Latest Products

Facing the RegTech Wave in Financial Crime

Wednesday 11 January 2017
Republished from the December 2016 edition of the Quarterly GRC Professional: The Rise of RegTech.

Though it has been stated that regtech is the new fintech, it is different in one fundamental aspect: it is not there to compete but to facilitate GRC frameworks in organisations and to make them more efficient.

According to Richard Gluyas at The Australian, Treasurer Scott Morrison said that “The automation of compliance with regtech has the potential to overcome individual foibles and human error in a way that provides the quantum leap in culture and compliance that our regulators, customers, policymakers and the community are increasingly demanding.”

This would suggest regtech has grown overnight. In fact, regtech simply means ‘regulatory technology’ and has existed in some form for many years.

“We have been developing what we have been developing for the last four years, way before even hearing the term regtech,” Anthony Quinn CEO of Arctic Intelligence.

He said that from his perspective, it is a good thing because finally, there is a platform to showcase what his company is doing and why they think regtech is important.

“We codify regulations, take them from the rule books of different regulations like AML, and then put them into our platform,” Quinn explained. “Then, we have people go through those and assess how their internal policies map against that particular external obligation, and what the risks are of getting it wrong. What are the potential consequences of failing to meet that compliance obligation?

“Broadly, what we are trying to do is apply smart technology to regulations to make it easy for regulators and regulated entities to comply with and identify where their gaps are so they can track, manage and report them,” Quinn added.

What has changed?
“Everyone realises compliance is a problem,” Quinn told GRC Professional. “It is an issue, and it is hard to do right.” He added that, at the moment, the trend is still in favour of regulated companies.

“If you look at the track record in Australia for enforcement action taken since the AML/CTF Act came into effect in ten years ago, there has probably been less than 15 enforceable undertakings,” Quinn said. “The biggest fine in Australia to date is $300 000. If you compare that to what has been happening overseas since 2008, banks have been fined $26 billion for non-compliance. So any Australian business that has a presence internationally—either from an AML perspective or an anti-bribery perspective—needs to sit up and take notice of those laws.”

He added that these are the kinds of international developments heading this way.

Quinn said that with developments like the Foreign Account Tax Compliance Act (FATCA) and the Common reporting Standard (CRS), where many countries around the world have agreed to share information, the implications are that there are now thousands of financial institutions in Australia with a new set of laws with which they must comply.

“You’ve got things like data privacy regulation, data retention regulations—all this stuff is coming in and driving complexity,” he said.

Challenge for reporting entities and regulators
Quinn believes there is still a lot of complacency amongst reporting entities—a huge challenge for regulators, who have the job of regulating 14,000 businesses.

“Even if AUSTRAC were able to visit half of 1% of those, doing 70 site visits a year, I think they would be doing well with the number of staff they have,” he said. Plus, regulators have their own challenges when it comes to getting regulated entities to comply. This is why governance is a major initiative under their information agenda.

“There is a massive gap in both the knowledge and the output being produced for risk assessments,” Quinn said. “And for audit assurance, there is masses of varying quality.”

He added there is an understanding this needs to change; thus, regulators and those like AUSTRAC and ASIC are working with industry to see what changes they can make.

“Regulators all have regtech as a high-priority initiative for government, and so that is another thing turning in our favour,” Quinn said. “Before, you couldn’t approach a regulator and say ‘I have some good technology we can start using for the benefit for your regulation’. They just would not have been open to that kind of approach. Now, we are actively talking to domestic and international regulators.” 

Currently, there is a big movement going on where people are looking at how they can achieve their compliance obligations—or, and from the regulators’ perspective, regulate all these reporting entities.

“People are getting more serious,” Quinn told GRC Professional. “Some foreign governments are getting more aggressive in terms of how they are enforcing the law. There is a lot of social media backlash, based on reputational point of view, that hits people instantly if they do something wrong, or if they are fined. The ‘culture’ of compliance is becoming more important.”

Singapore and regtech
“If you look at how Singapore set up their own fintech communities, they reached out to all the banks and said ‘what are your problems?’” Quinn said. “Then, they got about 200 problem statements from different regulated entities and distilled those down into 100 problems. One subset of those problems was around regulatory technology—so that could cover things like KYC, the same stuff we are doing with risk assessment and assurance.”

He continued that they looked at the problems with a real business need, and then tried to find entrepreneurs working on technologies that might solve those needs and problems.

Regtech and traditional companies

Quinn believes both regtech and incumbents in the financial industry can coexist. He highlighted that there is no reason why a big firm cannot use the technology of a regtech company to run independent assurance engagements.

“I think where you have a regtech company that is typically small, sometimes formed in the back of garage with a good idea that grows and grows and grows, then they have challenges of trying to sell their software into established companies, because there are numerous hurdles that a small company might have to overcome to be able to sell to a big organisation,” Quinn explained.

Quinn stated that sometimes, major corporations have attempted to create their own innovation spaces, but tough corporate cultures often fail to foster that creative culture of innovation. As a result, they have a low tolerance for failure.

Impact on ‘Regulatory Fatigue’ and the ‘Compliance Burden’
“Nobody likes compliance. Ten years ago, if I had pitched the fact that the banks have to comply with anti-money laundering laws—and I did…well, it is a pretty hard conversation when you go to a bank and say ‘you have to do all this new stuff’,” Quinn said.

He added people are already fatigued, and then they are asked to deal with a wealth of new laws and regulations. “Certainly, it is not getting any easier for regulated entities to comply with laws that are coming out, or those that are continually being updated and refreshed,” Quin explained.

It is important to remember, however, that there are those organisations that choose to hide behind this notion of being ‘fatigued’ as an excuse.

“For Tranche 2 laws for AML, now 10 in years in the making, they are still not introduced,” Quinn said. “You’ve had major lobby groups like the legal professional associations, the real estate associations, the accounting associations—you name it—fighting very hard and citing huge cost considerations, and burdens, and things like that.”

Quinn said he is sympathetic because often organisations have very tight budgets, and in many cases simply lack access to affordable advice and affordable technology.

That is where regtech comes in. “That’s why we are meeting with regulators to get them comfortable enough so that, when a regulated entity utilises the technology we are building, they are comfortable the output is compliant,” Quinn explained.

From a financial technology perspective, there is certainly the clear view that a more efficient way to face and meet compliance obligations exists. Quinn recognises the challenge of meeting new and updated compliance obligations, and this holds particularly true in an environment of limited resources, where organisations are still trying meet existing compliance regulations.

Having automated processes take over some of the more mundane tasks tackled by compliance managers will leave them with more time to dedicate to making decisions and adapting their GRC frameworks to face the new and updated regulations when they arrive.


Anthony Quinn, CEO of Arctic Intelligence