RegTech’s Spillover: From Technological Infrastructure to the Epitome of Private Governance?

Conventional Understanding of RegTech

The Institute of International Finance (the “IIF”) defined RegTech (short for “regulatory technology”) as the use of technologies by the financial regulators and the regulated industries to solve their compliance tasks effectively and efficiently. Therefore, we talk about RegTech every time we invoke technology-meditated compliance – machine learning and robotics, cryptography, biometrics, distributed ledgers, and shared utilities – with a myriad of domestic and global data-laden regulations.

RegTech started as a compliance-driven segment of FinTech, a shorthand for the application of technology to finance and for the industry that provides this service.

Although any of the aforementioned actors can provide RegTech solutions, to date, the RegTech industry has been dominated by disruptive start-ups that provide agile, flexible, and versatile technology.

Several Examples of How the Financial Institutions Could Benefit from RegTech.

In the aftermath of the global financial crisis of 2008, prudential regulatory reporting, stress testing, and transaction monitoring have become the mainstay of the regulatory supervision. In the succinct report issued in 2016, the IIF identified several tasks that could be outsourced to different types of RegTech.

Such capital and liquidity reporting statutes, regulations, and soft law instruments as the Dodd-Frank Act (US),the Bank Recovery and Resolution Directive (EU), and the Basel Committee’s “Principles for effective risk data aggregation and risk reporting” require financial institutions to collect, compute, and report aggregated risk data from across the financial group. Stress testing and risk management procedures promulgated under Basel III international regulatory framework for banks and the EU Directive on the taking-up and pursuit of the business of Insurance and Reinsurance (“Solvency II”) require banks and insurance companies to model, analyze scenarios, and forecast the vast array of risks. Transaction monitoring the Financial Action Task Force’s recommended International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (the “FAFT Standards”) and sanctions regimes enacted by the UN Security Council require banks to monitor (often in real-time) low-quality transaction metadata generated by payment systems.

Against the backdrop of data-driven regulatory supervision, global financial institutions could benefit from the resources offered by shared cloud platforms to store the data coming from their overseas subsidiaries and to compute the labor and intellectual capacity of their employees. Data mining algorithms that identify nonlinear and complex patterns could organize this data into consumable information and create accurate risk models. Transaction monitoring can be improved through real-time analytical capabilities of cloud analytics, “an integrated technology architecture that streams and fuses different data types at gigabyte to petabyte scale, powered by cloud computing power with advanced predictive analytical capabilities.”i 

Identity identification required by the FATF Standards could become more reliable and efficient through the use of biometrics technology (fingerprint and iris scanning, vocal and face recognition) and blockchain identity. For example, in the UK, the government is supporting e-identification through the “Verify” program, to which banks contribute by certifying the identity of their customers. In Canada, a private company SecureKey uses a third-party blockchain to enable consumers to assert the identity information using the providers that they trust (such as banks and governments).

The immutability of the blockchain holds great promise not only for identity verification but also for compliance. The watchdogs could join a financial institution’s blockchain in order to be granted a read-only, near real-time access to the audit trail of all transactions recorded on the blockchain. By getting direct and instant access to full transactional data, the regulators would play a more proactive and flexible role in the supervision process than envisioned by the traditional, command-and-control models of regulation.

Challenges of Regulating Finance through Technology

Undoubtedly, RegTech’s promise of efficient and affordable compliance appeals to financial institutions and regulators. At the same time, the alignment of “an established industry with many rules that pre-date smartphones, let alone blockchain or biometric identifiers” with new infrastructure and technology is a complex and gradual process. The current level of the financial industry’s engagement with RegTech firms remains relatively low, especially given the imminent need for agile technology-mediated solutions.

For instance, in such a major market for RegTech as the United States, the implementation of technology is delayed due to: the large scale and diversity of financial institutions, a complex and fragmented regulatory framework, and an unfamiliarity of financial regulators with the new technology. On top of that, the volatility of RegTech start-ups fosters mistrust in the new infrastructure on the part of financial institutions that are reluctant to expose themselves to potential financial and reputational risks. After all, the ultimate adoption of RegTech by the financial industry will require close cooperation amongst all the involved stakeholders – from RegTech companies to regulators, to legacy financial institutions, to consumers.

Rethinking Financial Regulation: From Command-and-Control to Adaptive Regulations

As argued by Lawrence Baxter, the implementation of RegTech will require rethinking the current command-and-control regulatory posture in favor of a more flexible approach that is aligned with the dynamic financial market. The framework for adaptive regulation can be built on the existing regulatory pillars – “systemic-risk regulation, enhanced regulation of individual institutions, and market transparency and fairness regulation.”ii

The foundations of adaptive regulation can already be found in such soft law instruments as Basel III and Solvency II, which, as mentioned above, represent an attempt by the regulators to ensure the adequacy of dynamic models of risk management through constant monitoring of financial institutions. Another example of adaptive regulation are stress testing requirements that determine whether an institution could withstand adverse conditions resulting from economic changes. Regulators will have to develop SupTech (their own methods of automated supervision) to develop adaptable regulations, and the RegTech industry once again might come to the rescue.

Rethinking Regulation of Technology: New Infrastructure

The so-called “relegated bank,” a front-end customer platform that combines a variety of services from different providers (i.e., money transfers, lending, deposits, etc.), is just one example of the growing maturity of the financial infrastructure. The ideal relegated bank scenario combines big data, cloud computing, and artificial intelligence to improve remote individual banking. In some instances, the RegTechs that provide relegated banking services will use incumbent banks for their banking licences, and “[t]he relegated bank may or may not keep the balance sheet risk of these activities, depending on the contractual relationship with the fintech company.”iii

While the ideal relegated bank scenario is a projection into the not too distant future, other customer-friendly payment platforms are flourishing in great quantity. For example, a privately developed platform, GovCoin, combines distributed ledger technologies and machine learning to add an additional layer of data and identity to benefit payments made by the UK’s Department of Work and Pensions (“DWP”). The claimants can receive and spend their benefit payments by using an app on their phones.

As was mentioned above, the financial institutions that no longer directly or exclusively own client relationships could benefit from cloud analytics to comply with the transaction monitoring regulations. However, the advent of front-end customer platforms means that not only financial institutions should align their approach to monitoring with the changing financial services market. Domestic regulators are now forced to rethink consumer protection arrangements. The financial watchdogs in the UK, Canada, Singapore, China, Hong Kong, and Australia have opted for an incremental approach to managing the influx of innovative infrastructure. The Financial Conduct Authority of the United Kingdom (the “FCA”) has recently unveiled a « regulatory sandbox » in which innovative infrastructure models are being tested with potential customers. According to the FCA’s Director of Strategy and Competition, Christopher Woolard, “[w]e refer to our regulatory sandbox as a safe space for firms to test new ideas without incurring all of the normal regulatory consequences… The safe part of the sandbox from a firm’s perspective is a clear understanding with the regulator of how the test is unwound if it does not work.”

Rethinking Regulation of Technology: Algorithms

The biggest challenge posed by RegTech is how to rethink a regulatory framework for finance and technology so as to ensure the accountability of machine learning algorithms that are transforming the way financial institutions approach reporting and compliance. These algorithms look for correlations between the inputted data and the inputted desired outcome and make a decision or, as Pedro Domingos explains, “in goes the data and the desired result and out comes the algorithm that turns one into the other.”iv This form of artificial intelligence is trained “by recursively evaluating the output of each algorithm against a desired result, allowing the machine to learn by making its own connections with the available data.”v

Machine learning raises a number of legal and ethical issues requiring serious consideration, such as: “verification and validation, decision-making transparency, minimising bias, increasing accountability, privacy and safety.” Although the regulatory approaches capable of dealing with technology are evolving, ironically, their progress depends on the level of technological development. Against this backdrop, the system of state regulatory supervision is gradually being replaced by multi-partisan, interdisciplinary cooperation.

While the debates are ongoing about the best regulatory regime to rectify the opacity of algorithms – from full transparency, to qualified transparency, to procedural regularity – restoring due process and the social licence of technology requires introducing human values and oversight into the picture. Generally, a machine that has been “trained” through exposure to data does not infer meaning the way the human brain does. Jenna Burrell identifies this problem as a “mismatch between the mathematical optimization in high-dimensionality characteristic of machine learning and the demands of human-scale reasoning and styles of interpretation.”vi This means that a result can only be explained if the trained model can be articulated and understood by a human. According to Goodman and Flaxman, it is reasonable to suggest that any adequate explanation would, at least, describe how predictions are deduced from inputs and answer questions about the likelihood of a certain result and the characteristics that play the biggest role in reaching the result. Currently, this type of explanation is limited, even if the source code of an algorithm is disclosed.

Is RegTech the New Epitome of Private Governance?

RegTech is not a term of art. The initial demarcation of RegTech from other hybrids, such as FinTech, LegalTech, and SupTech, was focused on its immediate and most obvious manifestations, while overlooking its disruptive potential. Meanwhile, RegTech has outgrown the financial realm and accompanies various forms of technology-mediated dealings “from monitoring corporations for environmental compliance to monitoring trucking companies for speeding infractions to tracking the global location of airliners on a real-time basis.”vii Although RegTech’s manifestations merit a separate inquiry, it seems fair to suggest that the omnipresence of regulatory technology may be an allegory for a new form of private governance. To borrow the idea of Karl Polanyi, paradigmatic shifts result in the appearance of new concepts that epitomize perceptions about a new social reality. In this instance, RegTech may be well-suited to embrace a form of governance that is facilitated and prejudiced by technology.

Governance through regulatory technology is an outsourced venture; hence, the nature of this governance is not new. Indeed, research on the implications of outsourced call-center government arrangements for the rule of law has been going on for years. Generally speaking, the privatization of governance through new technology and infrastructure (such as front-end multifunctional customer platforms), and other private agents has a chilling effect on democracy and accountability because it impedes direct interactions between the government and its citizens and between regulators and regulated entities. This implies that the institutions of government no longer consider the substantive dialogue with their constituents as their primary responsibility.viii

While the nature of this form of governance is not new, its autonomy from state political institutions in unprecedented. The delay in legal responses to innovation (as evidenced by the examples of machine learning and new infrastructure), a dearth of expertise in dealing with new forms of social interaction, and, oftentimes, a lack of awareness of the risks that they conceal contribute to technology losing its social licence, especially when major disruptions break out into the public discourse. This means that an array of responses to the challenges posed by human-machine interface should include the institutionalization of greater public participation in the regulation of technology. While multipartisan cooperation seems to be the way forward to legitimate technology, politicians and regulators will have to carefully wield their authority when deciding how to bring the relevant expertise to bear on future regulatory arrangements.

The Institute of International Finance, RegTech in Financial Services: Technology Solutions for Compliance and Reporting (2016) at 14.

ii L G Baxter, “Adaptive Financial Regulation and Regtech: A Concept Article on Realistic Protection for Victims of Bank Failures” (2016) 66:3 Duke Law Journal 567 at 592.

iii The Basel Committee on Banking Supervision, Sound Practices: Implications of fintech developments for banks and bank supervisors (Bank for International Settlements, 2017) at 19.

iv Pedro Domingos, The Master Algorithm: How the Quest for the Ultimate Learning Machine Will Remake Our World (New York: Basic Books, 2015) at 6.

v Kevin Petrasic, Benjamin Saul & Matthew Bornfreund, “The Emergence of AI RegTech Solutions for AML and Sanctions Compliance”, (25 April 2017), online: White&Case <>.

vi Jenna Burrell, “How the Machine ‘Thinks’: Understanding Opacity in Machine Learning Algorithms” (2016) 3:1 Big Data & Society at 3.

vii D W Arner, J Barberis & R P Buckley, “FinTech, RegTech, and the Reconceptualization of Financial Regulation” (2017) 37:3 Northwestern Journal of International Law and Business 373 at 385.

viii This idea is developed in great detail in Roderick A Macdonald, “Call-Centre Government: For the Rule of Law, Press #” (2005) 55:3 University of Toronto Law Journal 449.

Ce contenu a été mis à jour le 24 juillet 2018 à 13 h 40 min.