In the expanding universe of financial service technology firms, most are trying to capture a slice of the profit pools that banks and other financial institutions currently enjoy. One galaxy of fintechs, though, has begun to help banks manage one of their costliest and most troublesome activities: complying with regulations.
Banks could realize substantial benefits from working with regtech firms, including an enhanced experience for customers, more effective regulatory compliance and greater cost efficiency. Given the high stakes involved, however, banks should gain a better understanding of the options and make a careful assessment of their high-priority needs. Critically, they will need to bring regulators into the conversation before committing. And they must ensure that combining third-party technology and services with their internal processes does not create more system complexity.
Bain & Company has identified more than 80 emerging regtechs, and the rise of these firms should be welcome. Banks have been reducing their cost base for several years now, and have already harvested the easy gains. Many of the efficiency gains, moreover, have been offset by resources required to meet expanded regulatory requirements and to settle fines. We estimate that governance, risk and compliance (GRC) costs account for 15% to 20% of the total “run the bank” cost base of most major banks. And GRC demand drives roughly 40% of costs for “change the bank” projects under way.
While the cost of fines may have peaked in 2016 at a total accumulated amount of over $200 billion globally, we project that the cost to implement and run regulatory requirements will grow over the next five years. Despite substantial compliance investments to date, the frequency and impact of illegal incidents remain significant, ranging from trades with suspected money-laundering patterns in Russia to breaches of US sanctions on Iran or foreign exchange insider trading. That leads regulators to further increase the pressure and requirements on banks.
How regtech firms can help
Regulatory compliance entails a complex chain of activities:
- analyzing and implementing rules;
- extracting, analyzing and storing data; and
- monitoring employee and customer behavior in the moment and after the fact.
Banks have struggled to devise a robust and efficient approach to compliance using their own legacy systems and GRC organization. Typically, the required data resides in different bank systems and is hard to extract in the appropriate structure or level of quality. That’s because automated, algorithm-based data aggregation, integration and enrichment requires modern technology. Legacy software code often cannot accommodate this integration, making internal compliance efforts slow and expensive. For example, to implement online customer onboarding through legacy systems at some major banks would take two years at a cost of more than $10 million vs. three months at $300,000 if handled through a regtech specialist.
How, specifically, can regtechs help? To borrow a biological metaphor, they can provide brains, guts and backbone to improve GRC processes in a number of ways (see Figure 1).
The regtechs’ “brains” advantage stems from their expertise in extracting and structuring data, mixing it with unstructured sources and devising algorithms to derive insights. These firms extract and integrate data from banks’ proprietary systems, third-party data providers and public sources. They design algorithms to crunch the data in highly automated, scalable ways. And they use machine learning to continuously improve the quality, precision and reliability of the insights that emerge. While major IT consultants, software firms and data infrastructure providers have worked in the field over the past decade, most offer only partial solutions, use dated technology or face conflicting interests with their core business. Many regtech start-ups, by contrast, have made compliance their sole focus.
Regtechs also provide the “guts,” or processes for smart, standard-setting governance and control. By pursuing straight-through-processing and looking for ways to automate and simplify processes, they can reduce costs and pick up the pace of GRC.
Because many regtechs deploy new technologies, they can offer an advanced infrastructure, or “backbone.” For instance, they use the cloud to remotely provide solutions and manage and back up data. Banks pay only for the data they use, making it easy to add or remove service features. Standardized interface layers allow data to flow in real time and help integrate third-party data network partners and solution providers. In addition, we expect blockchain technology to take hold in GRC over the next two to five years. Most promising is the advanced “smart contract” function and its effect on regulatory compliance through self-executed and self-enforced contract clauses.
To date, the most common regtech applications provide tools to manage five areas of GRC (see Figure 2).
- Advanced regulatory requirements management. Firms such as Cube monitor and manage the regulatory landscape and policy releases, collect and aggregate regulatory requirements, perform an automated impact assessment, and can install automated implementation into a bank’s day-to-day operations.
- Know-your-client (KYC) services are the most advanced solutions offered by regtechs so far. Clarient Entity Hub, Fenergo and kyc.com identify clients and counterparties during onboarding and recurring interactions. These vendors use highly standardized data structures, harness the bank’s proprietary client data and match it against public information such as credit and criminal databases, commercial registers and social media in order to score clients with an advanced rule engine and ultimately file the client profile (see Figure 3). They use machine learning to recognize data patterns and recalibrate scoring, which helps to improve regulatory compliance effectiveness and reduce manual process interventions, thereby reducing process costs.
Emerging KYC utilities address inefficiency by splitting costs among many institutions and profiling a single customer once on behalf of all banks. At the same time, their approach could improve the customer experience. Bain’s interviews with corporate customers reveal widespread frustration with banks’ unclear requirements, limited reuse of existing data, piecemeal requests for documentation and weeks-long delays for access after an account has been requested. Half to three-quarters of onboarding requests never reach the final stage of account opening, our benchmarking found, which wastes time and effort and causes occasional embarrassment with customers.
- Anti-money-laundering (AML) and anti-terrorist-financing (ATF) services monitor payments or securities transactions to identify suspicious transactions possibly linked to illegal activities. Regtechs’ AML and ATF risk and compliance engines build on KYC data enriched with additional data.
- Consumer protection services monitor client and adviser behavior to identify possible breaches of laws and regulations designed to protect consumers from fraud or inappropriate advice and investments. The services build on an appropriate client profile. Key features include front-to-end advisory management tools and smart rule engines that fuse a client’s profile scores with broader investment data.
- Market conduct services analyze trading transactions with behavioral analytics and banks’ proprietary risk models to ferret out misconduct or fraud. Sybenetix, Behavox and other vendors sift through events, using tools to escalate and remediate the events early, which minimizes false alerts.
- Reporting and risk management services provide a response to the complex layers of new requirements related to exhaustive risk data aggregation and reporting. Vendors such as AQMetrics and MetricStream offer integrated modeling, scenario analysis, forecasting analysis and risk management tools.
Laying the groundwork
Banks’ partnerships with regtechs will be signiﬁcantly shaped by regulators, in the form of GRC standards and approval of proposed solutions. Success in this area thus hinges on choreographing the cooperation of banks, regtechs and regulators.
The elements to support innovative solutions are starting to fall into place in some countries. In the UK, the Financial Conduct Authority is serving as a hub to support adoption of new technologies that make it easier for regtech start-ups to grow quickly and get connected to the regulatory ecosystem. The Monetary Authority of Singapore recently mapped out a plan to move toward an open application programming interface architecture that can be easily used by regtech vendors and banks.
In parallel with their discussions with regulators, banks should make a thorough assessment on several fronts.
- Cost baselining: the cost of regulatory compliance, including one-off and recurring costs, as-is and estimated over the next three to five years
- Technology assessment: the level of functionality, complexity and efficiency of their current technology, systems and data as the new requirements kick in
- Regtech landscape: which regtechs will add value to the bank’s technology and capabilities to close identified gaps or provide the best solutions
- Business case: the best options for deploying regtech solutions, whether through a proprietary, hosted or cloud-based single-vendor solution or a partnership or joint venture
Innovation by both established and insurgent technology firms looks to ease banks’ regulatory compliance burdens by automating many tasks and reducing costs. Over the long run, banks that prepare now to adopt the appropriate regtech solutions may reap the additional benefits of smarter, cheaper and more effective GRC management and a much improved customer experience.
Matthias Memminger is a partner with Bain & Company’s Financial Services practice. Mike Baxter leads the practice in the Americas. Edmund Lin is the global leader of the practice. They are based, respectively, in Frankfurt, New York and Singapore.