Reflections on Financial RegTech in 2020: New Initiatives, Opportunities and Challenges to 2030 - a UK Perspective

Page created by Lorraine Hanson
 

Preface
1   Introduction
2   The challenge of defining the business problem that RegTech addresses
3   The scale of the business problem
4   The challenge of the RegTech business case to 2020 and why it is now beginning to change
5   The RegTech picture 2010-2020
6   Key emerging technology directions 2020-2030
    Systems architectural directions
      Cloud-native data management and data lakes
      Utilities
      Big data, Big Tech, Social Media Analysis (SMA) and the rise of the oligopolists
    Individual technologies
      Natural Language Processing
      Homomorphic Encryption
      Federated learning
      Network Analytics
      Distributed ledger technology (DLT)
      Improved digital ID and verification – biometrics
7   The new paradigm in 2030
8   Recent UK government and regulator initiatives
9   Overcoming barriers to change – 2020-2030
    Civil liberty groups and data privacy laws
    Cross-jurisdictional data exchange, legal framework standards, and government support
    Rogue states, transparency and offshore tax havens
    Banks and data companies
10  Re-evaluation of the business case for RegTech
11  The record of the global agencies in AML and getting to the root of the problem
12  The role of financial regulators and other national agencies in the RegTech ecosystem – SupTech
    SupTech in a global context
    SupTech in the UK
13  Final thoughts
Glossary of terms

Preface
Since I first stepped off a plane in San Francisco in 1985 to undergo some ‘tech training’ with
Tandem Computers (a fault-tolerant computer systems supplier to financial institutions), the
operating environment of the financial sector and the deployment of technology inside that
environment has long held a fascination for me. This interest was to a large extent reignited by the
fall-out from the global financial crisis of 2008-9, and more recently through my involvement with a
financial RegTech company (Encompass Corporation).

Both these experiences have opened my eyes to the way financial markets and financial regulation
work and with it a growing sense of frustration about just how impotent current global structures
are in truly facing up to the problem of financial crime.

This paper is an introduction to that world and a journey through the regulatory jungle from a UK
perspective. It describes the current operating framework of financial regulation in the UK and
begins to examine some of the initiatives that could be taken over the next decade using new
technologies and new ways of thinking to finally get a grip on the problem for the good of society.

1       Introduction
Financial RegTech may be defined as the application of technology to the field of Financial
Regulation[1].

This paper charts the main developments in Financial RegTech since its inception, details the likely
changes that will take place over the next ten years, and highlights emergent trends and
developments that would capitalise on the availability of digital technology. It examines the business
drivers behind the rise of RegTech solutions and offers pointers to the likely initiatives that will
emerge.

Also highlighted are some of the challenges that need to be faced, the highly complex nature of the
problem being addressed, and how new concepts such as big data and utilities are likely to play an
increasingly important role in RegTech developments.

Finally, it outlines a future RegTech operating model for the UK where the regulatory authorities
have become pro-active participants in the overall RegTech ecosystem, working alongside the banks
in a joint assault on financial crime.

The paper’s primary aims are therefore to

    •    critically assess the nature of the business problem behind RegTech – that of financial crime and
         its sources
    •    examine how technology may be deployed to significantly reduce that problem
    •    consider some of the institutional and global barriers to change that will be encountered
         along the way
    •    recommend a way forward for the next 10 years by outlining potential joint initiatives that
         incorporate both the private and public sector working together for the greater good.

There are several pathways open to policy makers when looking at tackling financial crime – for
example, implementing tax policies that lead to an overall reduction in tax evasion activities,
especially off-shore, more aggressive policing of drugs, terrorist, human trafficking and cyber-
criminal networks and so forth. This paper is concerned solely with the impact that technology could
have within the overall financial ecosystem in the quest to reduce financial crime.

2       The challenge of defining the business problem that
        RegTech addresses
The best technology solutions have as their basis a clearly defined business problem that needs
addressing. From that business problem comes a high-level systems’ requirements specification,
from which engineers then build the solution.

For RegTech, the question is – what is the business problem? Is it building product to make
regulatory reporting and compliance more productive, or is it building product to catch money
launderers? Is it constructing systems and processes to improve a financial institution’s knowledge
of the client or is it putting in place systems to identify money laundering and fraud? Is it working on
your own to improve your internal systems, or is it working in collaboration with other institutions to
build a better overall solution? If it’s the latter, to what extent are you prevented from getting to the
source of the problem without breaking data privacy laws? In truth, the answer to these questions is
‘all of the above’, and so the easiest way to approach the business problem from a technology
perspective is to distil it down to the two key business challenges that RegTech is trying to address:
knowing your customer (KYC) and anti-money laundering (AML), the twin cornerstones
that were identified as being at the root of the problem by regulatory authorities worldwide after
the financial crisis of 2008-9. Whilst the term RegTech was coined in 2015, technology has been
deployed in this area since the late 1980s.

[1] This paper is solely concerned with the impact of RegTech on the financial sector – there are several other regulated
sectors, e.g. transport, utilities, health, pharmaceuticals, where some of the concepts and technologies discussed in this
paper may have application, but this is beyond the scope of the current paper.

It is worth spending a moment on KYC and AML – are they separate entities or linked? Is one a
subset of the other? What is true is that neither is a new concept: both have existed in one form or
another for centuries – the old banker cry of ‘what collateral do you offer’ to anyone asking for a
loan is a variant on KYC – why lend anyone money if you don’t really know that person? Equally,
criminals, the proceeds of crime and money laundering have existed since the beginnings of a global
banking system if not before. The Financial Crisis of 2008-9 simply accelerated the prominence of
both KYC and its sister entity AML by defining them in a more formal sense.

Whilst from a conceptual definition perspective the two concepts are undoubtedly linked (did you
really perform accurate KYC processes if it turns out that the client is subsequently identified as a
money launderer?), from a technology perspective there are important differences between the
two. KYC can be viewed as a static entity – the information on a form (digitised or not) is accurate at
a point in time. AML on the other hand is a dynamic entity, and in many ways much more elusive to
control – money laundering cannot be identified on a digitised form at a point in time. It is a process
flow. So, from a technology perspective, it is one thing to digitise and bolster the up-to-the-minute
details on anyone engaging in financial transactions, but how do you deploy technology to identify
and potentially stop something that is happening in ‘real-time’? This is a formidable challenge, the
solution to which has only recently become potentially viable.

In this paper, I argue that while significant strides have been made in KYC over the last ten years,
real AML is still in its infancy – much work needs to be done if any material impact is to be made in
this area with the role of the State forming a critical component of the emerging technology
ecosystem over the next ten years.

3         The scale of the business problem
Just as the definition of RegTech is made more difficult by the breadth of the business issues being
addressed, the definition of its scale in financial terms also meets similar boundary challenges. On
the one hand, it is relatively easy to include any proceeds of financial crime when the source was
the supply of drugs, prostitution, terrorism, human trafficking or fraud, but does money
laundering and financial crime also extend to tracking and estimating the value of the assets salted
away in offshore low-tax havens each year, or to estimating the lost value in the outbreaks of flash
trading that have intermittently impacted the world’s stock markets (where computers beat the
cycle time of stock market systems, remain hidden from view and make millions for their
operators)[2]?

The Financial Action Task Force (FATF) was established at the G7 meeting in 1989 to develop a
coordinated international response to money laundering and financial crime. FATF does not itself
provide figures but The World Bank, the IMF, the EU and others all publish their own estimates of
what they consider to be the total global figure of all activities related to money laundering and
financial crime. The estimates vary here, from large to very large, with the consensus being that
2%-5% of global GDP is laundered every year within the global financial system – somewhere between
£2tn-£5tn[3].

[2] https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1211&context=dltr

To put these figures in context, £5tn is the GDP of the Japanese economy and £3tn is the GDP of the UK
economy. That is the order of magnitude lost to money laundering and financial crime every single year, so
both the scale of the issue and the potential prize are enormous in financial terms.

4         The challenge of the RegTech business case to 2020 and
          why it is now beginning to change
Following on from this comes the issue of convincing financial institutions (FIs) that it is in their best
interests financially to invest wisely in RegTech solutions. This is harder than it may seem, because
enormous as the prize may be, unless they can translate that ‘external win’ into how it may benefit
them individually, they are unlikely to throw money at the problem. To compound matters, there is
a much greater likelihood that banks will be fined by the regulators for being ‘non-compliant’ in
regulatory reporting than for being explicitly complicit in aiding money laundering activities, so their
focus thus far has been on staying within regulatory guidelines at all costs. This is borne out by the
statistics on both sides of the Atlantic. Of the total fines (£3.55bn) levied by the FCA from
2013-2019[4], more than 92% were related to issues of non-compliance in reporting, not following
previously agreed policy process or not treating customers fairly. Only 7.5% represented fines
related to specific money laundering disclosures, though they were for large amounts (Deutsche
Bank £163m in 2017 and Standard Chartered Bank £102m in 2019).

Across in the USA, the picture is similar, focused on fines for non-compliance, with, again, AML
sanctions standing out for their size, including the largest ever AML fine levied by regulatory
authorities – US$1.92bn issued by the SEC to HSBC in 2012 related to activities with Mexican drug
cartels[5]. So, when money laundering is discovered, the fines are eye-wateringly large, but they are
few and far between, and the outcome has been that FIs generally have been more focused on
keeping on the right side of the regulators rather than on individual quests to track down the
perpetrators of financial crime.

This has been long recognised by the FCA itself. In a July 2013 report, they stated:

      The root cause of these problems is often a failure in governance of money laundering risk, which
      leads, among other things, to inadequate anti-money laundering resources and a lack of (or poor
      quality) assurance work across the firm.

      This often focuses on whether processes have been followed rather than on the substance of
      whether good AML judgements are being made[6].

[3] https://www.imf.org/external/pubs/ft/fandd/2018/12/imf-anti-money-laundering-and-economic-stability-straight.htm
[4] https://www.fca.org.uk/news/news-stories/2019-fines
[5] This has recently (October 2020) been topped by the $2.9bn fine imposed on Goldman Sachs by the SEC and Department
of Justice for the Bank’s involvement in the 1MDB Malaysian scandal.
[6] https://www.fca.org.uk/publication/corporate/anti-money-laundering-report.pdf

All of the above has created significant hurdles for the RegTech sector. With few exceptions, the
banks’ mantra has been, ‘what is the minimum we have to do to keep the regulator happy and
remain compliant?’ and this philosophy has determined the path of RegTech activity, which has
been concerned with building a product that automates and improves efficiencies within this overall
existing structural set-up.

This is best illustrated by looking at SARs. SARs (Suspicious Activity Reports) are issued in the UK by
banks and other FIs to the National Crime Agency. In 2019, for example, 460,000 SAR notices were
raised – the figures are very large indeed and there is no relation between the fines levied for AML
(two in total in the last seven years) and the volume of SARs posted. On the contrary, the large
number of SARs raised simply reflects the need to report anything suspicious in case it turns out to
be fraudulent which would automatically generate a fine under the Proceeds of Crime Act (2002)
and worse, might generate criminal proceedings against the directors of the FI responsible for AML.
The clear implication is that the volume of SARs raised is as much to do with banks understandably
protecting their own interests as there being any form of co-operative working between bank and
regulator in the fight against money laundering.

The conclusion of the foregoing is that current banking and other FI systems environments are
simply inadequate to arrest money laundering proactively, despite the fact that globally banks spend
somewhere between 2%-5% of total annual revenues on their overall risk and financial crime
divisions[7], despite the FCA being fully aware of the issue, and despite the fact that somewhere less
than 5% of SARs are actively investigated by the NCA. A new technology-focused approach will be
required if any headway is to be made in this area. There is consensus that this is the case and that
there needs to be a change in the financial ecosystem structure to make any serious impact on reducing
financial crime[8].

Before discussing what technologies could play a leading role in such an ecosystem and what
changes also need to happen at government level to accommodate this, it is worthwhile reviewing
the RegTech picture over the last decade.

5       The RegTech picture 2010-2020
In its simplest form, RegTech is the application of technology to improve the efficiency of regulatory
compliance. By implication, and as highlighted above, it also involves focussing on KYC and AML.
Since the financial crisis, technology deployment can typically be found in one or more of the
following areas:

    •    regulatory reporting
    •    identity management and control
    •    risk management
    •    compliance adherence
    •    transaction monitoring

[7] https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20Insights/Financial%20crime%20and%20fraud%20in%20the%20age%20of%20cybersecurity/Financial-crime-and-fraud-in-the-age-of-cybersecurity.ashx
[8] https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-fsi-iif-financial-crime-report-ap7.pdf

There are already many RegTech companies in existence. Encompass[9], for example, has developed
technology that assists FIs with efficient and more accurate onboarding and remediation of clients
by having electronic access to many of the world’s largest data registries, and embedding those data
searches electronically into the bank’s onboarding policy process. As a result, improvements are
made in the identity management and control component of the process, and enhanced levels of
compliance are ensured by instantiating controls as code and providing an electronic audit trail.

Other companies provide efficient workflow engines that improve the productivity of the regulatory
journey, whilst others automate and improve the necessary reporting output standards required by
the regulator. In their ongoing research study, Deloitte (2020) have identified 362 RegTech
companies globally who fit into one of the five categories listed above[10].

During this first phase of RegTech, the technical focus has been on improving and automating
processes, on the basis that the technology provides the client a product or service that is fully
compliant with the regulatory rules in play. It is also vital that technology provides an electronic
audit trail to prove that the process agreed with the regulator (FCA in the UK) has been followed. An
investment bank must make sure there are no breaches to any of the regulated guidelines on
liquidity, that risk-weighted assets (RWA) are within set bounds and that capital adequacy ratios
remain within the guidelines set. For a commercial or corporate bank, it’s about making sure that
due process for onboarding new business clients or remediating existing clients has been followed
on the basis agreed with the regulator and being able to prove that such a process was followed.
Finally, in the case of a retail bank, new customers should be properly identified and verified, and so
forth. These regulatory tasks come with a plethora of electronic forms and audit trails, which are
held by the banks, and produced on request to the regulator.

What technology has brought to this environment in the last decade is the automation or process
improvement of these tasks – be that in regulatory reporting, risk management, identity verification,
transaction monitoring or general compliance. The technologies deployed incorporate data
analytics, robotic process automation, and some limited machine learning, but the important
concept to grasp is that all of these technology improvements are taking place under the restrictions
of a bounded framework of existing regulatory infrastructure which is, in the main, analogue, or
paper-based at its core and is no longer fit for purpose.

To further complicate matters, banks and other FIs within the UK jurisdiction operate in a ‘silo’
environment where data and transaction flow sharing is generally prohibited or discouraged due to
privacy laws (such as GDPR). While good progress has been made in the area of KYC (a static entity),
little impact has been made on the area of AML and financial crime overall, as money laundering is a
dynamic entity which also doesn’t respect jurisdictional boundaries. This is the big challenge for
regulators and banks alike over the next ten years. Fortunately - as will be discussed below - there is
a whole new window of technology-driven opportunity opening up which brings with it some positive
signs for the future.

6         Key emerging technology directions 2020-2030
To make the complexities of what is evolving in the technology world of RegTech easier to
understand, it is useful to split developments into two categories – those related to systems
architectural change from an infrastructural perspective – such as cloud computing, big data, data
lakes and utilities – and those related to the technologies that typically sit within these new
environments and bring with them new ways of solving regulatory problems, such as natural
language processing (NLP), blockchain, homomorphic encryption, federated learning, and others.
And, of all these initiatives – structural or individual – the single most important thread is what
BigTech (the large global technology players) is doing within financial services, and what the
implications are for banks and RegTech.

[9] https://www.encompasscorporation.com
[10] https://www2.deloitte.com/lu/en/pages/technology/articles/regtech-companies-compliance.html

Systems architectural directions
Cloud-native data management and data lakes

Excepting a minority of digital start-up banks in the UK, all bank transactional payment systems sit
within data management technologies dating from the enterprise architecture era (1980s/1990s).
The stability and security advantages of this era’s technologies do come with a considerable cost:
the need for strict change control procedures and policies which limit the windows available for
insertion of new functionality to just a few hours every month. And this limits banks’ scope for agility
and opportunities to innovate. Just as current regulatory processes still have their origins in an
outdated analogue world, so current bank core systems mirror a similar pattern, sacrificing flexibility
and innovation for a highly prescriptive architecture which is also no longer fit for purpose.

Banks, their system architects and software developers are turning their attention to cloud-native
architectures as a path to customer-focused continuous innovation where new code can be
deployed as and when the business needs to adjust to threats and opportunities in the external
environment. Rapid innovation in the data management layer of cloud-native architectures,
particularly in NoSQL[11] technologies, creates opportunities for banks to stream transactional data
from their core systems into secondary architectures. These include data lakes, which use NoSQL
technologies to store data in their native formats, whether these are structured, semi-structured or
unstructured.

Assuming the bank maintains sound governance that ensures data entering the lake is cleansed and
classified, then analysts, data scientists and software developers can find and access data for
transformation and downstream processing by predictive algorithms of machine learning.

This approach allows banks to gain an accurate picture of their customers’ spending, loan and
preference patterns, and to identify transactional patterns indicative of financial crime.

The importance of this two-speed architecture and data lake concepts is well captured in the
following extract from a recent McKinsey paper on the future of monitoring risk in banking.

      The supporting IT infrastructure and data could take a variety of forms, although the most
      recent trends lean toward a “two-speed architecture” and data lakes. A two-speed
      architecture decouples the bank’s IT architecture into a slower, reliable back end (e.g., the
      bank’s core IT systems, often the legacy systems) and a flexible, agile front-end that is
      customer-facing. A data lake gathers and stores all types of data, structured and
      unstructured, internal and external. Data entering the bank need not follow strict rules (as
      would be required of data entering an enterprise data warehouse). Instead, the users of the
      data define the rules when they extract the data from the lake. By combining this flexibility
      with Google-like search technology, the data lake provides banks with a step-change that
      helps them leverage their data for multiple purposes, ranging from marketing to risk to
      finance. The scope and flexibility of the system help banks use big data tools for complex
      data investigation and analysis[12].

[11] https://www.mongodb.com/nosql-explained

The availability of cost-effective access to vast amounts of cloud-based computing power is also a
very significant development. Both Amazon and Microsoft, through their AWS and Azure offerings,
now offer easy and cost-effective access to any bank or FI that wishes to build its own cloud-based
environment. In addition, these companies and others – in particular Google – provide a large range
of tools to help with the creation of efficient big data repositories resident in the cloud. Google has
created several innovative tools, including the capability of easily building a high-performance
machine learning environment using Tensor Processing Units (TPUs)[13].

Utilities

Utilities are technology platforms accessible by member banks and other FIs that offer reliable,
up-to-the-minute data on individuals and companies, their directors, shareholders and
ultimate beneficial owners (UBO). The primary purpose of a utility is to serve as a single repository
of commonly used KYC or AML data of customers which can be used by all participating financial
institutions. The data inside a utility is ‘authenticated’ and can be relied upon as being true and
accurate, having gone through an agreed confirmation process by all members of the utility. Utilities
are now emerging on a regional basis worldwide.

There are initiatives underway in India, Singapore, Hong Kong, Scandinavia, Holland, and other
jurisdictions. There are two main types – a KYC utility and an AML utility. The former, the more
common type, holds current static information on individuals and companies; the latter also tracks
transactional data for these companies to spot potential crime/money laundering activities and is a
much more ambitious project, as it requires tracking vast volumes of financial transactions with
inbuilt algorithms trained to identify suspicious financial movements. Such an initiative is currently
underway in Holland with 5 of the country’s main banks[14].

The typical utility-style model is illustrated below.

[12] https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/pdfs/the_future_of_bank_risk_management.ashx
[13] https://cloud.google.com/tpu
[14] https://www.corporatecomplianceinsights.com/aml-utility-fincrime-compliance/

Encompass is currently working on a utility initiative with the Nordic banks[15]. The Nordic utility is an
initiative from six banks across Scandinavia - Danske Bank, DNB, Handelsbanken, Nordea, SEB and
Swedbank – who have initiated a project with the aim of establishing a common KYC utility for the
Nordics. The key objectives of this utility are as follows:

     •   The delivery of a common banking standard on KYC
     •   A single point of entry and faster onboarding for the end customer
     •   Improved quality of end customer data
     •   Increased transparency towards clients and the supervisory authorities

The concept behind utilities is sound: they split costs among participating institutions and profile a
single customer once on behalf of all banks. They also offer the potential of ‘data scale’ by
aggregating individual banks’ data, which, as highlighted already, is a key component of the new
RegTech order. At the same time, their approach can improve the customer experience: once the
customer’s details have been authenticated within the utility, they no longer need to be replicated
by the customer. Under a standard KYC approach today, the customer moves from one bank
application to the next in repetitive and time-consuming motion, in each case effectively starting
the application from scratch.

Even though there are an increasing number of bank utility initiatives underway, the disappointing
reality is that the only successful example of a working private utility to date is the SWIFT interbank
global payment network. SWIFT has a successful shared data repository that holds profile data for
hundreds of respondent and correspondent banks.

[15] https://www.nordea.com/en/press-and-news/news-and-press-releases/press-releases/2018/05-31-08h00-nordic-banks-to-explore-common-kyc-joint-venture.html

The SWIFT KYC utility, available to SWIFT members, is useful for member correspondent/
respondent banking relationships, and reduces correspondents’ risk when dealing with respondent
banks in high-risk or sanctioned jurisdictions because the SWIFT utility validates where the money
goes, and that the recipient is acceptable. The utility, which is used by major correspondent and
respondent banks, is used primarily for the larger payments of larger corporations. There are around
11,000 SWIFT users today, which makes SWIFT a significant player in international corporate
payments.

It is worth asking the question, why are there no live bank utilities in operation today (with the
exception of SWIFT)? The answer is relatively straightforward - third-party utilities do not work
because of the conflict-of-interest issue between the operator and the member banks, and bank
joint-venture utility models also do not work because there is no current incentive for banks alone to
expend monies on these constructs, where there is no measurable benefit to the banks themselves[16].
SWIFT works because there is a working economic model behind it for all participating members. In
the case of utilities established for consumers and businesses there are clear benefits to the
consumer or business customer (loan application for example only completed once), but other than
to improve levels of customer service or reduce levels of fraud and financial crime (a benefit to
society), what are the benefits to the banks themselves, and therefore why would banks pro-actively
create and fund such entities when no-one in higher authority is currently mandating their
existence? Proof of concept or pilot utility models are one thing (and there are plenty of examples of
these). Directly funding and operating a utility in live mode over a sustained period is a new and
expensive modus operandi for all banks and quite another thing altogether. The missing piece of the
jigsaw here is that utilities will only succeed beyond pilot phase if they are run by member banks
with active, as opposed to passive, Government support, a theme which will be discussed later in the
paper. Anecdotal evidence from the UK (UK Finance) would also suggest that the absence of a UK
pilot bank utility model is not because it hasn’t been discussed by the UK Banks (it has), it is simply,
and unsurprisingly, not something which is currently on the top of their ‘to do’ list.

There remains little doubt however that if banks were to ‘pool’ their static (KYC) and transactional
(AML) data into a utility-style set up with other banks there are immediate gains available to all
participants, in particular the smaller operatives, as well as to consumers and businesses and society
at large - this is one of the key technology underpinnings in support of the growth of utilities in the
financial sector for highly effective KYC and AML activities. And it could well prove to be the most
sensible defence strategy against what is beginning to emerge as a real and present threat to the
very existence of banks themselves, the rise of Big Tech and big data.

Big data, Big Tech, Social Media Analysis (SMA) and the rise of the oligopolists

One of the key technologies that will play an increasing role in RegTech over the next ten years is big
data. Big data simply means the capture, storage and ordering of many different information
sources on individuals and companies. This includes traditional forms of hard or structured
information such as personal data, company data, as well as new forms including videos, social
media posts, emails, texts, news clippings and other forms of ‘soft or unstructured information’. The
larger banks are already building their own big data environments, but even big banks’ scale is

16 https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/a-kyc-aml-utility-driving-scale-efficiency-and-effectiveness

dwarfed in comparison to the tech giants, who have been building such constructs for the last ten
years. There are a handful of technology companies in the world that have access to big data in a
live form - Facebook, Amazon, Alibaba, Apple, Tencent and Google. Collectively they are known as
‘Big Tech’. Each of these companies has teams of data scientists experienced in building algorithms
that analyse and predict patterns of consumer behaviour within their client base. As highlighted
above, big data is needed because the larger the data set the more potential there is for impactful
machine learning and efficient predictive algorithms, the more accurate the results, and this
requirement for scale in data is a foundation stone of AI and machine learning17. Big Tech has an
unassailable advantage in this regard. The data sets of the largest banks in the world are only a
fraction of the size of Big Tech’s data sets, and although, for the moment, banks still hold the upper
hand in all forms of data related to corporate and institutional clients, for the rest of the client base,
including retail customers and SMEs, Big Tech already has a fuller customer profile at its fingertips
for a whole range of financial products.

Big data can assist Big Tech firms to analyse and predict human activity and patterns of buying
behaviour down to the level of the individual consumer, and because of their global reach can
further tune that behaviour by regional area, demographic category, age, skin colour, and a whole
host of other factors. The generic term used for this data analysis is SMA (social media analysis).
From a RegTech perspective, the important concept here is that irregular and illicit financial transactional
behaviour can also be analysed in the same way18. Because of its experience in SMA and its all-round
ability to analytically comprehend big data, Big Tech may in fact be in pole position to lead the
charge in real-time analysis of criminal patterns of financial transactional behaviour, and this is
further exacerbated by the move to mobile payments over which Big Tech also has a stranglehold.

What big data and Big Tech have also done is to potentially render a generation of rules-based AML
detection software redundant at a stroke. Most industry commentators would agree that current
rules-based methods of monitoring AML transactions yield an 80%-95% false-positive rate in
identifying suspicious activity19. That’s a lot of wasted time for investigators and wasted money to
the management team currently resident within bank risk departments. Using machine learning
techniques such as path analysis and sequence analysis alongside social media analysis, analysts can
identify the patterns that criminals typically follow – this particular technology development will
undoubtedly form a critical component of the future of RegTech AML tracking.

Turning to the matter of market competition and Big Tech, only the technology giants have access to
the scale of big data required to construct meaningful predictive algorithms which will function in
real time. Barriers to entering this marketplace are formidable and a natural oligopolistic supply
situation therefore emerges where only the chosen few have the capability to play in this field.
Currently, they don’t have access to the scale of transactional data required to build AML predictive
algorithms, but it is only a matter of time, as a number of these Tech giants are already operating in
the financial sector (Apple Pay, Alipay, Amazon Pay, Facebook, Google Pay). Whilst the operations
are currently focused on the retail sector, a few of the players are already offering loans to business
customers (Amazon, for example, offers loan finance to its merchant base in some countries). And
so, for banks, an existential threat begins to emerge. A number of commentators have already
highlighted the need for Big Tech to operate under the same regulatory rules and capital adequacy
ratios as the banks, otherwise it will simply emerge as the key originator and distributor of loans to
consumers and SMEs, funnelling off most of the profits, with banks reduced to utility providers

17   https://www.liebertpub.com/doi/full/10.1089/big.2013.0037
18   https://www.zencos.com/blog/aml-analytics-compliance-guide-decision-tree/
19   https://www.ibm.com/downloads/cas/WAGARKEM

whose role is to service the loan book. In a portent of what’s coming down the track for the UK
banking industry, Big Tech is already active in the UK financial sector – for example, Lloyds Bank has
recently signed a ten-year deal with Google to improve the ‘digital experience’ for the Lloyds customer
base20.

Unsurprisingly, the IMF and other bodies are becoming concerned about the power of Big Tech in
the world of banking and cite the fact that, within the last ten years, two payment providers – AliPay
and WeChat – have come from nowhere to control more than 90% of the mobile payments market in
China21.

If there was ever a case for the banking industry to take stock, reflect, and create data scale through
new co-operative operating models such as KYC/AML utilities, then that case is for action now.

Individual technologies
Inside and around the new systems architectures will sit a range of individual technologies whose
primary purpose will be to address the main business challenges of the RegTech ecosystem.

The more notable innovations are outlined below.

Natural Language Processing

NLP excels at the automated analysis of huge quantities of unstructured data, and it is a powerful
resource for financial institutions as they combat fraud, money laundering, and criminal enterprise
generally. A number of technology companies are deploying NLP as part of the overall KYC/AML
customer profile. Typical use is in more quickly understanding the context and sentiment of articles
and other information related to the entity being reviewed during an extended customer due
diligence (CDD) review.

With NLP, it is about both the content and the context, as certain content might, taken alone, ring
alarm bells, but when viewed in context, it means something entirely different. NLP applies this logic
to its processing, taking context into account. This helps whittle down incidences which may
previously have been identified as fraudulent. In financial crime compliance and AML, NLP reads
new sources to find mentions of suspects or ‘bad actors’ and understands what those sources are
saying about the individuals concerned.

NLP can speed up the review process by over 60% by eliminating false positives from news analysis
on an individual22.

Homomorphic Encryption

Already highlighted, one of the largest impediments to progress in fighting financial crime is the
rules around data privacy and the sharing of financial data between respondent and correspondent
banks. These data privacy rules exist at both the intra and inter jurisdictional level. Excepting
national and international crime agencies such as Interpol, free data exchange is forbidden – either
of suspect customer or transactional details – and whilst there are variants to this model across the

20 https://www.lloydsbankinggroup.com/Media/Press-Releases/2020-press-releases/lloyds-banking-group/lloyds-banking-group-announces-collaboration-with-google-cloud-to-accelerate-digital-transformation/
21 https://www.finextra.com/newsarticle/33952/imf-warns-of-big-tech-threat-to-financial-stability
22 https://www.ibm.com/downloads/cas/WKLQKD3W

world, the overall financial regulatory regime globally is not supportive. Homomorphic encryption
(HE) enables computations to be carried out on encrypted data without needing to decrypt it first
and so offers a way around this problem. This means a bank could theoretically encrypt sensitive
data, send it for processing outside its firewalls to a hybrid and/or public cloud to train and perform
predictions on ML models, and then receive it back without any unauthorised person seeing the
actual data or the results. Clearly, the potential for AML is self-evident – for example, in assessing
whether a stream of financial transactional data is likely to be criminal or fraudulent in nature.
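
The outsourced-processing model described above, as an added example that is not from the paper: a toy Paillier scheme (additively homomorphic only, not fully homomorphic) in which the bank encrypts three transaction features, an outside processor computes a weighted risk score on the ciphertexts, and only the bank can decrypt the result. The demo key, feature values, weights and function names are assumptions made for illustration, and the key is far too small for real use.

```python
"""Toy Paillier encryption: the processor adds and scales values it cannot read."""
import math
import secrets

# Constructed demo key material: two Mersenne primes giving a ~150-bit modulus.
# Real deployments need a modulus of 2048 bits or more from a vetted library.
P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q):
    """Return (public, private) key dictionaries, using generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    if math.gcd(n, lam) != 1:
        raise ValueError("primes unsuitable for Paillier")
    mu = pow(lam, -1, n)  # decryption constant; this form is valid for g = n + 1
    return {"n": n, "n2": n * n}, {"lam": lam, "mu": mu}


def encrypt(pub, m):
    """Encrypt integer m (negatives are encoded mod n) with fresh randomness."""
    n, n2 = pub["n"], pub["n2"]
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return ((1 + (m % n) * n) % n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    """Recover the plaintext; values above n/2 are decoded as negative numbers."""
    n, n2 = pub["n"], pub["n2"]
    u = pow(c, priv["lam"], n2)
    m = ((u - 1) // n) * priv["mu"] % n
    return m - n if m > n // 2 else m


def cloud_score(pub, enc_features, weights):
    """Runs at the outside processor, which holds only the public key.

    Multiplying ciphertexts adds the plaintexts; raising a ciphertext to a
    plaintext weight multiplies the hidden value by that weight.
    """
    n, n2 = pub["n"], pub["n2"]
    acc = encrypt(pub, 0)  # encrypted zero, also re-randomises the result
    for c, w in zip(enc_features, weights):
        acc = acc * pow(c, w % n, n2) % n2
    return acc


def bank_roundtrip(features, weights):
    """Bank side: encrypt, hand off, decrypt. Returns (decrypted, expected)."""
    pub, priv = keygen()
    enc = [encrypt(pub, x) for x in features]          # leaves the bank
    enc_result = cloud_score(pub, enc, weights)        # computed outside
    expected = sum(w * x for w, x in zip(weights, features))
    return decrypt(pub, priv, enc_result), expected


if __name__ == "__main__":
    # Constructed features: cash deposits, high-risk transfers, account age (years)
    print(bank_roundtrip([12, 4, 7], [3, 5, -2]))
```

Because Paillier supports only addition and multiplication by plaintext constants, it covers linear scoring; training or evaluating richer ML models on ciphertext needs a fully homomorphic scheme, which is where the speed concerns arise.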

This technology is gaining prominence and already has traction among regulators. In a RegTech
sprint organised by the FCA in 2019, several of the participants focused on pilot programs to
specifically test the capability of this technology23. While there remain issues around speed of
analytic calculation for data encrypted in this way, and no agreed set of operating and data
standards for HE, there is still good potential for this technology in RegTech24.

Federated learning

The daily tasks involved in maintaining regulatory compliance are highly routine and repeatable but
with traditional legacy systems up to 90% of flagged transactions can be false positives, driving
unreasonable amounts of human review. Federated learning allows multiple parties (banks) to
collaboratively train a machine learning model without sharing their private data, and, as a result,
each bank can create models trained on a much larger set of data assets from all participating banks
in the network. The greater the number of participants, the more robust the outcomes (more shared
data). It works as follows - the host server (assume a bank utility set-up) distributes the trained model
to the member banks of the utility. The individual banks train the model on locally available data
(their client data). These models are then sent back to the host server instead of the data, where they
are averaged to produce a new model. The new model now acts as the primary model and is again
distributed to the member banks. This process is repeated until the model achieves a satisfactory
result. In every iteration, the model gets a little better than it already was. Thus, federated learning
gives birth to better intelligence whilst at the same time protecting client data and staying within the
bounds of data protection rules.
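
The distribute, train locally, average and redistribute loop described above, as an added example that is not from the paper: three banks with constructed transaction data train a small logistic-regression model, and the host averages the returned parameters weighted by row count. The feature names, the hidden labelling rule, bank sizes and hyperparameters are all assumptions made for illustration.

```python
"""Federated averaging across three banks (constructed data, standard library only)."""
import math
import random


def sigmoid(z):
    # Numerically stable logistic function
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def make_bank_data(rng, n, shift):
    """Constructed sample rows: ((normalised amount, normalised velocity), label).

    Label 1 means suspicious under a hidden rule common to all banks; `shift`
    gives each bank a different customer mix, so the data is not identically
    distributed across banks.
    """
    rows = []
    for _ in range(n):
        x1, x2 = rng.gauss(shift[0], 1.0), rng.gauss(shift[1], 1.0)
        rows.append(((x1, x2), 1 if 1.5 * x1 + 1.0 * x2 - 0.2 > 0 else 0))
    return rows


def local_train(weights, rows, epochs=5, lr=0.5):
    """Runs inside one bank: full-batch gradient descent on its own rows only."""
    w = list(weights)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for (x1, x2), y in rows:
            err = sigmoid(w[0] * x1 + w[1] * x2 + w[2]) - y
            grad[0] += err * x1
            grad[1] += err * x2
            grad[2] += err
        w = [wi - lr * g / len(rows) for wi, g in zip(w, grad)]
    return w, len(rows)  # only parameters and a row count leave the bank


def fed_avg(updates):
    """Runs at the host: average the returned models, weighted by row count."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[i] * n for w, n in updates) / total for i in range(dim)]


def accuracy(w, rows):
    hits = sum(
        (sigmoid(w[0] * x1 + w[1] * x2 + w[2]) > 0.5) == bool(y)
        for (x1, x2), y in rows
    )
    return hits / len(rows)


def run_federation(rounds=30, seed=7):
    """Return (final global weights, hold-out accuracy before, accuracy after)."""
    rng = random.Random(seed)
    banks = {
        "bank_a": make_bank_data(rng, 300, (-0.3, 0.0)),
        "bank_b": make_bank_data(rng, 120, (0.3, 0.2)),
        "bank_c": make_bank_data(rng, 60, (0.0, -0.4)),
    }
    holdout = make_bank_data(rng, 500, (0.0, 0.0))
    global_w = [0.0, 0.0, 0.0]
    before = accuracy(global_w, holdout)
    for _ in range(rounds):
        # The host distributes global_w; each bank trains on data it never shares
        updates = [local_train(global_w, rows) for rows in banks.values()]
        global_w = fed_avg(updates)  # the averaged model becomes the primary model
    return global_w, before, accuracy(global_w, holdout)


if __name__ == "__main__":
    w, before, after = run_federation()
    print("weights:", [round(v, 2) for v in w], "accuracy:", before, "->", after)
```

Plain averaging keeps raw rows inside each bank, but the returned parameters can still leak information about local data; production designs usually add secure aggregation or differential privacy on top.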

This type of system might be more appealing to regulators, as it would give all banks equal footing to
fight financial crime and is another justification for the development of a shared-bank utility model.

Network Analytics

Network analytics specifically focusses on identifying and forecasting connections, relationships and
influence among individuals and groups – it mines transactions, interactions and other behavioural
information that may be sourced from social media. In a financial crime context, banks can use
network analytics to identify links and patterns which traditional monitoring systems would not
identify25. It is worth highlighting that network analytics differs from SMA (Social Media Analytics) in
that the former is trying to identify patterns of financial transactional behaviour between connected
groups of individuals whereas the latter is concerned with identifying predictive patterns of
behaviour among individuals.

23 https://www.fca.org.uk/events/techsprints/2019-global-aml-and-financial-crime-techsprint
24 https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/financial-services/lu-next-generation-data-sharinging-financial-services.pdf
25 https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/network-analytics-and-the-fight-against-money-laundering

Distributed ledger technology (DLT)

In DLT each party in a transaction is assigned a cryptographic key and once the transaction is
approved by all participants in the network (say an issuing and correspondent bank) the transaction
is completed and an encrypted block is created. Data on the ledger cannot be altered easily, and any
data that is altered within a block can be tracked and monitored, preventing fraud and misuse.
Currently, for most financial institutions, data is stored in silo-based systems. A shared ledger
combines all data onto one platform (for example, a utility-style construct). This shared and
immutable ledger has an unaltered transaction history which could be shared with regulators. The
transparent nature of DLT could allow banks and financial regulators to communicate in real-time
with each other on the same network and whilst the block is added to the public ledger, the
transaction details within the block remain private due to the cryptographic keys assigned to each
party – hence addressing potential data privacy concerns. A variant of DLT is called blockchain,
which is the basis for current crypto currencies such as Bitcoin. A blockchain environment is
designed for parties that do not have knowledge of one another and is less likely to gain traction in
banking than other forms of permission enabled DLT constructs. A recent bank utility initiative in
Singapore ran into problems using a blockchain approach.

It is still early days in the DLT story. However, by 2030, it may form an important role in the RegTech
ecosystem. Currently, there are concerns around the amount of computer power that would be
needed to drive such a globally integrated distributed shared financial ledger set-up, but
interestingly, the largest and most influential technology supplier to the banking industry over the
last 30 years, IBM, is backing it26. Some commentators highlight potential savings of 30%-50% in
banking compliance costs by the implementation of a DLT/Blockchain style construct27. The UK
Government has also published a paper on the potential uses of DLT/blockchain28.

Improved digital ID and verification – biometrics

There has been much focus on technology solutions that can arrest financial crime at the starting
gate, and there are many solutions being trialled around improved digital ID.

One interesting development is in the field of biometrics, where face or fingerprint detection
systems are becoming increasingly sophisticated and some of the larger banks are already offering
logon capability via voice, facial recognition or fingerprint recognition.

The largest live biometric implementation at scale is in India. The digital Identity Document (ID)
initiative has created the world’s largest biometric database. The national ID card system, known as
Aadhaar (translated as foundation) was introduced in 201029.

In summary, then, there are both infrastructural technology initiatives underway (utilities/data
lakes/cloud computing/big data) as well as a range of interesting individual technology innovations
(NLP/homomorphic encryption/federated learning/network analytics/DLT/digital ID) that, taken
together, provide a formidable range of options for materially improved KYC/AML tracking during
this coming decade. In the next section, I begin to sketch out what new operating models might

26 https://www.ibm.com/uk-en/blockchain
27 https://www.accenture.com/t20170120T074124Z w /us-en/_acnmedia/Accenture/Conversion-Assets/Do
28 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf
29 https://medium.com/oxford-university/all-eyes-on-indias-biometric-id-experiment-3f01bdb17dca

begin to emerge when all of these technologies are added together to create a utopian digital world
of financial regulatory compliance with minimal financial crime.

7     The new paradigm in 2030
Imagine that it is 2030, and the analogue regulatory policies and rules have been left far behind.
Technologists have been given a free rein to design the optimum RegTech ecosystem and create a
new modus operandi deploying all of the technologies described in the last section. What will
emerge and what will that RegTech environment look like?

A possible scenario is outlined in the lower section of Figure 1. In this world, regulations are issued
digitally in ‘machine readable code’, there is a newly agreed set of global standards and interfaces
for data sharing between financial institutions (both within and between different jurisdictions), and
the world of compliance is network connected together via an emerging set of regional utilities or
‘hubs’, which act as the true authenticated source of data for all. Different jurisdictional legal
systems have achieved harmony because everyone has agreed to the principle of ‘equivalence’
across financial products and financial contracts and rules, and every entity in the world has a
unique global identifier, or Legal Entity Identifier (LEI).

Criminals find it increasingly difficult to money launder crime proceeds through this network
because each of these utility hubs will be able to instantly identify known ‘bad players’ at the KYC
stage of the on-boarding process from live data reporting across all of the networked jurisdictional
hubs, and each of the hubs will additionally contain an array of predictive algorithms that will
instantly identify AML transactional patterns of money laundering both within and between hubs.
Criminal activity will either be stopped at the entrance gate to the utility, by effective biometric
exclusion, or arrested once inside the entity by a combination of these powerful predictive
algorithms and live interconnected KYC checks. A whole range of other complementary technologies
will also be working away in the background to support the overall ecosystem such as NLP, SMA and
network analytics. KYC and AML compliance will be integrated, automated and fully digitised.
Downstream of this, new technologies such as federated learning will suppress criminal activity
operating at scale in real time principally at the mobile/device level which by 2030 has become the
primary point of origin for most of the world’s financial transactions save those of large corporates
and Governments. Transactional data security – always of primary concern – is addressed via
deployment of widespread distributed ledger technology (DLT).

Banks will of course retain their own proprietary data sets for their own client service and marketing
purposes, and, if the KYC/AML shared utility concept fails to gain traction, they will need to build
their own ‘data repositories’ instead. For the first time, there is a real and material reduction in
financial crime and money laundering – even a 5% reduction in global AML (at £5tn) would result in
a net gain of £250bn each year to the global economy, equivalent to the size of Vietnam’s total GDP.

How realistically achievable is this? As will be outlined below, good progress is already being made
by banks, RegTech companies and regulators. A number of initiatives are already underway, and
much of the technology is in place too. However, there are also material obstacles to be overcome,
the majority of which are not in fact rooted in the limits of technology but in the requirement to
change the status quo of the established order within the global financial system –
covering regulatory oversight, legal systems, political will, and others.

Before examining these obstacles, let us first examine the developments that are taking place at
Government level within the UK which show positive signs for the development of some of these
new digital pathways.

8       Recent UK Government and regulator initiatives
There are several initiatives underway worldwide that are moving in concert with the trends
emerging in improving the ecosystem and infrastructure around regulation. The UK is seen – through
the offices of the FCA – as being a global leader in this regard. Some of the recent steps being taken
in the UK include:

    •    Promise of future rules and policy guidance from the FCA being released in ‘machine
         readable code’.

    •    Companies House UK – from January 2020, all registrations must include a mandatory entry
         on the UBO, and from September 2020, compulsory identity verification of directors will be
         introduced, with Companies House given more powers to query and remove false
         information working alongside the National Crime Agency (NCA).

    •    Sandboxes and Tech Sprints – the FCA is significantly increasing its focus on RegTech and in
         2019 held a series of Tech Sprints focused specifically on AML and financial crime30.

    •    The UK Joint Money Laundering Initiative (JMLI) – set up in 2015, it is recognised as being a
         potential model for other countries in the fight against financial crime.

    •    The creation of the National Economic Crime Council (NECC) in 2018 has added another
         supervisory layer and further Government focus on monitoring financial crime.

    •    The Open Banking/PSD2 initiative is underway and is being supported by the FCA – this will
         allow easier, permission-enabled access to banks’ customer data by third party
         organisations, such as Fintech and RegTech companies.

    •    The Bank of England is being encouraged to review the possibility of building its own APIs to
         regulated firms to enable them to gather in data direct without having to request it, with
         associated delays31.

    •    The Bank of England is also being encouraged to consider the build of a ‘regulatory utility’
         which will provide a ‘data repository’ capability for deep analysis32.

    •    The FCA has appointed a new position of Director of Innovation in 201933.

9          Overcoming barriers to change – 2020-2030
We started the 2030 RegTech forecast with a detailed drill-down on some of the more important
technology components, including commentary on both infrastructural and individual technology
solutions that are available to deploy over the next ten years in order to improve KYC and attack
financial crime, and followed that with a vision of what was possible in this new utopian world.
But the real world is a complex place, and, at times, disappointingly resistant to change, however big
the financial prize, and there are several challenges or barriers to change that need to be addressed
before the RegTech picture discussed in Section 7 above can be reached. Five barrier groups have
been identified, four of which are discussed below, with the final one (government/regulator
ownership) following thereafter in Section 12.

Civil liberty groups and data privacy laws
A number of laws and civil action groups have emerged over the last 30 years, whose primary
function is to protect the privacy and associated rights of individuals - in regulatory environments this
includes the EU Directive 2, GDPR and others, and this is further supported by a range of civil liberty
groups worldwide. This societal protection has been built with good intent – the privileges, privacy

30   https://www.fca.org.uk/events/techsprints/2019-global-aml-and-financial-crime-techsprint
31   https://www.bankofengland.co.uk/-/media/boe/files/report/2019/future-of-finance-report.pdf
32   https://www.bankofengland.co.uk/-/media/boe/files/report/2019/future-of-finance-report.pdf
33   https://radar.behavox.com/global-regulators-views-on-technology-innovations-and-expectations/

and rights and freedom of the individual are paramount in society, otherwise the end result is a
totalitarian state. The paradox here is that the very rules that protect the honest individual also
serve to protect the criminal individual, and so the intellectual challenge is how to square this circle.
Criminal groups exploit these rules for their own ends, do so with impunity, and it remains easy for
them to move money between individually ‘siloed’ financial institutions, or jurisdictional regions as
there is no way of easily cross-checking patterns of behaviour between individual banks or between
individual jurisdictions. Homomorphic encryption, federated learning and DLT could go a long way
towards addressing these concerns, because they are examples of smart technology circumventing
the status quo on data privacy, but it will not be an easy journey, as witnessed recently on the back
of the Covid-19 contact tracing apps and the possibility of abuse by Governments in using these apps
to move towards a state-monitoring modus operandi. Expect the same reaction with apps in the
future where a code is encrypted into the mobile phones of potential criminal operatives as a result
of an algorithm identifying the holder as a possible money launderer.

This is a challenge which will not go away but can be addressed by Governments firstly making their
own populations more aware of the massive scale of the financial crime problem than has hitherto
been the case and secondly by focussing on the potential upsides for everyone if such technologies
can be implemented safely whilst protecting the innocent.

Cross-jurisdictional data exchange, legal framework standards, and
government support
A new set of ‘data exchange’ rules will require to be established in order for this new RegTech
ecosystem to function beyond current private ‘in country’ arrangements. In addition, there are
different legal systems underlying regulatory regimes in different countries – for example, the legal
framework of the UK is different to that operating across the EU, and to carry this forward, a legal
framework working towards ‘equivalence’ between different legal jurisdictions may be required34.

One positive step here is that there is momentum underway to adopt Legal Entity Identifiers (LEI) as
a global standard for ultimate ownership identification of company entities. The FSB in the UK
reviewed this as an option in 201935, and it has also been highlighted as an important step towards
the achievement of common data standards in a recent Bank of England commissioned report36.

There is also need for agreement on common data structure formats and secure data exchange
protocols to be established so that all jurisdictions work towards the same goal with the same
structured data sets. In the UK, the European payments services directive (PSD2) and the UK
enactment through the Open Banking initiative provides for a set of bank-developed standard APIs
into the wider community. This initiative would form a starting foundation for further necessary
developments in the area.

In all of the above initiatives, there is a pressing need for global agencies (IMF/World Bank/ FATF) to
assume a leadership role and bring an element of convergence and agreement across legal, data
structural, data exchange and other jurisdictional boundaries that currently exist amongst all the
global participants.

34 https://www.ukfinance.org.uk/sites/default/files/uploads/pdf/BQB12-Equivalence-in-a-future-EU-UK-trade-framework-for-financial-services-final.pdf
35 https://www.fsb.org/wp-content/uploads/P280519-2.pdf
36 https://www.bankofengland.co.uk/-/media/boe/files/report/2019/future-of-finance-report.pdf