In the expanding universe of financial service technology firms, most are trying to capture a slice of the profit pools that banks and other financial institutions currently enjoy. One galaxy of fintechs, though, has begun to help banks manage one of their costliest and most troublesome activities: complying with regulations.

Banks could realize substantial benefits from working with regtech firms, including an enhanced experience for customers, more effective regulatory compliance and greater cost efficiency. Given the high stakes involved, however, banks should gain a better understanding of the options and make a careful assessment of their high-priority needs. Critically, they will need to bring regulators into the conversation before committing. And they must ensure that combining third-party technology and services with their internal processes does not create more system complexity.

Bain & Company has identified more than 80 emerging regtechs, and the rise of these firms should be welcome. Banks have been reducing their cost base for several years now, and have already harvested the easy gains. Many of the efficiency gains, moreover, have been offset by resources required to meet expanded regulatory requirements and to settle fines. We estimate that governance, risk and compliance (GRC) costs account for 15% to 20% of the total “run the bank” cost base of most major banks. And GRC demand drives roughly 40% of costs for “change the bank” projects under way.

While the cost of fines may have peaked in 2016 at a total accumulated amount of over $200 billion globally, we project that the cost to implement and run regulatory requirements will grow over the next five years. Despite substantial compliance investments to date, the frequency and impact of illegal incidents remains significant, ranging from trades with suspected money-laundering patterns in Russia to breaches of US sanctions on Iran or foreign exchange insider trading. That leads regulators to further increase the pressure and requirements on banks.

How regtech firms can help

Regulatory compliance entails a complex chain of activities:

• analyzing and implementing rules;
• extracting, analyzing and storing data; and
• monitoring employee and customer behavior in the moment and after the fact.

Banks have struggled to devise a robust and efficient approach to compliance using their own legacy systems and GRC organization. Typically, the required data resides in different bank systems and is hard to extract in the appropriate structure or level of quality. That’s because automated, algorithm-based data aggregation, integration and enrichment requires modern technology. Legacy software code often cannot accommodate this integration, making internal compliance efforts slow and expensive. For example, to implement online customer onboarding through legacy systems at some major banks would take two years at a cost of more than $10 million vs. three months at $300,000 if handled through a regtech specialist.

How, specifically, can regtechs help? To borrow a biological metaphor, they can provide brains, guts and backbone to improve GRC processes in a number of ways (see Figure 1).

The regtechs’ “brains” advantage stems from their expertise in extracting and structuring data, mixing it with unstructured sources and devising algorithms to derive insights. These firms extract and integrate data from banks’ proprietary systems, third-party data providers and public sources. They design algorithms to crunch the data in highly automated, scalable ways. And they use machine learning to continuously improve the quality, precision and reliability of the insights that emerge. While major IT consultants, software firms and data infrastructure providers have worked in the field over the past decade, most offer only partial solutions, use dated technology or face conflicting interests with their core business. Many regtech start-ups, by contrast, have made compliance their sole focus.

Regtechs also provide the “guts,” or processes for smart, standard-setting governance and control. By pursuing straight-through-processing and looking for ways to automate and simplify processes, they can reduce costs and pick up the pace of GRC.

Because many regtechs deploy new technologies, they can offer an advanced infrastructure, or “backbone.” For instance, they use the cloud to remotely provide solutions and manage and back up data. Banks pay only for the data they use, making it easy to add or remove service features. Standardized interface layers allow data to flow in real time and help integrate third-party data network partners and solution providers. In addition, we expect block-chain technology to take hold in GRC over the next two to five years. Most promising is the advanced “smart contract” function and its effect on regulatory compliance through self-executed and self-enforced contract clauses.

To date, the most common regtech applications provide tools to manage five areas of GRC (see Figure 2).

• Advanced regulatory requirements management. Firms such as Cube monitor and manage the regulatory landscape and policy releases, collect and aggregate regulatory requirements, perform an automated impact assessment, and can install automated implementation into a bank’s day-to-day operations.

• Know-your-client (KYC) services are the most advanced solutions offered by regtechs so far. Clarient Entity Hub, Fenergo and kyc.com identify clients and counterparties during onboarding and recurring interactions. These vendors use highly standardized data structures, harness the bank’s proprietary client data and match it against public information such as credit and criminal databases, commercial registers and social media in order to score clients with an advanced rule engine and ultimately file the client profile (see Figure 3). They use machine learning to recognize data patterns and recalibrate scoring, which helps to improve regulatory compliance effectiveness and reduce manual process interventions, thereby reducing process costs.

  Emerging KYC utilities address inefficiency by splitting costs among many institutions and profiling a single customer once on behalf of all banks. At the same time, their approach could improve the customer experience. Bain’s interviews with corporate customers reveal widespread frustration with banks’ unclear requirements, limited reuse of existing data, piecemeal requests for documentation and weeks-long delays for access after an account has been requested. Half to three-quarters of onboarding requests never reach the final stage of account opening, our benchmarking found, which wastes time and effort and causes occasional embarrassment with customers.

  Anti-money-laundering (AML) and anti-terrorist-financing (ATF) services monitor payments or securities transactions to identify suspicious transactions possibly linked to illegal activities. Regtechs’ AML and ATF risk and compliance engines build on KYC data enriched with additional data.

• Consumer protection services monitor client and adviser behavior to identify possible breaches of laws and regulations designed to protect consumers from fraud or inappropriate advice and investments. The services build on an appropriate client profile. Key features include front-to-end advisory management tools and smart rule engines that fuse a client’s profile scores with broader investment data.
• Market conduct services analyze trading transactions with behavioral analytics and banks’ proprietary risk models to ferret out misconduct or fraud. Sybenetix, Behavox and other vendors sift through events, using tools to escalate and remediate the events early, which minimizes false alerts.
• Reporting and risk management services provide a response to the complex layers of new requirements related to exhaustive risk data aggregation and reporting. Vendors such as AQMetrics and MetricStream offer integrated modeling, scenario analysis, forecasting analysis and risk management tools.

Laying the groundwork

Banks’ partnerships with regtechs will be significantly shaped by regulators, in the form of GRC standards and approval of proposed solutions. Success in this area thus hinges on choreographing the cooperation of banks, regtechs and regulators.

The elements to support innovative solutions are starting to fall in place in some countries. In the UK, the Financial Conduct Authority is serving as a hub to support adoption of new technologies that make it easier for regtech start-ups to grow quickly and get connected to the regulatory ecosystem. The Monetary Authority of Singapore recently mapped out a plan to move toward an open application programming interface architecture that can be easily used by regtech vendors and banks.

In parallel with their discussions with regulators, banks should make a thorough assessment on several fronts.

• Cost baselining: the cost of regulatory compliance, including one-off and recurring costs, as-is and estimated over the next three to five years
• Technology assessment: the level of functionality, complexity and efficiency of their current technology, systems and data as the new requirements kick in
• Regtech landscape: which regtechs will add value to the bank’s technology and capabilities to close identified gaps or provide the best solutions
• Business case: the best options for deploying regtech solutions, whether through a proprietary, hosted or cloud-based single-vendor solution or a partnership or joint venture

Innovation by both established and insurgent technology firms looks to ease banks’ regulatory compliance burdens by automating many tasks and reducing costs. Over the long run, banks that prepare now to adopt the appropriate regtech solutions may reap the additional benefits of smarter, cheaper and more effective GRC management and a much improved customer experience.

Matthias Memminger is a partner with Bain & Company’s Financial Services practice. Mike Baxter leads the practice in the Americas. Edmund Lin is the global leader of the practice. They are based, respectively, in Frankfurt, New York and Singapore.