The Regulators Are Optimising Their Use of Data. Are You? Download By Carol Beaumier and Bernadine ReeseConsider these questions: Can financial institutions manage effectively in a world where issues and breaches are known to regulators before the chief compliance officer or anyone else in the organisation even learns about them? Are Compliance departments — and the institutions they serve — prepared to keep pace with the regulators’ efforts to develop data-driven insights? Or will they find themselves continually on the defensive, struggling to react and respond to regulatory inquiries and challenges?A key point: It was only six years ago that the term “SupTech,” or supervisory technology, was introduced and started gaining prominence in the regulatory world. However, the use of technology and data science for supervisory purposes has been evolving over decades.By the numbers: 71% of regulators globally report having SupTech initiatives and 50% indicate they have at least one SupTech application in operation.Why it matters: For both the regulators and the financial services industry as a whole, the potential benefits of SupTech include increased efficiency and effectiveness of the supervisory process. With that promise comes a shift away from outdated, one-size-fits-all templates and manual procedures in favor of data push and data pull approaches that make use of structured and unstructured data.These approaches not only strengthen supervision, but also reduce its cost and burden.SupTech also holds the promise of better customer protection.The success or failure of Compliance teams in guiding the institution in a data-led supervisory environment will depend, first and foremost, on the quality and availability of the institution’s own data.The bottom line: We envision a dynamic supervisory environment in which regulators respond more quickly to market and individual institution developments. Their response will be based on the availability and their interpretation of more voluminous and timely data than they have been able to collect in the past. Financial institutions that are unable to meet these regulatory data challenges will find themselves at a significant disadvantage. Download Evolution of RegTechIt was only six years ago [1] that the term “SupTech” [2], or supervisory technology, was introduced and started gaining prominence in the regulatory world. In reality, however, the use of technology and data science for supervisory purposes has been evolving over decades. Regulators have historically collected financial statement information from the institutions they supervise. For example, in 1981, the U.S. prudential regulators began publishing the Uniform Bank Performance Report (UBPR), which allows for the comparison of a financial institution to its peer group and offers easy identification of outliers. This information is used by U.S. regulators to help set supervisory priorities.A recent report issued by the Cambridge Centre for Alternative Finance (Cambridge Report) highlights the progress made by regulators in collecting and using data to supplement and target their supervisory agenda since the market crash of 1987, which prompted regulators to start digitising their operations to improve transparency and risk management. [3] The report, which is based on a survey of 134 financial authorities across 108 jurisdictions, looks at the evolution of SupTech. In addition to the market crash of 1987, it identifies four key catalysts for driving the regulators’ data strategy:The 2007-08 global financial crisis and the industry’s adoption of fintech to respond to new regulatory reporting requirements and make their operations more efficient;The emergence of blockchain technology, APIs and cloud computing and the capabilities they offer;The formal adoption of SupTech as a term and concept; andThe COVID-19 global pandemic, when regulators were largely forced to abandon onsite supervision and manage 100% remotely.The regulators’ path to making better use of data parallels that of the financial services industry itself, but there are new signs (e.g., the formation of the GFiN SupTech Special Unit) that the regulators may be gaining momentum. There are at least two reasons for supervisors to adopt SupTech. First, the technology available today could help supervisors achieve greater efficiency and effectiveness in pursuing their goals. Second, without investing in technology, supervisors may be unable to deal with developments in the financial sector itself (such as the rise of fintech) and any possibly related expansion of their statutory mandates.www.torontocentre.org/index.php?option=com_content&view=article&id=83&Itemid=99programmes Examples of regulators’ data strategiesRecognising the need to use technology and data better to inform supervision, 71% of regulators globally report having SupTech initiatives and 50% indicate they already have at least one SupTech application in operation, according to findings in the Cambridge Report. To date, most use cases center around consumer protection and prudential supervision. Some regulators have publicly shared their data strategies. In 2020, the UK Financial Conduct Authority (FCA) set out its intentions “to make better use of data to spot and stop harm faster.” [4] In its update in 2022, the FCA confirmed that this included a significant transformation to build intelligence and data services; develop scalable technology, platforms and tooling; and manage data. Once the FCA achieves its stated ambition of becoming a data- and intelligence-led regulator, regulated firms will be interacting with cloud-based platforms and analytics capabilities, supported by the FCA’s data lake, data science tooling and decision hub.Other regulators, such as the Hong Kong Monetary Authority (HKMA), are developing their data strategies alongside a wider strategy to encourage all banks to “go fintech.” In its Fintech 2025 strategy, the HKMA recommends a fully digital approach to operations as well as the adoption of a related SupTech programme with an initial focus on AML/CFT supervision — a programme that is proactive and targeted, data-driven, collaborative, and people-focused. [5] The Monetary Authority of Singapore (MAS) also has an established SupTech programme that focuses on analytics of Suspicious Transaction Reports and reviews firms’ trade data by leveraging algorithms and statistics to analyse datasets. The MAS also has other SupTech initiatives in use and under development, such as identifying conduct risk indicators.The European Central Bank (ECB) has set out its Digitalisation Blueprint with an action plan focused on developing innovative SupTech solutions through engaging with ecosystem partners, other regulators and academia. Its objective is to build out common platforms and tools for SupTech (including 14 SupTech tools already implemented). The ECB reports high demand for such tools across the European banking supervisors. The Digitalisation Blueprint also focuses on providing supervisors with the “capabilities and mindset to fully leverage the potential of SupTech.” [6]Various U.S. regulatory bodies have developed and are enhancing SupTech tools and approaches. As examples, the U.S. Securities and Exchange Commission (SEC) uses advanced technologies to identify trade surveillance and market abuse risks. The Federal Deposit Insurance Corporation (FDIC) is pursuing a regulatory reporting strategy that would allow “on-demand” monitoring of banks versus point-in-time examinations, such as reviewing trade data prior to supervision exams, identifying potential insider trading before major equity events and detecting issues in high-frequency trading. [7]And it’s not just regulators in the major financial markets that are embracing SupTech. One interesting case, which has been reported by the World Bank and is noted in the Cambridge Report, involves Rwanda. The World Bank describes this as an “example of how a whole country has embraced SupTech.” Rwanda has an ambitious financial inclusion agenda which led to high demand for accurate, high-frequency data to monitor financial inclusion progress. With the expansion of the financial services market in 2009-10 through the authorisation of new savings and credit cooperatives and mobile network operators, the National Bank of Rwanda (NBR) was challenged to keep pace with its expanding supervisory mandate. Its solution was to partner with a UAE-headquartered technology firm to develop an electronic data warehouse system to automate and streamline the reporting processes that inform and facilitate supervision.The warehouse went live in 2017. Implementing this approach was not without challenge since not all of the local institutions were at the early stages of their own data journeys. But the shared financial inclusion goal provided the motivation for both the NBR and industry to support this effort. The NBR’s continued commitment to its SupTech agenda is clear: In 2022, the NBR hosted training for representatives from 24 countries on leveraging financial inclusion data to drive inclusive policy development. [8] Examples of current uses of data analytics by regulators:Identifying indicators of market abuse and insider dealingCredit risk assessmentsSanctions screening testing (against a given data file)Identifying scams onlineIdentifying and dealing with high-risk financial advertisingPredicting the risk of misconduct for financial advisers based on factors like working experience and misconduct historyAnd potential future uses:Identifying potential greenwashingLicensing Performing initial supervisory reviews So, what is the potential of SupTech?For both the regulators and the financial services industry as a whole, the potential benefits of SupTech include increased efficiency and effectiveness of the supervisory process. With that promise comes a shift away from outdated, one-size-fits-all templates and manual procedures in favor of data push and data pull approaches that make use of structured and unstructured data. These approaches not only strengthen supervision, but also reduce its cost and burden. For financial institution customers, SupTech also holds the promise of better customer protection.The Cambridge Report highlights 13 thematic areas of focus (plus a catch-all category) for SupTech initiatives, ranked in order of expected impact: [9]Consumer protection59%Prudential supervision58%AML/CFT/PF supervision46%Cyber risk supervision39%Securities supervision37%Payments oversight35%Financial inclusion monitoring31%Digital assets/cryptocurrencies24%Licensing 20%Insurance supervision20%ESG risk supervision17%Compliance assistance14%Competition monitoring8%Machine-executable regulation4% The results are not surprising given that regulatory focus remains intense in the highest-rated areas and each of these topics currently has a significant amount of regulatory reporting and other associated documentation for review by supervisors. Other areas, such as financial inclusion monitoring and digital assets, may need a high degree of SupTech to enable effective supervision since traditional documentation or reports may not be easily available. Customer protection can be enhanced by SupTech in the following ways:Social media and online analysis and monitoring for high-risk indictors (e.g., high-risk financial promotions, scams)Dark web monitoring for scams, fraud and other financial crimeUse of web scraping to identify high-risk financial products or indicators of poor product design and increased risk of poor customer outcomes Implications for financial institutionsFinancial institutions will, on balance, welcome the greater use of SupTech for market monitoring, supervision and regulatory risk analysis, as well as to enable efficient regulation. Once implemented, SupTech will allow regulators to increase their supervisory focus on key and emerging risks, act proactively, and introduce required regulatory changes in a timely manner. It should also allow regulators to manage the cost of regulation and react quickly to changes in the market. Quicker risk identification could help reduce the costs of remediation and look-back reviews.There may also be business implications in the form of greater market monitoring. For example, in retail consumer markets, regulators may identify problematic pricing policies, continued sales of underperforming funds or high balances in savings accounts with very low interest rates. Financial institutions will be challenged to justify, or change, their strategic and business decisions.In addition, with the increased use of SupTech by the regulators, financial institutions can expect an increase in regulatory demand for data. Regulators will be ramping up both regular and ad hoc data requests and increasing focus on the timeliness, completeness and accuracy of submissions. Thus, financial institutions will need to ensure that processes and controls over the compilation, review and submission of regulatory reports are streamlined, and that quality data is readily available and accessible. “This can be particularly challenging for multinational financial institutions, as well as those with multiple regulators and multiple legal entities that need to submit reports,” comments Fiona King, Citibank Europe Plc, UK Branch Head for Citi.Of course, this trove of data and analytics will also be invaluable to the financial institution’s compliance team in areas such as risk identification and assessment, monitoring and testing, and reporting. We expect SupTech to drive greater adoption of RegTech solutions, including, for example, continuous or real-time monitoring and the use of artificial intelligence for regulatory risk mapping to machine-readable rulebooks. Greater automation will be both available from vendors and required to enable rapid responses to regulator queries and requests for information. Just as important, financial institutions will need to consider the analytics they need to identify any risks or trends in advance of the regulatory submission and review.We also expect this increased focus on SupTech and RegTech to drive more internal and external data analytics by financial institutions, for business as well as compliance reasons. For example, analytics might be used to provide insights into areas where controls are failing or customer responses are delayed, or to highlight other indicators of culture or conduct risks.The challenge for Compliance teamsThe success or failure of Compliance teams in guiding the institution in a data-led supervisory environment will depend, first and foremost, on the quality and availability of the institution’s own data. Compliance, therefore, should be a vocal advocate for an organisational data strategy that:Operates under a consistent data governance framework.Breaks down silos between structured and unstructured data.Invests in data analytics and the resources (data engineers, data scientists, visualisation specialists and artificial intelligence/machine learning experts) necessary to optimise use of data.Shares data and educates the organisation on the appropriate use of data.Where an institution’s data strategy falls short of meeting these goals, Compliance should forewarn management and the board of directors of potential regulatory challenges that may result from the institution not being able to provide complete and timely information in response to a regulator’s request.Even in institutions with mature data management practices, it’s important to remember that SupTech will not always get it right and the data alone may not explain the business context adequately. Compliance teams will play a critical role in understanding the data provided to regulators and how it will be interpreted. Ideally, this means Compliance analyses this data on a continual basis and explains its implications to management, who then decides on any needed course corrections. Minimally, it means Compliance should analyse the data contemporaneously with it being provided to the regulators and prepare management with the questions that might be expected.Compliance teams that maintain strong relationships with regulators should be able to provide background information on the firm’s business model, customer base and risk management practices, and be ready to explain and address anomalies. This means that Compliance teams will need their own data experts and will need to upskill their team members to think beyond technical compliance and consider the big picture.In closingWill the continued evolution of SupTech mean that, someday, all financial institution supervision is performed by bots? As appealing as that may sound to some financial institutions, we don’t think that will be the case. We are still firm believers — as we think the regulators are — in the importance of human judgment.What we do envision is a far more dynamic supervisory environment in which regulators will be able to respond more quickly to market and individual institution developments. Their response will be based on the availability and their interpretation of more voluminous and timely data than they have been able to collect in the past. Financial institutions that are unable to meet these regulatory data challenges will find themselves at a significant disadvantage. If you can’t explain it simply, you don’t understand it well enough. Albert Einstein About the authors Carol Beaumier is a senior managing director in Protiviti’s Risk and Compliance practice and leader of the firm’s APAC Financial Services practice. Based in Washington, D.C., she has more than 30 years of experience in a wide range of regulatory issues across multiple industries. Before joining Protiviti, Beaumier was a partner in Arthur Andersen’s Regulatory Risk Services practice and a managing director and founding partner of The Secura Group, where she headed the Risk Management practice. Before consulting, Beaumier spent 11 years with the U.S. Office of the Comptroller of the Currency (OCC), where she was an examiner with a focus on multinational and international banks. She also served as executive assistant to the comptroller, as a member of the OCC’s senior management team and as liaison for the comptroller inside and outside of the agency. Beaumier is a frequent author and speaker on regulatory and other risk issues.Bernadine Reese is a managing director in Protiviti’s Risk and Compliance practice. Based in London, Reese joined Protiviti in 2007 from KPMG’s Regulatory Services practice. Reese has more than 30 years’ experience working with a variety of financial services clients to enhance their business performance by successfully implementing risk, compliance and governance change and optimising their risk and compliance arrangements. She is a Certified Climate Risk Professional. About Protiviti’s Compliance Risk Management Practice There's a better way to manage the burden of regulatory compliance. Imagine if functions were aligned to business objectives, processes were optimised, and procedures were automated and enabled by data and technology. Regulatory requirements would be met with efficiency. Controls become predictive instead of reactive. Employees derive more value from their roles. The business can take comfort that their reputation is protected, allowing for greater focus on growth and innovation.Protiviti helps organisations integrate compliance into agile risk management teams, leverage analytics for forward-looking, predictive controls, apply regulatory compliance expertise and utilise automated workflow tools for more efficient remediation of compliance enforcement actions or issues, translate customer and compliance needs into design requirements for new products or services, and establish routines for monitoring regulatory compliance performance. [1] Cambridge SupTech Lab (2022), State of SupTech Report 2022, Cambridge: Cambridge Centre for Alternative Finance (CCAF), University of Cambridge. Available at www.cambridgesuptechlab.org/SOS. [2] Leveraging a 2018 publication of the Bank for International Settlements (Innovative technology in financial supervision (suptech) – the experience of early users), SupTech is defined as the use of innovative technology by supervisory agencies to support supervision which is grounded in data collection and data analytics. [3] State of SupTech Report 2022, Cambridge: Cambridge Centre for Alternative Finance (CCAF), University of Cambridge. [4] Data strategy update 2022, Financial Conduct Authority, 24 June 2022: www.fca.org.uk/publications/corporate-documents/data-strategy-update-2022. [5] AML/CFT Supervision in the Age of Digital Innovation, Hong Kong Monetary Authority, September 2020: www2.deloitte.com/cn/en/pages/risk/articles/aml-cft-supervision-in-the-age-of-digital-innovation.html..html. [6] The SSM Digitalisation Blueprint: SRB Vision 2028, European Central Bank – Banking Supervision, 29 June 2023: www.bankingsupervision.europa.eu/press/speeches/date/2023/html/ssm.sp230629~1b6d3ba3d7.en.pdf. [7] From data reporting to data-sharing: how far can suptech and other innovations challenge the status quo of regulatory reporting?, Bank for International Settlements (BIS), 16 December 2020: www.bis.org/fsi/publ/insights29.htm. [8] “NBR-AFI Regional Training on Leveraging Financial Inclusion Data to Drive Inclusive Policy Development – Opening remarks by the Deputy Governor, National Bank of Rwanda,” Alliance for Financial Inclusion, 4 October 2022: www.afi-global.org/newsroom_speeches/nbr-afi-regional-training-on-leveraging-financial-inclusion-data-to-drive-inclusive-policy-development-opening-remarks-by-the-deputy-governor-national-bank-of-rwanda/. [9] State of SupTech Report 2022, Cambridge: Cambridge Centre for Alternative Finance (CCAF), University of Cambridge. Topics Risk Management and Regulatory Compliance