
9 Common RegTech Questions, Answered


As a young industry, RegTech often gives rise to a host of questions — everything from “what is it?” to “how does it work?” to “how will it affect me?” We’ve collected a handful of the more common ones and answered them below.

Have a question that’s not on our list? Drop us a line at marketing@ascentregtech.com and we will be happy to help answer it!

What does RegTech mean?

RegTech (Regulatory Technology) is the application of emerging technology to improve the way businesses manage regulatory compliance. 

RegTech companies can be established GRC (Governance, Risk, and Compliance) platforms, startup companies, and everything in between. They are united by their use of new, groundbreaking technology in the service of solving the problems of regulatory compliance.

As an industry, RegTech has emerged over the last few years to address the rising tide of regulation and its growing complexity. To learn more about the history and future of RegTech, check out our comprehensive guide, “What is RegTech?”


What are the benefits of RegTech?

For financial services, the benefits of RegTech are substantial:

  • Efficiency gains — As regulation continues to grow, it becomes nearly impossible for compliance personnel to keep up without the aid of technology. Technology, capable of processing a high volume of data at incredible speeds, can quickly parse and analyze raw legal text and extract valuable insights. 
  • Greater accuracy and comprehensiveness — Manual, siloed processes tend to create gaps in the compliance operation, leading to human error and increased exposure. Implementing the right technology (and integrating those technologies thoughtfully where necessary) shores up gaps and creates a streamlined compliance process.
  • Greater internal alignment — Technology tools enable greater transparency throughout the business, connecting once siloed people and processes. The result is better insights between business units that can be shared faster, which also leads to a stronger culture of compliance.
  • Improved risk management — Many RegTech tools help protect against various types of risk, including market abuse, cyber attacks, and fraud, by monitoring systems and alerting personnel to suspicious activity.


What is end-to-end compliance and how does RegTech fit in?

End-to-end (E2E) compliance is a fully traceable process that connects external regulatory events to a business’ specific obligations, then all the way through to that business’ internal controls, policies, and procedures. In an ideal world, E2E compliance leverages automation and other technologies to create a complete functional system of compliance. To achieve E2E compliance, different RegTech solutions can be used together (often referred to as a ‘compliance technology stack’) to create a seamless process that automates rote work, connects once-disjointed processes, and supports a robust compliance framework.

With a properly implemented E2E system, businesses could 1) be alerted to relevant new rules or changes to existing rules, 2) be directed to the exact parts of their internal controls or P&Ps that are impacted so team members can make the appropriate changes, 3) manage their obligations digitally including assigning work and tracking progress against deadlines, 4) easily produce records of their compliance activities, and 5) generate useful reporting dashboards. 

Again, due to the complexity and nuance of regulatory compliance, there is no one-size-fits-all solution. Rather, compliance leaders should take a modular approach to building a technology stack that meets the firm’s unique circumstances and objectives.

What kind of tech stack should I consider for my compliance framework?

Compliance and Risk professionals are responsible for not only determining what their firms’ regulatory framework is, but also how to maintain it once it’s set. Thankfully, there are a number of solutions within the RegTech universe that support this effort and can be combined into a comprehensive, end-to-end tech stack. The key is to know which ones to bring into your tech stack in the first place, so here are a few types of solutions to consider:

Regulatory content tools are situated at the beginning of the compliance process. They typically take the form of a content library, feed, or resource center. Content tools consolidate documents published by regulators into one platform (including the laws, enforcement actions, guidance, rule updates, and more), making research and horizon scanning more efficient. Leaders in this space include Thomson Reuters Regulatory Intelligence, LexisNexis and Reg-Room.

Regulatory knowledge automation is technology that bridges the gap between the raw data of regulatory content and actionable insight. Market leader Ascent, for example, generates the regulatory obligations that pertain to your specific firm based on key factors like what type of financial entity you are, what services/products you offer, and where you operate. Ascent then automatically updates your obligations as rules change. This targeted regulatory knowledge allows compliance personnel to know exactly what the firm must comply with at all times, without the manual effort. 

GRC (governance, risk and compliance) platforms help operationalize compliance and often house all of a firm’s regulatory information, including obligations, controls, policies and procedures. Workflow capabilities allow users to track and manage their compliance efforts. Leaders in the space include LogicGate, MetricStream, IBM OpenPages, and RSA Archer to name a few. 

Point solutions cover a wide swath of RegTechs, helping firms execute compliance in a compliant way or assess compliance with an obligation or control. These could include (but are not limited to) trade monitoring, portfolio risk, know-your-customer, anti-money laundering, operations risk management, and cybersecurity tools. Point solutions are more limited in scope than regulatory knowledge automation or GRC solutions, but when they meet the right need they can provide substantial value.


What technologies do RegTech solutions use?

RegTech providers leverage a wide variety of emerging technologies. Here are a few of the most common:

  • Machine learning (ML) is the application of algorithms that improve automatically through experience. Rather than being specifically programmed to complete a task, ML models are fed large amounts of data, which they use to learn and improve on their own. In regulatory compliance, ML models can process large amounts of regulatory data and gradually draw conclusions about that data, becoming more and more accurate over time.
  • Natural language processing (NLP) is the field of using computers to process and analyze human language. In compliance, NLP can parse the unstructured raw text of regulation and reorganize it or otherwise transform it so that people can retrieve meaningful insights. 
  • Blockchain is a digital record of transactions, most often associated with cryptocurrencies. Blockchain has many other purposes however, such as enabling the secure sharing of know-your-customer data within or between organizations for compliance purposes.
  • Robotic process automation (RPA) allows users to configure metaphorical “robots” or “digital workers” to replicate the actions of a human in a digital environment in order to complete a business process. RPA tools can automate laborious manual processes, like the production of hundreds of disclosures that asset management firms are required to generate throughout the year.


What’s the difference between RegTech, FinTech, and SupTech?

RegTech leverages emerging technology to create tools focused on solving the challenges of regulatory compliance. While the majority of existing RegTech solutions are currently focused on the world of financial regulation, RegTech could also be leveraged for other regulated industries — for example, healthcare.

FinTech, short for financial technology, is the application of technology to solve problems or create new value in financial services. Examples include crowdsourcing platforms, mobile payments, cryptocurrency, robo-advisors, budgeting apps, or the use of open banking APIs. Recently, digital banks that operate purely online with no physical locations are also being referred to as FinTechs. 

SupTech, short for supervisory technology, is the application of emerging technology to improve how regulators conduct supervision. Just as RegTech leverages technology for regulated companies, SupTech leverages technology for the regulators.


Can RegTech help me with specific regulation like GDPR?

The rise of data privacy legislation like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) has added necessary protections for consumers but has increased financial institutions’ already significant regulatory burden in the process. Depending on what you are trying to achieve with specific regulation like GDPR, RegTech offers various solutions.

There are many point solutions that help firms execute GDPR-compliant behavior. For example, UserCentrics helps firms obtain customer data in a transparent way. Syrenis provides one central platform to manage personal data, legal basis for obtaining that data, consent, and marketing practices. GDPR365 is a compliance assessor that offers guidance on what security weaknesses need to be fixed.

To understand what your organization’s obligations are under GDPR (or any other regulation), look to regulatory knowledge tools like Ascent. Ascent’s AI-driven technology pinpoints the GDPR obligations that your firm must comply with, then updates them automatically if the rules change.


How can I use RegTech to help my firm ease compliance burdens?

There are many use cases for RegTech, but here are some of the most common:

  • Horizon Scanning — monitoring regulatory developments including rule updates, guidance, and any other communications from regulators to better understand potential threats and opportunities.
  • Identifying Obligations and Changes — conducting regulatory analysis (also referred to as regulatory mapping) to understand which obligations or requirements your business must comply with. These obligations must then be routinely updated as rules change.
  • Compliance Management — managing your daily compliance activities and aligning them with the broader framework of regulatory strategy and process.

Finding a solution for these use cases can be challenging since the RegTech space is vast and each solution facilitates a different part of the compliance process. Breaking the RegTech landscape into these four categories makes it easier: 1) Regulatory content tools, 2) Regulatory knowledge automation, 3) GRC platforms, and 4) Point solutions.

For the examples above, the solutions for each use case vary:

  • Solution for Horizon Scanning: A regulatory content provider such as Thomson Reuters Regulatory Intelligence helps save time with horizon scanning and research.
  • Solution for Regulatory Obligations: A regulatory knowledge provider such as Ascent identifies your obligations and keeps them updated as rules change. This targeted regulatory knowledge can also be used to understand downstream impact. For example, a rule change identified by Ascent can be used to trigger alerts or workflows related to that rule in your GRC or other compliance management platform. 
  • Solution for Compliance Management: A GRC or other compliance management system such as LogicGate or IBM OpenPages allows you to house and project manage your compliance activities, including assigning tasks, tracking progress against deadlines, and managing any internal documentation such as your controls, policies and procedures. Ascent’s granular obligations can be seamlessly fed into these systems so your regulatory data and activities are monitored, tracked, and managed all in one place.

If you are looking to accomplish all of these use cases, it is likely that your compliance operation requires multiple solutions, combined to create a full-scale compliance technology stack.

What questions should I ask a RegTech vendor that leverages “AI”?


What kinds of AI technologies do you use, and why?

First, brush up on machine learning and natural language processing basics so you can follow the vendor’s response. You do not need to be an AI expert; a good vendor will be able to explain their process in a way that any business leader can understand. What’s important is that you get a clear picture of how the specific technologies and approaches used create business value for you. Is the vendor using “AI” as a flashy marketing term, or is it actually integral to the solution?

Where are you getting the data that is training your algorithms?

Good AI tools require significant amounts of quality data – as they say, ‘bad in equals bad out.’ The vendor should be able to explain how they are ingesting regulatory text (did they build an ingestion or scraping tool, or are they white-labeling another product?), from where (the best case scenario is that the vendor is pulling straight from official regulatory websites), and at what frequency (this should be reasonably frequent so you know you have the most up-to-date information at any given time). The vendor should also be able to explain the quality-assurance process that ensures all intended data points are properly captured.

Are there humans involved in the training of your algorithms, and to what degree?

In many industries, the notion of humans-in-the-loop (meaning the technology is not 100% machine-driven; humans are still involved in some part of the process) is considered a negative sign because it means “that the tool isn’t really AI.” The compliance industry, however, is unusual in that a humans-in-the-loop process is considered a positive. Why? Because the world of regulatory compliance is so nuanced and complex that AI solutions are far better when trained and QA-ed by human experts in regulation and law. This does not mean that all AI-driven RegTechs require humans-in-the-loop to be great tools, but the vendor should be able to explain why they do or do not involve people in the process.

Who is held liable if your solution fails?

This question is as important for you as it is for the vendor. Because this issue exists in a legal gray area, you must carefully weigh the risk of implementing any new solution (AI or not). A good AI vendor will understand why this is a concern, and should show evidence of a strong model risk management framework, rigorous internal controls, and most importantly be completely transparent about what the solution can and cannot do. If it sounds too good to be true, it probably is. 

*Ascent offers a performance guarantee for its AI solution that is backed by an insurance cover from Munich Re Group. Read the case study to learn more.


Brexit Impact: A Look at the Next Normal


Back in 2016 when the concept of the United Kingdom’s exit from the European Union (“EU”) seemed like a fantastical proposition, the prospect of the referendum’s success let alone its implications seemed like a mystery. The question for financial institutions now becomes how to implement and maintain a newly-domesticated compliance framework in the face of regulatory uncertainty. 

The Story on Domestic Data

The larger focus for financial services will be on sustainability of domestic and international compliance frameworks for areas such as data, sanctions, and overall governance. 

The UK has implemented a host of regulatory expectations in the past few years, from MiFID to the Senior Managers’ Regime. While those regulations will continue, financial services must continue to enmesh international laws with touch and concern to the UK in their programs.

Despite the UK’s exit from the EU, the parameters of the General Data Protection Regulation (“GDPR”) will continue to be enforceable. In fact, GDPR has been a primary area of international enforcement, with two UK-centric breaches in 2020 totaling USD $56 million in penalties alone.


Similarly, despite infrequent enforcement actions for sanctions violations from the UK in the past few years (OFSI issued its first ever sanctions penalty in 2020 since its establishment four years prior), the UK Sanctions and Anti-Money Laundering Act of 2018 will continue to pose challenges for UK banks wishing to keep a foot in the international space.

In late December, the Financial Conduct Authority (“FCA”) issued the final Temporary Transitional Power (TTP) directions. Firms should be well-versed in the TTP directions, as they outline which regulations are expected to be maintained throughout the transaction and which have exemptions until the end of the transition period in March 2022. While these provisions apply to existing entities, the FCA was careful to note that the TTP does not apply to new European Economic Area entities seeking to onshore. 

Business as Usual for AML

As part of the EU, the UK would have historically been adhering to the framework of the EU’s Anti-Money Laundering Directives (“AMLD”). This would have been leveraged to set the framework for an anti-money laundering compliance program, from the “pillars” approach derived from the Financial Action Task Force (FATF) standards, to thresholds for transaction monitoring.

From a practitioner’s perspective, the EU AMLD set basic criteria that were then enhanced or supplemented, as needed, at the country level. In the absence of those directives, the UK will now rely entirely on the Proceeds of Crime Act (“POCA”) and its interpretation by regulators to determine firms’ adherence to AML standards. The FCA has not had a particularly robust enforcement year in terms of AML enforcement, with only two notable penalties issued for compliance-related failures. In fact, the absence of such enforcement actions has been cited in the press as a relative laxity by the regulator. 

Perhaps due to Brexit or exacerbated by it, the FCA has not made clear that AML compliance will be a priority over conduct-related enforcement in the coming year. Given the EU’s spate of Baltic-related fines and penalties, the first AML fine of 2021 may in fact be related to the same.  

The Way Forward

There is, as was expected when Brexit was first announced, a bit of trailblazing to be expected in the next few years. The shifting regulatory expectations around conduct over AML and sanctions enforcements is suggestive, but not dispositive. While the FCA has recently provided a rulebook with post-Brexit expectations, unlike their peers in the US, waivers have been embedded with those expectations, some as far out as 2022. Perhaps drawing from their peers (subsidiaries and affiliates too) in the US, UK-based banks will need to leverage a far more conservative risk-based approach until the updated regulatory expectations become more certain.

In the meantime, new technology such as regulatory knowledge automation can help financial firms keep tabs on enforcements, updates, and rule changes as they are issued. Today, many firms continue to try to manage and synthesize this influx of information in the same ways that they always have: by increasing personnel to do the work manually.


But missing even the finest detail within a body of regulation or rule amendment can be disastrous for a firm. Like the proverbial needle in the haystack, any obligation missed among the thousands of lines of regulatory information could have severe consequences come audit time. 

Regulatory knowledge automation uses machine learning (ML) and natural language processing (NLP) to complete this work in mere minutes, at a fraction of the cost, and with greater accuracy than manual efforts.



A former regulator’s take on AI, Big Tech, and RCM


We recently sat down with Rick Bonhof, a managing consultant who leads the Amsterdam regulatory change and compliance practice within the business consulting arm of Synechron, a leading digital transformation consulting firm that accelerates digital initiatives for banks, asset managers, and insurance companies around the world.

In his role, Bonhof oversees a team of experts who help clients build the regulatory framework that enables compliance. As an advisor for the digital-first firm, Bonhof is hyperfocused on making compliance more efficient through the use of technology, leveraging emerging tech such as machine learning and existing systems such as GRCs.

Prior to Synechron, Bonhof served as a supervision officer for Dutch regulator Autoriteit Financiële Markten (AFM) at the height of the 2008 financial crisis. After spending seven years crafting and executing supervisory strategy for AFM, he decided to redirect his work from supervising firms to actually helping them become compliant with regulation. And so, after witnessing how Synechron helped a number of financial institutions get back on track with EMIR (the EU equivalent of Dodd-Frank in the US), Bonhof transitioned to the firm.

During our sit-down, Bonhof shared his blended supervisory-consultative perspective on a variety of topics—from the role of regulatory change management during the COVID-19 pandemic to how Big Tech will shape the future of financial services.

Editor’s note: This interview has been lightly edited for clarity.

Setting the Record Straight on Regulators

Touching on his experience as a former regulator, Bonhof kicked off our conversation by sharing what he wished compliance professionals knew about regulators, and what he wished he had known as a regulator. 

When I made the switch from regulator to consultant, I realized that a lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you. What I think compliance professionals sometimes forget is that if you’re able to explain to regulators why you made certain decisions and how you implemented certain requirements, they’ll listen to you.


My advice to compliance professionals is to document their interpretation of the rule and why they applied the rule in a certain way according to their interpretation, so they have all of the information they need when it comes time to talk to regulators.

On the flip side, what I wish I had known as a regulator was, no matter how simple a request for information may seem on paper, it doesn’t actually mean that there’s a clear-cut way to gather requested information or to implement a new rule. Many financial institutions do not start out as multinational global-spending institutions; they grow through mergers, acquisitions, and restructuring.

So there’s a whole collection of teams that suddenly need to contribute to this “one simple request,” making it not so simple after all.

Managing Regulatory Change in the Time of COVID 

Bonhof has long emphasized the importance of having a well-documented regulatory change management (RCM) strategy, especially when it comes to major events such as financial crises, election years and of course — the COVID-19 pandemic.

When it comes to regulatory change management, my mantra has been “take control, be in control, and demonstrate control.” 

“Take control” is about understanding what your obligations are, understanding the impact of them, and then implementing and enforcing a compliant process.

“Be in control” is about understanding where your firm is in terms of compliance with the requirements, and revisiting both its requirements and compliance processes frequently. You should not only be control testing your processes to understand whether your firm is compliant with existing rules, but also monitoring whether there’s a change coming that could impact compliance with those rules. And, if there is a change on the horizon, then you need to go back to “take control” and proactively act on it.

Lastly, “demonstrate control” is about being able to take the evidence that you have and explain both internally and externally to what extent you comply with those measures.

How to Avoid Dropping the Ball on RCM

In Bonhof’s view, the biggest mistake that firms can make when implementing RCM best practices is to treat them as a one-time solution.

Most regulatory change management processes are driven by a regulatory change implementation date. Let’s say that a firm has to comply with X, Y, and Z by January 1, 2021. What I’ve found (and even been guilty of myself) is that many firms focus solely on making that milestone without the end result in mind. So once the firm does reach it, everyone sort of drops the ball and says, “We’re done, we made it.” But that’s the wrong approach because 2021 does not mark the end of implementing that change, it actually marks the start of it. 


Firms are expected to be compliant with that new rule, and need to have a roadmap that accounts for what comes after that date. Firms often put makeshift technical solutions in place to meet the deadline, but then what happens is the technical solution silently becomes the structural solution. The result is that there’s no roadmap beyond that point to account for new data that needs to be tracked or changed, resulting in an issue of data quality and therefore explainability. 

COVID Response: Swings of the Regulatory Pendulum

To Bonhof, regulatory change management has never been more important as the pandemic response continues to unfold. While he and his team have seen the easing of certain regulatory requirements, they have also seen the mounting impact of others.

On the one hand, the regulatory response to the pandemic has been to suspend certain requirements in order to alleviate the burden of regulation. However, at the same time, we’ve also seen an increase in requests for financial firms to implement certain risk measures from regulators such as the European Securities and Markets Authority.

For example, we had an “intelligent lockdown” in the Netherlands that prohibited us from going to the shops or the cinema. As a result, this (like other lockdowns across the globe) had a large impact on service providers, as many businesses had outstanding loans with financial institutions and were suddenly not able to make good on those loans. This has led to a tipping of scales with regulators adding more capital reporting requirements, while continuing to suspend or delay implementation of other regulatory requirements. For example, ESMA deferred the final two phases of its bilateral margin requirements to provide additional operational capacity for counterparties to respond to the immediate impact of COVID-19. 

On the Importance of Innovation in IRM

While regulators have been more forgiving during the pandemic, they have also become increasingly aware of all of the possible gaps, bringing the topic of Integrated Risk Management (IRM) to the fore. Here’s Bonhof’s take on IRM.

Integrated Risk Management allows you to identify what risks exist within your firm, define a response to those risks, and then determine whether your firm is within that risk appetite. Ultimately, IRM combines all of those processes and rolls them up into a multi-level process chart where you can prioritize risks and pinpoint which ones are of the highest risk to your firm. 


As part of Synechron’s FinLabs RegTech accelerator suite, I’ve actually had the opportunity to work on automating parts of IRM. Knowing how effective your controls are is a key part of integrated risk management, so we built an intelligent control testing environment that maps a firm’s individual control statements into a decision tree that automatically runs against a data set to help firms quickly pinpoint whether a control is effective or not. This advancement frees up compliance teams’ valuable resources so they can focus on remediating any deficiencies.

These types of innovation are becoming more important as Integrated Risk Management continues to gain more traction. IRM is such a hot concept right now because regulators are putting more emphasis on it. For example, ESMA recently published a consultation paper that assessed the suitability of the management at financial institutions, which concluded that the highest levels of management (including at the board level) need to understand their firms’ requirements, how they are complying with them, and what the state of the firm’s risk management looks like.  

Clash of the Titans: Big Banking vs. Big Tech

As an innovator in his own right, Bonhof is naturally drawn to industry disruptors. In particular, he has been following the rise of digital banks and believes that it’s only a matter of time until Big Tech enters into the banking industry as well.

The rise in digital banks has served as a catalyst for digital transformation in the industry at large. In order to stay competitive with digital banks, traditional banks have worked to provide digital services to their customers. For customers, having a digital bank account becomes more of a commodity because it opens up a whole ecosystem of additional services around it. 

For digital banks, their competitive advantage is that they’re not burdened by a chain linked system of legacy tools or processes, so they can get it right immediately. Digital banks can be more nimble when it comes to things like digital client onboarding processes and company reporting. On the other hand, it’s difficult for digital banks to achieve the same scale as larger banks. Plus, they’re bound to face the same kind of regulatory requirements as incumbent banks and will need to comply with them, lessening some of their initial competitive edge.


What I’m really curious about is when Big Tech will officially enter into the banking space. Today, we have Apple Pay and Google Pay, but I think that it’s just a matter of time before they’re adding banking services to their offering. At that point the market will change. Digital banks just mark the beginning of the banking industry’s digital transformation. When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

Financial Firms and Regulators to Step Up Their AI Game

With the high likelihood of Big Tech companies entering the market in addition to other innovations in financial services, Bonhof is encouraging the industry to direct its focus toward emerging technologies such as Artificial Intelligence (AI) now, before it’s too late.

I think regulators really need to step up their digital game. They need to understand the tech component that goes into digital banking. AFM just compiled an insightful trend report where they spoke around their fears about Big Tech entering into the financial market. Today, Big Tech is predominantly supervised by privacy watchdogs. But, if Big Tech entered the financial market tomorrow, financial market regulators would not always be allowed to share information with those supervisory agencies, so that would make supervision really difficult. 

Regulators are just now issuing responses around the use of AI, which center around the concepts of explainability and trustworthiness. Together, they are two sides of the same coin because they help explain the decisions that come out of algorithms and apply fair principles that limit their biases. However, I still think that we have a ways to go and that regulation around the use of AI will only continue to increase in the future as the digital market matures.

The Role of AI in Regulatory Compliance

According to Bonhof, the role of AI is not just limited to the mechanics of digital banking. It applies to regulatory compliance too.

We recognize that regulators are starting to provide guidelines around AI, so we are changing the way that we advise our clients about AI. AI was once the new and exciting thing to talk about. Now it’s the means to an end. We’re looking at where AI models can help firms improve explainability in their compliance processes. 

Using robotics (or AI) helps automate certain regulatory compliance processes such as horizon scanning, and makes the outcomes of those processes more predictable and reliable. AI allows teams to focus less time doing the monotonous work of running these processes and more time on investigating outliers. Instead, the “robot” leads the processes and identifies areas where there are inconsistencies that require the review of compliance experts.

On Implementing RegTech: Final Advice

So, what’s Bonhof’s advice to firms that are looking to implement new technologies in their compliance programs? “Be really clear about what you want to achieve in your compliance program and therefore what you want the technology to achieve.”

First, you need to understand where you are and where you want to go. For instance, if your firm was just fined by a regulator, then you’ll likely need to find a solution that can help you become more compliant. On the other hand, if your organization is in a good place but needs to become more efficient, then it’s likely you’ll need a different tech stack than the firm that was recently fined. When you understand what you want to achieve by adding technology, then you can better pinpoint the right type of technology solution for your compliance program.

 

If you’d like to learn more about Synechron, visit their website. To learn more about Rick Bonhof, connect with him on LinkedIn.

If you’d like to contact an Ascent team member, you can do so here. Stay tuned for our next interview from the lines of defense. All interviews will be featured in our monthly Cliff Notes newsletter, which you can subscribe to below.

Subscribe to Cliff Notes


The Rise of Data Privacy Regulation and How RegTech Can Help

By Blog, Featured

(7 min read)

If data is money, it’s often left sitting out in the open.

Ascent founder and CEO Brian Clark has a hypothetical question he often likes to ask new people when meeting them: If you were given a giant bag of money, what world problem would you solve? 

Homelessness, poverty, world hunger — there are ample crises to choose from. But what Brian’s really interested in is your answer to his second question: If that bag of money were then taken away, and you were instead given a giant bag of data, what problem do you solve now and how do you do it?

The implication, of course, is that ultimately the two bags equate to the same thing. They’re both resources. And as technology has revolutionized our ability to capture and analyze huge troves of data, big data has in turn become an increasingly powerful resource and disrupted industry after industry.

And much of that disruption has come at a price.

Facebook, Equifax, Yahoo! — these are just a few of the massive data breaches that have happened over the last handful of years. As companies have collected more and more data, they have not always taken the proper precautions to protect that data. In the terms of our original analogy, if data is money, it’s often left sitting out in the open.

As a result, we have seen a number of large new data privacy regulations come into play recently, with many more on the horizon. Like all things related to big data, these regulations have been extremely hefty, sometimes to the point of seeming overwhelming. But we would argue that they don’t have to feel this way.

In this article, we dig deeper into the rise of data privacy regulation, examining the major new regulations that have recently come into play, the way these regulations are transforming the compliance function, and how RegTech can help transform them from overwhelming obstacles into exciting opportunities.


GDPR: The Game-Changer

The modern age of data privacy regulation was ushered in by four letters: GDPR. The first significant update to Europe’s data protection rules since the 1990s, GDPR (or, the General Data Protection Regulation) serves as both the core of Europe’s digital privacy legislation and as the benchmark the rest of the world began comparing their data privacy policies against.

First introduced in 2012 and then argued over until it was adopted in 2016, GDPR finally came into effect in May of 2018. The regulation was revolutionary for its emphasis on citizens’ rights. It was designed to give EU citizens control over their personal data, as exemplified by the eight rights for individuals within the regulation. These rights include giving EU citizens easier access to data companies hold about them, laying out fines for the failure to do so, and requiring companies to receive consent from individuals before collecting their data. 

There are many more details to the 99 articles in the regulation, but it’s these individual rights that caught a lot of public attention, both for the burden they placed on companies and the pop-up banners they created on our web browsers.

GDPR came to seem so ubiquitous because its obligations applied not only to companies headquartered in the EU, but to any company gathering the personal data of an EU citizen. In the borderless age of the internet, this more or less meant any company with a website that tracked any information about its visitors.

Of course, the EU wasn’t likely to chase down every mom-and-pop shop around the world that failed to comply with GDPR regulations. But the breadth and depth of the legislation acted as a standard-bearer, telling companies and countries it was time to update data privacy regulation for the twenty-first century. It would only be a matter of time until other countries followed suit.

CCPA: GDPR Hops Across the Pond

That most notably and recently happened in the US with the California Consumer Privacy Act (CCPA). The CCPA, which was just implemented at the beginning of this year, brought GDPR-like obligations to the US, including consumer rights related to the disclosure of personal information and requests for personal data.

The CCPA affects a significant number of companies. It applies to businesses that either exceed a gross revenue of $25 million, gain 50% or more of their annual revenue by selling consumers’ personal information, or that buy, sell, receive, or share personal information of 50,000 or more consumer households.

Like GDPR, the CCPA is focused on consumer rights, including a section known as data subject requests, which grants users the right to access or delete the personal information a company may have about them.

And — just as GDPR acted as the data privacy blueprint for the rest of the world — the CCPA is acting as the blueprint for the rest of the US. A number of other states are quickly catching up:

  • Washington State has a bill, with requirements and fines drawn straight from the CCPA, currently working its way through the state senate and house.
  • New York, in typical coastal one-upmanship, recently introduced an even more comprehensive bill into its state senate, which disregards the CCPA’s revenue requirement for covered entities.
  • Nevada actually implemented privacy legislation a few months before California, but its definition of “sale” resulted in a law that was narrower and more lenient on financial institutions.

The Changing Role of the Compliance Officer

The above litany of legislation, without any guiding federal framework, is a significant challenge for companies, especially those transacting business across the country. This patchwork of regulation means, for simplicity’s sake, companies often have to comply with the strictest requirements of any one regulation, even if it doesn’t necessarily apply to all the states where they are doing business. That is, of course, assuming companies and Compliance Officers can keep up-to-date on the waves of new regulation constantly being released and updated.

But in another light, these new data privacy regulations actually represent an opportunity for Compliance Officers.

These regulations could help raise the visibility of the compliance role at companies, especially those that might have dismissed data privacy as not relevant to their day-to-day. That’s because complying with these privacy regulations is going to require companies to make real changes in their policies and procedures and in their corporate culture — all of which are crucial aspects of the compliance role. 

As companies update and overhaul internal procedures accordingly, Compliance teams will need to play an integral role in developing business processes to ensure that personal data is being managed compliantly.

But for Compliance teams to do that, they will somehow need to keep current with the massive amount of new regulations being rolled out and find a way to quickly and concisely understand how those regulations relate to their policies and procedures. Between the hefty laws already in place and the long list of those in process, this can seem like an insurmountable task.

Technology, though, provides a path forward.


RegTech Offers the Key to Data Privacy Regulation

RegTech (Regulatory Technology) is an emerging industry of companies leveraging machine learning, natural language processing, blockchain, AI, and other technologies to solve the challenges of regulatory compliance. These technologies offer a way to leverage the big data of regulatory compliance to help solve the problems of data privacy regulation.

In a recent case study, one global Top 50 bank tried to identify its obligations under GDPR within one of its business units. The bank had a lack of clarity around which aspects of GDPR it was required to follow, and it attempted to solve this problem via a traditional solution: hiring a consulting firm.

The consulting firm, though, proved expensive and inaccurate. The firm missed a number of obligations and the bank was forced to hire a second consulting firm to correct those initial mistakes — adding duplicative costs. It was in the midst of this frustrating process — causing costly mistakes and creating continued regulatory uncertainty — that the bank decided to try a different approach.

The bank partnered with Ascent, an AI-powered compliance automation solution. At Ascent, our proprietary RegulationAI™ technology generates the obligations that apply to our customers, helping banks and other financial firms reduce risk and gain confidence in their compliance programs.

RegulationAI™ was able to generate a complete obligations register in mere minutes and at a 99% cost savings. This technology — a true innovation in RegTech — leverages machine learning and natural language processing to ingest hundreds of regulations and then rapidly determine which obligations apply to your business — with zero manual effort from you.

Rather than the time-consuming, expensive, and inaccurate results it had received before, the bank now had all its obligations in an easy-to-read digital format, produced with significantly lower risk of human error.


Secure Your Obligations with Ascent.

The complexity of data privacy regulation is likely only going to increase in the future. But you don’t have to drown in regulation. Ascent can help you leverage technology to make this fast-paced world of digital disruption work for you.



How a Global Top 50 Bank Secured Its GDPR Obligations Using Ascent

By Blog

Case Study

A Global Top 50 Bank sought to identify its obligations under the General Data Protection Regulation (GDPR) within one of its business units.

Our Customer at a Glance

  • $20B Annual Revenue
  • 30,000 Employees
  • 1,000+ Locations Worldwide
  • 300+ Regulating Bodies to Comply With

The Problem

Our customer faced the following hurdles:

  • Needed help determining which parts of GDPR were required for the business.
  • Initially hired a consulting firm to produce its GDPR requirements, but the firm missed a number of obligations.
  • Forced to hire a second consulting firm to correct initial mistakes, creating duplicative costs.
  • Ultimately dissatisfied with the rigamarole of multiple consultancies, missed obligations, and ongoing regulatory uncertainty.

Partnering with Ascent

Frustrated with their journey so far, the Bank partnered with Ascent, an AI-powered compliance automation solution. Ascent generates the obligations that apply to the customer, helping banks and other financial firms reduce risk and gain confidence in their compliance programs.

Using Ascent, the Bank was able to comprehensively identify its GDPR obligations at a fraction of the time and effort, kickstarting its path to compliance and better positioning the Bank to protect the privacy of its customers.

How the Global Bank Accelerated GDPR Compliance with Ascent

Before Ascent:

  • Hundreds of thousands of dollars in ongoing consulting fees
  • Countless hours and headaches, only to produce an incomplete register of GDPR obligations
  • Increased regulatory risk and error

After Ascent:

  • A mere fraction of the cost (99% savings)
  • Took just minutes to produce a complete and verified register of GDPR obligations
  • Thorough and easy-to-read digital format, produced with significantly lower risk of human error

We’re here to make compliance easier.

The road to compliance can be confusing and complex. Ascent makes it simpler with an AI-driven solution that generates the obligations that are relevant to your business. Ascent allows you to:

  • Reduce the risk-prone and costly impact of human error and missed obligations
  • Review a much narrower set of obligations, fast-tracking the tedious and manual process of regulatory research and analysis
  • Save a significant amount of time and money while reducing your regulatory and reputational risk

Modern challenges require modern tools. Interested in seeing how Ascent can help you stay ahead of regulations like GDPR?

Stay Ahead of GDPR Compliance with Ascent

By Blog

The General Data Protection Regulation (GDPR) enforces strict requirements around Chief Data Officers (CDOs), EU citizen data management, and data permissions—including protocols for dealing with data breaches.

GDPR, the EU’s personal data protection and privacy regulatory ruleset for companies around the world, became active in May 2018. Forrester reported that just four months before the laws went into action, 11% of organizations were still figuring out what to do about it and 8% of firms had no familiarity with GDPR rules and regulations.

Overview of GDPR

GDPR regulations require all businesses that satisfy the following conditions to employ a CDO:

  • Employ over 250 people
  • Process or store large amounts of EU citizen personal data
  • Process or store special personal data
  • Regularly monitor data subjects
  • Are a public authority

Beyond requiring CDO employment, GDPR regulations enforce the following restrictions on EU citizen data:

  • Right Of Erasure
  • Right Of Data Control
  • Right Of Data Portability
  • Right To Be Informed
  • Right To Access Personal Data
  • Right Of Correction
  • Right To Object
  • Rights Related To Automated Decision Making Including Profiling

Each of these rights requires that EU citizens’ data be kept separate and compartmentalized, ensuring the ability to remove them from a database at will.

American consumers expressed support and would like to see some GDPR-esque laws enforced within the U.S. Specifically, 38% responded with the ability to control how their data is used, while 39% favored the “right to be forgotten” rule.

Consequences of Non-compliance

If businesses fail to comply with GDPR regulations, they can be fined between 1-4% of annual revenue or up to €10-20 million, whichever is higher. These fines will depend on which parts of GDPR were not followed, how many people and how much data was affected, and a slew of other factors.

The cost of GDPR compliance failure is substantial, as is the risk of attempting to ‘fly under the radar’. Anyone within the EU can file a complaint, starting the trend of unsavory consequences. 

Stay Ahead of GDPR Compliance with Ascent

The key to staying current on GDPR is a compliance program that evolves with new regulations. A system with the right fail-safes in place will help ensure that your firm’s obligations are always up to date.

Great technology makes this easier than ever. Ascent provides you with a feed of regulatory changes (including those related to GDPR) that apply to your firm, helps you visualize how the rule text has changed, and indicates whether that change impacts your existing controls, policies and procedures. 

Ascent also serves as a central repository for all regulator documents so you can easily search for speeches, guidelines or other releases concerning GDPR, allowing for comprehensive research.
