In highly regulated industries, there are seemingly endless regulatory and compliance requirements and activities, and they often are inseparable from the underlying risk management activities themselves, including those for third parties.
Since the 2008 financial crisis, the U.S. has arguably become the most complex and costly jurisdiction for regulatory compliance. An article published by World Economic Forum on enterprise risk management points out that banks are “less experienced with non-traditional threats such as cyber risk, strategic risk, operational risk, regulatory risk and legal risk. Making matters trickier, these risks aren’t easily quantified.” The authors also note that “the growth in such risks is virtually unprecedented in the history of banking. This puts a premium on firms’ abilities to make connections and to recognize the complex whole is far greater than the sum of its parts.”
The financial services sector leads the pack in terms of the amount of regulation it is subject to, including the compliance challenges, regulations and laws in near and far-flung jurisdictions, as well as the cost and complexity of compliance, risk management and governance practices. This sector is not alone is the endless struggle to balance costs and compliance. Healthcare, oil and gas, and the tech sector are also struggling with the cost and complexity to managing sector-specific risks and compliance.
To complicate matters, operations extend far beyond their own perimeters. Critical third parties, essential to the success of the “extended enterprise,” amplify the complexity, challenges and rewards.
Strong Growth in RegTech Investment
The Institute of International Finance defines RegTech as the “use of new technologies to solve regulatory and compliance burdens more effectively and efficiently.”
When it comes to RegTech, short for Regulatory Technology, let’s start with some facts. According to KMPG’s report “There’s a Revolution Coming: Embracing the challenge of the new RegTech (2019),” financial institutions spend $780 billion annually on compliance activities; have paid more than $300 billion in fines since 2008; and devote 10% to 15% of their workforce to governance, risk and compliance activities, with an average 7,000 people per institution performing this work.
The complexity and costs associated with risk management, compliance and governance are grossly understated because of the immaturity of third-party risk management practices, which are intended to identify, assess, manage, and control risk and compliance.
The good news is that where there are challenges there are also opportunities. It isn’t surprising that among the many innovations that are changing the world, RegTech is one of the hottest, with 2018 investment reportedly at $3.7 billion. Most of the current investment is directed at solving the cost and complexity of compliance in the financial services sector. This focus will likely fan out into many sectors once some of the use cases are proven and RegTech is adopted.
Automating Compliance is Key
The broad definition and pace of change leaves the door open for broad interpretation and confusion about what is a RegTech solution and what is not. Current investments are concentrated on regulatory reporting, risk management, identify management and control, compliance and transaction monitoring. Cybersecurity solutions are not generally considered RegTech because compliance is not a primary objective.
Powered by cloud computing, APIs, robotics process automation (RPA), cognitive automation (a more realistic term than AI), big data analytics and blockchain, RegTech is the path to automating compliance activities. Once successfully implemented, these enabling technologies will handle tasks like aggregating risk data from multiple sources; normalizing, gathering and analyzing the data; creating risk metrics; monitoring; and predictive analysis and testing for applicable regulations and laws.
A predominant area for RegTech investment is regulatory reporting, with some interesting collaborative “3P” projects or public/private partnerships guiding the way. Another is compliance to Know Your Customer/Anti-Money Laundering laws and regulations, an exceptionally labor-intensive requirement that is intended to prevent terrorist financing and transformation of monies earned from illegal activities into “clean” money. Likewise, surveillance and conduct monitoring, which consists of transaction monitoring, can identify and exploit suspicious patterns or trends by linking structured and unstructured data.
Slow Adoption Rates
RegTech implementations are highly complex, which will slow adoption. Nick Cook, Director of Innovation at Financial Conduct Authority, the U.K.’s primary financial services regulator, cautions: “Many RegTech firms struggle to make the essential step from proof of concept to proof of value. Without this latter proof the path to production and deployment is a long, uncertain and an often aborted one.”
Your company’s extended enterprise, internal operations, plus critical third parties, is the operational reality. This extended enterprise – a vast ecosystem of third, fourth, fifth and sixth parties – far exceeds the size and scale of the internal operations in almost every company.
This is the time to invest in third-party risk management to make risk-informed decisions for the extended enterprise. A programmatic approach to third-party risk management is an essential prerequisite to realizing the full benefits of your firm’s investments in RegTech solutions.
Linda is the creator of SIG University's Certified Third Party Risk Management Professional program. View the curriculum guide to learn more about the program and enroll your team to earn an industry-recognized certification.
Linda Tuck Chapman: Advisor. Educator. Author. Expert. Linda is a recognized subject-matter expert, trusted advisor, published author and popular speaker. As former Chief Procurement Officer in three major banks, her clients benefit from her experience, expertise and pragmatic approach.
Linda is creator/professor of the “Certified Third Party Risk Management Professional” (C3PRMP) for SIG University, based on her book “Third Party Risk Management: Driving Enterprise Value”, available on Amazon. Her expertise is frequently profiled in industry-leading publications such as The RMA Journal, Wall Street Risk Journal and Future of Sourcing, strengthened by her extensive network, professional associations and SIG University.