We live in a world of increasing regulation. In fact, by the time you get halfway through this article, a new regulatory update would probably have been made somewhere in the world.
Regulations have exploded along with increasing social complexity, punctuated by events such as the collapse of Enron and the Global Financial Crisis that provided glaring moments of clarity and collective action to rein in humankind’s opportunistic excesses.
Rather than despair, humans have taken to innovation to find ways to cope with the ever more complex morass of rules. What has emerged is RegTech, an abbreviation for regulatory technology, which simply refers to the use of technology that helps organizations comply with their regulatory obligations.
This article is a study of RegTech, its history and its various forms and guises. We will look at the future of RegTech, winding up with an opinion on what role new technological advancements like artificial intelligence will play in its evolution.
Defining rules and regulation
Regulations are simply rules that communities adopt to protect the rights and safety of citizens and to support the functioning of society.
Rules evolve to reflect changing social norms. In feudal societies, for example, regulations served the vested interests of the nobility. Feudal laws focussed on the mutual obligations of vassals and their lords, on the protection of property, on restrictions on trade, on restrictions on hunting, and restrictions on religious practices.
As wealth increased and society became more open, the number of “stakeholders” in society increased. Feudal restrictions were eased and other regulations took their place. Citizens assumed a greater sense of entitlement and demanded higher levels of protection. Regulation increasingly served the needs of the many rather than the privileged few.
Business regulations, for example, slowly changed from protecting monopoly interests to preventing practices that might harm employees, consumers or the environment.
These days, regulations increasingly hold businesses accountable for their actions, and strive to ensure fairness and transparency in their dealings with stakeholders. The rise of ESG investing reflects the changing political power of different stakeholders within society.
In a pluralistic society, regulation is an evolving political process. Different groups seek to impose or abolish different regulations. Special interest groups seek to capture the regulatory process.
Politicization adds to complexity since political priorities will always overshadow business priorities in a political process and because compromise always adds complication.
Rise of regulatory complexity
As a consequence, anyone with real-world experience will affirm that regulators often appear to care little about the complexity of the regulatory environment they create. This is due to the imperative of compromise.
Units performing regulatory compliance within companies are also responsible, albeit passively, for increasing regulatory complexity. Increasing complexity enhances the importance of the compliance and HR functions within a company. Since these units are not responsible for generating revenue, they are unaffected by increasing complexity.
Rather, complexity allows these fiefdoms to grow in size, prestige and remuneration. Importantly, this means that those with the greatest contact with regulators from within business have the least incentive to oppose regulatory complexity and regulatory costs.
Finally, technology has vastly increased the ability of regulators to process and monitor data in support of regulatory oversight. As a consequence, the volume and complexity of data demanded by regulators increases every year.
Meanwhile, technology creates opportunities for new forms of fraud, cybercrime, and data breaches. In turn, this requires new standards and regulations to protect businesses and consumers. Thus, when innovation accelerates, regulation follows.
Businesses in heavily regulated industries face a constant battle to stay abreast of ever-changing regulation standards that can vary widely across regions and indeed across different business units. Companies in finance, gaming, healthcare, energy, transport and infrastructure are heavily affected. Social media may be next.
History of RegTech
As you might imagine, regulatory compliance is expensive. Business managers must balance this cost against the risk of significant business disruption, onerous non-compliance fines, or possibly even failure, in the event of a serious regulatory breach.
For many years, businesses contended with increasing regulatory compliance demands by adding resources to compliance and HR functions. Increasing complexity was matched with increased spending.
Two events, however, changed the regulatory landscape forever. The first was the failure of Enron in 2001, which led to the Sarbanes–Oxley Act of 2002. The second was the financial crisis of 2008.
The Sarbanes–Oxley Act related to accounting practices. It was a watershed event because it made the officers and directors of public companies personally liable for regulatory accounting breaches. It did not take long before regulators in other fields sought the same level of accountability. In one fell swoop, regulatory compliance became vastly more important to business leaders than it ever had been before.
The 2008 financial crisis exposed epic fraud and mismanagement in the global financial industry. It led to a surge in global financial regulation to improve risk management, reporting and standards in the industry.
Between 2008 and 2016, there was a 500% increase in regulatory changes in developed markets. The pace has barely slackened. A new regulatory update is made every seven minutes, according to Thomson Reuters’ 2018 Cost of Compliance Report.
At the same time that this regulatory frenzy was under way, fines for non-compliance began to explode. In 2017, Boston Consulting Group estimated that banks globally paid US$321 billion in fines between 2008 and 2016 for regulatory failings that ranged from money laundering to market manipulation and terrorist financing. The pace of fines has subsequently slowed.
Nevertheless, Fitch estimates that bank fines remained considerable at US$7 billion in 2022. According to SteelEye’s Fine Tracker, global regulators hit all industries including financial services with record fines in 2022.
Onerous regulation, in combination with accelerating regulatory change and increasingly stiff fines for non-compliance, weakened the innovative spirit of banks globally, especially in areas connected to the risk of money laundering. Reluctance to innovate exacerbated weakness in their business models due to outdated legacy systems, leaving the sector weakened and exposed to disruption.
Rise of technology that underpins RegTech
At the same time, a raft of new technologies with particular usefulness in finance were coming to fruition: blockchain, artificial intelligence, cloud computing, big data, mobile technology and automation, which all spell the eventual demise of traditional banking as we know it.
Taken as a group, these technologies can be applied to an endless array of finance applications including mobile banking apps, digital wallets and robo advisers for consumers, payment processing platforms, fraud detection, blockchain-based solutions for smart contracts and decentralized markets, credit scoring platforms, risk management and process automation in the finance industry.
The possibilities for digital finance are endless and the pace of innovation in the finance industry has accelerated dramatically. All players are under intense pressure to become more agile, offer new services with better connectivity and deeper digital solutions. Every vertical within finance is challenged with fresh solutions from new players. Even the backbone of the banking industry, the payments system, is under threat.
The enormous data generation associated with finance means that the scope for AI application within finance is vast and the rate of innovation is likely to accelerate, especially as blockchain technology improves.
Given the speed of these changes, the global regulatory framework has fragmented and fractalized, increasing in complexity and diversity faster than enterprises can adapt.
RegTech was born into this confusing and wonderful innovative tsunami from about 2011 onwards.
The term “RegTech” was first coined in 2015 by the Financial Conduct Authority, the chief regulator of banks in the UK.
Although RegTech began as a branch of FinTech, it is not exclusive to finance. RegTech services the needs of all regulated industries.
Estimates of the size and growth rate of the RegTech industry vary widely. There are as yet few public RegTech companies and so estimates of the industry size depend on surveys of VC firms.
A report by Fortune Business Insights suggests the global RegTech market was valued at US$10.5 billion in 2022, and projects it will grow to US$60.8 billion by 2030, representing a CAGR of 24.9%.
What is RegTech?
Let’s get back to the original question, what is RegTech? Thus far we have discovered that RegTech originated as a type of FinTech but can apply to any industry. The name is an abbreviation of regulatory technology.
We also know that demand for RegTech grew due to onerous changes in the regulatory landscape in global finance and other industries following the collapse of Enron in 2001 and the global financial crisis of 2008.
RegTech emerged as a way to leverage cloud technology through software-as-a-service (SaaS), big data analytics, artificial intelligence, blockchain, and robotics to automate and streamline the way that businesses manage regulatory compliance.
Traditional regulatory compliance involves keeping up to date with new or changed regulations, mandatory reporting, risk management, data analysis and sharing the impact of changes with employees or customers.
Data-analysis functions can be difficult to grasp. Basically they serve to monitor risk and identify risk situations based on delivered data. Examples of data analysis might include efforts to detect fraud, tax evasion, or money laundering. They also serve to monitor pollution, the level of contaminants in food, for example, or the presence of toxic materials in toys.
Technology-driven solutions in all areas of industry have led to a vast increase in the volume and complexity of data available for analysis and regulators are not shy about demanding access to this data. Technology applications in finance and e-commerce, particularly applications relying on consumer data to produce digital products, have led to more laws on data privacy, usage and distribution.
This has created complications in the regulatory space, particularly in relation to data privacy, consumer protection, identity management and control. Regulations are continually evolving to control illegal or dangerous activities such as money laundering, prevention of terrorism, fraud, identity theft and other types of cybercrime. These are all areas that need RegTech.
Benefits of RegTech
Organizations have a choice. They can either let their compliance and HR units grow exponentially or they can seek RegTech solutions that leverage technology. Most of the functions associated with regulatory compliance are repetitive, can be highly labor intensive and can be streamlined and automated at relatively low cost.
According to a 2018 report by Medici, “an end-to-end RegTech implementation promises 634% in ROI realisable over a three-year period.”
In short, the potential benefits can be large. Equally important, adoption of RegTech solutions gives power back to business managers from in-house compliance and HR units, allowing them to seek compliance solutions that will actually assist profit generation.
Data generation associated with automated compliance solutions can give management access to data that might not have been previously available.
Working with RegTech companies also gives management insight into how big data, AI, machine learning and blockchain can be used to enhance risk management and strategic decision making. In many cases, RegTech will give management their first meaningful exposure to these technologies.
Types of RegTech
The best way to understand how RegTech is currently applied is to look at examples of actual RegTech companies. There are hundreds of RegTech companies out there offering a multitude of services.
Most RegTechs begin with some exposure to the finance sector because financial regulations change so frequently in comparison to regulations in other industries, thereby creating strong demand, and because funding channels for FinTech are so well established.
That said, we are seeing an increasing number of pure-play RegTech start-ups in other industries, especially healthcare and infrastructure.
In 2021, the City of London issued a report which provided a taxonomy of RegTech as it applies to finance. The report identified eleven separate categories of RegTech.
Figure 1: The taxonomy of RegTech
Source: The City of London Corporation
As a general rule, most RegTech companies focus on just a few of these elements. The three most popular groupings for start-ups have been:
- Cyber identity and privacy, coupled with financial crime;
- Regulatory and compliance management, coupled with regulatory data & information management, regulatory risk analytics & calculations, and regulatory reporting (non-financial);
- Market integrity transparency.
Thus, the majority of RegTechs target one of three areas: regulation compliance, data security and crime prevention or market integrity.
The compliance function tends to rely on AI, machine learning and automation. Cloud-based services are used but in general the data remains with the financial institution.
Data protection and crime prevention relies on shared data. It uses big data in the cloud coupled with AI, machine learning and advanced forms of encryption. Blockchain may have a future role here as well. Market transparency solutions tend to rely on blockchain.
These same groupings that we see in finance are also applicable to healthcare, gaming and eCommerce. Infrastructure RegTechs tend to be highly industry specific because utilities, airports and ports, for example, have unique requirements.
It should also be noted that the larger accounting firms also offer cloud-based compliance solutions especially for financial reporting, tax compliance and ESG reporting. In many cases these solutions are white-labelled from smaller RegTech companies.
Top RegTech companies
Some of the better recognized RegTechs are listed below. This only scratches the surface, and we intend to revisit these companies in a fuller study later.
- Idology: Founded in 2003, it’s one of the oldest RegTechs. The company is a global provider of identity verification and document authentication solutions that help businesses fight fraud, maintain KYC compliance and tackle anti-money laundering regulations while complying with regulations such as the Bank Secrecy Act (BSA), the EU’s Payment Services Directive (PSD2), and the General Data Protection Regulation.
- Confluence Technologies: A global technology solutions provider that helps investment managers solve complex investment data challenges. While not a pure-play RegTech, it offers a range of solutions that help organizations automate their compliance processes, optimize efficiency, and control. It is shaping up to be one of the largest RegTechs serving the funds management industry and a major player assisting ESG reporting.
- ThetaRay: Founded in 2013, the company uses automated big-data analytics for the finance industry. Its main offering is a platform for AML risk management focused on correspondent banking. The company also offers a solution to analyze risks associated with cross-border payments.
- Sift: This company, founded in 2011, provides a cloud-based platform for fraud prevention and detection across more than 34,000 online channels. Sift uses machine learning and behavioral analysis to identify anomalies in user behavior, such as unusual spending patterns or login attempts. The platform is used by finance companies, FinTechs, and basically any firm that conducts eCommerce.
RegTech will evolve over time as new technologies emerge and new regulations are introduced. One way to think about the future of RegTech is to look at the current state of the compliance industry and imagine how it will change in the future.
According to PwC, global compliance and regulatory spending in the finance industry alone is estimated to be about US$270 billion. Some 10-15% of the workforce is engaged in regulatory compliance; analysts working in compliance spend 90% of their time on data collection and organisation but only 10% on data analysis; and the volume of regulatory change grew at more than 15% CAGR between 2008 and 2022.
By 2030, we imagine that total spending on regulatory compliance will increase even though RegTech will reduce costs. Spending will increase because spending on RegTech promotes efficiency and because workforce cuts will likely be slower than expected to preserve redundancy.
Nevertheless, by 2030, we expect compliance will be less than 10% of the workforce and that analysts will spend more than 60% of their time on data analysis. The volume of regulatory change will continue to grow, but probably at a slower pace than in recent years.
Current trends in RegTech
Some of the current trends in RegTech include open banking, open finance, regulatory sandbox and embedded supervision.
- Open banking allows third-party providers to access bank customers’ financial data through application programming interfaces (APIs). Open banking can enable more personalized and convenient services for customers, but also poses challenges for regulators who need to ensure data security and privacy.
- Open finance is the same as open banking except it also applies to other sectors such as insurance, pensions, health care, and payments. Open finance aims to create a more interoperable and inclusive financial system by allowing different providers to share data and offer products across platforms.
- A regulatory sandbox allows fintech companies or other entities to test their innovative products or services in a controlled environment with minimal regulatory oversight. Regulatory sandboxes can help foster innovation and competition in the financial sector by reducing the risks and costs associated with full-scale testing.
- Embedded supervision is a regulatory framework that might one day be employed in decentralized markets using blockchain. Regulators refer to these markets as Distributed Ledger Technology (DLT) markets.
The concept of embedded supervision was first floated in a working paper issued by the Bank for International Settlements in 2019. This paper argued that compliance in decentralized markets could be automatically accomplished by directly reading the market’s ledger.
Such a framework relies on secure data sharing, secure identity recognition and advanced encryption. It would virtually eliminate the need for firms to collect, verify and deliver data. Embedded supervision is particularly applicable in the finance, healthcare, and energy industries.
Distributed ledgers are already being used in healthcare, for example, to share patient records, clinical trials, and to track the provenance of drugs through the supply chain to prevent counterfeiting.
Thus, while most RegTech startups tend to emphasize AI and machine learning, it is possible that blockchain and advanced encryption could eventually form the core of some RegTech solutions.
What could be better than sharing Know Your Client (KYC) data on a ledger that all stakeholders, including regulators, can share? Data is entered once and only updated once if there are changes. This is one simple example.
As with financial reporting, we know that many companies have a strong incentive to manipulate their regulatory reporting. In cases where data cannot be verified using a shared ledger, there is potential for fraud, and AI and machine learning would still be indispensable.
The speed of innovation in the various technologies will largely shape the future of RegTech. The RegTech solutions adopted will also partly influence the way that markets evolve. Customer expectations will evolve as RegTech solutions take hold and this will also influence RegTech evolution.
AI in RegTech
At the present time, AI, machine learning, data analytics and blockchain are all expected to play a significant role in the evolution of RegTech. Eventual development will far exceed the immediate task of automation.
Adaptive algorithms will eventually be able to undertake activities such as predictive analytics, interpreting new regulations, and real-time reporting. As AI improves, we should expect to find that AI will eventually be used to draft regulations to make them more efficient.
Since innovation in AI is likely to be exponential, whereas that in blockchain is likely to be sequential, it is likely that AI will be the core technology driving RegTech evolution. It will still sit atop the market ledger in the case of decentralized markets.
Most of the repetitive functions undertaken by humans in compliance will be automated. To varying degrees, AI-augmented RegTechs will continuously monitor regulatory updates, report their impact on existing processes and automate the necessary adjustments.
It will undertake real-time trade surveillance with real-time alerts, automatically analyzing trading data, employing algorithms to detect suspicious patterns or market abuse.
It will also use algorithms to refine anomaly detection, providing more accurate identification of possible compliance breaches, flagging potential risks while ensuring strict compliance with AML regulations and minimizing the risk of financial fraud.
It will automate regulatory data verification, rectify errors caused by data mishaps, ensure timely compliance and reduce compliance-related risks. It will employ biometric authentication and behavioral analysis to verify user identities, and reduce fraudulent activities through real-time monitoring and adaptive access controls. It will continuously analyze transaction data to detect subtle anomalies and potential risks of money laundering.
In short, the future of regulatory compliance to 2030 is about AI-augmented RegTech. DLT markets and embedded supervision will likely follow.