We are on the cusp of a digital transformation of regulation with the increasing adoption of information technology and data science methods by regulators and regulated entities, known as RegTech. RegTech is well embedded in the financial and banking sector where information systems are used to collect and manage data more effectively to meet regulatory requirements. Increasingly, emerging technologies such as artificial intelligence and distributed ledger technology are being tested to streamline and automate regulatory processes.
Definitions of RegTech are heterogeneous. Some have described RegTech as narrowly about using information technology for core regulatory activities such as monitoring, compliance, and reporting. However, others have described RegTech more broadly as the use of any technology to make regulatory activity more effective and efficient.
We are beginning to see signs that RegTech is expanding into other sectors. A recently released report [1] by the Productivity Commission (PC) paints an opportunistic picture for increased RegTech adoption in Australia, highlighting the potential benefits for regulatory compliance. In addressing the implementation of RegTech solutions, the PC advocates that policymakers and regulators take an arm's-length, facilitative approach to the development of RegTech by regulated entities, for example by “providing a more neutral or supportive regulatory environment.” The PC suggests government can also support the growth of RegTech as a procurer or provider of solutions or functions, and that regulators be involved in ensuring that the regulatory landscape keeps meeting regulatory outcomes – but does not advocate for government and regulators to be proactive in framing the RegTech landscape.
This caution appears tied to the risk that the technology ‘tail’ will wag the regulatory reform ‘dog’. However, we would argue that the risks and unknowns of RegTech, especially beyond the financial and banking sector, are too great for policymakers and regulators not to be deeply involved. The adoption of RegTech by industry will shape reasonable expectations of future regulatory reform, thus lack of involvement by the regulator now risks future conflict with firms who have invested deeply in regulatory technology. We argue that there is an urgent need for regulators to reclaim the initiative with RegTech before it is too late.
Thinking about the future of RegTech
One way we’ve considered the future of RegTech is in three waves. These waves include some forecasting, but they reflect similar digitisation efforts in other sectors which have included the adoption of information technology for specific tasks, followed by more broad-scale digitisation of functions leading to new digitally-enabled processes.
Wave 1 (present day)
Regulated entities adopt regulatory technology to reduce the cost of complying with regulation. This involves the use of information systems to simplify the process of complying with regulatory reporting. Regulators create enabling conditions and, in many cases, reporting requirements can only reasonably be met with the use of information technology.
At some point in the future, regulators will need to respond to the increasing adoption of RegTech by regulated entities. Regulators and policymakers could take a more prescriptive approach to RegTech, such as setting standards or guidelines for those developing RegTech, and expectations for those being regulated. Alternatively, the regulator may develop its own technologies and make them compulsory for those being regulated. Wave 2 can be viewed as a stepping stone to Wave 3, but it is an important one because the decisions made in Wave 2 will have huge ramifications for future RegTech developments. We see these questions around regulator involvement being raised in the case study below regarding employment regulation.
Example: A recent Australian example is when the Australian Small Business and Family Enterprise Ombud (ASBFEO) advocated for RegTech solutions, integrated with payroll software, to ensure that conditions and pay scales are compliant with industry awards and other labour laws. The ASBFEO has argued this software could be accredited by the Australian employment standards regulator, the Fair Work Ombud. More controversially, ASBFEO has suggested that in situations where an accredited RegTech solution is followed, the government should provide a ‘safe harbour’ from litigation for non-compliance where a business has acted in ‘good faith’.
The steps taken to digitise current regulatory practice will enable a new digitally-enabled regulatory landscape. Reports and research into RegTech have envisioned a future regulatory system in which near-real-time monitoring is enabled by interoperability between technologies used by regulated entities and technology used by regulators (e.g., supervisory technology, or SupTech). The use of emerging technologies such as artificial intelligence, natural language processing and smart contracts allows for greater automation of regulation, which would supposedly make non-compliance near impossible. Regulations are translated into code that can be read by RegTech. The near-real-time data flows available to regulators allow for a more anticipatory approach to regulation. Whereas Waves 1 and 2 are the digitisation of the current regulatory system, Wave 3 represents a digitally enabled regulatory landscape. However, Wave 3 is dependent on what happens in previous waves with the development and adoption of RegTech. This is similar to what has happened in other industries such as healthcare, where historical decisions to adopt proprietary technologies with limited interoperability have become a barrier for digitally enabled healthcare.
Guiding the future of RegTech
If policymakers and regulators take a hands-off approach to the development of RegTech, we risk having a complex system of proprietary technologies which are not interoperable, making regulatory change challenging, especially for small and medium-sized enterprises. The risk for business, especially SMEs, is high if they invest in RegTech, only to have it become outdated with future developments in the regulatory landscape. Regulators and policymakers need a long-term vision for a digitally enabled regulatory system so that standards and system requirements can be established today. We argue that a long-term vision should include the following:
- Regulators should initiate the process to either design or adopt regulatory data standards. These standards should ensure interoperability between technologies used in regulation.
- Regulators should establish a RegTech adoption model relevant to their sector, with stages to guide the maturity of RegTech implementation by regulated entities. This model would acknowledge that different sectors, and different businesses within a sector, will be digitising their regulatory processes at different rates. The regulator could apply different requirements to businesses at different levels of maturity. The maturity model would also establish foundational requirements for the adoption of RegTech, such as basic security standards, and internal interoperability between information systems.
- Acknowledging that RegTech technology will more than likely be developed by third-party software developers, regulators should establish guidelines to support businesses in choosing RegTech software. Such guidelines could mimic the meaningful use stages adopted in the United States to guide the digitisation of the health system. Meaningful use guidelines would establish the core requirements of RegTech adoption. In the long term, these meaningful use stages could be tied to benefits or incentives such as eligibility for government contracts or financial incentives and relaxed regulatory requirements. Finally, meaningful use requirements could also be established for regulators wishing to adopt new technologies for the enforcement of regulation. Though these technologies might enable new ways to regulate, meaningful use requirements could limit regulatory creep by ensuring the use of technology is specific to the outcomes of the regulator.
- Not all regulation will be easily turned into machine-readable code. Interpretation will still be required when applying regulation via RegTech. Regulators need to establish methods and processes for validating interpretations of regulations. For example, with the ASBFEO proposal discussed above, identification of the relevant award and pay classification may require interpretation based on context and actual work in individual cases.
Policymakers and regulators should be more involved in RegTech developments for several reasons, outlined below.
Oversight & transparency: The use of proprietary software raises issues as to transparency, data privacy and accountability. For firms that purchase RegTech from third-party vendors, questions arise as to the transparency of how decisions are made. This is especially the case with the use of algorithmic technologies which can operate in a ‘black-box’. If RegTech leads to poor decisions which were not understood by the regulated entity, or if there are software errors, the issue of accountability will be raised.
Data can also be manipulated, as was seen in the case of Volkswagen tampering with the devices that undertook regulatory tests [2]. Will the role of the regulator become one of detecting misuses of data? This raises questions as to the capabilities of regulators when it comes to data and artificial intelligence. It is no secret that many regulators are playing catch-up when it comes to information technology, and this raises the risk that companies may use the information to obscure non-compliance.
Cybersecurity: Cybersecurity is one of the major concerns for businesses and governments in the modern day [3]. Regulators should consider setting minimum cybersecurity standards for RegTech technologies adopted internally and by regulated entities. Further, regulators may need to establish competency standards for staff in regulated entities who are responsible for RegTech oversight, as well as their own staff. Investment and support will be critical for small businesses and start-ups who may have less capacity to ensure cybersecurity standards and processes compared to larger businesses.
Politics, trust & legitimacy: In many liberal democracies, there has been a shift towards deregulation and privatisation; cynicism and mistrust of government intervention are commonplace. If we consider the third wave of RegTech proposed, where regulators have unfettered access to company data (even if mediated by a technology layer) the current and future political context is important. Right now, RegTech appears to be viewed positively by industry as it can reduce the cost of complying with regulation. However, under a government that is more favourable to extending government regulation and oversight, RegTech may be less accepted. The PC report outlines the risk of technology facilitating expanded regulatory activity, which may be unjustified, or undermine acceptance of regulatory legitimacy. RegTech provides opportunities for improving the efficiency and effectiveness of regulation, but the PC argues this is all the more reason for policy makers to ensure that the need for, and design of, regulation ‘are soundly-based’.
Translation: Translation captures the challenge of taking regulation and business processes and turning this into computer code [4]. Machine-readable regulation will be essential to the success of RegTech. However, both human bias and limitations of the technology can create distortions in the translation, which can exclude certain types of data or information. These distortions happen at the point of translating regulations into actions taken by the business and then translating these actions into computer code [5]. These distortions can have huge ramifications if they hide certain types of risk, or cannot handle irregular circumstances. The use of human-centred design could help address this issue. However, policymakers will need to decide how to address the implications of these distortions, especially when regulated entities appear to be acting in good faith. Providing regulated entities with a ‘safe harbour’ when using regulator-approved RegTech, which transfers the risk back to the regulator, is one option. Another option would be for regulators to set requirements for a ‘human-in-the-loop’ to manage risks posed by the translation of law into code.
The PC report makes the point that RegTech is not a replacement for regulatory reform. However, consideration must nevertheless be given to how regulatory reform progresses in a landscape transformed by technology. A clear issue is the mix of prescriptive and principle-based regulation. Some components of a digitally enabled regulatory system, such as machine-readable regulation, align with prescriptive regulation. However, predictive algorithms could support both business and regulators to tailor their approach to principle, risk-based or outcome-based regulation. These opportunities require testing and experimentation, which could be supported by ‘regulatory sandboxes’ or test-beds.
The PC report posits an extreme RegTech future where regulators can scale back their intervention due to automation of compliance activities. However, we argue that for this future to be possible, there is an urgent need for policymakers and regulators to intervene in the design and implementation of RegTech. Governments should have a plan for the future of digitally enabled regulation. This plan must acknowledge that RegTech will play a role but should not dictate the aims and outcomes of regulation. Having this plan will allow regulators and policymakers to support and guide the development and implementation of RegTech while also addressing the risks we have outlined above. Further, such a plan would provide certainty to SMEs and reduce the risks associated with investing in RegTech solutions.
1. Productivity Commission. Regulatory Technology [Internet]. 2020. Available from: https://www.pc.gov.au/research/completed/regulatory-technology
2. Brand V. Corporate whistleblowing, smart regulation and regtech: The coming of the whistlebot? University of New South Wales Law Journal. 2020;43(3).
3. Arner DW, Barberis JN, Buckley RP. The emergence of RegTech 2.0: From know your customer to know your data. 2016.
4. Micheler E, Whaley A. Regulatory technology: replacing law with computer code. European Business Organization Law Review. 2020;21(2):349–77.
5. Bamberger KA. Technologies of compliance: Risk and regulation in a digital age. Tex L Rev. 2009;88:669.