06 October 2021
Regtech started taking off as a concept from early 2016, and is now part of the mainstream lexicon (at least in business circles). It is generally used to refer to technology used by organisations to manage or meet regulatory compliance obligations – including reporting on events such as transactions under anti-money laundering and counter-terrorism financing (AML/CTF) laws and connecting with data ecosystems, such as the data sharing regime under the consumer data right (CDR) or Australia’s upcoming digital identity ecosystem – but is sometimes also used to refer to technology used by regulators to undertake regulatory and supervisory activities (sometimes also called ‘supervisory tech’ or ‘suptech’).
While the case for regtech is clear, it can be a hard internal sell. Some organisations find it difficult to gain traction to invest in systems that manage compliance, as opposed to systems that contribute more directly to revenue-generating operations – the use case for regtech is sometimes easier to sell where it addresses ‘new’ compliance obligations, such as the obligations of banks (and soon energy and telecommunication organisations) under the CDR. Further, many organisations have sophisticated programs to manage outsourcing risk which impose requirements prohibitive to regtech providers, which are often start-ups and small businesses with limited existing clients.
How can organisations gain the assurance they need to procure regtech with confidence? AUSTRAC’s Expectations of RegTechs publication includes the following recommendations for organisations procuring regtech:
A further consideration is that it may be difficult to negotiate an indemnity or liability cap that covers an organisation’s exposure to compliance breaches. Even if this was included in the contract negotiation, given that potential fines may be in the order of millions or even billions of dollars, a regtech provider may not be able to satisfy a claim under an indemnity or for significant liability.
We recommend that organisations seek to de-risk regtech arrangements by:
While regtech can be used to manage a wide range of compliance obligations, recent learnings largely come from regtech used to meet AML/CTF obligations. Given the sophistication of those seeking to exploit Australia’s financial system, it is crucial that organisations carefully consider whether regtech alone is sufficient for them to detect financial crime.
While the processes deployed to identify and manage risk will be unique to each organisation, best practice to ‘future-proof’ any business mandates the importance of:
Moreover, it is imperative that when regtech detects an issue, be it systemic or otherwise, there are systems in place which ensure that the problem is clearly reported, that the reporting extends across the various arms of the business, and that senior management and the board are equipped with the information they need to have proper oversight and discharge their obligations.
The Senate Committee on Australia as a Technology and Financial Centre has been investigating and reporting on regtech and fintech since September 2019. It has released three issues papers and two interim reports, and is due to issue its final report by 30 October 2021.
The work of the Committee is broad, and has included recommendations on technology enablers (such as encompassing digital means in laws about meetings and signatures), taxation arrangements to encourage the development of regtech and specific regtech areas such as digital identity, the CDR and financial platforms.
If the Committee’s recommendations in the final report are adopted by government, then the road ahead for regtech (and its adopters) looks promising.
This article was originally co-authored by Helen Clarke.
This article is part of our publication Continuity Beyond Crises: Staying ahead of risk in an evolving legal landscape.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.