"Technological innovation has the power to create new services for consumers but also to reshape financial market structures. […] The whole value chain is being impacted by fintechs as well as by bigtechs, which are introducing almost every day new ways to pay, to provide credit, to get insurance and, of course, to invest within capital markets. By doing so, they are also modifying the financial ecosystem that we supervise and may contribute to an increase or a shift of risks in the financial system."
Denis Beau, first deputy governor of the Bank of France, November 2019
Respondents to the fourth fintech, regtech and the role of compliance survey once again came from the spectrum of financial services firms across all geographies, from G-SIFIs to technology start-ups. G-SIFIs were asked to identify themselves to enable comparison between themselves and other, smaller, firms.
The report provides unparalleled insight into how financial services firms' risk and compliance functions are responding to the digital and technological transformation. Individual fintech, regtech, insurtech and suptech solutions are omitted but rather the main points for firms and their boards and risk and compliance functions to take into account when considering the use of technology-enabled solutions.
Where the appropriate permission was received, quotes (some anonymized) from both respondents and practitioners have been included to highlight specific issues.
The results of this year's survey show a growing maturity in approach from financial services firms. Some firms are developing technology solutions in their in-house labs, others are buying up fintech and/or regtech start-ups but, despite investment in IT infrastructure and specialist skills, there remains a fair degree of caution about the widespread adoption of technology.
Technology and its associated potential risks have become important topics for regulators, who are considering everything from regtech sandboxes to cyber risk and the financial stability implications of "bigtech" entering the financial services marketplace. Regulators are encouraging the use of technology and see the potential benefits for customers, but they remain concerned about the possible risks and challenges, particularly where they could compromise the required "good customer outcomes". This holds true in the day-to-day use of IT as well as for the adoption of new forms of technology. Firms have suffered headline-making IT incidents and outages leaving customers often unable to access their accounts or at risk of loss when their data has been corrupted or stolen.
Fintech regulatory and policy developments are seeking to balance the possible benefits against the need to protect customers and ensure financial stability. Equally, firms are on notice that while innovation is a good thing it must not be at the expense of the customer.
How can regulators, government or supra-national bodies help more with the development of fintech/regtech?
The top three areas where regulators, government or supra-national bodies (such as the Financial Stability Board) can help more with the development of fintech and regtech were cited as being: clear messaging on regulatory expectations, engaging with the industry and more support for innovation in terms of incentives and encouragement.
A critical element of the clear messaging on regulatory expectations is the need for cross-border consistency of approach. Numerous memoranda of understanding have been signed between regulators, and bodies such as the Global Financial Innovation Network (GFIN) have been created to facilitate the engagement between firms and regulators and create a framework for cooperation between regulators themselves.
The challenges faced by regulators and firms alike are made all the more profound by a dearth of specialist technical skills, particularly those needed to combat cyber-attacks and build cyber resilience. The depth of the issue was shown in an International Monetary Fund survey of 40 developing jurisdictions which revealed that 92.5% face skills shortages in cyber-security regulation and supervision. "Anecdotal evidence points to a similar situation in advanced economies," the IMF said.
"As the pace of technological change increases it requires regulators to adapt to a new landscape and devise new ways of working together. There are still many areas to look at and in many ways our work is just beginning. We expect future challenges to include understanding and working with data privacy and data-sharing requirements across many jurisdictions and regulators. Global Financial Innovation Network (GFIN), GFIN – One Year On, June 2019
"…This lack of readily-available solutions throws up a further challenge — we need to develop the solutions ourselves, in-house. This means we need access to people who can actually build these new tools and make sense of the vast amounts of data that we ingest, people who have certain skills that haven't necessarily been sought by regulators in the past. We can identify the skills we may need, but behaviours and attitudes are equally important."
Nick Cook, director of innovation at the UK Financial Conduct Authority, June 2019
BUDGET AND SKILLED RESOURCES
Firms need to invest and reinvest in the specialist skills needed to rise to the challenge of developments in fintech, insurtech and regtech innovation and digital disruption. For the risk and compliance function 67% of firms have widened the skill set with 16% choosing to invest in specialist skills. There was some regional variation with 71% of firms in the United States and Canada and 70% of firms in Australasia reporting a widening of skill sets, compared with 59% of firms in the Middle East and 61% of firms in the UK and Europe.
A quarter of firms (26%) reported they had yet to widen the required skill set but knew it was needed. Time is running out for firms if they fail to invest in appropriate skills for their risk and compliance function. Firms will be unable to get the best out of possible solutions or to avoid the worst of the risks if they lack appropriately skilled resources, preferably in-house.
The percentage of G-SIFIs who have specifically invested in and or appointed people with specialist skills at board level has grown significantly from 2% in 2018 to 21% in 2019. At the same time, the number of G-SIFIs which have, to some extent, widened the skill set at board level has also increased (32% in 2018 to 52% in 2019). This is in contrast to the wide population of firms where a third (32%) know that investment in specialist skills is needed but this has not yet happened. The adoption of technology should be considered a firm-wide issue and must not be left to the IT function.
Firms should consider upskilling the board (and other areas of the firm) to be a priority to help to ensure well-informed decisions are made and technology risks are managed. In a world where accountability regimes are proliferating, senior individuals must have the requisite skills to discharge their responsibilities.
From a regional perspective, more than half (54%) of firms in the UK and Europe have widened the skill set at board level (10% invested in or appointed specialist skills, 44% widened the skill set to some extent) which may, at least in part, be due to the roll-out of the UK Senior Managers and Certification Regime. Asia is close behind with 53% (10% invested in or appointed specialist skills, 43% widened skill set to some extent) with North America at 43% (11% invested in or appointed specialist skills, 32% widened skill set to some extent).
Thomson Reuters Regulatory Intelligence's 10th annual report on the cost of compliance showed that firms expected budgets to continue to grow with those expecting a significant increase rising from 9% in 2017 to 16% in 2019. It may be that the expected increase in compliance budget is seen to cover the need for regtech solutions as 31% of firms reported they lacked a budget for regtech.
"…When we look at successful examples of technology adoption, it’s not just about state-of-the-art technology. It’s about how you manage the change – especially changes to mindsets. It takes time and effort to convince people that a new technology is worth the cost, the effort or the potential risk.”
Eddie Yue, Chief Executive of the Hong Kong Monetary Authority, November 2019
More than a third of firms (38%) expect their firm's budget for regtech will grow in the coming year with a further quarter (23%) expecting their budget will remain the same. The budget expectations are higher for G-SIFIs with almost half (48%) expecting their regtech budget to grow and a further quarter (25%) expecting their budget to remain the same. G-SIFIs are investing the most to be able to reap the potential benefits of technology and also have the most to gain, given the likely size and complexity of their risk and compliance responsibilities.
"Regulatory and supervisory technologies are developing in response to various demand and supply drivers. On the demand side, regulatory pressure and budget limitations are pushing the market toward an increased use of automated software to replace human decision-making activities. This trend is reinforced by supply drivers such as increasing computing capacity and improved data architecture. Market participants are increasingly using new automated tools in areas such as fraud detection, regulatory reporting and risk management, while potential applications of new tools for regulators include greater surveillance capacity and improved data collection and management. With these new tools come challenges and risks, notably operational risk. However, with appropriate implementation and safeguards, regtech and suptech may help improve a financial institution's ability to meet regulatory demands in a cost-efficient manner and help regulators to analyse increasingly large and complex datasets."
European Securities and Markets Authority report on trends, risks and vulnerabilities No 1, February 2019
"Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but also to focus the attention of senior management on the risk of incidents and incident management. The regulators must use the enforcement tools at their disposal to hold individuals and firms to account for their role in IT failures and poor operational resilience. The regulatory mechanisms to ensure accountability for failures must have teeth, and equally as importantly, be seen to have teeth."
UK Treasury Select Committee report: IT Failures in the Financial Services Sector, October 2019
INCREASING ROLE OF TECHNOLOGY AND THE ROLE OF PERSONAL LIABILITY
The fundamental difficulty for regulated firms' IT systems is that failures in those systems will be, with some inevitability, systemic in nature, at least for the firm. A small error in the system may have a disproportionately large effect, particularly if the firm's own assurance processes fail to uncover the error for an unreasonable length of time.
In November 2019, the UK Prudential Regulation Authority (PRA) fined several Citigroup companies a total of £43.9 million for breach of the regulatory reporting requirements. Citigroup had failed on many occasions to submit accurate information in its returns. Its reporting system was inadequate, the regulator's investigation found.
The firm failed to apply appropriate human resource to the problem, particularly after it was uncovered. In such cases, the issue is the firm's relationship with the regulator rather than with customers, markets or competition. Systemic problems in any of these constituencies are likely to yield an enhanced risk of regulatory action.
It is easy to see how an area such as regulatory reporting could fail to come top of a firm's resourcing priorities; for the firm this is a routine back-office matter of little, if any, importance to the "bottom line". The regulator, however, needs accurate information to perform its function in safeguarding the financial system. A failure to provide information of acceptable quality will inevitably lead to sanction, particularly where the firm is substantial in size.
Some might suggest this case is not relevant to IT systems as such because for Citigroup this was a largely manual system, albeit supported by technology. It was therefore subject to human error. All systems are subject to human error, to varying degrees. Even the most sophisticated fintech or regtech solution will fall apart at its weakest link and that will always be the result of human interaction, perhaps in initial coding or in erroneous input.
In October 2019, the UK Treasury Select Committee published a report entitled "IT Failures in the Financial Services Sector" which noted the greater prevalence of IT incidents in financial firms. Not all such incidents have any effect on customers or markets and those that do attract significant media coverage. Firms clearly do not plan their errors, so have no control over the size of detriment an error may cause. Any system incident must therefore be treated as a serious concern because it will be taken as an indicator of the firm's approach to IT generally.
The select committee lamented the absence to date of enforcement against individuals, particularly senior managers, for IT failings. It asked regulators to consider whether changes to "requirements or standards" are needed to hold individuals accountable. If incidents continue to occur, without individual sanction, then the committee and parliament "will have to consider whether the powers it has given to the regulators are fit-for-purpose". This is highly likely to happen in the future.
When asked which part of compliance and regulatory risk management is most likely to be affected by regtech, 14% of firms selected evidencing the discharge of personal liability. This is a significant increase compared with previous years, where personal liability was given less priority than other areas such as onboarding and KYC, financial crime and compliance monitoring. Regionally, Australasia led the way with 22% of firms selecting evidencing the discharge of personal liability most likely to be affected by regtech.
"Regulation is not seen as a barrier but some firms stress the need for additional guidance on how to interpret current regulation. Firms do not think regulation is a barrier to [machine learning] deployment. The biggest reported constraints are internal to firms, such as legacy IT systems and data limitations. However, firms stressed that additional guidance around how to interpret current regulation could serve as an enabler for [machine learning] deployment."
Bank of England, Machine Learning in UK Financial Services, October 2019
This use of technology is conceptually wider than managing individuals' responsibility for technology. It amounts to the use of technology to support the apportionment of personal responsibility. It will make the actions of individuals transparent. For example, a digital signature by an individual will confirm that person has completed certain acts. A confirmation could amount to an attestation to support a senior manager in meeting their own required standards.
The majority of firms said the applicability of the relevant regulatory regimes in their jurisdiction was clear enough to make decisions about creating regtech and fintech solutions. Some firms, however, see ambiguity in regulatory interpretation and approach, data protection and privacy, cloud systems, know your customer (KYC), customer due diligence (CDD), anti-money laundering (AML), and cryptocurrencies.
As part of the survey respondents were asked, "Is the applicability of the relevant regulatory regime in your jurisdiction clear enough for firms to make decisions about creating and consuming regtech and fintech solutions?" Here is a selection of their responses:
…I think the picture is quite clear, but some boards of directors of some companies are afraid to venture into some areas of technology and therefore they turn to reject the idea…
…The regime is very clear, it's more about finding the right regtech solutions that are fit-for-purpose today and in the future given the size and scope of obligations and new obligations coming through…
…Regulation is changing, and it creates a gap between when the models are developed and when they can be implemented…
…Regulators struggling to keep up with fintech as financial services regulations was mainly written before the fintech began. Use of Big Data requires changes in laws on fairness of use, privacy, protection and enforcement. Cyber security, cloud services, data residency and privacy overlay AML/KYC obligations. In short, many daunting and intersecting areas of compliance…
…Regulatory clarity is required particularly for small medium-sized business operations…
…Regulatory interpretation is subjective and needs more interaction and clarification from regulators.…
…Yes, the regulations are clear enough. Ambiguity exists in the interpretation and execution of the regulation based on legal or business interpretation of specific components of a regulation…
What solution have you introduced/are in the process of introducing and to meet what compliance need?
The top three solutions being used by firms were to meet the following compliance needs:
- KYC and onboarding tools
- AML and sanctions compliance
- Market surveillance activities (e.g. trade and transaction monitoring)
This year, the survey was extended to ask firms what is holding them back from deploying fintech or regtech solutions. More than a third (34%) of firms said lack of investment, closely followed by lack of in-house skills (27%) and concerns around information security and data protection (22%). For G-SIFIs, 37% said lack of in-house skills was the foremost reason holding them back from deploying fintech or regtech solutions.
Other areas identified as holding firms back from deploying fintech or regtech solutions include alignment to business strategy, lack of executive buy-in from the board, and cost. Those firms where deployment is in progress are investigating solutions as they develop in the industry.
Some 14% of firms and 12% of G-SIFIs have made a deliberate strategic decision not to deploy fintech or regtech solutions. It is likely such a decision will need to be kept under review. To the extent that fintech/regtech fulfils its promise of greater efficiency, firms which fail to embrace it will be at a competitive disadvantage. Caution is a viable approach as the market's hidden hand determines which technology solutions will survive and fail.
If your firm has not yet deployed fintech or regtech solutions, what is holding you back?
"Given the rapid pace of innovation and the markets supporting it, taking a principles-based approach to regulating digital assets and other fintech products would permit a period of development and observation. After we fully understand the outcomes and potential risks of digital assets, it may be appropriate to adopt more tailored and targeted rules, or a more balanced combination of principles and rules. What we don't want to do is take a heavy hand and snuff out innovation altogether."
Dr Heath P Tarbert, chairman and chief executive of the U.S. Commodity Futures Trading Commission, November 2019
Read the full report here and subscribe to our page updates for upcoming extract releases.