Embracing technology and innovation in compliance and risk management

Are we truly becoming more knowledgeable to new and emerging risks?

Organisations are collecting more data – the foundation of any decision making — because of improving technologies, changing business needs, to satisfy regulatory requirements and to enhance risk management capabilities in our institutions.

According to Damien Pang executive director (data and technology architecture) and deputy chief fintech officer at Monetary Authority of Singapore, there has been  great leaps in the policy and risk fronts. But organisations “have not paid as much attention to the plumbing in this information age – the infrastructure and enablers that allow us to function efficiently and identify new fault lines that we may need to plug”.

Examples of this includes:

  • Many firms still have in place proprietary IT systems that are more than a decade old.
  • These systems do not communicate with other systems. Neither are they designed for the age of big data, AI and cloud computing.
  • The limitations of these systems are now apparent and hindering progress in adopting innovative solutions in all domains.
  • The pandemic has also brought existing and new shortcomings to the forefront.

Pang notes there are two specific domains – risk management and regulatory compliance:

  • Regulatory Technology, or RegTech for short, has entered into the financial industry’s lexicon in recent years.
  • RegTech is generally defined as the use of technology to enhance risk management, compliance and regulatory reporting by financial institutions.
  • MAS is a strong advocate when it comes to the use of technology in financial firms.

In April this year (2021), MAS launched the RegTech grant, a S$12 million grant to support financial institutions to develop capabilities towards risk management or regulatory compliance.

  • The reasons were obvious and remain so – Depending solely on manual processes, siloed teams and outdated systems would be detriment to the institution in the medium to long term.
  • In the first six months of the grant, It has allocated close to 10 per cent of the amount to relevant RegTech projects.

Administering the grant has given us significant insights into the use of RegTech in the industry and we continue to learn.

  • Based on these insights, allow me to share four perspectives on how MAS can embrace technology and innovation in compliance and risk management, targeted at RegTech firms but with equally important lessons for institutions.

Embrace Limitations.

During the development and testing phase of a product, many assumptions are often made. There is nothing inherently wrong with these assumptions. The problem arises when these assumptions get hardwired into the DNA of the product. This means that the product is unable to function should these assumptions not manifest in real life. And the likelihood of this happening is much higher than either reported or spoken about, said Pang.

Take the foundation of any tool – Data.

Often, much assumptions are made about data availability, data structures, data stores, etc. The reality is that financial institutions are only starting to develop and implement their data strategies. This comes with real implications because much time will be spent dealing with legacy systems, API-less datasets, old data file structures. Many tools either fail or only achieve limited success at best in these environments if they cannot adapt to these limitations.

“The key lesson here – Don’t relegate limitations to an afterthought; Consider these limitations early in the product lifecycle,” he said.

The absolute need to support customisation.

In the regulatory sphere, there must be an absolute expectation that the laws, rules and guidance from regulators are customised to each jurisdiction’s requirements. So while the foundation may be Basel Principles, CPMI/ISOCO Standards, FSB guidance, IMF requirements or FATF rules, as product developers, you will quickly learn that each jurisdiction charts its own path, building on these baselines and deviating significantly when it must. And this is where most RegTech products suffer significantly. The development sprints of the tool are often designed to operate in a one-size-fits-all environment, hardly a replication of the real, complex world.

“I cannot stress this point enough, given the feedback we hear from the industry,” said Pang. “Products languish in Pilots or products are unfairly criticised or in extreme cases, products are given cursory consideration and dismissed almost immediately because they lack the ability to fit the market for which they are supposed to be deployed in.”

Complexity is your biggest enemy.

There was a tool that Pang had come across that pride itself in the level of sophistication that I have not seen, such that it did not seem to be grounded in rules nor known AI algorithms. Instead, all that was needed was for large amount of data to be fed into the product for it to ‘self-learn’ the heuristics of the dataset. When the training was completed, it was able to proceed to detect anomalous data points.  It was a fascinating demonstration of the technological capabilities and reflected an absolute mastery of complex mathematical techniques. However, this tool did not do too well, when tested for various regtech use cases, including transaction monitoring, and credit scoring.

“Simply put – It was too complex for it to inspire confidence,” said Pang. “A Money Laundering Review Officer (“MLRO”) is unable to ascertain the reasons why the tool has flagged a transaction if no other information is present. Similarly, a staff will likely remain unconvinced that a recipient is a poor candidate for a loan without any additional information beyond a simple red flag.”

This example is just one of the many that we have heard about – tools that are presented with such complex features that firms are reluctant to consider them for everyday use.

“We must remember that regulation today is significantly rules-based. Hence a tool that can efficiently synthesize the rules and establish the requisite outcomes will likely be held in higher regard that a one that spit out red flags with nothing more,” noted Pang,

“This is not to say that products should not bear features of machine learning or artificial intelligence. However, if this is the sole characteristic that defines your product, it will likely not generate the buzz that you had envisaged to replace existing methods.

In short, make sure your product is a solution to today’s working style as well as the challenges of tomorrow. And most importantly keep it simple.”

Don’t leave out the experts.

Pang elaborates using a parallel example. In a recent article in the MIT Technology Review, the headline reads “Pandemic tech left out public health experts. Here’s why that needs to change”.

“The article speaks about how various sophisticated technological tools were developed to alert individuals about potential exposure etc. However, much of this development work was devoid of inputs from the very individuals whose inputs are sorely needed – healthcare professionals,” he said. “Consequently, these tools were riddled with complaints and struggled with poor interest.”

Shifting gears back to RegTech, the same advice remains sage, but sometimes forgotten.

“We focus so much on the marvels of technology and its potential, forgetting that it is but a means to achieve something much more foundational, in this case, regulatory compliance,” he said. “To succeed in the RegTech space, you need deep domain expertise. The individuals using your product are not going to be technologists. Instead, they are going to possess deep domain knowledge and will evaluate your product on those terms.”


Leave a Comment

Related posts