Counting the volume of in-force regulation hardly sounds exciting, but it was the necessary starting point for the Federal Government’s deregulation agenda. The results were startling to say the least.
It turns out that two years ago, the Federal regulatory footprint consisted of about 1,800 acts and over 83,200 subordinate instruments and quasi-regulations. And that doesn’t include state and territory regulation or global regulation that impacts on Australian businesses.
Deloitte Access Economics puts the cost of compliance with Federal and State regulation at $95 billion p.a. and, even more disturbing, the cost of complying with self-imposed red tape at an additional $160 billion. That’s $28,000 per household. According to Deloitte, compliance workers are now an alarming one in every 11 workers in Australia!
While the Federal Government reports some progress in reducing the cost of compliance through its deregulatory agenda, it appears to be taking three steps forward and 2.9 steps back as new regulation continues to proliferate.
The problem isn’t limited to Australia. Thomson Reuters’ 2015 Cost of Compliance survey reported that regulatory fatigue was expected to increase globally due to snowballing regulation. Firms were facing difficulties finding and retaining suitably skilled compliance staff due to increased stress and potential personal liability. And regulatory matters are reportedly consuming disproportionate amounts of board time, from correcting non-compliance and preventing further sanctions, to implementing structural changes to meet new rules.
Financial services bears its fair share, probably a disproportionate share, of this burden. Indeed, managing regulation and compliance is one of the biggest challenges for financial services businesses today. It’s all very well to aspire to offer world-best customer service, but in many areas, attempts to do so are stymied by compliance and reporting obligations.
So it’s little wonder that businesses are increasingly turning to technology to help solve the problem. We’ve seen two distinct waves of regulatory technology development – and we are on the cusp of a third and even more exciting wave.
Wave 1 – Governance, risk and compliance programmes
Governance, risk and compliance (GRC) programmes are a ‘linear’ response to the proliferation of regulatory requirements (that I fondly think of as ‘list and tick’). They offer an online database of regulatory obligations. More advanced applications offer users the ability to customise the obligations to their unique business requirements, add internal business rules, allocate responsibilities and capture reports on the progress and success (or otherwise) of compliance efforts. Worthy Australian providers include CompliSpace, SAI Global and LexisNexis.
Modelled on enterprise risk management tools, these systems have become essential to businesses operating in complex environments to help catalogue and manage the ever-increasing regulatory burden.
One thing they don’t do is reduce that burden.
All those tasks still need to be allocated to someone. And policies, procedures and tools still need to be developed. Employees need to be trained, supervised and monitored. Regular internal and external audits need to be undertaken to check that the policies and procedures are working. And periodically, the entire system needs to be reviewed for effectiveness. It’s exhausting just to think about!
The other thing they don’t do is detection.
List and tick programmes are only as good as the data that users contribute. If a person falsely self-certifies, if an overworked compliance manager ‘fudges’ a monitoring report (just this once!), if a regulatory obligation gets missed or misinterpreted – the assurance reports on which boards rely so heavily could be compromised.
Are they useful? Absolutely. Are they effective to prevent or deter regulatory breaches? Only in the same way that an inventory is useful to tell a business how much stock it has on hand.
Wave 2 – Surveillance
The excesses that led to the GFC, the financial planning and insurance scandals and even the alleged bank bill swap rate rigging are testimony to the fact that the comfort that boards and compliance teams have taken in Phase 1 GRC programs is somewhat misplaced.
After the GFC, in response to the need to prevent such catastrophic market failures going forward, a new wave of surveillance tools emerged.
For example, NASDAQ’s SMARTS surveillance technology, which ASIC began using in 2010, enabled regulators and trading marketplaces to analyse trends in market data and identify suspicious trading activity such as insider, high-frequency and algorithmic trading. Today, ASIC has the capacity to continuously monitor suspicious trading patterns that can indicate market misconduct in real time. Because ASIC will investigate and, as we have seen, prosecute such conduct, trading houses can ill afford not to invest in similar technologies.
The downside of these technologies is that the sheer volume of data produced by these systems can create unmanageable overload. It’s all very well to know about a problem but if you have so many that you can’t effectively deal with them, the information is of limited use.
There is clear scope for further development of trading surveillance using artificial intelligence which mimics the way the human brain works. Together, data mining, pattern recognition and natural language processing have the ability to distinguish conduct which poses serious risk of non-compliance. This advanced intelligence will help regulators and compliance workers to make better informed and faster choices about prioritising, mitigating and managing regulatory risk. Everyday compliance tasks like fraud detection, currency monitoring and reporting to regulators are increasingly being automated.
Wave 3 – Prevention, rather than cure
Wave 3, which is in its early stages, is being driven by the fact that Wave 2 technologies can only focus on real-time or after-the-event detection and reporting. This inevitably requires considerable compliance resources to monitor, manage and rectify problems once detected. The challenge has been exacerbated by social media, which has exponentially expanded what needs to be monitored.
When 9% of our workforce is engaged in compliance work, we have surely reached an inflection point. Diverting ever more productive resources into regulatory activity doesn’t make economic sense. And the deregulation agenda is hardly likely to solve the problem in any timely fashion. So there appears to be a golden opportunity for more innovative technology solutions.
What might they look like? Well, an ‘ounce of prevention’ has been worth a ‘pound of cure’ since the expression was coined by English jurist Henry de Bracton in 1240. It’s time for technology to turn its attention to prevention. Real time. Before the event. And as operational processes are increasingly being automated, compliance requirements can be, and increasingly are being, built into the technology.
The exciting advance offered by Wave 3 technologies is the ability to deploy artificial intelligence and other machine-learning techniques within process gateways so that breaches can be detected when, or even before, they occur and rectified before completion of the activity.
Wave 3 technologies, or regtech as they’re now known, will enable firms to detect and manage regulatory and other risks before they even occur. Although Anti-Money Laundering – Counter-Terrorism Financing identification and verification currently appear to be the most well-developed applications, a number of novel applications are evolving out of stealth mode as artificial intelligence capabilities are advancing.
Regulators worldwide are watching these developments with interest. In the UK, the Financial Conduct Authority has called for input on how regtech can deliver outcomes that improve efficiency, transparency and collaboration. The Bank of England has announced an accelerator to work with fintech firms on its unique challenges. And a global regtech capital markets conference is taking place in London in July to debate the need for a 'regtech commons'. Closer to home, ASIC is about to establish a dedicated regtech team and AUSTRAC is actively reaching out to fintech startups.
In a world where poor conduct can be detected and prevented at source, we might even see an acceleration of the deregulatory agenda!
Claire Wivell Plater of The Fold Legal is a leading financial services and credit lawyer. She actively advises both digital and ‘analogue’ businesses on commercial and regulatory issues and is a member of the Federal Treasurer’s Digital Advisory Group.