The Regulators Are Optimising Their Use of Data. Are You?

Evolution of RegTech

It was only six years ago ^[1] that the term “SupTech” ^[2], or supervisory technology, was introduced and started gaining prominence in the regulatory world. In reality, however, the use of technology and data science for supervisory purposes has been evolving over decades. Regulators have historically collected financial statement information from the institutions they supervise. For example, in 1981, the U.S. prudential regulators began publishing the Uniform Bank Performance Report (UBPR), which allows for the comparison of a financial institution to its peer group and offers easy identification of outliers. This information is used by U.S. regulators to help set supervisory priorities.

A recent report issued by the Cambridge Centre for Alternative Finance (Cambridge Report) highlights the progress made by regulators in collecting and using data to supplement and target their supervisory agenda since the market crash of 1987, which prompted regulators to start digitising their operations to improve transparency and risk management. ^[3] The report, which is based on a survey of 134 financial authorities across 108 jurisdictions, looks at the evolution of SupTech. In addition to the market crash of 1987, it identifies four key catalysts for driving the regulators’ data strategy:

• The 2007-08 global financial crisis and the industry’s adoption of fintech to respond to new regulatory reporting requirements and make their operations more efficient;
• The emergence of blockchain technology, APIs and cloud computing and the capabilities they offer;
• The formal adoption of SupTech as a term and concept; and
• The COVID-19 global pandemic, when regulators were largely forced to abandon onsite supervision and manage 100% remotely.

The regulators’ path to making better use of data parallels that of the financial services industry itself, but there are new signs (e.g., the formation of the GFiN SupTech Special Unit) that the regulators may be gaining momentum.

Examples of regulators’ data strategies

Recognising the need to use technology and data better to inform supervision, 71% of regulators globally report having SupTech initiatives and 50% indicate they already have at least one SupTech application in operation, according to findings in the Cambridge Report. To date, most use cases center around consumer protection and prudential supervision. 

Some regulators have publicly shared their data strategies. In 2020, the UK Financial Conduct Authority (FCA) set out its intentions “to make better use of data to spot and stop harm faster.” ^[4] In its update in 2022, the FCA confirmed that this included a significant transformation to build intelligence and data services; develop scalable technology, platforms and tooling; and manage data. Once the FCA achieves its stated ambition of becoming a data- and intelligence-led regulator, regulated firms will be interacting with cloud-based platforms and analytics capabilities, supported by the FCA’s data lake, data science tooling and decision hub.

Other regulators, such as the Hong Kong Monetary Authority (HKMA), are developing their data strategies alongside a wider strategy to encourage all banks to “go fintech.” In its Fintech 2025 strategy, the HKMA recommends a fully digital approach to operations as well as the adoption of a related SupTech programme with an initial focus on AML/CFT supervision — a programme that is proactive and targeted, data-driven, collaborative, and people-focused. ^[5] The Monetary Authority of Singapore (MAS) also has an established SupTech programme that focuses on analytics of Suspicious Transaction Reports and reviews firms’ trade data by leveraging algorithms and statistics to analyse datasets. The MAS also has other SupTech initiatives in use and under development, such as identifying conduct risk indicators.

The European Central Bank (ECB) has set out its Digitalisation Blueprint with an action plan focused on developing innovative SupTech solutions through engaging with ecosystem partners, other regulators and academia. Its objective is to build out common platforms and tools for SupTech (including 14 SupTech tools already implemented). The ECB reports high demand for such tools across the European banking supervisors. The Digitalisation Blueprint also focuses on providing supervisors with the “capabilities and mindset to fully leverage the potential of SupTech.” ^[6]

Various U.S. regulatory bodies have developed and are enhancing SupTech tools and approaches. As examples, the U.S. Securities and Exchange Commission (SEC) uses advanced technologies to identify trade surveillance and market abuse risks. The Federal Deposit Insurance Corporation (FDIC) is pursuing a regulatory reporting strategy that would allow “on-demand” monitoring of banks versus point-in-time examinations, such as reviewing trade data prior to supervision exams, identifying potential insider trading before major equity events and detecting issues in high-frequency trading. ^[7]

And it’s not just regulators in the major financial markets that are embracing SupTech. One interesting case, which has been reported by the World Bank and is noted in the Cambridge Report, involves Rwanda. The World Bank describes this as an “example of how a whole country has embraced SupTech.” Rwanda has an ambitious financial inclusion agenda which led to high demand for accurate, high-frequency data to monitor financial inclusion progress. With the expansion of the financial services market in 2009-10 through the authorisation of new savings and credit cooperatives and mobile network operators, the National Bank of Rwanda (NBR) was challenged to keep pace with its expanding supervisory mandate. Its solution was to partner with a UAE-headquartered technology firm to develop an electronic data warehouse system to automate and streamline the reporting processes that inform and facilitate supervision.

The warehouse went live in 2017. Implementing this approach was not without challenge since not all of the local institutions were at the early stages of their own data journeys. But the shared financial inclusion goal provided the motivation for both the NBR and industry to support this effort. The NBR’s continued commitment to its SupTech agenda is clear: In 2022, the NBR hosted training for representatives from 24 countries on leveraging financial inclusion data to drive inclusive policy development. ^[8]

So, what is the potential of SupTech?

For both the regulators and the financial services industry as a whole, the potential benefits of SupTech include increased efficiency and effectiveness of the supervisory process. With that promise comes a shift away from outdated, one-size-fits-all templates and manual procedures in favor of data push and data pull approaches that make use of structured and unstructured data. These approaches not only strengthen supervision, but also reduce its cost and burden. For financial institution customers, SupTech also holds the promise of better customer protection.

The Cambridge Report highlights 13 thematic areas of focus (plus a catch-all category) for SupTech initiatives, ranked in order of expected impact: ^[9]

The results are not surprising given that regulatory focus remains intense in the highest-rated areas and each of these topics currently has a significant amount of regulatory reporting and other associated documentation for review by supervisors. Other areas, such as financial inclusion monitoring and digital assets, may need a high degree of SupTech to enable effective supervision since traditional documentation or reports may not be easily available.

Implications for financial institutions

Financial institutions will, on balance, welcome the greater use of SupTech for market monitoring, supervision and regulatory risk analysis, as well as to enable efficient regulation. Once implemented, SupTech will allow regulators to increase their supervisory focus on key and emerging risks, act proactively, and introduce required regulatory changes in a timely manner. It should also allow regulators to manage the cost of regulation and react quickly to changes in the market. Quicker risk identification could help reduce the costs of remediation and look-back reviews.

There may also be business implications in the form of greater market monitoring. For example, in retail consumer markets, regulators may identify problematic pricing policies, continued sales of underperforming funds or high balances in savings accounts with very low interest rates. Financial institutions will be challenged to justify, or change, their strategic and business decisions.

In addition, with the increased use of SupTech by the regulators, financial institutions can expect an increase in regulatory demand for data. Regulators will be ramping up both regular and ad hoc data requests and increasing focus on the timeliness, completeness and accuracy of submissions. Thus, financial institutions will need to ensure that processes and controls over the compilation, review and submission of regulatory reports are streamlined, and that quality data is readily available and accessible. “This can be particularly challenging for multinational financial institutions, as well as those with multiple regulators and multiple legal entities that need to submit reports,” comments Fiona King, Citibank Europe Plc, UK Branch Head for Citi.

Of course, this trove of data and analytics will also be invaluable to the financial institution’s compliance team in areas such as risk identification and assessment, monitoring and testing, and reporting. We expect SupTech to drive greater adoption of RegTech solutions, including, for example, continuous or real-time monitoring and the use of artificial intelligence for regulatory risk mapping to machine-readable rulebooks. Greater automation will be both available from vendors and required to enable rapid responses to regulator queries and requests for information. Just as important, financial institutions will need to consider the analytics they need to identify any risks or trends in advance of the regulatory submission and review.

We also expect this increased focus on SupTech and RegTech to drive more internal and external data analytics by financial institutions, for business as well as compliance reasons. For example, analytics might be used to provide insights into areas where controls are failing or customer responses are delayed, or to highlight other indicators of culture or conduct risks.

The challenge for Compliance teams

The success or failure of Compliance teams in guiding the institution in a data-led supervisory environment will depend, first and foremost, on the quality and availability of the institution’s own data. Compliance, therefore, should be a vocal advocate for an organisational data strategy that:

• Operates under a consistent data governance framework.
• Breaks down silos between structured and unstructured data.
• Invests in data analytics and the resources (data engineers, data scientists, visualisation specialists and artificial intelligence/machine learning experts) necessary to optimise use of data.
• Shares data and educates the organisation on the appropriate use of data.

Where an institution’s data strategy falls short of meeting these goals, Compliance should forewarn management and the board of directors of potential regulatory challenges that may result from the institution not being able to provide complete and timely information in response to a regulator’s request.

Even in institutions with mature data management practices, it’s important to remember that SupTech will not always get it right and the data alone may not explain the business context adequately. Compliance teams will play a critical role in understanding the data provided to regulators and how it will be interpreted. Ideally, this means Compliance analyses this data on a continual basis and explains its implications to management, who then decides on any needed course corrections. Minimally, it means Compliance should analyse the data contemporaneously with it being provided to the regulators and prepare management with the questions that might be expected.

Compliance teams that maintain strong relationships with regulators should be able to provide background information on the firm’s business model, customer base and risk management practices, and be ready to explain and address anomalies. This means that Compliance teams will need their own data experts and will need to upskill their team members to think beyond technical compliance and consider the big picture.

In closing

Will the continued evolution of SupTech mean that, someday, all financial institution supervision is performed by bots? As appealing as that may sound to some financial institutions, we don’t think that will be the case. We are still firm believers — as we think the regulators are — in the importance of human judgment.

What we do envision is a far more dynamic supervisory environment in which regulators will be able to respond more quickly to market and individual institution developments. Their response will be based on the availability and their interpretation of more voluminous and timely data than they have been able to collect in the past. Financial institutions that are unable to meet these regulatory data challenges will find themselves at a significant disadvantage.