Bank of America is being sued for $120 million after failing to flag large deposits into small accounts, which were cleared a few days later. Previously, U.S. Bank was fined $600 million for failing to flag and report suspicious activity as required under anti-money laundering (AML) requirements.
These are big banks making these mistakes, and they aren’t the only ones making headlines for regulatory blunders. According to John Epperson, principal at Crowe LLP, that goes to show that the current approaches to regulatory and compliance technology (RegTech) aren’t working.
There have been substantial investments in technology by financial services organizations – in particular, a spike in RegTech investments from traditional banks. Banks spent $100 billion on RegTech solutions last year, and $6 billion has been invested by venture capitalists since 2008.
Yet, Epperson says, despite all the money flying around, the problem is far from solved. Organizations are still struggling to extract the value and promise that RegTech has to offer.
In a recent webinar with Karen Webster, Epperson explained why it’s time to take a more strategic view of RegTech, asking not only what your organization can do to appease regulators, but how to make RegTech deliver a competitive advantage for the organization, too.
Although there are RegTechs delivering value, Epperson noted that it’s always the failures that make headlines – and that can lead to various concerns among those who may otherwise wish to take advantage of the technologies and capabilities in the marketplace.
There are thousands of providers in the market, Epperson said. That kind of volume makes it hard to know where to start, and it’s difficult to sort through it all. Organizations rightly want to know: What’s the risk? What if this provider is less established than others in the space? Will adding another platform to dozens of existing platforms break something else?
On top of that, there’s the sales challenge: “We can implement the best tech in the world and solve complex challenges,” said Epperson, “but we also have to sell it to regulators and prove it’s working – that it’s mitigating a compliance or regulatory function.”
There are a few common reasons that an organization may choose to implement a RegTech solution.
First, many organizations are continually increasing their spend on meeting regulatory and compliance requirements, yet continuing to encounter fines and penalties despite their best efforts. To them, the whole system feels out of control. Enforcement is not on their side, and their processes grow more and more inefficient as they tack on more platforms to try and mitigate the problem.
Second, there’s a demand for more meaningful connections – that is, even though organizations are putting a lot of money into creating a risk management data center, that data is only being used within the four walls of regulatory and compliance demands.
Third, the growth of digital environments and channels is flattening the global ecosystem, which makes international players subject to more jurisdictional laws, including nation-specific AML rules. And, of course, there's the regulation on everyone’s mind: The European Union’s General Data Protection Regulation (GDPR), which affects how anyone doing business with the EU can store and use consumer data.
Fourth, there’s a growing consumer demand for more frictionless experiences – no one wants to fill out, say, a 100-page mortgage application, and people are increasingly protective of their sensitive data. That conflicts with organizations’ compliance needs, as they require a certain level of information to meet the standards. There is a need for compliance activities that don’t burden the consumer, Epperson said.
Finally, new products in the market create new risks, and it’s happening so fast that regulators can’t keep up. Often, they are trying to squeeze these new products and risks into existing regulatory categories rather than creating new compliance standards and categories to accommodate them.
A Cultural Shift Is Needed
Epperson said the biggest gap is in basic processes. There’s the potential to automate simple workflows and decision-making processes, and doing so could free up organizations to focus on addressing other pieces of the regulatory challenge.
But perhaps even more challenging, he said, is the need for a cultural shift within the space. Innovation of products and services is happening faster than ever before, meaning that organizations must also move more nimbly – and that requires them to think differently about meeting the requirements.
Epperson noted that teams must become multi-disciplinary. Risk and compliance teams should not be the last ones to see what the organization is working on, but should be at the table from the beginning. And there should be a dedicated team ready to address new issues as they arise, which he said makes the organization nimbler.
In short, more than technology is needed to solve this complex and ever-growing challenge.
“The technologies are great,” said Epperson, “but something must change to take advantage of RegTech. Strategy, culture, organization and process can be some of the most stifling factors. You need a collaboratively defined strategy that includes business, risk, compliance and regulatory channels.”
Drawing the Roadmap
Before introducing RegTech, Epperson said organizations must realize they can’t just flip a switch. They must sunset their existing applications and transition to a new one. Dependencies, project management, communication and coordination will all be factors. Thus, a coordinated roadmap is necessary – indeed, Epperson said, it's the most important function of any RegTech investment.
To draw the roadmap, organizations must first consider the capabilities available to them and the outcomes they hope to achieve – again, thinking beyond just checking off the regulatory and compliance boxes. They must align their specific needs with the available features and the organization’s overall strategy.
Consider, for instance, how RegTech can help to drive customer experience or reduce friction. It could potentially create a competitive advantage, enabling the organization to serve a new market or provide new products and services, either today or tomorrow, that will give it an edge.
Finally, through it all, Epperson said organizations must bear in mind that it’s not just about solving their business issues – they will also have to sell their decisions to regulators, providing more significant justification and documentation than would otherwise be needed.
“This is the second or third most complicated integration your organization can undertake,” Epperson emphasized. “In a traditional technical alignment view, you’ve got scoping and requirements, design and development, installation and testing, and deployment. There’s more than that to RegTech. It takes a strategic view of how you align business tasks with regulatory functions. The more complex the tech, the harder that is to do.”