Reflections on Financial RegTech in 2020: New Initiatives, Opportunities and Challenges to 2030 - a UK Perspective
Preface
1 Introduction
2 The challenge of defining the business problem that RegTech addresses
3 The scale of the business problem
4 The challenge of the RegTech business case to 2020 and why it is now beginning to change
5 The RegTech picture 2010-2020
6 Key emerging technology directions 2020-2030
    Systems architectural directions
        Cloud-native data management and data lakes
        Utilities
        Big data, Big Tech, Social Media Analysis (SMA) and the rise of the oligopolists
    Individual technologies
        Natural Language Processing
        Homomorphic Encryption
        Federated learning
        Network Analytics
        Distributed ledger technology (DLT)
        Improved digital ID and verification – biometrics
7 The new paradigm in 2030
8 Recent UK government and regulator initiatives
9 Overcoming barriers to change – 2020-2030
    Civil liberty groups and data privacy laws
    Cross-jurisdictional data exchange, legal framework standards, and government support
    Rogue states, transparency and offshore tax havens
    Banks and data companies
10 Re-evaluation of the business case for RegTech
11 The record of the global agencies in AML and getting to the root of the problem
12 The role of financial regulators and other national agencies in the RegTech ecosystem – SupTech
    SupTech in a global context
    SupTech in the UK
13 Final thoughts
Glossary of terms
Preface

Since I first stepped off a plane in San Francisco in 1985 to undergo some ‘tech training’ with Tandem Computers (a fault-tolerant computer systems supplier to financial institutions), the operating environment of the financial sector and the deployment of technology inside that environment have long held a fascination for me. This interest was to a large extent reignited by the fall-out from the global financial crisis of 2008-9, and more recently through my involvement with a financial RegTech company (Encompass Corporation). Both these experiences have opened my eyes to the way financial markets and financial regulation work and with it a growing sense of frustration about just how impotent current global structures are in truly facing up to the problem of financial crime.

This paper is an introduction to that world and a journey through the regulatory jungle from a UK perspective. It describes the current operating framework of financial regulation in the UK and begins to examine some of the initiatives that could be taken over the next decade using new technologies and new ways of thinking to finally get a grip on the problem for the good of society.
1 Introduction

Financial RegTech may be defined as the application of technology to the field of Financial Regulation[1]. This paper charts the main developments in Financial RegTech since its inception, details the likely changes that will take place over the next ten years, and highlights emergent trends and developments that would capitalise on the availability of digital technology. It examines the business drivers behind the rise of RegTech solutions and offers pointers to the likely initiatives that will emerge. Also highlighted are some of the challenges that need to be faced, the highly complex nature of the problem being addressed, and how new concepts such as big data and utilities are likely to play an increasingly important role in RegTech developments. Finally, it outlines a future RegTech operating model for the UK where the regulatory authorities have become pro-active participants in the overall RegTech ecosystem, working alongside the banks in a joint assault on financial crime.

The paper’s primary aims are therefore to

• critically assess the nature of the business problem behind RegTech – that of financial crime and its sources
• examine how technology may be deployed to significantly reduce that problem
• consider some of the institutional and global barriers to change that will be encountered along the way
• recommend a way forward for the next 10 years by outlining potential joint initiatives that incorporate both the private and public sector working together for the greater good.

There are several pathways open to policy makers when looking at tackling financial crime – for example, implementing tax policies that lead to an overall reduction in tax evasion activities, especially off-shore, more aggressive policing of drugs, terrorist, human trafficking and cyber-criminal networks and so forth. This paper is concerned solely with the impact that technology could have within the overall financial ecosystem in the quest to reduce financial crime.
2 The challenge of defining the business problem that RegTech addresses

The best technology solutions have as their basis a clearly defined business problem that needs addressing. From that business problem comes a high-level systems requirements specification, from which engineers then build the solution. For RegTech, the question is – what is the business problem? Is it building product to make regulatory reporting and compliance more productive, or is it building product to catch money launderers? Is it constructing systems and processes to improve a financial institution’s knowledge of the client or is it putting in place systems to identify money laundering and fraud? Is it working on your own to improve your internal systems, or is it working in collaboration with other institutions to build a better overall solution? If it’s the latter, to what extent are you prevented from getting to the source of the problem without breaking data privacy laws?

[1] This paper is solely concerned with the impact of RegTech on the financial sector – there are several other regulated sectors, e.g. transport, utilities, health, pharmaceuticals, where some of the concepts and technologies discussed in this paper may have application, but this is beyond the scope of the current paper.

In truth, the answer to these questions is ‘all of the above’, and so the easiest way to approach the business problem from a technology perspective is to distil it down to the two key business challenges that RegTech is trying to address - and that is knowing your customer (KYC) and anti-money laundering (AML), the twin cornerstones that were identified as being at the root of the problem by regulatory authorities worldwide after the financial crisis of 2008-9. Whilst the term RegTech was coined in 2015, technology has been deployed in this area since the late 1980s.

It is worth spending a moment on KYC and AML – are they separate entities or linked? Is one a subset of the other? What is true is that neither is a new concept and both have existed in one form or another for centuries – the old banker cry of ‘what collateral do you offer’ to anyone asking for a loan is a variant on KYC – why lend anyone money if you don’t really know that person? Equally, criminals, the proceeds of crime and money laundering have existed since the beginnings of a global banking system if not before. The Financial Crisis of 2008-9 simply accelerated the prominence of both KYC and its sister entity AML by defining them in a more formal sense. Whilst from a conceptual definition perspective the two concepts are undoubtedly linked (did you really perform accurate KYC processes if it turns out that the client is subsequently identified as a money launderer?), from a technology perspective there are important differences between the two. KYC can be viewed as a static entity – the information on a form (digitised or not) is accurate at a point in time.
AML on the other hand is a dynamic entity, and in many ways much more elusive to control – money laundering cannot be identified on a digitised form at a point in time. It is a process flow. So, from a technology perspective, it is one thing to digitise and bolster the up to the minute details on anyone engaging in financial transactions, but how do you deploy technology to identify and potentially stop something that is happening in ‘real-time’? This is a formidable challenge, the solution to which has only recently become potentially viable. In this paper, I argue that while significant strides have been made in KYC over the last ten years, real AML is still in its infancy – much work needs to be done if any material impact is to be made in this area with the role of the State forming a critical component of the emerging technology ecosystem over the next ten years.

3 The scale of the business problem

Just as the definition of RegTech is made more difficult by the breadth of the business issues being addressed, the definition of its scale in financial terms also meets similar boundary challenges. On the one hand, it is relatively easy to include any proceeds of financial crime when the source was the supply of drugs, prostitution, terrorism, human trafficking or fraud, but does money laundering and financial crime also extend to tracking and estimating the value of the assets salted away in offshore low-tax havens each year, or to estimating the lost value in the outbreaks of flash trading that have intermittently impacted the world’s stock markets (where computers beat the cycle time of stock market systems, remain hidden from view and make millions for their operators)[2]?

[2] https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1211&context=dltr

The Financial Action Task Force (FATF) was established at the G7 meeting in 1989 to develop a coordinated international response to money laundering and financial crime. FATF does not itself provide figures but The World Bank, the IMF, the EU and others all publish their own estimates of what they consider to be the total global figure of all activities related to money laundering and financial crime. The estimates vary here, from large to very large, with the consensus being that 2%-5% of global GDP is laundered every year within the global financial system – somewhere between £2tn-£5tn[3]. To put these figures in context, £5tn is the GDP of the Japanese economy, £3tn is the GDP of the UK economy lost to AML and financial crime every single year – so both the scale of the issue and the potential prize is enormous in financial terms.

4 The challenge of the RegTech business case to 2020 and why it is now beginning to change

Following on from this comes the issue of convincing financial institutions (FI) that it is in their best interests financially to invest wisely in RegTech solutions. This is harder than it may seem, because enormous as the prize may be, unless they can translate that ‘external win’ into how it may benefit them individually, they are unlikely to throw money at the problem. To compound matters, there is a much greater likelihood that banks will be fined by the regulators for being ‘non-compliant’ in regulatory reporting than being explicitly complicit in aiding money laundering activities, so their focus thus far has been on staying within regulatory guidelines at all costs.

This is borne out by the statistics on both sides of the Atlantic. Of the total number of fines (£3.55bn) levied by the FCA from 2013-2019[4], more than 92% were related to issues of non-compliance in reporting, not following previously agreed policy process or not treating customers fairly. Only 7.5% represented fines related to specific money laundering disclosures, though they were for large amounts (Deutsche Bank £163m in 2017 and Standard Chartered Bank £102m in 2019).
Across in the USA, the picture is similar, focused on fines for non-compliance, with, again, AML sanctions standing out for their size, including the largest ever AML fine levied by regulatory authorities – US$1.92bn issued by the SEC to HSBC in 2012 related to activities with Mexican drug cartels[5]. So, when money laundering is discovered, the fines are eye-wateringly large, but they are few and far between, and the outcome has been that FIs generally have been more focused on keeping on the right side of the regulators rather than on individual quests to track down the perpetrators of financial crime.

This has been long recognised by the FCA itself. In a July 2013 report, they stated:

The root cause of these problems is often a failure in governance of money laundering risk, which leads, among other things, to inadequate anti-money laundering resources and a lack of (or poor quality) assurance work across the firm. This often focuses on whether processes have been followed rather than on the substance of whether good AML judgements are being made[6].

[3] https://www.imf.org/external/pubs/ft/fandd/2018/12/imf-anti-money-laundering-and-economic-stability-straight.htm
[4] https://www.fca.org.uk/news/news-stories/2019-fines
[5] This has recently (October 2020) been topped by the $2.9bn fine imposed on Goldman Sachs by the SEC and Department of Justice for the Bank’s involvement in the 1MDB Malaysian scandal.
[6] https://www.fca.org.uk/publication/corporate/anti-money-laundering-report.pdf
All of the above has created significant hurdles for the RegTech sector. With few exceptions, the banks’ mantra has been, ‘what is the minimum we have to do to keep the regulator happy and remain compliant?’ and this philosophy has determined the path of RegTech activity, which has been concerned with building a product that automates and improves efficiencies within this overall existing structural set-up.

This is best illustrated by looking at SARs. SARs (Suspicious Activity Reports) are issued in the UK by banks and other FIs to the National Crime Agency. In 2019, for example, 460,000 SAR notices were raised – the figures are very large indeed and there is no relation between the fines levied for AML (two in total in the last seven years) and the volume of SARs posted. On the contrary, the large number of SARs raised simply reflects the need to report anything suspicious in case it turns out to be fraudulent, which would automatically generate a fine under the Proceeds of Crime Act (2002) and worse, might generate criminal proceedings against the directors of the FI responsible for AML. The clear implication is that the volume of SARs raised is as much to do with banks understandably protecting their own interests as there being any form of co-operative working between bank and regulator in the fight against money laundering.

The conclusion of the foregoing is that current banking and other FI systems environments are simply inadequate to arrest money laundering proactively, despite the fact that globally banks spend somewhere between 2%-5% of total annual revenues on their overall risk and financial crime divisions[7], despite the FCA being fully aware of the issue, and despite the fact that somewhere less than 5% of SARs are actively investigated by the NCA. A new technology-focused approach will be required if any headway is to be made in this area.
There is consensus that this is the case and there needs to be a change in the financial ecosystem structure to make any serious impact on reducing financial crime[8]. Before discussing what technologies could play a leading role in such an ecosystem and what changes also need to happen at government level to accommodate this, it is worthwhile reviewing the RegTech picture over the last decade.

5 The RegTech picture 2010-2020

In its simplest form, RegTech is the application of technology to improve the efficiency of regulatory compliance. By implication, and as highlighted above, it also involves focussing on KYC and AML. Since the financial crisis, technology deployment can typically be found in one or more of the following areas:

• regulatory reporting
• identity management and control
• risk management
• compliance adherence
• transaction monitoring

[7] https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20Insights/Financial%20crime%20and%20fraud%20in%20the%20age%20of%20cybersecurity/Financial-crime-and-fraud-in-the-age-of-cybersecurity.ashx
[8] https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-fsi-iif-financial-crime-report-ap7.pdf
There are already many RegTech companies in existence - Encompass[9], for example, has developed technology that assists FIs with efficient and more accurate onboarding and remediation of clients by having electronic access to many of the world’s largest data registries, and embedding those data searches electronically into the bank’s onboarding Policy process. As a result, improvements are made in the identity management and control component of the process as well as ensuring enhanced levels of compliance by instantiating controls as code and the provision of an auditable electronic audit trail. Other companies provide efficient workflow engines that improve the productivity of the regulatory journey, whilst others automate and improve the necessary reporting output standards required by the regulator. In their ongoing research study, Deloitte (2020) have identified 362 RegTech companies globally who fit into one of the five categories listed above[10].

During this first phase of RegTech, the technical focus has been on improving and automating processes, on the basis that the technology provides the client a product or service that is fully compliant with the regulatory rules in play. It is also vital that technology provides an electronic audit trail to prove that the process agreed with the regulator (FCA in the UK) has been followed. An investment bank must make sure there are no breaches to any of the regulated guidelines on liquidity, that risk-weighted assets (RWA) are within set bounds and that capital adequacy ratios remain within the guidelines set. For a commercial or corporate bank, it’s about making sure that due process for onboarding new business clients or remediating existing clients has been followed on the basis agreed with the regulator and being able to prove that such a process was followed. Finally, in the case of a retail bank, new customers should be properly identified and verified, and so forth.
These regulatory tasks come with a plethora of electronic forms and audit trails, which are held by the banks, and produced on request to the regulator. What technology has brought to this environment in the last decade is the automation or process improvement of these tasks – be that in regulatory reporting, risk management, identity verification, transaction monitoring or general compliance. The technologies deployed incorporate data analytics, robotic process automation, and some limited machine learning, but the important concept to grasp is that all of these technology improvements are taking place under the restrictions of a bounded framework of existing regulatory infrastructure which is, in the main, analogue, or paper-based at its core and is no longer fit for purpose. To further complicate matters, banks and other FIs within the UK jurisdiction operate in a ‘silo’ environment where data and transaction flow sharing is generally prohibited or discouraged due to privacy laws (such as GDPR).

While good progress has been made in the area of KYC (a static entity), little impact has been made on the area of AML and financial crime overall, as money laundering is a dynamic entity which also doesn’t respect jurisdictional boundaries. This is the big challenge for regulators and banks alike over the next ten years. Fortunately - as will be discussed below - there is a whole new window of technology-driven opportunity opening up which brings with it some positive signs for the future.

[9] https://www.encompasscorporation.com
[10] https://www2.deloitte.com/lu/en/pages/technology/articles/regtech-companies-compliance.html

6 Key emerging technology directions 2020-2030

To bring an easier understanding of the complexities of what’s evolving in the technology world of RegTech, it is useful to split developments into two categories – those related to systems architectural change from an infrastructural perspective – such as cloud computing, big data, data lakes and utilities – and those related to the technologies that typically sit within these new environments and bring with them new ways of solving regulatory problems, such as natural language processing (NLP), blockchain, homomorphic encryption, federated learning, and others. And, of all these initiatives – structural or individual – the single most important thread is what BigTech (the large global technology players) is doing within financial services, and what the implications are for banks and RegTech.

Systems architectural directions

Cloud-native data management and data lakes

Excepting a minority of digital start-up banks in the UK, all bank transactional payment systems sit within data management technologies dating from the enterprise architecture era (1980s/1990s). The stability and security advantages of this era’s technologies do come with a considerable cost: the need for strict change control procedures and policies which limit the windows available for insertion of new functionality to just a few hours every month. And this limits banks’ scope for agility and opportunities to innovate. Just as current regulatory processes still have their origins in an outdated analogue world, so current bank core systems mirror a similar pattern, sacrificing flexibility and innovation for a highly prescriptive architecture which is also no longer fit for purpose. Banks, their system architects and software developers are turning their attention to cloud-native architectures as a path to customer-focused continuous innovation where new code can be deployed as and when the business needs to adjust to threats and opportunities in the external environment.
Rapid innovation in the data management layer of cloud-native architectures, particularly in NoSQL[11] technologies, creates opportunities for banks to stream transactional data from their core systems into secondary architectures. These include data lakes, which use NoSQL technologies to store data in their native formats, whether these are structured, semi-structured or unstructured. Assuming the bank maintains sound governance that ensures data entering the lake is cleansed and classified, then analysts, data scientists and software developers can find and access data for transformation and downstream processing by predictive algorithms of machine learning. This approach allows banks to gain an accurate picture of their customers’ spending, loan and preference patterns and to identify transactional patterns indicative of financial crime.

[11] https://www.mongodb.com/nosql-explained

The importance of this two-speed architecture and data lake concepts is well captured in the following extract from a recent McKinsey paper on the future of monitoring risk in banking.

The supporting IT infrastructure and data could take a variety of forms, although the most recent trends lean toward a “two-speed architecture” and data lakes. A two-speed architecture decouples the bank’s IT architecture into a slower, reliable back end (e.g., the bank’s core IT systems, often the legacy systems) and a flexible, agile front-end that is customer-facing. A data lake gathers and stores all types of data, structured and unstructured, internal and external. Data entering the bank need not follow strict rules (as would be required of data entering an enterprise data warehouse). Instead, the users of the data define the rules when they extract the data from the lake. By combining this flexibility with Google-like search technology, the data lake provides banks with a step-change that helps them leverage their data for multiple purposes, ranging from marketing to risk to finance. The scope and flexibility of the system help banks use big data tools for complex data investigation and analysis[12].

The availability of cost-effective access to vast amounts of cloud-based computing power is also a very significant development. Both Amazon and Microsoft through their AWS and Azure offerings now offer easy and cost-effective access to any bank or FI that wishes to build its own cloud-based environment. In addition, these companies and others – in particular Google – provide a large range of tools to help with the creation of efficient big data repositories resident in the cloud. Google has created several innovative tools, including the capability of easily building a high-performance machine learning environment using Tensor Processing Units (TPUs)[13].

Utilities

Utilities are technology platforms accessible by member banks and other FIs that offer reliable up to the minute data information on individuals and companies, their directors, shareholders and ultimate beneficial owners (UBO). The primary purpose of a utility is to serve as a single repository of commonly used KYC or AML data of customers which can be used by all participating financial institutions. The data inside a utility is ‘authenticated’ and can be relied upon as being true and accurate having gone through an agreed confirmation process by all members of the utility.

Utilities are now emerging on a regional basis worldwide. There are initiatives underway in India, Singapore, Hong Kong, Scandinavia, Holland, and other jurisdictions. There are two main types – a KYC utility and an AML utility. The former, the more common type, holds current static information on individuals and companies, the latter also tracks transactional data for these companies to spot potential crime/money laundering activities and is a much more ambitious project as it requires tracking vast volumes of financial transactions with inbuilt algorithms trained to identify suspicious financial movements.
Such an initiative is currently underway in Holland with 5 of the country’s main banks[14]. The typical utility-style model is illustrated below.

[12] https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/pdfs/the_future_of_bank_risk_management.ashx
[13] https://cloud.google.com/tpu
[14] https://www.corporatecomplianceinsights.com/aml-utility-fincrime-compliance/
Encompass is currently working on a utility initiative with the Nordic banks[15]. The Nordic utility is an initiative from six banks across Scandinavia - Danske Bank, DNB, Handelsbanken, Nordea, SEB and Swedbank – who have initiated a project with the aim of establishing a common KYC utility for the Nordics. The key objectives of this utility are as follows:

• The delivery of a common banking standard on KYC
• A single point of entry and faster onboarding for the end customer
• Improved quality of end customer data
• Increased transparency towards clients and the supervisory authorities

The concept behind Utilities is sound - they split costs among participating institutions and profile a single customer once on behalf of all banks. They also offer the potential of ‘data scale’ by aggregating individual banks’ data, which, as highlighted already, is a key component of the new RegTech order. At the same time, their approach can improve the customer experience because once the customer detail has been authenticated within the utility, these details no longer need to be replicated by the customer as would be the case today in a standard KYC approach as the customer moves from one bank application to the next in repetitive and time-consuming motion, in each case effectively starting the application from scratch.

[15] https://www.nordea.com/en/press-and-news/news-and-press-releases/press-releases/2018/05-31-08h00-nordic-banks-to-explore-common-kyc-joint-venture.html

Even though there are an increasing number of bank utility initiatives underway, the disappointing reality is that the only successful example of a working private utility to date is the SWIFT interbank global payment network. SWIFT has a successful shared data repository that holds profile data for hundreds of respondent and correspondent banks. The SWIFT KYC utility, available to SWIFT members, is useful for member correspondent/respondent banking relationships, and reduces correspondents’ risk when dealing with respondent banks in high-risk or sanctioned jurisdictions because the SWIFT utility validates where the money goes, and that the recipient is acceptable. The utility, which is used by major correspondent and respondent banks, is used primarily for the larger payments of larger corporations. There are around 11,000 SWIFT users today, which makes SWIFT a significant player in international corporate payments.

It is worth asking the question, why are there no live bank utilities in operation today (with the exception of SWIFT)? The answer is relatively straightforward - third-party utilities do not work because of the conflict-of-interest issue between the operator and the member banks, and bank joint-venture utility models also do not work because there is no current incentive for banks alone to expend monies on these constructs, where there is no measurable benefit to the banks themselves[16]. SWIFT works because there is a working economic model behind it for all participating members. In the case of utilities established for consumers and businesses there are clear benefits to the consumer or business customer (loan application for example only completed once), but other than to improve levels of customer service or reduce levels of fraud and financial crime (a benefit to society), what are the benefits to the banks themselves, and therefore why would banks pro-actively create and fund such entities when no-one in higher authority is currently mandating their existence? Proof of concept or pilot utility models are one thing (and there are plenty of examples of these).
Directly funding and operating a utility in live mode over a sustained period is a new and expensive modus operandi for all banks and quite another thing altogether. The missing piece of the jigsaw here is that utilities will only succeed beyond pilot phase if they are run by member banks with active, as opposed to passive, Government support, a theme which will be discussed later in the paper. Anecdotal evidence from the UK (UK Finance) would also suggest that the absence of a UK pilot bank utility model is not because it hasn’t been discussed by the UK Banks (it has), it is simply, and unsurprisingly, not something which is currently on the top of their ‘to do’ list.

There remains little doubt however that if banks were to ‘pool’ their static (KYC) and transactional (AML) data into a utility-style set up with other banks there are immediate gains available to all participants, in particular the smaller operatives, as well as to consumers and businesses and society at large - this is one of the key technology underpinnings in support of the growth of utilities in the financial sector for highly effective KYC and AML activities. And it could well prove to be the most sensible defence strategy against what is beginning to emerge as a real and present threat to the very existence of banks themselves, the rise of Big Tech and big data.

Big data, Big Tech, Social Media Analysis (SMA) and the rise of the oligopolists

One of the key technologies that will play an increasing role in RegTech over the next ten years is big data. Big data simply means the capture, storage and ordering of many different information sources on individuals and companies. This includes traditional forms of hard or structured information such as personal data, company data, as well as new forms including videos, social media posts, emails, texts, news clippings and other forms of ‘soft or unstructured information’.
The larger banks are already building their own big data environments, but even big banks’ scale is dwarfed in comparison to the tech giants, who have been building such constructs for the last ten years. There are a handful of technology companies in the world that have access to big data in a live form - Facebook, Amazon, Alibaba, Apple, Tencent and Google. Collectively they are known as ‘Big Tech’. Each of these companies has teams of data scientists experienced in building algorithms that analyse and predict patterns of consumer behaviour within their client base. As highlighted above, big data is needed because the larger the data set the more potential there is for impactful machine learning and efficient predictive algorithms, the more accurate the results, and this requirement for scale in data is a foundation stone of AI and machine learning[17].

[16] https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/a-kyc-aml-utility-driving-scale-efficiency-and-effectiveness

Big Tech has an unassailable advantage in this regard. The data sets of the largest banks in the world are only a fraction of the size of Big Tech’s data sets, and although, for the moment, banks still hold the upper hand in all forms of data related to corporate and institutional clients, for the rest of the client base, including retail customers and SMEs, Big Tech already has a fuller customer profile at its fingertips for a whole range of financial products.

Big data can assist Big Tech firms to analyse and predict human activity and patterns of buying behaviour down to the level of the individual consumer, and because of their global reach can further tune that behaviour by regional area, demographic category, age, skin colour, and a whole host of other factors. The generic term used for this data analysis is SMA (social media analysis). From a RegTech perspective, the important concept here is that irregular and illicit financial transactional behaviour can also be analysed in the same way[18].
Because of its experience in SMA and its all-round ability to analytically comprehend big data, Big Tech may in fact be in pole position to lead the charge in real-time analysis of criminal patterns of financial transactional behaviour, and this is further exacerbated by the move to mobile payments over which Big Tech also has a stranglehold. What big data and Big Tech have also done is to potentially render a generation of rules-based AML detection software redundant at a stroke. Most industry commentators would agree that current rules-based methods of monitoring AML transactions yield an 80%-95% false-positive rate in identifying suspicious activity19. That’s a lot of wasted time for investigators and wasted money to the management team currently resident within bank risk departments. Using machine learning techniques such as path analysis and sequence analysis alongside social media analysis, analysts can identify the patterns that criminals typically follow – this particular technology development will undoubtedly form a critical component of the future of RegTech AML tracking.

Turning to the matter of market competition and Big Tech, only the technology giants have access to the scale of big data required to construct meaningful predictive algorithms which will function in real time. Barriers to entering this marketplace are formidable and a natural oligopolistic supply situation therefore emerges where only the chosen few have the capability to play in this field. Currently, they don’t have access to the scale of transactional data required to build AML predictive algorithms, but it is only a matter of time, as a number of these Tech giants are already operating in the financial sector (Apple Pay, Alipay, Amazon Pay, Facebook, Google Pay). Whilst the operations are currently focused on the retail sector, a few of the players are already offering loans to business customers (Amazon, for example, offers loan finance to its merchant base in some countries).
And so, for banks, an existential threat begins to emerge. A number of commentators have already highlighted the need for Big Tech to operate under the same regulatory rules and capital adequacy ratios as the banks, otherwise it will simply emerge as the key originator and distributor of loans to consumers and SMEs, funnelling off most of the profits, with banks reduced to utility providers whose role is to service the loan book. In a portent of what’s coming down the track for the UK banking industry, Big Tech is already active in the UK financial sector – for example, Lloyds Bank has recently signed a ten-year deal with Google to improve the ‘digital experience’ for Lloyds customer base20. Unsurprisingly, the IMF and other bodies are becoming concerned about the power of Big Tech in the world of banking and cite the fact that, within the last ten years, two payment providers – AliPay and WeChat – have come from nowhere to control more than 90% of the mobile payments market in China21. If there was ever a case for the banking industry to take stock, reflect, and create data scale through new co-operative operating models such as KYC/AML utilities, then that case is for action now.

17 https://www.liebertpub.com/doi/full/10.1089/big.2013.0037
18 https://www.zencos.com/blog/aml-analytics-compliance-guide-decision-tree/
19 https://www.ibm.com/downloads/cas/WAGARKEM

Individual technologies

Inside and around the new systems architectures will sit a range of individual technologies whose primary purpose will be to address the main business challenges of the RegTech ecosystem. The more notable innovations are outlined below.

Natural Language Processing

NLP excels at the automated analysis of huge quantities of unstructured data, and it is a powerful resource for financial institutions as they combat fraud, money laundering, and criminal enterprise generally. A number of technology companies are deploying NLP as part of the overall KYC/AML customer profile. Typical use is in more quickly understanding the context and sentiment of articles and other information related to the entity being reviewed during an extended customer due diligence (CDD) review. With NLP, it is about both the content and the context, as certain content might, taken alone, ring alarm bells, but when viewed in context, it means something entirely different. NLP applies this logic to its processing, taking context into account. This helps whittle down incidences which may previously have been identified as fraudulent.
In financial crime compliance and AML, NLP reads new sources to find mentions of suspects or ‘bad actors’ and understands what those sources are saying about the individuals concerned. NLP can speed up the review process by over 60% by eliminating false positives from news analysis on an individual22.

20 https://www.lloydsbankinggroup.com/Media/Press-Releases/2020-press-releases/lloyds-banking-group/lloyds-banking-group-announces-collaboration-with-google-cloud-to-accelerate-digital-transformation/
21 https://www.finextra.com/newsarticle/33952/imf-warns-of-big-tech-threat-to-financial-stability
22 https://www.ibm.com/downloads/cas/WKLQKD3W

Homomorphic Encryption

As already highlighted, one of the largest impediments to progress in fighting financial crime is the rules around data privacy and the sharing of financial data between respondent and correspondent banks. These data privacy rules exist at both the intra- and inter-jurisdictional level. Excepting national and international crime agencies such as Interpol, free data exchange is forbidden – either of suspect customer or transactional details – and whilst there are variants to this model across the world, the overall financial regulatory regime globally is not supportive. Homomorphic encryption (HE) enables computations to be carried out on encrypted data without needing to decrypt it first and so offers a way around this problem. This means a bank could theoretically encrypt sensitive data, send it for processing outside its firewalls to a hybrid and/or public cloud to train and perform predictions on ML models, and then receive it back without any unauthorised person seeing the actual data or the results. Clearly, the potential for AML is self-evident – for example, in assessing whether a stream of financial transactional data is likely to be criminal or fraudulent in nature. This technology is gaining prominence and already has traction among regulators. In a RegTech sprint organised by the FCA in 2019, several of the participants focused on pilot programs to specifically test the capability of this technology23. While there remain issues around speed of analytic calculation for data encrypted in this way, and no agreed set of operating and data standards for HE, there is still good potential for this technology in RegTech24.

Federated learning

The daily tasks involved in maintaining regulatory compliance are highly routine and repeatable, but with traditional legacy systems up to 90% of flagged transactions can be false positives, driving unreasonable amounts of human review. Federated learning allows multiple parties (banks) to collaboratively train a machine learning model without sharing their private data, and, as a result, each bank can create models trained on a much larger set of data assets from all participating banks in the network. The greater the number of participants, the more robust the outcomes (more shared data). It works as follows - the host server (assume a bank utility set-up) distributes the trained model to the member banks of the utility. The individual banks train the model on locally available data (their client data). These models are then sent back to the host server instead of the data, where they are averaged to produce a new model. The new model now acts as the primary model and is again distributed to the member banks. This process is repeated until the model achieves a satisfactory result. In every iteration, the model gets a little better than it already was. Thus, federated learning gives birth to better intelligence whilst at the same time protecting client data and staying within the bounds of data protection rules. This type of system might be more appealing to regulators, as it would give all banks equal footing to fight financial crime and is another justification for the development of a shared-bank utility model.

Network Analytics

Network analytics specifically focusses on identifying and forecasting connections, relationships and influence among individuals and groups – it mines transactions, interactions and other behavioural information that may be sourced from social media. In a financial crime context, banks can use network analytics to identify links and patterns which traditional monitoring systems would not identify25. It is worth highlighting that Network analytics differs from SMA (Social Media Analytics) in that the former is trying to identify patterns of financial transactional behaviour between connected groups of individuals whereas the latter is concerned with identifying predictive patterns of behaviour among individuals.

23 https://www.fca.org.uk/events/techsprints/2019-global-aml-and-financial-crime-techsprint
24 https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/financial-services/lu-next-generation-data-sharinging- financial-services.pdf
25 https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/network-analytics-and-the-fight-against-money-laundering
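The federated learning loop from the section above (distribute, train locally, return models, average), as an added example that is not from the paper; it also draws on the homomorphic encryption section by having banks encrypt their model weights with the additively homomorphic Paillier scheme, so the host averages ciphertexts it cannot read. The toy key size, the key pair shared among banks only, the two-feature data and all function names are assumptions constructed for illustration.

```python
import math
import random
import secrets

# Toy Paillier key from two Mersenne primes (assumption: demo size only).
P, Q = 2**89 - 1, 2**107 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key, banks only
MU = pow(LAM, -1, N)
SCALE = 10**6                                       # fixed-point weight scale


def encrypt(value):
    """Encrypt a float as a fixed-point integer; negatives wrap modulo N."""
    m = round(value * SCALE) % N
    r = secrets.randbelow(N - 1) + 1                # fresh randomness per call
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(cipher):
    m = (pow(cipher, LAM, N2) - 1) // N * MU % N
    return (m - N if m > N // 2 else m) / SCALE     # upper half = negatives


def add_encrypted(c1, c2):
    """Multiplying Paillier ciphertexts adds the hidden plaintexts."""
    return c1 * c2 % N2


def make_bank_data(seed, n=60):
    """Constructed sample: two scaled transaction features in [-1, 1];
    label 1 (suspicious) when their sum is clearly positive."""
    rng = random.Random(seed)
    rows = []
    while len(rows) < n:
        x1, x2 = rng.uniform(-1, 1), rng.uniform(-1, 1)
        if abs(x1 + x2) > 0.2:                      # margin around the boundary
            rows.append((x1, x2, 1 if x1 + x2 > 0 else 0))
    return rows


def predict(w, x1, x2):
    return 1 / (1 + math.exp(-(w[0] * x1 + w[1] * x2 + w[2])))


def local_train(w, rows, epochs=50, lr=0.5):
    """A member bank refines the distributed model on its own client data."""
    w = list(w)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x1, x2, y in rows:
            err = predict(w, x1, x2) - y
            for i, xi in enumerate((x1, x2, 1.0)):
                grad[i] += err * xi
        w = [wi - lr * g / len(rows) for wi, g in zip(w, grad)]
    return w


def federated_round(global_w, banks):
    """One round: distribute, train locally, return encrypted models, average."""
    local_models = [local_train(global_w, rows) for rows in banks]
    encrypted = [[encrypt(w) for w in model] for model in local_models]
    # Host side: only ciphertexts arrive; sum them weight by weight.
    summed = encrypted[0]
    for model in encrypted[1:]:
        summed = [add_encrypted(a, b) for a, b in zip(summed, model)]
    # Bank side: decrypt the sum and divide by the number of banks.
    new_global = [decrypt(c) / len(banks) for c in summed]
    return new_global, local_models


def accuracy(w, rows):
    hits = sum((predict(w, x1, x2) > 0.5) == (y == 1) for x1, x2, y in rows)
    return hits / len(rows)


def run(rounds=5):
    banks = [make_bank_data(seed) for seed in (1, 2, 3)]
    w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        w, _ = federated_round(w, banks)
    return w, banks


if __name__ == "__main__":
    model, banks = run()
    print("global model:", [round(x, 3) for x in model])
    print("accuracy per bank:", [accuracy(model, rows) for rows in banks])
```

The host never holds `LAM`, so it can combine the banks' models but cannot read any single bank's contribution; only the averaged model is decrypted.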
Distributed ledger technology (DLT)

In DLT each party in a transaction is assigned a cryptographic key and once the transaction is approved by all participants in the network (say an issuing and correspondent bank) the transaction is completed and an encrypted block is created. Data on the ledger cannot be altered easily, and any data that is altered within a block can be tracked and monitored, preventing fraud and misuse. Currently, for most financial institutions, data is stored in silo-based systems. A shared ledger combines all data onto one platform (for example, a utility-style construct). This shared and immutable ledger has an unaltered transaction history which could be shared with regulators. The transparent nature of DLT could allow banks and financial regulators to communicate in real-time with each other on the same network and whilst the block is added to the public ledger, the transaction details within the block remain private due to the cryptographic keys assigned to each party – hence addressing potential data privacy concerns.

A variant of DLT is called blockchain, which is the basis for current crypto currencies such as Bitcoin. A blockchain environment is designed for parties that do not have knowledge of one another and is less likely to gain traction in banking than other forms of permission-enabled DLT constructs. A recent bank utility initiative in Singapore ran into problems using a blockchain approach. It is still early days in the DLT story. However, by 2030, it may form an important role in the RegTech ecosystem. Currently, there are concerns around the amount of computer power that would be needed to drive such a globally integrated distributed shared financial ledger set-up, but interestingly, the largest and most influential technology supplier to the banking industry over the last 30 years, IBM, is backing it26.
Some commentators highlight potential savings of 30%-50% in banking compliance costs by the implementation of a DLT/Blockchain style construct27. The UK Government has also published a paper on the potential uses of DLT/blockchain28.

Improved digital ID and verification – biometrics

There has been much focus on technology solutions that can arrest financial crime at the starting gate, and there are many solutions being trialled around improved digital ID. One interesting development is in the field of biometrics, where face or fingerprint detection systems are becoming increasingly sophisticated and some of the larger banks are already offering logon capability via voice, facial recognition or fingerprint recognition. The largest live biometric implementation at scale is in India. The digital Identity Document (ID) initiative has created the world’s largest biometric database. The national ID card system, known as Aadhaar (translated as foundation) was introduced in 201029.

In summary, then, there are both infrastructural technology initiatives underway (utilities/data lakes/cloud computing/big data) as well as a range of interesting individual technology innovations (NLP/homomorphic encryption/federated learning/Network Analytics/DLT/digital ID) that, taken together, provide a formidable range of options for materially improved KYC/AML tracking during this coming decade. In the next section, I begin to sketch out what new operating models might begin to emerge when all of these technologies are added together to create a utopian digital world of financial regulatory compliance with minimal financial crime.

26 https://www.ibm.com/uk-en/blockchain
27 https://www.accenture.com/t20170120T074124Z w /us-en/_acnmedia/Accenture/Conversion-Assets/Do
28 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf
29 https://medium.com/oxford-university/all-eyes-on-indias-biometric-id-experiment-3f01bdb17dca

7 The new paradigm in 2030

Imagine that it is 2030, and the analogue regulatory policies and rules have been left far behind. Technologists have been given a free rein to design the optimum RegTech ecosystem and create a new modus operandi deploying all of the technologies described in the last section. What will emerge and what will that RegTech environment look like?
A possible scenario is outlined in the lower section of Figure 1. In this world, regulations are issued digitally in ‘machine readable code’, there is a newly agreed set of global standards and interfaces for data sharing between financial institutions (both within and between different jurisdictions), and the world of compliance is networked together via an emerging set of regional utilities or ‘hubs’, which act as the true authenticated source of data for all. Different jurisdictional legal systems have achieved harmony because everyone has agreed to the principle of ‘equivalence’ across financial products and financial contracts and rules, and every entity in the world has a unique global identifier, or Legal Entity Identifier (LEI).

Criminals find it increasingly difficult to money launder crime proceeds through this network because each of these utility hubs will be able to instantly identify known ‘bad players’ at the KYC stage of the on-boarding process from live data reporting across all of the networked jurisdictional hubs, and each of the hubs will additionally contain an array of predictive algorithms that will instantly identify AML transactional patterns of money laundering both within and between hubs. Criminal activity will either be stopped at the entrance gate to the utility, by effective biometric exclusion, or arrested once inside the entity by a combination of these powerful predictive algorithms and live interconnected KYC checks. A whole range of other complementary technologies will also be working away in the background to support the overall ecosystem such as NLP, SMA and network analytics. KYC and AML compliance will be integrated, automated and fully digitised.

Downstream of this, new technologies such as federated learning will suppress criminal activity operating at scale in real time principally at the mobile/device level which by 2030 has become the primary point of origin for most of the world’s financial transactions save those of large corporates and Governments. Transactional data security – always of primary concern – is addressed via deployment of widespread distributed ledger technology (DLT).
Banks will of course retain their own proprietary data sets for their own client service and marketing purposes, and, if the KYC/AML shared utility concept fails to gain traction, they will need to build their own ‘data repositories’ instead. For the first time, there is a real and material reduction in financial crime and money laundering – even a 5% reduction in global AML (at £5tn) would result in a net gain of £250bn each year to the global economy, equivalent to the size of Vietnam’s total GDP.

How realistically achievable is this? As will be outlined below, good progress is already being made by banks, RegTech companies and regulators. A number of initiatives are already underway, and much of the technology is in place too. However, there are also material obstacles to be overcome, the majority of which are not in fact rooted in the limits of technology but in the requirement to change the status quo of the current established order within the global financial system – covering regulatory oversight, legal systems, political will, and others. Before examining these obstacles, let us first examine the developments that are taking place at Government level within the UK which show positive signs for the development of some of these new digital pathways.

8 Recent UK Government and regulator initiatives

There are several initiatives underway worldwide that are moving in concert with the trends emerging in improving the ecosystem and infrastructure around regulation. The UK is seen – through the offices of the FCA – as being a global leader in this regard. Some of the recent steps being taken in the UK include

• Promise of future rules and policy guidance from the FCA being released in ‘machine readable code’.
• Companies House UK – from January 2020, all registrations must include a mandatory entry on the UBO, and from September 2020, compulsory identity verification of directors will be introduced, with Companies House given more powers to query and remove false information working alongside the National Crime Agency (NCA).
• Sandboxes and Tech Sprints – the FCA is significantly increasing its focus on RegTech and in 2019 held a series of Tech Sprints focused specifically on AML and financial crime30.
• The UK Joint Money Laundering Initiative (JMLI) – set up in 2015, is recognised as being a potential model for other countries in the fight against financial crime.
• The creation of the National Economic Crime Council (NECC) in 2018 has added another supervisory layer and further Government focus on monitoring financial crime.
• The Open Banking/PSD2 initiative is underway and is being supported by the FCA – this will allow easier, permission-enabled access to banks’ customer data by third party organisations, such as Fintech and RegTech companies.
• The Bank of England is being encouraged to review the possibility of building its own APIs to regulated firms to enable them to gather in data direct without having to request it, with associated delays31.
• The Bank of England is also being encouraged to consider the build of a ‘regulatory utility’ which will provide a ‘data repository’ capability for deep analysis32.
• The FCA has appointed a new position of Director of Innovation in 201933.

9 Overcoming barriers to change – 2020-2030

We started the 2030 RegTech forecast with a detailed drill-down on some of the more important technology components, including commentary on both infrastructural and individual technology solutions that are available to deploy over the next ten years in order to improve KYC and attack financial crime and followed that with a vision of what was possible in this new utopian world.
But the real world is a complex place, and, at times, disappointingly resistant to change, however big the financial prize, and there are several challenges or barriers to change that need to be addressed before the RegTech picture discussed in Section 7 above can be reached. Five barrier groups have been identified, four of which are discussed below, with the final one (government/regulator ownership) following thereafter in Section 12.

Civil liberty groups and data privacy laws

A number of laws and civil action groups have emerged over the last 30 years, whose primary function is to protect the privacy and associated rights of individuals – in regulatory environments this includes the EU Directive 2, GDPR and others, and this is further supported by a range of civil liberty groups worldwide. This societal protection has been built with good intent – the privileges, privacy and rights and freedom of the individual are paramount in society, otherwise the end result is a totalitarian state. The paradox here is that the very rules that protect the honest individual also serve to protect the criminal individual, and so the intellectual challenge is how to square this circle. Criminal groups exploit these rules for their own ends, do so with impunity, and it remains easy for them to move money between individually ‘siloed’ financial institutions, or jurisdictional regions as there is no way of easily cross-checking patterns of behaviour between individual banks or between individual jurisdictions.

Homomorphic encryption, federated learning and DLT could go a long way towards addressing these concerns, because they are examples of smart technology circumventing the status quo on data privacy, but it will not be an easy journey, as witnessed recently on the back of the Covid-19 contact tracing apps and the possibility of abuse by Governments in using these apps to move towards a state-monitoring modus operandi. Expect the same reaction with Apps in the future where a code is encrypted into the mobile phones of potential criminal operatives as a result of an algorithm identifying the holder as a possible money launderer. This is a challenge which will not go away but can be addressed by Governments firstly making their own populations more aware of the massive scale of the financial crime problem than has hitherto been the case and secondly by focussing on the potential upsides for everyone if such technologies can be implemented safely whilst protecting the innocent.

30 https://www.fca.org.uk/events/techsprints/2019-global-aml-and-financial-crime-techsprint
31 https://www.bankofengland.co.uk/-/media/boe/files/report/2019/future-of-finance-report.pdf
32 https://www.bankofengland.co.uk/-/media/boe/files/report/2019/future-of-finance-report.pdf
33 https://radar.behavox.com/global-regulators-views-on-technology-innovations-and-expectations/

Cross-jurisdictional data exchange, legal framework standards, and government support

A new set of ‘data exchange’ rules will require to be established in order for this new RegTech ecosystem to function beyond current private ‘in country’ arrangements.
In addition, there are different legal systems underlying regulatory regimes in different countries – for example, the legal framework of the UK is different to that operating across the EU, and to carry this forward, a legal framework working towards ‘equivalence’ between different legal jurisdictions may be required34. One positive step here is that there is momentum underway to adopt Legal Entity Identifiers (LEI) as a global standard for ultimate ownership identification of company entities. The FSB in the UK reviewed this as an option in 201935, and it has also been highlighted as an important step towards the achievement of common data standards in a recent Bank of England commissioned report36.

There is also a need for agreement on common data structure formats and secure data exchange protocols to be established so that all jurisdictions work towards the same goal with the same structured data sets. In the UK, the European payments services directive (PSD2) and the UK enactment through the Open Banking initiative provide for a set of bank-developed standard APIs into the wider community. This initiative would form a starting foundation for further necessary developments in the area.

In all of the above initiatives, there is a pressing need for global agencies (IMF/World Bank/FATF) to assume a leadership role and bring an element of convergence and agreement across legal, data structural, data exchange and other jurisdictional boundaries that currently exist amongst all the global participants.

34 https://www.ukfinance.org.uk/sites/default/files/uploads/pdf/BQB12-Equivalence-in-a-future-EU-UK-trade-framework-for-financial-services-final.pdf
35 https://www.fsb.org/wp-content/uploads/P280519-2.pdf
36 https://www.bankofengland.co.uk/-/media/boe/files/report/2019/future-of-finance-report.pdf