Patrick Armstrong, Senior Expert of the European Market and Securities Authorities (ESMA), described the latest feedback in the field of RegTech and SupTech at Paris Dauphine University, Paris, 27 November.
Background
A number of supply-based developments and demand-based needs are combining to potentially transform the way financial institutions comply with regulation and supervisory authorities oversee market participants.
The use of technology for compliance and supervisory monitoring predates the financial crisis of 2007. However, a new regulatory landscape in response to the crisis has been a catalyst for greater use of technology. The use of new technology in this context evolves on a continuous basis and may soon lead to radical changes in compliance and supervision work. Foremost among the technological drivers are the widespread use of cloud computing, the increased acceptance of Application Programming Interfaces (APIs) and advances in the fields of Artificial Intelligence and Machine Learning (AI/ML). Cloud computing allows for the use of an online network of hosting processors, increasing the scale and flexibility of computing capacity.
APIs comprise rules and an interface for communication and interaction between different software programmes. AI is the theory and development of computer systems able to perform tasks that traditionally require human intelligence. ML, a form of AI, is a method of designing a sequence of actions to solve a problem that optimise automatically through experience and with limited or no human intervention.
Drivers
RegTech and SupTech are developing in response to various demand and supply drivers. Demand is linked to regulatory changes and the need of market participants and supervisors to process large amounts of data. Supply factors primarily focus on advances in technology.
The regulatory requirements placed on market participants have increased greatly over the past ten years. While many of these regulations came in response to the known market failures that led to and exacerbated the crisis, others reflect the increasingly complex nature of global financial services. Failure to comply with the regulations has significant consequences, which has in turn led to large spending increases on compliance and risk management programs by firms. Examples include increased reporting and compliance obligations implemented pursuant to the Dodd-Frank Act in the US and within the EU the Markets in Financial Instruments Directive (MiFID II).
Demand drivers
- There is a continued push for efficiencies and cost savings, particularly for back-end and legacy systems as well as for labour-intensive processes.
- As the financial services sector becomes increasingly digitalized and data-driven, the advantages of technology-driven compliance monitoring compared to less automated alternatives have become more and more evident. The increased volume of information needed to monitor and evaluate regulatory compliance provides challenges for enterprise data governance, but also opportunities to use the information for better risk management. Examples include developments in stress testing and enhanced risk monitoring.
- Government-driven mandates in some countries have led firms to implement technologies such as APIs and more effective authentication methods. An example is the Payment Services Directive 2 (‘PSD2’) in the EU.
- ESMA believes the move towards a more data-driven and pro-active approach will enhance monitoring of the financial sector and help ensure better outcomes for market participants and consumers. As we move to this more intense data driven supervisory process, supervisors and regulators need to adapt. Failure to do so risks the undermining of the many years of work involved in implementing the regulation.
Supply drivers
- Recent years have seen a sharp drop in the costs of computing power and storage. This enormous increase in capacity is acting as an important catalyst for AI/ML tools, which are extremely data-intensive. Many of these tools are at the heart of the RegTech/SupTech renaissance and could not be deployed in a non-digital infrastructure. For example, cloud computing provides remote access to servers on which large amounts of data can be stored.
- Improved digitalised data architecture that minimizes interoperability, reduces redundancy and allows for improved communication among data centres.
- Advances in AI and Big Data offer new capabilities. For example, pattern-recognition using machine learning algorithms has wide applications, including in monitoring markets for potential misconduct.
RegTech applications by market participants
Regulatory pressure and budget limitations are pushing the market towards an increased use of automated software to replace human decision-making activities. AI/ML tools are often used to implement such automation, with the calibration of the tools based on the recognition of patterns and relationships in large amounts of structured or unstructured data (Big Data). This section examines the most relevant RegTech technologies used in such contexts.
AI and machine learning
AI/ML techniques can be used to find patterns in large amounts of data from increasingly diverse and innovative sources. AI is a broad field, of which ML is considered a sub-category. Financial firms are exploiting such technologies in the following contexts: (1) customer-focused (or ‘front-office’) uses such as credit scoring, insurance, and client-facing chatbots; (2) operations-focused (or ‘back-office’) uses, including capital optimisation, model risk management and market impact analysis; (3) trading and portfolio management in financial markets.
Big Data
‘Big Data’ is used broadly to describe the storage and analysis of large and/or complicated data sets using a variety of data elaboration techniques. AI/ML tools are generally used in a Big Data environment, allowing the implementation of new data management platforms that can capture, store and analyse enormous volumes of structured and unstructured data. Financial firms can feed the new converged data platforms with a variety of data sources:
- Internal sources: customer data are a primary form of proprietary internal data, along with data on all internal operations (assets, liquidity, loans, payments, etc.). Whether from internal or external sources, personal data are subject to strong privacy safeguards under EU legislation. Many datasets are unstructured, making them difficult to work with using traditional infrastructure.
- External sources: a myriad of third-party specialized data providers offer data related to specific contexts, typically via open real-time software interfaces and with standardised query methods.
This large amount and variety of data can be exploited by financial firms with Big Data technologies to improve business, assure regulatory compliance and analyse trends. Some common RegTech applications by banks and financial services firms are:
- Fraud detection: banks and financial firms use analytics to recognise fraudulent transactions.
- Reporting: regulations require financial firms to report specific business data to authorities.
- Risk management: regulatory schemes require firms to manage a variety of risks in a proper way (e.g.: liquidity risk, operational risk).
SupTech applications by regulators
Regulators are increasingly harnessing the benefits of technology. For example, compliance reporting has frequently not been as efficient as desired. Financial institutions often need to submit information in response to ad hoc requests from regulators. The non-machine-readable data submitted by financial institutions makes the application of data analytics by regulators difficult and time-consuming. In turn, some regulators have been investigating how FinTech can be used to make supervision more effective, improve surveillance and reduce the compliance requirements imposed on financial institutions.
Potential applications of AI/ML
An area of interest for regulators is the application of AI/ML. Authorities such as the ECB and the US Federal Reserve are using Natural Language Processing, a form of AI, to help them identify financial stability risks.
Another potential application of AI/ML is to detect trade syndicates in the securities market. Collusive behaviour and price manipulation can be especially hard to detect using traditional methods. Rule-based systems, such as transaction monitoring systems, have very high false positive rates, bringing extra costly work to both exchanges and regulators.
Another challenge which AI/ML tools may help tackle is complicated network analysis, especially when the network is large and changes over time. Finally, a challenge for the application of AI/ML arises when a potential misconduct case is detected. At present, external human experts are required to verify that such cases warrant further investigation.
As experts are costly to employ and very limited in number, regulators would benefit from any potential extension of AI/ML technologies to this context. Recent attempts to use machine learning to detect potential cases of market abuse show some promise. Some regulators, such as the UK FCA, have been exploring how best to analyse large data sets to study suspicious trading behaviour. In this context, AI/ML tools may help identify cases of collusion to manipulate share prices or circular trading to create a false impression of market interest. Such tools can be tested with market data to generate better detection results in the following three respects:
- Compared to the high false positive detection rate from traditional rule-based surveillance systems, machine learning based surveillance systems have, through mathematical optimisation techniques, been able to reduce false positive rates.
- Some regulators are employing technological tools to reduce the need for humans to manually conduct complicated network analysis. This approach involves analysing years of raw order book data with modern network analysis techniques. The benefit of this system is not only in processing big volumes of data, but also in detecting complicated network relationships across long time periods and often involving substantial numbers of participants.
- Machine learning approaches, especially semi-supervised machine learning algorithms, can handle certain cases for which human experts’ judgement has traditionally been required. In particular, NLP technology could be used to automatically analyse historical case documents and extract meaningful information on which machine learning algorithms can operate.
Preliminary work by authorities using Big Data processing systems has made clear that many years of transaction data and even order book data can be analysed. However, further improvement and refinement of these ML based systems is needed, due to the limited availability of training cases. Other challenges include how to make machine learning detect unknown misconduct and how to interpret the results from the machine learning algorithms.
Regulatory dialectic
To students of financial innovation, the emergence of RegTech seems a predictable response to the post-crisis regulatory agenda. It is a clear example of the “regulatory dialectic”, whereby regulatory action on the part of public authorities is met by a private sector response designed to ameliorate the impact of the regulation; off-balance-sheet financing vehicles such as SPVs and CDOs are examples that contributed to the recent financial crisis. In some cases, this response may aim to side-step regulations, which may prompt the authorities to tighten the regime further. In other cases, market participants respond to manage their regulatory requirements more efficiently. RegTech fits into the latter scenario, designed to help firms adapt to regulation in an effective, cost-efficient manner.
Risks and challenges for regulators and market participants
Improving data collection and management
A critical step in transforming financial supervision is improving data collection. Currently, the prevalent approach to data collection by regulatory authorities is periodically collecting data in the shape of standard reporting templates. Much current focus is on creating reporting templates rather than the primary data constructing the desired reports. Regulatory reporting can be challenging for financial institutions and is often resource-intensive.
Increasingly, regulatory authorities are exploring opportunities to automate the regulatory processes and create reporting utilities. These are centralised structures that act not only as a common database of reported granular data but also as a repository of the interpretation of reporting rules in a format that is readable by computers. RegTech is therefore offering an alternative and a move away from templates and manual procedures. In the move to a data-driven supervisory or compliance process, cleanliness and accessibility of the underlying data is paramount. The use and accuracy of such tools as AI/ML relies upon the strength of the underlying data. This means that prior to the use of data, regulators and supervisors must have in place the appropriate procedures and systems to ensure that the data they receive is of good quality. One possible solution to achieve this is to develop machine-readable regulations, in particular in the field of regulatory reporting. Indeed, the use of IT solutions can help regulators to standardise and codify the information they receive from market participants, making it easier to manage and use the data.
Digital transition
In the wake of the financial crisis, much of the global regulation implemented is highly dependent on technology. Failure on the part of market participants to adapt to the newer digitalized infrastructure presents business risk that may separate winners from losers in the coming years. As well, failure to adapt to a more automated regulatory compliance process may leave participants with platforms ill-suited for the current regulatory framework.
For their part, many in the regulatory community are moving increasingly to a data-driven supervisory process. To process such data, regulators need to invest in the technological tools and human skills that will allow them to effectively analyse the results. In turn, regulators must migrate to a digital-based supervisory process; only then can they cope with the volume of data they will soon receive.
Operational risks
As both regulators and market participants move to a digitalized architecture, risks related to cyber resiliency must become a core part of their supervisory and compliance strategies respectively. Indeed, as market participants and regulators become increasingly interconnected through regulatory reporting, security risks increase. In addition, reliance on APIs, cloud computing and other new technologies facilitating increased interconnectivity could potentially make the system more vulnerable to cyber-threats and expose large volumes of sensitive data to potential breaches. A related form of operational risk arising from a move to greater use of data and risk management tools via third-party providers is concentration risk. Regulators and market participants will therefore need to devise and implement appropriate strategies to manage these operational risks. To this end, it is important that market participants and regulators cooperate to promote effective management and control of cyber-risk and to enhance cyber-resilience.
Risks from strategic incentives
One risk which authorities should bear in mind when developing automated detection tools is the possibility that malicious agents may learn to frustrate the tools by adapting their behaviour.
For instance, market participants could in theory learn what types of behaviour are likely to cause a flag in a SupTech monitoring system. Using such information, firms might be able to structure their regulatory returns in such a way as to remain undetected. Separately, as firms develop their expertise in RegTech, their systems may become able to identify potential regulatory loopholes.
Conclusion
Just as FinTech is introducing changes to the way in which market participants offer their services, so too RegTech and SupTech will alter the way in which financial institutions and regulators respectively comply with the rules and supervise markets. In so doing, these technologies have the potential to reshape the relationship between regulators and market participants.
For example, technologies such as APIs are facilitating more efficient filing of regulatory data by market participants, while regulators are looking to develop AI/ML tools to enhance their market surveillance and to improve their capacity for fraud detection. Inevitably, new technological abilities bring with them new challenges and new sources of risk, notably including operational risk.
Nonetheless, provided they are implemented correctly and monitored effectively, RegTech tools have the potential to improve a financial institution’s ability to meet regulatory demands in a cost-efficient manner.