The interplay of RegTech and SupTech should be at the forefront of regulatory activity in the near future. The Authors examine the challenges of relevant blockchain proposals. Part of the Blockchain & Procedural Law seminars (Max Planck Institute Luxembourg for Procedural Law).
The dynamic development of market practices and services frequently limits regulatory effectiveness. New technologies, however, might assist regulators in better tracking market changes. While Regulatory Technology (“RegTech”) has been vastly reducing compliance costs, Supervisory Technology (“SupTech”) has the potential to enhance data accuracy even further. Proper integration between these two will assist regulators in obtaining a continuously updated picture of their regulatees and allow higher regulatory adaptability, without incurring extensive additional costs. Still, harnessing technology for regulatory purposes might lead to an increased dependence on technology providers which risks regulatory capture. We argue in this essay that additional requirements, such as technological neutrality and interoperability, are needed to mitigate such risks. We illustrate our case through blockchain proposals for RegTech and SupTech and their interoperability challenge.
Regulation recurrently falls short at achieving its objectives as it fails to acknowledge market dynamism. This limitation is especially true in financial regulation.1 As crises surface, new requirements are added to a growing rulebook, increasing regulatory costs but not necessarily fixing this root problem.2 Meanwhile, new technologies disrupting financial services, such as artificial intelligence, big data, cloud computing, and blockchain,3 are also being directed at coping with these rising costs.4 Such technologies have mostly been used by the financial industry to address business challenges and respond to regulatory oversight. If adequately tailored, however, they could also assist regulators themselves in better adapting to market changes and emerging risks.
Regulatory technology (“RegTech”) involves the use of technologies to enhance compliance processes, matching regulated entities’ data to information taxonomies relevant to regulators’ oversight.5 As pointed out by the European Securities and Markets Authority (“ESMA”), the RegTech industry has been accelerating in recent years courtesy of both demand and supply shocks.6 On the demand side, a costly wave of new regulations that followed the financial crisis intensified RegTech’s attractiveness.7 On the supply side, FinTech firms, beyond disrupting financial intermediation,8 have also been innovating to provide new ways of reducing compliance costs significantly.9
Though regulated entities have been speedily making use of these tools to enhance compliance, regulators have lagged in revising themselves for the digital age.10 To correct such delay, Supervisory Technology (“SupTech”) has attracted some attention. SupTech makes use of similar tools as those applied by RegTech but is directed toward the technological empowerment of regulators and market supervisors, the refinement of their oversight capabilities and data accuracy, and to the more timely delivery of these interventions.11 Since market dynamism tends to magnify information asymmetries between regulators and those regulated, better integrating RegTech and SupTech could enhance needed regulatory adaptability.
In this essay, we argue that RegTech and SupTech must go hand-in-hand to counter markets’ dynamism. Consequently, in the process of better embedding these technologies, regulators should enforce specific requirements on the development of these new solutions. As RegTech and SupTech are prone to monopolistic tendencies and could serve as a new stage for regulatory capture, legal requirements such as technological neutrality and interoperability have to be considered by policymakers, which can posit blockchain solutions as a problematic case.
We proceed as follows. Section II explores how market dynamism limits regulatory efficacy. Sections III and IV discuss how technology may assist regulators who are facing such difficulties, by arguing that RegTech, infra Section III, and SupTech, infra Section IV, can assist in identifying the need for adaptations and reforms in regulation. Against that backdrop, Section V will show how RegTech and SupTech solutions may backfire, thereby making a case for certain design amendments. Section VI illustrates these technological potentials and challenges through blockchain proposals. Section VII concludes.
Markets are continuous fleeting targets for regulation.12 Their inherent dynamism is partly driven by competitive pressures and market players’ constant search for a more favorable regulatory environment. Thereby, this degree of mismatch between market changes and regulatory adaptation ends up limiting regulatory efficacy.
In financial markets, beyond a significant shift in the way funds are channeled from suppliers to users of capital, technological advancements have reduced the costs of financial transactions and international capital flows, encouraging the emergence of new markets and risk management options. Organizational complexity has also grown with a considerable rise in the average number of subsidiaries controlled by global banks.13 As these subsidiaries engage with different businesses and operate in more jurisdictions, building opaque organizational structures, their regulation and supervision become ever more challenging.14
Remarkably, regulation also spurs dynamism as market actors create new ways to reduce its costs.15 This practice includes the phenomenon known as shadow banking, which gained public attention after the financial crisis. In the U.S., for instance, nontraditional banks are the ones today providing most credit to borrowers with lower credit scores.16 The increased regulatory burden has not stopped the flow of credit but has instead moved it towards sources outside those that are traditionally regulated.17
FinTech is one of these phenomena propelled by technological change and, partly, regulatory costs. Its capacity to disperse risks once concentrated in banks has produced some efficiencies and stability gains, enabling customers to access more affordable credit, amplifying liquidity, and reducing biases and negative prejudices in the credit market.18 Nevertheless, products and services such as crowdfunding,19 digital currencies,20 and initial coin offerings21 all seem to partly display features of solutions that have evolved to sidestep regulation.22
The disruption FinTech brings to how financial services are provided, and by whom they are provided, has forced financial regulators to widen their areas of competence and to increase the number of players they have to monitor. Moreover, FinTech competes against traditional financial institutions but has also been increasingly partnering with them, building more intricate relationships and opening the door for novel business and operational models, further limiting regulators’ capacity to monitor emerging risks.23
Regulatory effectiveness requires that policymakers and regulators are continually learning while they regulate, monitoring how market changes can potentially lead to consumer harm or financial instability, and preparing the appropriate counter-measures. To mitigate the information asymmetry, regulators have been devising new regulatory experiments such as regulatory sandboxes and innovation hubs.24 This experimentalism has also led regulators to perceive technology as an ally for boosting compliance levels. The following two sections explore how regulatory technologies, infra Section III, and supervisory technologies, infra Section IV, may assist regulators in responding to dynamic market developments.
The rising costs of compliance and the availability of new technologies have led to an intense episode of market entry and product development in recent years, especially in sectors that heavily use data.25 Both phenomena fueled the development of RegTech. RegTech provides tools that can support the handling of large amounts of data, develop more sophisticated analysis, and automate reporting. As financial institutions now must submit far more data on their decisions and risk exposure, they need better information technology systems, which forces them to rely on RegTech providers. Nevertheless, they have also been developing in-house solutions and sometimes, more critically, conducting this development in collaboration with established competitors.26
The range of RegTech services and products goes beyond compliance and regulatory reporting. While the first incorporates solutions that identify and keep track of changes in regulatory requirements in diverse jurisdictions and automate real-time monitoring of compliance and risk levels through the analysis of operational and internal data (such as insights from managers and employees observation), the second helps to automate and integrate regulatory reporting requirements to cut costs and increase accuracy and speediness.27 It also includes customer identification and transaction monitoring (digitizing and updating customers and partners information and identifying suspicious transactions) and risk management functionality (generating data and internal reporting, monitoring risk according to internal methodologies and regulatory definitions, and creating alerts and automated reactions to changes in risk level).28
The development of RegTech solutions holds great promise for reporting accuracy, cost-cutting, and improved dialogue between regulators and regulatees. It is therefore no surprise that regulators have designed ways on how to support the emergence of RegTech solutions. Already, in 2016, the British Financial Conduct Authority (“FCA”) had summarized the following four goals regarding how to assist the RegTech industry, all of which have been replicated in some way by other regulators: (i) efficiency and collaboration (through alternative technologies that allow efficient data-sharing, such as cloud computing and online platforms, and communication among diverse parties); (ii) integration and automation (through technologies that close the gap between the intentions and interpretations of policymakers and regulators or, better still, technologies that assist converting regulatory text into machine-readable formats and shared data ontologies, and the “Robo-Handbook”, tailored to assist firms’ compliance in a more precise format); (iii) predict, learn, and simplify (through technologies that simplify data and allow for better decision-making, such as big data analytics through the creation of “data lakes,” better visualization technologies, and risk and compliance monitoring); and (iv) new directions (through technologies that accommodate new approaches to regulation and compliance, such as system integrity and transparency with blockchain).29
This digitization of financial services brings a wide range of benefits, but also some challenges. Cybersecurity is a problematic issue facing the financial markets as remote banking services grow, and this has attracted the attention of several regulators.30 And now, because of the use of novel technologies for compliance, financial markets might be even more susceptible to cyber-attacks and data privacy risks.31 To address these emerging issues, financial institutions have more actively turned to data analysis and cybersecurity companies, increasing third-party risks from technology providers in doing so.32 Consequently, these new layers of intermediaries, which in many cases entail cross-border collaborations, pose yet another additional source of informational asymmetry between regulators and regulated entities. These new types of market participants might end up building intense communication channels with regulators, especially after regulators start more intensely incorporating some of the solutions developed by market participants.
It is also important to emphasize that as financial markets and compliance become increasingly data-driven, they arouse the attention of large technology firms (so-called “BigTech”), who currently dominate innovations in artificial intelligence and data analysis.33 This change in players might lead to competition concerns as one of the BigTech strategies for growth is built on identifying and acquiring promising smaller technology companies while holding extensive consumer data in their platforms.34
Technological change is a driver of not only dynamism in the financial markets, but also of innovation in regulation and supervision. As the costs of regulatory arbitrage fall with better information and communication technologies, competition among regulators intensifies, incentivizing them to perfect their institutional environment. In this sense, while RegTech development has been driven mostly by industry participants aiming to reduce their compliance costs, it has also received growing support from regulators seeking to lessen the burden they place on regulated entities and lately, explore how such tools could be adapted into SupTech, improving monitoring and stability.
The Basel Committee on Banking Supervision (“BCBS”) was one of the first observers to point out that the same technologies that improve the efficiency of banks35 and FinTech should also be used to improve supervisory efficacy.36 While RegTech assists financial institutions in complying with changing laws and regulations, SupTech is focused on enabling regulators to “conduct supervisory work and oversight more effectively and efficiently.”37
The most basic supervisory need at this moment is for regulators to be able to assess and evaluate the increasing amount of material being provided by financial institutions, which is required by the wave of new regulations that came after the financial crisis. This need may also be related to, and the logical consequence of, the automation of reporting systems and RegTech. SupTech, therefore, may be seen as the “regulator’s response,” reinstalling a level of parity between supervisor and supervisee. At the outset, SupTech is mainly found in data collection and analytics.38 Its most transformative potential, however, lies in its capacity to enable real-time monitoring of financial markets, improving the evaluation of compliance breaches and firms’ due diligence, as well as the assessment of new risks as they unfold. This development will improve market monitoring, allowing regulators to more effectively process new types of data concerning the growing number of players under their supervision.39
SupTech moves in the direction of better enabling regulators to anticipate future market changes and how firms are adapting themselves to novel regulatory requirements. In this sense, SupTech assists regulators in tracking the impact of novel products, services, and business models, shortening regulators’ discovery and regulatory lags. Through the use of these technologies, financial regulation is better prepared to account for market dynamism, enhancing the ability of regulators to monitor systemic implications in a timelier and comprehensive manner.
The Financial Stability Board (“FSB”) and the International Monetary Fund (“IMF”) have identified the need to synchronize reporting templates for systemically important financial institutions to make data analysis easier.40 Risk data aggregation requirements were also promoted by the Basel Committee,41 which encourages institutions and regulators to focus their internal procedures on near-real-time delivery and analysis. Moreover, the FCA and the Bank of England have been operating a database named Gabriel, fed by electronic reports from regulated entities.42 As its maintenance still partly involves manual procedures, both institutions have been studying how to upgrade their system with tools such as blockchain and natural language processing to improve completeness and consistency.43
The Cambridge Centre for Alternative Finance’s benchmark report on RegTech pointed to a market premium for solutions offering real-time insights and the transformation of compliance and oversight into an “end-to-end process.”44 Artificial intelligence and machine learning are assisting regulators in improving their analyses over more massive data sets and, combined with big data, in identifying new patterns that might indicate suspicious activities and find previously ignored correlations.45 Digital reporting has already altered the quantity, quality, and velocity of data available to regulators, and it could soon also allow access to firms’ data recorded internally in a secure manner, improving regulators’ decision-making in the process.46
Another recent experiment of the FCA and the Bank of England with language-processing technologies involves translating the reporting requirements of the FCA’s Handbook from English to computer code, assisting institutions to catch up with regulatory changes.47 Nevertheless, this could go further. With the capacity to access regulated entities’ data as it is being produced, SupTech could be tailored using smart contract functionalities to identify breaches and imbalances, making specific suggestions for sanctions and interventions in a timelier manner.48
Finally, institutional differences such as the legal mandates, public accountability, lack of technological expertise, limited budget constraints, and consequently the risk-averse nature of regulators, leave them at a disadvantage in adopting technological innovations.49 While the private sector is relatively well-equipped to create and adopt RegTech solutions, it has less incentive to utilize these tools in the public interest and to assist SupTech to enhance regulatory capabilities. The question, therefore, turns to how to build a regulatory framework that embeds both technological flexibility and public accountability.
Regulators’ improvement in monitoring changes in the market can lead to more effective regulations, which in turn will be more flexible and adapted to emerging risks. In the process of improving their technological capacity, however, regulators may end up becoming even more dependent on technology providers, including established financial institutions which are now cooperating with regulators in building these shared infrastructures. Subsequently, the key question becomes how to ensure that this process does not lead to regulatory capture and reduced competition.
We have seen so far that RegTech and SupTech both hold great promise in coping with the dynamic evolvement of financial markets: their role will—and to a certain extent, already does—go beyond mere compliance facilitation. A technology-driven framework for the supervision of financial services providers may partly overcome the present-day problems that regulators face—a lack of speed and sophistication, legal uncertainty of outdated regulatory frameworks, and the absence of innovative ways in approaching new products and services, to name but a few.
Nevertheless, as the RegTech industry grows and regulators become more dependent on their solutions for supervision, a new window for regulatory capture is open, which might threaten public accountability. It is our principal argument in this essay that, in this new age of financial markets governance, RegTech and SupTech solutions should first and foremost be developed hand-in-hand rather than in isolation. We believe that RegTech and SupTech can most fruitfully interact by following a number of key framework principles, such as technological neutrality and interoperability, to which we now turn.
The first issue relates to the choice of the right technology. In the current age of continuous technological exploration, it is hard to determine which technology is superior or will have higher market adherence.50 The choice of a particular solution can lead to possible technological dependence, which is highly detrimental in public institutional models that leverage partnerships with private actors. Accordingly, because of the limitations in assessing the quality and security of an adopted technology, especially new technology which has yet to prove its validity, regulators should ensure that any partnerships entered into are straightforward and easy to exit, as a means of ensuring public accountability.
An initial measure to uphold public accountability is to guarantee technological neutrality. Technological neutrality means that, instead of promoting and regulating the technology itself, regulators should focus on their outcomes.51 Such a step reduces the possibility that regulators are lured into endorsing certain technologies only because of pressure or influence from specific technology providers or regulated entities. In other words, technological neutrality mitigates the risk that regulatory capture would start at the moment of choosing a particular technology. Regulators should focus on outcomes; therefore, if a more efficient competing solution delivers better results, it should be preferred instead of another.
In Europe, Directive 2009/140/EC enshrines the requirement for technological neutrality for electronic communication networks.52 However, it is paramount to expand these requirements to the emerging RegTech and SupTech industries. Regulators, therefore, should not be promoting or discouraging certain technologies over others, but should instead adopt a neutral stance. For example, it is not necessarily algorithmic trade that is the problem, but rather the risk of fraud. And it is not blockchain data pools that should be the goal but rather secure data pools, which may end up being developed on a blockchain or not. The FCA, for instance, is neutral towards the technology used by the entities it regulates, so it does not matter how firms maintain their records or organize themselves as long as they produce the reports required and comply with the rules contained in its Handbook.53
A further measure is to ensure that the solutions adopted by the industry and, even more importantly, by the regulators themselves, are interoperable. Interoperability is the capacity of a product or service to communicate with or function alongside other products and services which might be technically distinct.54 Interoperability invites more competition as it avoids technological dependency and potential regulatory capture. The characteristics of the RegTech and SupTech industries are somewhat akin to those of the digital platform economy, which is another major topic of interest among policymakers in recent years, with particular emphasis on its competition risks and political influence. Among others, a major common characteristic shared by these industries is a tendency towards monopoly. The following features illustrate this characteristic: (i) strong network effects (the adoption of a certain RegTech or SupTech solution makes it more appealing to others firms and regulators); (ii) strong economies of scale and scope (the costs of producing more and moving to other market segments decrease as the size of the technology provider grows); (iii) low marginal costs of serving additional customers; (iv) increasing returns from data use (the more firms and regulators a technology provider attends to, the more data it will control and more leverage it will acquire); and (v) the low global distribution costs.55
This confluence of characteristics might lead to increased market concentration and the establishment of a few dominant players. The Cambridge Centre’s benchmark report has already pointed to a growing saturation in the RegTech market.56 Interoperability is not an uncontroversial topic, as the incentives for investment might decrease if customers can migrate more easily to other solutions.57 Accordingly, producing an interoperable product is a strategic business choice: companies with larger networks will tend to offer products or services that are not interoperable with products or services from other companies, to maintain their position. Nevertheless, these concerns are allayed when the focus switches to technologies with a more public purpose such as regulatory compliance and oversight, which require a higher degree of public accountability. RegTech and SupTech might be of even greater concern than digital platforms because, as they evolve, they turn into essential public facilities in financial regulation and supervision.
Public consultations are essential in this regard because of information asymmetries between regulators, RegTech, and SupTech providers. Consultations are paramount in governance systems with diverse participants with unique interests and demands which are hard to reconcile.58 This is especially true in highly dynamic environments such as financial markets. A problem, however, arises where better-funded market actors can participate more actively.59 As the RegTech and SupTech industries grow, dialogues among regulators, financial institutions, and technology providers will intensify, and this might lead to collusion and higher barriers to entry for newcomers. This risk is accentuated by rising compliance costs,60 which turns these tools into indispensable requirements instead of mere options, as well as the limited political influence of newcomers when compared to larger financial and technology firms.
Network externalities represent another concern, and not a new one either. They were previously present in the phone industry and were solved by forced interoperability among various phone companies. Today, in most jurisdictions, no network can block calls from another.61 For instance, in the cloud computing industry, a significant challenge in many cases is the absence of an interoperable Application Program Interface (“API”).62 Mandating an open and common API, which consists of a particular set of rules that software programs must follow to facilitate communication and interaction with other software, would allow different RegTech and SupTech solutions to connect better and migrate more easily.63 This requirement would avoid “lock-in,” a vital issue with cloud services,64 which is now the most commonly used technology in RegTech.65
Hence if not adequately designed, RegTech and SupTech, rather than reducing costs and increasing competition, might generate the complete opposite. In financial markets, a common form of capture is related to the constructed need of intermediaries, even when more efficient alternatives already exist. Better politically positioned intermediaries might promote self-serving arrangements.66 Thus, neutrality and interoperability are essential requirements to reduce the incentives for RegTech and SupTech firms to attempt to create dependable relationships with regulators and, consequently, with other firms to whom they might provide their products.
In Europe, the Revised Payment Services Directive (“PSD2”) includes the promotion of an innovative payment system through open banking, open APIs for banking services, and open-source technology that enables third-party developers to build competing applications and services around all financial institutions.67 This development also links to solutions such as data ownership and portability, illustrated by regulations like the EU General Data Protection Regulation (“GDPR”), which imposes portability across the entire economy, not only in the context of payments.68 Finally, the use of these new tools will undoubtedly raise data-related issues that are sector-specific. Increased interoperability and data exchange among and within jurisdictions should go some way towards resolving these issues. Notably, only a shared understanding of legal concepts and a common technical approach can deliver open regulatory standards and cross-border platforms.69
A significant technology being explored by the industry and regulators for RegTech and SupTech solutions is blockchain. The existing blockchain architecture, however, is usually not interoperable.70 We dedicate this last section to analyzing some of these proposals, highlighting the challenge of blockchain interoperability, and thereby attempting to guide regulators on how they go into promoting and incorporating its use.
Blockchain, like other technologies discussed in this essay, is present on both sides of the regulatory arena. It is disrupting financial markets and generating new challenges that demand public attention,71 while at the same time it can also be harnessed to increase compliance levels and solve past coordination problems, which might have been the justification for earlier interventions. Blockchain was initially proposed as an infrastructure for an “electronic payment system based on cryptographic proof instead of trust,”72 delivering a new way to store and monitor the exchange of information and digital assets.
Blockchain is composed of a combination of several technologies, including append-only databases and peer-to-peer networks, creating decentralized and more secure data records. Its application extends beyond cryptocurrencies to areas as diverse as supply chain platforms, utility markets, shared registries, and corporate governance, and it is well-equipped to prevent cyber-attacks, data privacy risks, and data alteration.73 Blockchain cryptography is transforming data into a more secure format to facilitate compliance with data-sharing regulations, such as PSD2 and GDPR,74 thereby diminishing data security concerns for big datasets by providing customized access.75
Blockchain is also assisting financial institutions in facilitating the storage of information and know-your-customer (“KYC”) procedures and anti-money laundering (“AML”) requirements.76 As KYC tasks are repetitive, which can lead to inconsistencies, and AML compliance requires extensive documentation, FinTech firms and the banking industry have been exploring how blockchain can improve their data collection. One possibility is to develop internal KYC blockchains that enable the sharing of data across a firm’s divisions, such as an “internal KYC platform,” and possibly among several firms, a “multi-participant KYC registry.”77 Thereby blockchain could also be combined with artificial intelligence to monitor the records of a broader range of transactions and firms.
A tool through which this could be done would be the establishment of “Data Storage Cell Level Security”78 with a cryptography application that only allows authorized parties to access the information shared on the blockchain data pool, protecting business-sensitive information79 without compromising the needed secrecy for banks’ strategies.80 Market participants can develop a blockchain system through which they hold and transfer financial assets connected with regulators’ SupTech solutions, thus enabling close monitoring and auditing.81 This system would also allow for exploration into new ways of aggregating information currently held by different regulators to produce a more complete and accurate picture of the financial system, incorporating new metrics to assess financial stability more broadly.
Remarkably, blockchain is more prevalent in applications tested by regulators rather than those tested by the industry overall.82 A reason for this might be the capacity of blockchain to develop smart contracts, which are in essence computer protocols that can self-execute a transaction upon the satisfaction of pre-defined conditions, thereby reducing settlement risks.83 Such a feature could also assist in the automation of certain regulatory interventions.84 Much of this rambling about the blockchain’s potential for RegTech and SupTech, however, is still conjecture. And some of the features that turn blockchain into an exciting technology for specific products and services, like its tamper-proof nature, may not be valuable for solutions that require more flexibility and adaptation, such as financial regulation and supervision. These regulatory and supervisory solutions may end up turning into new problems because of the blockchain interoperability limits.
There are multiple reasons for the lack of blockchain interoperability. Several of them are economic as explained earlier. For instance, when designing blockchain for the governance of cryptocurrencies, the founders recognize that part of its value comes from the enlargement of its network, which increases its acceptability. Thus its developers are motivated in keeping their users within the system; therefore developing a system to better communicate with others might be economically disadvantageous as it eases customers’ exit. Another reason is more technical and based on the “trust” element of blockchain. As the interaction of nodes verifies every transaction, the network monitors itself, and thereby interoperability could frustrate its operating rules. For Tasca and Piselli, “[i]n relation to the impact upon the market, [blockchain] non-interoperability could strengthen technological lock-ins and could block the competitive and prosperous development of a market for the downstream applications of the ledger.”85 This limitation could end up leading to the emergence of a few dominant systems which could harm the market of blockchain-based applications, thereby being detrimental to further innovation.86
On the positive side, recent years have seen significant research on defining protocols for interoperability across independent blockchains, especially for crypto-asset cases.87 The basic proposal for interoperability would be to leverage digital assets defined on blockchain X to serve as a backing store for “shadow assets” in blockchain Y.88 How such a solution could be translated to the RegTech and SupTech products and services is yet to be seen. Nevertheless, exploring paths to mitigate network externalities and the risk of technological lock-in in blockchain systems should be a paramount concern for public authorities considering adoption of these solutions.
Regulatory effectiveness largely depends on the establishment of a more adaptable dynamic to counter emerging risks. Consequently, regulatory and supervisory technologies will be an essential key to the development of a new framework for market governance. To achieve such a goal, regulators must ensure better integration between RegTech’s potential to reduce the firm’s costs of monitoring regulatory changes and SupTech’s potential to expand data accuracy and timely interventions. In the process of achieving this integration and higher regulatory adaptability, however, established market players and technology providers might attempt to create self-serving relationships through technological dependence, which can lead to new forms of regulatory capture. We argue that the interplay of RegTech and SupTech should be at the forefront of regulatory activity in the near future. Inter alia, this involves strict adherence to technological neutrality and interoperability between the two twins to avoid any lessening of market competition.