AustLII Home | Databases | WorldLII | Search | Feedback

University of New South Wales Law Journal Student Series

You are here:  AustLII >> Databases >> University of New South Wales Law Journal Student Series >> 2019 >> [2019] UNSWLawJlStuS 10

Database Search | Name Search | Recent Articles | Noteup | LawCite | Author Info | Download | Help

Wang, Amy --- "The Role Of Regtech In Augmenting Regulatory Compliance: Regulating Technology, Accountability And Liability" [2019] UNSWLawJlStuS 10; (2019) UNSWLJ Student Series No 19-10


THE ROLE OF REGTECH IN AUGMENTING REGULATORY COMPLIANCE: REGULATING TECHNOLOGY, ACCOUNTABILITY AND LIABILITY

AMY WANG

The financial services industry in the years following the global financial crisis has been faced with rapid regulatory change partly in response to findings of corporate misconduct and non-compliance. Compliance challenges have since become more complex and businesses struggle to meet their many local and extra-territorial regulatory obligations. Following in the steps of the financial and legal technology sectors, regulators are turning to technology as a solution to improve efficiency, reduce the risk of human errors and improve compliance standards overall. Regulation technology or ‘RegTech’ refers to this new category of technologies used to address regulatory requirements across various industries.

While RegTech in its many forms, from expert rule-based systems for compliance automation to artificial intelligence for reporting and compliance analysis, has the potential to revolutionise a regulator’s job, it comes with its own set of legal challenges. A growing reliance on technological solutions for compliance management requires new responses externally and internally within a business or institution to manage the liability risks of systematic errors and ensure the accountability of decision-making. This paper explores regulatory and corporate governance frameworks to address these challenges of adopting RegTech solutions and encourage best practices for regulators to augment regulatory processes. This will be discussed in light of the growing demand for RegTech solutions against the backdrop of financial regulatory change and uncertainty in the UK and in response to findings of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry in Australia.

I INTRODUCTION

Regulations apply across every industry and our lives are regulated by laws, policies and standards on a day to day basis. Regulatory frameworks are established with the aim of ensuring best practices, mitigating adverse side-effects and ensuring stability by enforcing legal rules.[1] Businesses, institutions and commercial markets are often subject to extensive and stringent regulatory requirements because of their potential to affect consumers and the economy on a larger scale. These regulatory obligations are enforced in various manners, often internally, involving lawyers and compliance teams implementing corporate governance practices and externally, by supervisory bodies applying regulatory oversight to industries. When legislative change and the volume of regulatory obligations begin to outpace a compliance team’s ability to cope with their obligations or there are insufficient oversight and accountability measures in place, it creates greater risks of misconduct, malpractice and non-compliance. This has been the case most noticeably within the financial services industry following the aftermath of the global financial crisis in 2008 as well as more recently, in Australia given the findings of the latest Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.[2]

Given the digital transformation that is occurring across many sectors including the financial services and legal industries, organisations are turning to new technologies to solve these challenges. Digital technologies are increasingly being relied upon for being more efficient, capable and consistent in their ability to complete mechanical tasks once completed manually by humans. Financial technology (‘FinTech’) and legal technology (‘LegalTech’) are just two examples of the convergence between disruptive technologies and industry knowledge and services. Regulatory technology or ‘RegTech’ is one of the latest sectors to enter the space of industry-specific technology in recent years and holds great potential for transforming traditional regulatory practices.

This paper first introduces the definition and scope of RegTech solutions followed by a contextual overview of the growing demand for RegTech in recent years across Australia and the UK in Part II. Part III identifies current legal challenges and risks to the mainstream adoption of RegTech solutions including a lack of regulatory guidance and standardisation for new technologies, the liability challenges caused by systematic errors and the allocation of accountability for autonomous, decision-making systems. Finally, Part IV looks at broad frameworks and principles to address these challenges at the level of regulation by public authorities and at the corporate governance level for private businesses to encourage the successful integration of new technologies as a tool to augment day-to-day business rather than replace human oversight or decision-making completely.

II INTRODUCING REGTECH

RegTech is defined by the Institute for International Finance (IIF) as “the use of new technologies to solve regulatory and compliance requirements more effectively and efficiently”.[3] However, as the RegTech market is described as still a “young” market, with many ventures existing for five years or less[4] there are varying definitions for what the term encompasses. More narrow definitions of RegTech tend to distinguish between more advanced and agile technological solutions from older, more inflexible systems.[5] This is based on the fact that the use of technology for regulation purposes is not a recent introduction, rather, regulators have been using technology since the 1980s, particularly in the US, to enforce market integrity in the securities markets and monitor cross-border electronic payment systems.[6] Most of these systems however, have now been labelled as legacy systems which have since become outdated. They are instead being replaced by a range of ‘newer’ systems developed using cloud-based computing, artificial intelligence (AI), natural language processing (NLP), big data analytics, robotics process automation, distributed ledger technology, application program interfaces (APIs) and biometrics.[7]

Moreover, because many of these new solutions are offered as software-as-a-service to businesses, by RegTech companies, the term ‘RegTech’ may also refer to this group of new firms creating and implementing such agile technologies and services.[8] While it is difficult to draw a line between ‘older’ and ‘newer’ solutions as agile solutions eventually become outdated, this paper will employ a comparative use of the term ‘RegTech’. This covers the range of technologies, including those listed above, which help to overcome regulatory challenges for businesses more efficiently and effectively than existing capabilities.[9] The focus is on improving the agility of processing, speed of reporting and monitoring, integration of technological solutions and quality of analytics using big data.[10]

Having initially emerged as a subset of FinTech, RegTech solutions have largely been implemented in the financial industry but ultimately have the potential to benefit any sector in which regulatory compliance requires significant operational resources.[11] As a result, most of the following examples will be from the financial services sector but it should be noted that RegTech is increasingly being employed in the public sector by government agencies as well as other industries including healthcare and pharmaceuticals, telecommunications, transportation, fast-moving consumer goods and energy and resources. Moreover, while RegTech also has the potential to help policy-makers and supervisory bodies who oversee and enforce industry regulations, the main use of RegTech solutions in this paper will focus on internal regulators and compliance teams within businesses and institutions.

III THE DEMAND FOR REGTECH

The demand for the application of technological innovations to compliance and reporting has grown significantly in recent years since the global financial crisis (GFC) in 2008. The GFC was one of the first factors driving the need for new RegTech solutions in the financial industry and represents a turning point for growth of the sector.[12] The economic crisis which affected millions of people, businesses and institutions around the world resulted in the adoption of a wave of new regulatory regimes domestically and internationally in an effort to strengthen the global financial system and mitigate the potential for future crisis.[13] The misconduct and poor behaviour of those implicated severely affected consumer perceptions of trust and security in the industry and so the role of the regulator became more visible and demanding.[14] This has caused the rate of international regulatory change to increase at a rapid pace in the last ten years.

For businesses, carrying out compliance and supervision obligations in response to greater regulatory complexity has become a significant challenge leading to higher costs and resource expenditure to not only meet regulatory obligations, but also to keep up with the pace of change. For both internal compliance teams and supervisory bodies, this has required greater attention to detail, precision and frequency in data reporting, aggregation and analysis.[15] Thomson Reuters estimated in 2017 that US$80 billion was being spent on regulatory compliance across the financial industry and this is set to rise by 50% to US$120 billion by 2022.[16] Moreover, in terms of the volume of regulatory regimes for financial institutions to navigate, it is estimated that by 2020 there will be 300 million pages of regulations in existence, with stricter enforcement including fines for non-compliance also rising accordingly.[17] In the UK where London is often seen as the ‘home of RegTech’[18], the recent implementation of several substantial pieces of European legislation such as the Markets in Financial Instruments Directive II (MiFID II)[19], the Payments Service Directive 2 (PSD2)[20] and the General Data Protection Regulation (GDPR)[21] in 2018 are presenting new challenges for businesses that will further drive the development of RegTech.[22]

In Australia, on the other hand, the demand for RegTech is expected to rise significantly within the next few years as a result of findings from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (‘Royal Commission into Banking’) which published its final report in February 2019.[23] The Commission identified significant damage to consumers and businesses as a result of severe misconduct by financial institutions including irresponsible lending practices, fraud, forgery, overcharging, theft, market manipulation, money laundering, procurement scams and privacy breaches over a ten-year period.[24] The commission made 76 recommendations which included warnings for financial institutions to reform their culture, governance and remuneration practices.[25] In response, many industry regulators and financial institutions have announced that they are turning to technology as a preventative solution.[26] With boards and senior executives held primarily responsible for this culture of greed and non-compliance in addition to a lack of effective oversight by regulators,[27] technology is perceived as an objective and trusted alternative.[28] Commonwealth Bank of Australia (CBA) is an example of this shift to regulatory technology after investing in a RegTech pilot project in the UK using NLP and AI technology and recently installing their head of governance and assurance onto the board of the RegTech Association. This is said to be in response to the $700 million fine paid by CBA in June 2018, the biggest fine in Australian corporate history, for breaches of anti-money laundering and counter-terrorism financing laws.[29]

The broad range of RegTech solutions therefore present a way for regulators and compliance teams to enhance current regulatory processes and meet obligations in a more productive, efficient and inexpensive manner. Current solutions on the market can be broadly broken down into five categories by the regulatory issue they target.[30] Firstly, regulatory reporting can be significantly improved through the automation of capital assessment, tracking, monitoring and reporting work using big data analytics and machine learning. These work alongside APIs, NLP technologies and cloud-based technologies for data distribution and system interoperability.[31] Secondly, risk management tools using machine learning predictive analytics allow for the forecasting and assessment of operational and regulatory risks within a company by creating self-improving and more accurate methods to evaluate risk exposure and anticipate future threats.[32] Thirdly, for identity management and compliance, the use of biometrics, NLP technologies and cryptography can improve efficiency and security for due diligence and Know Your Customer (KYC) procedures.[33] Fourthly, there is technology facilitating the cataloguing and real time tracking of current compliance requirements and alerting companies of upcoming regulations, with the future potential for ‘machine-readable’ legislation that allows new regulations to be seamlessly interpreted and incorporated into a company’s compliance system.[34] Lastly, blockchain, cryptocurrency and other distributed ledgers are facilitating transaction monitoring allowing for real-time monitoring and auditing to improve anti-money laundering and anti-fraud screening and detection.[35]

IV THE LEGAL CHALLENGES OF REGTECH

While RegTech holds the potential for many benefits in terms of increased efficiency and a reduced risk of human error, it is not without its own set of legal risks and challenges. As a relatively new sector, the disadvantages and risks currently posed by a future widespread adoption of RegTech solutions have yet to be comprehensively explored. As with any new disruptive technology that has the potential to affect many stakeholders, their development often outstrips the pace of legal reform and regulatory governance creating a lack of standardisation in their development, use and oversight. What is unique about RegTech however, is the circular nature of its role in mitigating liability risk and ensuring accountability and yet, the use and responsibility given to the regulatory technology itself inherently contains issues regarding the risk of systematic errors, liability and accountability. If RegTech is truly the solution to optimising regulatory systems and increase transparency and accountability in our institutions, then these challenges will need to be addressed.

A Regulatory Uncertainty

As the IIF describes, “the RegTech market is still in its infancy with no dominant, widely used solutions yet emerged and financial institutions often still unfamiliar with new RegTech solutions”.[36] Part of this reason is due to a lack of regulatory guidance and standardisation of products and services across the board. Current laws and regulations governing financial institutions predate many new technologies. For precedent, the introduction of FinTech created a number of regulatory gaps in financial regulations and legislators have only just begun to reactively address these issues, sometimes decades after the technology has already been in use.[37] For example, ‘robo-advice’ or digital advice technology has been used by financial managers since the early 2000’s and grew significantly in capability and popularity after the GFC.[38] In Australia, however, comprehensive regulatory guidance on robo-advice was not introduced by ASIC until 2016 despite the increasing risks associated with the lack of human involvement and lack of training and competence standards for digital advisors.[39] These situations ultimately create the risk for regulatory arbitrage and the moving of activities to unregulated environments to avoid regulatory scrutiny was an underlying factor of the GFC.[40] Experts and scholars have already pointed out areas where regulatory reform is needed to identify the kind of compliance new technologies require, such as, regulatory coordination for digital identify verification schemes on the cross-border use of eIDs and eSignatures for digital on-boarding and transactions.[41]

In general, regulators have yet to actively collaborate with financial institutions and RegTech providers on mutually agreed standards to drive the agenda forward.[42] This lack of clear regulatory endorsement around common approaches and solutions for RegTech thus dampens confidence in the sector. For financial officers and in-house compliance teams, “a big challenge is getting assurances from the regulator that these solutions are ‘safe’.”[43] Without a sort of ‘quality check’ in place, financial institutions may not have sufficient in-house expertise to critically assess the robustness of advertised RegTech solutions nor have the relevant criteria to follow to choose an optimal solution for their operating system.[44] Another issue is the rapid pace of regulatory reform in the financial industry creating uncertainty about the exact reporting requirements and policy and regulatory technical standards across jurisdictions. This makes it difficult for RegTech firms offering specific regulatory solutions to help their clients implement the new requirements when they are still lacking clarity as to how compliance with particular regulations is required. This is evident in the UK, particularly, where the uncertainty around Brexit has left RegTech firms and financial institutions unsure as to how EU regulations such as MiFID II will operate and whether there will be regulatory equivalence for financial services supervision under the same rules.[45]

B Systematic Errors and Technological Liability

A major benefit of implementing technological solutions is the belief that it reduces the risk of human error in detecting compliance breaches however, that is not to be confused with the assumption that RegTech offers a fool-proof solution. Rather, when underlying codes and platforms of a RegTech solution contain even a small error, this has the potential to create widespread erroneous outcomes that lead to liability risks on a much larger scale than that caused by an individual human error.[46] According to Colaert, “automation involves an enormous operational risk’ because RegTech only produces the desired effects so far as the system is correct; if the system is incorrect, all subsequent results will also be incorrect”.[47] For example, a RegTech solution for anti-money laundering that contains a flawed transaction monitoring program will lead to systematic non-reporting of suspicious transactions until the error is picked up.[48]

Notwithstanding programming or coding errors, with the substantial use of big data and analytical tools in RegTech the input of poor quality or incorrect data from incompatible or outdated IT systems also puts compliance systems at risk.[49] In Australia, the Centrelink ‘robo-debt’ incident in 2016 is an example of this type of systematic error where incorrect data was used, causing systemic miscalculations when an online compliance intervention (OCI) system was introduced to automatically send out debt recovery letters. By using data from the Australian Tax Office of an individual’s average earnings over their entire employment period calculated into a fortnightly rate instead of extrapolating data of actual fortnightly earnings by obtaining individual wage records, over 70,000 Australians incorrectly received debt notices[50] which had significant carry-on effects.[51]

Implementing RegTech and compliance solutions that carry this risk of systematic error, therefore results in a key question as to who is at fault or liable when such incidents of technological malfunction occur and produce a large number of victims when the technology itself has no legal personality. Is it the business or institution who implemented and used the technology, the RegTech firm that created the software, a contractor who inputs or sources the data, the customer who provides incorrect data or the compliance officer who failed to oversee and identify the error that should be responsible? The answer to this question will necessarily depend on the nature of the error itself and may be made even more complex when multiple parties are involved in the chain of causation. Taking the Centrelink Robo-debt example again, there is debate on whether full responsibility for the miscalculations remains with Centrelink for not obtaining all necessary information to accurately calculate debts or partial responsibility fell to the payment recipients to submit regular wage records.[52] For RegTech firms that are currently unregulated and unsupervised and typically in smaller start-up stages of development, the risk of facing a myriad of strict liability claims or class actions from affected clients will inevitably stifle innovation and development in the industry.[53] Therefore, many RegTech firms will be seeking waivers for liability as a condition for selling their software and the question of risk liability will therefore most likely fall onto the company or institution who has implemented the software and who must be aware of the inherent risks.

C Decision-Making Accountability

The role of regulatory oversight and in-house regulatory or legal teams often serve as one of the final lines of defence for a company to prevent non-compliance and catch misconduct before it can have public ramifications. It necessarily involves making a number of final decisions and as human intervention is increasingly seen as a liability to be replaced by technology, the issue which arises is where the locus of responsibility lies in such a regulatory environment. RegTech has the potential to innovate from merely a tool to augment decision making into autonomous programs which can make decisions independently, learn and evaluate reasons for making final decisions using machine learning and cognitive computing.[54] This is combined with the fact that the ‘automaticity’ of such systems which are fast and often, invisible, prevent human input, intuition or intervention in the performance of their designated tasks.[55] This raises new challenges for businesses and institutions which must legally account for these decisions, including ensuring mechanisms of redress and prevention should certain results turn out to be unacceptable or undesirable.[56]

Particularly in the financial services industry, which is essentially a “services sector” that demands a degree of human contact between the financial institution and their clients, there are concerns over this technological ‘dehumanisation’ effect.[57] For example, the EU’s MiFID KYC provisions[58] require bank employees to take due care towards customers, inquiring into their knowledge and experience, investment objectives and financial situation. However, this is increasingly being transformed into an automated, online process where customers fill out questionnaires that are processed and analysed automatically by a system that then pairs the customer with an appropriate investment product based on an algorithmic setting.[59] This lack of human input poses concerns for consumers seeking the assurance that the advice they receive has been personally optimised and verified to the standard of care prescribed by regulations as customer due diligence and personalised investment advice is being increasingly replaced by ‘robo-advice’ tools. Other risks include that financial institutions approach regulations as a box-ticking exercise, rather than as a means to inform their risk assessment of an individual business relationship and the potential for error in a client-facing role can lead to financial mis-selling of products and claims of negligence.[60]

V SOLUTIONS

This section aims to present some key ideas that will allow regulators, supervisory bodies and in-house compliance teams to develop strategies and guidance for best practices going forward to facilitate the adoption of RegTech solutions.

A Adaptive Regulation and Compliance by Design

As a developing market, a key concern for supervisory bodies seeking to regulate this space will be the need to balance innovation with risk. To address issues around the lack of guidance and standardisation of RegTech solutions, regulators will need to carefully consider the necessity, scope and timing of legislative reform.[61] While the specific proposal of new regulatory requirements or frameworks are beyond the scope of this paper, it is clear that this will require a transition to a regulatory model that is proactive and capable of rapid adaptation for effective prudential supervision of changing developments in technology.[62] Adaptive approaches to regulation are described as “relying more on trial and error and co-design of regulation and standards”.[63] It should also facilitate faster feedback mechanisms allowing regulators to evaluate policies against set standards and subsequently revise regulations.[64] Alongside this, legislative and regulatory regimes will need to consider mechanisms for redress for victims of RegTech-related errors and attributing liability. Proposed suggestions have included strict liability for RegTech firms and developers,[65] utilising negligence claims within tort law,[66] imposing a registration system for artificial intelligence and robotics technologies[67] and a compulsory insurance scheme.[68]

Most importantly, to restore trust and confidence amongst consumers, regulatory bodies must actively collaborate with other industry players including regulators and regulatory experts, technology and software developers, institutions and businesses, investors and existing RegTech ventures. Specialists from other unexpected fields may also play a role such as sociologists and anthropologists for creating client profiling tools and KYC questionnaires and economists for building internal risk rating systems in accordance with the Basel capital standards.[69] This requires creating a platform for engagement and dialogue for supervisors to understand technology innovation and assess whether existing rules, policies and guidance are restricting innovation and the adoption of RegTech solutions.[70] It should also be an opportunity for businesses to feel comfortable sharing information about technology and compliance challenges in a way that is not detrimental to their relationships with compliance and enforcement authorities.[71] This would further promote awareness and confidence in RegTech solutions for potential users and investors and improve general understanding of the technologies’ capabilities and benefits in addition to their risks and legal challenges.

One way that industry and regulatory cooperation is being effected is at the design and development stage of RegTech through the creation of ‘regulatory sandboxes’. As regulatory change to date has largely been reactive and supervisory bodies struggle to keep on top of innovation and technological developments,[72] a solution is for supervisory bodies to intervene at an earlier stage where they can ensure compliance and optimisation by design. A regulatory sandbox is “a ‘safe space’ in which businesses can test innovative products, services, business models and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question”.[73] Regulatory sandboxes allow regulators to collaborate with entrepreneurs more efficiently and at a lower cost to ensure that appropriate consumer protection safeguards and compliance measures are built in to new solutions.

The UK’s Financial Conduct Authority (FCA) is a leader in this space having launched the first regulatory sandbox for FinTech and RegTech in 2016[74] and announced the creation of a global sandbox called the ‘Global Financial Innovation Network’ in 2018.[75] The regulatory sandbox has since accepted 89 businesses providing a range of innovative solutions over two years for developing and testing and after its first year of operation, 90% of businesses in its first cohort were continuing toward a wider market launch.[76] More than 20 other countries have since followed the FCA’s lead in implementing regulatory sandboxes including the Australian Securities and Investments Commission (ASIC) in 2017. ASIC’s Innovation Hub, RegTech Liaison Forum and regulatory sandbox are promising examples of initiatives taken by regulatory bodies supporting innovation and taking a proactive role in development and regulation.

B Corporate Governance and Education

Ultimately, the question of responsibility and accountability that poses a risk to the implementation of RegTech solutions is one that mostly concerns businesses and institutions as the end-users of the technology. The way that RegTech will be integrated into a business’ compliance function will affect how businesses deal with their regulatory obligations, identify risks and amend deficiencies in current compliance procedures and guidelines. Depending on the extent of responsibility and autonomy a RegTech solution is imbued with, their role will potentially affect all areas of the business from low-level employees to in-house regulators and senior management. A re-evaluation of existing models of corporate governance may therefore be in order for many businesses to adapt to an increasingly technologized system and adopt appropriate internal control functions that are attuned to the particularities of RegTech compliance systems.

Traditional corporate governance frameworks and guidelines in the financial services industry are often based upon the “three lines of defence”[77] and tools such as management oversight and sign-off processes. As the Basal Committee on Banking Supervision outlined, the business is divided into three broad roles. Firstly, the business line including most employees have responsibility for managing the risk that occurs in conducting their day-to-day activities. Then an internal risk management and compliance function forms the second line of defence whose main purpose is to identify, monitor and report risk for the business as a whole and lastly, an internal or third-party audit function aims to provide assurance to the board that the overall governance framework is effective, and that policies and processes are being adhered to.[78] When cases of misconduct arise, such as those identified in the Royal Commission into Banking, they often stem from wrongdoings and non-compliance at the bottom coupled with a lack oversight and audit functions that lead to top management and the business as a whole being held responsible. Even with the introduction of RegTech in the second and third lines of defence, they would provide limited results and benefits to businesses if this same model and quality of oversight and accountability is maintained.

Therefore, when adopting RegTech solutions, businesses should consider a more integrated and centralised compliance risk assessment and reporting framework. RegTech experts recommend implementing a standardised taxonomy for compliance risk mapping and monitoring and establishing a cross-functional technology governance structure that involves an interdisciplinary group involved in the testing and implementation of RegTech tools. [79] Businesses will also need to clearly identify whether new RegTech tools are compatible with existing operational and compliance systems to limit the potential for systematic errors and ensure high quality, accurate data management.[80] For developers, RegTech systems must be able to correctly take into account a sufficiently broad range of variables and be tailored to the needs and particularities of the business which intends to use the system.[81] This would include periodic system tests and updates to ensure that the system is adequately taking account of market evolutions, regulatory developments and new insights as well as a function for ad hoc controls to make adjustments when an error or discrepancy is discovered.[82]

Most importantly, human intervention and supervision should remain a key function in the management and governance of RegTech tools with a particular focus on regular testing and audits. This may involve heightened review measures and supervision plans that include more frequent checks with users of RegTech tools and an overall ‘trust but verify’ approach to integrating technology into accountability frameworks.[83] While RegTech solutions have advanced monitoring and reporting functions, the goal of an additional human check is to detect evidently erroneous output and verify the integrity of information and input sources. Particularly in the area of automated decision-making technologies, systems should be able to generate reliable evidence to verify the system is functioning correctly by providing an audit trail and detailed records for regulators. This would subsequently allow regulators to understand how, to what extent, and why misconduct occurred, as well as who, or what part of a system, is responsible for them for the purposes of legal accountability.[84] Regulatory judgment based on experience will continue to have a central role to play as reliance on even the most advance machine learning and cognitive computing tools will lack the necessary human discretion, empathy and reasoning ability for troubleshooting. For instance, data analytics can produce signals of unusual financial and transactional activity, but human judgment is still needed to determine whether specific trends are sufficient cause for concern to warrant regulatory intervention and what that intervention may require.

This can be enhanced by investing in education and training in technological literacy for all potential users of the technology. Regulators and business professionals will often lack the technical skills to comprehensively understand a complex RegTech system’s capabilities, limits or logic and written operational instructions may not be sufficient. This would therefore present challenges, for example, if a regulator was required to audit a specific output or decision generated by an AI-algorithm that uses advanced methodology or logic. Businesses should invest in widening the skill set of employees to accommodate developments in disruptive digital technologies such as FinTech and RegTech in addition to shifting the desired skill sets for the next generation of new employees. A more technologized workplace also requires proportional IT resources and support frameworks and ensuring that the technical expertise is available in-house to work collaboratively in compliance teams is necessary for expanding the role of RegTech. It may subsequently involve a redefining of the traditional roles of employees within compliance teams who replace repetitive, manual processes with technology caretaker duties[85] and will be required to learn how to work alongside technologies to maximise them as a tool to improve productivity. In fact, rather than replace humans and steal jobs, RegTech has the most value for regulators in freeing up their time to focus on more higher-level tasks requiring lateral thinking and problem solving at a strategic and commercial level.[86]

VI CONCLUSION

While the belief that technology will do a better job than humans in accomplishing a task is often a reason behind financial institutions turning to RegTech as a solution in the wake of misconduct reports and rapid regulatory change, this will only be effective if sufficient mechanisms for managing legal responsibility, liability and accountability are in place. Ultimately, RegTech cannot be seen as a failsafe solution to replace human intelligence and judgment nor to completely prevent human errors and eliminate the possibility of corruption or misconduct across the industry. Rather, disruptive technologies will provide the most benefit to regulators as a tool to augment current processes and systems with clear compliance risk assessment and reporting frameworks in place. This should be further supplemented with cross-industry collaboration initiatives between authorities and compliance teams to achieve standardisation of technology and deployment as well as the encouraging of investment in education and technological literacy for those seeking to implement new RegTech solutions.


[1] Bronwen Morgan and Karen Yeung, An Introduction to Law and Regulation: Text and Materials (Cambridge University Press, 2007).

[2] Commonwealth of Australia, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, 2019).

[3] Kristen Silverberg et al, ‘RegTech in Financial Services: Technology Solutions for Compliance and Reporting’ (Report, Institute of International Finance, March 2016) 2 <https://www.iif.com/Publications/ID/1686/Regtech-in-Financial-Services-Solutions-for-Compliance-and-Reporting>.

[4] Ibid 23.

[5] Veerle Colaert, ‘RegTech as a Response to Regulatory Expansion in the Financial Sector' (2018) K22:1-32, 5 <https://ssrn.com/abstract=2677116>.

[6] Douglas W Arner, Jànos Barberis and Ross P Buckey, ‘FinTech, RegTech, and the Reconceptualization of Financial Regulation’ (2016) 37 Northwestern Journal of International Law & Business 371, 397; Deloitte, ‘RegTech is the New FinTech: How Agile Regulatory Technology is Helping Firms Better Understand and Manage Their Risks’ (Article, 2015) <https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/FinancialServices/IE_2016_FS_RegTech_is_the_new_FinTech.pdf>.

[7] FINRA, ‘Technology Based Innovations for Regulatory Compliance (“RegTech”) in the Securities Industry’ (Report, Financial Industry Regulatory Authority, September 2018) <http://www.finra.org/industry/technology-based-innovations-regulatory-compliance-regtech-securities-industry> .

[8] Colaert (n 5) 5.

[9] FCA, ‘Call for input on supporting the development and adopters of RegTech’ (Feedback Statement No FS16/4, Financial Conduct Authority, July 2016), 3 <https://www.fca.org.uk/publication/feedback/fs-16-04.pdf>.

[10] Deloitte, ‘RegTech is the New FinTech’ (n 6).

[11] George Nguyen, ‘REGTECH: A few Things In-house Lawyers Should Know' (2017) 28(4) The Australian Corporate Lawyer 32.

[12] Arner, Barberis and Buckey (n 6) 374; Lawrence G Baxter, ‘Adaptive Financial Regulation and RegTech: A Concept Article on Realistic Protection for Victims of Bank Failures’ (2016) 66(3) Duke Law Journal 567.

[13] FINRA (n 7) 3.

[14] Koen Vanderhoydonk, ‘Ten Years After the 2008 Financial Crisis: The Rise of regtech!’, Business Reporter (online), 1 November 2018 <https://www.business-reporter.co.uk/2018/11/01/ten-years-after-the-2018-financial-crisis-the-rise-of-regtech/#gsc.tab=0>.

[15] Arner, Barberis and Buckey (n 6) 388.

[16] Thomson Reuters, ‘How RegTech Can Transform Your Regulatory Compliance’ Thomson Reuters Legal <https://legal.thomsonreuters.com/en/insights/articles/how-RegTech-can-transform-your-regulatory-compliance>.

[17] Fraser Tennant, ‘The Future of RegTech: A Skyrocketing Industry?’, Financier Worldwide Magazine (November 2017).

[18] Ian Allison, ‘London Leads the Way in RegTech Innovation’ Newsweek (online, 14 April 2017) <https://www.newsweek.com/london-leads-regtech-innovation-583697>.

[19] Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 [2014] OJ L 173/84.

[20] Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC [2015] OJ L 337/35.

[21] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.

[22] Thomson Reuters, ‘Cost of Compliance 2018 Report: Your Biggest Challenges Revealed’ (Report, Thomson Reuters Legal, 2018) <https://legal.thomsonreuters.com/en/insights/articles/cost-of-compliance-2018-report-your-biggest-challenges-revealed>.

[23] Commonwealth of Australia (n 2).

[24] Ibid; Commonwealth of Australia, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Interim Report, 2018); James Frost, ‘Banking Royal Commission Publishes a Decade of Banking's Dirty Laundry’, Australian Financial Review (7 November 2018).

[25] Commonwealth of Australia (n 2).

[26] James Eyers, ‘Banking Royal Commission: RegTech Software a Pathway for Post-Hayne Compliance’, Australian Financial Review (1 February 2019).

[27] Commonwealth of Australia, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Interim Report, 2018).

[28] James Eyers, ‘Australia's RegTech Sector is Primed for Take-Off’, Australian Financial Review (14 August 2018).

[29] James Eyers, ‘CBA joins RegTech Group to Improve Compliance’, Australian Financial Review (23 September 2018); Matthew Doran and Michael Janda, ‘Commonwealth Bank to Pay $700m Fine for Anti-money Laundering, Terror Financing Law Breaches’, ABC News (4 June 2018).

[30] Deloitte, RegTech Universe <https://www2.deloitte.com/lu/en/pages/technology/articles/RegTech-companies-compliance.html>.

[31] Chris Lim, RegTech: Revolutionising Regulatory Compliance, EY <https://www.ey.com/au/en/industries/financial-services/ey-financial-risk-and-regulatory-compass-RegTech-revolutionising-regulatory-compliance>; Silverberg et al (n 3).

[32] Deloitte, RegTech Universe (n 30); Silverberg et al (n 3) 4.

[33] Ibid.

[34] Ibid; FINRA (n 7).

[35] Silverberg et al (n 3) 4.

[36] Ibid 5.

[37] Mike Rebeiro, ‘Risks and Rewards’, International Financial Law Review (London, 21 September 2017); Christa Feltham, ‘From FinTech to RegTech and LawTech’, Michelmores (online, 5 June 2018) <https://www.michelmores.com/news-views/news/FinTech-RegTech-and-lawtech>; Colaert (n 5) 4.

[38] Aparna Narayanan, ‘As Robo Advisors Go Viral, Where Do Traditional Money Managers Go?’ Investor’s Business Daily (online, 27 June 2016) <https://www.investors.com/etfs-and-funds/etfs/fund-industry-wakens-from-slumber-to-take-on-digital-advice-upstarts/>.

[39] Australian Securities and Investments Commission, Regulation 255 Providing Digital Financial Product Advice to Retail Clients (at 30 August 2016).

[40] Arner, Barberis and Buckey (n 6) 403.

[41] Silverberg et al (n 3) 19.

[42] Lim (n 31).

[43] Tennant (n 17).

[44] Colaert (n 5) 20.

[45] ‘The Top 5 Challenges Facing Fast-Growing RegTech’, CEO Today Magazine (online, 19 March 2018) <https://www.ceotodaymagazine.com/2018/03/the-top-5-challenges-facing-fast-growing-RegTech/>.

[46] Peter Walker, ‘RegTech Errors Could Create “Systematic Risk”’ FStech (online, 18 July 2018) <http://www.fstech.co.uk/fst/Academic_Warning_RegTech_Solution_Risk.php> .

[47] Colaert (n 5) 12.

[48] Ibid.

[49] Deloitte, ‘RegTech is the New FinTech’ (n 6).

[50] Terry Carney, ‘The New Digital Future for Welfare: Debts Without Legal Proofs or Moral Authority?’ (2018) UNSW Law Journal Forum 1, 2; Doug Dingwall, ‘Centrelink Spending More on “Robo-Debt”, Nearly One Million Letters Sent’, The Sydney Morning Herald (7 February 2019).

[51] See Shalailah Medhora, ‘Over 2000 people Died after Receiving Centrelink Robo-debt Notice, Figures Reveal’, ABC News (online, 18 February 2019) <https://www.abc.net.au/triplej/programs/hack/2030-people-have-died-after-receiving-centrelink-robodebt-notice/10821272>.

[52] Carney (n 50).

[53] Colaert (n 5) 20.

[54] Rebeiro (n 37).

[55] Deborah G Johnson and Thomas M Powers, ‘Computer Systems and Responsibility: A Normative Look at Technological Complexity’ (2005) 7(2) Ethics Information Technology 99, 105.

[56] Emerging Technology from the arXiv, ‘AI Can Be Made Legally Accountable for Its Decisions’ (2017) MIT Technology Review <https://www.technologyreview.com/s/609495/ai-can-be-made-legally-accountable-for-its-decisions/>.

[57] Colaert (n 5) 26.

[58] Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 [2014] OJ L 173/84, art 25.

[59] Sanjay Podder et al, ‘RegTech for Regulators: Re-architect the System for Better Regulation’ (Paper presented at the World Government Summit) <https://www.worldgovernmentsummit.org/api/publications/document?id=5ccf8ac4-e97c-6578-b2f8-ff0000a7ddb6>; ‘The RegTech Association Response to ASIC Report 523: ASIC’s Innovation Hub and Our Approach to Regulatory Technology’ (Submission, The RegTech Association, 3 July 2017) <https://RegTech.org.au/resources/Documents/170703_RTA%20submission%20to%20ASIC%20report%20523_Final%20(1).pdf>.

[60] Alison Lui and George William Lamb, ‘Artificial Intelligence and Augmented Intelligence Collaboration: Regaining Trust and Confidence in the Financial Sector' (2018) 27(3) Information Communications Technology Law 267, 273; Colaert (n 5) 26.

[61] Lyria Bennett Moses, ‘Recurring Dilemmas: The Law's Race to Keep up with Technological Change’ (2007) 2007(2) University of Illinois Journal of Law, Technology Policy 239.

[62] Baxter (n 12).

[63] WIlliam D Eggers and Mike Turley, ‘The Future of Regulation’ (Report, Deloitte Centre for Government Insights) <https://www2.deloitte.com/content/dam/insights/us/articles/4538_Future-of-regulation/DI_Future-of-regulation.pdf>.

[64] Ibid.

[65] Benjamin John, ‘Technology and Liability: Innovation in the Legal Profession’ Law in Society (online, 23 October 2017) <https://www.lawinsociety.org/technology-and-liability-innovation-in-the-legal-profession/>; Colaert (n 5) 20.

[66] ‘Artificial Intelligence – Seven Legal Questions’, Talking Tech (Brian Harley, 2017) <https://talkingtech.cliffordchance.com/en/emerging-technologies/artificial-intelligence/ai-7-question-podcast.html>.

[67] Committee on Legal Affairs, European Parliament, Report with Recommendations to the Commission on Civil Law Rules on Robotics (2017) 2; Rebeiro (n 37).

[68] Committee on Legal Affairs, European Parliament, Report with Recommendations to the Commission on Civil Law Rules on Robotics (2017), 49–59; Benjamin John, ‘Technology and Liability: Innovation in the Legal Profession’ Law in Society (online, 23 October 2017) <https://www.lawinsociety.org/technology-and-liability-innovation-in-the-legal-profession/>.

[69] Colaert (n 5) 14.

[70] Lim (n 31).

[71] Silverberg et al (n 3) 24.

[72] Bennett Moses (n 61) 269.

[73] FCA, ‘Regulatory Sandbox’ (Report for Her Majesty’s Treasury No 005147, Financial Conduct Authority, November 2015), 1 <https://www.fca.org.uk/publication/research/regulatory-sandbox.pdf>.

[74] FCA, ‘Regulatory Sandbox Lessons Learned Report’ (Report Financial Conduct Authority, October 2017) <https://www.fca.org.uk/publication/research-and-data/regulatory-sandbox-lessons-learned-report.pdf>.

[75] FCA, ‘Global Financial Innovation Network (GFIN)’ (Consultation Document No 005779, Financial Conduct Authority, August 2018) <https://www.fca.org.uk/publication/consultation/gfin-consultation-document.pdf>.

[76] FCA (n 74).

[77] Basel Committee on Banking Supervision, ‘Corporate Governance Principles for Banks’ (Guidelines Bank for International Settlements, July 2015) <https://www.bis.org/bcbs/publ/d328.pdf>.

[78] Basel Committee on Banking Supervision (n 77).

[79] EY, ‘Innovating with RegTech: Turning Regulatory Compliance into a Competitive Advantage' (Report <https://www.ey.com/Publication/vwLUAssets/EY-Innovating-with-RegTech/$FILE/EY-Innovating-with-RegTech.pdf>; FINRA (n 7).

[80] FINRA (n 7).

[81] Colaert, (n 5) 13.

[82] Ibid 15.

[83] Carney (n 50) 13.

[84] Deven R Desai and Joshua A Kroll, ‘Trust But Verify: A Guide to Algorithms and the Law’ (2017) 31(1) Harvard Journal of Law & Technology 1.

[85] Johnson and Powers (n 55) 106.

[86] Nguyen (n 11).


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2019/10.html