Podcast transcript: How opportunities and challenges are evolving in the RegTech space
33 min approx | 20 March 2021
Hello everyone, and welcome to EY’s Compliance and Conduct podcast on RegTech challenges and opportunities. My name is Sajedah Karim and I’m a partner in financial services Risk based in London (Ernst & Young LLP). I’m joined today by Mike Zehetmayr, who is our EY compliance and regulatory technology leader, and Andrea Lapomarda, who is an associate partner in our financial risk practice based in Milan (EY Advisory S.p.A). Andrea is also our Italy RegTech lead. We’ll be discussing the current challenges and opportunities in this space.
The reason we want to do that is because we’ve seen a huge amount of change in the RegTech agenda over the last few years with changes in relation to investment, in relation to regulatory response, in relation to market response, and today myself, Mike, and Andrea will be talking about each of those evolutionary points as well as what we expect to see going forward.
So, without further ado, I’m going to jump into question-and-answers with Mike and Andrea. To begin with, Mike, if I can ask you, given the extent of evolution we’ve seen, what’s your take on the market response, particularly in relation to investment we’ve seen and investment we’re seeing now?
Great to be here. Thanks, Saj. So, what we’ve seen is an evolution away from discrete-point solutions that are very focused on solving a particular business problem, whether that be, I need something that’s going to monitor for anti-money laundering (AML) or I’m going to add another aspect of financial crime. It might be market abuse. Historically, what we’ve seen is what I call islands of data being developed to monitor those types of compliance activities or regulatory activities.
What we’re seeing is that people are now looking at a life cycle of a product or a life cycle of a client and how that life cycle covers a number of different compliance activities or regulated activities to build up a set of understanding and an impression of, what are the areas that people need to be able to monitor or to survey and to take a view as to whether they’re compliant or they meet with the regulatory obligations within those activities or services or the products that are being delivered to the client?
Why is that happening? The reason that’s happening is that we’ve been on a journey around digitizing manual processes. Many of our listeners that listen to this podcast will have been involved in automation of processes using robots or by digitizing what were historically manual processes from a physical process into a digital process.
Examples of that we’ve seen are things like monitoring and surveillance. So historically in financial crime you’ve had people monitoring market abuse. They’ve looked at segregation of client monies. They’ve looked at AML. What we recognize now and why we’re building up integrated solutions is, you’re seeing signals within each of those which are linked and historically they haven’t been able to bring those together into an end-to-end view of what is the potential risk and how you respond to that.
Now, historically the focus has been on bringing that data together into things like workflow or bringing them into some form of case management. Now what we’re seeing is that tools are developing where they are able to take signals from a particular area. So, let’s say market abuse. They take the data out of that. They’re able to combine that within monitoring or things like anti-money laundering or segregation of client moneys and they’ll be able to identify and bring those signals together where you’ve got two potential weak signals within two areas, bring them together, and say, actually that now is a strong signal. It’s something we need to be able to look at in more detail.
That is being accelerated because of the world we’re living in at the moment now. Prior to COVID-19, this journey was happening anyway, but with the pandemic and us moving to a much more virtual world, people having to engage in activities not in their normal place of work or under the normal levels of control or potential supervision, we are now having to very quickly bring those signals together. So, if anything, the world we’re living in not only is impacting the way we live but is also impacting the way that regulatory technology and RegTech is going to be used to be able to bring that data together to be able to provide those insights.
Now, there are a number of organizations out there, EY included, who are investing significantly in developing that capability. The reason why we’re investing in that is because to be able to understand what you comply with; you need to be able to have the regulation. If you can digitize the regulation, you can then start digitizing what the obligations are and then linking that back to the controls.
Now, why is that important? The reason it’s important is, if you digitize the controls and you can say, well, that’s how that links to the regulation, then you can start embedding those within your digital engagement with your customers and within the life cycle of the products and life cycle of the relationship with the customer and you can start proactively monitoring that.
So when you pick up the phone as a salesperson to be able to contact somebody in another country to be able to engage with them within a business conversation, rather than you having to read something to say, am I permitted to be able to do that, do I need to have a chaperone, all very relevant now that in the UK we’ve just gone through Brexit, what happens is, when you pick up the phone, the system in front of you says, you’re normally registered to be able to engage in.
Your licence is in Zurich. You’re in London for whatever reason because you’re having to work out of London. For you to be able to engage in that conversation, you need to have a chaperone. So, the systems, the data are cognizant of the processes and the life cycle of the customer and where you are to be able to help you do your job better before you engage rather than historically look back at it. That’s how we’ve been doing it in the past.
Yes. Thank you, Mike. I guess the potential for this kind of solution is so wide-ranging and could be really powerful. I really like the way you described it there as bringing multiple signals together. I think that is exactly what we’re seeing as a trend. Andrea, I’d like to get your view on the same piece, please, and perhaps with a bit more of a focus on how the market is responding to all of this change.
Yes. Thanks, Saj. First of all, I think that it’s important to stress that 2020, as already said by Mike, has been a real tipping point in the market because, due to the pandemic situation, there has been a real shift maybe in the cultural way of approaching compliance by our clients and by financial institutions so that there has been a lot of increase of interest in adoption of new technologies and approaches within the market. I think that now, more than ever, compliance functions must learn how to tackle these new challenges, with regard to the new situation, the operational frameworks.
In this context we issued a specific research report together with Medici at the end of July 2020. This report, called RegTech Top 21, basically explored the evolution of the RegTech market at the global level. Just to give you an idea, we mapped more or less 250 start-ups and RegTech companies all around the globe. Just to give you some figures about the research, we estimated that the global RegTech market value by 2025 will be something above $55 billion. We identified three main hubs in the RegTech space, basically the UK, London in specific, US, Luxembourg at the EU level, but we also identify a specific increasing interest and increasing investment in the market within RegTech companies basically in the Asia-Pac spaces.
The other important thing is, as already said by Mike, there are a lot of vertical sectors where the RegTech solutions are maybe more mature like AML and counter-financing terrorism, but we also have seen that there are a number of verticals. We mapped more or less seven verticals where a lot of interest in the market is now increasing like market surveillance or the regulatory reporting or the regulatory change management spaces.
What we have also seen is, there are three main approaches that basically financial institutions adopt when approaching the RegTech solutions. The first one is the standard market solution adoptions in some way, basically trying to scout the market to find any existing solutions useful to address a specific need of the financial institution, sometimes leveraging on a market accelerator or incubator. There are a lot of these solutions in the market at the moment. Also, we have constructed our specific fintech and RegTech accelerator in partnership with Medici called Magnifico.
A second approach is to basically go to a big-four advisory technology company to find any asset developed by these companies to address specific vertical needs, also to have a specific tailored solution to respond to specific needs of our clients. Also, we as EY, as already mentioned by Mike, constructed and developed specific assets in some specific RegTech spaces.
The third way is basically to leverage directly on their technological department. Even in this case, a lot of times financial institutions need support from technological partners or functional partners to address and to find the most valuable solutions to address their needs.
Last but not least, the research showed also that those different approaches are related also to the different maturity levels of the market solutions within the different regions. The main constraints are related to different regulatory approaches and also to the possibility to leverage on specific language constraints. Just to give you an example, it’s easier obviously to approach the regulatory change management and the regulatory mapping using AI solutions within the UK or US market because basically you can leverage on standard English-language solutions, but there are several problems in the scalability of those solutions within other markets where the English language is not the primary language.
Basically, I think that this is the current state of the art, but I would like to make a question to you, Saj. In your point of view, what are the regulators doing in this space in the different countries?
Yes. Thank you, Andrea. I think before I answer that, some of the things you’ve just said there around, for example, in 2025 the size of this market will be $55 billion. That just really puts it in context. I think some of the comments you’ve made as well around some of the challenges around English not being a primary language and what that means for various solutions. We’ve seen that play out in some of the work that we’ve done with clients as well and I think it’s a really important point, so thank you for all of your comments there.
Then on the regulatory point of view, what have I seen regulators do? I think there’s a real vast range of examples we can draw on here. So, the UK as a starting point has initiated a number of tech sprints and data sprints. Now, these are examples of work where the regulator looks at industry-wide issues that directly harm customers. So, for example, we’ve had a tech sprint on money laundering and there’s one that we’re looking at now with the regulator in relation to access to money for those more vulnerable females actually. So industry-wide issues that bring together in one tech sprint or one data sprint players from across the market, so firms, RegTech providers, academics, and regulators, who all collectively look at how we might be able to solve some of these bigger issues through tech and data solutions.
Equally, we’ve seen the Global Financial Innovation Network (GFIN) be set up. So clearly this is beyond EMEIA but absolutely includes EMEIA regulators. This is a forum which brings together regulators from across the globe to work through issues which are about how you regulate developments in data and technology solutions. Everybody, I think, listening to this podcast will be familiar or will have heard of various solutions such as digital regulatory reporting, which is a solution taking the rules from the regulator and making them machine-readable so that they are easier to process when you get to the firm level.
Equally, we’ve had sandboxes pop up across the different regulators in EMEIA. These are, I guess, areas where firms who want to test RegTech solutions can do so within a regulatory environment but without all of the sanctions that might apply if they were outside of the sandbox. In the UK we’ve very recently seen the development of the digital sandbox, which, as well as what they’ve previously done, is also looking at enabling synthetic data to be manipulated across different players so various individuals can test data within the sandbox.
I think what we’ve also seen are trends where regulators are thinking about their own data because clearly they receive lots and lots of data and they’ve been looking at what RegTech they can use within their own parameters to order and organize that data, including consideration of, for example, FX (foreign exchange) of data and data use.
We’ve seen developments around crypto assets and regulation of Bitcoin and regulation of payment services and AI, and we’ve seen guidance from various types of regulator as well. So, we’ve had the Information Commissioner’s Office in the UK issue guidance around regulating AI and across Europe we of course have recently had the Digital Markets and Digital Services Acts being issued as well.
So, I think to your question, Andrea, there is a lot going on in the regulatory space and, I think more importantly, there is so much more to come. I think one of the challenges that firms will have is how they navigate all the different sets of regulation from all the different bodies who are setting regulation. I think one of the things that regulators will need to do is think through how they can quickly develop guidance which enables innovation that enables them to regulate this space effectively.
I think given all of that context that we’ve all given there on the regulatory environment, how markets are responding, and how we’ve seen this whole agenda evolve, Andrea, if I could come to you again, please, and just ask you to talk about the challenges and opportunities given everything that’s been discussed just now.
Yes. Thanks, Saj. I think there are a lot of opportunities also considering the current external situations because, as I said before, the situation is forcing financial institutions and their compliance functions to rethink their operational frameworks and their way to work and to use and leverage on the data and information that are available.
There are a lot of opportunities in automating repetitive tasks with technology to harness the human potential for high-value activities in decision-making processes. There is a lot of space in leveraging secure and efficient collaboration tools to allow operational continuity and real-time document editing with the operational teams so to have a more structured way of working.
There’s a contribute to highlight overlooked or invisible risks threatening the organization by means of advancing the analytic models. There’s an incredible opportunity of embedding compliance within operational processes, supporting banks and financial institutions in general in reducing the impact arising by respecting new or maybe updated regulations.
But even as a lot of opportunities can be caught within the market, there are still a number of challenges to be faced. First of all, the need to evolve from a full legacy IT framework to a more “open banking” approach. There’s absolutely a need to reduce the timeframe for the implementation of RegTech solutions from the proof of concept (POC) to the business-as-usual space. From an internal point of view for the banks, there’s an incredible need to reinforce the competencies on new technologies within the compliance functions, also to be able to evaluate best solutions for any specific need, because most of the time within the compliance functions there are not adequate skills not only to implement something new but also to evaluate if something new in the market is usable or not for the compliance function.
There’s also need to overcome the cultural change, embracing the new way to comply and to approach the control duties as Mike said before because at the moment there is still a resistance within the compliance functions to change their old way of working, their ancient way of working based on manual controls and manual activities.
In conclusion, we may say that for the RegTech companies the main need is maybe to consider that the “one-size-fits-all” approach maybe is not working so good in the market, also considering the language constraints as I said before, so that maybe they should be able to approach every client with a more tailored solution. Maybe this is the main challenge for the RegTech start-ups and companies.
At the same time, I think the financial institutions cannot waste any more time. They absolutely need to pass the fear to be the first mover and obviously their consequent comfort zone in that in order to become faster, not to stay in the comfort zone, to be a fast or smart follower as they have done at the moment. So, I think these are the main challenges and more is yet to come, as you said before, about the regulators.
Andrea, again, really powerful comments there. I think this point around first mover versus fast, smart follower is key and one of the trends that we’re beginning to see is organizations collaborating and the move to the use of utilities. Mike, I know you’ve been heavily involved in some of those developments and I’d love to get your view on this as well.
Yes. Even outside RegTech, the role of collaboration and the sharing of capital investment has been building up pace partly based on the cost constraints that we operate within but also the return-on-capital challenges many of our clients are facing.
Now, if you can connect that back with the digital disruption that we talked about both within our organizations but also how we engage with our clients, which has been evolving through new entrants into the market but also being accelerated from a COVID-19 perspective, there’s a recognition that particularly in this area there’s a role for utilities or collaboration to be able to drive standardization around data taxonomies, data standards, and potentially ultimately through to the investing in and building up of a standardized utility to be able to support a particular activity. That is a pace that is increasing.
In the nearly 30 years of working in this industry I’ve been involved in a number of standing up utilities or running utilities. I think one of the really important things that we as participants in the industry need to be aware of is, a utility is based on delivering a standardized service at a cost that is based on a utility service. It’s around adhering to common standards. It’s about sharing the investment and bringing something together, so you don’t have to bear the full cost together as individuals to stand it up.
But many of these ventures in the past have failed because when you get down to the nub of it about where you’re sharing what is either the legal risk or the operational risk or potentially the financial risk, you can’t get an agreement across different participants as to standardizing around what those risks are. I think that rather than focusing on just the data, and that might sound odd for a technologist to say, don’t focus on the data. Don’t focus on the technical solution. Actually, focus on what it takes to be able to get a common view of the risk that you’re trying to mitigate first and foremost. If you focus on that, the rest of it will follow. It may not be easy, but it’ll follow. So that’s one of the things that I would encourage people to think about.
There’s another aspect that I would like to encourage people to think about, which is, in the past when utilities had come to market, often you have a leading organization that is providing the drive, providing the vision to be able to bring this to life and deliver it. Often there’s a view that the technology or the solution that I’ve developed in my own organization is the basis under which that will deliver that utility in the future.
Now, often the systems or the solution that’s been developed for one organization at its very core has been designed for one solution and has not been designed to be able to… Either from a resiliency perspective, from a data-sharing perspective, from a data confidentiality perspective, it hasn’t been set up for a multi-tenanted utility which has to be designed for an operational resilience to be cognizant of that that it may be systemically important for a number of organizations. Therefore, in many cases you have to start from first principles, which sometimes can be a shock from a capital investment perspective, which is, you have to invest from scratch to be able to bring these things together. Again, it’s useful to be cognizant of that.
What we’re also seeing is that, particularly aligned to RegTech, the breadth of the regulatory compliance and the considerations that are coming in are accelerating. So, what we are starting to see is that where we have historically focused very much on financial compliance and financial regulation, that is now bleeding into other forms of compliance and regulation.
So many of you will have been both delighted but also very aware of the increasing importance of ESG (Environmental, Social and Governance) and sustainability. If you look at that world, which again, particularly for financial services, is an area which is relatively new for us in the asset and wealth management area… Ethical investments and sustainability has been something which asset management and wealth management organizations focused on, but in insurance it’s relatively new and then in banking again it’s becoming increasingly important, but if you look at the environment we have to operate in, there are 1,700 different ESG frameworks out there and 360 different accounting standards. Some of those are becoming mandatory.
Being in a position which you can then make sure that you are confident that you are complying with and meeting all the different frameworks or the different disclosure standards is a real challenge in the market today and that’s additive to just, I say just, to the financial compliance and the regulation that we already need to comply with. The world is becoming more complicated and more challenging and therefore the need to be able to digitize to be able to use regulatory technology, what we call RegTech or suptech, to be able to digitize that, to be able to embed that within the processes, within the systems, and within the controls we have and we’re developing is going to become critical going forward.
And that’s what we’re investing here within EY. So, we have invested within the regulatory compliance management platform. That is a platform which digitizes the regulations and defines what the obligations and the interpretations of those are so that we can then implement that within our client’s organization, but we can also use it for ourselves. It helps us as far as our own business to be able to make it fast and more efficient but also more auditable but also deliver the benefit to our clients much faster.
Mike, thank you very much for that. I think with some of these trends, sometimes it feels as though it will take a very long time to get there, but what I have certainly seen in RegTech over the last three or four years is, some of this stuff is just inevitable and everybody will get there. So going back to what you said earlier, the bringing together of multiple signals, the fact that the market, as Andrea was saying, is going to be 55 billion by 2025, we think, the fact that utilities are beginning to show their heads and, I guess as you’re saying, the types of things that need to be resolved to make those work are being worked through, this stuff is going to happen.
I think in conclusion for this podcast, we thought RegTech was a growth area three or four years ago and I think that we’re saying that it absolutely remains a growth area and in fact it’s only going to get bigger faster. I think some of the traditional challenges that we’ve seen over the last few years such as adoption, business cases, working through business risk context, not just looking at the data connections, continue to be issues that need to be overcome, but we’re also very rapidly beginning to see new opportunities and challenges.
I think one of the biggest ones for me and one of the most immediate is something that I hear from clients around the fact that AI and their use of AI is going to increase enormously over the next 24 or so months and with that comes the need to be able to control, monitor, and, where necessary, rewind and abort decisions that have been made.
There’s something here about ecosystem as well. So only last week we’ve begun to see Twitter and Facebook ban users from using their sites. So, the way in which we control, monitor, rewind, abort, and the ecosystem of players who may have a say in that, I think, will also be radically different in the next two to three years.
So, a lot to go for in this space, a lot to think through and work through together as an industry and with regulators, RegTech providers, and firms alike. I think I’d like to just end by saying, Andrea and Mike, thank you very much for all of your really insightful comments and we will see everybody at the next podcast.