The regulation of RegTech and SupTech in finance: ensuring consistency in principle and in practice

Jonathan McCarthy (School of Law, University College Cork, Cork, Ireland)

Journal of Financial Regulation and Compliance

ISSN: 1358-1988

Article publication date: 8 July 2022

Issue publication date: 29 March 2023

Abstract

Purpose

The paper’s aim is to consider how best to formulate sturdy regulatory frameworks for RegTech and SupTech. The paper appraises how key features of EU and UK regulatory and policy initiatives can contribute to a functional framework for RegTech and SupTech.

Design/methodology/approach

The paper refers to the most comprehensive empirical findings within the EU and the UK on RegTech and SupTech, including reports released by the European Banking Authority and the Bank of England. As data is only gradually becoming available about the true rate of adoption of RegTech and SupTech, the paper identifies salient areas that warrant analysis from emerging findings. In light of the relatively restricted sources of empirical data, the article’s methodological approach is directed towards the most wide-ranging and detailed sources that are currently available at EU and UK levels.

Findings

The paper reveals distinct variations in how the EU and UK have pursued regulatory approaches towards RegTech and SupTech growth. However, there are many shared features in the respective approaches. The paper argues that a regulatory framework should ideally be imbued with overarching strategies and policy objectives, as well as with practical measures through innovation facilitators, such as sandboxes. Yet, legislative (top-down) intervention will be the significant ingredient in guaranteeing legal clarity for RegTech and SupTech.

Originality/value

By understanding the nuances in EU and UK approaches, the paper advocates for pragmatic reasoning when formulating a regulatory response. The importance of the article is in its focus on the elements of EU and UK regulatory approaches that are most capable of guaranteeing clarity on standards relating to RegTech and SupTech. The paper makes a vital contribution to existing commentary by determining how a balance can be struck between “top-down” and “bottom-up” types of regulation (i.e. should regulation be entirely concerned with industry-driven standards, such as codes of conduct?).

Citation

McCarthy, J. (2023), "The regulation of RegTech and SupTech in finance: ensuring consistency in principle and in practice", Journal of Financial Regulation and Compliance, Vol. 31 No. 2, pp. 186-199. https://doi.org/10.1108/JFRC-01-2022-0004

Publisher

Emerald Publishing Limited

Copyright © 2022, Jonathan McCarthy

License

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode


1. Introduction

In the years since the Global Financial Crisis (GFC) of the late 2000s, financial technology, or FinTech, has conveniently materialised as a means by which banking and financial services internationally could be transformed. As well as seamless provision of services for customers, substantial cost savings should result for regulated financial institutions as the current market incumbents. In spite of the expectations surrounding FinTech firms as the fresh market entrants, it is notable that market incumbents are continually specified as being the major beneficiaries of technology’s impact on finance. The same could be anticipated for supervisory authorities, so long as technology can be prudently put to good use by authorities. In looking towards future technological developments in finance, an emphasis is increasingly being placed on “RegTech”, as the use of technology by financial institutions for regulatory purposes (such as compliance with reporting requirements), and, by extension, on “SupTech”, as the use of technology by authorities for supervisory functions.

The aim of this article is to consider how best to formulate a sturdy regulatory framework for RegTech and SupTech. Data is only gradually emerging about the rate of adoption of RegTech and SupTech applications. Indeed, much of what is understood to be innovation in FinTech generally is at a very early or nascent stage. The article cannot therefore account for all possible empirically verifiable developments within EU and UK banking sectors. Nonetheless, this article refers to the most comprehensive reports and statistics which are currently available relating to RegTech and SupTech (particularly through the European Banking Authority, the Bank of England and the Financial Stability Board).

The article proceeds to analyse features of the EU and UK regulatory approaches towards RegTech and SupTech. The UK has garnered a reputation internationally for cultivating regulatory techniques which are designed to foster technologies to an advanced level. Rather than assessing the approaches taken in individual EU Member States that may not have experienced the same degrees of growth in RegTech and SupTech, an examination of EU-wide regulatory and policy initiatives represents the most logical point of comparison. There are distinct variations in how the EU and UK have pursued their regulatory approaches, and have refined their stances, towards the growth of RegTech and SupTech. However, there are many shared features in the respective approaches.

The article begins by comparing EU and UK policies towards RegTech and SupTech. As a context for this comparison, the UK was quick to implement practical regulatory mechanisms and the UK possesses a more fully fledged RegTech sector by contrast to the EU. However, the EU has steadily worked towards building a cohesive architecture of policy goals, accompanied by strategies and legislative proposals. The second section of the article describes particular technologies that are becoming characteristic of present-day RegTech and SupTech. The article recognises the limitations to the uptake of RegTech among regulated institutions and the discernible barriers to the growth of SupTech for supervisory authorities. Yet, the capacity for sustained technological innovation in regulatory reporting, compliance, due diligence and supervisory activities cannot be underestimated. Regulation will need to adapt flexibly in tandem with how RegTech and SupTech applications manifest themselves.

Having identified the salient areas of RegTech and SupTech that warrant analysis in emerging research findings and data, Section 4 of the article appraises how key features of EU and UK regulation can contribute to a functional framework for RegTech and SupTech. It will be argued that appropriate “top-down” legislative intervention is necessary for regulatory consistency, for the formation of formalised guidance and for requirements for governance and institutional conduct. A pragmatic balance can be struck by ensuring the presence of sandboxes and other regulatory supports.

2. EU and UK policies towards RegTech and SupTech

This section gives an overview of EU and UK developments in RegTech and SupTech policy initiatives. Although there are variations in the regulatory stances, the features of the EU and UK approaches indicate the aspects which could be most crucial to a balanced regulatory framework.

2.1 EU developments

Since the European Commission’s FinTech Action Plan of March 2018, the most prominent EU-level initiative of recent times is the Commission’s Digital Finance Strategy 2020, which consisted of three regulation proposals [on markets in crypto-assets, on a distributed ledger technology (DLT) pilot regime for financial market infrastructures and on digital operational resilience for the financial sector] and a separate Retail Payments Strategy. Although the Commission’s Strategy is patently directed towards digital finance, there are no aspects of the strategy which have expressly focused on RegTech and SupTech. RegTech and SupTech should be understood as being distinct from digital finance or FinTech generally. Within the strategy, “RegTech” is defined simply as “regulatory technology, a subset of fintech, that focuses on technologies that may facilitate delivery of regulatory requirements more efficiently and effectively than existing capabilities”. As another sub-set of FinTech, “SupTech” is defined as the use “of innovative technology to support supervision” and, in so doing, to facilitate supervisory authorities “to digitise reporting and regulatory processes” (European Commission, 2020, p. 13). Nonetheless, in the period since the strategy’s release, there have been more direct endeavours by EU authorities to analyse RegTech and SupTech.

The European Banking Authority (EBA) analysis of RegTech in the EU financial sector is the most comprehensive empirically grounded EU-level report on the current state of technological adoption by financial institutions. Within the EBA analysis, RegTech is given a more elaborate interpretation as “any range of applications of technology-enabled innovation for regulatory compliance and reporting requirements implemented by a regulated institution (with or without the assistance of [a] RegTech provider)” (EBA, 2021a). The RegTech study was complemented with several other reports over the course of 2021.

The EBA’s study of the cost of compliance with supervisory reporting requirements (EBA, 2021b) sought to produce recommendations on how to reduce reporting costs by 15%–24% for regulated institutions, especially for small and non-complex institutions, and encouraged the wider use of technology within reporting processes. Following two years of preparatory work, the EBA released its final report on the feasibility of integrated reporting under Article 430C of the Capital Requirements Regulation (CRR) (Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012) (EBA, 2021c). As an additional step towards the contemplation of advanced technological innovations in regulatory processes, the EBA published a discussion paper on machine learning (ML) for internal ratings-based models in the calculation of regulatory capital for credit risk (EBA, 2021d).

Within its RegTech analysis, the EBA’s overall recommendations express the need for convergence of regulatory standards, backed by the knowledge-gathering activities of the European Forum for Innovation Facilitators (EFIF) and of national regulatory sandboxes and innovation hubs. From the EBA’s perspective, the harmonisation of RegTech frameworks can be enabled by a “monitor, assess and adapt” approach (EBA, 2021a, p. 78). Long-term options could include the establishment of a centralised EU database of RegTech solutions and the certification of providers’ RegTech solutions (EBA, 2021a, p. 79).

While these reports are primarily related to RegTech, the European Commission has not neglected issues concerning SupTech. The 2021 Strategy on Supervisory Data in EU Financial Services identifies five main areas for improvement: consistency and harmonisation of reporting requirements; data sharing and use among national and EU supervisors; legislative processes and instruments; governance; and technology. The precise recommendations on technology stem from a necessity to allow for “automated, straight-through data processing in all areas”, including RegTech and SupTech, which is presently being impeded by insufficient standardisation of data across the EU (European Commission, 2021, p. 3). The Commission’s Strategy on supervisory data builds upon the 2020 Data Strategy (which proposed a dedicated common European financial data space). It is intended that a report will be prepared by 2024 to share best practices.

Progress towards machine-readable and machine-executable requirements is envisaged as a principal feature of the work ahead for the European Supervisory Authorities (ESAs) [the EBA, the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)] as well as the European Central Bank (ECB). It should come as little surprise that the same considerations are being raised in UK studies.

2.2 UK developments

As the epitome of the UK’s practical measures in regulating for innovative technologies, the Financial Conduct Authority (FCA) sandbox has been active since 2016 in allowing FinTech firms the opportunity to trial products, services and solutions without being subject to regulatory sanctions. RegTech is central among the innovations being tested within the FCA sandbox. Indeed, the frequency of RegTech-related activities is evident from the successive cohorts of accepted entrants since the introduction of the sandbox (FCA, 2022). From 2016 to 2018, the Bank of England’s FinTech accelerator engaged significantly with the testing of SupTech use cases, a pattern which was also demonstrated in the tech sprints organised through the collaboration of the Bank of England and the FCA during the same period. There can be little doubt as to the UK’s commitment to making practical supports available for FinTech firms and regulated institutions. By comparison to the EU’s determination in releasing overarching strategies and policy aims in the space of two years, the UK has not exhibited such a decidedly “high-level” attitude towards devising interlinking policy and regulatory strategies.

A call to action of sorts was given through the 2019 “Future of Finance” (van Steenis) review and report on the outlook for the UK financial system. Aside from the immediate challenges presented by Brexit, the report sought to discern longer term trends and to note striking traits of the financial industry. As elements with substantive potential, the report stated that the UK’s data economy could be worth £95bn by 2025 and that greater use of ML could generate an efficient 20% increase in firms’ financial performance (Bank of England, 2019a). In view of estimates that the UK banking industry was burdened with annual reporting costs of between £2bn and £4.55bn, it was stated that better efficiency and compliance could be delivered if the Old Testament-length rulebook of the Prudential Regulation Authority (PRA) was to be made machine-readable (Bank of England, 2019a, p. 3). Data standardisation and the avoidance of fragmented, or siloed, data collection and processing processes were also chief concerns of the review. The Bank of England’s response to the report was not merely positive, but ambitious, in prioritising the design of a “world-class” RegTech strategy and data strategy and the conversion of the PRA rulebook to a machine-readable format over three to five years (Bank of England, 2019b, Priority 4).

Subsequent to the report, the FCA and the Bank of England oversaw the Digital Regulatory Reporting project, involving collaboration with financial institutions such as Barclays, Credit Suisse, HSBC, Lloyds and NatWest. As an ominous indication of the patience that would be required, the Phase 2 pilot of systems of mortgages and derivatives digital reporting concluded that, rather than having an industry-wide roll-out, digital regulatory reporting was likely to be more appropriate for some domains than others (FCA-Bank of England, 2018, p. 37).

In spite of the practice-oriented characteristics of UK developments, the UK approach is not radically different to that of the EU. Forward-looking planning is certainly not dissuaded, as exemplified by the Bank of England’s 2021 plan on “Transforming Data Collection from the UK Financial Sector” (preceded by discussions with industry stakeholders during 2020). The plan proposes three key reforms:

  1. to define and adopt common data standards;

  2. to modernise reporting instructions; and

  3. to integrate reporting towards a more streamlined and efficient approach to data collection.

The plan does acknowledge that its realisation will entail multi-year and multi-phase use cases. The achievement of the planned milestones is to be hastened by a core team of Bank of England and FCA staff along with a majority of representatives from firms from whom data is regularly collected for supervisory purposes.

The practical successes of the UK’s regulatory approach are borne out by the expansion of the FCA sandbox to “always open” acceptance of year-round applications and by the permanent introduction of a digital sandbox (initially piloted in early 2021). These changes were recommended by the 2021 Kalifa Review of UK FinTech, which also specified the need for measures to support partnering between market incumbents and FinTech and RegTech firms. In echoing the Bank of England plan – and EU-level statements – the Kalifa Review reinforced the value of having a comprehensive jurisdictional FinTech strategy, composed of a data strategy and the development of common data standards (Innovate Finance, 2021).

By nurturing its sandbox programme, it could be asserted that the UK opted to place an onus on pragmatism ahead of policy. In economic terms, it worked. As observed in the Kalifa Review, the UK ranks third globally both for the presence of unicorn technology firms and for investment in emergent technologies (Innovate Finance, 2021, p. 97). The question which arises is whether coherent plans, strategies and – in time – legislative proposals can ever be fully sacrificed in favour of the quicker gains that could conceivably be yielded by sandboxes and innovation hubs. Without there being policy, regulatory and legal frameworks in place to support measures such as sandboxes, there is the plausible risk that practical initiatives could eventually be left running empty. This is especially the case if the rate of RegTech and SupTech adoption transpires not to be as dramatic as might have been expected.

3. Implications of RegTech and SupTech growth

This section highlights observed patterns regarding specific instances of RegTech and SupTech applications, as well as acknowledging the limitations and obstacles to their uptake. It is by realising the implications of current RegTech and SupTech adoption that regulatory responses can be tailored accordingly to reflect the practical realities of the growth in these technologies.

3.1 Push or pull: specific technologies and patterns of usage

It is not only official reports from the EU and the UK that are prone to declaring the advent of an unprecedented wave of RegTech and SupTech innovations. As just one example from academic commentary, Arner, Barberis and Buckley (2017, p. 391) claim that “RegTech represents more than just an efficiency tool and rather is a pivotal change leading to a paradigm shift in regulation”, which should eventually be treated as “a foundational base underpinning the entire financial services sector”.

RegTech and SupTech are highly internationalised. As demonstrated by Cambridge Centre for Alternative Finance findings, over one-third of surveyed RegTech vendors are present in five or more jurisdictions. Although Europe has a number of crucial financial centres (such as Luxembourg, Switzerland and Ireland), almost two-thirds of the surveyed vendors are physically present, or have a significant market share, in the UK. The primacy of the UK market is even further accentuated when considering that only about a half of those RegTech vendors have a US presence (CCAF, 2019; Figure E2).

For all of the globalised qualities of RegTech and SupTech, the empirical evidence intimates that, firstly, there are lingering supply-and-demand issues and, secondly, the technologies being used for reporting and supervision are not quite as indicative of cutting-edge innovation as could be imagined. A concentrated market for RegTech is inferred by the EBA’s 2021 analysis in reporting that some 39% of RegTech providers have fewer than six financial institutions as clients. The largest of the RegTech providers are based in the UK (EBA, 2021a, pp. 13–15). Providers of RegTech solutions are more inclined to specialise in know-your-employee, third-party due diligence services and regulatory screening. However, from the demand side, most RegTech solutions (at 33%) are ultimately applied by financial institutions for fulfilling anti-money laundering and counter-terrorist financing requirements, followed by fraud detection methods (EBA, 2021a, p. 12). The most common underlying technologies for RegTech are spread particularly across data transfer protocols and cloud computing, while there are marginally lower proportions for predictive data analytics and ML (EBA, 2021a, p. 20).

The EBA findings corroborate findings on SupTech from the Financial Stability Board (FSB) in a 2020 study. If anything, the outcomes of the FSB study depict a more emphatically conservative scene for technology adoption. It was found that Excel is the most commonly used tool for data analysis by supervisory authorities (FSB, 2020, Graph 12, p. 23). Data science competency within authorities did not stray far beyond Excel and SQL (structured query language) (FSB, 2020, Graph 7, p. 16). As at least some glimpse of the possibility of more advanced applications, it was recognised that supervised ML (by means of training models using inputted data sets) is deployed among authorities (FSB, 2020, p. 26). Artificial intelligence (AI) was projected by participants in the FSB research to be the predominantly deployed SupTech tool within three to five years. Cloud computing and DLT/blockchain were categorised as the next most likely candidates for SupTech adoption (FSB, 2020, Graph 16, p. 28). Furthermore, the FSB study conveyed that the use of RegTech and SupTech tools became more conspicuous in the periods of remote working during the COVID-19 pandemic (FSB, 2020, p. 28).

These findings reveal a rather less revolutionary picture than the proponents of RegTech and SupTech could hope for. On the other hand, there is heightened awareness of the steps that should be taken to assimilate technologies into regulatory and supervisory activities, which should boost cost-savings and effective delivery of services. As the levels of reporting gradually increase, the “push” of data towards central databases, or data lakes, can threaten to overwhelm supervisors’ ability to constantly enter encrypted data manually using off-the-shelf software. As a comparably more sophisticated concept, the option of application programming interfaces (APIs) would allow for automated, database-to-database transmission of granular data at the request (“pull”) of supervisory servers (FSB, 2020, pp. 32–33). AI/ML methods would be even more pioneering. For now, empirical findings evince that AI/ML is a “next-generation” development, but one which would not be greeted with surprise by supervisory authorities and regulated institutions over time (di Castri, Hohl, Kulenkampff and Prenio, 2019).

According to World Bank research, there are signs of a growing supervisory confidence in authorities’ gathering of unstructured data (including through email format), even through some authorities’ monitoring of alternative or “non-traditional” data (from social media sources, consumer sentiment analyses, geolocational information and from Web scraping) (World Bank, 2021). As of now, one instance of advanced analytics which authorities – including the ECB and the FCA – have attained some experience of is natural language processing (NLP). NLP permits receipt of vast quantities of text and speech data, to algorithmically create topic models, analyses or summaries. However, NLP poses its own challenges, especially in necessitating regular updating, or “fine-tuning”, at least annually, so as to retain consistency and transparency (World Bank, 2021, p. 10). Such technical and resource-related problems can be an expected difficulty with core RegTech and SupTech technologies – but, as discussed below, this is along with the regulatory and legal concerns which must be confronted.

3.2 Limitations and obstacles

Regulated institutions and supervisory authorities can act as petri-dishes for the adoption of innovative technologies. At the present time, empirical findings disclose persisting limitations and obstacles to RegTech and SupTech adoption. The interoperability of fresh RegTech and SupTech platforms with existing, or legacy, databases is an initial practical hurdle to be surpassed. Implementing new models of RegTech and SupTech can give rise to concerns over data security and vulnerability to cyber-threats, particularly where systems are reliant on cloud computing (Beerman, Prenio and Zamil, 2021, para. 32). Most RegTech solutions have conventionally been cloud offerings (about two-thirds as reported in CCAF, 2019, p. 9).

For any institution or authority, there is a “build or buy” decision to be pondered before establishing a RegTech or SupTech model. The decision is essentially whether to retain, or to build, on-premises structures or to deploy, or bring in, largely cloud-based software-as-a-service tools (EBA, 2021a, p. 24). For supervisory authorities, there can be a preference for use of on-premises systems, where possible (CCAF, 2019, p. 63; World Bank, 2021). Even following the changes to practices caused by COVID-19-related restrictions, research shows that supervisors understandably maintain support for on-site inspections, rather than embarking on a comprehensive shift towards remote and digitalised monitoring (Beerman, Prenio and Zamil, 2021, para 36).

Once a technological application is adopted by a regulated institution or supervisory authority, it would have to be embedded within organisational systems and processes for its benefits to be reaped, as reiterated by the EBA’s analysis of EU RegTech. The EBA concludes that these considerations of organisational governance, requiring oversight and dedicated compliance officers, are very much connected to adequate information and data-sharing processes (EBA, 2021a). However, in practice, holistic strategies within organisations are not commonplace, including for supervisory authorities. There is a general absence of organisational-specific SupTech strategies, overseen by chief data officers, within supervisory authorities internationally (FSB, 2020, Graph 27, p. 65). From a regulatory perspective, it strengthens the rationale for encouraging enhanced sectoral standards. As elaborated on below, “bottom-up” standardisation still requires clear “top-down” intervention to give guidance on how organisations should adjust their governance and oversight procedures around RegTech and SupTech tools.

Top-down clarity would lessen the doubts and concerns which can appear internally within institutions and authorities. Empirical findings reported by the Bank of England show how the basic purposes of collecting certain data (personal or otherwise) are not always comprehended, either inside or outside the Bank. It was also reported that participants felt that a disproportionate focus on tactically meeting short-term deadlines was a disincentive to making necessary long-term investments in more efficient reporting processes (Bank of England, 2021, p. 17). Moreover, most firms participating in the Bank of England research were very sceptical as to how functional a common data input portal, or a pull model of real-time data collection, could be in the short- to medium-term. For instance, participants articulated their apprehension about larger firms’ dominance, about data security and about accountability in the event of data breaches (Bank of England, 2021).

Perhaps one of the most profound drawbacks is the dearth of advanced technological expertise among the staff of regulated institutions and of supervisory authorities. If a decision is taken to deploy a RegTech or SupTech system, it is probable that the assistance of data scientists will be necessary. This, in turn, leads to doubts about the viability of having a centralised unit within an institution or authority, or of integrating data scientists across several departments (World Bank, 2021, p. 30).

The expense associated with new systems can be substantial. Even when the initiative turns out to be successful, the costs of onboarding users within, say, a financial institution’s newly introduced RegTech platform can be daunting (CCAF, 2019, p. 53). For small and non-complex institutions, the operating costs can especially diminish the overall progress of RegTech development. Aside from the prohibitive costs, interest in providers’ services could be sharply hindered by perceptions that certain technologies are not sufficiently mature or are ill-suited to an institution’s business model (EBA, 2021b, 4.4.2, pp. 52–53). Most tellingly, it should be noted that EU financial institutions’ IT budgets divert relatively small amounts towards RegTech solutions. The EBA’s findings show that RegTech expenditure is below 20% of the total budget of half of the surveyed financial institutions and that less than €100,000 is spent on implementation and operation of RegTech solutions by some 70% of respondents (EBA, 2021a, p. 17).

For SupTech, somewhat traditional market limitations have been identified, whereby there are few prospective vendors and few clients prepared to spend considerable resources. As a practical illustration provided by di Castri, Hohl, Kulenkampff and Prenio (2019) (para 40, p. 15), the FCA’s trialling of automated digital regulatory reporting processes had to involve separate tech sprints, because there were no available providers of analogous services in the market at the time.

All of these types of factors are “internal” in nature. An external factor, such as the complexity or rigour of a legal and regulatory framework, is not being identified in the latest EBA empirical evidence as being a “material obstacle” (EBA, 2021a, p. 77). However, as contended in the next section, law and regulation has a far more important role to play than might be implied by the views of institutions and authorities.

4. Best of both worlds?

This section evaluates the necessity for regulatory intervention to provide clarity in respect of technologies which, rather paradoxically, are supposed to help regulation, supervision and compliance. This intervention should incorporate aspects from the EU and UK approaches. Regulation should thereby ensure consistency between expressed rules and the practical realities of RegTech and SupTech adoption.

4.1 Regulating for what is supposed to help regulation?

Formulating the most suitable and balanced regulatory framework for RegTech and SupTech requires a recognition of up-to-date patterns in adoption and usage. By the same measure, regulation needs to have future-proof qualities in being able to pre-empt, and to evolve with, technological innovations. The characteristics of the technologies that are driving RegTech and SupTech processes have very real transformative potential for financial services, especially in expediting existing processes and reducing costs. If these technological examples are “not science fiction” and are “available today” (Coeuré, 2020), it is paramount that regulated institutions, supervisory authorities and, indeed, lawmakers, are aware of the opportunities and risks emanating from RegTech and SupTech. As evident from the preceding section of the article, there are diffuse examples of technologies that could be deployed. The irony is that the demand for legal and regulatory certainty – including through legislative intervention – is for technologies which, by their nature, are supposed to be in the interests of assisting regulation and supervision.

Technology-enabled compliance can only achieve what the technologies are meant to do “on the tin”. When technologies are depended on for reporting, due diligence and supervisory purposes, there are blind spots which can constitute latent, but potent, sources of risk for financial stability. Undue attention, or “misplaced focus”, could be placed on areas that are easily measured or quantifiable (FSB, 2020, 9.2, p. 32). As cautioned in academic commentary, the dangers of overreliance on technology derive from dehumanisation of regulatory and supervisory procedures (Packin, 2017). The concerns are particularly articulated with regard to the use of AI in finance (for example, by Buckley, Zetzsche, Arner and Tang, 2021). The lack of transparency which seems intrinsic to automated or algorithmic processes is variously referred to as a “black box” problem, or as an interpretability or explainability problem (FSB, 2020, 9.1, p. 32; Buiten, 2019).

When technologies are shorn of human oversight and accountability, regulated institutions and supervisory authorities may not be able to explain how data collection is operating. The paradox is that the breadth of data which is being processed by institutions and authorities is a by-product of the post-GFC increase in the scale of regulatory requirements. The contemporary increase in regulation is basically the spur for RegTech and SupTech (Batista and Ringe, 2021). As a vivid representation of how regulatory burdens create demand for technological services, it has been calculated that there was a 500% increase in regulatory changes in developed markets between 2008 and 2016 (ROFIEG, 2019, p. 61).

For Bamberger (2010), the layers of opacity are a consequence of reliance on forms of technology which inherently cannot be neutral. Coding and programming are shaped by a variety of legal and extra-legal factors, which is an argument that bolsters the “code is law” perspective famously advanced by Lessig (1999). Issues of transparency and oversight are relevant to technologies for both RegTech and SupTech, which endorses the view of Batista and Ringe (2021) that RegTech and SupTech must be treated “hand-in-hand”. The explainability dilemma surrounding algorithmically centred processes becomes more acute in scenarios where technologies might be contributing to creditworthiness assessments (CWAs) (EBA, 2021a, pp. 66–72). The threat of bias, discriminatory outcomes and the resulting reputational damage for institutions is even more pronounced because of the varieties of data being processed.

The fragmentation of data sources (even encompassing alternative data from social media or geolocational sources) can be a reason for the vacillation of institutions and authorities in adopting novel technologies. A prevalence of siloed data collection and storage practices could preclude the short-term likelihood of pull models of data gathering, such as common input portals, APIs or more advanced AI or ML techniques. At EU level, expert group recommendations were previously issued to the Commission in a 2019 final report, which stressed the need to resolve ad hoc and uncoordinated regulatory frameworks for RegTech and SupTech (ROFIEG, 2019, p. 62). The potential for arbitrage is elucidated through an example given of a financial conglomerate, which has subsidiaries in several jurisdictions, being unable to launch the same reporting solution across the group because of contrasting jurisdictional requirements and expectations (ROFIEG, 2019, p. 62).

Among the recommendations of the EU expert group’s final report were the standardisation of legal terminology and classification of actors, services, products and processes (Recommendation 10), and the drafting of strategies on human- and machine-readable legal and regulatory language (Recommendation 11). The desired effect would be to avoid a Tower of Babel of disparate definitions and standards.

A myriad of standards and definitions for data will simply generate “semantic inoperability” for applying technologies to compliance purposes (Butler and O’Brien, 2019). Shortcomings in data standardisation signify that any regulatory efforts could end up being as siloed and fragmented as the collected data. From a UK vantage, the fractured terminological difficulties are equally as palpable. As reported by the Bank of England, ostensibly straightforward terminology (such as “total lending amounts”) can be subject to multiple definitions by firms across sectors (Bank of England, 2021, 3.1., p. 15). As the EU and the UK share the same concerns over standardising the data sources for RegTech and SupTech, the anxieties are also clearly the same in finding the most effective regulatory response for these burgeoning technologies.

4.2 Why standards matter: the case for legal intervention

To summarise the challenges presented above, in addition to the unfamiliar nature of the underlying technologies, transparency around RegTech and SupTech is eroded by the complexity of data sources, data collection and storage in modern financial services. How can a carefully calibrated intervention succeed in providing regulatory clarity and consistency?

In principle, striving towards data standardisation appears to be the correct course of action by accounting for “attributes, terminology, structure, relationship and format” of various examples of data (Cristanto, Kienecker, Prenio and Tan, 2020, para 20). In practice, placing standards around data – through legislative provisions, if necessary – could prove to be extremely difficult. Difficulties result from the sheer range of possible data sources which can be used by regulated institutions and supervisory authorities for data collection and processing. Tagging and other means of classifying data can be thwarted in these circumstances. The failings arise not only because of the range of sources of undifferentiated data, but also because of how adept certain technologies, such as NLP, can be in ingesting huge quantities of data.

As difficult as it would be for legislation to stipulate how multiple forms of data could be standardised, this should not be taken to mean that overall legal measures for RegTech and SupTech cannot be introduced. The emphasis may not be so much on the data being collected by regulatory and supervisory technologies. Instead, the emphasis must be on the governance and conduct of those responsible for the technologies. As Bamberger (2010, p. 737) asserts, “[r]obust disclosure regarding risk-management systems must include not only technical specifications, but also information regarding the ways in which technical systems involve human beings”. The degree of human oversight for technological processes must be such that responsibility can be taken by individuals where this responsibility has been delegated.

Top-down legislative guidance is focal to the subsequent creation of consistent sectoral standards for transparency, oversight and accountability in the use of RegTech and SupTech tools. As well as the centralised databases proposed by the EBA’s 2021 RegTech report, the formal certification of RegTech and SupTech solutions would serve to instil greater transparency and accountability.

To consider how the law can promote standards of institutional behaviour, examples are given in the recent EU legislative proposals for a regulation on digital operational resilience for the financial sector (“Digital Operational Resilience Act” (DORA)) (COM(2020) 595 final) and for a regulation laying down harmonised rules on AI (“AI Act”) (COM(2021) 206 final). By proposing minimum uniform obligations and requirements (as in the manner of the DORA proposal), operational standards in the use of RegTech and SupTech applications could be captured within specific legislation. By proposing activities that are high, medium or low risk (as in the manner of the proposed AI Act), institutions and authorities could be assured of greater clarity on the purposes to which RegTech and SupTech can be put. From the path which has already been carved out by these EU legislative proposals, it would not be a radical additional step for the Commission to propose RegTech and SupTech legislation with direct effect across EU Member States.

The most favourable regulatory framework should combine legislative provisions with practical support measures, such as sandboxes, and with industry-oriented initiatives, such as codes of conduct. In devising this combination, it should be appreciated that there are merits to the EU and UK approaches over the past couple of years. As underscored by the FCA’s work and by the subsequent expansion of the digital sandbox pilot, sandboxes can be a decisive element within a jurisdiction’s regulatory framework for FinTech at large. Arner, Barberis and Buckley (2017, p. 411) reckon sandboxes to be one of “the best ways” to support future RegTech development. In reporting on the empirical findings for EU RegTech, the EBA recommends that the expertise of innovation facilitators, such as national sandboxes, be leveraged to foster collaboration and dialogue between institutions, providers and authorities (EBA, 2021a). Indeed, the potential for harmonisation is shown in provisions within the proposed AI Act (in Title V of the Regulation proposal) for sandboxes in EU Member States that should be aimed at supporting AI innovation. The activities of Member States’ sandboxes are to be coordinated by a designated European AI Board. These measures add to previous EU recommendations and proposals for more coordinated approaches across Member States when establishing sandboxes (see especially ESAs, 2018).

As indicated by the DORA and AI Act proposals in the EU, it is not enough to rely exclusively on practical supports. Legislative intervention affords the kinds of bright-line rules needed to alleviate the ambiguities related to the technologies and the ambiguities related to the organisational practices around these technologies. Outside of law, umbrella strategies (for instance, in relation to data) can also help to cohesively unite strands of different policy objectives. Partnerships – or even informal networking – between financial institutions and technology providers can also be mutually beneficial, although statistics show limited participation by financial institutions in partnerships of this nature (only 11% of the surveyed financial institutions in EBA, 2021a).

This article’s viewpoint is that an amalgamation can be achieved, based on aspects of the EU and UK approaches. As portrayed in this article, both approaches obviously have overlapping features. While the UK has evidently committed to refining practical supports at industry level, it is the EU’s progress towards overarching, but interlinked, strategies and legislative proposals that is highly instructive. It signals that there could be future legislative enactments which are specific to RegTech and SupTech, but which can be introduced in conjunction with flexible, industry-level initiatives such as sandboxes.

5. Conclusion

In addressing the question as to how regulation should respond, the article argues that there should be timely legal intervention – ideally through legislative standards for RegTech and SupTech – which can be founded on coherent accompanying policy strategies and on flexible mechanisms, including sandboxes. This article has focused on the EU and UK examples of policy developments to reveal features of the approaches taken by both jurisdictions. The framework being envisioned here is a blend of both the EU and UK approaches, but the argument is primarily influenced by the current EU impetus towards broader and complementary agendas (as encapsulated by the Digital Finance Strategy and the Commission’s respective Regulation proposals).

The article identified specific technologies which are characteristic of RegTech and SupTech (be they “push” or “pull” in their means of collecting data). Through the patterns of usage discussed in the article, it was noted that regulated institutions and supervisory authorities can have “build or buy” decisions to make when adopting particular examples of technologies. The article described limitations and obstacles to the implementation of RegTech and SupTech solutions, which extend to ambiguities pertaining to the opaque, or “black box”, nature of the technologies. The article proceeded to argue in favour of express top-down guidance on how best to devise applicable standards, which should be accompanied by discrete practical measures such as regulatory sandboxes.

In moulding a consistent regulatory regime for RegTech and SupTech, the main objective of legislative intervention should be to delineate standards, obligations and requirements for regulated institutions, supervisory authorities and RegTech and SupTech providers. The DORA proposal and the AI Act proposal show how frameworks are being formulated (subject to subsequent amendments) in an EU setting. Legislation could stipulate the certification or conformity of RegTech and SupTech applications. Requirements could be made for regular reviews of implemented systems to test for vulnerability to cyber-threats. The appointment of designated compliance officers within departments of regulated institutions and supervisory authorities should be obligatory in boosting the explainability of technology-enabled processes. As is the case for the DORA proposal, standard contractual provisions between institutions or authorities and RegTech or SupTech providers can be central to any legislation. For any jurisdiction, the allocation of liability for failures or security breaches of RegTech and SupTech systems would also be a long-overdue clarification.

By being framed within legislation, these requirements would ensure consistency. Yet, express rules and the words of policy documents ought to be matched by cognisance of the empirical realities of RegTech and SupTech use. Data is still only gradually emerging on the rates of adoption. Although this article developed its arguments on the basis of the leading empirical reports available thus far in the EU and the UK, regulators need to keep informed of changing patterns in, firstly, the types of technological solutions being used and, secondly, the uptake among regulated institutions and supervisory authorities. Regulation therefore needs to be in a position where it can respond clearly and consistently to innovations in RegTech and SupTech.

References

Arner, D., Barberis, J. and Buckley, R. (2017), “FinTech, RegTech and the reconceptualization of financial regulation”, Northwestern Journal of International Law and Business, Vol. 37 No. 3, p. 371.

Bamberger, K. (2010), “Technologies of compliance: risk and regulation in a digital age”, Texas Law Review, Vol. 88 No. 4, p. 669.

Bank of England (2019a), Future of Finance, Review on the Outlook for the UK Financial Sector: What It Means for the Bank of England.

Bank of England (2019b), “New economy, new finance, new bank. The bank of England’s response to the van Steenis review on the future of finance”.

Bank of England (2021), “Transforming data collection from the UK financial sector: a plan for 2021 and Beyond”.

Batista, P.M. and Ringe, W.-G. (2021), “Dynamism in financial market regulation: harnessing regulatory and supervisory technologies’ 4”, Stanford Journal of Blockchain Law and Policy, Vol. 1.

Beerman, K., Prenio, J. and Zamil, R. (2021), “SupTech tools for prudential supervision and their use during the pandemic”, Financial Stability Institute Insights on Policy Implementation, Bank for International Settlements, No. 37.

Buckley, R., Zetzsche, D., Arner, D. and Tang, B. (2021), “Regulating artificial intelligence in finance: putting the human in the loop”, Sydney Law Review, Vol. 43 No. 1.

Buiten, M. (2019), “Towards intelligent regulation of artificial intelligence”, European Journal of Risk Regulation, Vol. 10 No. 1, p. 41.

Butler, T. and O’Brien, L. (2019), “Understanding RegTech for digital regulatory compliance”, in Lynn, T., Mooney, J., Rosati, P. and Cummins, M. (Eds), Disrupting Finance. Fin-Tech and Strategy in the 21st Century, Palgrave Studies in Digital Business and Enabling Technologies, Palgrave Macmillan.

CCAF (2019), “The global RegTech industry benchmark report”.

Coeuré, B. (2020), “Leveraging technology to support supervision: challenges and collaborative solutions’ speech at Peterson institute for international finance”, Financial Statement Event Series.

Cristanto, J., Kienecker, K., Prenio, J. and Tan, E. (2020), “From data reporting to data-sharing: how far can Suptech and other innovations challenge the status quo of regulatory reporting?”, Financial Stability Institute Insights on Policy Implementation, Bank for International Settlements, No. 29.

di Castri, S., Hohl, S., Kulenkampff, A. and Prenio, J. (2019), “The SupTech generations”, Financial Stability Institute Insights on Policy Implementation, Bank for International Settlements, No. 19.

EBA (2021a), Analysis of RegTech in the EU Financial Sector, EBA/Rep/2021/17.

EBA (2021b), Study of the Cost of Compliance with Supervisory Reporting Requirements, EBA/Rep/2021/15.

EBA (2021c), Report on a Feasibility Study of an Integrated Reporting System under Article 430C CRR, EBA/Rep/2021/38.

EBA (2021d), “Discussion paper on machine learning for IRB models”, EBA/DP/2021/04.

ESAs (2018) ESMA, EBA EIOPA, “Report-FinTech: Regulatory sandboxes and innovation hubs”, JC, p. 74.

European Commission (2020), “A digital finance strategy for the EU”, COM(2020) 591 final.

European Commission (2021), “Strategy on supervisory data in EU financial services”, COM(2021) 798 final.

FCA-Bank of England (2018), “Digital Regulatory Reporting. Phase 2 Viability Assessment”.

FCA (2022), “Regulatory sandbox”, available at: www.fca.org.uk/firms/innovation/regulatory-sandbox (accessed 12 January 2022).

FSB (2020), “The use of supervisory and regulatory technology by authorities and regulated institutions”, Market Developments and Financial Stability Implications.

Innovate Finance (2021), Kalifa Review of UK Fintech.

Lessig, L. (1999), Code and Other Laws of Cyberspace, Basic Books, New York, NY.

Packin, N. (2017), “RegTech, compliance and technology judgment rule”, Chicago-Kent Law Review, Vol. 93 No. 1.

ROFIEG (2019), “Expert group on regulatory obstacles to financial innovation ‘30 recommendations on regulation’, Innovation and Finance”, Final Report to the European Commission.

World Bank (2021), “The next wave of SupTech innovation. SupTech solutions for market conduct supervision’ technical note”.

Corresponding author

Jonathan McCarthy can be contacted at: jonathan.mccarthy@ucc.ie

About the author

Dr. Jonathan McCarthy is a Lecturer at the Law School, University College Cork. Jonathan’s research interests relate primarily to the regulation of technological innovations in finance, financial regulation and issues of corporate and commercial law. His work on these research topics has been published in international, European and national journals. Jonathan teaches undergraduate and postgraduate law modules at UCC. He also engages in the supervision of PhD and postgraduate research. He is a graduate of UCC, having achieved his PhD degree in 2018 and previously completing his LLM and BCL degrees at UCC.
