The compliance function was born in the French financial sector in the early 2000s to respond to issues with a very strong legal emphasis. Following the 2008 crisis, regulatory constraints and fines imposed on financial services companies exploded.
To respond to this inflation, banks and insurance companies were forced to implement frameworks and tools specific to each of these regulations and therefore undergo major structural modifications. These new rules and regulations required a lot of manpower as well as in-depth developments every time regulations changed. These multiple evolutions have had major impacts on several business models and have deeply changed various business processes (financial security, market transparency, customer relationship, client protection …).
From 2012 onward, the ramping up of fines had totaled over $300B, meaning banks were forced to implement remediation plans. Compliance frameworks became stronger and more reliable but were not always effective and optimized. With these evolutions came a need for more manpower, and the new regulations resulted in an explosion in the number of alerts (international sanctions, politically exposed persons, anti-money laundering, KYC, market abuse…).
Meeting regulatory requirements is therefore becoming a global concern for the financial sector, as it impacts the risk of sanctions, its operational efficiency (in a context of falling NBI), and customer relations (in a context of digitalization and increased competition).
At the same time, during this era of digital generalization, more and more companies (startups) have started to offer innovative solutions to banks to help them meet compliance requirements whilst optimizing resources. These solutions are backed by technological developments such as RPA, BPM, ICR (Intelligent Character Recognition), predictive analysis models, blockchain, and many more. These are known as RegTechs.
The financial sector and the compliance function have become fully aware of the opportunities offered by new technologies in these areas. The effectiveness and efficiency of compliance departments are being reshaped for the better.
Nevertheless, the long and complicated road to a stable transformation is not easy to follow, and obstacles to overcome are not scarce. According to McKinsey’s study, one of the main issues that emerged was the lack of vision regarding where compliance is heading. Amid the rush to strategize and develop powerful technologies, the absence of perspective does not shed any light on the matter.
This guide presents Wavestone’s convictions and know-how on three key areas for a successful transformation: the right use cases and associated ambitions, our RegTech RADAR, and how to manage a RegTech integration project.
First, Identify Relevant Use Cases
Our Beliefs, by Romain Louzier, Financial Services Partner
Today, compliance is facing a wide range of challenges that are driving an in-depth transformation of the function. First of all, the compliance function must ensure that its institutions meet the ever-increasing regulatory requirements by strengthening its normative role and ensuring complete, permanent and reactive monitoring of its processes and systems. At the same time, it must improve the operational efficiency of its teams and control and reduce its operating and transformation costs.
Compliance must also reposition its role in the service of its customers and the institution’s businesses by taking regulatory changes as opportunities for progress. Finally, it must spread and embed the culture of compliance in businesses and natively in the transformation projects of financial institutions.
To meet these challenges, recent technological developments offer new opportunities that the compliance function must appropriate for itself and develop internally. It should also rely on the RegTechs ecosystem but understand that it is not the starting point for transformation.
Compliance processes must be fully integrated into the institutions’ business processes. In an end-to-end logic, banks and insurance companies must address their compliance processes in a cross-functional approach, whether they are identified as “business / first line of defense – LoD1” or “compliance / second line of defense – LoD2”. This new reality should make it possible to find both rationalization and digitalization solutions for more efficient integrated compliance.
What is the bank's/insurance's ambition regarding each of the identified use cases?
Each of the use cases can be evaluated according to two axes and integrated into a matrix:
Business Value
What value do I bring to the bank (in terms of risk coverage, operational performance, improvement of customer relations, or creation of value)?
It is up to each organization to define it, according to its use cases, strategy and resources.
Complexity
The goal is to identify all the constraints for the implementation of the use case: legal, data availability, technology maturity, change management.
To be assessed in the light of the constraints specific to the organization, while seeking to open up to the outside world to challenge itself.
Trends and players in the market
Our Beliefs, by Ghislain de Pierrefeu, Machine Learning & Data Lab Partner
Artificial Intelligence, the new Eldorado of Technology… It seems that it is no longer possible today to sell a solution without stamping it as “AI”. Beyond this aberration, which emphasizes the technical dimension before the business value, lies a great heterogeneity of realities and very often a touching naivety about the ability to integrate algorithms (however brilliant they may be) into human ecosystems and in complex and poorly prepared IS.
This is especially true of RegTechs, which aim to revolutionize the regulatory and compliance fields that are, in essence, “conformers” and not inclined to pass over on key principles such as data protection, interpretability of results, robustness of algorithms…
It is rare to find RegTechs that have – beyond the algorithmic achievement – embraced all the dimensions of this kind of transformation, and financial institutions therefore tend to favor controlled in-house solutions; however, some technological “nuggets” do exist and can be good accelerators for certain uses, and with a little hindsight, it is quite easy to separate the wheat from the chaff.
Profile of the RegTechs
Among the 70 Regtechs identified on the radar, we found that a third have fewer than 10 employees, another third between 11 and 50 employees, and the last third more than 50 employees. The average foundation year of the Regtechs is July 2010, and 90% of them have emerged after 2008 and the regulatory thrust.
There are 3 types of Regtechs: the specific ones, with innovative software for specific needs such as the monitoring of atypical market operations (trading/AML); the modular ones, which offer modules answering standard problems (reporting, web browsing, etc.); and the extended ones, with a very rich and extensive range of services.
What’s more, we can determine 5 main categories of solutions. The “Third Party knowledge” category groups all the solutions that allow the gathering of compulsory information on customers (KYC/AML) or investors (MiFID II) and that ease digital onboarding. The “Anomalies detection” category refers to all the solutions that prevent illegal flows (AML/EMB) or market failures (trading monitoring). The “Protection of personal data” range of solutions mostly enables companies to deal with personal data while being compliant with regulations such as GDPR. The “Reporting” solutions offer facilitated and automated reporting with user-friendly visual presentations. And lastly, the “Process management” solutions allow companies to better deal with their workflow, often with automated and visual solutions.
Regtechs are based on various technologies, especially AI (RPA, OCR, Machine Learning), Big Data, Blockchain and Fuzzy Logic. The main regulatory risks covered are AML (45%), KYC (42%), market abuse (26%) and sanctions and embargoes (16%).
What are the best ways for "Making"?
Our Beliefs, by Mathieu Couturier, Cybersecurity Manager at UK office
Regtechs make it possible to use new technologies such as machine learning or behavioral biometrics to address new challenges. The effective definition of the tooling strategy via RegTechs and the synergies with initiatives that can be carried out internally is an opportunity to be seized. Far from being in competition, internal solutions and Regtechs complement each other to capitalize on and increase internal expertise through the know-how and accelerators that Regtechs can offer.
Nevertheless, invariants are essential for these projects to succeed: choosing the most relevant actor, in relation to its present and future needs, and who respects the space requirements (data security, GDPR, etc.); establishing its ability to provide quality data, in quantity and over time, especially when it is an artificial intelligence solution; finally, ensuring proper project management, by not underestimating – as usual – the necessity of managing team change.
Key levers for success
The implementation of Regtechs is becoming a key factor in meeting new challenges in terms of automation or increasing detection capabilities. However, beyond the realization of Proofs of Concept, certain key success factors must be kept in mind to facilitate and successfully implement these solutions.
Conducting a pre-framing, gathering the prerequisites and identifying your strengths and weaknesses to choose the right RegTechs. The goal is to identify the use cases to be covered with regard to their criticality, the maturity of the Regtechs market and the presence of sufficient data (6 to 13 months of history for fraud detection, for example), as well as the functional and technical requirements related to the use cases and the specificities of the organization. The outcome of this framework must enable the perimeters to be validated and the most appropriate Regtechs to be selected to meet them (this selection should preferably go through an RFI or RFP phase).
Leading a Proof of Concept. The realization of a Proof of Concept is a necessity, both for internal teams to familiarize themselves with the solutions and for Regtechs to familiarize themselves with the data and specificities of the organization. The main objective is to validate a good functional and technological coverage of the solution, in particular for aspects related to artificial intelligence that must be challenged by internal data science teams (algorithms used, model training, variables used, etc.).
Preparing the industrialization and sustainability phase. From the PoC phase onwards, in order to limit the time to market, it is essential that a proper sharing and working environment is created with Regtechs as early as possible to deal with issues such as IT constraints on the architecture (interaction with existing systems, SaaS or on-premise mode, etc.), the implementation of the incoming or outgoing data flow (batch, real time, flow, etc.), the organizational processing methods, the processes and skills to maintain the solution and algorithms in operational condition, and the methods to secure processing (GDPR, security and compliance).
The mobilization and coordination of the various teams and expertise is the cornerstone to ensure the successful integration of a Regtech over time.