Procuring and using regtech for compliance: risk and opportunity

Regtech – or regulatory technology – automates, streamlines and improves an organisation’s ability to discharge its compliance obligations. 

But while it offers numerous benefits, it can be difficult for companies to quantify the costs saved by replacing existing processes against the upfront capital and outsourcing risk associated with procuring a regtech solution.

Regtech started taking off as a concept from early 2016, and is now part of mainstream lexicon (at least in business circles). It is generally used to refer to technology used by organisations to manage or meet regulatory compliance obligations – including reporting on events such as transactions under anti-money laundering and counter-terrorism financing (AML/CFT) laws and connecting with data ecosystems, such as the data sharing regime under the consumer data right (CDR) or Australia’s upcoming digital identity ecosystem – but is sometimes also used to refer to technology used by regulators to undertake regulatory and supervisory activities (sometimes also called ‘supervisory tech’ or ‘suptech’). 

While the case for regtech is clear, it can be a hard internal sell. Some organisations find it difficult to gain traction to invest in systems that manage compliance, as opposed to systems that contribute more directly to revenue-generating operations – the use case for regtech is sometimes easier to sell where it addresses ‘new’ compliance obligations, such as the obligations of banks (and soon energy and telecommunication organisations) under the CDR. Further, many organisations have sophisticated programs to manage outsourcing risk which impose requirements prohibitive to regtech providers, which are often start-ups and small businesses with limited existing clients. 

How to ‘de-risk’ regtech arrangements

How can organisations gain the assurance they need to procure regtech with confidence? AUSTRAC’s Expectations of RegTechs publication includes the following recommendations for organisations procuring regtech:

• verify that the regtech provider has an understanding of the relevant Australian regulatory framework, as well as the specific products and services provided by the procuring organisation;
  
  
• clearly understand the regulatory obligations that the regtech addresses (and the regulatory obligations that the regtech does not address);
  
  
• ensure that any solution originally developed for a jurisdiction outside Australia meets the requirements of Australia’s regulatory framework;
  
  
• verify that the regtech provider will provide ongoing support for the solution; and
  
  
• ensure that there are processes to keep up-to-date with changes in compliance obligations, regulatory guidance and industry trends.

A further consideration is that it may be difficult to negotiate an indemnity or liability cap that covers an organisation’s exposure to compliance breaches. Even if this was included in the contract negotiation, given that potential fines may be in the order of millions or even billions of dollars, a regtech provider may not be able to satisfy a claim under an indemnity or for significant liability. 

We recommend that organisations seek to de-risk regtech arrangements by:

1. Ensuring they have full visibility of the entire ‘solution stack’ when conducting due diligence in respect of a regtech solution and its provider before procurement. Identify all third parties (including related entities) who will provide any part of the solution, whether technology or services, and ensure inclusion of appropriate subcontracting obligations in the contract with the provider.
   
   
2. Requiring the regtech provider to hold adequate insurance to cover the quantum of most anticipated claims.
   
   
3. Including rights to audit the regtech, or otherwise requiring the regtech provider to demonstrate the regtech’s compliance, and exercising those rights regularly. Organisations should be keen to identify and require the provider to remedy any compliance breaches at the earliest possible stage.
   
   
4. Requiring the provider to provide regular reports about the regtech’s activity, and scrutinising those reports. Where the regtech replaces existing manual compliance processes, verify that the reports demonstrate similar or better compliance results than pre-regtech processes.
   
   
5. Including a ‘change in law’ clause and actively monitor for changes in law, regulatory guidance and industry developments that might affect the regtech solution (or require the provider to do so). A number of areas of law, including cyber security and AML/CTF, require organisations to be aligned with improvements in security and risk monitoring. This means that a regtech solution that meets legislative requirements at the procurement date will become non-compliant if, over a number of years, those improvements are not made.
   
   
6. Including a comprehensive list of the parties’ respective responsibilities in relation to compliance obligations. This should ensure that the ‘limits’ of the solution are fully articulated and understood, and your organisation knows when a particular activity or issue is ‘passed over’ to it (such as notifying individuals of an eligible data breach of personal information).

What happens when regtech goes wrong?

While regtech can be used to manage a wide range of compliance obligations, recent learnings largely come from regtech used to meet AML/CTF obligations. Given the sophistication of those seeking to exploit Australia’s financial system, it is crucial that organisations carefully consider whether regtech alone is sufficient for them to detect financial crime. 

While the processes deployed to identify and manage risk will be unique to each organisation, best practice to ‘future-proof’ any business mandates the importance of:

• Training - regtech is part of the solution, but the risk of human error when software is implemented or a failure to understand how regtech operates exposes a company to the risk that data obtained is inaccurate and, in turn, that regulatory reporting is deficient.
  
  
• Resourcing – even the most robust AML/CTF program will stand to fail unless supported by a strong internal team and sufficient processes to track operational performance, provide assurance and permit management oversight.
  
  
• Agility – respond to red flags which emerge from new products, adapt to new forms of criminal activity and treat your AML/CTF program as a ‘live’ document that grows with the innovation of your organisation. 

Moreover, it is imperative that when regtech detects an issue, be it systemic or otherwise, there are systems in place which ensure clear reporting of the problem, the reporting extends across various arms of the business and that senior management and the board are equipped with the information they need to have proper oversight and discharge their obligations. 

***

The Senate Committee on Australia as a Technology and Financial Centre has been investigating and reporting on regtech and fintech since September 2019. It has released three issues papers and two interim reports, and is due to issue its final report by 30 October 2021. 

The work of the Committee is broad, and has included recommendations on technology enablers (such as encompassing digital means in laws about meetings and signatures), taxation arrangements to encourage the development of regtech and specific regtech areas such as digital identity, the CDR and financial platforms. 

If the Committee’s recommendations in the final report are adopted by government, then the road ahead for regtech (and its adopters) looks promising.

This article was originally co-authored by Helen Clarke.