Regtech rising: Automating regulation for financial institutions

by White & Case LLP

Regulatory compliance is time-consuming and expensive for both financial institutions and regulators. The volume of information that parties must monitor and evaluate is enormous. The rules are often complex and difficult to understand and apply. And much of the process remains highly labor-intensive: even the most automated solutions are often incompatible with other systems, and most still depend heavily on manual inputs.

As a result, costs have risen significantly for financial institutions in recent years. According to Federal Financial Analytics, a policy analysis firm, the six largest US banks spent US$70.2 billion on compliance in 2013, twice the US$34.7 billion spent in 2007.[1] In 2015, the Financial Times estimated that some of the world’s largest banks each spent an additional US$4 billion a year on compliance since the financial crisis.[2]

Regtech has emerged to address these and other challenges. An outgrowth of fintech, regtech uses digital technologies, including big data analytics, cloud computing and machine learning, to facilitate regulatory compliance. Among other things, regtech applications automate risk management and compliance processes, enable companies to stay abreast of regulatory changes around the world, facilitate regulatory reporting and support strategic planning.

A growing number of companies and regulators use regtech solutions to increase the efficiency and effectiveness of compliance while reducing costs. Regtech may also prove essential to regulating emerging fintech applications that are difficult to monitor or manage under legacy regimes.

Organizations must be vigilant about managing the risks of implementing regtech solutions. The space is evolving rapidly, and regtech could bring significant change to the financial services sector in relatively short order, potentially transforming how regulators and financial institutions operate and interact. Some basic guidelines can help organizations capture the benefits while navigating what may often be new and unfamiliar terrain.

Financial Institutions Are Leading The Way

For now, the vast majority of regtech solutions are focused on helping financial institutions manage compliance. By some counts, more than 100 startups[3] already provide regtech solutions, and many financial institutions are building proprietary systems in-house. At this early stage, most of the attention is focused on three broad areas: modeling and forecasting; identity validation; and real-time monitoring and behavioral analytics.

Modeling and forecasting

Data is the lynchpin of compliance, and companies need robust systems that efficiently gather, structure and present data for regulatory assessment. Compliance and reporting standards have risen significantly since the financial crisis. Most large banks operate under multiple sets of rules that require capital and liquidity reporting, recovery and resolution planning and stress testing—including those stipulated in the Basel Accords, the EU Solvency Directive and the US Dodd–Frank Act.

These and other regimes also require financial institutions to conduct sophisticated scenario modeling and analysis forecasting to evaluate and plan for the possible effects of adverse events on their businesses. These exercises are often extremely complex.[4] To carry out these new regulatory requirements and directives, an institution must collect data and engage expertise from every corner of its organization to understand how a multitude of factors could affect its businesses.

One large financial services company used software from Ayasdi, a machine intelligence and analytics company, to assess the impact of more than 2,600 variables on each of its business units. Analysis revealed which variables would most affect each unit’s monthly revenues, and the company used those variables when developing risk management and strategy initiatives. As part of this effort, the company ran statistical tests to validate the models' predictions before submitting its strategic risk management plan to regulators.[5]

Identity validation

Regulations in a number of areas, including anti-money laundering (AML), sanctions and taxes, require detailed customer due diligence practices that can be significantly enhanced by technology solutions. Evolving know your customer (KYC) rules are particularly critical, requiring institutions to verify the identity of customers, clients or business partners, as well as their beneficial owners, whether they are actual or legal persons.

This is a complex and time-consuming challenge requiring analysis of information from private and public sources, often codified in different languages and in a variety of formats. Many rules are set by international bodies and apply uniformly across borders, but other rules differ significantly from country to country.

Financial services providers are taking a variety of approaches to identity verification and validation. Some regtech providers currently operate as utilities to aggregate data from sources worldwide. Trulioo, an ID verification company, provides access to information collected in 50 countries from a range of sources—including government agencies and public record keepers, credit bureaus, utilities, consumer marketing firms, mobile and device service providers (including app developers) and cyber channels (including profiles from social media platforms). TransparINT, a real-time data intelligence platform, aggregates information about financial crimes and AML compliance from global media sources.

Blockchain is already a proven means of identity verification in the cryptocurrency context. Regtech providers, such as Tradle, are developing systems for using blockchain in other financial contexts, including for KYC purposes. Other innovative methods, such as biometric validation, including facial, voice, fingerprint and iris recognition, have already been deployed in many contexts. These technologies are evolving rapidly and they will be used in an increasing variety of applications and contexts in the future.

Real-time monitoring and behavioral analytics

Participants in financial markets must comply with Securities and Exchange Commission Rule 15c3-5, which sets credit and capability thresholds on trading activity in the US. In Europe, the Markets in Financial Instruments Directives set complex requirements for investors and intermediaries. And derivatives are separately—and strictly—regulated in the US, Europe and elsewhere.

A number of regtech providers focus on financial market compliance, using many of the techniques that are already used in the payments context to support compliance with AML, anti-terrorist financing and other sanctions regulations. Fundapps automates shareholder disclosures and flags potential problems related to areas such as disallowed assets, holdings that exceed regulatory limits and assets that require specific disclosures. OpenGamma enables traders to select a central counterparty to clear over-the-counter derivative transactions.

Some areas are more difficult to monitor because quantitative data is hard to come by. This is particularly true when the ability to identify questionable conduct depends on insight into human behavior or decision-making processes; thus, the ability to identify rogue trading situations or automate the processing of customer complaints is particularly challenging. Sybenetix, a behavioral analytics company, uses algorithms to do behavioral profiling that enables it to identify possible misconduct. Starling Trust Sciences, a predictive analytics company, applies the principles of behavioral economics and uses techniques such as network and Big Data analytics to identify risks based on insights into culture and behavior patterns within organizations.

Compliance also depends on staying informed about legal, regulatory and compliance changes, which can be particularly challenging for global financial institutions with operations in multiple countries, each with their own rules. A number of providers are focused on helping companies prepare for legal, regulatory and compliance changes. Helm Solutions not only provides companies with real-time alerts about compliance issues, it also alerts companies about changing regulations that affect their businesses.

Regulators Are Taking The Mantle

Regtech offers many of the same benefits to regulators as it does to financial institutions. Yet, it appears that few regtech providers have emerged to serve the significant needs of regulators.

Vizor, one of Ireland's fastest-growing companies, develops technology for financial regulators that automatically monitors financial institutions to determine whether they are meeting regulatory requirements. Vizor serves several central banks, as well as bank regulators in England, Canada, Ireland, Saudi Arabia and more than a dozen other countries.

Another rapidly developing area involves the use of smart contracts, which may provide regulators with real-time oversight of an array of automated financial transactions. For example, automatic triggers could alert regulators when a bank exceeds thresholds set in its capital model (such as capital ratios based on realized or projected losses), enabling them to automatically initiate predetermined responses.

Regulators are also experimenting to develop more efficient regulatory structures that account for and are strengthened by regtech innovations.

In 2014, the UK Financial Conduct Authority (FCA) sparked a blaze of regtech investment by ordering regulatory agencies with oversight of financial institutions to identify technologies that will support compliance efforts. The FCA then launched Project Innovate to help companies bring innovative financial services and products to market. In its first year, Project Innovate supported 177 companies, and it is on track to support twice as many companies in its second year of operation.[6]

In 2016, the FCA debuted its "regulatory sandbox," a space where financial services companies are encouraged to test new products without regulatory consequences. The initiative will enable regulators to work out how to apply rules to new offerings without stifling innovation.

Other countries have also taken steps to support fintech and regtech innovation. The Australian Securities and Investments Commission launched an innovation hub to help fintech startups navigate the country's regulatory system, and Japan's Financial Services Agency launched a fintech support desk. The Monetary Authority of Singapore is in the process of developing a regulatory sandbox, and a variety of US regulatory authorities—such as the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency—are actively considering how to adapt to the emerging fintech era.

What to Look Out For

Despite the tremendous promise of regtech, there are good reasons for companies and regulators to exercise caution in its pursuit. All players in the space should develop clear perspectives about how to manage five broad categories of risk to minimize their exposure and maximize the potential benefits of their regtech endeavors: uncertain development paths; provider reliability; increased regulatory scrutiny; limited judgment; and privacy.

Uncertain development paths

Regtech systems are evolving rapidly, which can make it difficult for financial institutions or regulators to commit to a particular technology or course of action. Companies that invest in one approach may need to abandon it in favor of another down the line as new technologies emerge and new standards take shape and are implemented. It is also difficult to predict how regulations will evolve as the fintech space matures. Financial institutions that pursue strategies not aligned with future regulatory schemes might have to change course, perhaps at significant cost.

Provider reliability

When a company selects a technology provider, it also selects a partner—and that comes with third-party risk. Regtech partners often have access to sensitive information and are charged with carrying out critical tasks. It is critical to conduct careful due diligence on every potential regtech partner to ensure their systems are secure and protected against cyberattacks and data breaches. It is also critical to check that each potential partner has a strong values-based culture, ensuring that it will not abuse access to sensitive information and will carry out all operations to the highest standard.

Increased regulatory scrutiny

Companies that implement and rely on fintech and regtech solutions to gather additional data may also be required to share such information with regulators, even if the data was expected to remain private. Systems that provide regulators with greater access to data may also invite greater scrutiny, enabling regulators to analyze such information however they see fit. Moreover, relationships with regulators could get even more complex as machine learning gains traction, particularly if regtech systems develop the ability to select which data to gather and share with regulators on their own. Regulators may also face additional risks in gaining access to greater volumes of data, particularly if they are held responsible for analyzing such information to identify violations or emerging issues within institutions or across the financial system.

Limited judgment

Algorithms are very effective in making routine decisions and are improving rapidly when it comes to handling more complex decision-making tasks. Eventually, algorithms may be as good as or better than people at making complex judgments and accounting for nuance, but, for now, algorithmic processes are still catching up. While these processes can be extremely efficient, they can also replicate errors at extreme speeds that may be difficult to manage when something goes wrong. Thus, it is important to emphasize that people must remain involved in the regulatory compliance process. At a minimum, financial institutions and regulators should build gates into their systems that enable people to conduct checks and exercise judgment in complex scenarios. Regtech adopters and providers must be vigilant to avoid being complacent and ceding too much control to technology too soon.


Privacy

Any time an organization collects data about individuals, it must take steps to ensure it does not violate privacy rules. This can be particularly difficult because rules often vary by jurisdiction. Moreover, privacy standards are evolving rapidly in response to innovations that have dramatically increased the power of technology to gather and analyze personal data. For example, the newly published EU General Data Protection Regulation significantly raised privacy standards for companies that operate in the European Union, regardless of whether they are based there.[7] Technologies that systematically monitor individuals to identify security threats or regulatory and legal violations may present privacy risks, including those that gather and analyze personal data about consumers and employees. Companies should regularly evaluate their regtech practices to ensure they do not violate privacy rules in any relevant jurisdiction in which they may be deemed to operate.

Although the regtech era is just getting started, financial institutions and regulators are already reaping tangible benefits from implementing regtech solutions. As the space matures, regtech will become prevalent throughout the financial services industry and an increasingly important aspect of the regulatory process. Early adopters that manage the risks and challenges of regtech could gain competitive advantages that set them apart.

[1] "The Regulatory Price-Tag: Cost Implications of Post-Crisis Regulatory Reform," Federal Financial Analytics; see also: "Nuns With Guns: The Strange Day-to-Day Struggles Between Bankers and Regulators," The Wall Street Journal
[2] "Banks Face Pushback Over Surging Compliance and Regulatory Costs," Financial Times
[3] "100 RegTech startups to follow," LinkedIn Pulse
[4] "Regtech in Financial Services: Solutions for Compliance and Reporting," Institute of International Finance
[5] Citigroup case study, Ayasdi
[6] "FinTech Week Speech: Christopher Woolard Chats Up RegTech Innovation," Crowdfund Insider
[7] "Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law," White & Case

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising
