CHAPTER SEVEN

REGULATORY TECHNOLOGY (REGTECH)

7.1 Introduction to Regulation Technology

7.1.1 Overview of Regulation Technology

Regtech is the management of regulatory processes within the financial industry through
technology. The main functions of regtech include regulatory monitoring, reporting, and
compliance.

Regtech, or RegTech, consists of a group of companies that use cloud

computing technology through software-as-a-service (SaaS) to help businesses comply with
regulations efficiently and less expensively. Regtech is also known as regulatory technology
(Frankfield & Estevez, 2020).

7.1.2 Drivers of Regulation Technology

Regtech is a community of tech companies that solve challenges arising from a technology-
driven economy through automation. The rise in digital products has increased data
breaches, cyber hacks, money laundering, and other fraudulent activities.

With the use of big data and machine-learning technology, regtech reduces the risk to a
company’s compliance department by offering data on money laundering activities
conducted online—activities that a traditional compliance team may not be privy to due to
the increase of underground marketplaces online.

157
Regtech tools seek to monitor transactions that take place online in real-time to identify
issues or irregularities in the digital payment sphere. Any outlier is relayed to the financial
institution to analyze and determine if fraudulent activity is taking place. Institutions that
identify potential threats to financial security early on can minimize the risks and costs
associated with lost funds and data breaches.

Regtech companies collaborate with financial institutions and regulatory bodies, using cloud
computing and big data to share information. Cloud computing is a low-cost technology
wherein users can share data quickly and securely with other entities.

A bank that receives huge amounts of data may find it too complex, expensive, and time-
consuming to comb through. A regtech firm can combine complex information from a bank
with data from previous regulatory failures to predict potential risk areas that the bank
should focus on. By creating the analytics tools needed for these banks to successfully
comply with the regulatory body, the regtech firm saves the bank time and money. The bank
also has an effective tool to comply with rules set out by financial authorities (Frankfield &
Estevez, 2020)

158
Source: Deloitte Regtech Universe (2018) – From Business needs to Regtech Features

7.1.3 Regulation Technology Stakeholders

● Regulators

● Banks and other financial services providers (MFBs, Finance Houses, Fintech firms,

etc.)
● Regtech Service Providers

159
7.2 Regulation Technology Enablers
Regtech operates in various spheres of the financial and regulatory space. Several projects
that regtech automates include employee surveillance, compliance data management, fraud
prevention, and audit trail capabilities.

A Regtech business cannot just collaborate with any financial institution or regulatory
authority as it may have different goals and strategies that differ from the other parties. For
example, a regtech that seeks to identify credit card fraud in the digital payments ecosystem
may not develop a relationship with an investment firm concerned with its employees’
activities online or the Securities and Exchange Commission (SEC) whose current issue
may be an increase in insider trading activities.

Some example of notable regtech companies and the tools they have created include:

● Identity Mind Global: Provides anti-fraud and risk management services for digital

transactions by tracking payment entities.

● Trunomi: Securely manages the consent to use customer personal data.

● Suade: Helps banks submit required regulatory reports without disruption to their

architecture.
● Silverfinch: Connects asset managers and insurers through a fund data utility to

meet Solvency II requirements.

● PassFort: Automates the collection and storage of customer due diligence data.

● Fund Recs: Oversees how data is managed and processed by the fund industry.

7.2.1 Cloud Computing (IaaS, PaaS, SaaS)

Cloud computing is the on-demand availability of computer system resources, especially

data storage (cloud storage) and computing power, without direct active management by
160
the user. The term is generally used to describe data centers available to many users over
the Internet (Wikipedia).

▪ Infrastructure-as-a-Service (IaaS)- This is the most common service model of cloud

computing as it offers the fundamental infrastructure of virtual servers, network,
operating systems and data storage drives. It allows for the flexibility, reliability and
scalability that many businesses seek with the cloud and removes the need for hardware
in the office. This makes it ideal for small and medium sized organizations looking for a
cost-effective IT solution to support business growth. IaaS is a fully outsourced pay-for-
use service and is available as a public, private or hybrid infrastructure.

▪ Platform-as-a-Service (PaaS) - This is where cloud computing providers deploy the

infrastructure and software framework, but businesses can develop and run their own
applications. Web applications can be created quickly and easily via PaaS, and the
service is flexible and robust enough to support them. PaaS solutions are scalable and
ideal for business environments where multiple developers are working on a single
project. It is also handy for situations where an existing data source (such as CRM tool)
needs to be leveraged.
▪ Software-as-a-Service(SaaS)- This cloud computing solution involves the deployment of
software over the internet to various businesses who pay via subscription or a pay-per-
use model. It is a valuable tool for CRM and for applications that need a lot of web or
mobile access – such as mobile sales management software. SaaS is managed from a
central location so businesses do not have to worry about maintaining it themselves and
is ideal for short-term projects. (Leading Edge, 2020).

161
Based on deployment Cloud Computing can be deployed in three main environment which,
are also known as cloud deployment models. Businesses can choose to run applications on
public, private or hybrid clouds – depending on their specific requirements environment.

▪ Public Cloud - A public cloud environment is owned by an outsourced cloud provider

and is accessible to many businesses through the internet on a pay-per-use model. This
deployment model provides services and infrastructure to businesses who want to save
money on IT operational costs, but it is the cloud provider who is responsible for the
creation and maintenance of the resources.

Public clouds are ideal for small and medium sized businesses with a tight budget
requiring a quick and easy platform in which to deploy IT resources. Advantages of
Public Cloud include: Easy scalability, No geographical restrictions, Cost effective,
Highly reliable and Easy to manage. The major disadvantage is that it is not considered
the safest option for sensitive data

▪ Private Cloud - This cloud deployment model is a bespoke infrastructure owned by a

single business. It offers a more controlled environment in which access to IT resources
is more centralized within the business. This model can be externally hosted or can be
managed in-house. Although private cloud hosting can be expensive, for larger
businesses it can offer a higher level of security and more autonomy to customize the
storage, networking and compute components to suit their IT requirements. Advantage
include: Improved level of security, Greater control over the server and Customizable.
The disadvantages are Harder to access data from remote locations and Requires IT
expertise.

▪ Hybrid Cloud - For businesses seeking the benefits of both private and public cloud
deployment models, a hybrid cloud environment is a good option. By combining the two

162
 models, a hybrid cloud model provides a more tailored IT solution that meets specific
business requirements. Advantages include Highly flexible and scalable, Cost effective
and Enhanced security. The disadvantage is Communication in network level may be
conflicted as it is used in both private and public clouds (Leading Edge, 2020).

7.2.2 Artificial Intelligence

Artificial intelligence is useful in Regtech and the following areas have been identified:

- Stress Testing for Financial Forecast Models

- Automation for Tracking and Monitoring of Regulatory Changes
- Machine Learning for Enterprise Email Filtering

7.2.3 Blockchain and Distributed Ledger Technology

Blockchain is one of the technologies that is used to drive the RegTech revolution. Benefits
include increased transparency due to a distributed ledger, faster and more cost effective
through automation, enhanced security through cryptography, and improved record-keeping
– RegTech companies apply it to several use cases (Planet Compliance, 2020).

Use cases for DTL and Regtech include

- Anti-Money Laundering, Client Onboarding and Fraud Prevention

- Monitoring
- Record Keeping
- Regulatory Fund Management

163
 7.2.4 Other technologies

Other technologies used in Regtech include:

- Artificial Intelligence
- Machine Learning
- Big Data & Analytics
- Process Automation
- Cloud Computing
- Internet of Things (IoT)
- Smart Contracts
- Visualization Solutions
- Application Programing Interface

7.3 Compliance Challenges in Regulation Technology

• Risk Management

RegTech, and a related concept called supervisory technology (SupTech), are becoming
more commonplace as financial institutions and their regulators embark on digital
transformations for compliance and operational risk management. More targeted
than FinTech, RegTech are technologies, tools, and systems deployed to meet regulatory
obligations. Similarly, SupTech is the use of innovative technology by government
supervisory agencies to support digitizing reporting and regulatory processes.

The convergence of RegTech, SupTech, and responsible innovation is motivating some

financial institutions to work on a Digitized Risk Management (DRM) strategy that creates a
164
roadmap to a more technology enabled compliance function. A well-defined DRM program
can help financial institutions build a platform comprised of data and interdependent
technology systems and tools that support the people, business processes, modeling
techniques, and governance routines of the compliance function (Deloitte 2020).

• Stress Testing
Stress testing is a computer simulation technique used to test the resilience of institutions
and investment portfolios against possible future financial situations. Such testing is
customarily used by the financial industry to help gauge investment risk and the adequacy
of assets, as well as to help evaluate internal processes and controls. In recent years,
regulators have also required financial institutions to carry out stress tests to ensure their
capital holdings and other assets are adequate (Kenton & Scott, 2020).

Stress testing was first introduced as a reaction to the last financial crisis. The European
Banking Authority (EBA) Regulation (EU) No 1093/2010 empowered the EBA to prepare a
framework for EU-wide stress tests in the banking sector, which are expected to be carried
out every two years, the next in 2020.

Stress testing denotes a simulation of times of financial insecurity or instability. The

resilience of finance market participants is tested by implementing scenarios specified in
regularly updated guidelines (for example, a substantial credit default). The institution’s
reaction to the specific scenarios (e.g. covering losses with highly liquid assets) is measured
and reported.

165
The stress-test results are used to identify and close potential security gaps in the financial
system to prevent another transnational economic crisis. In addition, risk assessment
requirements have risen for all banks – for example, through the Minimum Requirements for
Risk Management and the Supervisory Review and Evaluation Process (SREP) - and stress
testing is now expected to form an integral part of internal risk management for all banks -
even for those that do not participate in the EBA stress-testing exercise (Bearing Point,
2020).

In summary:

● Stress testing is a computer-simulated technique to analyze how banks and

investment portfolios fare in drastic economic scenarios.

● Stress testing helps gauge investment risk and the adequacy of assets, as well as to

help evaluate internal processes and controls.

● Regulations require banks to carry out various stress-test scenarios and report on

their internal procedures for managing capital and risk.

• Regulatory Reporting
Regulatory reporting is simply the submission of raw or summary data required by
regulators to evaluate a bank's operations and its overall health which thus determines the
degree of compliance with required regulatory provisions. The salience of this issue
increased dramatically after the 2008 financial crisis as both the volume and complexity of
regulation increased to prevent a repeat of the subprime mortgage meltdown. In response
to the ever-evolving regulatory landscape, many financial institutions have implemented
automated processes to generate required reports more efficiently (Regpac, 2019).

166
Regulatory reporting is crucial in reducing the smoke and mirrors between the regulator and
the regulated. The data gathered ensures the regulator understand banks, inter alia, liquidity
management, asset liability management, foreign exchange exposure and risk management
to give an overall impression of its financial health. Once the data is gathered and analyzed,
if the regulator recognizes an 'unhealthy bank' - one that is overly exposed to risk - then
mitigating measures can be implemented before disaster potentially strikes.

Regulatory reporting has a lot of challenges especially the complexity of the reports,
meeting Basel specifications and various regulators and templates. The challenges with
regulatory reporting include:

- Multiple sources of information: there is no single source of information that

banks can utilize to form the necessary reports. Banks must aggregate data from
across the group and across jurisdictions which increases complexity.

- Inaccuracy of data: due to the multiple sources of information used to gather

information including financial statements, risk reports and submissions for
capital adequacy, financial institutions need reconciliatory systems to cross-
check and verify data.

- Multiple report formats: different jurisdictions often require different formats of

report and within these different jurisdictions, different report formats are required
for different reporting aspects. The flexibility thus required by banks is frequently
beyond the organizational systems inherent to the bank itself.

- Talent shortage: banks now require capabilities that are diverse and typically
beyond the traditional role of financial service employees. The complexity of the
167
 reporting process is now beyond the ability of human cognizance which now
requires machines to do much of the 'heavy-lifting' thus now requiring data
scientists and software engineers.

• Client on-boarding and Know Your Customer (KYC): Identification of client and
legal persons
As fraud increasingly becomes digital and global, the regulatory environment is increasingly
stringent for ID verification, along with being costly and weighty. Leveraging RegTech
solutions such as Digital ID verification can meet these requirements in a simpler and more
cost-effective manner (Holland, 2016).

Everything related to Know Your Customer (KYC), Anti-Money Laundering (AML), etc. is
called Regtech. And so is digital onboarding. New developments in AI helped digital
onboarding to mature, resulting in a better end-to-end onboarding process, trusted by
supervisors. What this shows is that digital onboarding is no longer just a marketing and
sales feature, but also a compliance feature.

This ‘end-to-end onboarding trusted by a supervisor’ means that a lot more attention is
given to providing a superior and compliant way to onboard your customers. Perhaps banks
should start considering a layered KYC process, with different levels of sophistication
depending on the product the consumer is willing to buy.

KYC is no longer a unique well-identified process, but a layered mechanism which asks
customers for additional information when it is required to intensify the customer relationship
(Coeckelbergs, 2020).

168
 • AML and CFT: Payment transactions’ monitoring, tracing and auditing
Money laundering and the financing of terrorism are financial crimes with economic effects.
AML/CFT controls, when effectively implemented, mitigate the adverse effects of criminal
economic activity and promote integrity and stability in financial markets (IMF).

Regtech solutions hold promise to improve the ability, speed and efficiency of FIs in
analyzing and sharing data for the purpose of detecting and reporting financial crime and
complying with associated regulations. More specifically, new technologies can allow for:

- More effective detection of suspicious transactions and activities through

increasingly accurate detection systems and technologies for faster, more
secure and more efficient data sharing.
- Reduced human error due to automation of part of the process.
- Increased security of interactions between FIs and their clients, thus reducing
vulnerability to fraud.
- More efficiency at FIs as costs of compliance are brought down.

Ultimately, it is important to note that benefits of implementation of these technologies are

system-wide, and certainly not limited to FIs: Authorities largely rely on FIs to gain
intelligence on money laundering and illicit financial activities. Adoption of regtech can also
benefit financial inclusion as it lowers barriers to access to the financial system and
mitigates incentives for financial institutions to derisk by allowing for better risk management
(IIF, 2017).

169
 • Conduct monitoring (bribery/corruption risk, market surveillance, customer
protection)

RegTech solutions improve transaction monitoring by offering (Katernal, 2020):

- Intelligent email protection.

- Transaction-based regulatory reporting.
- Market surveillance solutions based on contextual data analytics to prevent
risks of market abuse, fraud, and operational shortcomings.
- Risk management tools to track entities involved in every transaction.
- Innovative financial products based on cryptographic technologies,
cryptocurrencies, and the blockchain.

• New regulation identification and related impact analysis

New regulations emerge from regulators, it is therefore important to communicate regularly
with various regulators to know when new regulations are released and their impact on the
fintech ecosystem. Appendices 1 & 2 have the Fintech related policies and licenses by the
Central Bank of Nigeria.

• Data protection compliance and other applications

Data Protection Compliance is the need to comply with legal requirements regarding data
processes. The Data Protection Directive was adopted in 1995 and applies to all EU

170
Member States. Countries had the scope to introduce the requirements into their own laws,
which led to some differences between countries (GDPR Associates, 2019).

The General Data Protection Regulation (GDPR) is a regulation in EU law on data

protection and privacy in the European Union (EU) and the European Economic
Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR's primary aim is to give control to individuals over their personal data and to
simplify the regulatory environment for international business by unifying the regulation
within the EU (Wikipedia, 2020),

Prior to the GDPR, the EU followed the requirements of the Data Protection Directive
95/46/EC that protects individuals regarding the processing of personal data and its free
movement. The Data Protection Act 1998 was enacted to bring the Directive requirements
into British law. The Act concerns personal data, which is any data that can be used to
identify a living individual. The legal requirements include the need for personal data to be
processed fairly and lawfully, to be accurate and up-to-date, to have measures in place
against accidental loss or destruction and for personal data only to be transferred to
countries with adequate levels of data protection in place (GDPR, 2019).

In January 2019, the Nigeria Data Protection Regulations ("NDPR") was issued by the
National Information Technology Development Agency ("NITDA"). This document was later
revised and made public for stakeholder input and discussion in September 2020. NITDA's
duty is to ensure that organizations comply with the provisions of the NDPR and protect the
personal data of people.

171
The NDPR provides that organizations that process two thousand or more personal data of
persons are required to give report to NITDA on or before the 15th March annually.
However, due to the COVID-19 pandemic, NITDA has made a declaration extending the
audit deadline of organizations for the year 2020 from March 15, 2020 to May 15, 2020
(Bola-Balogun & Adeleke, 2020).

7.4 Practice Questions

1. What are the three main functions of RegTech?

Ans: Regulatory monitoring, reporting, and compliance.

2. What consists of a group of companies that use cloud computing technology through
software-as-a-service (SaaS) to help businesses comply with regulations efficiently and
less expensively.
Ans: RegTech

3. RegTech firms save time and money for financial institutions by doing which of the
following?
Ans: The creation of analytics tools for compliance with regulatory bodies.

4. Blockchain technology has driven the RegTech revolution through which of these
benefits?
Ans: Increased transparency due to a distributed ledger & enhanced security through
cryptography.

172