Before organisations wring their hands over the rise of red tape, they should look at the equally rapid rise of regulatory technology. It promises to strip the tedium and costs from compliance and reduce risk across whole economies. Even ASIC is excited at the potential.
By Beverley Head
Regulatory flux has become so extreme that one in three financial services businesses devotes one day a week just to tracking regulatory change. Thomson Reuters’ 2016 Cost of Compliance survey also reveals that 69 per cent of firms expect to spend more on compliance in 2017 than ever before.
Finance is one of the most heavily regulated sectors – but all businesses face compliance issues, from meeting Australian Securities and Investments Commission (ASIC) requirements to following workplace health and safety rules.
This rise in red tape explains the equally rapid rise of regulatory technology, or regtech, which is being developed to strip costs and risk from achieving regulatory compliance.
It explains why IBM recently bought risk management and regulatory compliance firm Promontory Group to train the Watson artificial intelligence engine about regulation and risk. It’s also why regtech start-ups are sprouting in accelerator hubs such as Stone & Chalk and BlueChilli.
ASIC ran its first regtech roundtable in February this year, exploring how technology can be applied to compliance, and identifying regulatory barriers to regtech’s deployment and how they could be overcome. Says Mark Adams, ASIC senior executive leader of strategic intelligence and coordinator of the ASIC innovation hub: “We see the opportunity to engage and promote the use of regtech in risk management and compliance.”
Advanced analytics, machine learning, artificial intelligence and blockchain technology are all demonstrating significant potential for “promoting efficient and effective risk management and compliance,” he adds.
However, there’s no one-size-fits-all compliance tool. “There is a complexity of tools,” says Adams. “One tool for everything is a nirvana – but no-one needs 25 tools.
“There is lots of investment in tools, for example, to support firms with their anti-money laundering, counter-terrorism funding and rogue trader needs. Big and small suppliers are making available tools to do monitoring and real-time risk assessments.
“This is a territory with a lot of providers … companies need to apply good practice and test tools – lots of testing and pilots.”
A listed company needing to comply with the US Sarbanes-Oxley regime will have differing regtech requirements to a small healthcare provider. Some organisations need to prove their anti-money laundering/counter-terrorism financing chops, while all need to ensure staff occupational health and safety and workplace training is up to date. Meanwhile, the looming introduction of mandated data breach notification will deliver a whole new raft of compliance obligations.
Cutting compliance time and costs
Applied wisely, regtech can go beyond tick-a-box compliance and add real value and insight to a business. Regtech start-ups are also injecting competitive tension into an area that was once the province of the risk groups of the major audit firms.
Sean Webb is the CEO of regtech start-up Alex Solutions, but he previously worked with three of the four major firms in internal and external audit and compliance all over the world.
“To comply with compliance obligations requires people, process and technology,” he says.
“Regtech is there to enable corporations to effectively and efficiently comply with their obligations. We see our solutions as a way to accelerate compliance, but technology is just a tool. The outcomes will depend on how well the tool is used and embedded in processes, and how companies manage operational risk.”
Webb says one reason why regtech software is becoming more popular is that companies are struggling to manage the amount of data they collect. “It’s becoming increasingly hard to get a grip and handle compliance such as regulatory reporting and privacy.”
He believes regtech can support companies in managing data, while also having a “macro impact, which is the underlying intent of regulatory systems – to stabilise, and not open the market up to shocks.”
That’s perhaps the reason why there’s mounting enthusiasm for regtechs from corporates and regulators alike. Kevin Nixon, Deloitte’s global and Asia-Pacific lead at its Centre for Regulatory Strategy, says that just a year ago any discussion of regtech would elicit blank looks. Twelve months on and it is front of mind, as organisations explore how new technologies can be used to speed operations and entrench compliance in businesses.
“Everyone has regulatory challenges,” says Nixon, “but in financial services the growth in regulatory spend since the [global financial] crisis has been phenomenal and the business model has been impacted permanently.”
Financial services firms have had to bump up their budgets for compliance measures as firms respond to anti-money laundering and know-your-customer requirements (compliance and regulatory requirements to conform with Australia’s Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007), increased liquidity reporting and, from 2017, the new Basel III regulations impacting the international banking market.
Yet instead of manually reporting, organisations can use automated reporting solutions and harness blockchain and smart contract technologies to ensure transactions follow defined rules.
“With compliance in any financial services company, automated compliance reduces costs and increases efficiency,” says Nixon.
Who is using regtech?
In early 2017, IBM announced that it’s working with the US Food and Drug Administration to create a compliant and secure way to transfer health data. It’s also developed a blockchain-based asset custody system for the Postal Savings Bank of China that automates complex credit verification.
Closer to home, Australia’s multinational corporations with more than A$1 billion in revenues are going to have to produce country-by-country reports later this year that reveal their transfer pricing and intra-company arrangements. Wolters Kluwer’s CCH Integrator now includes a module for companies creating reports for the OECD’s Base Erosion and Price Shifting (BEPS) initiative. It automatically populates the reports from a central repository of corporate information to streamline and speed compliance.
That sort of automated data extraction is already attracting the interest of regulators. Also in the wings is machine readable regulation, which extracts data directly from corporate information systems to check compliance without the need for any human interpretation of figures.
While regtech holds great promise for bodies such as ASIC and corporates alike, Adams warns, “The risk of a tick-a-box approach in regtech would lead to complacency. This needs proper risk management and processes. Regtech solutions are the enablers, not the answer in itself.”
Data breach rules to shift
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was tabled in Australia’s federal parliament in October 2016 and, thanks to bipartisan support, is expected to come into force later this year or early next year. The legislation will require organisations to report any data breaches which could pose a risk of serious harm.
However, the first compliance challenge for many organisations will be knowing when their systems have been breached.
The 2016 IBM/Ponemon Institute Cost of a Data Breach study revealed that, on average, it took 201 days for an organisation to find out it had been attacked; for some organisations it was up to 569 days.
Australian start-up ResponSight is focused on early breach detection. Its CEO, Jeff Paine, was previously a director of PwC’s cybersecurity practice and is keenly aware of the rise of regtech. ResponSight, he says, is not strictly a regtech solution, although it provides the data insights required for compliance and meets the regulatory requirement of companies governed by Sarbanes-Oxley or the Payments Card Industry rules, which state organisations must use the most up-to-date technologies to protect themselves.
Paine says the challenge for regtech companies is to streamline compliance and make it affordable for organisations of all scales. A second issue, he says, is “regulators are slow to move, professional services can be slow to move and financial institutions are notoriously slow to move,” which means regtech start-ups could take a while to flourish.
The brave new world of regtech
Accountants already face a broad array of compliance requirements, with more promised under the second tranche of Australia’s anti-money laundering (AML) legislation. The extension of AML to the profession is viewed as more of a “when” than an “if”, and regtech start-ups such as the ones listed here are already launching solutions to streamline compliance in this and other areas.
This enterprise asset data management solution gives executives visibility and an audit trail relating to corporate data. It reveals where customer data is held and who has access to it – important for meeting privacy and audit requirements.
Led by co-founder and director Joanne Cooper, Cloud Insurance will let consumers manage their digital rights by maintaining a time-stamped central register of any permissions that consumers provide to corporations regarding the use of their data. The audit trail is available to support regulatory and compliance tasks.
This online platform lets Australia’s 3.8 million blue-collar workers save and share trade licences and induction cards instantly. CoverCard solves a common problem for workers who have to produce induction cards, forklift driving licences and the like to carry out their work.
Developed to support document collection in the loan and mortgage sector, Ezidox has broader compliance applications for organisations where documents need to be collected, says CEO Geoff Kendall. He claims it could slash 50-90 per cent of the time taken to manually collect and submit documents.
The One Check start-up has developed a mobile identity management platform that takes a selfie, photographs identifying documents such as a driver’s licence, or asks the user to read a one-off script to prove that the person is who they say they are. Founder and CEO Stephen Ryan says it has multiple applications including helping meet AML and know-your-customer (KYC) requirements. KYC protocols are important for preventing identity theft, financial fraud, money laundering and terrorist financing. This process involves identifying the customer and verifying their identity using reliable, independent information.
This start-up focuses on administration and governance software for associations and non-profit organisations. Process PA’s cloud-based software automatically takes care of meetings, agendas, minutes, motions and action items.
Adam Poole, a lead auditor in safety environmental management, is the founder and CEO of Safety Compass. This work health and safety tool provides real-time safety support to workers by using augmented reality on a smartphone or other digital device to show how to handle specific equipment or situations. The audit trail associated with using the system streamlines and speeds safety audits – important when a safety auditor can cost A$1500 a day.
This start-up tackles KYC from a different angle. Eric Frost, Simple KYC’s founder and CEO, says the cloud-based tool can quickly identify individuals, even people involved in complex trust structures, and cut the manual processes generally required to identify and validate identity by 50 per cent.
ASIC requires investors to have a Qualified Accountant’s Certificate (also called a Sophisticated and Wholesale Investor Certificate) verifying their assets and/or income and signed by their accountant before they can invest more than A$500,000 in one deal or access certain types of investments, including pre-IPO capital offers, equity placements, private equity, hedge funds and other unlisted securities. Sophisticated Access lets accountants use Cygura to electronically certify their clients in minutes, creating a digital certificate their client can easily share with financial product providers.