Marc Gilman
More posts from Marc Gilman
Technology has been used to manage regulatory risk since the advent of the ledger book (or the Bloomberg terminal, depending on your reference point). However, the cost-consciousness internalized by banks during the 2008 financial crisis combined with more robust methods of analyzing large datasets has spurred innovation and increased efficiency by automating tasks that previously required manual reviews and other labor-intensive efforts.
So even if RegTech wasn’t born during the financial crisis, it was probably old enough to drive a car by 2008. The intervening 11 years have seen RegTech’s scope and influence grow.
RegTech startups targeting financial services, or FinServ for short, require very different growth strategies — even compared to other enterprise software companies. From a practical perspective, everything from the security requirements influencing software architecture and development to the sales process are substantially different for FinServ RegTechs.
The most successful RegTechs are those that draw on expertise from security-minded engineers, FinServ-savvy sales staff as well as legal and compliance professionals from the industry. FinServ RegTechs have emerged in a number of areas due to the increasing directives emanating from financial regulators.
This new crop of startups performs sophisticated background checks and transaction monitoring for anti-money laundering purposes pursuant to the Bank Secrecy Act, the Office of Foreign Asset Control (OFAC) and FINRA rules; tracks supervision requirements and retention for electronic communications under FINRA, SEC, and CFTC regulations; as well as monitors information security and privacy laws from the EU, SEC, and several US state regulators such as the New York Department of Financial Services (“NYDFS”).
In this article, we’ll examine RegTech startups in these three fields to determine how solutions have been structured to meet regulatory demand as well as some of the operational and regulatory challenges they face.
Know Your Customer and Anti-Money Laundering
Know Your Customer (“KYC”) and Anti-Money Laundering (“AML”) rules require banks (both investment banks and retail banks) to perform due diligence on customers throughout the client relationship. In order to comply with these rules, banks must vet basic identity details of potential clients (“know” the customer), analyze the sources of money used to fund accounts (surface money-laundering activities), and actively monitor trading activity.
These validations are performed to check for connections to terrorist groups, identify governmental relationships, and flag inclusion on global sanctions lists.
As you might imagine, these rules began to proliferate post-9/11 when concerns about financing of suspected terrorist organizations were paramount.
Several RegTechs developed tools to facilitate data collection, validation and reporting efforts to streamline client onboarding. Given that the processes to obtain information about a client’s identity have historically been manual affairs — juggling offline spreadsheets and documents from private and public sources — using technology to reduce these disconnected practices has been productive.
Opus developed workflow functionality tailored to meet bank compliance obligations — from validation of individual and corporate identities to reporting that demonstrates the rigor of its data-collection process. The end-to-end platform condenses the KYC process into a singular workflow. Hummingbird is also focused on case management and organizing traditionally disparate diligence processes. Both platforms integrate data from existing systems and unstructured data from sources like documents and spreadsheets — dragging ancient processes into the future. Fenegro created indexes of global KYC rulesets and designed its platform to collect information and vet potential clients based on these rules engines.
Others like Pega have taken Robotic Process Automation technologies and adapted them to the KYC domain. The flexibility of a platform like Pega has enabled it to become a sort of RegTech-by-extension. Pega used its industry-specific expertise to effectively create a RegTech silo within its existing product offering. However, the success of a startup attempting to extend existing technologies into the financial services sector is dependent on its ability to understand the applicable regulatory environment, translating legal mandates into valuable tools.
Some applications support AML efforts by performing real-time monitoring of OFAC restricted lists, reviewing suspicious transaction data, and creating auditable reports. This can change the way compliance teams structure and execute their programs. Kharon and Verafin are focused on leveraging dynamic data to provide screening, risk scoring and active monitoring to comply with AML mandates.
It’s difficult to identify and curtail AML and KYC violations and money laundering more broadly with software alone. The UN Office of Drugs and Crime estimates that $800 billion to $2 trillion is laundered on an annual basis, while less than 1% is recovered by law enforcement. Although such a problem seems ripe for disruption, attempts to meaningfully solve the problem have failed. While there’s no shortage of startups and incumbents entering the space, technology has had limited impact on investigation and prosecution efforts.
Electronic Communications and Supervision
Systems that provide communication capabilities and corresponding oversight functionality are important tools for financial services firms subject to onerous capture, retention and supervision regulatory requirements. The SEC has articulated an (overly?) broad rule requiring regulated broker-dealers to capture and retain communications related to their “business as such.” From a practical perspective, this mandate has historically meant that broker-dealers were likely to save all electronic communications, regardless of whether they actually contained content the SEC would deem relevant under the “business as such” standard.
Regulatory expectations around messaging, coupled with the staid dominance of platforms like Bloomberg and Microsoft Messenger-Lync-Skype, have presented opportunities for startups.
Symphony, a RegTech that grew out of an internal project at Goldman Sachs, recently raised $165 million in funding, and has the backing of both the VC community and large financial institutions. Symphony provides a compliant messaging platform for internal and external communications with related archiving and oversight mechanisms aligned to SEC and CFTC requirements. You might call Symphony a “RegTech plus” in the sense that its core regulated messaging features have grown to include broader collaboration tools.
Symphony, a messaging app that’s been a hit with Wall Street, raises $165M at a $1.4B valuation
In addition to requirements to capture and retain content, regulated entities must also perform risk-based reviews of communications to ensure that customer complaints, trade instructions and other issues can be detected, escalated and remediated. Several legacy platforms occupy the supervision space. However, as communication expands to multipurpose tools like Zoom, RingCentral and Microsoft Teams (the so-called Unified Communications as a Service or “UCaaS” applications), the risks of using these platforms at scale without measurable supervision is rapidly increasing.
Although regulators have been wary of expanding supervisory obligations to video and audio content, a rethinking may be necessary to protect consumers and market transparency. As part of Dodd-Frank reform efforts, the CFTC mandated voice recording for employees engaged in conversations about swaps, and several other global regulators such as the UK’s Financial Conduct Authority have imposed telephone recording requirements across increasingly diverse sets of investment products through MiFID II and the Market Abuse Regulation.
However, these voice recording requirements are relatively limited at present. If an inappropriate investment recommendation or the improper disclosure of personal information like an account number of national identification number is shared verbally, through a whiteboard session, or a document transfer, should it really be treated differently than an email or instant message? Regulators have been silent on these emerging UCaaS platforms, but their growing adoption may force them to change their posture.
RegTechs focused on surfacing regulatory risks in audio and video content are emerging (full disclosure: I work for one such RegTech called Theta Lake). These RegTechs are using machine learning to supplement transcription techniques and identify regulatory and information security risks in content, whether spoken or shown. RegTechs in this space need to understand the communication and supervisory requirements of US and global regulators as well as employ creative thinking to anticipate potential reforms. A synthesis of existing and prospective regulation is necessary for developing efficient and meaningful products that will provide financial services firms with insights into the risks of these new UCaaS tools.
Information Security
Finally, given increasing regulation related to privacy and information security such as the EU’s General Data Protection Regulation (GDPR), the NYDFS’ Cybersecurity Requirements for Financial Services Companies, and California’s Consumer Protection Act (CCPA), RegTechs are helping financial institutions manage their systems and processes to align to these new rules.
RegTechs are facilitating NYDFS compliance through integrated solutions that manage both the organizational elements of the regulation such as the appointment of a Chief Information Security Officer and maintenance of compliance policies and procedures. Other platforms are offering solutions that facilitate technical compliance by providing oversight of network status, management of data leakage risks and data governance capabilities.
Digital Guardian offers an integrated dashboard that provides the ability to monitor regulated information on networks and employee machines, performing network and endpoint data loss prevention (DLP), as well as reporting on network and user activity. Other platforms such as STEALTHbits and Lepide offer similar consoles and functionalities for compliance with the CCPA and the NYDFS Cybersecurity Regulation.
Common among NYDFS Cybersecurity Reg, GDPR and the CCPA are requirements to catalog internal data sources, permit correction and deletion of customer data, and understand how data is shared with third parties. Data governance solutions like Collibra and Informatica have developed RegTech-like features that have changed the way firms approach the extensive data governance requirements of these new regulations.
Given that cybersecurity mandates around network and information security are part and parcel of burgeoning US state regulation and international law, RegTechs such as those mentioned above have extended offerings to encompass these new regimes. If global uniformity of cybersecurity laws begins to take shape, incumbent RegTechs able to adapt their platforms for global requirements and lingering jurisdictional nuances will be well poised to expand their market share.
Conclusion
The examples above only scratch the surface of the breadth of FinServ RegTechs and the problems they have been deployed to address. Looking at the ten years since the financial crisis, the sophistication and complexity of the financial services technology stack have grown dramatically, primarily to keep up with corresponding regulatory evolution.
There’s no shortage of FinServ regulatory problems that need further examination. Challenges range from those discussed above, to serving the unbanked and underbanked, and ensuring that investment recommendations are appropriate (Reg BI RegTech, anyone?). While regulators have become more proactive — many are establishing innovation groups and sandboxes for experimentation — we’re still in the infancy of the RegTech age. Or, if you can indulge a longer view, the current environment probably just looks like another point along an eternal technology development continuum.
Comment