By Burt Esrig, Managing Director and Michael Lehman, Partner, ACA Compliance
The RegTech industry has exploded, with over 250 RegTech businesses worldwide and $1bn invested last year, as firms look to beat the regulators and the competition. But firms still aren’t doing enough. There have been $26 billion in fines for non-compliance with AML, KYC and sanctions regulations over the past decade. As the regulators get better at detecting illegal activity, firms must do more to stay ahead. We get the lowdown on the best ways to do just that with an exclusive insight from BURT ESRIG and MICHAEL LEHMAN of ACA Compliance, a US-based provider of governance, risk, and compliance advisory services and technology solutions.
It’s a new year, and most global financial regulators are preparing or announcing their examination priorities and focus areas for 2019 and beyond. As in previous years, cybersecurity and technology remain top focus areas for the US Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). These are themes that we expect to be included in the UK Financial Conduct Authority’s (FCA) 2019 priorities when announced in April — along with a continued focus on market abuse surveillance.
Regulatory Investment in Technology
To support their supervisory activities in these areas, regulators globally continue to invest in developing and improving their technological capabilities to process and analyze large amounts of data quickly and efficiently.
In recent years, regulators have taken a risk-based approach to compliance and made significant investments in their own technology tools and operations. Regulators expect firms to be proactive in detecting, preventing, and remediating compliance issues within their own operations, but the data management required to meet these expectations is costly, inefficient — and many times impossible — using manual processes alone.
These realities mean that investment firms need to make their own advances and investments in regulatory technology (RegTech) so they can stay ahead of – or at least keep pace with – the regulators.
How RegTech Can Transform Compliance Operations
Fortunately, there are technology tools available that can help your firm meet its regulatory obligations efficiently and cost-effectively. Below are six ways RegTech can help your firm stay ahead of regulators:
- Detect market abuse and non-compliant trades
No firm wants to be the last to know about market abuse among employees — many firms fear that regulators have more information than their compliance teams.
Regulators can now process market data faster and more efficiently than ever to uncover market abuse and other financial crimes. For example:
- The SEC’s National Exam Analytics Tool (NEAT), which enables examiners to crunch large volumes of trading data, was expanded to support blotter data validations, anti-money laundering, options, and reviews of broker-dealer information.
- The SEC’s Market Information Data Analytics System (MIDAS) is also used for reviewing specific market activities.
- The FCA’s Market Data Processor (MDP) System, which is the mechanism by which the FCA receives market data types including daily transaction reports, presents the FCA with the opportunity to interrogate trading records for suspicious activities.
- The MDP also interfaces with the European Securities and Markets Authority’s (ESMA) Transaction Reporting Exchange Mechanism (TREM), which allows the FCA to exchange transaction reports with other National Competency Authorities (NCAs) to allow their own surveillance activities to occur.
Firms must also ensure their electronic communications surveillance programs are properly tuned for the business they conduct – regulators on both sides of the Atlantic continue to focus on electronic communication oversight programs.
In 2018, the SEC and FINRA issued enforcement actions alleging that certain firms did not have proper electronic communications programs or procedures in place. The SEC issued a risk alert regarding the need for firms to more effectively monitor employee electronic communications across different platforms.
MiFID II also introduced obligations in Europe that expanded on the FCA’s own communication recording obligations. Previously in the UK, the FCA’s rules on recording had a sell-side firm focus and included a reliance provision that meant many buy-side firms didn’t record their communications — nor were they required to. MiFID II has changed this, and many firms that previously had not recorded their communications now must do so, as well as conduct adequate surveillance of such conversations.
In addition to electronic communications surveillance, meetings and events received heightened attention from regulators. Where and with whom your analysts or portfolio managers (PMs) conduct meetings are now in focus and discoverable. This means the tracking and, potentially, chaperoning, testing, and reviewing of notes, is crucial. Sometimes this may cause an unwelcome shift in business processes.
Transacting when potentially in the possession of material non-public information (MNPI) — also known as insider trading — continues to be on the radar of regulators. Therefore, the collection of much of the previously mentioned data, as well as the ability for firms to recreate the life cycle of a trade, is in focus. The life of a trade begins with the thought process and trade sizing relative to historical risk profiles, and runs through the execution process to the allocation between accounts. This workflow assumption — cross-referencing whether the same security appeared in employee accounts — is frequently scrutinized.
- Manage personal trading programs and other employee activities
The SEC’s rules regarding codes of ethics are well-established — monitoring personal trading, political contributions, entertainment, and outside business activities to identify conflicts of interest is required.
Firms are feeling the pressure in this area in other ways as well — the SEC’s technological approach to transaction monitoring means that it’s picking up more suspicious personal trades than ever before. It is anticipated that the FCA will identify correlations between a firm and its employee personal trading as well, given the personal identifiers included in the reports.
As a result, personal trading/code of ethics technology solutions are becoming increasingly popular, particularly with U.S. financial firms. In the IAA and ACA’s 2018 Investment Management Compliance Testing Survey, nearly 47% of the respondents who had detected material compliance issues over the past year found them in this area (up from just over 20% the previous year). It’s hardly surprising that 27% of respondents had increased the type, scope, and/or frequency of compliance testing in this area over the past two years. In 2019, it’s recommended that firms continue their vigilance in this area.
- Manage third-party cyber risk
Cybersecurity has been a regulatory focus area for the past several years, and 2019 is no different. Third-party vendors continue to pose significant risks to the firms they work with, a concern that was flagged by the FCA in the findings of their recent Technology and Cyber Resilience Questionnaire. Major data breaches seem to be announced every day, and this is a trend we expect will continue in 2019.
Firms need to take a proactive approach to third-party risk management by performing ongoing due diligence on the vendors they work with. RegTech, particularly when used in tandem with a trusted outsourced third-party risk management solution, can help reduce the burden, risks, and costs associated with managing the vendor life cycle.
- Streamline marketing review workflows
Regulators around the world are cracking down on marketing practices by financial services firms. In 2017, the SEC highlighted its concerns around performance marketing, while the FCA continues to issue enforcement proceedings against firms that market themselves inappropriately.
MiFID II expanded the marketing demands on UK firms. Whether firms are communicating to prospects through social media, brochures, client presentations, or other materials, marketing must be fully compliant with these enhanced standards.
Mistakes can easily creep in. Compliance teams must establish strong, auditable processes for managing, reviewing, approving, and archiving marketing and advertising materials. In addition, an automated process for submitting materials to regulators will reduce steps in the process.
- Track and record compliance activities and tasks
Increasingly around the globe, regulators expect firms to record their compliance activities in detail. Essentially, for the regulator, if something isn’t documented in an auditable way, it didn’t happen.
Tracking these activities manually can put a tremendous burden on firms. RegTech is helping firms to meet their obligations by automating information collection and processing, risk monitoring, regulatory compliance, day-to-day compliance task/activity tracking, and logging, including all materials related to compliance activity. Document management and the recording of processes and procedures, with a full audit trail and reporting capabilities, complete the technology package needed to satisfy these responsibilities.
- Centralize and submit regulatory filings
Today, regulators are using technology to process and comb through regulatory filings and determine which firms they should examine over the course of the year. These technology solutions are crunching the numbers in reports to detect anomalies or other problematic data that could flag potential challenges at firms.
These enhanced supervisory capabilities make it essential that firms get their filings correct – otherwise they risk the cost and distraction of a regulatory exam they may not otherwise have had. This was reflected in the FCA’s recent changes to its Connect System — a system that enables firms to make applications and notifications to the regulator — which added a new functionality that allows tracking of the case status.
The RegTech Return on Investment
RegTech can help compliance teams achieve a significant return on their investment by increasing operational efficiencies, reducing administrative costs, and decreasing the risk of violations. Additionally, as these technologies become widely adopted, regulators continue to evolve their expectations of investment firms’ compliance technology capabilities while growing their own system capabilities. To keep pace with these changes, firms need to adopt their own RegTech solutions – or else risk regulatory scrutiny, fines, reputational damage, and other complications.