Fintech, Regtech And The Role Of Compliance In 2019 Part 4: Industry Opinion, Challenges For Firms, Cyber Resilience, Closing Thoughts | Thomson Reuters Regulatory Intelligence and Compliance Learning

The list of financial technology challenges for firms continues to grow. This year the greatest challenges are expected to be the need to keep up with technology advancements; perceived budgetary limitations, lack of investment and cost, and then data security.

Thomson Reuters Regulatory Intelligence has undertaken its fourth global survey to assess the impact of developments in regtech and fintech on the role, remit, and expectations of the compliance function in the financial services sector. The research represents compliance and risk practitioners around the world from almost 400 financial services firms.

This section looks at the key challenges over the next 12 months identified by practitioners, such as the need for cyber resilience, and reflects on the areas that firms need to address in order to realise the potential benefits offered by fintech, regtech and insurtech.


Technology-enabled solutions have driven a wave of start-ups pushing the bounds of innovation and using the new capabilities offered by concepts such as artificial intelligence and machine learning. Financial services firms themselves are also developing solutions in-house often in ring-fenced ‘labs’ where innovations are tested before beginning to be deployed.

The greatest financial technology challenges you expect your firm to face in the next 12 months are…

…Acute shortage of FinTech talent, more regulations, increased collaboration between traditional financial services and fintechs and more cyber-security/data breaches and enforcements…

In this section a range of views from the industry have been collated to illustrate the multi-faceted approaches taken and the varying attitudes towards new forms of technology.

“As regulation and data outpace compliance, regtech brings welcome structure and precision for focusing and prioritising critical resources. Regtech finds the ‘needle in the haystack’, providing insight into how it got there so compliance can prevent it getting lost again.”

Stacey English, chief digital officer, Corlytics

“As outsourced compliance principals, we use our clients’ technology. We always try to conform to the culture and systems that our clients use. For smaller firms in particular, I don’t think adequate and affordable technologies exist to monitor risk. Although I believe that our clients do a good job monitoring their risk, the majority of it is incredibly time-consuming for their internal staff and for us as outsourced regulatory compliance principals. I find that the technology either isn’t cost-effective for the smaller firms, or in many cases does not meet the demands of the client in a holistic way.”

Deirdre Patten, compliance principal and founder, Patten Training & Review, Texas, United States

“I worked for 10 years as a compliance officer, and although management would pay for sufficient technology to monitor money laundering and other types of financial crime risk, it was not as useful as it could have been, partly because we were understaffed. Also, we needed more training on how to use the technology better, particularly how to get the most from the tools and link them to those used by other departments.”

Former AML compliance officer for a large, global bank, NY office

“Technological advances have great promise for improving the effectiveness and efficiency of compliance functions at global financial institutions. Transactions can be reviewed and filtered by use of artificial intelligence and other technology methods that can assist in the fight against financial crimes, ensuring compliance with the Bank Secrecy Act, anti-money laundering laws, and OFAC sanctions requirements. Financial institutions should consider these advancements, paying particular attention to the reliability of the technologies and methods used, as with any vendor management program.”

Maria Vullo, former superintendent of the New York Department of Financial Services and now CEO of Vullo Advisory Services, PLLC

“We use regtech for front-end KYC and customer due diligence screening, mainly. We should be using it for cybersecurity purposes more, but there is still a “it might not happen to us” mentality here. Regtech has made compliance work easier and more effective, but it can be easy to depend too much on it – I think we’re not being skeptical enough, sometimes. And it’s used best when people know their roles well – who oversees the technology, who tests it, who updates it.”

Senior BSA/AML compliance officer at a large, global bank (NY office)

“Regtech is, like any tool, a great support mechanism for the compliance function. But like any tool, it is only as good as the system into which you input it. A system will not by itself solve issues, but it will do a couple of things: it will add welcome automation and objectivity to a process. Computational analysis helps us understand our own data and processes better and allows us to look critically at any process. It is not, however, a means to let the machine take over a function completely. Controls keep all systems in check by providing oversight, and model governance was meant to create the balance in the operational systems by providing quantifiable evidence that a system is working effectively. Also, the staff that are in charge of managing such systems must be equipped for success with adequate training, controls and permissions to manage the systems. Without the oversight and controls, there is not much to stop exploitation, abuse or even cyber influence. Making the program work with the systems is the key to success in balancing technology and operations.”

Debra Geister, CEO at Section 2 Financial Intelligence, Minnesota, United States

The last three years show a relatively steady and positive view of fintech (including insurtech) innovation and digital disruption, with 83% expressing either a mostly or extremely positive view. What is clear is that the neutral stance on fintech that was common in 2016 has faded: 56% of respondents reported a neutral view in 2016 compared with 15% in 2019.

As with the view on fintech, there has been a relatively steady and overall positive view of regtech innovation and digital disruption. A total of 77% (20% extremely positive, 57% mostly positive) expressed a positive view of regtech and, again, the neutrality reported in 2016 (57%) has reduced by almost two thirds to 20% in 2019.

“Innovation in financial services has the capacity to bring many benefits for consumers, the economy and society in general. It is essential to the effective functioning of a competitive economy. However, here is where a challenge lies for financial regulators. Innovation is good, but not all innovations are good, and not all good innovations are done well.”

Ed Sibley, deputy governor at the Central Bank of Ireland, November 2019

A view from Thomson Reuters Labs

The regtech industry is maturing and as a result Thomson Reuters Labs is seeing a shift in how regulators, corporations and the start-ups and vendors that serve them are using technology. The goal of regulation has always been to shift human behavior positively. Traditionally this has been done by monitoring behavior and retroactively punishing non-compliance, but increased cost pressure and the rapid advancement of technology are now helping to prevent things like fraud and money laundering by creating infrastructure that is resilient enough to detect and prevent negative behavior, be it malicious or unintended.

The technologies at play in the regtech industry are transformational, but it is the growing prevalence and intersection of these technologies that are creating new opportunities. By highlighting select examples, we hope to illustrate this ongoing shift from reactive to proactive compliance.

  • Identity verification and customer onboarding remain one of the least customer-friendly and most expensive compliance activities that banks and other professional advisors need to perform. It is still mostly performed in person, requiring customers and agents to meet to authenticate documents and verify a person’s identity. The biometric sensors on modern smartphones are now capable of running facial recognition models, and AI models can be trained to verify government documents; all of this is enabled by cloud platforms that aggregate data and make it available in real time anywhere in the world. Thanks to the intersection of these technologies, identity verification is becoming faster, more effective and less expensive, and the overall customer experience is improving.
  • Adverse media screening has become essential as an early indicator of involvement with money laundering, drug trafficking, financial fraud, organized crime, terrorism and more, but using human-initiated search to monitor the entirety of the media landscape is prohibitively expensive and is therefore traditionally reserved for only the highest-risk customers. Automated processes are changing this paradigm. The use of social channels, data mining, sentiment analysis, and techniques like adversarial neural networks to detect deep fakes all have the potential to lower the cost of comprehensive adverse media screening and improve outcomes.
  • Self-sovereign identity, while still several years away from mass adoption, has the power to upend the current model in which states and private corporations own and administer an individual’s identity. The combination of mobile biometrics and distributed ledger technology would allow individuals to control their personal data and share it selectively and for a limited period. Such systems would have a higher degree of trust by design and as such have the potential to further reduce the friction inherent in ID verification and authentication.
  • AI-driven risk assessment and customer due diligence is becoming more prevalent. The barriers to entry for AI are being lowered continuously as technologies are developed that make it easier to adopt and manage AI applications. Technologies like transfer learning, which uses pre-trained models, reduce the reliance on technical expertise, while approaches like top-down artificial intelligence can beat data-hungry approaches by modelling what a human expert would do in the face of high uncertainty and little data. Hardware requirements are also being lowered by software that is capable of running AI models on traditional CPUs instead of specialized GPUs. As the technology matures, we are seeing a democratization of AI and a much broader application in regulatory use-cases.
  • Regulators are embracing technology too. Supervisory technology (suptech) is growing as a category as government agencies embrace the use of innovative technology to support their supervisory functions. By digitizing reporting and regulatory processes, regulators can more efficiently and proactively monitor risk and compliance at financial institutions. This creates opportunity for regtech start-ups as well as corporations to more closely align their activities with regulators, further reducing the compliance burden.

The rapid advance of these technologies and industry’s increased appetite for “technology first” solutions means the next large regulatory challenge may not be met with a knee-jerk increase in staffing. In fact, we are already seeing this shift; hundreds of new companies have been formed to respond to the EU’s GDPR, all of which promise increased compliance and lower cost through the application of technology. We expect that any substantially impactful new regulation will see a similar, technology-driven response from the regtech industry. We also expect to see an acceleration in the use of technologies that not only lower the cost of compliance through automation, but also move organizations away from reactive remediation towards proactive prevention.

Thomson Reuters Ventures is a corporate venture capital fund focused on driving innovation in law, tax, compliance, government, and media. It provides the necessary capital and support to help grow start-ups operating at the intersection of commerce and regulation.

• Quinten Fourie – Director, emerging technology investments

• Nick Jarema – VP, Thomson Reuters Ventures


“…the increasing growth of big tech could have a more profound impact on the industrial organisation of financial services. The financial hierarchy could be reversed, with banks relegated from being in the centre of the financial system to a subordinated player to payment services provided by big tech companies.”

Pablo Hernández de Cos, chairman of the Basel Committee on Banking Supervision and governor of the Bank of Spain, November 2019

Technological challenges for firms come in all shapes and sizes. There is the potential, marketplace-changing challenge posed by the rise of bigtech. There is also the evolving approach of regulators and the need to invest in specialist skill sets. Lastly, there is the emerging need to keep up with technological advances themselves.

Basel Committee on Banking Supervision: 10 key implications and considerations on emerging supervisory issues arising from financial technologies and innovation

(1) The overarching need to ensure safety and soundness and high compliance standards without inhibiting beneficial innovation in the banking sector.

(2) The key risks for banks related to fintech developments, including strategic/profitability risks and operational, cyber and compliance risks.

(3) The implications for banks of the use of innovative enabling technologies.

(4) The implications for banks of the growing use of third parties, via outsourcing and/or partnerships.

(5) Cross-sectoral cooperation between bank supervisors and other relevant authorities.

(6) International cooperation between bank supervisors.

(7) The need to adapt the supervisory skill set.

(8) Potential opportunities for supervisors to use innovative technologies (“suptech”).

(9) The relevance of existing regulatory frameworks for new innovative business models.

(10) Key features of regulatory initiatives set up to facilitate fintech innovation.

Source: Pablo Hernández de Cos, chairman of the Basel Committee on Banking Supervision and governor of the Bank of Spain, November 2019.

The challenges for firms have moved on. In the first three years of the report the biggest financial technology challenge facing firms was that of the need to upgrade legacy systems and processes. This year the top three challenges are expected to be the need to keep up with technology advancements; perceived budgetary limitations, lack of investment and cost, and then data security.

The greatest financial technology challenges you expect your firm to face in the next 12 months are…

The need to upgrade legacy systems and processes has not gone away even if it is now seen to be less of a challenge. More than half of firms (59%) reported they were either very or mostly confident that their IT infrastructure was or would be able to support fintech, regtech and insurtech solutions, up from 42% in the prior year. A third (33%) reported they were far from confident and that more investment was needed, though progress has been made.

Firms choose to face the challenges of financial technology to reap the expected benefits, which have themselves moved on. In the prior year, the greatest benefits expected from financial technology were greater efficiency and accuracy, improvements in compliance monitoring and reporting, and better product delivery and customer experience. This year the top three benefits are seen as strengthened operational efficiency, improved services for customers and greater business opportunities.

The greatest benefits you expect your firm to see from financial technology in the next 12 months are…


Cyber risk and the need to be cyber-resilient is a major challenge for financial services firms which are targets for hackers. They must be prepared and be able to respond to any kind of cyber incident. Good customer outcomes will be under threat if cyber resilience fails. One of the most prevalent forms of cyber attack is ransomware.

There are different types of ransomware, all of which seek to prevent a firm or an individual from using their IT systems and demand that something (usually payment of a ransom) be done before access is restored. Even then, there is no guarantee that paying the ransom or acceding to the attacker’s demands will restore full access to all IT systems, data or files.

Many firms have found that critical files, often containing client data, have been encrypted as part of an attack, with large sums demanded for restoration. Encryption is in this instance used as a weapon: where the attacker has implemented it correctly, it is computationally infeasible to reverse or “crack” the files without the encryption key, which the attackers deliberately withhold. Free decryption tools exist only for ransomware families whose implementation was flawed, so a firm should not plan on one being available for its case.

What was previously viewed often as an IT problem has become a significant issue for risk and compliance functions. The regulatory stance is typified by the UK Financial Conduct Authority (FCA) which has said its goal is to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”. Regulators do not expect firms to be impervious but do expect cyber risk management to become a core competency.

Good and better practice on defending against ransomware attacks

Risk and compliance officers do not need to become technological experts overnight but must ensure cyber risks are effectively managed and reported on within their firm’s corporate governance framework. For some compliance officers, cyber risk may be well outside their comfort zone but there is evidence that simple steps implemented rigorously can go a long way towards protecting a firm and its customers.

Any basic cyber-security hygiene aimed at protecting businesses from ransomware attacks should make full use of the wide range of resources available on cyber resilience, IT security and protecting against malware attacks. The UK National Cyber Security Centre has produced some practical guidance on how organizations can protect themselves in cyberspace, which it updates regularly. Indeed, the NCSC’s 10 steps to cyber security have now been adopted by most of the FTSE350.

National Cyber Security Centre: 10 Steps to Cyber Security


Set up your risk management regime

Assess the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a risk management regime across your organisation, supported by the board and senior managers.


Network security

Protect your networks from attack. Defend the network perimeter, filter out unauthorized access and malicious content. Monitor and test security controls.


User education and awareness

Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks.


Malware prevention

Produce relevant policies and establish anti-malware defences across your organisation.


Removable media controls

Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system.


Secure configuration

Apply security patches and ensure the secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.


Managing user privileges

Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.


Incident management

Establish an incident response and disaster recovery capability. Test your incident management plans. Provide specialist training. Report criminal incidents to law enforcement.


Monitoring

Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse logs for unusual activity that could indicate an attack.


Home and mobile working

Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all types of device. Protect data both in transit and at rest.

Source: 10 Steps to Cyber Security Infographic, National Cyber Security Centre, November 2018.
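The “Monitoring” step above asks firms to analyse logs for unusual activity that could indicate an attack. As an added example (not code from the report or from the NCSC), the following Python script applies one ransomware-specific heuristic to a constructed file-server audit log: a single account writing or renaming many files within a short window, almost all of them to one extension that is not a normal business document type. The log format, the sample lines, the thresholds and the function names are all assumptions made for the example.

```python
"""Heuristic ransomware-burst detector over file-server audit logs.

Added example for this page, not Thomson Reuters or NCSC tooling. Assumes a
constructed, chronologically ordered log where each line reads

    <ISO timestamp> <user> <operation> <path> [-> <new path>]

and flags a user whose write/rename activity inside a sliding window looks
like bulk encryption: many events, most targeting one unfamiliar extension.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)   # sliding window per user
MIN_EVENTS = 30                  # writes/renames needed in the window before alerting
DOMINANT_SHARE = 0.8             # share of events that must target the same extension
BUSINESS_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}

# Constructed sample lines (not real logs): alice and bob do ordinary work,
# "svc_batch" renames forty client files to ".locked" within forty seconds.
SAMPLE_LOG = """
2019-11-04T09:00:01 alice WRITE /shares/finance/q3_report.xlsx
2019-11-04T09:00:40 alice WRITE /shares/finance/q3_notes.docx
2019-11-04T09:01:05 bob READ /shares/hr/policy.pdf
""" + "\n".join(
    f"2019-11-04T09:02:{i:02d} svc_batch RENAME /shares/clients/file{i}.docx"
    f" -> /shares/clients/file{i}.docx.locked"
    for i in range(40)
)


def parse_line(line):
    """Return (timestamp, user, op, target_path) or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, user, op = parts[0], parts[1], parts[2].upper()
    # For a rename the interesting path is the destination (the new name).
    if op == "RENAME" and len(parts) >= 6 and parts[4] == "->":
        target = parts[5]
    else:
        target = parts[3]
    try:
        return datetime.fromisoformat(ts), user, op, target
    except ValueError:
        return None


def target_extension(path):
    """Final extension of the path, lower-cased ('.locked' for 'x.docx.locked')."""
    return PurePosixPath(path).suffix.lower()


def detect_encryption_bursts(lines):
    """Return alerts as (user, window_end, event_count, dominant_extension).

    Only the first qualifying window per user is reported, so a sustained
    attack produces one alert rather than one per subsequent event."""
    alerts = []
    per_user = defaultdict(deque)
    alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, op, target = rec
        if op not in {"WRITE", "RENAME"}:
            continue                      # reads do not change data
        q = per_user[user]
        q.append((ts, target_extension(target)))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                   # drop events outside the window
        if len(q) < MIN_EVENTS or user in alerted:
            continue
        ext, n = Counter(ext for _, ext in q).most_common(1)[0]
        if n / len(q) >= DOMINANT_SHARE and ext not in BUSINESS_EXTENSIONS:
            alerts.append((user, ts, len(q), ext))
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for user, when, count, ext in detect_encryption_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when.isoformat()} user={user}: {count} writes/renames "
              f"in {WINDOW.seconds}s, dominant extension {ext!r}")
```

The thresholds are the tuning knobs a firm would calibrate against its own baseline: a nightly batch job that legitimately rewrites thousands of `.csv` files will not fire because `.csv` is a known business extension, whereas a real ransomware pass typically rewrites to a single new suffix and trips the rule within seconds. The heuristic complements, and does not replace, anti-malware controls and file-share auditing.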

Good advice on the general prevention of a ransomware attack is to ensure company-confidential, sensitive client and other important files are securely and regularly backed up to a remote, offline back-up or storage facility. As with other aspects of compliance, the basics done consistently well will go a long way toward providing firms and their clients with a reasonable level of cyber resilience. A firm that has been the victim of a ransomware attack should use all legitimate means to regain access to IT systems and client files as swiftly and cleanly as possible, restoring from clean back-ups wherever it can. Paying the ransom is sometimes considered as a last resort, but, as noted above, payment carries no guarantee of recovery, and UK law enforcement and the NCSC do not encourage or endorse it; any such decision should be taken at board level with legal advice. The follow-up action is then to learn all possible lessons to prevent a recurrence of the attack.

Some specific good and better practice recommendations on preventing ransomware attacks include:

  • Checking the firm has basic protection against malware and it is up to date – malware being an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems.
  • Ensuring all devices have the latest security “patches”.
  • Removing all unnecessary or default user accounts (such as guest accounts and unused local administrator accounts) and restricting user privileges to only what is required.
  • Removing or disabling any unnecessary software to reduce the number of potential routes of entry available to ransomware attackers.
  • Segmenting the network so that if an attack does take place the damage suffered is limited.
  • Ensuring the firm has an offline and offsite back-up of all critical systems (with the aim of protecting any back-up from also being encrypted as part of an attack).
  • Training staff to recognize a ransomware attack if it does manage to get past any anti-malware protection in place.

Some specific good and better practice recommendations for preparing to recover from a ransomware attack include:

  • Ensuring the firm has an effective back-up policy and process in place and that it has been regularly tested as working. An essential element of any effectiveness testing is to consider how the firm can seek to ensure that any back-up will not also be maliciously encrypted in the event of a successful ransomware attack.
  • Including cyber-attack scenarios in all business and disaster recovery plans and, again, testing regularly to ensure they work as planned.
  • Once any ransomware has been removed, ensure a full security scan and penetration test of all systems and network is carried out. If attackers were able to get ransomware onto the firm’s systems, they may have gained other access that has not yet been detected.
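The recovery checklist above turns on one question: can the firm prove, before it needs them, that its back-ups are intact and have not themselves been encrypted? As an added example (again not the report’s or the NCSC’s own tooling), the following Python script records a SHA-256 manifest of a backup tree, re-verifies the tree against that manifest, and additionally flags any file whose byte entropy looks like ciphertext rather than a document. The backup layout, file names, thresholds and the `demo()` walk-through, which simulates a ransomware pass over the backup directory, are constructed for the example; the manifest is assumed to be stored where the backup host cannot alter it.

```python
"""Backup integrity check: SHA-256 manifest plus an entropy heuristic.

Added example for this page, not Thomson Reuters or NCSC tooling. It assumes a
backup is a directory tree and that the manifest is kept somewhere the backup
host cannot modify (an assumption of the design; the script does not enforce it).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit well below this
MIN_SIZE = 256            # very small files give noisy entropy figures


def sha256_file(path):
    """Streamed SHA-256 of a file, so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the tree under root against a trusted manifest.

    Returns a dict listing files that are missing, changed or unexpected, plus
    any file whose content has the entropy profile of ciphertext, and an 'ok'
    flag that is True only when every list is empty."""
    root = Path(root)
    current = build_manifest(root)
    report = {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
        "high_entropy": [],
    }
    for rel in sorted(current):
        data = (root / rel).read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    report["ok"] = not any(report[k] for k in ("missing", "changed", "unexpected", "high_entropy"))
    return report


def demo():
    """Build a constructed backup, take a manifest, simulate ransomware, re-verify.

    Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "clients").mkdir()
        # Constructed sample content, not real client data.
        (backup / "clients" / "kyc_notes.txt").write_text(
            "Client A: passport verified 2019-10-01.\n" * 20)
        (backup / "clients" / "ledger.csv").write_text(
            "date,amount\n2019-10-01,100.00\n" * 30)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulate a ransomware pass over the backup: one file overwritten with
        # random bytes (standing in for ciphertext) and renamed with a new suffix.
        victim = backup / "clients" / "kyc_notes.txt"
        victim.write_bytes(os.urandom(4096))
        victim.rename(victim.parent / (victim.name + ".locked"))
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before:", clean)
    print("after :", tampered)
```

Run on a real backup target, the manifest step belongs in the backup job and the verify step in the scheduled restore test, with the manifest written to a separate, write-once location. The entropy check is a heuristic only: compressed archives and files that are legitimately encrypted at rest also score near 8 bits per byte, so exempt those by extension or raise `MIN_SIZE` rather than treating every hit as an incident.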

Cyber security has become a significant regulatory risk and firms must ensure they manage and, whenever feasible, mitigate cyber risks, including ransomware. The compliance function must ensure that cyber risks are expressly included in the range of risks considered, and that the board is prepared to discuss the actions taken to ensure that all reasonable steps have been taken to embed cyber resilience throughout the firm.


“The pace of change, together with the borderless nature of technology, requires an appropriate level of caution to be taken, through financial services firms taking risk-based approaches to strategic and business initiatives. Financial services firms need to make informed choices about where and how they are going to adapt and make sure that the associated risks are understood, considered, and measured as they make changes to their processes and business models.”

Ed Sibley, deputy governor at the Central Bank of Ireland, November 2019

The financial services industry has much to gain from the effective implementation of fintech, regtech and insurtech but practical reality is there are numerous challenges to overcome before the potential benefits can be realised. Investment continues to be needed in skill sets, systems upgrades and cyber resilience before firms can deliver technological innovation without endangering good customer outcomes. An added complication is the business need to innovate while looking over one shoulder at the threat posed by bigtech.

There are also concerns for solution providers. The last year has seen many technology start-ups going bust and far fewer new start-ups getting off the ground, an apparent parallel, at least on the surface, to the dotcom bubble. Solutions need to be practical, providers need to be careful not to over-promise and under-deliver, and above all developments should be aimed at genuine problems rather than being solutions looking for a problem.

There are nevertheless potentially substantive benefits to be gained from implementing fintech, regtech and insurtech solutions. For risk and compliance functions much of the benefit may come from the ability to automate rote processes with increasing accuracy and speed. Indeed, when 900 respondents to the 10th annual cost of compliance survey report were asked to look into their crystal balls and predict the biggest change for compliance in the next 10 years, the largest response was automation.

Technology and its failure or misuse is increasingly being linked to the personal liability and accountability of senior managers. Chief executives, board members and other senior individuals will be held accountable for failures in technology and should therefore ensure their skill set is up-to-date. Regulators and politicians alike have shown themselves to be increasingly intolerant of senior managers who fail to take the expected reasonable steps with regards to any lack of resilience in their firm’s technology.

This year’s findings suggest firms may find it beneficial to consider:

  • Is fintech (and regtech) properly considered as part of the firm’s strategy? It is important for regtech especially not to be forgotten about in strategic terms: a systemic failure arising from a regtech solution has great capacity to cause problems for the firm – the UK FCA’s actions on regulatory reporting, among other things, are an indicator of this.
  • Not all firms seem to have fully tackled the governance challenge fintech implies: greater specialist skills may be needed at board level and in risk and compliance functions.
  • Lack of in-house skills was given as a main reason for failing to develop fintech or regtech solutions. It is heartening that firms understand the need for those skills. As fintech/regtech becomes mainstream, however, firms may be pressed into developing such solutions. Is there a plan in place to plug the skills gap?
  • Only 22% of firms reported that they need more resources to evaluate, understand and deploy fintech/regtech solutions. This suggests the remaining 78% of firms are relaxed about the resources needed in the second line of defence to ensure fintech/regtech solutions are properly monitored. This may be a correct conclusion, but seems potentially bullish.

To read the full report click here.

