
The cost of not complying with RegTech

Regulatory team, ACA Compliance, London, 20 March 2019


The adoption of regulatory compliance technology (RegTech) has increased in recent years and the reason is clear: not only have the financial industry’s regulatory rules become more complex and difficult to obey, but the cost of non-compliance has also sky-rocketed.

According to the US Securities and Exchange Commission’s 2018 Enforcement Annual Report, 490 'stand-alone actions' were 'issued' in the financial year of 2018, 63% of which involved investment advisory issues, securities offerings and issuer reporting/accounting and auditing collectively, with others relating to broker-dealer misconduct (13%), insider dealing (10%) and market manipulation (7%).

The SEC’s cyber unit became fully operational in that year and its investigations led to 20 enforcement actions for cyber-related misconduct, including cases related to initial coin offerings (ICOs) and digital assets.

In the UK, the Financial Conduct Authority is scrutinising firms' compliance with the European Union's Market Abuse Regulation more and more tightly, concentrating in particular on trade surveillance and controls, especially at buy-side firms such as market-facing private banks. Its enforcement division has been very active here.

This regulatory obsession has inspired firms to invest in software that helps them meet their compliance-related obligations not only more efficiently but also more effectively. In order to appreciate the challenges that RegTech is trying to solve, we must look at the cost of non-compliance and how it has evolved in recent years.

The regulatory reach

One of RegTech’s biggest contributions to the world has been the fact that it has made it easier for firms to store records. This, as every reader has probably realised, is a feedback loop. As firms can store records more efficiently, regulators can make greater demands on them to do so. As they do so, they hand regulators more and more information with which to investigate cases of non-compliance. This is just as well because new regulations promulgated over the last several years – covering market abuse, data privacy, cyber-security, best execution, inducements, money laundering, bribery and corruption – have broadened the regulators’ reach.

Although the pendulum has started to swing away from overly prescriptive rules towards a more principles-based approach, this is not likely to reverse the financial sector's demand for RegTech.

More regulatory scrutiny, more punishments

In a world of burgeoning data privacy regulations, the UK’s Information Commissioner took her first 'enforcement action' in accordance with the EU's General Data Protection Regulation (GDPR), punishing a Canadian data analysis firm. She also accused it of contravening the UK's Data Protection Act.

The FCA has a record number of market abuse investigations open at the moment, with enforcement actions in the pipeline for a range of offences on both the sell-side and buy-side.

The surveillance of electronic communications remains an obsession for regulators on both sides of the Pond as it is a means of preventing and detecting financial crime at firms. The SEC, the FCA, and the Financial Industry Regulatory Authority (FINRA) have all punished firms for this.

In the realm of cyber-security compliance, the SEC’s Cyber Unit opened its first case against a public company last year for failing to inform investors about a cyber breach properly. It also took its first action against a firm for breaking the Identity Theft Red Flags Rule. For the latter case, the charged broker-dealer/investment advisor had to pay a $1 million fine.

Also in 2018, the Commodity Futures Trading Commission (CFTC) ordered a registered futures commission merchant (FCM) to pay a $100,000 fine for its alleged failure to supervise the way in which its IT provider obeyed the law while running its information systems security programme (ISSP).

A broader trend

These examples are evidence that investment management firms have broader obligations and suffer from closer scrutiny and harsher penalties than ever before.

Aggregate statistics back this up. The SEC’s Enforcement Division took 821 'actions' (490 of which were "stand alone actions") and obtained court judgments and orders that came to $3.945 billion in disgorgements and penalties in the financial year 2018, a higher figure than that of 2017. It only returned $794 million of this to victims, the rest being purely punitive. In addition to the 20 "stand alone" cases promulgated by the SEC’s Cyber Unit in 2018, the regulator ended the fiscal year with more than 225 cyber-related investigations in the pipeline.

What the future holds

There are still many recently introduced regulations in this world that have not yet been the subject of fines and punishments. The European Union's second Markets in Financial Instruments Directive has not yet been tested when it comes to enforcement. Even the GDPR has only inspired one fine so far. These are both far-reaching pieces of extra-territorial legislation whose effects are bound to be colossal eventually.

At the same time, initiatives such as the FCA’s Senior Managers and Certification Regime (SM&CR) (due to be extended to all investment management firms later this year) will make individuals more accountable for failures in compliance. Although the Trump Administration is keen to reduce the regulatory burden that firms have to shoulder, it has not yet made a real difference.

The RegTech imperative

Regulators regard IT as a vital part of the future of regulation, as detailed in FINRA’s recent report on RegTech and the FCA’s 2018/19 Business Plan. They are, moreover, investing in their own technological capabilities.

In the US, the SEC can analyze large amounts of trading data using its own National Exam Analytics Tool (NEAT) while also reviewing various market activities using its Market Information Data Analytics System (MIDAS).

In the UK, the FCA employs its Market Data Processor (MDP) System to analyse trading records for suspicious activities and link itself up with the European Securities and Markets Authority’s Transaction reporting exchange mechanism (TREM), through which it exchanges transaction reports with other national regulators.

The part that technology plays in compliance will continue to evolve and grow. With IT helping regulators scrutinise investment firms to an unprecedented degree and with those regulators expecting firms to be able to produce large and specific data sets on demand, RegTech is no longer optional.
