Ever since the 2008 financial crisis, regulators around the world have been working to close the loopholes that gave rise to it. The financial services industry has, as a consequence, had to deal with a steep increase in compliance costs, and to dedicate an escalating amount of resources and bandwidth to ensure effective compliance.
Almost all these new regulatory measures are data-intensive, requiring financial institutions around the world to analyse vast amounts of data and report them to regulators in a structured manner. Liquidity reporting obligations require them to calculate their liquidity and funding ratios with frequent (sometimes daily) periodicity; financial stability regulations require disclosures of counter-party exposures and institutional structures; stress-testing and risk-assessment regulations require them to analyse risk data and qualitative information. The key to complying with these regulations is efficient and automated data aggregation and analysis. In today’s world, this is practically impossible without the deployment of technology.
Even though the financial sector has used technology for decades, most banks are saddled with legacy solutions, comprising multiple (usually incompatible) systems cobbled together over years of acquisitions and haphazardly integrated across jurisdictions. As regulators begin to demand more granular compliance information, these systems have started to buckle.
A number of start-ups are working on solving these very problems (not just in the financial sector, but more widely across the board) by applying modern cloud-based computing technologies that make compliance less complex and capacity-intensive. This is the emerging area of RegTech, a field that, while still nascent, promises to transform both the manner in which regulated sectors operate as well as the way we currently think about regulation.
Early RegTech start-ups are focused on simply improving the way in which compliance is managed by breaking down statutory obligations into easily understandable workflows and automating those aspects of reporting for which data is readily available. Most RegTech solutions today rely on being supplied with structured data. In time, the technology will improve to the point where it is capable of analyzing vast dumps of unstructured data to extract the specific output required to meet the regulatory requirements.
Processing data in a reliable, timely and efficient manner is at the core of the RegTech promise. And as these solutions start to become more widely accepted, they will deploy cognitive technologies and algorithmic analysis that will allow them to go beyond explicit reporting to address the more implicit nuances of regulation.
But even this is only a small part of the future that it offers. As we get more comfortable with algorithmic regulation, RegTech companies will mediate closer collaboration between the regulator and the regulated. This will eventually lead to the development of application programming interfaces (APIs) that programmatically stipulate the parameters required for compliance. API-driven compliance will allow regulated entities to connect their internal systems directly to the regulators’ and enable relevant compliance information on a real-time basis.
This is a significant departure from our current rules-based model that analyses historical data with little or no analytical overlay. It will eliminate the time lag between the date the evaluation period ends and that on which the regulator commences the assessment. Since the information is gathered directly from raw business data, there will be no scope for the regulator to apply discretion in interpretation or for mistakes to creep in on account of human fallibility. API-driven regulation will be data-acquisitive, leverage real-time information and incorporate algorithms and analytics for instant compliance.
It will also change the way we legislate. Regulators will need to have a clear vision of their regulatory purpose in order to build usable APIs. And if that purpose evolves—as we know it will with changing circumstances and priorities—the regulator will have to intelligently tweak the algorithm. Since the APIs connect the regulator directly to raw company data, they will no longer try to hoover up all the data they can gather. Instead, they will have to learn to fine-tune their APIs to hone in on the specific information that is necessary for their regulatory purpose.
There are a number of issues that will need to be addressed before this vision becomes a reality. We will need to mandate principles of data protection and data security, particularly as it relates to the exchange of client information. It will also take some effort to harmonize data requirements from multiple regulatory agencies and standardize definitions and key regulatory concepts to avoid having to create different solutions to provide the same data to multiple regulators.
But most importantly, we will need to change our prescriptive approach to legislation and learn, instead, to articulate our regulatory purpose in the form of principles that can be translated into self-correcting algorithms that achieve the results we currently rely on regulation to deliver.
Rahul Matthan is a partner at Trilegal. Ex Machina is a column on the intersection of technology and law.