unveiled by D+H, which is designed to test how well bank staff understands various compliance responsibilities. (A major Canadian bank collaborated in its development.) The technology, offered in subject-specific modules, presents scenarios to employees whose reactions are evaluated.

On the other hand, there are regtech ventures run by veterans like Barefoot and Sandler who come from deep regulatory roots—the “regs.” Sandler’s regtech company, Asurity Technologies, representing a merger of three players in regtech, will offer technology assisting in mortgage document preparation, fair lending, and redlining, with more areas of coverage planned. Major consulting firms also play both active and advisory roles.

“I see a lot of fintech firms who want to get into the regulatory space, who think they can do it better, and, in fact, may be able to do so,” says Dan Soto, a longtime regulator who is now chief compliance officer at Ally Financial. “Just trying to keep up with who is out there and what their capabilities are is challenging.”

“A lot of the people who come in with smart ideas have never worked in a bank,” says Accenture’s Samantha Regan, managing director—finance and risk and North American practice lead. “There needs to be some alignment to help solve banking clients’ problems. It’s very much early days. But we do see a lot of interest.”

But Soto appreciates the developing battle between the new techs and the seasoned regs because it is raising the bar, in his view. “I actually don’t mind the creative tension,” says Soto.

Getting past the wow factor of regtech applications, Soto goes to the heart of what the compliance fraternity most desires out of the regtech: that it will “bolt on” to good processes.

“Ultimately, what you want is to be able to stop things before they become bigger problems,” says Soto. The closer to real-time compliance a bank can get, the fewer 60-day-old surprises will be found, for example.

Indeed, Barefoot compares the potential for some forms of regtech to those continuous blood pressure cuffs patients are fitted with. These devices periodically inflate automatically, take a reading, and relay the data to physicians for ongoing monitoring.

“We’re at the forefront of a very significant integration of technology to improve the effectiveness of compliance and to drive down the cost of compliance,” says Sandler. “Regtech is a new term, but it’s not a new concept. But we are at an inflection point in terms of finding more profoundly effective solutions.”

Remembering the point

One must beware of a bandwagon effect with new technology. SMAART.COnsulting’s Riese warns that banks buying regtech must separate the fancy from the essential. “They’ll have to be clear on how well it performs,” he explains, “and on how much of what they see is eye candy.” In the wake of the Wells Fargo sales scandal, points out Riese, banks need regtech solutions that assure upfront compliance and reflect a “zero defects” aspiration.

Indeed, getting compliance right proves more crucial than ever. Subas Roy, global regtech leader at EY out of London, recently took on the post of executive chairman of the brand-new International RegTech Association, which plans to establish branches internationally.

Roy says that one of the group’s goals is to encourage what he calls “innovations in trust.” In the wake of the financial crisis, trust must be rebuilt and compliance regtech can help, he believes. Many don’t see compliance as a competitive matter, but more a shared responsibility in financial services that can improve conditions for everyone. Roy says one of the group’s goals is neutrality, and, perhaps, that is one reason for its formation in Switzerland.

What does regtech look like?

Regtech has become a large category encompassing compliance defined beyond “classic” bank compliance types. For example, one leading regtech category, coming out of the securities trading space, involves market surveillance. While that isn’t something most banks handle, similar techniques are developing to deal with conduct surveillance. Every bank has officers, directors, and staff whose conduct can get the bank into trouble. Could such regtech have formalized the rumors of bad sales practices at Wells Fargo, brought it down to hard numbers, and, perhaps, saved the giant major reputational damage?

Estimates of regtech providers vary with the source and each source’s definition. Bain & Company partner Matthias Memminger says the management consulting firm has over 200 providers worldwide on its radar—mostly based in the United Kingdom and Europe, for now. Others set the number at 400 or more.

Here is a very general categorization of regtech, drawn from work by FCA, Bain & Company, and many interviews. The mix promises to evolve as technology and regtech applications mature.

• Automating compliance awareness. The sheer volume of compliance developments that staff must be aware of grows more staggering.

Beyond the simple volume of rules and proposals are interpretations, legal settlements, enforcement orders, regulatory speeches, news developments, and more.

Accenture has developed a prototype chatbot that answers questions about corporate expense account policies to demonstrate regtech’s “answer man” possibilities. The hope for this type of regtech is to automate not only the acquisition of relevant knowledge, but also the analysis and guidance of what activities will be affected by new developments. One way to think of this would be if a bank’s compliance program were a giant Excel spreadsheet that would update globally as new developments poured in.

The IBM Watson effort mentioned earlier is another example. A less-complex solution already out there is Continuity’s RegAdvisorPro, which combines human expertise to comb the Federal Register for developments applicable to banks. The firm says the technology can reduce regulatory reading time by 90%.

Burniston, formerly a top regulator at four federal banking regulatory agencies, sees the challenge today as being not only aware of what’s changing, but acting on the knowledge. Regtech that addresses this “is something that institutions are finding more and more use for,” he says.

At the far end of this facet of regtech is technology that would convert the text of regulations into actionable computer code. Consider how much the industry now depends, when racing to comply with a new rule with a tight deadline, on internal IT and on how quickly vendors can make their products compliant. The raft of Consumer Financial Protection Bureau mortgage rules coming out of the crisis was a stinging recent example.

• Risk and compliance monitoring. Monitoring has long been part of the compliance discipline—tracking to prevent “structuring” in anti-money laundering compliance, for example—but regtech raises the bar.

This is in response, in part, to tech’s overall explosion raising the stakes. Take the many ways financial services people communicate digitally now, including social media streams and more. Qumram, based in Germany, for example, watches over the many digital platforms employees use to record and monitor behavior.

“Every touch point needs to be documented,” says Qumram CEO Patrick Barnert. “Think about a flight recorder recording everything about a flight. That is how our product works.” He likes to compare it to the classic recording of customer communications long used by call centers for voice traffic. Qumram can search for interactions, and could be used to investigate deceptive marketing complaints.

Monitoring increasingly will be a risk management tool. “You need to have a holistic view of your data to have a holistic view of the risk,” says TABB’s Summerville. Banks live in silos, but risk crosses those lines.

• Regulatory reporting. Bankers spend hours filing reports with regulators. The idea is to automate much of the process.

Classical anti-money laundering reporting is one example, notably the SARs filed with FinCEN. Dilip Krishna, managing director at Deloitte & Touche LLP, says that he draws a line between “old regtech” and “new regtech” in this area. The latter tracks, monitors, aggregates, and flags, for example. But then the compliance loop must be closed by intensive human involvement. The bane of the “false positive,” for example, must be sorted out by human investigators, with much of the data tossed out after review. More automation of this latter function, and of the reporting follow up, involves regtech.

This is the aim of Hummingbird’s initial regtech product, under development. One of the principals at the firm, Matthew Van Buskirk, began developing streamlined, automated approaches to BSA/AML while at an international consumer payments fintech. Today, Hummingbird research indicates that regtech can reduce the drudge work from three to four hours per SAR to about 45 minutes—and soon much less. In part, this is through making SAR elements visual. “The human brain is so good at recognizing visual patterns,” says Barefoot. The product will be able to draft aspects of SARs, subject to human review. Initially, the technology will engage in automated “cut and paste” of key SAR data into a template of the official form.

At the far end—for now—of the reporting facet is use of blockchain technology. The ability to provide controlled access to a shared base of information, ideally “immutable”—incapable of being changed once recorded—has been a dream of those who see the blockchain, in time, providing regulators a real-time view of what is going on in markets and other activities. The idea is to see what is happening, not what happened.

One element of this that may come along sooner is a means of improving the industry’s ability to share data. Some compliance vendors already provide manual “sharing spaces” under intra-industry sharing permissions in federal law. There is hope, for instance, for shared know-your-customer capabilities that would lessen the need for each company serving a customer to have to verify customer information.

Speaking of spotting patterns: These broad facets of regtech have a point of commonality, notes David Skanderson, a former bank compliance official now with Charles River Associates, an analytics firm with a specialty in fair-lending analysis for banks and fintech lenders.

“There’s an element to compliance that looks like a funnel,” says Skanderson, vice-president in the firm’s financial economics practice. Right now, the compliance officer is swimming in the data pouring through that funnel. Regtech holds the promise, he says, “of narrowing down what a human needs to look at.” In a sense, he explains, this follows on efforts in areas such as fair-lending compliance. “The more you can structure the lending process to take the human element out of the places it isn’t really needed, the more you can solve the risk of the appearance of someone having discriminated.”

Regtech can allow compliance staff to concentrate on higher-value tasks. We examine the impact of regtech on the profession in the box on the facing page.

Can regtech be a problem?

Already, says Ally Financial’s Soto, “there are so many entrepreneurs building capabilities, and you have to look at these options and see if they fit your strategic plans.”

The question is, as more regtech relies on “thinking” technology that can even “learn,” are there risks?

“Absolutely,” says Deloitte’s Krishna. “There are always risks.”

Take robotics, one of the tech forms that is driving regtech. “The risk there is around the robot being pretty stupid at the end of the day,” says Krishna. It’s the old, “garbage in, garbage out.”

Krishna points out that artificial intelligence and cognitive computing rely on training based on data. Banks will have to be careful that regtech used for rendering decisions isn’t taught with samples that are too small, for instance, or the technology could lead to bad decisions. Quality control will be essential.

Soto says an ongoing challenge in using regtech will be ensuring the data streams feeding it begin clean and stay so. This is fundamental when more and more will be in the hands of technology. Compliance staff must keep watch, see when something is changing, and intervene if necessary. “Before you launch any regtech,” he warns, “you have to test, test, and test some more. It’s crucial.”

The human element also must account for factors no regtech knows by itself. Take the AML Analytics Solution by Fuzzy Logix. This advanced analytics technology overlays a bank’s existing databases—for the sake of speed and to reduce the need for separate systems and storage—to detect a handful of potentially suspicious transactions. However, “local knowledge” helps. Company officials point to one international application where communication with compliance staff resulted in building in the knowledge that that country’s wedding season generates a huge spike in high-value financial transactions. This reduces false positives.

Another regtech firm, Trulioo, offers a solution for electronic identity verification that helps confirm identities of people whose births are undocumented. It relies on both traditional ID sources as well as nontraditional ones, such as social media.

Scott Pearson, partner at Ballard Spahr LLP, works with banks and other players on compliance issues, and heads the firm’s marketplace lending task force. He sees the potential help regtech may bring, but notes how quickly rules change and that there is a danger of obsolescence. He suggests that regulators will not accept regtech as a black box they will leave unopened, but instead may ask to see the code underlying the tech.

Is regtech for you?

Overall, experts see regtech infiltrating all U.S. bank sizes. As the costs of compliance impact financial performance, they see the transition as irresistible, inevitable. Who wants to tell stockholders or analysts that management thinks old, expensive ways are good enough?

SMAART.COnsulting’s Riese likes to compare regtech to car backup cameras. Initially, they were only installed on high-end autos, but as the technology became cheaper and mainstream, it expanded into less-expensive models. So smaller banks should benefit quite soon.

The largest banks are seen as having more money to try things out and are ahead, but Krishna suggests their size and complexity, and their legacy systems, hinder rapid adoption. Smaller banks should be able to implement regtech more quickly as offerings improve.

“The benefits of using regtech will be humongous for smaller banks,” says International RegTech Association’s Roy. The American banking system’s size makes a huge market for developers, he adds.

A wrinkle is American regulators. In the United Kingdom, FCA has been a catalyst for regtech and very public—fintech over there is as much an economic movement as a regulatory one. With the exception of some aspects of the Comptroller’s responsible innovation and fintech push, U.S. regulators have not publicly played much of a role. “Our regulators are very careful not to declare winners and losers in the marketplace,” says banking attorney Sandler. And there will be attention paid to regtech, he says, along the lines of regulators’ concerns about vendor management.

Yet regulators themselves may, in time, find regtech tools that will improve their performance, some suggest.

Jo Ann Barefoot adds: “The riskiest thing the regulators could do is not change. If they don’t, they won’t catch risks that are emerging, with the old tools.”

This is part of an online version of a cover story on regtech from the June-July 2017 Banking Exchange magazine. Other parts of the report include:

• What happens to all those compliance people?

• What about "squishy" compliance?

• IBM Watson takes on compliance