13 Sep Fintech Vortex Series: CyberSecurity and RegTech – Best practices in compliance reporting
Companies face growing requirements in compliance reporting, especially in the financial service industry. How can regulation technology (regtech) help reduce the costs?
By Erin B. Taylor, Senior Researcher at Holland FinTech
Companies facing cybersecurity and compliance problems share a key concern: compliance reporting. Since the global financial crisis of 2008, the volume of new regulation, legislation, and directives on compliance requirements has grown substantially. An initial wave of supervisory intervention to stem malpractice in financial markets was quickly followed by legislation aimed at mitigating cybersecurity issues and protecting consumers’ privacy.
All these initiatives have generated reporting requirements, which impose temporal and monetary costs on businesses. In response, companies operating in fintech have developed regulation technology (regtech) to make the compliance reporting process swifter, cheaper, and more adaptable. At the upcoming Fintech Vortex on 26 September, these developments will be discussed in the CyberSecurity and RegTech track. Here we give a brief overview of some key issues.
Regtech for oversight and cybersecurity
Regtech refers to the use of technology to make meeting regulatory reporting requirements more efficient. Regulatory technologies automate formerly manual reporting processes, using software and infrastructure (such as cloud computing and data analytics) to collect and analyse data, and to automatically send reports to the appropriate regulators.
Compliance reporting requirements cover a wide range of areas, including risk management, transaction monitoring, identity management control, financial instruments, anti-money laundering, valuation, payments reporting, finance liquidity reporting, and risk analytics/reporting.
Applying technology to meeting regulation requirements saves time and cost for businesses, while ensuring regulators get quality information in a timely fashion. According to the Financial Times, the larger banks, including J.P. Morgan, HSBC, and Deutsche Bank, spend well over $1 billion per year each on regulatory compliance and controls. Fines also provide a strong incentive to adopt regtech solutions: Thomson Reuters estimates that between 2008 and 2015, twenty of the world’s biggest banks paid £235 billion in fines and compensation.
Regtech solutions are used by financial service providers to meet the requirements of a range of legislation. In the wake of the global financial crisis of 2008, regulatory bodies around the world crafted further legislation addressing regulatory oversight issues. In the EU, legislation is laid down both by European Union authorities, such as the European Banking Authority (EBA) and the European Central Bank (ECB), and by national bodies. Relevant EU legislation includes the Markets in Financial Instruments Directive II (MiFID II) and the European Markets Infrastructure Regulation (EMIR).
While banks are the main institutions affected by regulatory reporting requirements, all institutions offering financial services are subject to regulation. Even institutions that do not offer financial services as their core business may be subject to compliance and reporting requirements, especially in relation to cybersecurity. The Institute for International Finance reports that regtech could also be used for identification of management issues, including monitoring a financial institution’s internal culture and behaviour, and identifying new regulations that apply to the business.
In the EU, of particular relevance to cybersecurity are the Directive on Security of Network and Information Systems (the NIS Directive), the General Data Protection Regulation (GDPR), the second Payment Services Directive (PSD2), and Know Your Customer (KYC) requirements. The Cybersecurity Strategy for the European Union represents an on-going effort to tackle issues as they arise, issuing guidelines for legislation on a range of topics, including internet payments security.
The various legislation and directives emerging from EU authorities can be confusing for businesses, since they are laid down by a variety of sources, cover a wide range of issues, change frequently, and are subject to interpretation. How can regtech help?
Making use of regtech
The key to using regtech to meet compliance needs efficiently is to choose a flexible system. Standardisation and compliance are works in progress, so it is crucial that companies adopt flexible solutions. Technologies being applied to regtech include cloud computing, cryptography, biometrics, cloud security, mobile security, advanced authentication, built-in encryption, and so on.
Many regtech solutions are now provided by startups, either working alone or in collaboration. According to CB Insights, from 2012 to 2017, venture capital funding to RegTech start-ups totalled approximately USD 2.3 billion. Let’s Talk Payments provides a useful overview of some key companies providing regtech solutions in Europe.
For regtech in the Netherlands, Let’s Talk Payments lists BWise (software solutions for risk management, internal audit, and compliance), Open Risk (training and risk analysis tools to the broader financial services community), and OSIS (credit risk analysis). Also in the Netherlands are ComplianceWise and DPA Compliance & Risk (both providing compliance software).
Startup-generated solutions often meet the flexibility requirement well, since they tend to be modular rather than all-encompassing. They can be designed to solve a suite of problems, or they can be tailor-made. For example, a Finextra white paper, Building Regtech into your Fintech Strategy, describes how regtech has been used to reduce the impact of due diligence requirements on the customer onboarding process.
While technology mitigates many of the headaches associated with compliance, it can never reduce the costs and risks to absolute zero. SMEs especially face the problem of meeting the rising cost of compliance, which no amount of technological innovation can resolve. And, as attendees noted at our recent Fintech Meets the Regulators event, compliance is a matter of interpretation. Legislators and law enforcement in one jurisdiction may consider a company to have met compliance requirements, but authorities in another district may disagree. Staying abreast of current best practices will help your company to demonstrate – both to authorities and customers – that it has thoroughly considered its compliance requirements and responsibilities.
Incorporating regtech into your business can help reduce costs and risks, but it requires familiarity with both the technology and the regulatory landscape. Fortunately, there are many professionals available to help. The CyberSecurity and RegTech track at the Fintech Vortex will both showcase the latest technologies and provide an opportunity to discuss best practices with professionals in the industry.
Want to learn more about Holland FinTech and the Cyber Security and RegTech firms in our network? Join us at our FinTech Vortex event in the Hague on September 26th, 2017.