“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”
So said Matthew Broderick in the 80s movie “Ferris Bueller,” in which he played the titular character. So it is with regtech—shorthand for technology used to ease the regulatory compliance burden—which is moving pretty fast, and bank leaders need to get their operations and cultures up to speed so they don’t miss a significant opportunity.
Just a few years ago, Fauquier Bankshares was relying on Excel to comply with rules and regulations around areas including the Bank Secrecy Act and third-party management, according to the company’s chief administrative officer and chief information officer, Chip Register. There’s no way to obtain scale in the compliance function through Excel, and spreadsheet risk is a real concern due to inconsistent coding, human error in data entry and the like. Fauquier, like others in the industry, is learning that regtech relationships can fill significant compliance gaps. “We see an increasingly complex environment for compliance and regulation,” says Register. In 2017, the $645 million asset bank, based in Warrenton, Virginia, implemented two new technology solutions—software by Longwood, Florida-based RATA Associates to comply with the Home Mortgage Disclosure Act and the Community Reinvestment Act, and a security management solution provided by Focus Audits, in Thonotosassa, Florida.
Regtech has certainly come a long way. What started as a mechanism to put paper-based recordkeeping in a digital format is now rapidly evolving as the industry digitizes the business of banking. The rise of fintech has paved the way—and contributed to the need—for the regtech solutions rapidly entering the marketplace. And despite Republican control of the White House and Congress—a recipe that tends to work well for industry deregulation—it’s unlikely that banks can rely on Washington to significantly ease the compliance burden posed by the Dodd-Frank Act and the myriad of regulatory expectations facing banks. And as technological solutions mature, regulators will continue to raise the bar for financial institutions, further driving demand in the banking industry.
“We’re in the process of digitizing finance and financial regulation right behind it,” says Jo Ann Barefoot, the chief executive officer of Washington, D.C.-based Barefoot Innovation Group and Hummingbird Regtech, a solution focused on anti-money laundering compliance.
As the banking industry relies more and more on vendors, bank management teams and boards are rapidly trying to understand the technologies impacting compliance and how to vet new providers. But banks also need to look within their own organizations, including culture, policies, processes and talent, and examine how the deployment of regtech fits into the institution’s overall strategic goals.
The vast majority of banks are deploying technology to ensure compliance with the Bank Secrecy Act and anti-money laundering (AML) rules, according to Bank Director’s 2018 Risk Survey. (For more on the survey, read “Is Your Bank Ready for Rising Rates?” on page 40.) “There is a crying need for better AML tools,” says Barefoot, which is why her company is focusing on providing an AML solution. “[Banks are] spending a fortune to get terrible outcomes.” Seventy-three percent of survey respondents say they use technology to aid in vendor management, 60 percent to comply with Know Your Customer rules and 52 percent for Community Reinvestment Act compliance.
But technology isn’t a magic bullet, says Pam Perdue, chief regulatory officer at Continuity, a regtech provider based in New Haven, Connecticut. An unclear vision can quickly derail the implementation of new technology or result in an unsatisfactory outcome. Before various providers and solutions are even considered, bank boards and management teams need to understand the goals that the bank wants to accomplish. What problem needs to be solved, and is technology the right solution? If so, what type of technology should be deployed? If the bank wants to move forward with considering technology providers, a specific employee—not a department or team—should be identified to own the process, she says. “There’s got to be role-based, officer of the institution, buck-stops-here accountability,” says Perdue. And the major areas impacted by the solution should have some representation in these discussions, both as subject matter experts within their area of the organization and to assure their buy-in further down the road.
Ensuring that the bank gets the desired return on investment and is spending the appropriate amount on the technology really hinges on setting clear goals at the outset, says Perdue. More than half of the executives and directors responding to the 2018 Risk Survey indicate that their investment in regtech has increased the bank’s compliance budget. While it’s highly possible that these banks would have been spending above and beyond that without the use of technology, this finding also underscores the importance of internal planning around technology and finding the right solution to suit a bank’s specific needs and strategy.
There are other common gaps in the banking industry that can prevent the successful implementation of regtech solutions. Third-party management is a key risk, and vendor management policies may need to be reviewed. Radius Bank, a $1 billion asset bank headquartered in Boston, examined its policies and thresholds around vendor management to adjust to its plans to work with newer technology providers, compared to more established core technology companies and legacy vendors. “The board had to understand [that] we were going to bring companies on that didn’t necessarily have 35 years of experience,” which changes the analysis in terms of risk and reward, says Radius CEO Mike Butler.
Considering the sensitive nature of regulatory compliance, banks will likely want to take an even more stringent approach to third-party risk management, and will want to ensure that the companies they work with have sound financial backing and are likely to last a long time. That doesn’t necessarily mean that banks should default to older, more established providers, but the onus is on the bank to make sure that it is comfortable with the solution.
Banks have significantly enhanced their vendor management processes, according to Ed Black, a partner and co-head of the technology, media and telecommunications practice at the law firm Ropes & Gray. A technology provider can spend as long as 120 days of continuous work in these processes just to be qualified as a candidate by the bank.
In vetting the identity verification solution Socure, Butler traveled to New York and spent two hours getting to know the company’s CEO. He wanted to know about Socure’s investors and long-term objectives, and to determine whether the two organizations fit together culturally. “It takes you a little more time,” says Butler. “You’ve got to get to know people [and] understand their culture.”
Matthew Russell, chief technology officer at the Nashville, Tennessee-based lending platform Built, says banks that are properly vetting partners will get a good feel for the relationship early on. “If there are red flags before you’re even doing business together, you should be worried. If everything is absolutely perfect before you’re doing business together, maybe probe a little deeper. It doesn’t hurt to ask for references.”
After getting to know a potential provider, Butler says Radius may ask the company to prove its model with a sample of the bank’s data to demonstrate it can do what it says it does—identify instances of fraud, for example. “We know where the problems were, so we know if the technology works better or not,” he says.
Vendors should be able to describe their solution to the board’s and management team’s satisfaction, and banks shouldn’t be afraid to ask questions, says Alexandra Villarreal O’Rourke, a partner at the law firm McGuireWoods. Boards don’t have to know every minute detail, but should understand the data used, the expected output, and the risks and possible problems. And directors shouldn’t ignore a gut reaction or hesitate to ask a question, as it’s just as likely that the bank’s regulator could express similar concerns.
O’Rourke encourages bank boards and management teams to talk to regulators about regtech, and says banks shouldn’t fear that expressing a desire to improve will reveal a weakness. “Regulators are aware that the market is changing, and are aware of the pressure,” she says. It’s highly unlikely that the regulator would give their blessing to a specific solution, but they will express their concerns. “They’re going to raise pointed questions,” she says. “I’d want to know their concerns before spending money on a solution.”
Barefoot agrees, and says those conversations shouldn’t end with examiners. She recommends engaging with the innovation offices that the federal regulatory agencies have opened up. “Understanding how they’re looking at issues and making them aware of what you’re doing—I think it’s a good step,” she says.
Regulators are growing more comfortable with regtech, but some may express concerns that the bank is attempting to do more with less. Barefoot advises that banks proactively defend a new tool by running it in parallel with the old system to prove that the organization is getting the right results.
Many banks have been working to become more digitally focused, and going digital means going regtech too. “You need to be constantly redesigning your service delivery platform, which means constant redesign of your compliance flow—[that’s] essential,” says Black.
“The internal process either needs to be sufficiently mature or sufficiently designed to be able to take advantage of the automation” inherent in many regtech solutions, says Perdue. If the process is haphazard, with too many variables, technology won’t work effectively. Banks with immature processes should at least analyze and determine what the process should look like in the near future, Perdue advises. She also recommends that banks considering regtech solutions examine internal resources early on, both in terms of capability—does the bank have the right skills—and capacity—will the internal team have the time to focus on effective deployment of the regtech solution.
“Somebody could give me a Lamborghini, but if I don’t know how to drive a stick shift, then I’m just going to be sitting in a pretty car,” says Perdue. “Technology is the same way.”
Evaluating vendor performance won’t just occur on the front end. Perdue says to expect frequent communication—once or twice a week—with the regtech provider at the beginning of the relationship, with interactions tapering off as the bank grows more comfortable with the solution. Even then, Perdue says to expect to touch base with the provider on a quarterly basis after the first year.
While communications should occur between the provider and the bank’s designated internal point person for the relationship, the board still ultimately bears responsibility for third-party vendor risk. Directors should be asking questions, particularly during the deployment phase, says Perdue. Like any good vendor relationship, progress should be measured against the bank’s goals, including expected milestones.
An understanding of technology on the part of compliance teams—along with a cultural mandate to embrace innovations—is needed to properly vet and deploy regtech solutions, says Butler. He adds that Radius has hired data scientists to work with compliance and other teams within the bank. Data systems have been upgraded from Excel spreadsheets to more advanced data tools. “It’s impressive, when you get these guys in a room, what they can do with data,” he says. “We’ve got a lot more data people here who can make the numbers sing, more than we’ve ever had before.”
Banks already struggle with data management, and it can be a big gap in the deployment of regtech solutions, due in part to disaggregated data sources. But, “more banks are undertaking projects to make new data accessible to everybody” in the bank, says Barefoot. The compliance staff needs to work more closely with other departments, she says. Working with the technology team—and data scientists, like at Radius—is a good start.
Perdue says there are two reasons why technology solutions—including regtech—fail for an institution. Organizations that operate in silos may find that one department adopts the technology, while the other never engages with it. In other organizations, employees may fear being replaced by technology. Both issues point to the company’s culture, and whether the value of the solution has been appropriately communicated and employees properly trained on its use. “When people fail to derive value from a technology, it’s because they have failed to use it in the intended manner,” Perdue says. Boards should ensure that management plans for an effective launch campaign for the solution.
The customer experience on digital platforms requires that banks consider how to reduce steps and pain points to provide an experience on par with competitors, both within and outside the banking industry. “The goal should be to design enterprise-wide technology,” says Syed Raza, a senior vice president and director of financial crimes compliance at Dallas-based Texas Capital Bancshares, with $25 billion in assets. The compliance process should be discussed as the bank is designing a new product or service, or launching a new business.
Balancing service with compliance has been key for Radius Bank, says Butler. The bank’s regtech providers “are trying to help us treat the right clients in the right ways and also protect against fraud coming through the system.”
Investing in regtech isn’t going to be cheap, but the cost of noncompliance—whether through human error or insufficient resources—is steep. In early February, U.S. Bancorp settled with the Department of Justice to pay more than $600 million for running an inadequate AML program over a five-year period, from 2009 to 2014. The bank had insufficient compliance staff during that time and concealed its mistakes from regulators. AML policies have since been corrected, according to the bank.
Technological checks and balances can help banks avoid missteps. If alerts produced by a system are ignored by one employee, an issue can be escalated up the chain. “Regtech can deliver a snapshot of who failed to make what decision when,” says Black. While it’s impossible to completely stamp out human error, “properly designed technology allows you to identify a point of failure much more rapidly,” he says.
Regulators will increasingly expect more from the banking industry when it comes to regulatory compliance. As regtech matures, Barefoot expects regulators to apply more pressure on banks to use these tools.
“Regulators [and] examiners are asking us for increasingly detailed information,” says Register. He credits Fauquier’s recent regtech implementations with the successful outcome of the bank’s recent exam with its regulator, the Federal Reserve. “Manually, it’s not possible. We’re able to respond very quickly because we have been working at this for a number of years, and our philosophy [has been to] follow the digital evolution,” says Register. “We can’t hire the people, so regtech for us has increasingly become a more and more important asset.”