Skip to main content

end-to-end compliance

9 Common RegTech Questions, Answered

By Blog

As a young industry, RegTech often gives rise to a host of questions — everything from “what is it?” to “how does it work?” to “how will it affect me?” We’ve collected a handful of the more common ones and answered them below.

Have a question that’s not on our list? Drop us a line at and we will be happy to help answer it!

What does RegTech mean?

RegTech (Regulatory Technology) is the application of emerging technology to improve the way businesses manage regulatory compliance. 

RegTech companies can be established GRC (Governance, Risk, and Compliance) platforms, startup companies, and everything in between. They are united by their use of new, groundbreaking technology in the service of solving the problems of regulatory compliance.

As an industry, RegTech has emerged over the last few years to address the rising tide of regulation and its growing complexity. To learn more about the history and future of RegTech, check out our comprehensive guide, “What is RegTech?”

READ MORE: What is RegTech?


What are the benefits of RegTech?

For financial services, the benefits of RegTech are substantial:

  • Efficiency gains — As regulation continues to grow, it becomes nearly impossible for compliance personnel to keep up without the aid of technology. Technology, capable of processing a high volume of data at incredible speeds, can quickly parse and analyze raw legal text and extract valuable insights. 
  • Greater accuracy and comprehensiveness — Manual, siloed processes tend to create gaps in the compliance operation, leading to human error and increased exposure. Implementing the right technology (and integrating those technologies thoughtfully where necessary) shores up gaps and creates a streamlined compliance process.
  • Greater internal alignment — Technology tools enable greater transparency throughout the business, connecting once siloed people and processes. The result is better insights between business units that can be shared faster, which also leads to a stronger culture of compliance.
  • Improved risk management — Many RegTech tools help protect against various types of risk, including market abuse, cyber attacks, and fraud, by monitoring systems and alerting personnel to suspicious activity.

READ MORE: How Ascent customers reduce risk, slash costs, and save time


What is end-to-end compliance and how does RegTech fit in?

End-to-end (E2E) compliance is a fully traceable process that connects external regulatory events to a business’ specific obligations, then all the way through to that business’ internal controls, policies, and procedures. In an ideal world, E2E compliance leverages automation and other technologies to create a complete functional system of compliance. To achieve E2E compliance, different RegTech solutions can be used together (often referred to as a ‘compliance technology stack’) to create a seamless process that automates rote work, connects once-disjointed processes, and supports a robust compliance framework.

With a properly implemented E2E system, businesses could 1) be alerted to relevant new rules or changes to existing rules, 2) be directed to the exact parts of their internal controls or P&Ps that are impacted so team members can make the appropriate changes, 3) manage their obligations digitally including assigning work and tracking progress against deadlines, 4) easily produce records of their compliance activities, and 5) generate useful reporting dashboards. 

Again, due to the complexity and nuance of regulatory compliance, one-size-fits-all solution. Rather, compliance leaders should take a modular approach to building a technology stack that meets the firm’s unique circumstances and objectives.

What kind of tech stack should I consider for my compliance framework?

Compliance and Risk professionals are responsible for not only determining what their firms’ regulatory framework is, but also how to maintain it once it’s set. Thankfully, there are a number of solutions within the RegTech universe that support this effort and can be combined into a comprehensive, end-to-end tech stack. The key is to know which ones to bring into your tech stack in the first place, so here are a few types of solutions to consider:.

Regulatory content tools are situated at the beginning of the compliance process. They typically take the form of a content library, feed, or resource center. Content tools consolidate documents published by regulators into one platform (including the laws, enforcement actions, guidance, rule updates, and more), making research and horizon scanning more efficient. Leaders in this space include Thomson Reuters Regulatory Intelligence, LexisNexis and Reg-Room.

Regulatory knowledge automation is technology that bridges the gap between the raw data of regulatory content and actionable insight. Market leader Ascent, for example, generates the regulatory obligations that pertain to your specific firm based on key factors like what type of financial entity you are, what services/products you offer, and where you operate. Ascent then automatically updates your obligations as rules change. This targeted regulatory knowledge allows compliance personnel to know exactly what the firm must comply with at all times, without the manual effort. 

GRC (governance, risk and compliance) platforms help operationalize compliance and often house all of a firm’s regulatory information, including obligations, controls, policies and procedures. Workflow capabilities allow users to track and manage their compliance efforts. Leaders in the space include LogicGate, MetricStream, IBM OpenPages, and RSA Archer to name a few. 

Point solutions cover a wide swath of RegTechs, helping firms execute compliance in a compliant way or assess compliance with an obligation or control. These could include (but are not limited to) trade monitoring, portfolio risk, know-your-customer, anti-money laundering, operations risk management, and cybersecurity tools. Point solutions are more limited in scope than regulatory knowledge automation or GRC solutions, but when they meet the right need they can provide substantial value.

READ MORE: The first (and most difficult) step in setting a regulatory compliance framework


What technologies do RegTech solutions use?

RegTech providers leverage a wide variety of emerging technologies. Here are a few of the most common:

  • Machine learning (ML) is the application of algorithms that improve automatically through experience. Rather than being specifically programmed to complete a task, ML models are fed large amounts of data, which they use to learn and improve on their own. In regulatory compliance, ML models can process large amounts of regulatory data and gradually draw conclusions about that data, becoming more and more accurate over time.
  • Natural language processing (NLP) is the field of using computers to process and analyze human language. In compliance, NLP can parse the unstructured raw text of regulation and reorganize it or otherwise transform it so that people can retrieve meaningful insights. 
  • Blockchain is a digital record of transactions, most often associated with cryptocurrencies. Blockchain has many other purposes however, such as enabling the secure sharing of know-your-customer data within or between organizations for compliance purposes.
  • Robotic process automation (RPA) allows users to configure metaphorical “robots” or “digital workers” to replicate the actions of a human in a digital environment in order to complete a business process. RPA tools can automate laborious manual processes, like the production of hundreds of disclosures that asset management firms are required to generate throughout the year.

READ MORE: RegulationAI™: World-Class Technology Built for Compliance


What’s the difference between RegTech, FinTech, and SupTech?

RegTech leverages emerging technology to create tools focused on solving the challenges of regulatory compliance. While the majority of existing RegTech solutions are currently focused on the world of financial regulation, RegTech could also be leveraged for other regulated industries — for example, healthcare.

FinTech, short for financial technology, is the application of technology to solve problems or create new value in financial services. Examples include crowdsourcing platforms, mobile payments, cryptocurrency, robo-advisors, budgeting apps, or the use of open banking APIs. Recently, digital banks that operate purely online with no physical locations are also being referred to as FinTechs. 

SupTech, short for supervisory technology, is the application of emerging technology to improve how regulators conduct supervision. Just as RegTech leverages technology for regulated companies, SupTech leverages technology for the regulators.

READ MORE: What is SupTech and how will it change compliance?


Can RegTech help me with specific regulation like GDPR?

The rise of data privacy legislation like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) have added necessary protections for consumers but have increased financial institutions’ already significant regulatory burden in the process. Depending on what you are trying to achieve with specific regulation like GDPR, RegTech offers various solutions. 

There are many point solutions that help firms execute GDPR-compliant behavior. For example, UserCentrics helps firms obtain customer data in a transparent way. Syrenis provides one central platform to manage personal data, legal basis for obtaining that data, consent, and marketing practices. GDPR365 is a compliance assessor that offers guidance on what security weaknesses need to be fixed.

To understand what your organization’s obligations are under GDPR (or any other regulation), look to regulatory knowledge tools like Ascent. Ascent’s AI-driven technology pinpoints the GDPR obligations that your firm must comply with, then updates them automatically if the rules change.

READ MORE: How a Global Top 50 Bank Secured Its GDPR Obligations Using Ascent


How can I use RegTech to help my firm ease compliance burdens?

There are many use cases for RegTech, but here are some of the most common:

  • Horizon Scanning — monitoring regulatory developments including rule updates, guidance, and any other communications from regulators to better understand potential threats and opportunities.
  • Identifying Obligations and Changes — conducting regulatory analysis (also referred to as regulatory mapping) to understand which obligations or requirements your business must comply with. These obligations must then be routinely updated as rules change.
  • Compliance Management — managing your daily compliance activities and aligning them with the broader framework of regulatory strategy and process.

Finding a solution for these use cases can be challenging since the RegTech space is vast and each solution facilitates a different part of the compliance process. Breaking the RegTech landscape into these four categories makes it easier: 1) Regulatory content tools, 2) Regulatory knowledge automation, 3) GRC platforms, and 4) Point solutions.

For the examples above, the solutions for each use case vary:

  • Solution for Horizon Scanning: A regulatory content provider such as Thomson Reuters Regulatory Intelligence helps save time with horizon scanning and research.
  • Solution for Regulatory Obligations: A regulatory knowledge provider such as Ascent identifies your obligations and keeps them updated as rules change. This targeted regulatory knowledge can also be used to understand downstream impact. For example, a rule change identified by Ascent can be used to trigger alerts or workflows related to that rule in your GRC or other compliance management platform. 
  • Solution for Compliance Management: A GRC or other compliance management system such as LogicGate or IBM OpenPages allows you to house and project manage your compliance activities, including assigning tasks, tracking progress against deadlines, and managing any internal documentation such as your controls, policies and procedures. Ascent’s granular obligations can be seamlessly fed into these systems so your regulatory data and activities are monitored, tracked, and managed all in one place.

If you are looking to accomplish all of these use cases, it is likely that your compliance operation requires multiple solutions, combined to create a full-scale compliance technology stack.

What questions should I ask a RegTech vendor that leverages “AI”?

What kinds of AI technologies do you use, and why?

First, brush up on machine learning and natural language processing basics so you can follow the vendor’s response. You do not need to be an AI expert; a good vendor will be able to explain their process in a way that any business leader can understand. What’s important is that you get a clear picture of how the specific technologies and approaches used create business value for you. Is the vendor using “AI” as a flashy marketing term, or is it actually integral to the solution?

Where are you getting the data that is training your algorithms?

Good AI tools require significant amounts of quality data – as they say, ‘bad in equals bad out.’ The vendor should be able to explain how they are ingesting regulatory text (did they build an ingestion or scraping tool, or are they white-labeing another product?), from where (the best case scenario is that the vendor is pulling straight from official regulatory websites), and at what frequency (this should be reasonably frequent so you know you have the most up-to-date information at any given time). The vendor should also be able to explain the quality-assurance process that ensures all intended data points are properly captured. 

Are there humans involved in the training of your algorithms, and to what degree?

In many industries, the notion of humans-in-the-loop (meaning the technology is not 100% machine-driven; humans are still involved in some part of the process) is considered a negative sign because it means “that the tool isn’t really AI.” The compliance industry, however, is unusual in that a humans-in-the-loop process is considered a positive. Why? Because the world of regulatory compliance is so nuanced and complex, that AI solutions are far better when trained and QA-ed by human experts in regulation and law. This does not mean that all AI-driven RegTechs require humans-in-the-loop to be great tools, but the vendor should be able to explain why they do or do not involve people in the process.

Who is held liable if your solution fails?

This question is as important for you as it is for the vendor. Because this issue exists in a legal gray area, you must carefully weigh the risk of implementing any new solution (AI or not). A good AI vendor will understand why this is a concern, and should show evidence of a strong model risk management framework, rigorous internal controls, and most importantly be completely transparent about what the solution can and cannot do. If it sounds too good to be true, it probably is. 

*Ascent offers a performance guarantee for its AI solution that is backed by an insurance cover from Munich Re Group. Read the case study to learn more.

We recommend checking out these articles to continue learning about RegTech and how it can be applied throughout the compliance process:

Want to receive more articles like these? Subscribe to receive helpful content designed to help you win at compliance.

What makes a good RegTech partner: fit and scalability

By Blog

Finding the right RegTech partner can be difficult. So we sat down with an industry expert to get his take on how he evaluates vendors.

As an expert in regulatory change management, Vincent Schultinge has seen the evolution and impact of regulation on financial firms firsthand. So, naturally, he has also been drawn to the niche industry that emerged to try to solve these RCM challenges—RegTech. 

Now, in his current role as a senior RegTech consultant at ING, he is responsible for defining, developing and implementing RegTech innovation throughout the ING organization. During his sit-down with Ascent, Vincent shares:

  • His perspective on what makes a good RegTech partner
  • What methodology ING follows when looking to implement a RegTech partner
  • How making machine readable regulation will open doors for the future of RegTech

Editor’s note: This interview has been lightly edited for clarity.

Using RegTech Maturity as an Evaluation Benchmark

To Vincent, managing regulation is a task that’s too fluid and too risky to put into the hands of new-to-the-market solutions. Here’s how he considers the maturity of RegTech.

When assessing a RegTech provider, you want to make sure it fits your business’s demands. I have a firm belief that we should strive for market standard solutions. Therefore I look to see whether a RegTech has the potential to become a market standard for their solution or offering. Once we have measurable results from a Proof of Concept (PoC), then we can decide if a RegTech is suitable for our purpose or not.

The way we assess RegTechs differs from the way we look at other vendors. Due to constant regulatory oversight as a bank, we have less freedom to experiment. For many business cases we will look for parties that are more mature and that have, for example, delivered the equivalent product to our peers or are engaging in sandboxes with regulators.


Being Able to Audit RegTech’s Black Box

Vincent believes that “auditability” is a key factor that firms should also consider when determining whether or not to work with a RegTech provider.

Providers should always be able to explain and demonstrate how their machine learning works. For risk and compliance teams, auditability of machine learning is absolutely key. If you can’t audit a technology solution properly, especially a machine learning solution, it becomes Pandora’s box. Not to mention that regulators won’t accept anything less than full transparency.


Aligning Around a RegTech Provider

At ING, Vincent’s team relies on what they call “PACE” methodology when considering what RegTech solution to implement.

Whatever methodology you are using to implement RegTech, you have to be consistent, thorough, and constantly verify that you are doing the right thing. 

At ING, we use our in-house PACE methodology for the delivery of innovation. This applies to our delivery of RegTech as well. With PACE, we combine Design Thinking, Lean Startup and Agile Scrum into a single process. PACE consists of five stages being: discover, problem fit, solution fit, market fit and scaling. 

For us this works really well and we gained a lot of traction with this in the organization. On top of PACE methodology at the whole of ING we practice an agile way of working. This helps accelerate the way we set up PoCs as well as other partnerships. 


Unlocking the Value of RegTech

For RegTech to truly be effective, Vincent has learned that it’s important to first have a culture of innovation prior to implementing a solution.

It is essential that you have business owners with the right mandate and budget who are convinced by the usage of technology. Business and innovation teams have to be able to establish the demand and create strong use cases for the application of RegTech. Teams should collaborate in such a way that the business demand and the premise of the solutions are a true match. This will help with validating and demonstrating the benefit of using certain RegTech solutions along the way. Regardless of the size of the firm, you need the right innovative culture and the right appetite from business owners; otherwise, it just won’t work.


Using RegTech to Manage Pandemic Woes

According to Vincent, the pandemic has only amplified the need for RegTech.

Regulatory changes keep coming, especially considering that people are working remote and are having to align virtually due to the pandemic. Regulators demand that banks remain in control. So, firms need to be able to monitor upcoming changes in the regulatory landscape by scanning the regulatory horizon as well as assessing obligations and potential risks. This is where having proper tooling in place for horizon scanning and risk assessment will definitely help firms to maintain control in these difficult times.


Pioneering the Next Frontier of RegTech

What’s next for RegTech? Vincent believes that making regulation machine readable will open incredible opportunities for financial firms to unlock the true potential of RegTech.

In order for RegTech to play an even bigger role in the industry, we first need to look into a few things— machine readable regulations, data and format standardization, and global harmonization of regulations. If regulations, updates and guidelines become machine readable and ingestible globally, it will become easier for firms to demonstrate compliance and adhere to rules and guidelines more efficiently. It will open a whole range of possibilities for the adoption of RegTech within financial institutions.

The same applies to data and format standardization. If we can agree on common data and format standards, adherence to regulations becomes more efficient. With the financial system being a truly global system nowadays, it allows institutions to act across jurisdictions in a safer and more compliant manner. Together, with harmonizing regulations globally, this could translate into a much broader usage of RegTech within the financial system. This end goal is something that I believe will contribute to the overall safety and stability within the financial industry.

ING is a global bank that aims to empower people to stay a step ahead in life and in business. Visit ING’s website. 

For more content like this, subscribe to our email updates.


A former regulator’s take on AI, Big Tech, and RCM

A former regulator’s take on AI, Big Tech, and RCM

By Blog

Rick Bonhof. Managing Consultant, SynechronWe recently sat down with Rick Bonhof, a managing consultant who leads the Amsterdam regulatory change and compliance practice within the business consulting arm of Synechron—a leading digital transformation consulting firm that accelerates digital initiatives for banks, asset managers, and insurance companies around the world.

In his role, Bonhof oversees a team of experts who help clients build the regulatory framework that enables compliance. As an advisor for the digital-first firm, Bonhof is hyperfocused on making compliance more efficient through the use of technology, leveraging emerging tech such as machine learning and existing systems such as GRCs.

Prior to Synechron, Bonhof served as a supervision officer for Dutch regulator Autoriteit Financiële Markten (AFM) at the height of the 2008 financial crisis. After spending seven years crafting and executing supervisory strategy for AFM, he decided to redirect his work from supervising firms to actually helping them become compliant with regulation. And so, after witnessing how Synechron helped a number of financial institutions get back on track with EMIR (the EU equivalent of Dodd Frank in the US), Bonhof transitioned to the firm.

During our sit-down, Bonhof shared his blended supervisory-consultative perspective on a variety of topics—from the role of regulatory change management during the COVID-19 pandemic to how Big Tech will shape the future of financial services.

Editor’s note: This interview has been lightly edited for clarity.

Setting the Record Straight on Regulators

Touching on his experience as a former regulator, Bonhof kicked off our conversation by sharing what he wished compliance professionals knew about regulators, and what he wished he had known as a regulator. 

When I made the switch from regulator to consultant, I realized that a lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you. What I think compliance professionals sometimes forget is that if you’re able to explain to regulators why you made certain decisions and how you implemented certain requirements, they’ll listen to you.

“A lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you.”

My advice to compliance professionals is to document their interpretation of the rule and why they applied the rule in a certain way according to their interpretation, so they have all of the information they need when it comes time to talk to regulators.

On the flip side, what I wish I had known as a regulator was, no matter how simple a request for information may seem on paper, it doesn’t actually mean that there’s a clearcut way to gather requested information or to implement a new rule. Many financial institutions do not start out as multinational global-spending institutions—they grow through mergers, acquisitions, and restructuring.

So there’s a whole collection of teams that suddenly need to contribute to this “one simple request,” making it not so simple after all.

Managing Regulatory Change in the Time of COVID 

Bonhof has long emphasized the importance of having a well-documented regulatory change management (RCM) strategy, especially when it comes to major events such as financial crises, election years and of course — the COVID-19 pandemic.

When it comes to regulatory change management, my mantra has been “take control, be in control, and demonstrate control.” 

“Take control” is about understanding what your obligations are, understanding the impact of them, and then implementing and enforcing a compliant process.

“Be in control” is about understanding where your firm is in terms of compliance with the requirements, and revisiting both its requirements and compliance processes frequently. You should not only be control testing your processes to understand whether your firm is compliant with existing rules, but also monitoring whether there’s a change coming that could impact compliance with those rules. And, if there is a change on the horizon, then you need to go back to “take control” and proactively act on it.

Lastly, “demonstrate control” is about being able to take the evidence that you have and explain both internally and externally to what extent you comply with those measures.

How to Avoid Dropping the Ball on RCM

In Bonhof’s view, the biggest mistake that firms can make when implementing RCM best practices, is to treat them as a one-time solution. 

Most regulatory change management processes are driven by a regulatory change implementation date. Let’s say that a firm has to comply with X, Y, and Z by January 1, 2021. What I’ve found (and even been guilty of myself) is that many firms focus solely on making that milestone without the end result in mind. So once the firm does reach it, everyone sort of drops the ball and says, “We’re done, we made it.” But that’s the wrong approach because 2021 does not mark the end of implementing that change, it actually marks the start of it. 

What I’ve found (and even been guilty of myself) is that many firms focus solely on making [a] milestone without the end result in mind.

Firms are expected to be compliant with that new rule, and need to have a roadmap that accounts for what comes after that date. Firms often put makeshift technical solutions in place to meet the deadline, but then what happens is the technical solution silently becomes the structural solution. The result is that there’s no roadmap beyond that point to account for new data that needs to be tracked or changed, resulting in an issue of data quality and therefore explainability. 

COVID Response: Swings of the Regulatory Pendulum

To Bonhof, regulatory change management has never been more important as the pandemic response continues to fold. While he and his team have seen the easing of certain regulatory requirements, they have also seen the mounting impact of others.

On the one hand, the regulatory response to the pandemic has been to suspend certain requirements in order to alleviate the burden of regulation. However, at the same time, we’ve also seen an increase in requests for financial firms to implement certain risk measures from regulators such as the European Securities and Markets Authority

For example, we had an “intelligent lockdown” in the Netherlands that prohibited us from going to the shops or the cinema. As a result, this (like other lockdowns across the globe) had a large impact on service providers, as many businesses had outstanding loans with financial institutions and were suddenly not able to make good on those loans. This has led to a tipping of scales with regulators adding more capital reporting requirements, while continuing to suspend or delay implementation of other regulatory requirements. For example, ESMA deferred the final two phases of its bilateral margin requirements to provide additional operational capacity for counterparties to respond to the immediate impact of COVID-19. 

On the Importance of Innovation in IRM

While regulators have been more forgiving during the pandemic, they have also become increasingly more aware of all of the possible gap—bringing the topic of Integrated Risk Management (IRM) to the fore. Here’s Bonhof’s take on IRM.

Integrated Risk Management allows you to identify what risks exist within your firm, define a response to those risks, and then determine whether your firm is within that risk appetite. Ultimately, IRM combines all of those processes and rolls them up into a multi-level process chart where you can prioritize risks and pinpoint which ones are of the highest risk to your firm. 

IRM is such a hot concept right now because regulators are putting more emphasis on it.

As part of Synechron’s FinLabs RegTech accelerator suite, I’ve actually had the opportunity to work on automating parts of IRM. Knowing how effective your controls are is a key part of integrated risk management, so we built an intelligent control testing environment that maps a firm’s individual control statements into a decision tree that automatically runs against a data set to help firms quickly pinpoint whether a control is effective or not. This advancement frees up compliance teams’ valuable resources so they can focus on remediating any deficiencies.

These types of innovation are becoming more important as Integrated Risk Management continues to gain more traction. IRM is such a hot concept right now because regulators are putting more emphasis on it. For example, ESMA recently published a consultation paper that assessed the suitability of the management at financial institutions, which concluded that the highest levels of management (including at the board level) need to understand their firms’ requirements, how they are complying with them, and what the state of the firm’s risk management looks like.  

Clash of the Titans: Big Banking vs. Big Tech

As an innovator in his own right, Bonhof is naturally drawn to industry disruptors. In particular, he has been following the rise of digital banks and believes that it’s only a matter of time until Big Tech enters into the banking industry as well.

The rise in digital banks has served as a catalyst for digital transformation in the industry at large. In order to stay competitive with digital banks, traditional banks have worked to provide digital services to their customers. For customers, having a digital bank account becomes more of a commodity because it opens up a whole ecosystem of additional services around it. 

For digital banks, their competitive advantage is that they’re not burdened by a chain linked system of legacy tools or processes, so they can get it right immediately. Digital banks can be more nimble when it comes to things like digital client onboarding processes and company reporting. On the other hand, it’s difficult for digital banks to achieve the same scale as larger banks. Plus, they’re bound to face the same kind of regulatory requirements as incumbent banks and will need to comply with them, lessening some of their initial competitive edge.

When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

What I’m really curious about is when Big Tech will officially enter into the banking space. Today, we have Apple Pay and Google Pay, but I think that it’s just a matter of time before they’re adding banking services to their offering. At that point the market will change. Digital banks just mark the beginning of the banking industry’s digital transformation. When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

Financial Firms and Regulators to Step Up Their AI Game

With the high likelihood of Big Tech companies entering the market in addition to other innovations in financial services, Bonhof is encouraging the industry to direct its focus toward emerging technologies such as Artificial Intelligence (AI) now, before it’s too late.

I think regulators really need to step up their digital game. They need to understand the tech component that goes into digital banking. AFM just compiled an insightful trend report where they spoke around their fears about Big Tech entering into the financial market. Today, Big Tech is predominantly supervised by privacy watchdogs. But, if Big Tech entered the financial market tomorrow, financial market regulators would not always be allowed to share information with those supervisory agencies, so that would make supervision really difficult. 

Regulators are just now issuing responses around the use of AI, which center around the concepts of explainability and trustworthiness. Together, they are two sides of the same coin because they help explain the decisions that come out of algorithms and apply fair principles that limit their biases. However, I still think that we have a ways to go and that regulation around the use of AI will only continue to increase in the future as the digital market matures.

The Role of AI in Regulatory Compliance

According to Bonhof, the role of AI is not just limited to the mechanics of digital banking. It applies to regulatory compliance too.

We recognize that regulators are starting to provide guidelines around AI, so we are changing the way that we advise our clients about AI. AI was once the new and exciting thing to talk about. Now it’s the means to an end. We’re looking at where AI models can help firms improve explainability in their compliance processes. 

AI was once the new and exciting thing to talk about. Now it’s the means to an end.

Using robotics (or AI) helps automate certain regulatory compliance processes such as horizon scanning, and makes the outcomes of those processes more predictable and reliable. AI allows teams to focus less time doing the monotonous work of running these processes and more time on investigating outliers. Instead, the “robot” leads the processes and identifies areas where there are inconsistencies that require the review of compliance experts.

On Implementing RegTech: Final Advice

So, what’s Bonhof’s advice to firms that are looking to implement new technologies in their compliance programs? “Be really clear about what you want to achieve in your compliance program and therefore what you want the technology to achieve.”

First, you need to understand where you are and where you want to go. For instance, if your firm was just fined by a regulator, then you’ll likely need to find a solution that can help you become more compliant. On the other hand, if your organization is in a good place but needs to become more efficient, then it’s likely you’ll need a different tech stack than the firm that was recently fined. When you understand what you want to achieve by adding technology, then you can better pinpoint the right type of technology solution for your compliance program.


If you’d like to learn more about Synechron, visit their website. To learn more about Rick Bonhof, connect with him on LinkedIn

If you’d like to contact an Ascent team member, you can do so here. Stay tuned for our next interview from the lines of defense. All interviews will be featured in our monthly Cliff Notes newsletter, which you can subscribe to below.

Subscribe to Cliff Notes

How an Integrated Risk Management (IRM) approach can transform your organization

By Blog

Today there are more risk drivers that span across more areas of business, making it harder to monitor, manage, and mitigate risk than ever before. Yet much of the financial services industry is continuing to approach risk in the same way it always has—through two distinct silos of compliance and risk. However, the onset of the COVID-19 pandemic has exposed the cracks in these traditional approaches, and raised the need for a more comprehensive approach called Integrated Risk Management (IRM).

“The response to the coronavirus pandemic is a perfect example of when the [three lines of defense] and traditional risk governance don’t work very well. Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.” — Malcolm Murray, VP, Gartner Audit & Risk practice.

In this article, we cover:

An Overview of IRM and How It’s Different From Other Approaches

There are many factors that drive the overwhelming pace of change across financial firms’ risk profiles. These factors include:

  • The sweeping adoption of digital tools to meet consumer needs, which requires a reliance on external-facing third-party vendors.
  • The adoption of third-party vendors to manage behind-the-scenes complexities; often these new technologies and integrations must access consumer data collected by the firm, or they themselves collect more consumer data—a reality that leads to more subsequent risk.
  • Business expansion into other markets across the nation and around the globe, adding liability as both the number of consumers to protect and the number of regulators to adhere to multiply.
  • The reality of regulatory complexities, which is increasing on both a national and global scale.

How firms monitor, manage, and mitigate the risk associated with these factors depends on their risk and compliance philosophy. Here are two approaches that firms often take and how they compare to an IRM strategy.

Governance, Risk, and Compliance (GRC)

To understand IRM, it’s important to also understand how it came to be. In 2002, a series of financial scandals led to the passage of Sarbanes Oxley (SOX), a federal law that created a set of rules for accountants, auditors, and corporate officers, and imposed more stringent recordkeeping requirements on financial firms especially. As a result, the industry developed the discipline of “governance, risk, and compliance” (GRC) to keep up with and manage these SOX requirements.

Over time, the role of innovation began to play a more prominent role within the governance, risk, and compliance discipline to both align IT with business objectives, and effectively manage risk and meet compliance requirements. This ultimately led to the creation of GRC-focused technology designed to help companies achieve these goals.

As time has passed, the GRC acronym has become synonymous with the GRC technology itself, which has led to the framework of the GRC discipline being conflated with the technology that powers it. But the framework that connects governance, risk, and compliance is an essential part of monitoring, managing, and mitigating risk effectively.

A conventional GRC framework is typically carried out by the three lines of defense, which are each responsible for a different aspect of overall risk management:

  • 1st line of defense: Line management should act as the first line of defense, identifying risks and implementing controls.
  • 2nd line of defense: Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes.
  • 3rd line of defense: Internal audit should act as a third line, taking a birds’ eye view of the effectiveness of controls and risk management.

(Source: Gartner)

While the three lines of defense model is important, it can also make reacting to new risks difficult because it is more meticulous and is often disjointed from the rest of the organization, including at the executive and board level.

Enterprise Risk Management (ERM)

As SOX compliance auditing and the GRC framework were taking shape, the role of enterprise risk was evolving as well. Risk mitigation was historically covered by purchasing insurance—such as property insurance, liability insurance, and malpractice insurance—to deal with literal events like natural disasters and theft, as well as lawsuits and claims relating to damage, loss, or injury. However, as more drivers of risk began to surface for firms, risk professionals expanded their purview to include risks associated with technology (particularly technological failures), company supply chains, and business expansion.

In response to this expanded risk profile, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the concept of Enterprise Risk Management (ERM) to spot risks and map them throughout a traditional company structure. ERM typically involves the highest levels within an organization, including executive and board-level decision makers, as it is intended to connect all of the departments across the organization.

While ERM is meant to help organizations proactively manage and mitigate company-wide risks, it does not oversee the management and implementation of the measures necessary to prevent and mitigate risk, especially in relation to regulatory compliance.

Integrated Risk Management (IRM)

In 2016, Gartner revisited the concepts of GRC and ERM and determined that each, while critical, didn’t fully connect all of the dots from a risk and compliance perspective. So, Gartner created a renewed framework that addressed both the high-level strategy of managing risk, as well as the hands-on work of making these strategies possible. And so Integrated Risk Management was born.

The numbers speak for themselves:

  • 57 percent of senior-level executives rank “risk and compliance” as one of the top two risk categories they felt least prepared to address.
  • 87 percent of organizations see tech risk management as a siloed, reactive process rather than an organization-wide function for proactive risk management.
  • Only 4 percent of organizations feel that their third-party risk management tools fully integrate and capture overall risk for reporting purposes.

IRM helps organizations address all of these concerns. It is an umbrella approach that bridges ERM and GRC—both relying on ERM strategy to identify risk drivers, and the framework of GRC to implement the actual work of compliance. Through this connection, IRM creates a comprehensive view that:

  • Exposes any risk management gaps that exist due to silos
  • Proactively monitors, tracks, and implements compliance measures across all of the areas identified by the company’s executive-led ERM strategy

In turn, this enables companies to be more agile in their response to unforeseen circumstances, as IRM is both a top-down and bottom-up approach that includes executive and board-level leadership and the teams that do the actual work.

“Rather than putting compliance first, integrated risk management enables an organization to manage its unique set of risks that face its organization specifically and in turn meet compliance requirements as a part of that mission.” CyberSaint Security

The Six Practice Areas of IRM

Gartner defines IRM through six practice areas:

six practice areas of integrated risk management

1.  Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership

2. Assessment: Identification, evaluation and prioritization of risks

3. Response: Identification and implementation of mechanisms to mitigate risk

4. Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response

5. Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls

6. Technology: Design and implementation of an IRM solution (IRMS) architecture

Ultimately, IRM oversees, prepares for, and mitigates all of the aspects that make up a company’s dynamic risk profile, such as physical, technological, data-oriented, and regulatory risk. According to LogicGate, an agile GRC cloud solution and Ascent integration partner:

“Integrated Risk Management gives business leaders a clear picture of all their risks. With their newfound understanding of the enterprise’s dynamic risk profile, they can make better decisions at the enterprise level about which risks to mitigate and which to accept or transfer. By integrating risk areas and recognizing interdependencies, executives can ask more strategic questions about how risk is one part of the business impacts other parts of the business.”

LEARN MORE: Ascent GRC Integrations


The First Steps in Implementing an IRM Strategy

The first steps in building an IRM strategy focuses on two of the six practice areas (Strategy & Assess):

1. Outline your company goals and strategy

2. Determine which stakeholders ladder up to those areas of business

3. Identify the key risk drivers from those areas of business, including those associated with regulatory compliance

To identify the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use the most granular regulatory data in the industry to help risk and compliance teams pinpoint and map their regulatory requirements / obligations throughout their organizations. This is especially important when trying to set a regulatory compliance framework for the first time or address any gaps within a firm’s existing regulatory compliance framework.

Our AI-driven technology called RegulationAI takes this process one step further, by keeping firms’ obligations updated so they never miss a regulatory change that could expose them to additional risk. These dynamic granular obligations are even more powerful when they’re seamlessly tied into GRC platforms, such as LogicGate and IBM OpenPages—a capability that Ascent has built through its API integrations.

To learn more about Ascent’s API integrations, contact us directly.

End-to-End Compliance is Closer Than You Think: How Businesses Can Get a Practical Head Start

By Blog

As advances in technology give rise to new ways of approaching age-old problems, a new term has begun to surface, one that will no doubt dominate the global dialogue around compliance in very short time: End-to-End Compliance.

Up until very recently, the only possible compliance process was by its nature a fragmented one. Typically, it’s myriad steps, activities, and tasks are handled across disparate systems and are further complicated by the fact that compliance work travels through several departments and lines of business.

There have been a few attempts at partial automation to help unify these efforts, including widespread use of Excel spreadsheets, GRCs, and various point solutions. Even with these tools in place, however, businesses have fallen prey to the gaps inherent in such a disjointed environment, negatively impacting their ability to keep up with regulatory events, implement policy internally, and provide clear evidence of compliance to auditors. 

As advances in technology give rise to new ways of approaching age-old problems, a new term has begun to surface, one that will no doubt dominate the global dialogue around compliance in very short time: End-to-End (E2E) Compliance. 

Due to its relative newness, the term is often met with mixed emotions — excitement, but also skepticism and confusion over what exactly constitutes E2E Compliance and how it can be achieved practically.

Defining E2E Compliance

At its core, E2E simply describes a process that takes a service from beginning to end, delivering a complete functional system. 

E2E Compliance is a fully traceable process that connects external regulatory events to a business’ specific obligations, then all the way through to that business’ internal controls, policies, and procedures. 

This process, which can only be achieved through automation, covers both existing regulations and new rules or changes, thereby integrating horizon scanning and change management into the overall flow. 

In an ideal E2E system, businesses could 1) be alerted to relevant new rules or changes to existing rules, 2) be directed to the exact parts of their internal controls or P&Ps that are impacted so team members can make the appropriate changes, 3) manage their obligations digitally, 4) easily produce records of their compliance activities, and 5) generate useful reporting dashboards. 

E2E as a Pathway to Better Business 

A study of other industries provides us with much encouragement about the achievability of E2E.

E2E unlocks a number of exciting opportunities. Automating the bulk of the manual tasks that plague the process, like scouring the web for regulatory changes and connecting them to internal policies, will save significant time and reduce the risk of errors that could lead to undesired consequences including fines, suspensions, reputational damage. Alerts help drive action that will allow companies to stay ahead of regulation. Automated audit trails and reporting capabilities bring much-needed relief to regulatory examinations. Overall, there are more ways to knit the process together than ever before without requiring so much laborious, manual work to see results.

A study of other industries provides us with much encouragement about the achievability of E2E. Marketing was one of, if not the first, industries to widely adopt automation and AI technologies on a massive scale. Literally thousands of MarTech solutions are available today that help businesses compile a 360 degree view of their customers and to produce and distribute hyper-targeted marketing messages based on demography, geography, behavior, intent, and a whole slew of other markers that would be impossible to tap into without some form of automation. 

The shipping and logistics industry has also made incredible advancements due in no small part to innovation powerhouses like Amazon. An E2E shipping and logistics process today combines multiple, integrated solutions to track and manage inventory, storage, and distribution, giving the business complete visibility into every minute detail, down to whether one of their trucks turns right or left — or more importantly, whether that truck should turn right or left depending on traffic patterns and delivery schedules.

As industries like marketing and shipping have been transformed by E2E, so will it be for compliance. The only question that remains is not necessarily of when, but of how. 

A Practical Approach

That a variety of solutions are available is an advantage as it allows firms to build a fully integrated technology stack that is unique and optimal for their specific business. 

The most common misconception that financial firms have about E2E Compliance is that it can be accomplished with one vendor. While an attractive vision, it’s one that is simply unattainable (at least in the foreseeable future) considering the massive complexity and scope of regulation.

On its face, this may seem like a disheartening and unwelcome truth, but again we can take cues from industries like marketing and shipping. Both have fully embraced both automation and the concept of E2E and yet no single one-size-fits-all solution dominates either market; quite the contrary in fact. That a variety of solutions are available — and this applies to regulatory technology as well — is an advantage as it allows firms to build a fully integrated technology stack that is unique and optimal for their specific business. 

The first step businesses must take on the pathway to E2E Compliance is to outline their processes and engage with the market to identify which aspects are possible to automate. Firms will find, as we have, that the upfront lift of regulatory research and analysis can certainly be automated, along with a number of other points in the process that RegTechs of all shapes and sizes today are ready to address. 

Ascent can play an integral part in E2E Compliance by providing customers with the ability to automatically identify the obligations and ongoing rule changes that apply to their specific business, then to connect that regulatory knowledge to their other systems via automation. Ascent achieves this on a level of granularity and scale that simply was not possible a decade ago.

As the market leaders in developing Regulation AI — artificial intelligence built uniquely for the regulatory compliance industry — Ascent is forging a new path to help our customers in the financial services industry not only automate and scale their compliance programs, but to make E2E Compliance a reality rather than a vision of a faraway future.

Enjoy this article? Subscribe for fresh thoughts designed to help you stay at the forefront of compliance and technology.