By Kevin Okell, Director, Altus Consulting
As the dust settled on the 2008 financial crisis, the reckless behaviour of a few individuals and organisations became clear. The outcry from the public and media alike led to a global call for governments and regulators to clamp down and call those responsible to account. Since then we have seen some of the biggest penalties ever levied against corporations for a variety of failings along with an influx of new and tougher regulation. Several global banks have picked up fines of more than a billion dollars, and it is clear that regulators are keen to show that they will come down hard on poor practices.
The amount of post-crisis regulation is staggering; the number of rules changes that global financial institutions must track on a daily basis has trebled since 2011, to an average of almost 200 revisions a day (according to Thomson Reuters).
It is not only the volume of regulation that is stretching UK compliance resources but also its reach. MiFID II (Markets in Financial Instruments Directive II), FATCA (Foreign Account Tax Compliance Act) and GDPR (General Data Protection Regulation) all originated overseas but have placed enormous strain on financial services in the United Kingdom. HSBC, for example, increased the number of its compliance staff globally from 1,750 to 7,000 between 2007 and 2016. And there is no sign of the rate of regulatory change slowing down soon.
Dealing with this quantity of new regulation would be costly and cumbersome for any industry but is especially difficult for established players in the financial-services sector, which must cope with the continuous flow of new regulation against the backdrop of a complex landscape of largely legacy technology. The FCA’s (Financial Conduct Authority’s) post-implementation review for RDR (Retail Distribution Review) reported that final compliance costs were in the region of £355-625 million across the UK’s major life and pensions providers, with the largest share incurred for technology changes.
In an attempt to survive the rising regulatory tide, large financial-services organisations have adopted a broadly consistent approach to deal with regulatory change, which consists of six distinct stages:
Monitor the output from regulators,
Review the content and decide whether it affects the business,
Impact analysis to understand the parts of the organisation that need to change…
then to the last three stages, which deal with planning, building and implementing the necessary changes.
For our whitepaper “Regulation Is Eating the World”, we undertook a survey amongst 35 of our financial-services clients to establish how much time is spent on each of these stages. The results were striking and showed that almost as much time (40 percent) is spent on understanding the changes required as on implementing them (“Regulation Is Eating the World”, Altus). The reasons for this inefficiency are various.
Most firms lack a systemised way of monitoring the output from regulatory bodies and agencies, making this a time-intensive task for compliance teams. With an average month now seeing more than 4,000 regulatory revisions on topics that can range from product suitability to liquidity reporting, reviewing these changes requires herculean efforts, which then need repeating as regulation inevitably evolves through the consultation process.
The review and impact-analysis stages are critical, and to ensure they are effective, those dealing with business change typically develop numerous views of the current business and technical architecture. From a project perspective, this is time well spent, but, unfortunately, the results rarely find their way into any corporate memory, so the work gets repeated by every significant change programme, adding to costs and timescales each time.
With regulatory changes almost always tackled as individual projects, typically aligned to the regulator’s publishing schedule, firms can be running a number of regulatory-change programmes at any one time. Without a consolidated picture of regulatory impact, firms inevitably miss the potential to join the changes up.
The consequences of all of this inefficiency are clear to see in ballooning compliance costs, but it cannot go on, and, inevitably, many firms are turning to technology for a solution. Regtech (regulatory technology), defined by the FCA as “new technologies developed to help overcome regulatory challenges in financial services”, has evolved to address the strain on firms’ staffing resources.
There are more than 600 regtech solutions in the UK, according to the RegTech Markets Directory, and $2.3 billion of venture-capital funding has already flowed into this embryonic sector. However, on closer inspection, it becomes clear that many of these solutions are more concerned with automating familiar regulated activities than on revolutionising the way regulatory change is managed. That’s not to say some of that new technology isn’t exciting, with many examples of artificial intelligence (AI), biometrics and behavioural analytics being put to novel new uses in the name of compliance. But the bigger problem remains.
Fortunately, whilst big data and biometrics have been grabbing the headlines, quiet but steady progress has been made by a range of solutions that do focus on improving the management of regulatory change. This sub-category of regtech can help reduce the cost of regulatory change, in particular the 40 percent of time spent understanding and assessing regulation. Technology from a range of vendors is being developed to improve all stages of the regulatory-change lifecycle:
Monitor: Although notification services designed to alert subscribers to changes in regulation aren’t new, what has changed more recently is their ability to cover a much broader range of regulation thanks to the development of new technology, which detects changes automatically.
Review: More recent offerings in the review stage are beginning to harness the power of machine learning to produce searchable rulebooks that can keep users updated on regulatory changes related to their specific areas of interest. This massively reduces the amount of material compliance experts need to trawl through.
Impact: The challenge here for regtech is not just to understand new regulation but to analyse its impact on the organisation to which it applies. Some offerings in this market provide the ability to link regulation to a firm’s policies, and control and automatically see the impact of change at this level. Others are looking to go further by integrating the way a firm manages risk and compliance into its core processes.
Plan: One of the biggest challenges for large, established organisations is to understand their own operations and technology landscape in a way that allows the impact of regulation to be readily understood and changes to be carefully planned. Mapping regulation to functions, policies and controls is all well and good, but ultimately the rules apply to actual business activity, and firms need a robust model of their business that describes this and the technology that supports it. We are beginning to see a few examples that bundle real financial-services sector models with an analysis capability, and which could be combined with other technologies available. These offer the potential to bridge the gap to real operations and technology and enable a joined-up approach to planning change across silos.
Build and implement: Having made the necessary changes to embed the right controls in systems and processes, the final step is to ensure those controls continue to perform consistently and reliably. Although this step has been often neglected, there are new technologies emerging to manage the complex task of staying on top of the full spectrum of policies, procedures and controls.
Regtech vendors are working hard to enable regulated firms to understand long-form regulatory text via a combination of artificial intelligence, machine learning and natural language processing. Meanwhile, a few progressive organisations, led by the FCA, are making great strides to help from the other end of the regulatory telescope. The FCA is undergoing an extensive programme of restructuring its regulatory handbook to add consistent structure, meta data and tagging, which should enable it to be processed by much more powerful data-driven solutions.
The FCA has even more ambitious goals, though, and has begun to investigate model-driven, machine-executable regulation (MDMER). For machine-executable regulation to work, however, more than just a technology revolution is required. Also required is the FCA to change its spots on principles-based rules and to define testable outcomes that a system can understand. Encoding a test for any statement saying a firm must take “reasonable” or “suitable” steps will simply not work, however much computing power is devoted to the task.
If we did reach a point at which the majority of regulatory compliance was automated, the next logical step would see an interactive regulator with real-time visibility and supervisory presence in the financial-services network. For regulators to be effective in that new role, they themselves would have to introduce a range of new capabilities into their operations. They would need to become data scientists and programmers instead of compliance professionals with encyclopaedic knowledge of the handbook. If they succeed in this change, they could be empowered to make real-time decisions based on actual transactions and intervene to shape future regulation accordingly.
In order for this regulatory epiphany to occur, the FCA would need to accept that any mistakes in the coded rules were its responsibility, which would be a huge departure from its current position. But if that did happen, the benefits could be enormous. Not only would firms be able to automate the act of regulatory compliance as part of their day-to-day business, they would also have a testable framework on which to innovate and change without fear of retrospective punishment.
Maybe one day we will see a self-service regulator, who gets to observe the whole financial system in real-time and fine-tune it for the benefit of everyone. But before any of that can happen, our current regulatory system needs trimming down. The good news is that a slicker way of managing regulatory change is within reach, thanks to some of the less esoteric regtech offerings. Real-time intervention from regulators may be some way off, but a combination of automated monitoring, AI-based interpretation and an engineered model of financial-services business will bring a step-change in the right direction.