Active involvement in the approach to fintech, regtech and insurtech, through greater transparency in governance structures, capacity and capabilities, persist as a challenge for risk and compliance functions.
Thomson Reuters Regulatory Intelligence has undertaken its fourth global survey to assess the impact of developments in regtech and fintech on the role, remit, and expectations of the compliance function in the financial services sector. The research represents compliance and risk practitioners around the world from almost 400 financial services firms.
This section looks at practitioners’ engagement with their firm’s approach to fintech, regtech and insurtech, and the top areas of compliance and regulatory risk management most likely to be impacted by regtech.
BOARD AND COMPLIANCE INVOLVEMENT
"…even today, insurers are able to carry out procedures such as risk assessments and claims processing without involving a single human being. However, the management board must not just shift responsibility to machines and algorithms as they can with certain work processes. The ultimate responsibility has to remain with the management board – with people. For this reason, we will not accept models that are presented to us as a black box."
Felix Hufeld, president of BaFin, June 2019
As aforementioned, the systemic implications for firms of their use of fintech and regtech mean it is important to consider their use at the strategic level of the firm. "Alignment with business strategy" was one of the most frequent responses given by firms for their delay in implementing technological solutions. This is comforting in showing those firms understand the need to engage with strategy.
It is to be hoped, though, this systemic awareness applies to all fintech or regtech solutions, including those in the back office. They may appear administrative and unrelated to the development of the business. The damage that may flow from a systemic problem even in the back office, however, suggests they may equally have strategic consequences.
The majority of firms reported their control functions have some involvement in the firm's approach to technology; a significant number believe more involvement is required. Full engagement was at 34% in Africa, compared with 28% in the United States and Canada, 27% in the Middle East and 21% in the UK and Europe. Full engagement in Asia was 17%.
Firms also reported their boards have some involvement, but 26% consider more involvement is needed. This figure is consistent worldwide, with between one quarter and one third of firms saying greater involvement is needed.
Regionally, the UK and Europe leads the way with 30% of boards considered fully engaged with fintech and regtech. In the United States and Canada 15% are fully engaged, with 21% in Asia and 26% in the rest of the world.
IMPACT ON COMPLIANCE
"ASIC can see a future where artificial intelligence including machine learning, text analytics, voice analytics and other technologies are a seamless component of financial services firms' business models.
A future where firms can record, store and analyse all communications with consumers using these tools.
This would provide firms with near to real-time insights, as well as after-the-fact insights on quality and compliance.
We believe this can in turn aid strategic business insight analysis and training and development and improve risk and compliance outcomes at scale — with greater efficiency and at a reduced cost."
James Shipton, chair of the Australian Securities and Investments Commission, September 2019
Compliance's involvement with its firm's development of regtech solutions will likely involve a number of viewpoints. First, there is a need to ensure the new system is properly coded at the outset. This is made difficult due to the risk of human misunderstanding between the firm and supplier, and also the possibility of error in delivering the agreed system.
Secondly, there will be a need to ensure the system is used as originally intended, bearing in mind it may not be fit for additional purposes that later arise. The changing use of a system requires control.
Third, there is a need to review the integrity of the system on a continuing basis. This should be more than establishing tolerances and looking for exceptional variances. A fundamental error in the system may not exhibit any suspicious variances; all of the output could be tainted by the same error.
Compliance is likely to be the driving force for the firm's regtech solutions since they will be perceived as of use primarily to compliance itself. It is important for firms not to regard regtech as the junior party to fintech. Although the latter may be seen as more commercially relevant, the consequences of getting regtech wrong will be equally systemic.
A total of 38% of firms have regtech under consideration with 33% saying it is already having an impact on the management of compliance; 17% of firms have already implemented regtech solutions. In Asia, 13% have implemented such solutions, while in Australasia 15% have done so. This increases for the UK and Europe (21%) and the United States and Canada (20%).
"Technology enables more transactions, among many more people, sometimes more anonymously. We have seen the emergence of new unregulated spaces like virtual assets. FATF recognises the significant benefits that financial innovation such as blockchain may deliver to the financial system and the broader economy - they have the potential to make certain financial services cheaper and faster, and to make them more accessible to people. However, virtual assets pose serious money-laundering and terrorist-financing risks that criminals and terrorists can exploit - and that they are already exploiting. We have seen cases of money laundering and terrorist financing using virtual assets, as well as attempts to use virtual assets to evade UN sanctions."
Xiangmin Liu, president of the Financial Action Task Force, September 2019
The top three areas within compliance and regulatory risk management most likely to be affected by regtech have remained consistent since 2018. This year, the top three areas were identified as:
- Compliance monitoring (68%)
- Onboarding and KYC (60%)
- Financial crime, AML/CTF, sanctions (58%)
It is perhaps unsurprising the first use of regtech is related to process automation in monitoring, onboarding, KYC and financial crime. This will free up compliance resource for tasks requiring judgement. Admittedly, some firms may have prioritized these process areas to reduce human resource in compliance. Firms nevertheless need to maintain the necessary skills to monitor the new regtech system itself. The employment of fintech is similar to an outsourcing arrangement. Regulators expect firms to maintain sufficient expertise to be able to second-guess outsource providers, and the same applies here. This resource can be maintained within the firm or bought in as and when needed.
Firms clearly see the efficiency and resourcing implications arising from use of fintech/regtech. It is, however, instructive that only 22% of firms believe more resources are needed to evaluate, understand and deploy fintech/regtech solutions. It is to be hoped this reflects an existing technological literacy in the firms, rather than a misunderstanding of the importance of those tasks. As noted elsewhere, failure to get fintech right first time may have costly consequences for the firm. Even if great effort is expended to get it right first time, there remains a need to ensure continuing adequacy and usage of the technology. Constant review is a necessity.
In December 2019, the Bank of England, PRA and FCA published co-ordinated consultation papers on new requirements to strengthen operational resilience in the UK financial services sector. The proposals make clear regulators' expectations that firms and financial market infrastructures are expected to take ownership of their operational resilience and that they will need to prioritise plans and investment choices based on their impacts on the public interest. If disruption occurs firms are expected to communicate clearly, for example providing customers with advice about alternative means of accessing the service. Under the proposals, firms and FMIs will be expected to:
- identify their important business services that, if disrupted, could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system
- set impact tolerances for each important business service, which would quantify the maximum level of disruption they would tolerate
- identify and document the people, processes, technology, facilities and information that support their important business services
- take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
"Operational resilience is not about protecting the reputation of your firms or the reputation of the industry as a whole. It is about preventing operational incidents from impacting consumers, financial markets and UK financial system."
Megan Butler, executive director of supervision at the UK Financial Conduct Authority, December 2019
To read the full report click here.